Escolar Documentos
Profissional Documentos
Cultura Documentos
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
www.juniper.net
Part Number: , Revision R2
This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain. This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto. This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved. GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirtons EGP, UC Berkeleys routing daemon (routed), and DCNs HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates. This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785. JUNOS Software Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3 Copyright 2008, Juniper Networks, Inc. All rights reserved. Printed in USA. Writing: Appumon Joseph, Aviva Garrett, Bhargava Y.P, Brian Deutscher, Hareesh Kumar K N, Janet Bein, Keldyn West, Regina Roman, Tim Harrington, Vinita Kurup Editing: Cindy Martin Illustration: Faith Bradford Brown Cover Design: Christine Nay Revision History 29 December 2008Revision R2 The information in this document is current as of the date listed in the revision history. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS software has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036. SOFTWARE LICENSE The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you indicate that you understand and agree to be bound by those terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details. For complete product documentation, please see the Juniper Networks Web site at www.juniper.net/techpubs.
ii
iii
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customers internal business purposes. 7. Ownership. Juniper and Junipers licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software. 8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that accompanies the Software (the Warranty Statement). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Junipers or its suppliers or licensors liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties. 9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customers possession or control. 10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customers payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customers non-compliance or delay with its responsibilities herein. Customers obligations under this Section shall survive termination or expiration of this Agreement. 11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customers ability to export the Software without an export license. 12. Commercial Computer Software. The Software is commercial computer software and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable. 13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available. 14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (GPL) or the GNU Library General Public License (LGPL)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html. 15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous
iv
agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux prsents confirment leur volont que cette convention de mme que tous les documents y compris tout avis qui s'y rattach, soient redigs en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).
vi
Table of Contents
About This Topic Collection xlv How To Use This Guide .................................................................................xlv List of EX-series Guides for JUNOS 9.3 ..........................................................xlv Downloading Software .................................................................................xlvi Documentation Symbols Key ......................................................................xlvii Documentation Feedback ..........................................................................xlviii Getting Support ............................................................................................xlix
Part 1
Chapter 1
Software Overview ..........................................................................................3 EX-series Switch Software Features Overview ...........................................3 Layer 3 Protocols Supported on EX-series Switches ..................................9 Layer 3 Protocols Not Supported on EX-series Switches ..........................10 Security Features for EX-series Switches Overview .................................12 High Availability Features for EX-series Switches Overview ....................14 VRRP ................................................................................................14 Graceful Protocol Restart ..................................................................16 EX 4200 Redundant Routing Engines ...............................................17 EX 4200 Graceful Routing Engine Switchover ..................................17 EX 4200 Virtual Chassis Software Upgrade and Failover Features .....................................................................................18 Link Aggregation ..............................................................................18 Additional High Availability Features of EX-series Switches ..............18 Understanding Software Infrastructure and Processes ............................19 Routing Engine and Packet Forwarding Engine ................................19 JUNOS Software Processes ...............................................................19 Supported Hardware .....................................................................................21 EX 3200 and EX 4200 Switches Hardware Overview ..............................21 EX 3200 and EX 4200 Switch Types ................................................21 EX 3200 Switches .............................................................................21 EX 4200 Switches .............................................................................22 Uplink Modules ................................................................................23 Power over Ethernet (PoE) Ports ......................................................23 EX 3200 Switch Models ..........................................................................23 EX 4200 Switch Models ..........................................................................24
Table of Contents
vii
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Part 2
Chapter 2
[edit access] Configuration Statement Hierarchy ...........................................27 [edit chassis] Configuration Statement Hierarchy ..........................................28 [edit class-of-service] Configuration Statement Hierarchy ..............................28 [edit ethernet-switching-options] Configuration Statement Hierarchy ............29 [edit firewall] Configuration Statement Hierarchy .........................................31 [edit interfaces] Configuration Statement Hierarchy ......................................32 [edit poe] Configuration Statement Hierarchy ...............................................33 [edit protocols] Configuration Statement Hierarchy .......................................33 [edit snmp] Configuration Statement Hierarchy ............................................37 [edit virtual-chassis] Configuration Statement Hierarchy ...............................37 [edit vlans] Configuration Statement Hierarchy .............................................38
Part 3
Chapter 3
JUNOS CLI .....................................................................................................43 CLI User Interface Overview ...................................................................43 CLI Overview ....................................................................................43 CLI Help and Command Completion ................................................43 CLI Command Modes .......................................................................44 Chapter 4 J-Web Graphical User Interface 47
J-Web Interface .............................................................................................47 J-Web User Interface for EX-series Switches Overview ............................47 Using the CLI Viewer in the J-Web Interface to View Configuration Text ..................................................................................................49 Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration Text ............................................................................50 Using the CLI Editor in the J-Web Interface to Edit Configuration Text ..................................................................................................51 Using the CLI Terminal ...........................................................................52 Understanding J-Web Configuration Tools ..............................................53 Starting the J-Web Interface ....................................................................54 Understanding J-Web User Interface Sessions .........................................55
viii
Table of Contents
Table of Contents
Part 4
Chapter 5
Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) ..............................................................................................59 Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) ..............................................................................................60 Chapter 6 Software Installation 65
Software Installation ......................................................................................65 Understanding Software Installation on EX-series Switches ....................65 Overview of the Software Installation Process ..................................65 Installing Software on a Virtual Chassis ............................................66 Software Package Security ................................................................66 Troubleshooting Software Installation ..............................................66 JUNOS Software Package Names ............................................................67 Downloading Software Packages from Juniper Networks ........................67 Installing Software on EX-series Switches (CLI Procedure) ......................68 Installing Software on EX-series Switches (J-Web Procedure) ..................69 Installing Software Upgrades from a Server ......................................69 Installing Software Upgrades by Uploading Files ..............................70 Troubleshooting Software Installation .....................................................70 Recovering from a Failed Software Upgrade on an EX-series Switch ........................................................................................70 Rebooting from the Non-Active Partition ..........................................71 Chapter 7 Configuration File Management 73
Understanding Configuration Files for EX-series Switches .............................73 Configuration Files Terms .............................................................................74 Managing Configuration Files Through the Configuration History (J-Web Procedure) ..............................................................................................74 Displaying Configuration History ............................................................74 Displaying Users Editing the Configuration .............................................75 Comparing Configuration Files with the J-Web Interface .........................76 Downloading a Configuration File with the J-Web Interface ....................76 Loading a Previous Configuration File with the J-Web Interface ..............77 Uploading a Configuration File (CLI Procedure) .............................................77 Uploading a Configuration File (J-Web Procedure) .........................................79 Loading a Previous Configuration File (CLI Procedure) ..................................79 EX 3200 and EX 4200 Default Configuration ................................................80
Table of Contents
ix
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Chapter 8
Licenses
85
Software Licenses for the EX-series Switch Overview ....................................85 License Key Components for the EX-series Switch ........................................86 Managing Licenses for the EX-series Switch (CLI Procedure) .........................87 Adding New Licenses ..............................................................................87 Deleting Licenses ....................................................................................87 Saving License Keys ................................................................................87 Managing Licenses for the EX-series Switch (J-Web Procedure) .....................87 Adding New Licenses ..............................................................................88 Deleting Licenses ....................................................................................88 Displaying License Keys ..........................................................................88 Downloading Licenses ............................................................................89 Monitoring Licenses for the EX-series Switch ................................................89 Displaying Installed Licenses and License Usage Details .........................89 Displaying License Usage ........................................................................90 Displaying Installed License Keys ...........................................................90
Part 5
Chapter 9
System Basics
Understanding Basic System Concepts 93
Understanding Alarm Types and Severity Levels on EX-series Switches ........93 Chapter 10 Configuring Basic System Functions 95
Configuring Management Access for the EX-series Switch (J-Web Procedure) ..............................................................................................95 Configuring Date and Time for the EX-series Switch (J-Web Procedure) ........97 Generating SSL Certificates to Be Used for Secure Web Access .....................98 Managing MS-CHAPv2 for password-change support ....................................99 Configuring MS-CHAPv2 for password-change support ...........................99 Example: Configuring MS-CHAPv2 on the Switch ...................................99 Chapter 11 Administering and Monitoring Basic System Functions 101
Monitoring Hosts Using the J-Web Ping Host Tool .......................................101 Monitoring Switch Control Traffic ................................................................103 Monitoring Network Traffic Using Traceroute ..............................................105 Monitoring System Properties .....................................................................107
Table of Contents
Table of Contents
Monitoring System Process Information ......................................................108 Rebooting or Halting the EX-series Switch (J-Web Procedure) .....................109 Managing Users (J-Web Procedure) ..............................................................110 Managing Log, Temporary, and Crash Files on the Switch (J-Web Procedure) ............................................................................................112 Cleaning Up Files ..................................................................................112 Downloading Files ................................................................................113 Deleting Files ........................................................................................113 Setting or Deleting the Rescue Configuration (CLI Procedure) .....................114 Setting or Deleting the Rescue Configuration (J-Web Procedure) .................115 Checking Active Alarms with the J-Web Interface ........................................115 Monitoring System Log Messages ................................................................116 Chapter 12 Troubleshooting Basic System Functions 121
Troubleshooting Loss of the Root Password ................................................121 Chapter 13 Configuration Statements for Basic System Functions 125
radius-options .............................................................................................125 Chapter 14 Operational Mode Commands for Basic System Functions 127
clear snmp rmon history ...........................................................................1306 show snmp rmon history ..........................................................................1306
Part 6
Chapter 15
Virtual Chassis
Understanding Virtual Chassis 135
Virtual Chassis Concepts .............................................................................135 Virtual Chassis Overview ......................................................................135 Basic Configuration of a Virtual Chassis with Master and Backup Switches ..................................................................................136 Expanding ConfigurationsWithin a Single Wiring Closet and Across Wiring Closets ..........................................................................136 Global Management of Member Switches in a Virtual Chassis ........136 High Availability Through Redundant Routing Engines ...................137 Adaptability as an Access Switch or Distribution Switch .................137 Understanding Virtual Chassis Components ..........................................137 Virtual Chassis Ports (VCPs) ............................................................138 Master Role ....................................................................................138 Backup Role ...................................................................................139 Linecard Role .................................................................................139 Member Switch and Member ID .....................................................140
Table of Contents
xi
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Mastership Priority .........................................................................140 Virtual Chassis Identifier (VCID) ......................................................141 Understanding How the Master in a Virtual Chassis Configuration Is Elected ...........................................................................................142 Understanding Software Upgrade in a Virtual Chassis Configuration .....142 Understanding Global Management of a Virtual Chassis Configuration .................................................................................143 Understanding Nonvolatile Storage in a Virtual Chassis Configuration .................................................................................145 Nonvolatile Memory Features .........................................................145 Understanding the High-Speed Interconnection of the Virtual Chassis Members ........................................................................................145 Understanding Virtual Chassis Configurations and Link Aggregation .....146 Understanding Virtual Chassis Configuration ........................................146 Understanding Virtual Chassis EX 4200 Switch Version Compatibility ..................................................................................148 Understanding Fast Failover in a Virtual Chassis Configuration .............148 Supported Topologies for Fast Failover ...........................................148 How Fast Failover Works ................................................................148 Effects of Topology Changes on a Fast Failover Configuration ........153 Understanding Split and Merge in a Virtual Chassis Configuration ........154 What Happens When a Virtual Chassis Configuration Splits ...........154 Merging Virtual Chassis Configurations ..........................................155 Chapter 16 Examples of Configuring Virtual Chassis 159
Virtual Chassis Configuration Examples ......................................................159 Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet .......................................................................159 Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet .............................................................................................164 Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration ..................................................................170 Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets ................................................................................175 Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch ............................................................................................184 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch .........................................................................190 Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File ...........................................................................196 Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When a Virtual Chassis Member Switch or Inter-Member Link Fails ................................................................................................207 Example: Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge .......................................................210
xii
Table of Contents
Table of Contents
Chapter 17
213
Virtual Chassis Configuration Tasks .............................................................213 Configuring a Virtual Chassis (CLI Procedure) .......................................213 Configuring a Virtual Chassis with a Preprovisioned Configuration File ...........................................................................................214 Configuring a Virtual Chassis with a Nonprovisioned Configuration File ...........................................................................................215 Configuring a Virtual Chassis (J-Web Procedure) ...................................216 Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure) ......................................................................................218 Adding a New Switch to an Existing Virtual Chassis Configuration Within the Same Wiring Closet ................................................218 Adding a New Switch from a Different Wiring Closet to an Existing Virtual Chassis Configuration ...................................................219 Configuring Mastership of the Virtual Chassis (CLI Procedure) ..............221 Configuring Mastership Using a Preprovisioned Configuration File ...........................................................................................221 Configuring Mastership Using a Configuration File That Is Not Preprovisioned .........................................................................222 Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) ............223 Setting an Uplink VCP Between Two Member Switches ..................224 Setting an Uplink VCP on a Standalone Switch ...............................225 Configuring the Virtual Management Ethernet Interface for Global Management of a Virtual Chassis (CLI Procedure) ...........................226 Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as Master of Virtual Chassis (CLI Procedure) ............227 Configuring Fast Failover in a Virtual Chassis Configuration .................228 Disabling Fast Failover in a Virtual Chassis Configuration .....................229 Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge (CLI Procedure) ............................................229 Disabling Split and Merge in a Virtual Chassis Configuration (CLI Procedure) ......................................................................................230 Chapter 18 Verifying Virtual Chassis 231
Virtual Chassis Verification Tasks ................................................................231 Command Forwarding Usage with a Virtual Chassis Configuration .......231 Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member ...............................................................234 Verifying That the Virtual Chassis Ports Are Operational .......................235 Monitoring Virtual Chassis Configuration Status and Statistics ..............237 Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) ......................................................................................237 Remove, Repair, and Reinstall the Same Switch .............................238 Remove a Member Switch, Replace with a Different Switch, and Reapply the Old Configuration .................................................238 Remove a Member Switch and Make Its Member ID Available for Reassignment to a Different Switch .........................................239
Table of Contents
xiii
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Chapter 19
241
Troubleshooting a Virtual Chassis Configuration ..........................................241 Clear Virtual Chassis NotPrsnt Status and Make Member ID Available for Reassignment .................................................................................241 Load Factory Default Does Not Commit on a Multimember Virtual Chassis ...........................................................................................241 Member ID Persists When a Member Switch Is Disconnected From a Virtual Chassis ................................................................................241 Chapter 20 Configuration Statements for Virtual Chassis 243
Virtual Chassis Configuration Statement Hierarchy .....................................243 [edit virtual-chassis] Configuration Statement Hierarchy .......................243 Individual Virtual Chassis Configuration Statements ....................................244 fast-failover ...........................................................................................244 id ..........................................................................................................245 mac-persistence-timer ........................................................................1335 mastership-priority .............................................................................1335 member ..............................................................................................1335 no-management-vlan ..........................................................................1335 no-split-detection ..................................................................................249 preprovisioned ....................................................................................1335 role .....................................................................................................1335 serial-number .....................................................................................1335 traceoptions ........................................................................................1335 virtual-chassis .....................................................................................1335 Chapter 21 Operational Mode Commands for Virtual Chassis 257
Virtual Chassis Commands ..........................................................................257 clear virtual-chassis vc-port statistics .....................................................258 request session member .......................................................................259 request virtual-chassis recycle .............................................................1306 request virtual-chassis renumber ..........................................................261 request virtual-chassis vc-port .............................................................1306 request virtual-chassis vc-port .............................................................1306 show system uptime .............................................................................264 show virtual-chassis active topology .....................................................266 show virtual-chassis fast-failover ...........................................................268 show virtual-chassis status ....................................................................269 show virtual-chassis vc-port ..................................................................271 show virtual-chassis vc-port statistics ....................................................274
xiv
Table of Contents
Table of Contents
Part 7
Chapter 22
Interfaces
Understanding Interfaces 279
EX-series Switches Interfaces Overview ......................................................279 Network Interfaces ...............................................................................279 Special Interfaces ..................................................................................280 Understanding Interface Naming Conventions on EX-series Switches .........281 Physical Part of an Interface Name .......................................................281 Logical Part of an Interface Name .........................................................282 Wildcard Characters in Interface Names ...............................................283 Understanding Aggregated Ethernet Interfaces and LACP ...........................283 Link Aggregation Group (LAG) ...............................................................283 Link Aggregation Control Protocol (LACP) .............................................284 Understanding Layer 3 Subinterfaces ..........................................................285 Understanding Unicast RPF for EX-series Switches .....................................285 Unicast RPF for EX-series Switches Overview .......................................286 Unicast RPF Implementation for EX-series Switches .............................286 Global Unicast RPF Implementation ...............................................286 Unicast RPF Packet Filtering ...........................................................287 Bootstrap Protocol (BOOTP) and DHCP Requests ...........................287 Default Route Handling ..................................................................287 When to Enable Unicast RPF ................................................................287 When Not to Enable Unicast RPF ..........................................................289 ECMP Traffic Handling with Unicast RPF Enabled .................................289 Chapter 23 Examples of Configuring Interfaces 291
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch ...................................................................................................291 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch ...................................................................................................297 Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch ..................................................................................303 Example: Configuring Unicast RPF on an EX-series Switch .........................311 Chapter 24 Configuring Interfaces 317
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) ..........................317 Configuring Gigabit Ethernet Interfaces (CLI Procedure) ..............................321 Configuring VLAN Options and Port Mode ............................................321 Configuring the Link Settings ................................................................321 Configuring the IP Options ....................................................................322 Configuring Aggregated Ethernet Interfaces (CLI Procedure) .......................323 Configuring Link Aggregation (J-Web Procedure) .........................................324 Configuring Aggregated Ethernet LACP (CLI Procedure) ..............................325
Table of Contents
xv
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configuring Unicast RPF (CLI Procedure) .....................................................326 Disabling Unicast RPF (CLI Procedure) ........................................................327 Chapter 25 Verifying Interfaces 329
Monitoring Interface Status and Traffic .......................................................329 Verifying the Status of a LAG Interface ........................................................330 Verifying That LACP Is Configured Correctly and Bundle Members Are Exchanging LACP Protocol Packets .......................................................330 Verifying the LACP Setup ......................................................................330 Verifying That the LACP Packets Are Being Exchanged .........................331 Verifying That Layer 3 Subinterfaces Are Working ......................................332 Verifying Unicast RPF Status .......................................................................332 Chapter 26 Troubleshooting Interfaces 337
Troubleshooting an Aggregated Ethernet Interface ......................................337 Troubleshooting Disabled or Down Interfaces .............................................337 Disabled port on EX 3200 switch with a 4-port Gigabit Ethernet uplink module (EX-UM-4SFP) installed ......................................................338 Port Role Configuration with the J-Web InterfaceCLI Reference ...............338 Troubleshooting Interface Configuration and Cable Faults ...........................343 Interface Configuration or Connectivity Is Not Working ........................343 Troubleshooting Unicast RPF .......................................................................343 Legitimate Packets Are Discarded .........................................................343 Chapter 27 Configuration Statements for Interfaces 345
Interface Configuration Statement Hierarchy ..............................................345 [edit interfaces] Configuration Statement Hierarchy .............................345 Individual Interface Configuration Statements .............................................346 802.3ad ..............................................................................................1335 auto-negotiation ..................................................................................1335 chassis ................................................................................................1335 description ..........................................................................................1335 ether-options ......................................................................................1335 family .................................................................................................1335 filter ....................................................................................................1335 flow-control ........................................................................................1335 l3-interface ..........................................................................................1335 lacp .....................................................................................................1335 link-mode ...........................................................................................1335 members ............................................................................................1335 mtu .......................................................................................................357 native-vlan-id ......................................................................................1335 periodic ..............................................................................................1335 port-mode ...........................................................................................1335 rpf-check ...............................................................................................360 speed ..................................................................................................1335
xvi
Table of Contents
Table of Contents
translate ..............................................................................................1335 unit .....................................................................................................1335 vlan .....................................................................................................1335 vlan-id ...................................................................................................365 vlan-tagging ..........................................................................................366 Chapter 28 Operational Mode Commands for Interfaces 367
show interfaces ...........................................................................................368 show interfaces ...........................................................................................378 show interfaces diagnostics optics ...............................................................389
Part 8
Chapter 29
Understanding Bridging and VLANs on EX-series Switches ..........................395 Ethernet LANs, Transparent Bridging, and VLANs .................................395 How Bridging Works .............................................................................396 Types of Switch Ports ...........................................................................398 IEEE 802.1Q Encapsulation and Tags ...................................................398 Assignment of Traffic to VLANs ............................................................398 Ethernet switching tables ......................................................................399 Layer 2 and Layer 3 Forwarding of VLAN Traffic ..................................399 GVRP ....................................................................................................399 Routed VLAN Interface .........................................................................400 Understanding Redundant Trunk Links on EX-series Switches ....................401 Understanding Storm Control on EX-series Switches ...................................403 Understanding Virtual Routing Instances on EX-series Switches ..................403 Understanding Q-in-Q Tunneling on EX-series Switches ..............................404 How Q-in-Q Tunneling Works ...............................................................404 Limitations for Q-in-Q Tunneling ..........................................................404 Understanding Unknown Unicast Forwarding on EX-series Switches ..........405 Understanding Private VLANs on EX-series Switches ...................................405 Chapter 30 Examples of Configuring Layer 2 Bridging, VLANs, and GVRP 407
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch ....407 Example: Setting Up Bridging with Multiple VLANs for EX-series Switches ...............................................................................................414 Example: Connecting an Access Switch to a Distribution Switch .................422 Example: Configure Automatic VLAN Administration Using GVRP ..............432 Example: Configuring Redundant Trunk Links for Faster Recovery .............447 Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches ...............................................................................................451 Example: Setting Up Q-in-Q Tunneling on EX-series Switches .....................453
Table of Contents
xvii
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Example: Configuring a Private VLAN on an EX-series Switch .....................455 Example: Using Virtual Routing Instances to Route Among VLANs on EX-series Switches ...............................................................................................460 Chapter 31 Configuring Layer 2 Bridging, VLANs, and GVRP 465
Configuring VLANs for EX-series Switches (J-Web Procedure) ......................465 Configuring VLANs for EX-series Switches (CLI Procedure) ..........................467 Configuring Routed VLAN Interfaces (CLI Procedure) ..................................468 Creating a Series of Tagged VLANs (CLI Procedure) .....................................470 Creating a Private VLAN (CLI Procedure) .....................................................471 Configuring Q-in-Q Tunneling (CLI Procedure) .............................................472 Configuring Virtual Routing Instances Using VRF (CLI Procedure) ...............473 Configuring MAC Table Aging (CLI Procedure) .............................................474 Configuring the Native VLAN Identifier (CLI Procedure) ...............................474 Unblocking an Interface That Receives BPDUs in Error (CLI Procedure) ......475 Configuring Unknown Unicast Forwarding (CLI Procedure) .........................476 Chapter 32 Verifying Layer 2 Bridging, VLANs, and GVRP 477
Verifying That a Series of Tagged VLANs Has Been Created ........................477 Verifying That Unknown Unicast Packets Are Forwarded to a Trunk Interface ...............................................................................................479 Verifying That Q-in-Q Tunneling Is Working ................................................479 Verifying That a Private VLAN Is Working ...................................................480 Verifying That Virtual Routing Instances Are Working .................................482 Chapter 33 Understanding Spanning Trees 485
Understanding STP for EX-series Switches ..................................................485 Understanding RSTP for EX-series Switches ................................................486 Understanding MSTP for EX-series Switches ...............................................487 Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches ...............................................................................................487 Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches ...............................................................................................489 Understanding Root Protection for STP, RSTP, and MSTP on EX-series Switches ...............................................................................................490 Chapter 34 Examples of Configuring Spanning Trees 491
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches ..........................................................491 Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches ...............................................................................................505 Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches ..................................................527
xviii
Table of Contents
Table of Contents
Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches ............................................531 Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches ................................................................................536 Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches ..................................................540 Chapter 35 Configuring Spanning Trees 547
Configuring STP (CLI Procedure) .................................................................547 Chapter 36 Configuration Statements for Bridging, VLANs, and Spanning Trees
549
[edit vlans] Configuration Statement Hierarchy ...........................................549 [edit interfaces] Configuration Statement Hierarchy ....................................550 [edit protocols] Configuration Statement Hierarchy .....................................550 alarm ...........................................................................................................555 block ...........................................................................................................556 bpdu-block ..................................................................................................557 bpdu-block-on-edge .....................................................................................558 bpdu-timeout-action ....................................................................................559 bridge-priority .............................................................................................560 configuration-name .....................................................................................561 cost .............................................................................................................562 customer-vlans ............................................................................................563 description ..................................................................................................563 disable .........................................................................................................564 disable .........................................................................................................589 disable-timeout ............................................................................................566 dot1q-tunneling ...........................................................................................567 dot1q-tunneling ...........................................................................................567 edge ............................................................................................................568 ethernet-switching-options ........................................................................1296 ether-type ....................................................................................................571 filter ..........................................................................................................1335 forward-delay ..............................................................................................573 group-name .................................................................................................574 gvrp .............................................................................................................575 hello-time ....................................................................................................576 instance-type ...............................................................................................577 interface ......................................................................................................577 interface ......................................................................................................578 interface ......................................................................................................579 interface ......................................................................................................580 interface ......................................................................................................581 interface ......................................................................................................582 join-timer ....................................................................................................582 l3-interface ................................................................................................1335
Table of Contents
xix
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
leaveall-timer ...............................................................................................584 leave-timer ..................................................................................................585 level ............................................................................................................586 mac-limit .....................................................................................................587 mac-table-aging-time .................................................................................1335 max-age ......................................................................................................589 max-hops ....................................................................................................590 members ...................................................................................................1335 mode ...........................................................................................................592 msti .............................................................................................................593 mstp ............................................................................................................594 native-vlan-id .............................................................................................1335 no-broadcast ...............................................................................................596 no-local-switching ........................................................................................596 no-root-port .................................................................................................597 no-unknown-unicast ....................................................................................598 port-mode .................................................................................................1335 primary-vlan ................................................................................................599 primary-vlan ................................................................................................600 priority ........................................................................................................601 redundant-trunk-group ................................................................................602 routing-instances .........................................................................................602 rstp ..............................................................................................................603 storm-control ..............................................................................................604 stp ...............................................................................................................605 traceoptions ................................................................................................606 translate ....................................................................................................1335 unknown-unicast-forwarding .......................................................................610 vlan ...........................................................................................................1335 vlan ...........................................................................................................1335 vlan .............................................................................................................612 vlan-id .......................................................................................................1335 vlan-range ...................................................................................................613 vlans ...........................................................................................................614 Chapter 37 Operational Mode Commands for Bridging, VLANs, and Spanning Trees
615
clear ethernet-switching bpdu-error .............................................................616 clear gvrp statistics ......................................................................................617 clear spanning-tree statistics .......................................................................618 show ethernet-switching interfaces ...........................................................1019 show ethernet-switching mac-learning-log ...................................................622 show ethernet-switching table .....................................................................624 show gvrp ...................................................................................................631 show gvrp statistics .....................................................................................633 show redundant-trunk-group .......................................................................635 show spanning-tree bridge ..........................................................................636 show spanning-tree interface ......................................................................640 show spanning-tree mstp configuration .......................................................644
xx
Table of Contents
Table of Contents
Part 9
Chapter 38
Layer 3 Protocols
Understanding Layer 3 Protocols 657
DHCP Services for EX-series Switches Overview .........................................657 DHCP/BOOTP Relay for EX-series Switches Overview .................................658 IGMP Snooping on EX-series Switches Overview .........................................659 How IGMP Snooping Works ..................................................................659 How IGMP Snooping Works with Routed VLAN Interfaces ....................660 How Hosts Join and Leave Multicast Groups .........................................662 Chapter 39 Examples of Configuring Layer 3 Protocols 663
Example: Configuring IGMP Snooping on EX-series Switches ......................663 Chapter 40 Configuring Layer 3 Protocols 667
Configuring BGP Sessions (J-Web Procedure) ...............................................667 Configuring DHCP Services (J-Web Procedure) ............................................668 Configuring IGMP Snooping (CLI Procedure) ...............................................671 Configuring an OSPF Network (J-Web Procedure) ........................................672 Configuring a RIP Network (J-Web Procedure) .............................................673 Configuring SNMP (J-Web Procedure) ..........................................................674 Configuring Static Routing (CLI Procedure) ..................................................678 Configuring Static Routing (J-Web Procedure) ..............................................679 Chapter 41 Verifying Layer 3 Protocols Monitoring Monitoring Monitoring Monitoring Monitoring Chapter 42 681
BGP Routing Information ..........................................................681 DHCP Services ..........................................................................683 OSPF Routing Information ........................................................684 RIP Routing Information ...........................................................686 Routing Information ..................................................................688 691
[edit protocols] Configuration Statement Hierarchy .....................................691 disable .........................................................................................................695 group .........................................................................................................1335 igmp-snooping ..........................................................................................1335 immediate-leave ........................................................................................1335 interface ....................................................................................................1335
Table of Contents
xxi
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
multicast-router-interface ..........................................................................1335 query-interval ............................................................................................1335 query-last-member-interval .......................................................................1335 query-response-interval .............................................................................1335 robust-count ..............................................................................................1335 traceoptions ..............................................................................................1335 vlan ...........................................................................................................1335 Chapter 43 Operational Mode Commands for Layer 3 Protocols 705
clear igmp-snooping membership .............................................................1306 clear igmp-snooping statistics ....................................................................1306 show igmp-snooping membership ..............................................................708 show igmp-snooping route ..........................................................................710 show igmp-snooping statistics .....................................................................712 show igmp-snooping vlans ..........................................................................713
Part 10
Chapter 44
802.1X for EX-series Switches Overview .....................................................718 Understanding 802.1X Authentication on EX-series Switches ......................719 Understanding 802.1X MAC RADIUS Authentication on EX-series Switches ...............................................................................................723 Understanding Server Fail Fallback and 802.1X Authentication on EX-series Switches ...............................................................................................725 Understanding Dynamic VLANs for 802.1X on EX-series Switches ..............726 Understanding Guest VLANs for 802.1X on EX-series Switches ...................726 Understanding 802.1X and AAA Accounting on EX-series Switches ............727 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches .....728 Understanding 802.1X Static MAC on EX-series Switches ...........................730 Understanding 802.1X and VoIP on EX-series Switches ..............................732 Understanding 802.1X and VSAs on EX-series Switches ..............................734 Port Security for EX-series Switches Overview ............................................734 Understanding How to Protect Access Ports on EX-series Switches from Common Attacks ..................................................................................736 Mitigation of Ethernet Switching Table Overflow Attacks ......................736 Mitigation of Rogue DHCP Server Attacks .............................................736 Protection Against ARP Spoofing Attacks ..............................................737 Protection Against DHCP Snooping Database Alteration Attacks ...........737 Protection Against DHCP Starvation Attacks .........................................737 Understanding DHCP Snooping for Port Security on EX-series Switches .....738 DHCP Snooping Basics ..........................................................................738 DHCP Snooping Process .......................................................................739
xxii
Table of Contents
Table of Contents
DHCP Server Access .............................................................................740 Switch, DHCP Clients, and DHCP Server Are All on the Same VLAN .......................................................................................740 Switch Acts as DHCP Server ...........................................................741 Switch Acts as Relay Agent .............................................................742 DHCP Snooping Table ...........................................................................743 Static IP Address Additions to the DHCP Snooping Database ................743 Understanding DAI for Port Security on EX-series Switches ........................744 Address Resolution Protocol .................................................................744 ARP Spoofing ........................................................................................744 DAI on EX-series Switches ....................................................................745 Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches ................................................................................746 MAC Limiting ........................................................................................746 MAC Move Limiting ..............................................................................746 Actions for MAC Limiting and MAC Move Limiting ...............................747 MAC Addresses That Exceed the MAC Limit or MAC Move Limit ..........747 Understanding Trusted DHCP Servers for Port Security on EX-series Switches ...............................................................................................748 Understanding DHCP Option 82 for Port Security on EX-series Switches ....748 DHCP Option 82 Processing .................................................................748 Suboption Components of Option 82 ....................................................749 Configurations of the EX-series Switch That Support Option 82 ............750 Switch and Clients Are on Same VLAN as DHCP Server .................750 Switch Acts as Relay Agent .............................................................750 Understanding IP Source Guard for Port Security on EX-series Switches .....751 IP Address Spoofing ..............................................................................752 How IP Source Guard Works .................................................................752 The IP Source Guard Database ..............................................................752 Typical Uses of Other JUNOS Software Features with IP Source Guard .............................................................................................753 Chapter 45 Examples of Configuring 802.1X, Port Security, and VoIP 755
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch ...................................................................................................756 Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX-series Switch .........................................761 Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch .........................................766 Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch ...................................................................................................770 Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch and a RADIUS Server ............................................................................775 Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch ..................................................779 Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch ...................................................................................................785 Example: Configuring VoIP on an EX-series Switch Without Including 802.1X Authentication ......................................................................................792
Table of Contents
xxiii
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Example: Configuring VoIP on an EX-series Switch Without Including LLDP-MED Support ...............................................................................798 Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using RADIUS Server Attributes on an EX-series Switch .......................802 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch ..................................808 Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks ..................................................................................................815 Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks ..............................................819 Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server ...........................................822 Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server ..............................................825 Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks .................................................................................829 Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks ...........................................................................832 Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks ........................................837 Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch ...................................................................................................840 Example: Configuring IP Source Guard on a Data VLANThat Shares an Interface with a Voice VLAN .................................................................848 Example: Configuring IP Source Guard with Other EX-series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces ....855 Chapter 46 Configuring 802.1X, Port Security, and VoIP 865
Configuring 802.1X Authentication (CLI Procedure) ....................................866 Configuring the RADIUS Server .............................................................866 Configuring Static MAC Bypass .............................................................867 Configuring 802.1X Interface Settings ...................................................867 Configuring 802.1X Authentication (J-Web Procedure) ................................868 Configuring MAC RADIUS Authentication (CLI Procedure) ...........................871 Configuring Server Fail Fallback (CLI Procedure) .........................................872 Configuring 802.1X RADIUS Accounting (CLI Procedure) ............................874 Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) ............................................................................................875 Load the Juniper Dictionary ..................................................................876 Configure a Match Statement ................................................................878 Apply a Port Firewall Filter Directly to the RADIUS Server Configuration (Optional) .......................................................................................879 Configuring LLDP (CLI Procedure) ...............................................................880 Configuring LLDP (J-Web Procedure) ...........................................................881 Configuring LLDP-MED (CLI Procedure) .......................................................882 VSA Match Conditions and Actions for EX-series Switches ..........................883 Configuring Port Security (CLI Procedure) ...................................................886
xxiv
Table of Contents
Table of Contents
Configuring Port Security (J-Web Procedure) ...............................................887 Enabling DHCP Snooping (CLI Procedure) ...................................................889 Enabling DHCP Snooping (J-Web Procedure) ...............................................890 Enabling a Trusted DHCP Server (CLI Procedure) ........................................891 Enabling a Trusted DHCP Server (J-Web Procedure) ....................................891 Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) .............................................892 Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) .........................................................895 Enabling Dynamic ARP Inspection (CLI Procedure) .....................................898 Enabling Dynamic ARP Inspection (J-Web Procedure) .................................898 Configuring MAC Limiting (CLI Procedure) ..................................................899 Configuring MAC Limiting (J-Web Procedure) ..............................................901 Configuring MAC Move Limiting (CLI Procedure) .........................................902 Configuring MAC Move Limiting (J-Web Procedure) .....................................903 Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure) ................................................................904 Configuring IP Source Guard (CLI Procedure) ..............................................904 Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) ............................................................................................906 Chapter 47 Verifying 802.1X, Port Security, and VoIP 907
Verifying 802.1X Authentication .................................................................907 Monitoring 802.1X Authentication ..............................................................908 Monitoring Port Security .............................................................................909 Verifying That DHCP Snooping Is Working Correctly ...................................910 Verifying That a Trusted DHCP Server Is Working Correctly ........................911 Verifying That DAI Is Working Correctly ......................................................912 Verifying That MAC Limiting Is Working Correctly ......................................913 Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly ........................................................................................913 Verifying That Allowed MAC Addresses Are Working Correctly .............914 Verifying Results of Various Action Settings When the MAC Limit Is Exceeded ........................................................................................914 Customizing the Ethernet Switching Table Display to View Information for a Specific Interface ....................................................................916 Verifying That MAC Move Limiting Is Working Correctly .............................917 Verifying That IP Source Guard Is Working Correctly ...................................918 Chapter 48 Configuration Statements for 802.1X, Port Security, and VoIP 919
[edit access] Configuration Statement Hierarchy .........................................919 [edit ethernet-switching-options] Configuration Statement Hierarchy ..........919 [edit forwarding options] Configuration Statement Hierarchy .....................921 [edit protocols] Configuration Statement Hierarchy .....................................922 access ..........................................................................................................927 accounting ...................................................................................................971 accounting-server ........................................................................................929 advertisement-interval ................................................................................930
Table of Contents
xxv
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
allowed-mac ..............................................................................................1335 arp-inspection ...........................................................................................1335 authentication-order ....................................................................................933 authentication-profile-name ........................................................................934 authentication-server ...................................................................................935 authenticator .............................................................................................1335 ca-type ........................................................................................................937 ca-value .......................................................................................................938 circuit-id ....................................................................................................1335 civic-based ..................................................................................................947 country-code ...............................................................................................941 dhcp-option82 ...........................................................................................1335 dhcp-trusted ..............................................................................................1335 disable .......................................................................................................1335 disable .......................................................................................................1335 disable .......................................................................................................1335 dot1x ...........................................................................................................946 elin ..............................................................................................................947 ethernet-switching-options ........................................................................1296 examine-dhcp ...........................................................................................1335 fast-start ......................................................................................................951 forwarding-class ..........................................................................................952 guest-vlan ....................................................................................................953 hold-multiplier .............................................................................................954 interface ....................................................................................................1335 interface ......................................................................................................956 interface ......................................................................................................957 interface ......................................................................................................958 interface ......................................................................................................959 interface ......................................................................................................960 ip-source-guard ..........................................................................................1335 lldp ..............................................................................................................962 lldp-med ......................................................................................................963 location .....................................................................................................1335 mac ...........................................................................................................1335 mac-limit ...................................................................................................1335 mac-move-limit .........................................................................................1335 mac-radius ..................................................................................................968 maximum-requests .....................................................................................969 no-allowed-mac-log .....................................................................................970 no-reauthentication .....................................................................................970 order ...........................................................................................................971 prefix ........................................................................................................1335 prefix ........................................................................................................1335 profile ..........................................................................................................974 quiet-period .................................................................................................975 radius ..........................................................................................................976 reauthentication ..........................................................................................977 remote-id ..................................................................................................1335 retries ..........................................................................................................979 secure-access-port .....................................................................................1335
xxvi
Table of Contents
Table of Contents
server-fail ....................................................................................................982 server-reject-vlan .........................................................................................983 server-timeout .............................................................................................984 static ...........................................................................................................985 static-ip .....................................................................................................1335 stop-on-access-deny ....................................................................................986 stop-on-failure .............................................................................................987 supplicant ....................................................................................................988 supplicant-timeout .......................................................................................989 traceoptions ..............................................................................................1335 traceoptions ..............................................................................................1335 traceoptions ..............................................................................................1335 transmit-delay ...........................................................................................1335 transmit-period ...........................................................................................996 use-interface-description ...........................................................................1335 use-string ..................................................................................................1335 use-vlan-id .................................................................................................1335 vendor-id ...................................................................................................1000 vlan ...........................................................................................................1335 vlan ...........................................................................................................1335 vlan-assignment ........................................................................................1002 voip ...........................................................................................................1003 what ..........................................................................................................1004 Chapter 49 Operational Mode Commands for 802.1X, Port Security, and VoIP
1005
clear arp inspection statistics .....................................................................1006 clear dhcp snooping binding .....................................................................1007 clear dot1x ................................................................................................1008 clear lldp neighbors ...................................................................................1009 clear lldp statistics .....................................................................................1010 show arp inspection statistics ....................................................................1011 show dhcp snooping binding .....................................................................1012 show dot1x ...............................................................................................1013 show dot1x authentication-failed-users .....................................................1017 show dot1x static-mac-address .................................................................1018 show ethernet-switching interfaces ...........................................................1019 show ip-source-guard ................................................................................1306 show lldp ...................................................................................................1024 show lldp local-info ...................................................................................1029 show lldp neighbors ..................................................................................1031 show lldp statistics ....................................................................................1034 show network-access aaa statistics accounting ..........................................1036 show network-access aaa statistics authentication ....................................1038 show network-access aaa statistics dynamic-requests ...............................1038
Table of Contents
xxvii
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Part 11
Chapter 50
Firewall Filters for EX-series Switches Overview ........................................1041 Firewall Filter Types ............................................................................1041 Firewall Filter Components .................................................................1042 Firewall Filter Processing ....................................................................1042 Understanding Planning of Firewall Filters ................................................1043 Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX-series Switches ............................................................1045 Understanding How Firewall Filters Control Packet Flows .........................1047 Firewall Filter Match Conditions and Actions for EX-series Switches .........1048 Understanding How Firewall Filters Are Evaluated ....................................1057 Understanding Firewall Filter Match Conditions ........................................1059 Filter Match Conditions .......................................................................1059 Numeric Filter Match Conditions ........................................................1059 Interface Filter Match Conditions ........................................................1060 IP Address Filter Match Conditions .....................................................1060 MAC Address Filter Match Conditions .................................................1061 Bit-Field Filter Match Conditions .........................................................1061 Understanding How Firewall Filters Test a Packet's Protocol .....................1063 Understanding the Use of Policers in Firewall Filters .................................1063 Chapter 51 Examples of Configuring Firewall Filters 1065
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches ..............................................................................1065 Chapter 52 Configuring Firewall Filters 1087
Configuring Firewall Filters (CLI Procedure) ...............................................1087 Configuring a Firewall Filter ................................................................1087 Applying a Firewall Filter to a Port on a Switch ...................................1090 Applying a Firewall Filter to a VLAN on a Network ..............................1091 Applying a Firewall Filter to a Layer 3 (Routed) Interface ....................1091 Configuring Firewall Filters (J-Web Procedure) ..........................................1092 Configuring Policers to Control Traffic Rates (CLI Procedure) ....................1096 Configuring Policers ............................................................................1097 Specifying Policers in a Firewall Filter Configuration ...........................1098 Applying a Firewall Filter That Is Configured with a Policer ................1098 Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure) ....................................................................1099
xxviii
Table of Contents
Table of Contents
Chapter 53
1101
Verifying That Firewall Filters Are Operational ..........................................1101 Verifying That Policers Are Operational .....................................................1102 Monitoring Firewall Filter Traffic ...............................................................1102 Monitoring Traffic for All Firewall Filters and Policers That Are Configured on the Switch ...............................................................................1103 Monitoring Traffic for a Specific Firewall Filter ....................................1103 Monitoring Traffic for a Specific Policer ..............................................1103 Chapter 54 Troubleshooting Firewall Filters 1105
Troubleshooting Firewall Filters .................................................................1105 Firewall Filter Configuration Returns a No Space Available in TCAM Message .......................................................................................1105 Chapter 55 Configuration Statements for Firewall Filters 1109
[edit firewall] Configuration Statement Hierarchy .....................................1109 Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches ..............................................................................1110 bandwidth-limit .........................................................................................1335 burst-size-limit ...........................................................................................1335 family ........................................................................................................1335 filter ..........................................................................................................1335 filter ..........................................................................................................1335 from ..........................................................................................................1335 if-exceeding ...............................................................................................1335 policer .......................................................................................................1335 term ..........................................................................................................1335 then ...........................................................................................................1335 then ...........................................................................................................1335 Chapter 56 Operational Mode Commands for Firewall Filters 1123
clear firewall ..............................................................................................1306 show firewall .............................................................................................1306 show interfaces filters ...............................................................................1306 show interfaces policers ............................................................................1306 show policer ..............................................................................................1306
Table of Contents
xxix
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Part 12
Chapter 57
CoS
Understanding CoS 1135
JUNOS CoS for EX-series Switches Overview .............................................1135 How JUNOS CoS Works ......................................................................1136 Default CoS Behavior on EX-series Switches .......................................1136 Understanding JUNOS CoS Components for EX-series Switches ................1137 Code-Point Aliases ..............................................................................1137 Policers ...............................................................................................1137 Classifiers ...........................................................................................1137 Forwarding Classes .............................................................................1138 Tail Drop Profiles ................................................................................1138 Schedulers ..........................................................................................1138 Rewrite Rules ......................................................................................1138 Understanding CoS Code-Point Aliases ......................................................1139 Default Code-Point Aliases ..................................................................1140 Understanding CoS Classifiers ...................................................................1142 Behavior Aggregate Classifiers ............................................................1142 Default Behavior Aggregate Classification .....................................1143 Multifield Classifiers ............................................................................1143 Understanding CoS Forwarding Classes .....................................................1144 Default Forwarding Classes .................................................................1144 Understanding CoS Tail Drop Profiles ........................................................1146 Understanding CoS Schedulers ..................................................................1146 Default Schedulers ..............................................................................1147 Transmission Rate ..............................................................................1147 Scheduler Buffer Size ..........................................................................1147 Priority Scheduling ..............................................................................1148 Scheduler Drop-Profile Maps ...............................................................1148 Scheduler Maps ...................................................................................1149 Understanding CoS Two-Color Marking .....................................................1149 Understanding CoS Rewrite Rules .............................................................1150 Default Rewrite Rule ...........................................................................1150 Understanding Port Shaping and Queue Shaping for CoS on EX-series Switches .............................................................................................1151 Port Shaping .......................................................................................1151 Queue Shaping ...................................................................................1151 Understanding JUNOS EZQoS for CoS Configurations on EX-series Switches .............................................................................................1151 Chapter 58 Examples of Configuring CoS 1153
Example: Configuring CoS on EX-series Switches ......................................1153 Chapter 59 Configuring CoS 1171
Configuring CoS (J-Web Procedure) ...........................................................1171 Defining CoS Code-Point Aliases (J-Web Procedure) ..................................1172
xxx
Table of Contents
Table of Contents
Defining CoS Code-Point Aliases (CLI Procedure) ......................................1174 Defining CoS Classifiers (CLI Procedure) ....................................................1175 Defining CoS Classifiers (J-Web Procedure) ...............................................1176 Defining CoS Forwarding Classes (CLI Procedure) .....................................1178 Defining CoS Forwarding Classes (J-Web Procedure) .................................1179 Defining CoS Schedulers (CLI Procedure) ..................................................1180 Defining CoS Schedulers (J-Web Procedure) ..............................................1180 Configuring CoS Tail Drop Profiles (CLI Procedure) ...................................1183 Defining CoS Rewrite Rules (CLI Procedure) ..............................................1184 Defining CoS Rewrite Rules (J-Web Procedure) ..........................................1184 Assigning CoS Components to Interfaces (CLI Procedure) .........................1186 Assigning CoS Components to Interfaces (J-Web Procedure) .....................1186 Configuring JUNOS EZQoS for CoS (CLI Procedure) ...................................1188 Chapter 60 Verifying CoS Monitoring Monitoring Monitoring Monitoring Monitoring Monitoring Chapter 61 1189
CoS Classifiers .........................................................................1189 CoS Forwarding Classes ..........................................................1190 Interfaces That Have CoS Components ...................................1191 CoS Rewrite Rules ...................................................................1192 CoS Scheduler Maps ................................................................1193 CoS Value Aliases ....................................................................1195 1197
[edit class-of-service] Configuration Statement Hierarchy ..........................1197 buffer-size .................................................................................................1335 class ..........................................................................................................1335 class-of-service ..........................................................................................1335 classifiers ..................................................................................................1335 code-point-aliases ......................................................................................1335 code-points ................................................................................................1335 drop-profile-map .......................................................................................1335 dscp ..........................................................................................................1335 forwarding-class ........................................................................................1335 forwarding-class ........................................................................................1335 ieee-802.1 .................................................................................................1335 import .......................................................................................................1335 inet-precedence .........................................................................................1335 interfaces ..................................................................................................1335 loss-priority ...............................................................................................1335 priority ......................................................................................................1335 protocol .....................................................................................................1335 rewrite-rules ..............................................................................................1335 scheduler-map ...........................................................................................1335 scheduler-maps .........................................................................................1335 schedulers .................................................................................................1335 shaping-rate ..............................................................................................1335 transmit-rate .............................................................................................1335 unit ...........................................................................................................1335
Table of Contents
xxxi
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Chapter 62
1221
Part 13
Chapter 63
PoE
Understanding PoE 1229
PoE and EX-series Switches Overview .......................................................1229 PoE and Power Supply Units in EX-series Switches .............................1229 Power Management Mode ..................................................................1230 Classes of Powered Devices ................................................................1230 Global and Specific PoE Parameters ....................................................1231 Chapter 64 Examples of Configuring PoE 1233
Example: Configuring PoE Interfaces on an EX-series Switch ....................1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch .................................................................................................1236 Chapter 65 Configuring PoE 1241
Configuring PoE (CLI Procedure) ...............................................................1241 Configuring PoE (J-Web Procedure) ...........................................................1243 Chapter 66 Verifying PoE 1245
Monitoring PoE .........................................................................................1245 Verifying Status of PoE Interfaces on an EX-series Switch .........................1246 Chapter 67 Configuration Statements for PoE 1247
[edit poe] Configuration Statement Hierarchy ...........................................1247 disable .......................................................................................................1335 duration ....................................................................................................1335 guard-band ................................................................................................1335 interface ....................................................................................................1335 interval ......................................................................................................1335 management .............................................................................................1335 maximum-power .......................................................................................1335 priority ......................................................................................................1335 telemetries ................................................................................................1335
xxxii
Table of Contents
Table of Contents
Chapter 68
1257
show poe controller ...................................................................................1258 show poe interface ....................................................................................1259 show poe telemetries interface ..................................................................1261
Part 14
Chapter 69
Understanding Real-Time Performance Monitoring on EX-series Switches .............................................................................................1265 RPM Packet Collection ........................................................................1266 Tests and Probe Types ........................................................................1266 Hardware Timestamps ........................................................................1266 Limitations of RPM .............................................................................1268 Chapter 70 Understanding Port Mirroring 1269
Port Mirroring on EX-series Switches Overview .........................................1269 Port Mirroring Overview .....................................................................1269 Limitations of Port Mirroring ........................................................1270 Port Mirroring Terminology ................................................................1271 Chapter 71 Examples of Configuring Port Mirroring 1273
Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches ...................................................1273 Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches ...................................................1279 Chapter 72 Configuring Port Mirroring 1285
Configuring Port Mirroring to Analyze Traffic (CLI Procedure) ...................1285 Configuring Port Mirroring for Local Traffic Analysis ...........................1286 Configuring Port Mirroring for Remote Traffic Analysis .......................1286 Filtering the Traffic Entering a Port Mirroring Analyzer .......................1287 Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) ...............1289 Chapter 73 Configuration Statements for Port Mirroring 1291
[edit ethernet-switching-options] Configuration Statement Hierarchy ........1291 analyzer ....................................................................................................1335 egress ........................................................................................................1335 ethernet-switching-options ........................................................................1296
Table of Contents
xxxiii
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
ingress .......................................................................................................1335 input .........................................................................................................1335 interface ....................................................................................................1335 loss-priority ...............................................................................................1335 output .......................................................................................................1335 ratio ..........................................................................................................1335 vlan ...........................................................................................................1335 Chapter 74 Operational Mode Commands for Port Mirroring 1305
Understanding Using sFlow Technology for Network Monitoring on an EX-series Switch .................................................................................1307 Chapter 76 Example of sFlow Technology Configuration 1309
Example: Monitoring Network Traffic Using sFlow Technology on EX-series Switches .............................................................................................1309 Chapter 77 Configuring sFlow Technology 1315
Configuring sFlow Technology for Network Monitoring (CLI Procedure) ....1315 Chapter 78 Configuration Statements for sFlow Technology 1317
[edit protocols] Configuration Statement Hierarchy ...................................1317 collector ....................................................................................................1335 disable .......................................................................................................1335 interfaces ..................................................................................................1335 polling-interval ..........................................................................................1335 sample-rate ...............................................................................................1335 sflow .........................................................................................................1335 udp-port ....................................................................................................1335 Chapter 79 Operational Mode Commands for sFlow Technology 1327
show sflow ................................................................................................1328 show sflow collector ..................................................................................1329 show sflow interface .................................................................................1330
xxxiv
Table of Contents
Table of Contents
Chapter 80
1331
[edit snmp] Configuration Statement Hierarchy ........................................1331 bucket-size ................................................................................................1335 history .......................................................................................................1335 interface ....................................................................................................1335 owner ........................................................................................................1335 rmon .........................................................................................................1335
Table of Contents
xxxv
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
xxxvi
Table of Contents
List of Figures
Figure 1: Basic VRRP on EX-series Switches ..................................................15 Figure 2: VRRP on EX 4200 Virtual Chassis Switches ....................................16 Figure 3: LCD Panel .......................................................................................61 Figure 4: Connecting PC to Port 0 .................................................................61 Figure 5: Connecting to the Console Port on the EX-series Switch ...............121 Figure 6: Console Session Redirection .........................................................143 Figure 7: Management Ethernet Port Redirection to VME ............................144 Figure 8: Normal Traffic Flow in a Ring Topology Using Dedicated VCPs ....149 Figure 9: Traffic Redirected by Fast Failover After Dedicated VCP Link Failure ..................................................................................................150 Figure 10: Normal Traffic Flow in a Ring Topology Using SFP Uplink Module VCPs .....................................................................................................151 Figure 11: Traffic Redirected by Fast Failover After SFP Uplink Module VCP Link Failure ...........................................................................................152 Figure 12: Traffic Redirected by Fast Failover After VCP Link Failures in a Topology with Multiple Rings ................................................................208 Figure 13: Basic Virtual Chassis with Master and Backup ............................161 Figure 14: Expanded Virtual Chassis in Single Wiring Closet .......................166 Figure 15: Default Configuration of Multimember Virtual Chassis in a Single Wiring Closet ........................................................................................171 Figure 16: A Virtual Chassis Interconnected Across Wiring Closets ..............179 Figure 17: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual Chassis Distribution Switch .....................................................186 Figure 18: Maximum Size Virtual Chassis Interconnected Across Wiring Closets ..................................................................................................200 Figure 19: Traffic Redirected by Fast Failover After VCP Link Failures in a Topology with Multiple Rings ................................................................208 Figure 20: Network Ports on the 24Port EX-series Switch ..........................282 Figure 21: Network Ports on the 48-Port EX-series Switch ...........................282 Figure 22: Symmetrically Routed Interfaces ................................................288 Figure 23: Asymmetrically Routed Interfaces ..............................................289 Figure 24: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual Chassis Distribution Switch .....................................................293 Figure 25: Redundant Trunk Group, Link 1 Active .......................................402 Figure 26: Redundant Trunk Group, Link 2 Active .......................................402 Figure 27: Topology for Configuration .........................................................423 Figure 28: GVRP Configured on Two Access Switches and One Distribution Switch for Automatic VLAN Administration ..........................................434 Figure 29: Topology for Configuring the Redundant Trunk Links .................449 Figure 30: Network Topology for RSTP ........................................................492 Figure 31: Network Topology for MSTP .......................................................507 Figure 32: BPDU Protection Topology .........................................................528
List of Figures
xxxvii
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Figure 33: BPDU Protection Topology .........................................................533 Figure 34: Network Topology for Loop Protection .......................................537 Figure 35: Network Topology for Root Protection ........................................542 Figure 36: IGMP Traffic Flow with IGMP Snooping Enabled .........................660 Figure 37: IGMP Traffic Flow with Routed VLAN Intefaces ..........................661 Figure 38: Example 802.1X Topology .........................................................721 Figure 39: Authentication Process ...............................................................722 Figure 40: Process Flowchart for Nonresponsive Host Requests ..................724 Figure 41: Process Flowchart for Non-Responsive Host Requests ................731 Figure 42: VoIP Multiple Supplicant Topology .............................................732 Figure 43: VoIP Single Supplicant Topology .................................................733 Figure 44: DHCP Snooping ..........................................................................739 Figure 45: DHCP Server Connected Directly to Switch ................................740 Figure 46: DHCP Server Connected Directly to Switch 2, with Switch 2 Connected to Switch 1 Through a Trusted Trunk Port ...........................741 Figure 47: Switch Is the DHCP Server ..........................................................742 Figure 48: Switch Acting as Relay Agent Through Router to DHCP Server ....743 Figure 49: DHCP Clients, Switch, and DHCP Server Are All on Same VLAN ....................................................................................................750 Figure 50: Switch Relays DHCP Requests to Server .....................................751 Figure 51: Topology for Configuration .........................................................762 Figure 52: Topology for Configuration .........................................................762 Figure 53: Topology for Guest VLAN Example .............................................767 Figure 54: Topology for Static MAC Authentication Configuration ...............772 Figure 55: Topology for MAC RADIUS Authentication Configuration ...........776 Figure 56: Topology for Configuring Supplicant Modes ................................781 Figure 57: VoIP Topology ............................................................................787 Figure 58: Topology for Firewall Filter and RADIUS Server Attributes Configuration ........................................................................................804 Figure 59: Network Topology for Basic Port Security ...................................838 Figure 60: Network Topology for Basic Port Security ...................................838 Figure 61: Network Topology for Basic Port Security ...................................838 Figure 62: Network Topology for Configuring DHCP Option 82 on a Switch That Is on the Same VLAN as the DHCP Clients and the DHCP Server ...................................................................................................827 Figure 63: Network Topology for Basic Port Security ...................................838 Figure 64: Network Topology for Basic Port Security ...................................838 Figure 65: Network Topology for Basic Port Security ...................................838 Figure 66: Network Topology for Port Security Setup with Two Switches on Same VLAN ...........................................................................................842 Figure 67: Firewall Filter Processing Points in the Packet Forwarding Path ....................................................................................................1046 Figure 68: Application of Firewall Filters to Control Packet Flow ...............1048 Figure 69: Evaluation of Terms within a Firewall Filter ..............................1058 Figure 70: Application of Port, VLAN, and Layer 3 Routed Firewall Filters ...1067 Figure 71: Packet Flow Across the Network ...............................................1136 Figure 72: Topology for Configuring CoS ...................................................1154 Figure 73: RPM Timestamps .....................................................................1267 Figure 74: Network Topology for Local Port Mirroring Example ................1274 Figure 75: Remote Port Mirroring Example Network Topology .................1280 Figure 76: sFlow Technology Monitoring System ......................................1310
xxxviii
List of Figures
List of Tables
Table 1: Summary of Software Features Available on EX-series Switches ........3 Table 2: Supported JUNOS Layer 3 Protocol Statements and Features .............9 Table 3: JUNOS Layer 3 Protocol Statements and Features That Are Not Supported ...............................................................................................10 Table 4: JUNOS Software Processes ...............................................................20 Table 5: EX 3200 Switch Models ...................................................................23 Table 6: EX 4200 Switch Models ...................................................................24 Table 7: J-Web Interface ................................................................................48 Table 8: J-Web Edit Point & Click Configuration Links ...................................50 Table 9: J-Web Edit Point & Click Configuration Icons ...................................51 Table 10: J-Web Edit Point & Click Configuration Buttons .............................51 Table 11: Switching Platform Configuration Interfaces ..................................53 Table 12: Install Remote Summary ...............................................................69 Table 13: Upload Package Summary .............................................................70 Table 14: Configuration File Terms ...............................................................74 Table 15: J-Web Configuration History Summary ..........................................75 Table 16: J-Web Configuration Database Information Summary ...................76 Table 17: Options for the load command ......................................................77 Table 18: Alarm Terms ..................................................................................93 Table 19: Secure Management Access Configuration Summary ....................96 Table 20: Date and Time Settings ..................................................................97 Table 21: J-Web Ping Host Field Summary ..................................................102 Table 22: Packet Capture Field Summary ....................................................103 Table 23: Traceroute field summary ............................................................106 Table 24: Summary of Key System Properties Output Fields .......................107 Table 25: Summary of System Process Information Output Fields ..............108 Table 26: User Management > Add a User Configuration Page Summary ..............................................................................................111 Table 27: Add an Authentication Server ......................................................111 Table 28: Summary of Key Alarm Output Fields .........................................116 Table 29: Filtering System Log Messages .....................................................117 Table 30: Viewing System Log Messages .....................................................118 Table 31: show smp rmon history Output Fields .........................................129 Table 32: Components of the Basic Virtual Chassis Access Switch Topology ...............................................................................................161 Table 33: Components of the Expanded Virtual Chassis Access Switch .......166 Table 34: Components of a Virtual Chassis Interconnected Across Multiple Wiring Closets .......................................................................................178 Table 35: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis Distribution Switch ..................................293 Table 36: Components of a Preprovisioned Virtual Chassis Interconnected Across Multiple Wiring Closets ..............................................................199
List of Tables
xxxix
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 37: Virtual Chassis Configuration Fields .............................................217 Table 38: Commands That Can be Run on All or Specific Members of the Virtual Chassis Configuration ................................................................232 Table 39: Commands Relevant Only to the Master ......................................234 Table 40: show system uptime Output Fields ..............................................264 Table 41: show virtual-chassis active-topology Output Fields .......................266 Table 42: show virtual-chassis fast-failover Output Fields ..........................1306 Table 43: show virtual-chassis Output Fields .............................................1306 Table 44: show virtual-chassis vc-port Output Fields ...................................271 Table 45: show virtual-chassis vc-port statistics Output Fields .....................274 Table 46: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis Distribution Switch ..................................293 Table 47: Components of the Topology for Creating Layer 3 Subinterfaces on an Access Switch and a Distribution Switch .....................................304 Table 48: Port Edit Options .........................................................................318 Table 49: Recommended CoS Settings for Port Roles ..................................320 Table 50: VLAN Options ..............................................................................325 Table 51: Port Role Configuration Summary ...............................................338 Table 52: Recommended CoS Settings for Port Roles ..................................341 Table 53: Gigabit Ethernet show interfaces Output Fields ............................368 Table 54: 10-Gigabit Ethernet show interfaces Output Fields .......................378 Table 55: 10-Gigabit Ethernet XFP Optics show interfaces diagnostics optics Output Fields ........................................................................................389 Table 56: Components of the Basic Bridging Configuration Topology ..........408 Table 57: Components of the Multiple VLAN Topology ................................415 Table 58: Components of the Topology for Connecting an Access Switch to a Distribution Switch .............................................................................423 Table 59: Components of the Network Topology .........................................434 Table 60: Components of the Redundant Trunk Link Topology ...................449 Table 61: Components of the Topology for Setting Up Q-in-Q Tunneling .....453 Table 62: Components of the Topology for Configuring a Private VLAN ......456 Table 63: VLAN Configuration Details ..........................................................466 Table 64: Components of the Topology for Configuring RSTP on EX-series Switches ...............................................................................................493 Table 65: Components of the Topology for Configuring MSTP on EX-series Switches ...............................................................................................507 Table 66: Components of the Topology for Configuring BPDU Protection on EX-series Switches ................................................................................533 Table 67: Components of the Topology for Configuring BPDU Protection on EX-series Switches ................................................................................533 Table 68: Components of the Topology for Configuring Loop Protection on EX-series Switches ................................................................................537 Table 69: Components of the Topology for Configuring Root Protection on EX-series Switches ................................................................................542 Table 70: show ethernet-switching interfaces Output Fields ......................1019 Table 71: show ethernet-switching mac-learning-log Output Fields .............622 Table 72: show ethernet-switching table Output Fields ................................625 Table 73: show gvrp Output Fields ..............................................................631 Table 74: show gvrp statistics Output Fields ................................................633 Table 75: show redundant-trunk-group Output Fields ..................................635 Table 76: show spanning-tree bridge Output Fields .....................................636
xl
List of Tables
List of Tables
Table 77: show spanning-tree interface Output Fields .................................640 Table 78: show spanning-tree mstp configuration Output Fields .................644 Table 79: show spanning-tree statistics Output Fields .................................645 Table 80: show vlans Output Fields ...........................................................1034 Table 81: Components of the IGMP Snooping Topology ..............................664 Table 82: BGP Routing Configuration Summary ..........................................667 Table 83: DHCP Server Configuration Pages Summary ...............................669 Table 84: OSPF Routing Configuration Summary ........................................672 Table 85: RIP Routing Configuration Summary ...........................................673 Table 86: SNMP Configuration Page ............................................................674 Table 87: Static Routing Configuration Summary ........................................679 Table 88: Summary of Key BGP Routing Output Fields ...............................681 Table 89: Summary of DHCP Output Fields .................................................683 Table 90: Summary of Key OSPF Routing Output Fields .............................685 Table 91: Summary of Key RIP Routing Output Fields ................................687 Table 92: Summary of Key Routing Information Output Fields ...................688 Table 93: show igmp-snooping membership Output Fields .......................1306 Table 94: show igmp-snooping route Output Fields ...................................1306 Table 95: show igmp-snooping statistics Output Fields ..............................1306 Table 96: show igmp-snooping vlans Output Fields ...................................1306 Table 97: Components of the Topology .......................................................804 Table 98: Components of the Topology .......................................................804 Table 99: Components of the Guest VLAN Topology ...................................768 Table 100: Components of the Static MAC Authentication Configuration Topology ...............................................................................................777 Table 101: Components of the MAC RADIUS Authentication Configuration Topology ...............................................................................................777 Table 102: Components of the Supplicant Mode Configuration Topology ....782 Table 103: Components of the VoIP Configuration Topology ......................787 Table 104: Components of the Firewall Filter and RADIUS Server Attributes Topology ...............................................................................................804 Table 105: Components of the Port Security Topology ................................838 Table 106: Components of the Port Security Topology ................................838 Table 107: Components of the Port Security Topology ................................838 Table 108: Components of the Port Security Topology ................................838 Table 109: Components of the Port Security Topology ................................838 Table 110: Components of the Port Security Topology ................................838 Table 111: Components of Port Security Setup on Switch 1 with a DHCP Server Connected to Switch 2 ...............................................................842 Table 112: RADIUS Server Settings .............................................................869 Table 113: 802.1X Exclusion List ................................................................869 Table 114: 802.1X Port Settings ..................................................................870 Table 115: Global Settings ...........................................................................881 Table 116: Edit Port Settings .......................................................................881 Table 117: Match Conditions .......................................................................884 Table 118: Actions for VSAs ........................................................................885 Table 119: Port Security Settings on VLANs .................................................888 Table 120: Port Security on Interfaces .........................................................888 Table 121: show arp inspection statistics Output Fields .............................1011 Table 122: show dhcp snooping binding Output Fields .............................1012 Table 123: show dot1x Output Fields ........................................................1013
List of Tables
xli
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 124: show dot1x static-mac-address Output Fields ..........................1018 Table 125: show dot1x static-mac-address Output Fields ..........................1018 Table 126: show ethernet-switching interfaces Output Fields ....................1019 Table 127: show ip-source-guard Output Fields .........................................1306 Table 128: show lldp Output Fields ...........................................................1024 Table 129: show lldp local-info Output Fields ............................................1029 Table 130: show lldp neighbors Output Fields ...........................................1031 Table 131: show lldp statistics Output Fields .............................................1034 Table 132: show network-access aaa statistics accounting Output Fields ...1036 Table 133: show network-access aaa statistics authentication Output Fields ..................................................................................................1037 Table 134: show network-access aaa statistics dynamic-requests Output Fields ..................................................................................................1038 Table 135: Supported Match Conditions for Firewall Filters on EX-series Switches .............................................................................................1049 Table 136: Actions for Firewall Filters .......................................................1056 Table 137: Action Modifiers for Firewall Filters .........................................1056 Table 138: Actions for Firewall Filters .......................................................1062 Table 139: Configuration Components: Firewall Filters .............................1066 Table 140: Configuration Components: VLANs ..........................................1067 Table 141: Configuration Components: Switch Ports on a 48-Port All-PoE Switch .................................................................................................1068 Table 142: Create a New Filter ..................................................................1093 Table 143: Create a New Term ..................................................................1093 Table 144: Term-Advanced Options ..........................................................1094 Table 145: Supported Options for Firewall Filter Statements .....................1110 Table 146: Firewall Filter Statements That Are Not Supported byJUNOS Software for EX-series switches ..........................................................1112 Table 147: show firewall Output Fields ......................................................1306 Table 148: show interfaces filters Output Fields ........................................1306 Table 149: show interfaces policers Output Fields .....................................1306 Table 150: show policer Output Fields ......................................................1306 Table 151: Default Code-Point Aliases .......................................................1140 Table 152: Default BA Classification ..........................................................1143 Table 153: Default Forwarding Classes ......................................................1144 Table 154: Default Packet Header Rewrite Mappings ................................1150 Table 155: Configuration Components: VLANs ..........................................1155 Table 156: Configuration Components: Switch Ports on a 48-Port All-PoE Switch .................................................................................................1155 Table 157: CoS Value Aliases Configuration Pages Summary ....................1172 Table 158: BA-classifier Loss Priority Assignments ....................................1175 Table 159: Classifiers Configuration Page Summary ..................................1176 Table 160: Forwarding Classes Configuration Pages Summary ..................1179 Table 161: Schedulers Configuration Page Summary ................................1181 Table 162: Scheduler Maps Configuration Page Summary .........................1182 Table 163: Rewrite Rules Configuration Page Summary ............................1185 Table 164: Assigning CoS Components to Interfaces .................................1187 Table 165: Summary of Key CoS Classifier Output Fields ..........................1189 Table 166: Summary of Key CoS Forwarding Class Output Fields .............1191 Table 167: Summary of Key CoS Interfaces Output Fields .........................1191 Table 168: Summary of Key CoS Rewrite Rules Output Fields ...................1192
xlii
List of Tables
List of Tables
Table 169: Summary of Key CoS Scheduler Maps Output Fields ...............1193 Table 170: Summary of Key CoS Value Alias Output Fields .......................1195 Table 171: show class-of-service Output Fields ..........................................1222 Table 172: Class of Powered Device and Power Levels ..............................1230 Table 173: Components of the PoE Configuration Topology ......................1234 Table 174: Components of the PoE Configuration Topology ......................1237 Table 175: PoE Edit Settings ......................................................................1243 Table 176: System Settings .......................................................................1243 Table 177: show poe controller Output Fields ...........................................1258 Table 178: show poe interface Output Fields .............................................1259 Table 179: show poe telemetries interface Output Fields ..........................1261 Table 180: Port Mirroring Configuration Settings .......................................1289 Table 181: command-name Output Fields ................................................1306 Table 182: show sflow Output Fields .........................................................1328 Table 183: show sflow collector Output Fields ...........................................1329 Table 184: show sflow interface Output Fields ..........................................1330
List of Tables
xliii
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
xliv
List of Tables
How To Use This Guide on page xlv List of EX-series Guides for JUNOS 9.3 on page xlv Downloading Software on page xlvi Documentation Symbols Key on page xlvii Documentation Feedback on page xlviii Getting Support on page xlix
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
xlv
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Title JUNOS Software for EX-series Switches, Release 9.3: Configuration and File Management JUNOS Software for EX-series Switches, Release 9.3: Class of Service JUNOS Software for EX-series Switches, Release 9.3: Device Security JUNOS Software for EX-series Switches, Release 9.3: Ethernet Switching JUNOS Software for EX-series Switches, Release 9.3: Interfaces JUNOS Software for EX-series Switches, Release 9.3: Layer 3 Protocols JUNOS Software for EX-series Switches, Release 9.3: Multicast JUNOS Software for EX-series Switches, Release 9.3: Network Management and Monitoring JUNOS Software for EX-series Switches, Release 9.3: Port Security JUNOS Software for EX-series Switches, Release 9.3: Routing Policy and Packet Filtering JUNOS Software for EX-series Switches, Release 9.3: Spanning-Tree Protocols JUNOS Software for EX-series Switches, Release 9.3: System Setup JUNOS Software for EX-series Switches, Release 9.3: User and Access Management JUNOS Software Guide for EX-series Switches, Release 9.3: Virtual Systems J-Web User Interface Guide for JUNOS Software for EX-series Switches
Description
How to use the J-Web graphical user interface (GUI) with JUNOS for EX-series software Summary of hardware and software features and known problems with the software and hardware
Downloading Software
You can download the JUNOS for EX-series software from the Download Software area at http://www.juniper.net/customers/support/. To download the software, you must have a Juniper Networks user account. For information about obtaining an account, see http://www.juniper.net/entitlement/setupAccountInfo.do.
xlvi
Downloading Software
Caution
Warning
Laser warning
Examples To enter configuration mode, type the configure command: user@host> configure
Introduces important new terms. Identifies book names. Identifies RFC and Internet draft titles.
A policy term is a named structure that defines match conditions and actions. JUNOS System Basics Configuration Guide RFC 1997, BGP Communities Attribute
Represents variables (options for which you substitute a value) in commands or configuration statements.
Configure the machines domain name: [edit] root@# set system domain-name domain-name
Represents names of configuration statements, commands, files, and directories; IP addresses; configuration hierarchy levels; or labels on routing platform components.
To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE.
xlvii
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Text and Syntax Conventions Convention | (pipe symbol) Description Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. Indicates a comment specified on the same line as the configuration statement to which it applies. Enclose a variable for which you can substitute one or more values. Identify a level in the configuration hierarchy. Examples
broadcast | multicast (string1 | string2 | string3)
# (pound sign)
[ ] (square brackets)
; (semicolon)
Represents J-Web graphical user interface (GUI) items you click or select.
In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. Send email to techpubs-comments@juniper.net with the following:
Document URL or title Page number if applicable Software version Your name and company
xlviii
Documentation Feedback
Getting Support
For technical support, open a support case with the Case Manager link at http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere).
Getting Support
xlix
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Getting Support
Part 1
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Chapter 1
Product Overview
Software Overview
EX-series Switch Software Features Overview on page 3 Layer 3 Protocols Supported on EX-series Switches on page 9 Layer 3 Protocols Not Supported on EX-series Switches on page 10 Security Features for EX-series Switches Overview on page 12 High Availability Features for EX-series Switches Overview on page 14 Understanding Software Infrastructure and Processes on page 19
J-Web event view for system log messages Real-time performance monitoring (RPM) System log (syslog) Traceroute tool in J-Web interface
Software Overview
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Administration
Configuration rollback Confirmation of configuration changes Software upgrades Support for RADIUS external administrator databases Supports the following features for automating network operations and troubleshooting:
JUNOS 9.0R2
Commit scripts Operation scripts Event policies JUNOS 9.0R2 JUNOS 9.0R2
Encapsulation
Media access control (MAC) encapsulation 802.1p tagging JUNOS 9.0R2 JUNOS 9.3R2 JUNOS 9.1R1
Graceful protocol restart for OSPF and BGP Graceful protocol restart for IS-IS Graceful Routing Engine switchover (GRES) for EX 4200 Virtual Chassis configurations Link aggregation Redundant trunk groups Virtual Chassis atomic software upgrade Virtual Chassis fast failover Virtual Chassis split and merge Virtual Chassis support for SFP uplink module ports Virtual Router Redundancy Protocol (VRRP)
JUNOS 9.0R2 JUNOS 9.0R2 JUNOS 9.3R2 JUNOS 9.3R2 JUNOS 9.3R2 JUNOS 9.2R1
JUNOS 9.0R2
IP Address Management
Dynamic Host Configuration Protocol (DHCP) Local DHCP server Static addresses DHCPv6 and IPv6 DNS DHCP server and relay with option 82 for Layer 2 VLAN
Internet Protocols
JUNOS 9.0R2 JUNOS 9.3R2 JUNOS 9.1R1 JUNOS 9.1R1 JUNOS 9.0R2 JUNOS 9.0R2
BPDU protection for spanning-tree protocols GARP VLAN Registration Protocol (GVRP) Link Layer Discovery Protocol (LLDP) Link Layer Discovery Protocol MediaEndpoint Discovery (LLDP-MED) with voice over IP (VoIP) integration Loop protection for spanning-tree protocols Private VLANs Q-in-Q tunneling Root protection for spanning-tree protocols Storm control Routed VLAN interfaces (RVIs) Spanning tree:
JUNOS 9.1R1 JUNOS 9.3R2 JUNOS 9.3R2 JUNOS 9.1R1 JUNOS 9.1R1 JUNOS 9.0R2 JUNOS 9.0R2
Spanning Tree Protocol (STP) Rapid Spanning Tree Protocol (RSTP) Multiple Spanning Tree Protocol (MSTP) JUNOS 9.3R2 JUNOS 9.2R1 JUNOS 9.2R1
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Layer 3 Protocols
Bidirectional Forwarding Detection (BFD) Border Gateway Protocol (BGP) A separate software license is required for BGP and MBGP. See Software Licenses for the EX-series Switch Overview on page 85. Distance Vector Multicast Routing Protocol (DVMRP) Intermediate System-to-Intermediate System (IS-IS) A separate software license is required for IS-IS. See Software Licenses for the EX-series Switch Overview on page 85. IGMP snooping IGMP snooping with routed VLAN interfaces (RVIs) Internet Group Management Protocol (IGMP) Open Shortest Path First (OSPF) Protocol Independent Multicast Sparse Mode (PIM SM) See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/. Protocol Independent Multicast Dense Mode (PIM DM) See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/. Protocol Independent Multicast Source Specific Multicast (PIM SSM) See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/. Routing Information Protocol version 1 (RIPv1) and RIPv2 Single-source multicast Static routes
JUNOS 9.0R2
JUNOS 9.0R2
JUNOS 9.3R2
JUNOS 9.3R2
JUNOS 9.0R2
Virtual routing and forwarding (VRF)virtual routing instances IPv6 protocols: OSPFv3, RIPng, IS-IS for IPv6, IPv6 BGP
Security
JUNOS 9.3R2
802.1X authentication Denial-of-service (DoS) and distributed DoS (DDoS) protection Firewall filters and rate limiting Dynamic firewall filters for 802.1X authentication Firewall filter processing points, additional Port security:
Dynamic ARP inspection (DAI) MAC limiting MAC move limiting Static ARP support JUNOS 9.2R1
Port security:
Port security:
DHCP option 82 JUNOS 9.2R1 JUNOS 9.3R2 JUNOS 9.3R2 JUNOS 9.3R2
MAC-based VLAN MAC RADIUS authentication Server fail fallback Unicast reverse-path forwarding (RPF)
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
System Management
JUNOS command-line interface (CLI)For switch configuration and management through the console, Telnet, SSH, or J-Web CLI editor J-Web interfaceFor switch configuration and management J-Web license-management tool J-Web Port Troubleshooting tool Power over Ethernet (PoE) power management mode Simple Network Management Protocol version 1 (SNMPv1) and SNMPv2 System logging (syslog) over IPv6
JUNOS 9.0R2
JUNOS 9.0R2
Traffic Management
Class of service (CoS)Class-based queuing with prioritization Class-of-service (CoS) support on LAG interfaces JUNOS EZQoS for CoS Policing Port shaping and queue shaping Port mirroring sFlow monitoring technology Transparent bridging
JUNOS 9.0R2
JUNOS 9.2R1
JUNOS 9.3R2 JUNOS 9.0R2 JUNOS 9.3R2 JUNOS 9.0R1 JUNOS 9.3R2 JUNOS 9.0R2
Related Topics
Features in JUNOS Software for EX-series Switches, Release 9.0 Features in JUNOS Software for EX-series Switches, Release 9.1 Features in JUNOS Software for EX-series Switches, Release 9.2 New Features in JUNOS Software for EX-series Switches, Release 9.3 EX 3200 and EX 4200 Switches Hardware Overview on page 21 High Availability Features for EX-series Switches Overview on page 14 Layer 3 Protocols Supported on EX-series Switches on page 9 Layer 3 Protocols Not Supported on EX-series Switches on page 10
BGP
Fully supported.
See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/. See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/. See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/. See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/ See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/. See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/. See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/. See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/. See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/. See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/. See the JUNOS Software Network Management Configuration Guide at http://www.juniper.net/techpubs/software/junos/. See High Availability Features for EX-series Switches Overview on page 14. See also the JUNOS Software High Availability Guide at http://www.juniper.net/techpubs/software/junos/.
BFD
Fully supported.
DVMRP
Supported, with the exceptions noted in Layer 3 Protocols Not Supported on EX-series Switches on page 10. Fully supported.
ICMP
IGMPv1, v2 and v3
Fully supported.
IS-IS
Supported, with the exceptions noted in Layer 3 Protocols Not Supported on EX-series Switches on page 10. Supported, with the exceptions noted in Layer 3 Protocols Not Supported on EX-series Switches on page 10. Supported, with the exception of IPv6.
OSPFv1, v2 and v3
PIM
RIP
Fully supported.
RIPng
Fully supported.
SNMP
Fully supported.
VRRP
Fully supported with exception of IPv6 support of VRRP on routed VLAN interfaces.
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Layer 3 Protocols Not Supported on EX-series Switches on page 10 EX-series Switch Software Features Overview on page 3
Not supported.
[edit services] statements related to IPSec clns-routing statement ipv6-multicast statement lsp-interval statement label-switched-path statement lsp-lifetime statement te-metric statement traffic-engineering and subordinate statements l2tp and subordinate statements
10
Table 3: JUNOS Layer 3 Protocol Statements and Features That Are Not Supported (continued)
Feature Configuration Statements Not Supported on EX-Series Switches
MPLS:
ldp and all subordinate statements mpls and all subordinate statements
All of MPLS Label Distribution Protocol (LDP) Layer 3 VPNs Multiprotocol BGP (MP-BGP) for VPN-IPv4 family Pseudowire emulation (PWE3) Resource Reservation Protocol (RSVP) Routing policy statements related to Layer 3 VPNs and MPLS Traffic engineering (TE) extensions in OSPF and IS-IS
Traffic engineering
PIM:
IPv6
Routing instances:
l2vpn and subordinate statements ldp and subordinate statements vpls and subordinate statements sap and all subordinate statements auto-export and subordinate statements dynamic-tunnels and subordinate statements lsp-next-hop and subordinate statements multicast and subordinate statements p2mp-lsp-next-hop and subordinate statements route-distinguisher-id statement
11
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 3: JUNOS Layer 3 Protocol Statements and Features That Are Not Supported (continued)
Feature Configuration Statements Not Supported on EX-Series Switches
accounting and subordinate statements family mpls and family multiservice under hash-key hierarchy
cflowd statement export-format-cflowd-version-5 statement flow-active-timeout statement flow-export-destination statement flow-inactive-timeout statement interface statement
port-mirroring statement (On EX-series switches, port mirroring is implemented using the analyzer statement.) sampling and subordinate statements
Related Topics
Layer 3 Protocols Supported on EX-series Switches on page 9 EX-series Switch Software Features Overview on page 3
User and group accounts with password encryption and authentication. Access privilege levels configurable for login classes and user templates.
12
RADIUS authentication, TACACS+ authentication, or both, for authenticating users who attempt to access the switch. Auditing of configuration changes through system logging or RADIUS/TACACS+.
802.1X AuthenticationProvides network access control. Supplicants (hosts) are authenticated when they initially connect to a LAN. Authenticating supplicants before they receive an IP address from a DHCP server prevents unauthorized supplicants from gaining access to the LAN. EX-series switches support Extensible Authentication Protocol (EAP) methods, including EAP-MD5, EAP-TLS, EAP-TTLS, and EAP-PEAP. Port SecurityAccess port security features include:
DHCP snoopingFilters and blocks ingress DHCP server messages on untrusted ports; builds and maintains an IP-address/MAC-address binding database (called the DHCP snooping database). Dynamic ARP inspection (DAI)Prevents ARP spoofing attacks. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. MAC limitingProtects against flooding of the Ethernet switching table. MAC move limitingDetects MAC movement and MAC spoofing on access ports. Prevents hosts whose MAC addresses have not been learned by the switch from accessing the network. Trusted DHCP serverWith a DHCP server on a trusted port, protects against rogue DHCP servers sending leases. IP source guardMitigates the effects of IP address spoofing attacks on the Ethernet LAN. The source IP address in the packet sent from an untrusted access interface is validated against the source MAC address in the DHCP snooping database. The packet is allowed for further processing if the source IP address to source MAC address binding is valid; if the binding is not valid, the packet is discarded. DHCP option 82Also known as the DHCP relay agent information option. Helps protect the EX-series switch against attacks such as spoofing (forging) of IP addresses and MAC addresses and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client.
Firewall FiltersAllow auditing of various types of security violations, including attempts to access the switch from unauthorized locations. Firewall filters can detect such attempts and create audit log entries when they occur. The filters can also restrict access by limiting traffic to source and destination MAC addresses, specific protocols, or, in combination with policers, to specified data rates to prevent denial of service (DoS) attacks. PolicersProvide rate-limiting capability to control the amount of traffic that enters an interface, which acts to counter DoS attacks. Encryption StandardsSupported standards include:
13
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
56-bit Data Encryption Standard (DES) and 168-bit 3DES 802.1X for EX-series Switches Overview on page 718 Firewall Filters for EX-series Switches Overview on page 1041 Port Security for EX-series Switches Overview on page 734 Understanding the Use of Policers in Firewall Filters on page 1063
Related Topics
VRRP on page 14 Graceful Protocol Restart on page 16 EX 4200 Redundant Routing Engines on page 17 EX 4200 Graceful Routing Engine Switchover on page 17 EX 4200 Virtual Chassis Software Upgrade and Failover Features on page 18 Link Aggregation on page 18 Additional High Availability Features of EX-series Switches on page 18
VRRP
For Gigabit Ethernet interfaces, 10-Gigabit Ethernet interfaces, and logical interfaces on EX-series switches, you can configure the Virtual Router Redundancy Protocol (VRRP). The switches act as virtual routing platforms. VRRP enables hosts on a LAN to make use of redundant routing platforms on that LAN without requiring more than the static configuration of a single default route on the hosts. The VRRP routing platforms share the IP address corresponding to the default route configured on the hosts. At any time, one of the VRRP routing platforms is the master (active) and the others are backups. If the master routing platform fails, one of the backup routing platforms becomes the new master, providing a virtual default routing platform and enabling traffic on the LAN to be routed without relying on a single routing platform. Using VRRP, a backup EX-series switch can take over a failed default switch within few seconds. This is done with minimum VRRP traffic and without any interaction with the hosts.
NOTE: The VRRP master and backup routing platforms should not be confused with the master and backup member switches of a Virtual Chassis configuration. The master and backup members of a Virtual Chassis configuration compose a single host. In a VRRP topology, one host operates as a master routing platform and another host operates as a backup routing platform, as shown in Figure 2 on page 16. Switches running VRRP dynamically elect master and backup routing platforms. You can also force assignment of master and backup routing platforms using priorities from 1 through 255, with 255 being the highest priority. In VRRP operation, the
14
default master routing platform sends advertisements to backup routing platforms at regular intervals. The default interval is 1 second. If a backup routing platform does not receive an advertisement for a set period, the backup routing platform with the next highest priority takes over as master and begins forwarding packets. Figure 1 on page 15 illustrates a basic VRRP topology with EX-series switches. In this example, Switches A, B, and C are running VRRP and together they make up a virtual routing platform. The IP address of this virtual routing platform is 10.10.0.1 (the same address as the physical interface of Switch A).
Figure 1: Basic VRRP on EX-series Switches
Figure 2 on page 16 illustrates a basic VRRP topology using Virtual Chassis configurations. Switch A, Switch B, and Switch C are each composed of multiple interconnected EX 4200 switches. Each Virtual Chassis configuration operates as a single switch, which is running VRRP, and together they make up a virtual routing platform. The IP address of this virtual routing platform is 10.10.0.1 (the same address as the physical interface of Switch A).
15
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Because the virtual routing platform uses the IP address of the physical interface of Switch A, Switch A is the master VRRP routing platform, while switches B and C function as backup VRRP routing platforms. Clients 1 through 3 are configured with the default gateway IP address of 10.10.0.1. As the master router, Switch A forwards packets sent to its IP address. If the master virtual routing platform fails, the switch configured with the higher priority becomes the master virtual routing platform and provides uninterrupted service for the LAN hosts. When Switch A recovers, it becomes the master virtual routing platform again. VRRP is defined in RFC 3768, Virtual Router Redundancy Protocol.
16
rapid restoration of forwarding state information so it can resume the forwarding of network traffic. The helper switch assists the restarting switch in this process. Individual graceful restart configuration statements typically apply to either the restarting switch or the helper switch.
Runs various routing protocols Provides the forwarding table to the Packet Forwarding Engines (PFEs) in all the member switches of the Virtual Chassis configuration Runs other management and control processes for the entire Virtual Chassis configuration
The master Routing Engine, which is in the master of the Virtual Chassis configuration, runs JUNOS software in the master role. It receives and transmits routing information, builds and maintains routing tables, communicates with interfaces and Packet Forwarding Engine components of the member switches, and has full control over the Virtual Chassis configuration. The backup Routing Engine, which is in the backup of the Virtual Chassis configuration, runs JUNOS software in a backup role. It stays in sync with the master Routing Engine in terms of protocol states, forwarding tables, and so forth. If the master becomes unavailable, the backup Routing Engine takes over the functions that the master Routing Engine performs.
17
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Graceful Routing Engine switchover on EX 4200 switches supports software features in JUNOS Release 9.2 or later for EX-series switches.
Virtual Chassis atomic software upgradeWhen you upgrade software in a Virtual Chassis configuration, the upgrade will either succeed or fail on all member switches, preventing the situation in which only some Virtual Chassis member switches are upgraded. Virtual Chassis fast failoverA hardware-assisted failover mechanism that automatically reroutes traffic and reduces traffic loss in the event of a link failure. Virtual Chassis split and mergeIf there is a disruption to the Virtual Chassis configuration due to member switches failing or being removed from the configuration, the Virtual Chassis configuration splits into two separate Virtual Chassis.
Link Aggregation
You can combine multiple physical Ethernet ports to form a logical point-to-point link, known as a link aggregation group (LAG) or bundle. A LAG provides more bandwidth than a single Ethernet link can provide. Additionally, link aggregation provides network redundancy by load-balancing traffic across all available links. If one of the links should fail, the system automatically load-balances traffic across all remaining links. You can select up to eight Ethernet interfaces and include them within a link aggregation group. In an EX 4200 Virtual Chassis configuration composed of multiple members, the interfaces that compose a LAG can be on different members of the Virtual Chassis. See Understanding Virtual Chassis Configurations and Link Aggregation on page 146.
18
Related Topics
For more information on high availability features, see the JUNOS Software High Availability Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html. Virtual Chassis Overview on page 135 Understanding Virtual Chassis Components on page 137 Understanding Virtual Chassis Configurations and Link Aggregation on page 146
Routing Engine and Packet Forwarding Engine on page 19 JUNOS Software Processes on page 19
Packet Forwarding EngineProcesses packets; applies filters, routing policies, and other features; and forwards packets to the next hop along the route to their final destination. Routing EngineProvides three main functions:
Creates the packet forwarding switch fabric for the switch, providing route lookup, filtering, and switching on incoming data packets, then directing outbound packets to the appropriate interface for transmission to the network Maintains the routing tables used by the switch and controls the routing protocols that run on the switch. Provides control and monitoring functions for the switch, including controlling power and monitoring system status.
19
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The separation of functions provides operational stability, because each process accesses its own protected memory space. In addition, because each process is a separate software package, you can selectively upgrade all or part of the JUNOS software, for added flexibility. Table 4 on page 20 describes the primary JUNOS software processes.
Table 4: JUNOS Software Processes
Process Chassis process Name chassisd Description Detects hardware on the system that is used to configure network interfaces. Monitors the physical status of hardware components and field-replaceable units (FRUs), detecting when environment sensors such as temperature sensors are triggered. Relays signals and interruptsfor example, when devices are taken offline, so that the system can close sessions and shut down gracefully. Ethernet switching process eswd Handles Layer 2 switching functionality such as MAC address learning, Spanning Tree protocol and access port security. The process is also responsible for managing Ethernet switching interfaces, VLANs, and VLAN interfaces. Manages Ethernet switching interfaces, VLANs, and VLAN interfaces. Forwarding process Interface process Management process pfem Defines how routing protocols operate on the switch. The overall performance of the switch is largely determined by the effectiveness of the forwarding process. Configures and monitors network interfaces by defining physical characteristics such as link encapsulation, hold times, and keepalive timers. Provides communication between the other processes and an interface to the configuration database. Populates the configuration database with configuration information and retrieves the information when queried by other processes to ensure that the system operates as configured. Interacts with the other processes when commands are issued through one of the user interfaces on the switch. If a process terminates or fails to start when called, the management process attempts to restart it a limited number of times to prevent thrashing and logs any failure information for further investigation. Routing protocol process rpd Defines how routing protocols such as RIP, OSPF, and BGP operate on the device, including selecting routes and maintaining forwarding tables.
dcd
mgd
Related Topics
For more information about processes, see the JUNOS Network Operations Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html. For more information about basic system parameters, supported protocols, and software processes, see JUNOS System Basics Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos93/index.html.
20
Supported Hardware
EX 3200 and EX 4200 Switches Hardware Overview on page 21 EX 3200 Switch Models on page 23 EX 4200 Switch Models on page 24
EX 3200 and EX 4200 Switch Types on page 21 EX 3200 Switches on page 21 EX 4200 Switches on page 22 Uplink Modules on page 23 Power over Ethernet (PoE) Ports on page 23
EX 3200 switchesTypically, you deploy these switches in branch environments or wiring closets. EX 4200 switchesYou can interconnect EX 4200 switches to form a virtual chassis that operates as a single network entity. You can deploy these switches wherever you need a high density of Gigabit Ethernet ports (24 to 480 ports), redundancy, or the ability to span a single switch across several wiring closets. Typically, EX 4200 switches are used in large branch offices, campus wiring closets, and top-of-rack locations in a data center.
Run under JUNOS software for EX-series switches Have options of 24-port and 48-port models Have options of full (all ports) or partial (8 ports) Power over Ethernet (PoE) capability Have optional uplink modules that provide connection to distribution switches
EX 3200 Switches
EX 3200 switches provide connectivity for low-density environments. Typically, you deploy these switches in branch environments or wiring closets where only one switch is required.
Supported Hardware
21
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
EX 3200 switches are available in models with either 24 or 48 ports and with either all ports equipped for Power over Ethernet (PoE) or only 8 ports equipped for PoE. All ports have 10/100/1000Base-T Gigabit Ethernet connectors. EX 3200 switches include:
A field-replaceable power supply and an optional additional connection to an external power source. A field-replaceable fan tray with single fan. JUNOS software with its modular design that enables failed system processes to gracefully restart.
EX 4200 Switches
EX 4200 switches provide connectivity for medium- and high-density environments and scalability for growing networks. These switches can be deployed wherever you need a high density of Gigabit Ethernet ports (24 to 480 ports) or redundancy. Typically, EX 4200 switches are used in large branch offices, campus wiring closets, and data centers where they can be positioned as the top device in a rack to provide connectivity for all the devices in the rack. You can connect individual EX 4200 switches together to form one unit and manage the unit as a single chassis, called a virtual chassis. You can add more member switches to the virtual chassis as needed, up to a total of 10 members. EX 4200 switches are available in models with 24 or 48 ports and with either all ports equipped for Power over Ethernet (PoE) or only 8 ports equipped for PoE. All models provide ports that have 10/100/1000Base-T Gigabit Ethernet connectors and optional small form-factor pluggable (SFP) transceivers or 10-gigabit small form-factor pluggable (XFP) transceivers for use with fiber connections. Additionally, a 24-port model provides 100Base-FX/1000Base-X SFP transceivers. This model is typically used as a small distribution switch. All EX 4200 switches have dedicated 64-Gbps virtual chassis ports that allow you to connect the switches to each other. You can also use optional 10-Gbps uplink ports to connect members of a virtual chassis across multiple wiring closets. To provide carrier-class reliability, EX 4200 switches include:
Dual redundant power supplies that are field-replaceable and hot-swappable. An optional additional connection to an external power source is also available. A field-replaceable fan tray with three fans. The switch remains operational if a single fan fails. Redundant Routing Engines in a virtual chassis configuration. This redundancy enables GRES (Graceful Routing Engine Switchover) and nonstop active routing. JUNOS software with its modular design that enables failed system processes to gracefully restart.
22
Uplink Modules
Optional uplink modules are available for all EX 3200 and EX 4200 models. Uplink modules provide either two 10-gigabit small form-factor pluggable (XFP) transceivers or four 1-gigabit small form-factor pluggable (SFP) transceivers. You can use SFP or XFP ports to connect an access switch to a distribution switch or to interconnect member switches of a virtual chassis across multiple wiring closets.
NOTE: If you insert a transceiver in an SFP uplink module installed in an EX 3200 switch, a corresponding network port from the last four ports is disabled. For example, if you insert an SFP transceiver in ge-0/1/3, ge-0/0/23 is disabled. The disabled port is not listed in the output of show interface commands.
EX 3200 Switch Models on page 23 EX 4200 Switch Models on page 24 Field-Replaceable Units in EX 3200 and EX 4200 Switches Site Preparation Checklist for EX 3200 and EX 4200 Switches
EX 3200-24T
Access or Distribution switch Access switch Access or Distribution switch Access switch
24 Gigabit Ethernet
First 8 ports
320 W
EX 3200-24P EX 3200-48T
600 W 320 W
EX 3200-48P
48 Gigabit Ethernet
All 48 ports
930 W
23
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
EX 4200 Switch Models on page 24 Front Panel of an EX 3200 Switch Rear Panel of an EX 3200 Switch EX 3200 and EX 4200 Switches Hardware Overview on page 21
24 Gigabit Ethernet 24 Gigabit Ethernet 48 Gigabit Ethernet 48 Gigabit Ethernet 24 small form-factor pluggable (SFP) transceivers
First 8 ports All 24 ports First 8 ports All 48 ports Not applicable
Related Topics
EX 3200 Switch Models on page 23 Front Panel of an EX 4200 Switch Rear Panel of an EX 4200 Switch EX 3200 and EX 4200 Switches Hardware Overview on page 21
24
Part 2
25
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
26
Chapter 2
[edit access] Configuration Statement Hierarchy on page 27 [edit chassis] Configuration Statement Hierarchy on page 28 [edit class-of-service] Configuration Statement Hierarchy on page 28 [edit ethernet-switching-options] Configuration Statement Hierarchy on page 29 [edit firewall] Configuration Statement Hierarchy on page 31 [edit interfaces] Configuration Statement Hierarchy on page 32 [edit poe] Configuration Statement Hierarchy on page 33 [edit protocols] Configuration Statement Hierarchy on page 33 [edit snmp] Configuration Statement Hierarchy on page 37 [edit virtual-chassis] Configuration Statement Hierarchy on page 37 [edit vlans] Configuration Statement Hierarchy on page 38
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874
27
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
28
scheduler-maps { map-name { forwarding-class class-name scheduler scheduler-name; } } schedulers { scheduler-name { buffer-size (percent percentage | remainder); drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name; priority priority; shaping-rate (rate | percent percentage); transmit-rate (rate | percent percentage | remainder); } } }
Related Topics
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Code-Point Aliases (CLI Procedure) on page 1174 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 1172 Defining CoS Classifiers (CLI Procedure) on page 1175 or Defining CoS Classifiers (J-Web Procedure) on page 1176 Defining CoS Forwarding Classes (CLI Procedure) on page 1178 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1179 Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1183 Defining CoS Schedulers (CLI Procedure) on page 1180 or Defining CoS Schedulers (J-Web Procedure) on page 1180 Defining CoS Rewrite Rules (CLI Procedure) on page 1184 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1184 Assigning CoS Components to Interfaces (CLI Procedure) on page 1186 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 1186
29
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
} } } bpdu-block { interface (all | [interface-name]); disable-timeout timeout; } dot1q-tunneling { ether-type (0x8100 | 0x88a8 | 0x9100]) } redundant-trunk-group { group-name name { interface interface-name <primary>; } } secure-access-port { interface (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted ); mac-limit limit action action; no-allowed-mac-log; static-ip ip-address { vlan vlan-name; mac mac-address; } } vlan (all | vlan-name) { (arp-inspection | no-arp-inspection ); dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix hostname | mac | none; use-interface-description; use-string string; } vendor-id [string]; } (examine-dhcp | no-examine-dhcp ); (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } } storm-control { interface (all | interface-name) { level level; no-broadcast; no-unknown-unicast; } } traceoptions {
30
file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>; flag flag <disable>; } unknown-unicast-forwarding { vlan (all | vlan-name) { interface interface-name; } } voip { interface (all | [interface-name | access-ports]) { vlan vlan-name ; forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>; } } }
Related Topics
Port Mirroring on EX-series Switches Overview on page 1269 Port Security for EX-series Switches Overview on page 734 Understanding 802.1X and VoIP on EX-series Switches on page 732 Understanding Redundant Trunk Links on EX-series Switches on page 401 Understanding Storm Control on EX-series Switches on page 403 Understanding 802.1X and VoIP on EX-series Switches on page 732 Understanding Q-in-Q Tunneling on EX-series Switches on page 404 Understanding Unknown Unicast Forwarding on EX-series Switches on page 405
31
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
} } }
Related Topics
Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches on page 1110 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1096 Firewall Filters for EX-series Switches Overview on page 1041
aggregated-ether-options {
lacp mode { periodic interval; } } } ge-chassis/pic/port { description text; ether-options { 802.3ad aex; auto-negotiation; flow-control; link-mode mode; speed (speed | auto-negotiation | no-autonegotiation); } mtu bytes; unit logical-unit-number { family ethernet-switching { filter input filter-name; filter output filter-name; l3-interface interface-name-logical-unit-number; native-vlan-id vlan-id port-mode mode; vlan { members [ (all | names | vlan-ids) ]; } } vlan-id vlan-id-number; } vlan-tagging; } }
Related Topics
EX-series Switches Interfaces Overview on page 279 Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321
32
Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243 PoE and EX-series Switches Overview on page 1229
33
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
server-reject-vlan (vlan-id | vlan-name); server-timeout seconds; supplicant (single | single-secure | multiple); supplicant-timeout seconds; transmit-period seconds; } } gvrp { disable; interface (all | [interface-name]) { disable; } join-timer millseconds; leave-timer milliseconds; leaveall-timer milliseconds; } igmp-snooping { traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag (detail | disable | receive | send); } vlan (vlan-id | vlan-number { disable{ interface interface-name } immediate-leave; interface interface-name { multicast-router-interface; static { group ip-address; } } query-interval seconds; query-last-member-interval seconds; query-response-interval seconds; robust-count number; } } lldp { disable; advertisement-interval seconds; hold-multiplier number; interface (all | interface-name) { disable; } traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag (detail | disable | receive | send); } transmit-delay seconds; } lldp-med { disable;
34
fast-start number; interface (all | interface-name) { disable; location { elin number; civic-based { what number; country-code code; ca-type { number { ca-value value; } } } } } } mstp { disable; bpdu-block-on-edge; bridge-priority priority; configuration-name name; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds; max-hops hops; msti msti-id { vlan (vlan-id | vlan-name); interface interface-name { disable; cost cost; edge; mode mode; priority priority; } } revision-level revision-level; traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } }
35
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
rstp { disable; bpdu-block-on-edge; bridge-priority priority; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds; } traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } stp { disable; bridge-priority priority; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds; } traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } } sflow { collector { ip-address; udp-port port-number; } disable;
36
interfaces interface-name { disable; polling-interval seconds; sample-rate number; } polling-interval seconds; sample-rate number; }
Related Topics
802.1X for EX-series Switches Overview on page 718 Example: Configure Automatic VLAN Administration Using GVRP on page 432 Understanding 802.1X MAC RADIUS Authentication on EX-series Switches on page 723 Understanding Server Fail Fallback and 802.1X Authentication on EX-series Switches on page 725 IGMP Snooping on EX-series Switches Overview on page 659 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728 Understanding MSTP for EX-series Switches on page 487 Understanding RSTP for EX-series Switches on page 486 Understanding STP for EX-series Switches on page 485 Understanding Using sFlow Technology for Network Monitoring on an EX-series Switch on page 1307
Configuring SNMP (J-Web Procedure) on page 674 JUNOS Software Network Management Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
37
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
mac-persistence-timer seconds; member member-id { mastership-priority number; no-management-vlan; serial-number; role; } no-split-detection; preprovisioned; traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag ; } }
Related Topics
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159 Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 175 Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 196 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Virtual Chassis Overview on page 135
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414
38
Example: Configure Automatic VLAN Administration Using GVRP on page 432 Example: Connecting an Access Switch to a Distribution Switch on page 422 Configuring Q-in-Q Tunneling (CLI Procedure) on page 472 Creating a Private VLAN (CLI Procedure) on page 471 Understanding Bridging and VLANs on EX-series Switches on page 395
39
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
40
Part 3
41
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
42
Chapter 3
JUNOS CLI
CLI Overview on page 43 CLI Help and Command Completion on page 43 CLI Command Modes on page 44
CLI Overview
JUNOS CLI is a Juniper Networks specific command shell that runs on top of a UNIX-based operating system kernel. The CLI provides command help and command completion. The CLI also provides a variety of UNIX utilities, such as Emacs-style keyboard sequences that allow you to move around on a command line and scroll through recently executed commands, regular expression matching to locate and replace values and identifiers in a configuration, filter command output, or log file entries, store and archive router files on a UNIX-based file system, and exit from the CLI environment and create a UNIX C shell or Bourne shell to navigate the file system, manage switch processes, and so on.
JUNOS CLI
43
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
To complete a command, statement, or option that you have partially typed, press the Tab key or the Spacebar. If the partially typed letters uniquely identify a command, the complete command name appears. Otherwise, a beep indicates that you have entered an ambiguous command and the possible completions are displayed. This completion feature also applies to other strings, such as filenames, interface names, usernames, and configuration statements.
Configuration mode is indicated by the # prompt, and includes the current location in the configuration hierarchyfor example:
[edit interfaces ge-0/0/12] user@switch#
In configuration mode, you are actually viewing and changing the candidate configuration file. The candidate configuration allows you to make configuration changes without causing operational changes to the current operating configuration, called the active configuration. When you commit the changes you added to the candidate configuration, the system updates the active configuration. Candidate configurations enable you to alter your configuration without causing potential damage to your current network operations. To activate your configuration changes, enter the commit command. To return to operational mode, go to the top of the configuration hierarchy and then quitfor example:
[edit interfaces ge-0/0/12] user@switch# top [edit] user@switch# exit
You can also activate your configuration changes and exit configuration mode with a single command, commit and-quit. This command succeeds only if there are no mistakes or syntax errors in the configuration.
44
TIP: When you commit the candidate configuration, you can require an explicit confirmation for the commit to become permanent by using the commit confirmed command. This is useful for verifying that a configuration change works correctly and does not prevent management access to the switch. After you issue the commit confirmed command, you must issue another commit command within the defined period of time (10 minutes by default) or the system reverts to the previous configuration.
Related Topics
EX-series Switch Software Features Overview on page 3 JUNOS Software CLI User Guide at http://www.juniper.net/techpubs/software/junos.
45
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
46
Chapter 4
J-Web Interface
J-Web User Interface for EX-series Switches Overview on page 47 Using the CLI Viewer in the J-Web Interface to View Configuration Text on page 49 Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration Text on page 50 Using the CLI Editor in the J-Web Interface to Edit Configuration Text on page 51 Using the CLI Terminal on page 52 Understanding J-Web Configuration Tools on page 53 Starting the J-Web Interface on page 54 Understanding J-Web User Interface Sessions on page 55
NOTE: The browser and the network must support receiving and processing HTTP 1.1 GZIP compressed data. Each page of the J-Web interface is divided into panes.
J-Web Interface
47
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Main paneLocation where you monitor, configure, diagnose (troubleshoot), and manage (maintain) the switch by entering information in text boxes, making selections, and clicking buttons. Side paneDisplays suboptions of the Monitor, Configure, Troubleshoot, or Maintain task currently displayed in the main pane. Click a suboption to access it in the main pane.
The layout of the panes allows you to quickly navigate through the interface. Table 7 on page 48 summarizes the elements of the J-Web interface. The J-Web interface provides CLI tools that allow you to perform all of the tasks that you can perform from the JUNOS command-line interface (CLI), including a CLI Viewer to view the current configuration, a CLI Editor for viewing and modifying the configuration, and a Point & Click CLI editor that allows you to click through all of the available CLI statements.
Table 7: J-Web Interface
J-Web Interface Element
Top Pane
Description
Hostname of the switch. Username you used to log in to the switch. Link to context-sensitive help information. Displays information about the J-Web interface, such as the version number. Ends your current login session with the switch and returns you to the login page. Menu of J-Web main options. Click the tab to access the option.
DashboardDisplays a high-level, graphical view of the chassis and status of the switch. It displays system health information, alarms, and system status. ConfigureConfigure the switch, and view configuration history. MonitorView information about configuration and hardware on the switch. MaintainManage files and licenses, upgrade software, and reboot the switch. TroubleshootRun diagnostic tools to troubleshoot network issues.
Main Pane
Displays useful informationsuch as the definition, format, and valid range of an optionwhen you move the cursor over the question mark. Indicates a required field.
48
CComment. Move your cursor over the icon to view a comment about the configuration statement. IInactive. The configuration statement does not affect the switch. MModified. The configuration statement has been added or modified. *Mandatory. The configuration statement must have a value.
Task Pane
Configuration hierarchy
(Applies to the JUNOS CLI configuration editor only) Displays the hierarchy of committed statements in the switch configuration.
Click Expand all to display the entire hierarchy. Click Hide all to display only the statements at the top level. Click plus signs (+) to expand individual items. Click minus signs (-) to hide individual items.
Related Topics
EX-series Switch Software Features Overview on page 3 EX 3200 and EX 4200 Switches Hardware Overview on page 21 EX-series Switch Software Features Overview on page 3 Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60 CLI User Interface Overview on page 43
Using the CLI Viewer in the J-Web Interface to View Configuration Text
To view the entire configuration file contents in text format, select Configure>CLI Tools >CLI Viewer. The main pane displays the configuration in text format. Each level in the hierarchy is indented to indicate each statement's relative position in the hierarchy. Each level is generally set off with braces, with an open brace ({) at the beginning of each hierarchy level and a closing brace (}) at the end. If the statement at a hierarchy level is empty, the braces are not displayed. Each leaf statement ends with a semicolon (;), as does the last statement in the hierarchy. This indented representation is used when the configuration is displayed or saved as an ASCII file. However, when you load an ASCII configuration file, the format of the file is not so strict. The braces and semicolons are required, but the indention and use of new lines are not required in ASCII configuration files.
Using the CLI Viewer in the J-Web Interface to View Configuration Text
49
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration Text
To edit the configuration on a series of pages of clickable options that steps you through the hierarchy, select Configure>CLI Tools>Point&Click CLI. The side pane displays the top level of the configured hierarchy, and the main pane displays configured hierarchy options and the Icon Legend. To expand or hide the hierarchy of all the statements in the side pane, click Expand all or Hide all. To expand or hide an individual statement in the hierarchy, click the expand (+) or collapse () icon to the left of the statement.
TIP: Only those statements included in the committed configuration are displayed in the hierarchy. The configuration information in the main pane consists of configuration options that correspond to configuration statements. Configuration options that contain subordinate statements are identified by the term Nested. To include, edit, or delete statements in the candidate configuration, click one of the links described in Table 8 on page 50. Then specify configuration information by typing in a field, selecting a value from a list, or clicking a check box (toggle).
Table 8: J-Web Edit Point & Click Configuration Links
Link Add new entry Function Displays fields and lists for a statement identifier, allowing you to add a new identifier to a statement. Displays information for a configuration option that has not been configured, allowing you to include a statement. Deletes the corresponding statement or identifier from the configuration. All subordinate statements and identifiers contained within a deleted statement are also discarded. Displays information for a configuration option that has already been configured, allowing you to edit a statement. Displays fields and lists for an existing statement identifier, allowing you to edit the identifier.
Configure
Delete
Edit
Identifier
As you navigate through the configuration, the hierarchy level is displayed at the top of the main pane. You can click a statement or identifier in the hierarchy to display the corresponding configuration options in the main pane. The main pane includes icons that display information about statements and identifiers when you place your cursor over them. Table 9 on page 51 describes these icons.
50
Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration Text
After typing or selecting your configuration edits, click a button in the main pane (described in Table 10 on page 51) to apply your changes or cancel them, refresh the display, or discard parts of the candidate configuration. An updated configuration does not take effect until you commit it.
Table 10: J-Web Edit Point & Click Configuration Buttons
Button
Refresh Commit Discard
Function Updates the display with any changes to the configuration made by other users. Verifies edits and applies them to the current configuration file running on the switch. Removes edits applied to or deletes existing statements or identifiers from the candidate configuration.
Related Topics
CLI User Interface Overview on page 43 Understanding J-Web Configuration Tools on page 53
Using the CLI Editor in the J-Web Interface to Edit Configuration Text
Use the CLI Editor to edit configuration if you know the JUNOS CLI or prefer a command interface. To edit the entire configuration in text format:
CAUTION: We recommend that you use this method to edit and commit the configuration only if you have experience editing configurations through the CLI. Select Configure>CLI Tools>CLI Editor. The main pane displays the configuration in a text editor. Navigate to the hierarchy level you want to edit.
1. 2.
Using the CLI Editor in the J-Web Interface to Edit Configuration Text
51
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
You can edit the candidate configuration using standard text editor operationsinsert lines (by using the Enter key), delete lines, and modify, copy, and paste text.
3.
Click Commit to load and commit the configuration. The switching platform checks the configuration for the correct syntax before committing it.
Related Topics
CLI User Interface Overview on page 43 Understanding J-Web Configuration Tools on page 53
Before you can use you must configure the CLI terminal the domain name and hostname of the switch. See Configuring System Identity for the EX-Series Switch (J-Web Procedure) for more information. To access the CLI through the J-Web interface, your management device requires the following features:
SSH accessEnable Secure shell (SSH) on your system. SSH provides a secured method of logging in to the switch, to encrypt traffic so that it is not intercepted. If SSH is not enabled on the system, the CLI terminal page displays an error. Java applet supportMake sure that your Web browser supports Java applets. JRE installed on the clientInstall Java Runtime Environment (JRE) version 1.4 or later on your system. JRE is a software package that must be installed on a system to run Java applications. Download the latest JRE version from the Java Software Web site http://www.java.com/. Installing JRE installs Java plug-ins, which once installed, load automatically and transparently to render Java applets.
NOTE: The CLI terminal is supported on JRE version 1.4 and later only. To access the CLI terminal, select Troubleshoot >CLI Terminal.
Related Topics
CLI User Interface Overview on page 43 Understanding J-Web Configuration Tools on page 53
52
Configure menu
Web browser pages for setting up the switch quickly and easily without configuring each statement individually. For example, use the Virtual Chassis Configuration page to configure the virtual chassis parameters on the switch.
Interfaces Switching Virtual Chassis Security Services System Properties Routing Use for complete configuration if you are not familiar with the JUNOS CLI or prefer a graphical interface.
Web browser pages divided into panes in which you can do any of the following:
Expand the entire configuration hierarchy and click a configuration statement to view or edit. The main pane displays all the options for the statement, with a text box for each option. Paste a complete configuration hierarchy into a scrollable text box, or edit individual lines. Upload or download a complete configuration. Roll back to a previous configuration. Create or delete a rescue configuration.
System parameters User Accounting and Access Interfaces VLAN properties Virtual Chassis properties Secure Access Services Routing protocols
53
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Type commands on a line and press Enter to create a hierarchy of configuration statements. Create an ASCII text file that contains the statement hierarchy. Upload a complete configuration, or roll back to a previous configuration. Create or delete a rescue configuration.
System parameters User Accounting and Access Interfaces VLAN properties Virtual Chassis properties Secure Access Services Routing protocols
Use for complete configuration if you know the JUNOS CLI or prefer a command interface.
Related Topics
Understanding J-Web User Interface Sessions on page 55 J-Web User Interface for EX-series Switches Overview on page 47 Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60 Configuration Files Terms on page 74
Launch your HTTP-enabled or HTTPS-enabled Web browser. To use HTTPS, you must have installed a certificate on the switch and enabled HTTPS.
2.
After http:// or https:// in your Web browser, type the hostname or IP address of the switch and press Enter. The J-Web login page appears.
3.
On the login page, type your username and password, and click Log In. To correct or change the username or password you typed, click Reset, type the new entry or entries, and click Log In.
NOTE: The default username is root with no password. You must change this during initial configuration or the system does not accept the configuration. The Chassis Dashboard information page appears. To explicitly terminate a J-Web session at any time, click Logout in the top pane.
Related Topics
54
J-Web User Interface for EX-series Switches Overview on page 47 Configuring Management Access for the EX-series Switch (J-Web Procedure) on page 95
55
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
56
Part 4
Initial Configuration on page 59 Software Installation on page 65 Configuration File Management on page 73 Licenses on page 85
57
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
58
Chapter 5
Initial Configuration
Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60
Connect the console port to a laptop or PC using the RJ-45 to DB-9 serial port adapter. The RJ-45 cable and RJ-45 to DB-9 serial port adapter are supplied with the switch. At the shell prompt type ezsetup. Enter the hostname. This is optional. Enter the root password. You are prompted to re-enter the root password. Enter yes to enable services like Telnet and SSH. By default, Telnet is not enabled and SSH is enabled.
2. 3. 4. 5.
NOTE: When Telnet is enabled, you will not be able to log into an EX 3200 or EX 4200 switch via Telnet using 'root' credentials. Root login is allowed only for SSH access. Next, select one of the switch management options:
6.
Configure in-band management. In this scenario you have the following two
options:
Use the default VLAN. Create a new VLANIf you select this option, you are prompted to specify the VLAN name, VLAN ID, management IP address, default gateway. Select the ports that must be part of this VLAN.
59
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
7. 8.
Specify the SNMP Read Community, Location, and Contact to configure SNMP parameters. These parameters are optional. Specify the system date and time. Select the time zone from the list. These options are optional. The configured parameters are displayed. Enter yes to commit the configuration. The configuration is committed as the active configuration for the switch. You can now log in with the CLI or the J-Web interface to continue configuring the switch. If you use the J-Web interface to continue configuring the switch, the Web session is redirected to the new management IP address. If the connection cannot be made, the J-Web interface displays instructions for starting a J-Web session.
Related Topics
Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60 Installing and Connecting an EX 3200 or EX 4200 Switch LCD Panel in EX 3200 and EX 4200 Switches EX 3200 and EX 4200 Switches Hardware Overview on page 21 EX-series Switch Software Features Overview on page 3
NOTE: To obtain an IP address dynamically, you must enable a DHCP client on the management PC you connect to the switch. If you have configured a static IP on your PC, you will not be able to connect to the switch.
60
1.
To transition the switch into initial setup mode, use the Menu and Enter buttons to the right of the LCD panel on the front panel of the switch (see Figure 3 on page 61):
Press Menu until you see MAINTENANCE MENU. Then press Enter. Press Menu until you see ENTER EZSetup. Then press Enter.
NOTE: If EZSetup does not appear as an option in the Maintenance menu, select Factory Default to return the switch to the factory default configuration. EZSetup is displayed in the menu only when the switch is set to the factory default configuration.
The ge-0/0/0 interface on the front panel of the switch is configured as the DHCP server with the default IP address, 192.168.1.1. The switch can assign an IP address to the management PC in the IP address range 192.168.1.2 through 192.168.1.253.
NOTE: You must complete the initial configuration using the J-Web interface within 10 minutes. The LCD displays a count-down timer once you connect the switch to the management PC. The switch exits the EZSetup mode after 10 minutes and reverts to factory configuration, and the PC loses connectivity to the switch. Insert one end of the Ethernet cable into the Ethernet port on the PC and connect the other end to port 0 (ge-0/0/0) on the front panel of the switch (see Figure 4 on page 61).
2.
61
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
3. 4. 5. 6.
From the PC, open a Web browser, type http://192.168.1.1 in the address field, and press Enter. On the Login page, type root as the username, leave the password field blank, and click Login. On the Introduction page, click Next. On the Basic Settings page, modify the hostname, the root password, and date and time settings.
Enter the hostname. This is optional. Enter a password and reenter the password. Specify the time zone. Synchronize the date and time settings of the switch with the management PC or set them manually by selecting the appropriate option button. This is optional.
Click Next.
7.
In-band Management-Use VLAN 'default' for management. Select this option to configure all data interfaces as members of the default VLAN. Click Next. Specify the management IP address and the default gateway for the default VLAN.
In-band Management-Create new VLAN for management. Select this option to create a management VLAN. Click Next. Specify the VLAN name, VLAN ID, member interfaces, and management IP address and default gateway for the new VLAN.
Out-of-band Management-Configure management port. Select this option to configure only the management interface. Click Next. Specify the IP address and default gateway for the management interface.
8. 9.
Click Next. On the Manage Access page, you may select options to enable Telnet, SSH, and SNMP services. For SNMP, you can configure the read community, location, and contact.
10. Click Next. 11. The Summary screen displays the configured settings. Click Finish.
The configuration is committed as the active configuration for the switch. You can now log in with the CLI or the J-Web interface to continue configuring the switch. If you use the J-Web interface to continue configuring the switch, the Web session is redirected to the new management IP address. If the connection cannot be made, the J-Web interface displays instructions for starting a J-Web session.
62
NOTE: After the configuration takes effect, you might lose connectivity between the PC and the switch. To renew the connection, release and renew the IP address by executing the appropriate commands on the management PC or by removing and re-inserting the Ethernet cable.
Related Topics
Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 Installing and Connecting an EX 3200 or EX 4200 Switch EX 3200 and EX 4200 Switches Hardware Overview on page 21 EX-series Switch Software Features Overview on page 3 LCD Panel in EX 3200 and EX 4200 Switches
63
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
64
Chapter 6
Software Installation
Software Installation
Understanding Software Installation on EX-series Switches on page 65 JUNOS Software Package Names on page 67 Downloading Software Packages from Juniper Networks on page 67 Installing Software on EX-series Switches (CLI Procedure) on page 68 Installing Software on EX-series Switches (J-Web Procedure) on page 69 Troubleshooting Software Installation on page 70
Overview of the Software Installation Process on page 65 Installing Software on a Virtual Chassis on page 66 Software Package Security on page 66 Troubleshooting Software Installation on page 66
Software Installation
65
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
During a successful upgrade, the upgrade package removes all files from /var/tmp and completely reinstalls the existing software. It retains configuration files, and similar information, such as secure shell and host keys, from the previous version. The previous software package is preserved in a separate disk partition, and you can manually revert back to it if necessary. If the software installation fails for any reason, such as loss of power during the installation process, the system returns to the originally active installation when you reboot. After a successful upgrade, remember to back up the new current configuration to the secondary device.
NOTE: You can also use this procedure to load two versions of JUNOS software in separate partitions on the switch.
Related Topics
Downloading Software Packages from Juniper Networks on page 67 Installing Software on EX-series Switches (J-Web Procedure) on page 69 Installing Software on EX-series Switches (CLI Procedure) on page 68 Troubleshooting Software Installation on page 70
66
package-name is the name of the packagefor example, jinstall-ex. m.n is the software release, with m representing the major release number and n representing the minor release numberfor example, 9.1. Z indicates the type of software release. For example, R indicates released software, and B indicates beta-level software. x represents the version of the major software releasefor example, 2. distribution indicates the area for which the software package is providedFor most JUNOS packages, domestic is used for the United States and Canada and export for worldwide distribution. However, for EX-series software, the domestic
is used for worlwide distribution as well. A sample EX-series software package name is jinstall-ex-9.0R2-domestic.tgz.
Related Topics
Installing Software on EX-series Switches (J-Web Procedure) on page 69 Installing Software on EX-series Switches (CLI Procedure) on page 68 Understanding Software Installation on EX-series Switches on page 65
Using a Web browser, follow the links to the download URL on the Juniper Networks Web page. For EX-series, there are not separate software packages for Canada the U.S. and other locations. Therefore, select Canada and U.S. Version regardless of your location:
https://www.juniper.net/support/csc/swdist-domestic/
2.
Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
67
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
3. 4. Related Topics
Using the J-Web interface or the CLI, select the appropriate software package for your application. See JUNOS Software Package Names on page 67. Download the software to a local host or to an internal software distribution site. Installing Software on EX-series Switches (J-Web Procedure) on page 69 Installing Software on EX-series Switches (CLI Procedure) on page 68 Understanding Software Installation on EX-series Switches on page 65
Download the software package as described in Downloading Software Packages from Juniper Networks on page 67. Copy the software package to the switch. We recommend that you use FTP to copy the file to the /var/tmp directory. To install the new package on the switch, enter the following command:
user@switch> request system software add source [member member_id] reboot
Include the member option to install the software package on only one member of a virtual chassis. Other members of the virtual chassis are not affected. To install the software on all members of the virtual chassis, do not include the member option. Replace source with one of the following paths:
For a software package that is installed from a local directory on the switch/pathname/package-name , . For software packages that are downloaded and installed from a remote location:
ftp://hostname/pathname/package-name http://hostname/pathname/package-name
Installing Software on EX-series Switches (J-Web Procedure) on page 69 Troubleshooting Software Installation on page 70 See the JUNOS Software System Basics and Services Command Reference for details about the request system software add command. Understanding Software Installation on EX-series Switches on page 65
68
Download the software package as described in Downloading Software Packages from Juniper Networks on page 67. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives. In the J-Web interface, select Maintain>Software>Install Package. On the Install Remote page, enter information into the fields described in Table 12 on page 69. Click Fetch and Install Package. The software is activated after the switch has rebooted.
3. 4. 5.
Password
Reboot If Required
Select the box if you want the switching platform to reboot automatically when the upgrade is complete.
69
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Download the software package. In the J-Web interface, select Maintain>Software>Upload Package. On the Upload Package page, enter information into the fields described in Table 13 on page 70. Click Upload Package. The software is activated after the switching platform has rebooted.
Your Action Type the location of the software package, or click Browse to navigate to the location. Select the check box if you want the switching platform to reboot automatically when the upgrade is complete.
Reboot If Required
Related Topics
Installing Software on EX-series Switches (CLI Procedure) on page 68 Understanding Software Installation on EX-series Switches on page 65 Troubleshooting Software Installation on page 70
Recovering from a Failed Software Upgrade on an EX-series Switch on page 70 Rebooting from the Non-Active Partition on page 71
If the JUNOS software loads but the CLI is not working for any reason, or if the switch has no software installed, you can use this recovery installation procedure to install the JUNOS software. If there is already a JUNOS image on the system, you can either install the new JUNOS package in a separate partition and both JUNOS images will remain on the system, or you can wipe the disk clean before the new installation proceeds. To perform a recovery installation:
1. 2.
Solution
Power on the switch. The loader script starts. After the message Loading /boot/defaults/loader.conf displays, you are prompted with:
Hit [Enter] to boot immediately, or space bar for command prompt.
70
Press the space bar to enter the manual loader. The loader> prompt displays.
3.
Where:
formatUse this option to wipe the installation media (internal disk or USB drive) before installing the software package. If you do not include this option, the system installs the new JUNOS software package in a different partition from that of the most recently installed JUNOS software package. externalUse this option to install the software package onto an external media. sourceRepresents the name and location of the JUNOS software package either on a server on the network or as a file on an external USB drive:
Network address of the server and the path on the server; for example,
tftp://192.17.1.28/junos/jinstall-ex-9.2R1-domestic.tgz
The JUNOS package on a USB device is commonly stored in the root drive as the only file; for example, file:///jinstall-ex-9.2R1-domestic.tgz
An EX-series switch ships with the JUNOS software loaded on the system disk in partition 1. The first time you upgrade, the new software package is installed in partition 2. When you finish the installation and reboot, partition 2 becomes the active partition. Similarly, subsequent software packages are installed in the non-active partition which becomes the active partition when you reboot at the end of the installation process. If you performed an upgrade and rebooted, the system resets the active partition. You can use this procedure to manually boot from the non-active partition.
NOTE: If you have completed the installation of the software image but have not yet rebooted, you can issue a request system software rollback to return to the original software installation package.
Solution
71
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: If you cannot access the CLI, you can reboot from the non-active partition using the following procedure from the loader script prompt:
1.
Unload and clear the interrupted boot from the active partition:
loader> unload loader> unset vfs.root.mountfrom
2.
Where media is either 0 (internal) or 1 (external) and partition indicates the partition number, either 1 or 2. You must include the colon (:) at the end of this command.
3.
Related Topics
Installing Software on EX-series Switches (CLI Procedure) on page 68 Installing Software on EX-series Switches (J-Web Procedure) on page 69 Understanding Software Installation on EX-series Switches on page 65
72
Chapter 7
Understanding Configuration Files for EX-series Switches on page 73 Configuration Files Terms on page 74 Managing Configuration Files Through the Configuration History (J-Web Procedure) on page 74 Uploading a Configuration File (CLI Procedure) on page 77 Uploading a Configuration File (J-Web Procedure) on page 79 Loading a Previous Configuration File (CLI Procedure) on page 79 EX 3200 and EX 4200 Default Configuration on page 80
To make changes to the configuration file, you have to work in the configuration mode in the CLI or use the configuration tools in the J-Web interface. When making changes to a configuration file, you are viewing and changing the candidate configuration file. The candidate configuration allows you to make configuration changes without causing operational changes to the active configuration or causing potential damage to your current network operations. Once you commit the changes made to the candidate configuration, the system updates the active configuration.
Related Topics
Managing Configuration Files Through the Configuration History (J-Web Procedure) on page 74 Uploading a Configuration File (CLI Procedure) on page 77 Uploading a Configuration File (J-Web Procedure) on page 79 Configuration Files Terms on page 74
73
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
configuration hierarchy
default configuration
Related Topics
EX 3200 and EX 4200 Default Configuration on page 80 Loading a Previous Configuration File (CLI Procedure) on page 79 Managing Configuration Files Through the Configuration History (J-Web Procedure) on page 74 Understanding Configuration Files for EX-series Switches on page 73
74
Table 15 on page 75 summarizes the contents of the display. The configuration history display allows you to:
View a configuration. Compare two configurations. Download a configuration file to your local system. Roll back the configuration to any of the previous versions stored on the switch.
cliA user entered a JUNOS CLI command. junoscriptA JUNOScript client performed the operation. Commit operations performed by users
snmpAn SNMP set request started the operation. otherAnother method was used to commit the configuration.
Imported via paste Configuration was edited and loaded with the Configure>CLI Tools>Edit Configuration Text option. Imported upload [filename]Configuration was uploaded with the Configure>CLI Tools>Point Click Editor option. Modified via JWeb Configure Configuration was modified with the J-Web Configure menu. Rolled back via user-interface Configuration was rolled back to a previous version through the user interface specified by user-interface, which can be Web Interface or CLI.
Action
Action to perform with the configuration file. The action can be Download or Rollback.
75
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Select Config Management >History. A list of the current and the previous 49 configurations is displayed as Configuration History in the main pane. Select the check boxes to the left of the two configuration versions you want to compare. Click Compare. The main pane displays the differences between the two configuration files at each hierarchy level as follows:
Lines that have changed are highlighted side by side in green. Lines that exist only in the more recent configuration file are displayed in red on the left. Lines that exist only in the older configuration file are displayed in blue on the right.
Select Config Management >History. A list of current and previous 49 configurations is displayed as Configuration History in the main pane. In the Action column, click Download for the version of the configuration you want to download. Select the options your Web browser provides that allow you to save the configuration file to a target directory on your local system. The file is saved as an ASCII file.
76
Select Config Management >History. A list of current and previous 49 configurations is displayed as Configuration History in the main pane. In the Action column, click Rollback for the version of the configuration you want to load. The main pane displays the results of the rollback operation.
NOTE: When you click Rollback, the switch loads and commits the selected configuration. This behavior is different from the switch's behavior that occurs after you enter the rollback configuration mode command from the CLI. In the latter case, the configuration is loaded but not committed.
Related Topics
Loading a Previous Configuration File (CLI Procedure) on page 79 Understanding Configuration Files for EX-series Switches on page 73 Understanding J-Web Configuration Tools on page 53
Create the configuration file using a text editor such as Notepad, making sure that the syntax of the configuration file is correct. For more information about testing the syntax of a configuration file see JUNOS Software System Basics and Services Command Reference at http://www.juniper.net/techpubs/software/junos/. In the configuration text file, use an option to perform the required action when the file is loaded. Table 17 on page 77 lists and describes some options for the load command.
2.
Combines the current active configuration and the configuration in filename or the one that you type at the terminal. A merge operation is useful when you are adding a new section to an existing configuration. If the active configuration and the incoming configuration contain conflicting statements, the statements in the incoming configuration override those in the active configuration.
77
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Discards the current candidate configuration and loads the configuration in filename or the one that you type at the terminal. When you use the override option and commit the configuration, all system processes reparse the configuration. You can use the override option at any level of the hierarchy. Searches for the replace tags, deletes the existing statements of the same name, if any, and replaces them with the incoming configuration. If there is no existing statement of the same name, the replace operation adds the statements marked with the replace tag to the active configuration. NOTE: For this operation to work, you must include replace tags in the text file or in the configuration you type at the terminal.
replace
3. 4. 5. 6.
Press Ctrl+A to select all the text in the configuration file. Press Ctrl+C to copy the contents of the configuration text file to the Clipboard. Log in to the switch using your username and password. To enter configuration mode:
user@switch> configure
You will see this output, with the hash or pound mark indicating configuration mode.
Entering configuration mode [edit] user@switch#
7.
8.
At the cursor, paste the contents of the Clipboard using the mouse and the Paste icon:
[edit] user@switch# load merge terminal [Type ^D at a new line to end input] >Cursor is here. Paste the contents of the clipboard here<
9.
Press Enter.
To view results of the configuration steps before committing the configuration, type the show command at the user prompt. To commit these changes to the active configuration, type the commit command at the user prompt.You can also edit the configuration interactively using the CLI and commit it at a later time.
Related Topics
78
Select Maintain > Config Management > Upload. The main pane displays the File to Upload box.
2.
Specify the name of the file to upload using one of the following methods:
Type the absolute path and filename in the File to Upload box. Click Browse to navigate to the file.
3.
Click Upload and Commit to upload and commit the configuration. The switch checks the configuration for the correct syntax before committing it.
Related Topics
Uploading a Configuration File (CLI Procedure) on page 77 Understanding J-Web Configuration Tools on page 53 Understanding Configuration Files for EX-series Switches on page 73
None Return to the most recently saved configuration. Number Configuration to return to.
Range: 0 through 49. The most recently saved configuration is number 0, and the oldest saved configuration is number 49. Default: 0
79
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
2.
Related Topics
Managing Configuration Files Through the Configuration History (J-Web Procedure) on page 74 For more information on rollback see CLI User Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html .
NOTE: In this example, ge-0/0/0 through ge-0/0/23 are the network interface ports. Optional uplink modules provide either two 10-gigabit small form-factor pluggable (XFP) transceivers (xe-0/1/0 and xe-0/1/1) or four 1-gigabit small form-factor pluggable (SFP) transceivers (ge-0/1/0 through ge-0/1/3). Although you can install only one uplink module, the interfaces for both are shown below. When you commit changes to the configuration, a new configuration file is created which becomes the active configuration. You can always revert to the factory default configuration. This topic shows the factory default configuration file of a 24-port EX 3200 or EX 4200 switch:
system { syslog { user * { any emergency; } file messages { any notice; authorization info;
80
} file interactive-commands { interactive-commands any; } } commit { factory-settings { reset-chassis-lcd-menu; reset-virtual-chassis-configuration; } } } interfaces { ge-0/0/0 { unit 0 { family ethernet-switching; } } ge-0/0/1 { unit 0 { family ethernet-switching; } } ge-0/0/2 { unit 0 { family ethernet-switching; } } ge-0/0/3 { unit 0 { family ethernet-switching; } } ge-0/0/4 { unit 0 { family ethernet-switching; } } ge-0/0/5 { unit 0 { family ethernet-switching; } } ge-0/0/6 { unit 0 { family ethernet-switching; } } ge-0/0/7 { unit 0 { family ethernet-switching; } } ge-0/0/8 { unit 0 { family ethernet-switching;
81
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
} } ge-0/0/9 { unit 0 { family ethernet-switching; } } ge-0/0/10 { unit 0 { family ethernet-switching; } } ge-0/0/11 { unit 0 { family ethernet-switching; } } ge-0/0/12 { unit 0 { family ethernet-switching; } } ge-0/0/13 { unit 0 { family ethernet-switching; } } ge-0/0/14 { unit 0 { family ethernet-switching; } } ge-0/0/15 { unit 0 { family ethernet-switching; } } ge-0/0/16 { unit 0 { family ethernet-switching; } } ge-0/0/17 { unit 0 { family ethernet-switching; } } ge-0/0/18 { unit 0 { family ethernet-switching; } } ge-0/0/19 { unit 0 { family ethernet-switching; }
82
} ge-0/0/20 { unit 0 { family ethernet-switching; } } ge-0/0/21 { unit 0 { family ethernet-switching; } } ge-0/0/22 { unit 0 { family ethernet-switching; } } ge-0/0/23 { unit 0 { family ethernet-switching; } } xe-0/1/0 { unit 0 { family ethernet-switching; } } xe-0/1/1 { unit 0 { family ethernet-switching; } } ge-0/1/0 { unit 0 { family ethernet-switching; } } ge-0/1/1 { unit 0 { family ethernet-switching; } } ge-0/1/2 { unit 0 { family ethernet-switching; } } ge-0/1/3 { unit 0 { family ethernet-switching; } } } protocols { lldp { interface all; }
83
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Reverting to the Default Factory Configuration for the EX-series Switch Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60 Understanding Configuration Files for EX-series Switches on page 73 EX-series Switches Interfaces Overview on page 279
84
Chapter 8
Licenses
Software Licenses for the EX-series Switch Overview on page 85 License Key Components for the EX-series Switch on page 86 Managing Licenses for the EX-series Switch (CLI Procedure) on page 87 Managing Licenses for the EX-series Switch (J-Web Procedure) on page 87 Monitoring Licenses for the EX-series Switch on page 89
Obtained the needed licenses. For information about how to purchase software licenses, contact your Juniper Networks sales representative. Managing Licenses for the EX-series Switch (CLI Procedure) on page 87 Managing Licenses for the EX-series Switch (J-Web Procedure) on page 87
Related Topics
85
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Monitoring Licenses for the EX-series Switch on page 89 License Key Components for the EX-series Switch on page 86
License IDAlphanumeric string that uniquely identifies the license key. When a license is generated, it is given a license ID. License dataBlock of binary data that defines and stores all license key objects.
For example, in the following typical license key, the string li29183743 is the license ID, and the trailing block of data is the license data:
li29183743 4ky27y acasck 82fsj6 jzsn4q ix8i8d adj7kr 8uq38t ix8i8d jzsn4q ix8i8d 4ky27y acasck 82fsj6 ii8i7e adj7kr 8uq38t ks2923 a9382e
The license data defines the device ID for which the license is valid and the version of the license.
Related Topics
Managing Licenses for the EX-series Switch (CLI Procedure) on page 87 Managing Licenses for the EX-series Switch (J-Web Procedure) on page 87 Software Licenses for the EX-series Switch Overview on page 85
Obtained the needed licenses. For information about how to purchase software licenses, contact your Juniper Networks sales representative.
Adding New Licenses on page 87 Deleting Licenses on page 87 Saving License Keys on page 87
86
Chapter 8: Licenses
To add a license key from a file or URL, enter the following command, specifying the filename of the file or the URL where the key is located:
user@switch> request system license add filename | url
To add a license key from the terminal, enter the following command:
user@switch> request system license add terminal
2.
When prompted, enter the license key, separating multiple license keys with a blank line. If the license key you enter is invalid, an error appears in the CLI output when you press Ctrl+d to exit license entry mode.
Deleting Licenses
To delete one or more license keys from the switch with the CLI, enter the following operational mode CLI command for each license, specifying the license ID.
user@switch> request system license delete license-id
For example, the following command saves the installed license keys to a file named license.conf:
user@switch> request system license save ftp://user@switch/license.conf
Related Topics
Managing Licenses for the EX-series Switch (J-Web Procedure) on page 87 Monitoring Licenses for the EX-series Switch on page 89
87
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
licensed feature. The licenses are on an honor system, meaning that after you have configured the features, you have a 30-day grace period to install the license. You will see a warning message if the switch does not have a license for the feature after those 30 days. Before you begin managing licenses, be sure that you have:
Obtained the needed licenses. For information about how to purchase software licenses, contact your Juniper Networks sales representative. Adding New Licenses on page 88 Deleting Licenses on page 88 Displaying License Keys on page 88 Downloading Licenses on page 89
In the J-Web interface, select Maintain>Licenses. Under Installed Licenses, click Add to add a new license key. Do one of the following, using a blank line to separate multiple license keys:
In the License File URL box, type the full URL to the destination file containing the license key to be added. In the License Key Text box, paste the license key text, in plain-text format, for the license to be added.
4.
A list of features that use the license key is displayed. The table also lists the ID, state, and version of the license key.
Deleting Licenses
To delete one or more license keys from a switch with the J-Web license manager:
1. 2. 3.
In the J-Web interface, select Maintain>Licenses. Select the check box of the license or licenses you want to delete. Click Delete.
In the J-Web interface, select Maintain>Licenses. Under Installed Licenses, click Display Keys to display all the license keys installed on the switch.
88
Chapter 8: Licenses
A screen displaying the license keys in text format appears. Multiple licenses are separated by a blank line.
Downloading Licenses
To download the license keys installed on the switch with the J-Web license manager:
1. 2. 3.
In the J-Web interface, select Maintain>Licenses. Under Installed Licenses, click Download Keys to download all the license keys installed on the switch to a single file. Select Save it to disk and specify the file to which the license keys are to be written. You can also download the license file to your system. Managing Licenses for the EX-series Switch (CLI Procedure) on page 87 Monitoring Licenses for the EX-series Switch on page 89
Related Topics
Displaying Installed Licenses and License Usage Details on page 89 Displaying License Usage on page 90 Displaying Installed License Keys on page 90
Verify that the expected licenses are installed and active on the switch. From the CLI, enter the show system license command. The output shows a list of the license usage and a list of the licenses installed on the switch. Verify the following information:
Each license is present. Licenses are listed in ascending alphanumeric order by license ID. The state of each license is valid.
A state of invalid indicates that the license key is not a valid license key. Either it was entered incorrectly or it is not valid for the specific device.
The feature for each license is the expected feature. The features enabled are listed by license. An all-inclusive license has All features listed. All configured features have the required licenses installed. The Licenses needed column must show that no licenses are required.
Downloading Licenses
89
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Verify that the licenses fully cover the feature configuration on the switch. From the CLI, enter the show system license usage command. The output shows a list of the licenses installed on the switch and how they are used. Verify the following information:
Each licensed feature and port is present. Features and ports are listed in ascending alphabetical order by license name. The number of licenses is shown in the fourth column. Verify that the appropriate number of licenses is installed. The number of used licenses matches the number of configured features and ports. If a licensed feature or port is configured, the feature or port is considered used. A license is installed on the switch for each configured feature and port. For every feature or port configured that does not have a license, one license is needed.
Verify that the expected license keys are installed on the switch. From the CLI, enter the show system license keys command. The output shows a list of the license keys installed on the switch. Verify that each expected license key is present.
Related Topics
Managing Licenses for the EX-series Switch (CLI Procedure) on page 87 Managing Licenses for the EX-series Switch (J-Web Procedure) on page 87
90
Part 5
System Basics
Understanding Basic System Concepts on page 93 Configuring Basic System Functions on page 95 Administering and Monitoring Basic System Functions on page 101 Troubleshooting Basic System Functions on page 121 Configuration Statements for Basic System Functions on page 125 Operational Mode Commands for Basic System Functions on page 127
System Basics
91
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
92
System Basics
Chapter 9
system alarm
Chassis alarms indicate a failure on the switch or one of its components. Chassis alarms are preset and cannot be modified. System alarms indicate a missing rescue configuration. System alarms are preset and cannot be modified, although you can configure them to appear automatically in the J-Web interface display or CLI display.
Alarm Severity Levels Alarms on a EX-series switch have two severity levels:
Major (red)Indicates a critical situation on the switch that has resulted from one of the following conditions. A red alarm condition requires immediate action.
93
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
One or more hardware components have failed. One or more hardware components have exceeded temperature thresholds. An alarm condition configured on an interface has triggered a critical warning.
Minor (yellow)Indicates a noncritical condition on the switch that, if left unchecked, might cause an interruption in service or degradation in performance. A yellow alarm condition requires monitoring or maintenance. A missing rescue configuration generates a yellow system alarm.
Related Topics
Checking Active Alarms on the Switch with the J-Web Interface Understanding How to Use the J-Web Interface to View System Information
94
Chapter 10
Configuring Management Access for the EX-series Switch (J-Web Procedure) on page 95 Configuring Date and Time for the EX-series Switch (J-Web Procedure) on page 97 Generating SSL Certificates to Be Used for Secure Web Access on page 98 Managing MS-CHAPv2 for password-change support on page 99
Click Edit to modify the configuration. Enter information into the Management Access Configuration page, as described in Table 19 on page 96. To verify that Web access is enabled correctly, connect to the switch using the appropriate method:
For HTTP accessIn your Web browser, type http://URL or http://IP address . For HTTPS accessIn your Web browser, type https://URL or https://IP address . For SSL JUNOScript access To use this option, you must have aJUNOScript client such as JUNOScope. For information about how to log into JUNOScope, see the JUNOScope Software User Guide.
95
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Management Port IP
Subnet Mask
Enter the subnet mask or address prefix. For example, 24 bits represents 255.255.255.0. Type a 32-bit IP address, in dotted decimal notation.
Default Gateway
Defines a default gateway through which to direct packets addressed to networks that are not explicitly listed in the bridge table constructed by the switch. Specifies services to be enabled: telnet and SSH. Enables clear text access to the JUNOScript XML scripting API. Enables secure SSL access to the JUNOScript XML scripting API. Specifies SSL certificates to be used for encryption. This field is available only after you create at least one SSL certificate.
Services
Enable JUNOScript over Clear Text Enable JUNOScript over SSL JUNOScript Certificate
To enable clear text access, select the Enable JUNOScript over Clear Text check box. To enable SSL access, select the Enable JUNOScript over SSL check box. To enable an SSL certificate, select a certificate from the JUNOScript SSL Certificate listfor example, new.
To enable HTTP access, select the Enable HTTP access check box. Select and clear interfaces by clicking the direction arrows:
To enable HTTP access on an interface, add the interface to the HTTP Interfaces list. You can either select all interfaces or specific interfaces.
To enable HTTPS access, select the Enable HTTPS access check box. Select and deselect interfaces by clicking the direction arrows:
To enable HTTPS access on an interface, add the interface to the HTTPS Interfaces list. You can either select all interfaces or specific interfaces.
96
1.
Have a general SSL certificate available. See Generating SSL Certificates for more information. Click Add. The Add a Local Certificate page opens. Type a name in the Certificate Name boxfor example, new. Open the certificate file and copy its contents. Paste the generated certificate and RSA private key in the Certificate box.
2. 3. 4. 5.
To edit a certificate, select it and click Edit. To delete a certificate, select it and click Delete.
Related Topics
Security Features for EX-series Switches Overview on page 12 Understanding J-Web User Interface Sessions on page 55
Configuring Date and Time for the EX-series Switch (J-Web Procedure)
To configure date and time:
1. 2. 3.
Select Configure>System Properties>Date & Time. To modify the information, click Edit. Enter information into the Edit Date & Time page, as described in Table 20 on page 97. Click one:
To apply the configuration, click OK. To cancel your entries and return to the System Properties page, click Cancel.
Time Zone
Configuring Date and Time for the EX-series Switch (J-Web Procedure)
97
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
ManualA pop-up window allows you to select the current date and time from a list.
Related Topics
Enter the following openssl command in your Secure Shell command-line interface. The openssl command generates a self-signed SSL certificate in the privacy-enhanced mail (PEM) format. It writes the certificate and an unencrypted 1024-bit RSA private key to the specified file.
% openssl req x509 nodes newkey rsa:1024 keyout filename.pem -out filename.pem
Replace filename with the name of a file in which you want the SSL certificate to be writtenfor example, new.pem.
2. 3.
When prompted, type the appropriate information in the identification form. For example, type US for the country name. Display the contents of the file new.pem.
cat new.pem
NOTE: When you are ready to install the SSL certificate, open this file and copy its contents so you can paste it into the Certificate box on the Secure Access Configuration page.
You can use either J-Web Configuration or a configuration editor to install the SSL certificate and enable HTTPS.
Related Topics
Security Features for EX-series Switches Overview on page 12 Configuring Management Access for the EX-series Switch (J-Web Procedure) on page 95
98
RADIUS server authentication. Set the first tried option in the authentication order to RADIUS server.
To configure MS-CHAP-v2, include the following statements at the [edit system radius-options] hierarchy level
[edit system radius-options] password-protocol mschap-v2;
Configuring Basic Settings for an EX-series Switch Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874
99
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
100
Chapter 11
Monitoring Hosts Using the J-Web Ping Host Tool on page 101 Monitoring Switch Control Traffic on page 103 Monitoring Network Traffic Using Traceroute on page 105 Monitoring System Properties on page 107 Monitoring System Process Information on page 108 Rebooting or Halting the EX-series Switch (J-Web Procedure) on page 109 Managing Users (J-Web Procedure) on page 110 Managing Log, Temporary, and Crash Files on the Switch (J-Web Procedure) on page 112 Setting or Deleting the Rescue Configuration (CLI Procedure) on page 114 Setting or Deleting the Rescue Configuration (J-Web Procedure) on page 115 Checking Active Alarms with the J-Web Interface on page 115 Monitoring System Log Messages on page 116
Use the J-Web ping host tool to verify that the host can be reached over the network. The output is useful for diagnosing host and network connectivity problems. The switch sends a series of ICMP echo (ping) requests to a specified host and receives ICMP echo responses. To use the J-Web ping host tool:
1. 2. 3.
Action
Select Troubleshoot>Ping Host. Next to Advanced options, click the expand icon. Enter information into the Ping Host page, as described in Table 21 on page 102. The Remote Host field is the only required field.
4.
Click Start. The results of the ping operation are displayed in the main pane . If no options are specified, each ping response is in the following format:
101
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
5.
To suppress the display of the hop hostnames, select the check box. To display the hop hostnames, clear the check box.
Interface
Select the interface on which ping requests are sent from the list. If you select any, the ping requests are sent on all interfaces. Select the number of ping requests to send from the list.
Count
Don't Fragment
Specifies the Don't Fragment (DF) bit in the IP header of the ping request packet. Sets the record route option in the IP header of the ping request packet. The path of the ping request packet is recorded within the packet and displayed in the main pane. Specifies the type-of-service (TOS) value in the IP header of the ping request packet. Name of the routing instance for the ping attempt. Specifies the interval, in seconds, between transmissions of individual ping requests. Specifies the size of the ping request packet.
To set the DF bit, select the check box. To clear the DF bit, clear the check box. To record and display the path of the packet, select the check box. To suppress the recording and display of the path of the packet, clear the check box.
Record Route
Type-of-Service
Select the decimal value of the TOS field from the list. Select the routing instance name from the list. Select the interval from the list.
Packet Size
Type the size, in bytes, of the packet. The size can be from 0 through 65468. The switch adds 8 bytes of ICMP header to the size. Type the source IP address.
Source Address
Specifies the source address of the ping request packet. Specifies the time-to-live (TTL) hop count for the ping request packet.
Time-to-Live
102
To bypass the routing table and send the ping requests to hosts on the specified interface only, select the check box. To route the ping requests using the routing table, clear the check box.
Related Topics
Use the packet capture feature when you need to quickly capture and analyze switch control traffic on a switch. The packet capture feature allows you to capture traffic destined for or originating from the Routing Engine. To use the packet capture feature in the J-Web interface, select Troubleshoot>Packet Capture. To use the packet capture feature in the CLI, enter the following CLI command:
monitor traffic
Action
Meaning
You can use the packet capture feature to compose expressions with various matching criteria to specify the packets that you want to capture. You can decode and view the captured packets in the J-Web interface as they are captured. The packet capture feature does not capture transient traffic.
Detail level
BriefDisplays the minimum packet header information. This is the default. DetailDisplays packet header information in moderate detail. ExtensiveDisplays the maximum packet header information.
103
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Your Action From the list, select the number of packets to be capturedfor example, 10.
Addresses
1. 2. 3. 4.
From the Direction list, select source. From the Type list, select host. In the Address box, type 10.1.40.48. Click Add.
DirectionMatches the packet headers for IP address, hostname, or network address of the source, destination or both. TypeSpecifies if packet headers are matched for host address or network address.
You can add multiple entries to refine the match criteria for addresses. Protocols Matches the protocol for which packets are captured. You can choose to capture TCP, UDP, or ICMP packets or a combination of TCP, UDP, and ICMP packets. Matches packet headers containing the specified source or destination TCP or UDP port number or port name. From the list, select a protocolfor example, tcp.
Ports
From the Type list, select src. In the Port box, type 23.
Advanced Options Absolute TCP Sequence Layer 2 Headers Specifies that absolute TCP sequence numbers are to be displayed for the packet headers. Specifies that link-layer packet headers are to be displayed. Specifies not to place the interface in promiscuous mode, so that the interface reads only packets addressed to it. In promiscuous mode, the interface reads every packet that reaches it. Specifies that packet headers, except link-layer headers, are to be displayed in hexadecimal format. Specifies that packet headers are to be displayed in hexadecimal and ASCII format. Specifies the match condition for the packets to be captured. The match conditions you specify for Addresses, Protocols, and Ports are displayed in expression format in this field. To display absolute TCP sequence numbers in the packet headers, select this check box. To include link-layer packet headers while capturing packets, select this check box. To read all packets that reach the interface, select this check box.
Non-Promiscuous
Display Hex
To display the packet headers in hexadecimal format, select this check box. To display the packet headers in ASCII and hexadecimal formats, select this check box. You can enter match conditions directly in this field in expression format or modify the expression composed from the match conditions you specified for Addresses, Protocols, and Ports. If you change the match conditions specified for Addresses, Protocols, and Ports again, packet capture overwrites your changes with the new match conditions.
104
To prevent packet capture from resolving IP addresses to hostnames, select this check box. To stop displaying timestamps in the captured packet headers, select this check box. To decode and display the packet headers on the J-Web page, clear this check box.
No Timestamp
Writes the captured packets to a file in PCAP format in /var/tmp. The files are named with the prefix jweb-pcap and the extension .pcap. If you select this option, the decoded packet headers are not displayed on the packet capture page.
Related Topics
Use the Traceroute page in the J-Web interface to trace a route between the switch and a remote host. You can use a traceroute task to display a list of waypoints between the switch and a specified destination host. The output is useful for diagnosing a point of failure in the path from the switch platform to the destination host and addressing network traffic latency and throughput problems. To use the traceroute tool:
1. 2. 3.
Action
Select Troubleshoot>Traceroute. Next to Advanced options, click the expand icon. Enter information into the Traceroute page. The Remote Host field is the only required field.
4. 5.
Click Start. To stop the traceroute operation before it is complete, click OK while the results of the traceroute operation are being displayed.
Meaning
The switch generates the list of waypoints by sending a series of ICMP traceroute packets in which the time-to-live (TTL) value in the messages sent to each successive waypoint is incremented by 1. (The TTL value of the first traceroute packet is set to 1.) In this manner, each waypoint along the path to the destination host replies with a Time Exceeded packet from which the source IP address can be obtained.
105
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The results of the traceroute operation are displayed in the main pane. If no options are specified, each line of the traceroute display is in the following format:
hop-number host (ip-address) [as-number] time1 time2 time3
The switch sends a total of three traceroute packets to each waypoint along the path and displays the round-trip time for each traceroute operation. If the switch times out before receiving a Time Exceeded message, an asterisk (*) is displayed for that round-trip time.
Table 23: Traceroute field summary
Field Remote Host Function Identifies the destination host of the traceroute. Your Action Type the hostname or IP address of the destination host.
Advanced Options Don't Resolve Addresses Gateway Source Address Determines whether hostnames of the hops along the path are displayed, in addition to IP addresses. Specifies the IP address of the gateway to route through. Specifies the source address of the outgoing traceroute packets. Determines whether traceroute packets are routed by means of the routing table. If the routing table is not used, traceroute packets are sent only to hosts on the interface specified in the Interface box. If the host is not on that interface, traceroute responses are not sent. Specifies the interface on which the traceroute packets are sent. To suppress the display of the hop hostnames, select the check box. Type the gateway IP address. Type the source IP address.
Bypass Routing
To bypass the routing table and send the traceroute packets to hosts on the specified interface only, select the check box.
Interface
From the list, select the interface on which traceroute packets are sent. If you select any, the traceroute requests are sent on all interfaces. From the list, select the TTL.
Time-to-live
Specifies the maximum time-to-live (TTL) hop count for the traceroute request packet. Specifies the type-of-service (TOS) value to include in the IP header of the traceroute request packet. Determines whether the autonomous system (AS) number of each intermediate hop between the router and the destination host is displayed.
Type-of-Service
From the list, select the decimal value of the TOS field. To display the AS numbers, select the check box.
Resolve AS Numbers
Related Topics
Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60
106
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 Monitoring Interface Status and Traffic on page 329
Use the monitoring functionality to view system properties such as the name and IP address of the switch and resource usage. To monitor system properties in the J-Web interface, select Monitor > System View > System Information. To monitor system properties in the CLI, enter the following commands:
Action
Meaning
Table 24 on page 107 summarizes key output fields in the system properties display.
General Information
Version of JUNOS software active on the switch, including whether the software is for domestic or export use.
Time Information
Current Time System Booted Time Protocol Started Time Last Configured Time
Current system time, in Coordinated Universal Time (UTC). Date and time when the switch was last booted and how long it has been running.
Date and time when the switching protocols were last started and how long they have been running.
Date and time when a configuration was last committed. This field also shows the name of the user who issued the last commit command, through either the J-Web interface or the CLI. The CPU load average for 1, 5, and 15 minutes.
Load Average
Used Memory
107
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
User
Username of any user logged in to the switching platform. Terminal through which the user is logged in. System from which the user has logged in. A hyphen indicates that the user is logged in through the console. Time when the user logged in. This is the LOGIN@ field in show system users command output.
Terminal From
Login Time
Idle Time
Related Topics
Monitoring System Process Information on page 108 Understanding J-Web User Interface Sessions on page 55
Use the monitoring functionality to view the processes running on the switch. To view the software processes running on the switch in the J-Web interface, select Monitor>System View>Process Details. To view the software processes running on the switch in the CLI, enter the following command.
show system processes
Meaning
Table 25 on page 108 summarizes the output fields in the system process information display. The display includes the total CPU load and total memory utilization.
108
Memory Utilization
Start Time
Related Topics
Monitoring System Properties on page 107 For more information about show system properties command, see show system uptime
Reboot ImmediatelyReboots the switching platform immediately. Reboot in number of minutesReboots the switch in the number of minutes from now that you specify. Reboot when the system time is hour:minute Reboots the switch at the absolute time that you specify, on the current day. You must select a 2-digit hour in 24-hour format and a 2-digit minute. Halt Immediately Stops the switching platform software immediately. After the switching platform software has stopped, you can access the switching platform through the console port only.
3. 4. 5.
(Optional) In the Message box, type a message to be displayed to any users on the switching platform before the reboot occurs. Click Schedule. The J-Web interface requests confirmation to perform the reboot or halt. Click OK to confirm the operation.
If the reboot is scheduled to occur immediately, the switch reboots. You cannot access the J-Web interface until the switch has restarted and the boot sequence is complete. After the reboot is complete, refresh the browser window to display the J-Web interface login page.
109
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
If the reboot is scheduled to occur in the future, the Reboot page displays the time until reboot. You have the option to cancel the request by clicking Cancel Reboot on the J-Web interface Reboot page. If the switch is halted, all software processes stop and you can access the switching platform through the console port only. Reboot the switch by pressing any key on the keyboard.
Related Topics
In the J-Web interface, select Configure>System Properties>User Management. The User Management page displays details of users, the authentication order, the RADIUS servers and TACACS servers present.
2. 3.
Click Edit. Click any of the following options on the Users tab:
AddSelect this option to add a user. Enter details as described in Table 26 on page 111. EditSelect this option to edit an existing user's details. Enter details as described in Table 26 on page 111. DeleteSelect this option to delete a user.
4.
Click any desired option on the Authentication Methods and Order tab:
Authentication OrderDrag and drop the authentication type from the Available Methods section to the Selected Methods. Click the up or down buttons to modify the authentication order. RADIUS serverClick one:
AddSelect this option to add an authentication server. Enter details as described in Table 27 on page 111. EditSelect this option to modify the authentication server details. Enter details as described in Table 27 on page 111. DeleteSelect this option to delete an authentication server from the list.
AddSelect this option to add an authentication server. Enter details as described in Table 27 on page 111.
110
EditSelect this option to modify the authentication server details. Enter details as described in Table 27 on page 111. DeleteSelect this option to delete an authentication server from the list.
Table 26: User Management > Add a User Configuration Page Summary
Field
User Information
Function
Your Action
Username (required)
Type the username. It must be unique within the switching platform. Do not include spaces, colons, or commas in the username. Type the user's full name. If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas. Select the user's login class from the list:
Full Name
This list also includes any user-defined login classes. Login Password (required) Specifies the login password for this user. Type the login password for this user. The login password must meet these criteria:
The password must be at least 6 characters long. It can include alphabetic, numeric, and special characters, but not control characters. It must contain at least one change of case or character class.
Specifies the password of the server. Verifies that the password of the server is entered correctly. Specifies the port with which the server is associated.
111
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Retry Attempts
Related Topics
Configuring Management Access for the EX-series Switch (J-Web Procedure) on page 95
Managing Log, Temporary, and Crash Files on the Switch (J-Web Procedure)
You can use the J-Web interface to rotate log files and delete unnecessary log, temporary, and crash files on the switching platform. 1. Cleaning Up Files on page 112 2. Downloading Files on page 113 3. Deleting Files on page 113
Cleaning Up Files
If you are running low on storage space, use the file cleanup procedure to quickly identify files to delete. The file cleanup procedure performs the following tasks:
Rotates log filesArchives the current log files, and creates fresh log files. Deletes log files in /var/logDeletes files that are not currently being written to. Deletes temporary files in /var/tmpDeletes files that have not been accessed within two days. Deletes all crash files in /var/crashDeletes core files that the switch has written during an error.
To rotate log files and delete unnecessary files with the J-Web interface:
1. 2.
Select Maintain>Files. In the Clean Up Files section, click Clean Up Files. The switching platform rotates log files and identifies files that can be safely deleted. The J-Web interface displays the files that you can delete and the amount of space that will be freed on the file system.
112
Managing Log, Temporary, and Crash Files on the Switch (J-Web Procedure)
3.
Click one:
To delete the files and return to the Files page, click OK. To cancel your entries and return to the list of files in the directory, click Cancel.
Downloading Files
You can use the J-Web interface to download a copy of an individual log, temporary, or crash file from the switching platform. When you download a file, it is not deleted from the file system. To download files with the J-Web interface:
1. 2.
In the J-Web interface, select Maintain>Files. In the Download and Delete Files section, click one:
Log FilesLog files in the /var/log directory on the switch. Temporary FilesLists the temporary files in the /var/tmp directory on the switching platform. Jailed Temporary Files (Install, Session, etc)Lists the files in the /var/jail/tmp directory on the switching platform. Crash (Core) FilesLists the core files in the /var/crash directory on the switching platform. The J-Web interface displays the files located in the directory.
3. 4.
Select the files that you want to download and click Download. Choose a location for the saved file. The file is saved as a text file, with a .txt file extension.
Deleting Files
You can use the J-Web interface to delete an individual log, temporary, and crash file from the switching platform. When you delete the file, it is permanently removed from the file system.
CAUTION: If you are unsure whether to delete a file from the switching platform, we recommend using the Clean Up Files tool described in Cleaning Up Files. This tool determines which files can be safely deleted from the file system. To delete files with the J-Web interface:
1. 2.
Select Maintain>Files. In the Download and Delete Files section, click one:
Downloading Files
113
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Log FilesLists the log files in the /var/log directory on the switching platform. Temporary FilesLists the temporary files in the /var/tmp directory on the switching platform. Jailed Temporary Files (Install, Session, etc)Lists the files in the /var/jail/tmp directory on the switching platform. Crash (Core) FilesLists the core files in the /var/crash directory on the switching platform. The J-Web interface displays the files in the directory.
3. 4.
Select the box next to each file you plan to delete. Click Delete. The J-Web interface displays the files you can delete and the amount of space that will be freed on the file system.
5.
To delete the files and return to the Files page, click OK. To cancel your entries and return to the list of files in the directory, click Cancel.
114
NOTE: If the rescue configuration does not exist, or if the rescue configuration is not a complete, viable configuration, the rollback command fails, an error message appears, and the current configuration remains active.
Related Topics
Setting or Deleting the Rescue Configuration (J-Web Procedure) on page 115 Loading a Previous Configuration File (CLI Procedure) on page 79
View the current rescue configurationClick View rescue configuration. Set the current running configuration as the rescue configurationClick Set rescue configuration. Delete the current rescue configurationClick Delete rescue configuration. Setting or Deleting the Rescue Configuration (CLI Procedure) on page 114 Configuration Files Terms on page 74
Related Topics
Use the monitoring functionality to view alarm information for the EX-series switches including alarm type, alarm severity, and a brief description for each active alarm on the switching platform. To view the active alarms:
1. 2. 3.
Action
Select Monitor> Events and Alarms > View Alarms in the J-Web interface. Select an alarm filter based on alarm type, severity, description, and date range. Click Go. All the alarms matching the filter are displayed.
115
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: When the switch is reset, the active alarms are displayed.
Meaning
ChassisIndicates an alarm condition on the chassis (typically an environmental alarm such as one related to temperature). SystemIndicates an alarm condition in the system.
Alarm severityeither major (red) or minor (yellow). Brief synopsis of the alarm. Date and time when the failure was detected.
Related Topics
Monitoring System Log Messages on page 116 Understanding How to Use the J-Web Interface to View System Information Understanding Alarm Types and Severity Levels on EX-series Switches on page 93
Use the monitoring functionality to filter and view system log messages. To view events in the J-Web interface, select Monitor > Events and Alarms > View Events. Apply a filter or a combination of filters to view messages. You can use filters to display relevant events. Table 29 on page 117 describes the different filters, their functions, and the associated actions. To view events in the CLI, enter the following command:
show log
116
Your Action To specify events recorded in a particular file, select the system log filename from the listfor example, messages.
To specify events with a specific ID, type the partial or complete IDfor example, TFTPD_AF_ERR.
To specify events with a specific description, type a text string from the description with regular expression. For example, type ^Initial* to display all messages with lines beginning with the term Initial. To specify events generated by a process, type the name of the process. For example, type mgd to list all messages generated by the management process.
Specifies the time period in which the events you want displayed are generated.
Select the Start Time check box and select the year, month, date, and timefor example, 02/10/2007 11:32. Select the End Time check box and select the year, month, date, and timefor example, 02/10/2007 3:32.
By default, the messages generated in the last hour are displayed. End Time shows the current time and Start Time shows the time one hour before End Time.
To select the current time as the start time, select local time. Number of Events to Display Specifies the number of events to be displayed on the View Events page. By default, the View Events page displays 25 events. To view a specified number of events, select the number from the listfor example, 50.
117
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Meaning
NOTE: By default, the View Events page in the J-Web interface displays the most recent 25 events, with severity levels highlighted in different colors. After you specify the filters, Event Summary displays the events matching the specified filters. Click First, Next, Prev, and Last links to navigate through messages.
Additional Information
Event ID
Displays a code that uniquely identifies the message. The prefix on each code identifies the message source, and the rest of the code indicates the specific event or error. Displays context-sensitive help that provides more information about the event:
HelpShort description of the message. DescriptionMore detailed explanation of the message. TypeCategory to which the message belongs. SeverityLevel of severity.
ErrorIndicates an error or failure condition that might require corrective action. EventIndicates a condition or occurrence that does not generally require corrective action.
Event Description
118
Additional Information A severity level indicates how seriously the triggering event affects switch functions. When you configure a location for logging a facility, you also specify a severity level for the facility. Only messages from the facility that are rated at that level or higher are logged to the specified file.
UnknownGrayIndicates no severity level is specified. Debug/Info/NoticeGreen Indicates conditions that are not errors but are of interest or might warrant special handling. WarningYellowIndicates conditions that warrant monitoring. ErrorBlue Indicates standard error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels. CriticalPinkIndicates critical conditions, such as hard drive errors. AlertOrangeIndicates conditions that require immediate correction, such as a corrupted system database. EmergencyRedIndicates system panic or other conditions that cause the switching platform to stop functioning.
Related Topics
Checking Active Alarms with the J-Web Interface on page 115 Understanding Alarm Types and Severity Levels on EX-series Switches on page 93
119
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
120
Chapter 12
If you forget the root password for the switch, you can use the password recovery procedure to reset the root password.
NOTE: You need physical access to the switch to recover the root password.
Solution
Power off your switch by unplugging the power cord or turning off the power at the wall switch. Insert one end of the Ethernet cable into the serial port on the management device and connect the other end to the console port on the back of the switch. See Figure 5 on page 121
3.
On the management device, start your asynchronous terminal emulation application (such as Microsoft Windows Hyperterminal) and select the appropriate COM port to use (for example, COM1). Configure the port settings as follows:
4.
121
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Bits per second: 9600 Data bits: 8 Parity: None Stop bits: 1 Flow control: None
5. 6.
Power on your switch by plugging in the power cord or turning on the power at the wall switch. When the following prompt appears, press the Spacebar to access the switch's bootstrap loader command prompt:
Hit [Enter] to boot immediately, or space bar for command prompt. Booting [kernel] in 1 second...
7. 8.
At the following prompt, type boot -s to start up the system in single-user mode:
loader> boot -s
At the following prompt, type recovery to start the root password recovery procedure:
Enter full path name of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
A series of messages describe consistency checks, mounting of filesystems, and initialization and checkout of management services. Then the CLI prompt appears.
9.
12. At the second prompt, reenter the new root password. 13. If you are finished configuring the network, commit the configuration.
root@switch# commit
commit complete
root@switch# exit
15. Exit operational mode in the CLI.
root@switch> exit
16. At the prompt, enter y to reboot the switch.
122
Related Topics
Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60 For information about configuring an encrypted root password, configuring SSH keys to authenticate root logins, and configuring special requirements for plain-text passwords, see the JUNOS System Basics Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/.
123
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
124
Chapter 13
Statement introduced in JUNOS Release 8.3. The MS-CHAPv2 password protocol configuration option introduced in JUNOS 9.2. Configure RADIUS options for NAS-IP address for outgoing RADIUS packets and password protocol used in RADIUS packets.
nas-ip-addressIP address of the network access server (NAS) that requests user
Options
authentication.
mschap-v2Password protocol MS-CHAPv2, used in RADIUS packets.
Required Privilege Level Related Topics
systemTo view this statement in the configuration. system-controlTo add this statement to the configuration.
Managing MS-CHAPv2 for password-change support on page 99 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874
radius-options
125
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
126
radius-options
Chapter 14
127
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.0 for EX-series switches. Delete the samples of Ethernet statistics collected, but do not delete the RMON history configuration. The clear snmp rmon history command deletes all the samples collected for the interface configured for the history group, but not the configuration of that group. If you want to delete the RMON history group configuration, you must use the delete snmp rmon history configuration-mode command.
Options
interface-nameDelete the samples of Ethernet statistics collected for this interface. allDelete the samples of Ethernet statistics collected for all interfaces that have
clear
128
Command introduced in JUNOS Release 9.0 for EX-series switches. Display the contents of the RMON history group.
noneDisplay all the entries in the RMON history group. history-index(Optional) Display the contents of the specified entry in the RMON
history group.
sample-index(Optional) Display the statistics collected for the specified sample
view
show snmp rmon history 1 on page 130 show snmp rmon history 1 sample 15 on page 131 Table 31 on page 129 lists the output fields for the show smp rmon history command. Output fields are listed in the approximate order in which they appear.
Field Description Identifies this RMON history entry within the RMON history group. The entity that configured this entry. Range is 0 to 32 alphanumeric characters. The status of the RMON history entry. The ifndex object that identifies the interface that is being monitored.
The interval (in seconds) configured for this RMON history entry. The requested number of buckets (intervals) configured for this RMON history entry. The number of buckets granted for this RMON history entry.
Buckets Granted
129
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Manager ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism.
PacketsTotal number of packets. Broadcast PacketsNumber of broadcast packets. Multicast PacketsNumber of multicast packets. CRC errorsTotal number of packets received that had a length (excluding
framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, and had either a bad FCS with an integral number of octets (FCS error) or a bad FCS with a nonintegral number of octets (alignment error).
that were less than 64 octets long (excluding framing bits but including FCS octets) and were otherwise well formed.
that were longer than 1518 octets (excluding framing bits, but including FCS octets) but were otherwise well formed.
(excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. Fragment frames normally increment because both runts (which are normal occurrences caused by collisions) and noise hits are counted.
framing bits, but including FCS octets), and had either an FCS error or an alignment error. This definition of jabber is different from the definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2). These documents define jabber as the condition in which any packet exceeds 20 ms. The allowed range to detect jabber is from 20 ms to 150 ms.
supports only full-duplex operation, so for Gigabit Ethernet PICs, this number should always remain 0. If it is nonzero, there is a software bug.
user@host> show snmp rmon history 1 History Index 1: Interface Requested Buckets Interval
171 50 10
Sample Index 1: Interval Start: Tue Feb 12 04:12:32 2008 Drop Events 0 Octets 486 Packets 2 Broadcast Packet 0 Multicast Packets 2
130
CRC errors Undersize Pkts Oversize Pkts Fragments Jabbers Collisions Utilization(%)
0 0 0 0 0 0 0
Sample Index 2: Interval Start: Tue Feb 12 04:12:42 2008 Drop Events 0 Octets 486 Packets 2 Broadcast Packet 0 Multicast Packets 2 CRC errors 0 Undersize Pkts 0 Oversize Pkts 0 Fragments 0 Jabbers 0 Collisions 0 Utilization(%) 0 Sample Index 3: Interval Start: Tue Feb 12 04:12:52 2008 Drop Events 0 Octets 486 Packets 2 Broadcast Packet 0 Multicast Packets 2 CRC errors 0 Undersize Pkts 0 Oversize Pkts 0 Fragments 0 Jabbers 0 Collisions 0 Utilization(%) 0
user@host> show snmp rmon history 1 sample 15 Index 1 Owner = monitor Status = valid Data Source = ifIndex.17 Interval = 1800 Buckets Requested = 50 Buckets Granted = 50
Sample Index 44: Interval Start: Thu Jan Drop Events = 0 Octetes = 0 Packets = 0 Broadcast Pkts = 0 Multicast Pkts = 0 CRC Errors = 0 Undersize Pkts = 0 Oversize Pkts = 0 Fragments = 0 Jabbers = 0 Collisions = 0 Utilization (%) = 0
1 00:08:35 1970
131
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
132
Part 6
Virtual Chassis
Understanding Virtual Chassis on page 135 Examples of Configuring Virtual Chassis on page 159 Configuring Virtual Chassis on page 213 Verifying Virtual Chassis on page 231 Troubleshooting Virtual Chassis on page 241 Configuration Statements for Virtual Chassis on page 243 Operational Mode Commands for Virtual Chassis on page 257
Virtual Chassis
133
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
134
Virtual Chassis
Chapter 15
Virtual Chassis Overview on page 135 Understanding Virtual Chassis Components on page 137 Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 142 Understanding Software Upgrade in a Virtual Chassis Configuration on page 142 Understanding Global Management of a Virtual Chassis Configuration on page 143 Understanding Nonvolatile Storage in a Virtual Chassis Configuration on page 145 Understanding the High-Speed Interconnection of the Virtual Chassis Members on page 145 Understanding Virtual Chassis Configurations and Link Aggregation on page 146 Understanding Virtual Chassis Configuration on page 146 Understanding Virtual Chassis EX 4200 Switch Version Compatibility on page 148 Understanding Fast Failover in a Virtual Chassis Configuration on page 148 Understanding Split and Merge in a Virtual Chassis Configuration on page 154
Basic Configuration of a Virtual Chassis with Master and Backup Switches on page 136 Expanding ConfigurationsWithin a Single Wiring Closet and Across Wiring Closets on page 136
135
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Global Management of Member Switches in a Virtual Chassis on page 136 High Availability Through Redundant Routing Engines on page 137 Adaptability as an Access Switch or Distribution Switch on page 137
136
a single device in the J-Web user interface and apply various device management functions to all members of the Virtual Chassis configuration. The serial console port and dedicated out-of-band management port that are on the rear panel of the individual switches have global virtual counterparts when the switches are interconnected in a Virtual Chassis configuration. A virtual console allows you to connect to the master by connecting a terminal directly to the console port of any member switch. A virtual management Ethernet (VME) interface allows you to remotely manage the Virtual Chassis configuration by connecting to the out-of-band management port of any member switch through a single IP address. See Understanding Global Management of a Virtual Chassis Configuration on page 143.
Understanding Virtual Chassis Components on page 137 Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 142 Understanding Virtual Chassis EX 4200 Switch Version Compatibility on page 148 Understanding Virtual Chassis Configurations and Link Aggregation on page 146 EX 4200 Switch Models on page 24
137
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
interconnected switches to take advantage of Virtual Chassis features, it is also true that any individual EX 4200 switch has some Virtual Chassis components. This topic covers:
Virtual Chassis Ports (VCPs) on page 138 Master Role on page 138 Backup Role on page 139 Linecard Role on page 139 Member Switch and Member ID on page 140 Mastership Priority on page 140 Virtual Chassis Identifier (VCID) on page 141
Master Role
The member that functions in the master role:
Manages the member switches. Runs JUNOS software for EX-series switches in a master role. Runs the chassis management processes and control protocols. Represents all the member switches interconnected within the Virtual Chassis configuration. (The hostname and other properties that you assign to this switch during setup apply to all members of the Virtual Chassis configuration.)
When an EX 4200 switch is powered on as a standalone switch, it is considered the master member. In a multimember Virtual Chassis, two members function as the master and the backup of the Virtual Chassis configuration:
138
In a preprovisioned configuration, one of the two members assigned as routing-engine functions as the master member. The selection of which member assigned as routing-engine functions as master and which as backup is determined by the software based on the master election algorithm. See Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 142. In a configuration that is not preprovisioned, the selection of the master and backup is determined by the mastership priority value and secondary factors in the master election algorithm.
Backup Role
The member that functions in the backup role:
Maintains a state of readiness to take over the master role if the master fails. Runs JUNOS software for EX-series switches in a backup role. Synchronizes with the master in terms of protocol states, forwarding tables, and so forth, so that it is prepared to preserve routing information and maintain network connectivity without disruption in case the master is unavailable.
You must have at least two member switches in a Virtual Chassis configuration in order to have a backup member.
In a preprovisioned configuration, one of the two members assigned as routing-engine functions in the backup role. The selection of which member assigned as routing-engine functions as master and which as backup is determined by the software based on the master election algorithm. See Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 142. In a configuration that is not preprovisioned, the selection of the master and backup is determined by the mastership priority value and secondary factors in the master election algorithm.
Linecard Role
A member that functions in the linecard role:
Runs only a subset of JUNOS software for EX-series switches. Does not run the chassis control protocols. Can detect certain error conditions (such as an unplugged cable) on any interfaces that have been configured on it through the master.
A Virtual Chassis configuration must have at least three members in order to include a linecard member.
In a preprovisioned configuration, you can explicitly configure a member with the role of linecard, which makes it ineligible for functioning as a master or backup. In a configuration that is not preprovisioned, the members that are not selected as master or backup function as linecard members of the Virtual Chassis
139
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
configuration. The selection of the master and backup is determined by the mastership priority value and secondary factors in the master election algorithm.
To assign a mastership priority value to a member switch To configure interfaces for a member switch (the function is similar to a slot number on Juniper Networks routers) To apply some operational commands to a member switch To display status or characteristics of a member switch
Mastership Priority
In a configuration that is not preprovisioned, you can designate the role (master, backup, or linecard) that a member switch performs within the Virtual Chassis configuration by configuring its mastership priority (from 1 to 255). The mastership priority value is the factor with the highest precedence for selecting the master of the Virtual Chassis configuration. The default value for mastership priority is 128. When an EX 4200 switch is powered on, it receives the default mastership priority value. Because it is the only member of the Virtual Chassis configuration, it is also the master. When you interconnect a standalone switch to an existing Virtual Chassis configuration (which implicitly includes its own master), we recommend that you explicitly configure the mastership priority of the members that you want to function as the master and backup. We recommend that you specify the same mastership priority value for both the master and backup members.
140
NOTE: Configuring the same mastership priority value for both the master and backup helps to ensure a smooth transition from master to backup in case the master becomes unavailable. It prevents the old master from preempting control from the backup in situations where the backup has taken control of the Virtual Chassis configuration due to the original master being unavailable. We also recommend that you configure the highest possible mastership priority value (255) for those two members, because that guarantees that these two members continue to function as the master and backup when other members are added to the Virtual Chassis configuration. Any other members of the Virtual Chassis configuration (members with lower mastership priority) are considered linecard members. In a preprovisioned configuration, the mastership priority value is assigned by the software, based on the specified role.
Virtual Chassis Overview on page 135 Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159 Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 175 Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 196 Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 223 Command Forwarding Usage with a Virtual Chassis Configuration on page 231
141
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Choose the member with the highest user-configured mastership priority (255 is the highest possible value). Choose the member that was master the last time the Virtual Chassis configuration booted. Choose the member that has been included in the Virtual Chassis configuration for the longest period of time. (For this to be a deciding factor, there has to be a minimum time lapse of one minute between the power-ons of the individual interconnected member switches.) Choose the member with the lowest MAC address.
4.
The variations among switch models, such as whether the switch has 48 or 24 ports, do not impact the master election algorithm. To ensure that a specific member is elected as the master:
1. 2. 3. 4. Related Topics
Power on only the switch that you want to configure as master of the Virtual Chassis configuration. Configure the mastership priority of that member to have the highest possible value (255). Continue to configure other members through the master member, as desired. Power on the other members. Virtual Chassis Overview on page 135 Understanding Virtual Chassis Components on page 137 Understanding Virtual Chassis Configuration on page 146
142
Chassis configuration or to all members of the Virtual Chassis configuration at the same time.
Related Topics
Virtual Chassis Overview on page 135 Understanding Virtual Chassis Components on page 137 Installing Software on EX-series Switches (CLI Procedure) on page 68
143
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
If the master becomes unavailable, the console session is disconnected from the old master and a new session is established with the newly elected master. An out-of-band management Ethernet port is often referred to simply as a management Ethernet port. It uses a dedicated management channel for device maintenance and allows a system administrator to monitor and manage the switch by remote control. The Virtual Chassis configuration can be managed remotely through SSH or Telnet using a global management interface called the virtual management Ethernet (VME) interface. VME is a logical interface representing any and all of the out-of-band management ports on the member switches. When you connect to the Virtual Chassis configuration using the VME IP address, the connection is redirected to the master member as shown in Figure 7 on page 144.
Figure 7: Management Ethernet Port Redirection to VME
144
If the master management Ethernet link is unavailable, the session is redirected through the backup management Ethernet link. If there is no active management Ethernet link on the backup, the VME interface chooses a management Ethernet link on one of the linecard members, selecting the linecard member with the lowest member ID as its first choice. You can configure an IP address for the VME global management interface at any time. You can perform remote configuration and administration of all members of the Virtual Chassis configuration through the VME interface.
Related Topics
Understanding Virtual Chassis Components on page 137 Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159 Configuring the Virtual Management Ethernet Interface for Global Management of a Virtual Chassis (CLI Procedure) on page 226
If the master is not available, the backup switch takes on the role of the master and its internal flash memory takes over as the alternate location for maintaining nonvolatile configuration memory. If a member switch is taken offline for repair, the master stores the configuration of the member switch. Command Forwarding Usage with a Virtual Chassis Configuration on page 231 Monitoring System Properties on page 107
Related Topics
145
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Understanding Virtual Chassis Components on page 137 Virtual Chassis Cabling Configuration Examples for EX 4200 Switches
NOTE: The interfaces that are included within a LAG are sometimes referred to as member interfaces. Do not confuse member interfaces and member switches. The member switches are individual EX 4200 switches that have been interconnected with their Virtual Chassis ports (VCPs) to operate as a single network entity. In a Virtual Chassis configuration, you can create a LAG formed of member interfaces that represent ports belonging to different member switches.
Related Topics
Virtual Chassis Overview on page 135 Understanding Aggregated Ethernet Interfaces and LACP on page 283 Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 184 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 190
146
the Virtual Chassis configuration. When a switch is located too far away to be interconnected with the dedicated Virtual Chassis ports, you can specify an uplink as a Virtual Chassis port using the request virtual-chassis vc-port command. The request virtual-chassis vc-port command must be executed on the standalone switch, because it is not yet part of the Virtual Chassis configuration. Without an uplink VCP, the standalone switch cannot be recognized by the master as belonging to the Virtual Chassis configuration. While an uplink port is set as a VCP interface, it cannot be used for any additional purpose. If you want to use the uplink port for another purpose, you can delete the VCP setting by using the request virtual-chassis vc-port command. You can execute this command directly on the member whose uplink VCP setting you want to delete or through the master of the Virtual Chassis configuration.
WARNING: Deleting a VCP in a Virtual Chassis chain configuration can cause the Virtual Chassis configuration to split. For more information, see Understanding Split and Merge in a Virtual Chassis Configuration on page 154. In addition, you may choose to create a preprovisioned configuration. This type of configuration allows you to deterministically control the member ID and role assigned to a member switch by associating the switch to its serial number. For an example of a preprovisioned configuration, see Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 196.
NOTE: If an EX 4200 switch is interconnected with other switches in a Virtual Chassis configuration, each individual switch that is included as a member of the configuration is identified with a member ID. The member ID functions as an FPC slot number. When you are configuring interfaces for a Virtual Chassis configuration, you specify the appropriate member ID (0 through 9) as the slot element of the interface name. The default factory settings for a Virtual Chassis configuration include FPC 0 as a member of the default VLAN because FPC 0 is configured as part of the ethernet-switching family. In order to include FPC 1 through FPC 9 in the default VLAN, add the ethernet-switching family to the configurations for those interfaces. Understanding Virtual Chassis Components on page 137 Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 142 Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 175 Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159
Related Topics
147
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Understanding Virtual Chassis Components on page 137 Understanding Software Upgrade in a Virtual Chassis Configuration on page 142 Understanding Software Installation on EX-series Switches on page 65 Installing Software on EX-series Switches (CLI Procedure) on page 68 Installing Software on EX-series Switches (J-Web Procedure) on page 69
Supported Topologies for Fast Failover on page 148 How Fast Failover Works on page 148 Effects of Topology Changes on a Fast Failover Configuration on page 153
148
fails, its backup port is used to send traffic. These backup ports act as standby ports and are not meant for load-balancing purposes. Fast Failover in a Ring Topology using Dedicated VCPs When fast failover is activated in a ring topology that uses dedicated VCPs, each VCP is automatically configured with a backup port of the same type. If a VCP fails, its backup port is used to send traffic. Figure 8 on page 149 shows normal traffic flow in a ring topology using dedicated VCPs.
Figure 8: Normal Traffic Flow in a Ring Topology Using Dedicated VCPs
149
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Figure 9: Traffic Redirected by Fast Failover After Dedicated VCP Link Failure
When the failed link is restored, the Virtual Chassis reconfigures the topology to the topology's original state. Fast Failover in a Ring Topology Using Uplink Module VCPs In a ring topology that uses uplink module VCPs, each uplink module VCP is automatically configured with a backup uplink module VCP. If an uplink module VCP fails, its backup port is used to send traffic. Figure 10 on page 151 shows normal traffic flow in a ring topology using SFP uplink module VCPs. Normal traffic flow in a ring topology using XFP uplink module VCPs is the same.
150
NOTE: In order to use SFP or XFP uplink module ports as VCPs, you must configure them to be VCPs using the request virtual-chassis vc-port command. Once configured, they will be converted into VCPs. For example xe-0/1/0 will become vcp-255/1/0 after you configure it to be a VCP.
Figure 10: Normal Traffic Flow in a Ring Topology Using SFP Uplink Module VCPs
151
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Figure 11: Traffic Redirected by Fast Failover After SFP Uplink Module VCP Link Failure
In a ring topology that uses SFP uplink module VCPs, there are four ports per module. Consecutive pair of ports are automatically configured as backup ports for each other. For example, if a Virtual Chassis member has an SFP uplink module installed, uplink module VCPs ge-0/1/0 and ge-0/1/1 are automatically configured as the backup port for the other port in the pair. Similarly, ports ge-0/1/2 and ge-0/1/3 are automatically configured as the backup port for the other port in the pair. Similarly, in a ring topology that uses XFP uplink module VCPs, there are only two ports per uplink module. Each port is automatically configured to back up the other port in the uplink module (for example, xe-0/1/0 is the backup for xe-0/1/1). Fast Failover in a Virtual Chassis Configuration Using Multiple Ring Topologies Fast failover is supported in a Virtual Chassis configuration with a multiple-ring topology, as shown in Figure 12 on page 208.
152
Figure 12: Traffic Redirected by Fast Failover After VCP Link Failures in a Topology with Multiple Rings
In this scenario, the Virtual Chassis configuration has three rings: two rings that use dedicated VCPs and one ring that uses SFP uplink module VCPs. Fast failover works independently on each ring. Each dedicated VCP in a ring is backed up by another dedicated VCP. Similarly, each SFP uplink module VCP is backed up by another SFP uplink module VCP. Fast failover does not support a ring topology consisting of a mix of dedicated VCPs and uplink module VCPs.
153
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Understanding Virtual Chassis Configuration on page 146 Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When a Virtual Chassis Member Switch or Inter-Member Link Fails on page 207 Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 223
NOTE: If a Virtual Chassis configuration splits into separate parts, we recommend that you resolve the problem that caused the Virtual Chassis configuration to split as soon as possible. You can also use this feature to merge two active but separate Virtual Chassis that have not previously been part of the same configuration into one Virtual Chassis configuration.
NOTE: The split and merge feature is enabled by default on EX 4200 switches. You can disable the split and merge feature by using the set virtual-chassis no-split-detection command. This topic describes:
What Happens When a Virtual Chassis Configuration Splits on page 154 Merging Virtual Chassis Configurations on page 155
It contains both the stable master and the stable backup (that is, the master and backup from the original Virtual Chassis configuration before the split).
154
It contains the stable master and the configuration is greater than half the Virtual Chassis size. It contains the stable backup and is at least half the Virtual Chassis size.
Due to the rules given in the second and third list items, if the Virtual Chassis configuration splits into two equal parts and the stable master and stable backup are in different parts, then the part that contains the stable backup will become active.
NOTE: The number of members in the Virtual Chassis configuration includes all member switches connected to date minus the number whose Virtual Chassis member IDs have been recycled. Therefore, the size of the Virtual Chassis configuration increases when a new member switch is detected and decreases when a member switch's ID is recycled (that is, made available for reassignment). These rules ensure that only one of the two separate Virtual Chassis configurations created by the split remains active. The member switches in the inactive Virtual Chassis configuration remain in a linecard role. For the inactive members to become active again, one of the following things must happen:
The problem that caused the original Virtual Chassis configuration to split is resolved, allowing the two Virtual Chassis configurations to merge. You load the factory default configuration on the inactive members, which causes the inactive members to function as standalone switches or become part of a different Virtual Chassis configuration.
NOTE: When you remove a member switch from a Virtual Chassis configuration, you should recycle the member ID using the request virtual-chassis recycle command.
A Virtual Chassis configuration that had split into two is now merging back into a single configuration because the problem that had caused it to split has been resolved. You want to merge two Virtual Chassis that had not previously been configured together.
Every Virtual Chassis configuration has a unique ID that is automatically assigned when the Virtual Chassis configuration is formed. You can also explicitly assign a Virtual Chassis ID using the set virtual-chassis id command. A Virtual Chassis ID that you assign takes precedence over automatically assigned Virtual Chassis IDs. When you reconnect the separate Virtual Chassis configurations or connect them for the first time, the members determine whether or not the separate Virtual Chassis configurations can merge. The members use the following rules to determine whether a merge is possible:
155
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
If the Virtual Chassis configurations have the same Virtual Chassis ID, then the configurations can merge. If the two Virtual Chassis were formed as the result of a split, they will have the same Virtual Chassis ID. If the Virtual Chassis IDs are different, then the two configurations can merge only if both are active (inactive configurations cannot merge, ensuring that members removed from one Virtual Chassis configuration do not become members of another Virtual Chassis configuration). If the configurations to merge are both active and one of them has a user-configured Virtual Chassis ID, this ID becomes the ID of the merged Virtual Chassis. If neither Virtual Chassis has a user-configured Virtual Chassis ID, then the Virtual Chassis ID of the configuration with the highest mastership priority becomes the ID of the merged Virtual Chassis. The resulting merged Virtual Chassis configuration will be active.
When you connect two Virtual Chassis configurations, the following events occur:
1.
Connecting the two split Virtual Chassis configurations triggers the shortest-path-first (SPF) algorithm. The SPF algorithm computes the network topology and then triggers the master election algorithm. The master election algorithm waits for the members to synchronize the topology information before running. The master election algorithm merges the Virtual Chassis IDs of all the members. Each member runs the master election algorithm to select a master and a backup from among all members with the same Virtual Chassis IDs. For more information, see Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 142. The master determines whether the Virtual Chassis configuration is active or inactive. (See What Happens When a Virtual Chassis Configuration Splits on page 154.) If the Virtual Chassis configuration is active, the master assigns roles to all members. If the Virtual Chassis configuration is inactive, the master assigns all members the role of linecard. When the other members receive their role from the master, they change their role to backup or linecard. They also use the active or inactive state information sent by the master to set their own state to active or inactive and to construct the Virtual Chassis member list from the information sent by the master. If the Virtual Chassis state is active, the master waits for messages from the members indicating that they have changed their roles to the assigned roles, and then the master changes its own role to master.
2. 3.
4.
5.
6.
7.
NOTE: When you merge two Virtual Chassis that had not previously been part of the same Virtual Chassis configuration, any configuration settings (such as the settings for Telnet/FTP services, GRES, fast failover, VLANs, and so on) that exist on the new master will become the configuration settings for all members of the new Virtual Chassis, overwriting any other configuration settings.
156
Related Topics
Understanding Virtual Chassis Configuration on page 146 Example: Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge on page 210 Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge (CLI Procedure) on page 229 Disabling Split and Merge in a Virtual Chassis Configuration (CLI Procedure) on page 230
157
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
158
Chapter 16
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159 Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet on page 164 Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 170 Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 175 Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 184 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 190 Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 196 Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When a Virtual Chassis Member Switch or Inter-Member Link Fails on page 207 Example: Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge on page 210
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet
A Virtual Chassis configuration is a scalable switch. You can provide secure, redundant network accessibility with a basic two-member Virtual Chassis configuration and later expand the Virtual Chassis configuration to provide additional access ports as your office grows. This example describes how to configure a Virtual Chassis with a master and backup in a single wiring closet:
159
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configuration on page 162 Verification on page 162 Troubleshooting the Virtual Chassis on page 164
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.0 or later for EX-series switches One EX 4200-48P switch One EX 4200-24T switch One EX-UM-2XFP uplink module
Rack-mounted the switches. See Mounting an EX 3200 or EX 4200 Switch on a Rack or Cabinet or Mounting an EX 3200 or EX 4200 Switch on a Desk or Other Level Surface. Installed the uplink module. See Installing an Uplink Module in an EX 3200 or EX 4200 Switch. Cabled the switches. See Connecting a Virtual Chassis Cable to an EX 4200 Switch.
2. 3.
160
Requirements
NOTE: We recommend that you use the commit synchronize command to save any configuration changes that you make to a multimember Virtual Chassis. The Virtual Chassis configuration provides networking access for 50 onsite workers, who are sitting within range of a single wiring closet. The workers all use personal computers and VoIP phones. As the office grows, you can add more EX 4200 switches to meet increased needs for access ports. The topology for this example consists of two switches, one of which contains an uplink module:
One EX 4200-24T switch (SWA-0) with 24 access ports, including eight ports that support PoE One EX 4200-48P switch (SWA-1) with 48 access ports, all of which support PoE One EX-UM-2XFP uplink module, with two 10Gigabit Ethernet ports, is installed in the EX 4200-48P switch
Table 32 on page 161 shows the default configuration settings for the two-member Virtual Chassis.
Table 32: Components of the Basic Virtual Chassis Access Switch Topology
Member Switch Hardware Member ID Role and Priority
SWA-0
EX 4200-48P switch
SWA-1
EX 4200-24T switch
Figure 13 on page 161 shows that SWA-0 and SWA-1 are interconnected with their dedicated VCPs on the rear panel. The LCD on the front displays the Member ID and Role. SWA-0 also includes an uplink module. Its uplink ports can be used to connect to a distribution switch.
Figure 13: Basic Virtual Chassis with Master and Backup
161
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configuration
Configure a Virtual Chassis with a default master and backup in a single wiring closet:
Step-by-Step Procedure
Make sure the VCPs on the rear panel of the member switches are properly cabled. See Virtual Chassis Cabling Configuration Examples for EX 4200 Switches. Power on SWA-0 (the member switch that you want to function as the master). Check the front-panel LCD to confirm that the switch has powered on correctly. Run the EZ Setup program on SWA-0, specifying the identification parameters. See Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 or Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60 for details. Configure SWA-0 with the virtual management Ethernet (VME) interface for out-of-band management of the Virtual Chassis configuration, if desired.
[edit] user@SWA-0# set interfaces vme unit 0 family inet /ip-address/mask/
5.
6.
Power on SWA-1.
Verification
To confirm that the Virtual Chassis configuration is operational, perform these tasks:
Verifying That the Mastership Priority Is Assigned Appropriately on page 162 Verifying That the VCPs Are Operational on page 163
Verify that the master, which has been selected by default, is the member switch that you want to function in that role.
1. 2.
Action
Check the front-panel LCD to confirm that the switch has powered on correctly and that a member ID has been assigned. List the member switches of the Virtual Chassis configuration.
user@SWA-0> show virtual-chassis status Virtual Chassis ID: 0019.e250.47a0 Member ID 0 (FPC 0) 1 (FPC 1) Status Prsnt Prsnt Mastership Serial No Model priority AK0207360276 ex4200-48p 128 AK0207360281 ex4200-24t 128 Role Master* Backup Neighbor List ID Interface 1 vcp-0 1 vcp-1 0 vcp-0 0 vcp-1
162
Configuration
Meaning
The show virtual-chassis status command lists the member switches interconnected in a Virtual Chassis configuration with the member IDs that have been assigned by the master, the mastership priority values, and the roles. It also displays the neighbor members with which each member is interconnected. The output shows that SWA-0, member 0, has been assigned default mastership priority 128. Because SWA-0 is the first member to be powered on, it has the most seniority and is therefore assigned the role of master. SWA-1 is powered on after member 0, so it is assigned the role of backup. The member IDs are displayed on the front panel of the switches. Check and confirm whether the default assignment is satisfactory. Verifying That the VCPs Are Operational
Purpose
Verify that the dedicated Virtual Chassis ports interconnecting the switches are operational. Display the Virtual Chassis ports of all the members:
user@SWA-0> show virtual-chassis vc-port all-members fpc0: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc1: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up
Action
Meaning
The show virtual-chassis vc-port command lists the interfaces that are enabled for the member switches of the Virtual Chassis configuration and shows the status of the interfaces. The output in this example shows that two of the VCPs are operational and two VCPs are not. A single cable has been used to interconnect vcp-0 of member ID 0 and vcp-0 of member ID 1. That interconnection is sufficient for the switch to be operational. However, we recommend that you connect the second set of VCPs for redundancy.
163
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The master and backup roles are not assigned to the member switches that you want to function in these roles. Modify the mastership priority values. To quickly modify the mastership priority of SWA-1 (member ID 1), copy the following command and paste it into the switch terminal window:
[edit virtual-chassis] user@SWA-1# set member 1 mastership-priority 255
Solution
Check to make sure that you have cabled the appropriate ports. Check to make sure that the cables are seated properly.
You should generally cable and interconnect both of the VCPs on the member switches, for redundancy and high availability.
Related Topics
Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet on page 164 Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 170 Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 196 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216
Requirements on page 165 Overview and Topology on page 165 Configuration on page 167
164
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.0 or later for EX-series switches One EX 4200-48P switch One EX 4200-24T switch One EX 4200-24P switch One EX-UM-2XFP uplink module
Confirmed that the existing Virtual Chassis configuration is operating correctly. See Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159.
One EX 4200-24T switch (SWA-0) with 24 access ports, including eight ports that support PoE One EX 4200-48P switch (SWA-1) with 48 access ports, all of which support Power over Ethernet (PoE)
Requirements
165
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
One EX 4200-24P switch (SWA-2) with 24 access ports, all of which support PoE One uplink module with two 10-gigabit ports is installed in the EX 4200-48P switch. These ports can be configured as trunk ports to connect to a distribution switch or customer edge (CE) router or as Virtual Chassis ports (VCPs) to interconnect with a member switch that is located too far for dedicated VCP cabling. For information on configuring the uplink ports as trunk ports to a distribution switch, see Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321 or Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317. For information on configuring uplink ports as Virtual Chassis ports, see Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 223.
Table 33 on page 166 shows the configuration settings for the expanded Virtual Chassis.
Table 33: Components of the Expanded Virtual Chassis Access Switch
Member Switch Hardware Member ID Role in Virtual Chassis
SWA-0
EX 4200-48P switch
master; mastership priority 255 backup; mastership priority 255 linecard; mastership priority 128
SWA-1
EX 4200-24T switch
SWA-2
EX 4200-24P switch
Figure 14 on page 166 shows that the three member switches ( SWA-0, SWA-1 and SWA-2) are interconnected with their dedicated VCPs on the rear panel. The LCD on the front displays the member ID and role. SWA-0 also includes an uplink module. Its uplink ports can be used to connect to a distribution switch.
Figure 14: Expanded Virtual Chassis in Single Wiring Closet
166
Configuration
To expand a Virtual Chassis configuration to include additional member switches within a single wiring closet, perform these tasks:
NOTE: We recommend that you use the commit synchronize command to save any configuration changes that you make to a multimember Virtual Chassis configuration.
CLI Quick Configuration
To maintain the master and backup roles of the existing members and ensure that the new member switch functions in a linecard role, copy the following commands and paste them into the terminal window:
[edit] user@SWA-0# set virtual-chassis member 0 mastership-priority 255 user@SWA-1# set virtual-chassis member 1 mastership-priority 255
Step-by-Step Procedure
To ensure that the existing member switches retain their current roles and to add another member switch in a linecard role:
1.
Configure the mastership priority of SWA-0 (member 0) to be the highest possible value, thereby ensuring that it functions as the master of the expanded Virtual Chassis configuration.
[edit virtual-chassis] user@SWA-0# set member 0 mastership-priority 255
2.
Configure the mastership priority of SWA-1 (member 1) to be the highest possible value. This setting is recommended for high availability and smooth transition of mastership in case the original master becomes unavailable.
[edit virtual-chassis] user@SWA-1# set member 1 mastership-priority 255
3.
Interconnect the unpowered SWA-2 with SWA-0 and SWA-1 using the dedicated VCPs on the rear panel. See Virtual Chassis Cabling Configuration Examples for EX 4200 Switches for additional information. Power on SWA-2. You do not need to configure or run EZ Setup on SWA-2. The identification parameters that were set up for the master apply implicitly to all members of the Virtual Chassis configuration. SWA-2 functions in a linecard role, since SWA-0 and SWA-1 have been configured to the highest mastership priority values.
4.
Verification
To verify that the new switch has been added as a linecard and that its VCPs are operational, perform these tasks:
Verifying That the New Switch Has Been Added as a Linecard on page 168 Verifying That the VCPs Are Operational on page 168
Configuration
167
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Verify that SWA-2 has been added in a linecard role to the Virtual Chassis configuration. Use the show virtual-chassis status command to list the member switches with their member IDs, mastership priority values, and assigned roles.
user@SWA-0> show virtual-chassis status Virtual Chassis ID: 0000.e255.00e0 Mastership Priority 255 Neighbor List ID Interface 1 vcp-0 2 vcp-1 2 vcp-0 0 vcp-1 0 vcp-0 1 vcp-1
Action
Member ID 0 (FPC 0)
Status Prsnt
Serial No abc123
Model
Role Master*
ex4200-48p
1 (FPC 1)
Prsnt
def456
ex4200-24t
255
Backup
2 (FPC 2)
Prsnt
abd231
ex4200-24p
128
Linecard
Meaning
The show virtual-chassis status command lists the member switches of the Virtual Chassis configuration with the member IDs and mastership priority values. It also displays the neighbor members with which each member is interconnected. This output shows that SWA-2 has been assigned member ID 2 and has the default mastership priority value 128. Because the mastership priority is lower than the mastership priority of the other members, SWA-2 functions in the linecard role. You can continue to add more member switches, following the same procedure. It is possible to have multiple members in linecard roles with the same mastership priority value. Verifying That the VCPs Are Operational
Purpose Action
Verify that the dedicated VCPs interconnecting the member switches are operational. List the VCP interfaces on the Virtual Chassis configuration.
user@SWA-0>show virtual-chassis vc-port all-members fpc0: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc1: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc2:
168
Meaning
The show virtual-chassis vc-port all-members command lists all the interfaces for the Virtual Chassis configuration. In this case, no VCP uplinks have been configured. However, the VCP interfaces are automatically configured and enabled when you interconnect member switches using the dedicated Virtual Chassis ports. There are two dedicated VCPs on the rear panel of each EX 4200 switch. It is recommended that you interconnect the member switches using both VCPs for redundancy. The VCP interfaces are identified simply as vcp-0 and vcp-1. The fpc number is the same as the member ID.
Troubleshooting
To troubleshoot the configuration of an expanded Virtual Chassis, perform these tasks: Troubleshooting Mastership Priority
Problem Solution
You want to designate a different member as the master. Change the mastership priority value or values of the switches, designating the highest mastership priority value for the switch that you want to be master.
1.
2.
Set the mastership priority of the member that you want to be the master to the highest possible value (255):
[edit virtual-chassis] user@SWA-2# set member 2 mastership-priority 255
The VCP interface shows a status of down. Check the cable to make sure that it is properly and securely connected to the VCPs.
Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 170 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216
Troubleshooting
169
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration
You can configure a multimember Virtual Chassis access switch in a single wiring closet without setting any parametersby simply cabling the switches together, using the dedicated Virtual Chassis ports (VCPs). You do not need to modify the default configuration to enable these ports. They are operational by default. The Virtual Chassis configuration automatically assigns the master, backup, and linecard roles, based on the sequence in which the switches are powered on and other factors in the master election algorithm. See Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 142.
TIP: We recommend that you explicitly configure the mastership priority of the switches to ensure that the switches continue to perform the desired roles when additional switches are added or other changes occur. However, it is possible to use the default configuration described in this example. This example describes how to configure a multimember Virtual Chassis in a single wiring closet, using the default role assignments:
Requirements on page 170 Overview and Topology on page 170 Configuration on page 171 Verification on page 172 Troubleshooting on page 174
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.0 or later for EX-series switches Two EX 4200-48P switches Four EX 4200-24P switches
170
Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration
The topology for this example (see Figure 1) consists of six switches:
Two EX 4200-48P switches (SWA-0 and SWA-1) with 48 access ports, all of which support Power over Ethernet (PoE) Four EX 4200-24P switches (SWA-2, SWA-3, SWA-4, and SWA-5) with 24 access ports, all of which support PoE
Figure 15 on page 171 shows that all the member switches are interconnected with the dedicated VCPs on the rear panel. The LCD on the front displays the member ID and role.
Figure 15: Default Configuration of Multimember Virtual Chassis in a Single Wiring Closet
Configuration
Configure a multimember Virtual Chassis access switch in a single wiring closet using the factory defaults:
CLI Quick Configuration
By default, after you interconnect the switches with the dedicated VCPs and power on the switches, the VCPs are operational. The mastership priorities and member IDs are assigned by the software. To determine which switch has been selected as the master, check the LCD on the front panel. It should be the first switch that you power on. The backup should be the second switch that you power on. The other switches are all linecards. Wait at least one minute after powering on the master, before continuing to power on the other switches.
Configuration
171
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Step-by-Step Procedure
Make sure the dedicated VCPs on the rear panel are properly cabled. See Virtual Chassis Cabling Configuration Examples for EX 4200 Switches for additional information. Power on the switch that you want to function as the master (SWA-0). This examples uses one of the larger switches (EX 4200-48P) as the master. Check the front panel LCD to confirm that the switch has powered on correctly and that a member ID has been assigned. Run the EZ Setup program on SWA-0, the master, specifying the identification parameters. See Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 or Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60 for details. Configure SWA-0 with the virtual management Ethernet (VME) interface for out-of-band management of the Virtual Chassis configuration, if desired.
[edit] user@SWA-0# set interfaces vme unit 0 family inet /ip-address/mask/
2. 3. 4.
5.
6. 7. 8. 9.
After a lapse of at least one minute, power on SWA-1. This example uses the second EX 4200-48P switch as the backup. Check the front panel LCD to confirm that the switch has powered on correctly and that a member ID has been assigned. Power on SWA-2, and check the front panels to make sure that the switch is operating correctly. Continue to power on the member switches one by one, checking the front panels as you proceed.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the Member IDs and Roles of the Member Switches on page 172 Verifying That the VCPs Are Operational on page 173
Verify that all the interconnected member switches are included within the Virtual Chassis configuration and that their roles are assigned appropriately. Display the members of the Virtual Chassis configuration:
user@SWA-0> show virtual-chassis status
Action
Member ID
Status
Serial No
Model
Role
172
Verification
0 (FPC 0)
Prsnt
abc123
ex4200-48p
128
Master*
1 vcp-0 5 vcp-1 2 vcp-0 0 vcp-1 3 vcp-0 1 vcp-1 4 vcp-0 2 vcp-1 5 vcp-0 3 vcp-1 0 vcp-0 4 vcp-1
1 (FPC 1)
Prsnt
def123
ex4200-48p
128
Backup
2 (FPC 2)
Prsnt
abd231
ex4200-24p
128
Linecard
3 (FPC 3)
Prsnt
cab123
ex4200-24p
128
Linecard
4 (FPC 4)
Prsnt
fed456
ex4200-24p
128
Linecard
5 (FPC 5)
Prsnt
jkl231
ex4200-24p
128
Linecard
Meaning
The show virtual-chassis status command lists the member switches of the Virtual Chassis configuration with the member IDs and mastership priority values. It also displays the neighbor members with which each member is interconnected. The fpc number is the same as the member ID. Verifying That the VCPs Are Operational
Purpose Action
Verify that the dedicated VCPs interconnecting the member switches are operational. Display the Virtual Chassis interfaces.
user@SWA-0> show virtual-chassis vc-port all-members fpc0: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc1: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc2: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc3: -------------------------------------------------------------------------Interface Type Status or
173
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Dedicated Dedicated
Up Up
fpc4: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc5: Interface or PIC / Port vcp-0 vcp-1 Type Status
Dedicated Dedicated
Up Up
Meaning
The show virtual-chassis vc-port all-members command lists the Virtual Chassis interfaces that are enabled for the member switches of the Virtual Chassis configuration and shows the status of the interfaces. In this case, no VCP uplinks have been configured. However, the VCP interfaces are automatically configured and enabled when you interconnect member switches using the dedicated VCPs. There are two dedicated VCPs on the rear panel of each EX 4200 switch. The dedicated VCP interfaces are identified simply as vcp-0 and vcp-1. They do not use the standard interface address (in which the member ID is represented by the first digit). The output in this example shows that all interfaces are operational. The fpc number is the same as the member ID.
Troubleshooting
To troubleshoot the configuration of a multimember Virtual Chassis in a single wiring closet, perform these tasks: Troubleshooting Mastership Priority
Problem Solution
You want to explicitly designate one member as the master and another as backup. Change the mastership priority value of the member that you want to function as master, designating the highest mastership priority value that member.
NOTE: These configuration changes are made through the current master, SWA-0. Configure mastership priority of member 0 to be the highest possible value.
[edit virtual-chassis] user@SWA-0# set member 0 mastership-priority 255
1.
2.
Set the mastership priority of another member that you want to function as the backup member as the same value:
174
Troubleshooting
The VCP interface shows a status of down. Check the cable to make sure that it is properly and securely connected to the VCPs.
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159 Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 175 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216
Requirements on page 175 Overview and Topology on page 176 Configuration on page 179 Verification on page 182 Troubleshooting on page 184
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.0 or later for EX-series switches Two EX 4200-48P switches Two EX 4200-24T switches Four EX-UM-2XFP uplink modules
175
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Before you interconnect the members of the Virtual Chassis configuration across wiring closets, be sure you have:
1.
Installed an EX-UM-2XFP uplink module in the member switches that will be interconnected across wiring closets. See Installing an Uplink Module in an EX 3200 or EX 4200 Switch. Powered on, connected and run the EZ Setup program on SWA-0. Follow the prompts to specify the host name and other identification, time zone, and network properties. See Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 or Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60 for details. SWA-0 is going to be configured in the example to function as the master of the Virtual Chassis. Thus, the properties that you specified for SWA-0 apply to the entire Virtual Chassis configuration, including all the member switches that you later interconnect with the master. Configured SWA-0 with the virtual management Ethernet (VME) for remote, out-of-band management of the Virtual Chassis configuration, if desired.
[edit] user@SWA-0# set interfaces vme unit 0 family inet /ip-address/mask/
2.
3.
4.
Interconnected SWA-0 and SWA-1 (the two member switches in wiring closet A) using the dedicated VCPs on the rear panel. SWA-1 should not be powered on at this time. Interconnected SWA-2 and SWA-3 (the two member switches in wiring closet B) using the dedicated VCPs on the rear panel. SWA-2 and SWA-3 should not be powered on at this time.
5.
NOTE: Beginning with JUNOS Release 9.2 for EX-series switches, you can use either a 10-Gbps Ethernet uplink port (EX-UM-2XFP) or a 1-Gbps Ethernet uplink port (EX-UM-4SFP) as a VCP interface. When an uplink port is set as a VCP interface, it cannot be used for any other purpose. The EX-UM-2XP uplink module has two 10-Gbps ports; the EX-UM-4SFP has four 1-Gbps ports. You can set one port as a VCP interface and configure the other port in trunk mode as an uplink to a distribution switch.
176
closets, you do not need to add any more uplink modules. Simply use the dedicated VCPs on the rear panel. The redundancy of uplink VCPs provided in this example is sufficient. First, we will complete the Virtual Chassis configuration of the member switches in wiring closet A. We have decided that SWA-0 will function as the master, so we set its mastership priority value to the highest possible value (255). The switches (SWA-0 and SWA-1) in wiring closet A have been interconnected using the dedicated Virtual Chassis ports (VCPs) . The interfaces for the rear panel, dedicated VCPs are operational by default. They do not need to be configured. However, the rear-panel Virtual Chassis cables that interconnect the VCPs of member switches within a single wiring closet are not long enough to connect member switches across wiring closets. Instead, you can use the fiber cable connections in the uplink modules to interconnect the member switches in wiring closet A to the member switch in wiring closet B. For redundancy, this example connects uplink ports from the two member switches in wiring closet A to the two member switches in wiring closet B. After specifying the highest mastership priority value (255) for SWA-0, we power on SWA-1. Because SWA-0 and SWA-1 are interconnected with the dedicated VCPs, the master detects that SWA-1 is a member of its Virtual Chassis configuration and assigns a member ID. We can now set the VCP uplinks for both SWA-0 and SWA-1 through the master in preparation for interconnecting them with the member switches in wiring closet B. However, in order for the master to recognize the existence of SWA-2, you must first set one of the SWA-2 uplinks as a VCP. You cannot set the SWA-2 uplink through the master of the Virtual Chassis configuration, because SWA-2 is not yet interconnected as a member switch. We will power on and configure SWA-2 prior to powering on SWA-3. When you power on SWA-2, its member ID is 0, its default mastership priority is 128, and it is functioning in the master role. You can configure SWA-2 without running EZ Setup by directly connecting to the console port. If you wish, you can run EZ Setup and specify identification parameters. Later, when you interconnect SWA-2 with the master of the Virtual Chassis configuration, the master overwrites any conflicting parameters. We want to use SWA-2 as the backup of the Virtual Chassis configuration. If a problem occurs in wiring closet A, SWA-2 would take control of the Virtual Chassis configuration and maintain the network connections. We configure the same mastership priority value for SWA-2 (255) that we configured for the master. Because SWA-0 has already been powered on prior to SWA-2, it has additional prioritization properties that allow it to retain mastership of the Virtual Chassis configuration. See Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 142. We recommend setting identical mastership priority values for the master and backup members for high availability and smooth transition of mastership in case the original master becomes unavailable. (Setting identical mastership priority values for the master and
177
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
backup members prevents the previous master from pre-empting the master role from the new master when the previous master comes back online.) After SWA-2 has been configured and its uplink port has been set as a VCP interface, interconnect its VCP uplink port with the VCP uplink of SWA-0 in wiring closet A. SWA-2 reboots and joins the Virtual Chassis configuration as member 2 and as backup of the expanded Virtual Chassis configuration. Now, power on SWA-3. Because SWA-3 is interconnected with SWA-2 using the dedicated VCPs on the rear panel, the master detects that SWA-3 is part of the expanded Virtual Chassis configuration and assigns it member ID 3. For redundancy, configure a VCP uplink on member 3 through the master and interconnect this uplink with the VCP uplink of SWA-1 in wiring closet A. The topology for this example consists of:
Two EX 4200-48P switches Two EX 4200-24T switches Four EX-UM-2XFP uplink modules.
Table 34 on page 178 shows the Virtual Chassis configuration settings for a Virtual Chassis composed of member switches in different wiring closets.
Table 34: Components of a Virtual Chassis Interconnected Across Multiple Wiring Closets
Switch Member ID Role and Priority Uplinks Connecting Member Switches xe-0/1/0 Hardware Location
SWA-0
master; mastership priority 255 linecard; mastership priority 128 backup; mastership priority 255 linecard; mastership priority 128
EX 4200-48P and EX-UM-2XFP uplink module EX 4200-24T and EX-UM-2XFP uplink module EX 4200-48P and EX-UM-2XFP uplink module EX 4200-24T and EX-UM-2XFP uplink module
Wiring closet A
SWA-1
xe-1/1/0
Wiring closet A
SWA-2
xe-0/1/0
Wiring closet B
SWA-3
xe-3/1/0
Wiring closet B
Figure 16 on page 179 shows the different types of interconnections used for this Virtual Chassis configuration. The rear view shows that the member switches within each wiring closet are interconnected to each other using the dedicated VCPs. The front view shows that the uplink ports that have been set as VCP interfaces and interconnected across the wiring closets. The uplink ports that are not used as VCPs can be configured as trunk ports to connect to a distribution switch.
178
Configuration
To configure the Virtual Chassis across multiple wiring closets, perform these tasks:
NOTE: We recommend that you use the commit synchronize command to save any configuration changes that you make to a multimember Virtual Chassis.
CLI Quick Configuration
To quickly configure a Virtual Chassis across multiple wiring closets, configure a master in one closet and a backup in the other by copying the following commands into the specified terminal windows (SWA-0 and SWA-2):
[edit] user@SWA-0#set virtual-chassis member 0 mastership-priority 255 [edit] user@SWA-2#set virtual-chassis member 0 mastership-priority 255
Configuration
179
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Step-by-Step Procedure
Configure the mastership priority of SWA-0 (member 0) to be the highest possible value (255), thereby ensuring that it functions as the master of the expanded Virtual Chassis configuration.
[edit virtual-chassis] user@SWA-0#set member 0 mastership-priority 255
2.
Prepare the members in wiring closet A for interconnecting with the member switches in wiring closet B by setting uplink VCPs for member 0 and member 1:
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 1
NOTE: For redundancy, this example configures an uplink VCP in both SWA-0 and SWA-1.
This example omits the specification of the member member-id option in configuring the uplink for SWA-0. The command applies by default to the switch where it is executed.
3.
Prepare the potential member switch (SWA-2) in wiring closet B for interconnecting with the Virtual Chassis configuration by configuring its mastership priority to be the highest possible value (255). Its member ID is currently 0, because it is not yet interconnected with the other members of the Virtual Chassis configuration. It is operating as a standalone switch. Its member ID will change when it is interconnected.
[edit virtual-chassis] user@SWA-2# set member 0 mastership-priority 255
NOTE: SWA-2 is configured with the same mastership priority value that we configured for SWA-0. However, the longer uptime of SWA-0 ensures that it functions as the master and that SWA-2 functions as the backup. Specify one uplink port in SWA-2 as a VCP interface. Its member ID is 0, because it is not yet interconnected with the other members of the Virtual Chassis configuration. Its member ID will change when it is interconnected with the Virtual Chassis configuration.
4.
180
Configuration
NOTE: The setting of the VCP interface remains intact when SWA-2 reboots and joins the Virtual Chassis configuration as member 2.
This example omits the specification of the member member-id option. The command applies by default to the switch where it is executed.
5.
After you have set the uplink VCP in SWA-2, you should physically interconnect SWA-0 and SWA-2 across wiring closets using their uplink VCPs. Although SWA-0 and SWA-2 have the same mastership priority value (255), SWA-0 was powered on first and thus has longer uptime. This results in SWA-0 retaining mastership while SWA-2 reboots and joins the now expanded Virtual Chassis configuration as a backup with member ID 2. Power on SWA-3, which is interconnected with SWA-2 using the dedicated VCPs on the rear panel. It joins the expanded Virtual Chassis configuration as member 3.
6.
NOTE: We have assumed that the member ID assigned to SWA-3 is 3, because it was powered on in that sequence. Since SWA-3 is now interconnected as a member of the Virtual Chassis configuration, you can specify a redundant VCP uplink on SWA-3 through the master of the Virtual Chassis configuration.
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 3
7.
8.
After you have configured the uplink VCP of SWA-3, you should physically interconnect SWA-3 and SWA-1 across wiring closets using their uplink VCPs. Both SWA-1 and SWA-3 have the default mastership priority value (128) and function in a linecard role.
Results
Configuration
181
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the Member IDs and Roles of the Member Switches on page 182 Verifying That the Dedicated VCPs and Uplink VCPs Are Operational on page 183
Verify that all the interconnected member switches are included within the Virtual Chassis configuration and that their roles are assigned appropriately. Display the members of the Virtual Chassis configuration:
user@SWA-0> show virtual-chassis status
Action
Virtual Chassis ID: 0000.e255.00e0 Mastership Member ID 0 (FPC 0) 1 vcp-0 Status Prsnt Serial No abc123 1 vcp-1 2 1/0 1 (FPC 1) Prsnt def456 ex4200-24t 128 Linecard 0 vcp-0 0 vcp-1 3 1/0 Model ex4200-48p Priority 255 Role Master* Neighbor List ID Interface
2 (FPC 2)
Prsnt
ghi789
ex4200-48p 3 vcp-1
255
Backup
3 vcp-0
0 1/0 3 (FPC 3) Prsnt jkl012 ex4200-24t 128 Linecard 2 vcp-0 2 vcp-1 1 1/0
Meaning
The show virtual-chassis status command lists the member switches interconnected as a Virtual Chassis configuration with the member IDs that have been assigned by the master, the mastership priority values, and the roles. It also displays the neighbor members with which each member is interconnected.
182
Verification
Verifying That the Dedicated VCPs and Uplink VCPs Are Operational
Purpose
Verify that the dedicated VCPs interconnecting the member switches in wiring closet A and the uplink VCPs interconnecting the member switches between wiring closets are operational. Display the Virtual Chassis interfaces:
user@SWA-0> show virtual-chassis vc-port all-members fpc0: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up 1/0 Configured Up
Action
fpc1: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up 1/0 Configured Up
fpc2: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up 1/0 Configured Up
fpc3: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up 1/0 Configured Up
Meaning
The dedicated VCPs are displayed as vcp-0 and vcp-1. The uplinks configured as VCPs are displayed as 1/0. The fpc number is the same as the member ID.
Verifying That the Dedicated VCPs and Uplink VCPs Are Operational
183
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Troubleshooting
To troubleshoot a Virtual Chassis configuration that is interconnected across wiring closets, perform these tasks: Troubleshooting Nonoperational VCPs
Problem Solution
Check the cable to make sure that it is properly and securely connected to the ports. If the VCP is an uplink port, make sure that the uplink port has been explicitly set as a VCP. If the VCP is an uplink port, make sure that you have specified the options (pic-slot, port-number, member-id) correctly. Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159 Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet on page 164 Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 170 Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 223
Related Topics
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
EX-series switches allow you to combine one to eight Ethernet links into one logical interface for higher bandwidth and redundancy. The ports that are combined in this manner are referred to as a link aggregation group (LAG) or bundle. This example describes how to configure uplink LAGs to connect a virtual chassis access switch to a virtual chassis distribution switch:
Requirements on page 184 Overview and Topology on page 185 Configuration on page 187 Verification on page 189 Troubleshooting on page 190
Requirements
This example uses the following software and hardware components:
JUNOS Release 9.0 or later for EX-series switches Two EX-series 4200-48P switches
184
Troubleshooting
Configured the virtual chassis switches. See Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159. Configured the uplink ports on the switches as trunk ports. See Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321.
Link Aggregation Control Protocol (LACP) can optionally be configured for link negotiation. It doubles the speed of each uplink from 10 Gbps to 20 Gbps. If one physical port is lost for any reason (a cable is unplugged or a switch port fails, or one member switch is unavailable), the logical port transparently continues to function over the remaining physical port.
The topology used in this example consists of one virtual chassis access switch and one virtual chassis distribution switch. The access switch is composed of two EX 4200-48P switches (SWA-0 and SWA-1), interconnected to each other with their virtual chassis ports (VCPs) as member switches of Host-A. The distribution switch is composed of two EX 4200-24F switches (SWD-0 and SWD-1), interconnected with their VCPs as member switches of Host-D. Each member of the access switch has an uplink module installed. Each uplink module has two ports. The uplinks are configured to act as trunk ports, connecting the access switch with the distribution switch. One uplink port from SWA-0 and one uplink port from SWA-1 are combined as a LAG ae0 to SWD-0. This link is used for one VLAN. If the remote end is a security device LACP may not be supported since security devices demand a deterministic configuration. In this case do not configure LACP. All links in the LAG will be permanently up unless a link failure within the Ethernet physical or the data link layers has been detected. The remaining uplink ports from SWA-0 and from SWA-1 are combined as a second LAG connection (ae1) to SWD-1. LAG ae1, which is used for another VLAN.
185
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Figure 17: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual Chassis Distribution Switch
Table 35 on page 293 details the topology used in this configuration example.
Table 35: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis Distribution Switch
Switch Hostname and VCID Base Hardware Uplink Module Member ID Trunk Port xe-0/1/0 to SWD-0 xe-0/1/1 to SWD-1
SWA-0
EX 4200-48P switch
SWA-1
EX 4200-48P switch
186
Table 35: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis Distribution Switch (continued)
SWD-0 Host-D Distribution switch VCID 4 SWD-1 Host-D Distribution switch VCID 4 EX-series EX 4200 L-24F switch One EX-UM-2XFP uplink module 1
xe-1/1/0 to SWA-0 xe-1/1/1 to SWA-1
Configuration
To configure two uplink LAGs from the virtual chassis access switch to the virtual chassis distribution switch:
CLI Quick Configuration
To quickly configure aggregated Ethernet high-speed uplinks between a virtual chassis access switch and a virtual chassis distribution switch, copy the following commands and paste them into the switch terminal window:
[edit] set chassis aggregated-devices ethernet device-count 2 set interfaces ae0 aggregated-ether-options minimum-links 2 set interfaces ae0 aggregated-ether-options link-speed 10g set interfaces ae1 aggregated-ether-options minimum-links 2 set interfaces ae1 aggregated-ether-options link-speed 10g set interfaces ae0 unit 0 family inet address 192.0.2.0/25 set interfaces ae1 unit 1 family inet address 192.0.2.128/25 set interfaces xe-0/1/0 ether-options 802.ad ae0 set interfaces xe-1/1/0 ether-options 802.ad ae0 set interfaces xe-0/1/1 ether-options 802.ad ae1 set interfaces xe-1/1/1 ether-options 802.ad ae1
Step-by-Step Procedure
To configure aggregated Ethernet high-speed uplinks between a virtual chassis access switch and a virtual chassis distribution switch:
1.
2.
Specify the number of links that need to be present for the ae0 LAG interface to be up:
[edit interfaces] user@Host-A# set ae0 aggregated-ether-options minimum-links 2
3.
Specify the number of links that need to be present for the ae1 LAG interface to be up:
[edit interfaces] user@Host-A# set ae1 aggregated-ether-options minimum-links 2
Configuration
187
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
4.
5.
6.
7.
8.
Specify that LAG ae0 belongs to the subnet for the employee broadcast domain:
[edit interfaces] user@Host-A# set ae0 unit 0 family inet address 192.0.2.0/25
9.
Specify that LAG ae1 belongs to the subnet for the guest broadcast domain:
[edit interfaces] user@Host-A# set ae1 unit 1 family inet address 192.0.2.128/25
Results
188
Configuration
} } } ae1 { aggregated-ether-options { link-speed 10g; minimum-links 2; } unit 0 { family inet { address 192.0.2.128/25; } } xe0/1/0 { ether-options { 802.ad ae0; } } xe1/1/0 { ether-options { 802.ad ae0; } } xe0/1/1 { ether-options { 802.ad ae1; } } xe1/1/1 { ether-options { 802.ad ae1; } } }
Verification
To verify that switching is operational and two LAGs have been created, perform these tasks:
Verifying That LAG ae0 Has Been Created on page 189 Verifying That LAG ae1 Has Been Created on page 190
inet
10.10.10.2/24
Verification
189
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Meaning
The output confirms that the ae0 link is up and shows the family and IP address assigned to this link. Verifying That LAG ae1 Has Been Created
Purpose Action
Meaning
Troubleshooting
Troubleshooting a LAG That Is Down
Problem Solution
The show interfaces terse command shows that the LAG is down: Check the following:
Verify that there is no configuration mismatch. Verify that all member ports are up. Verify that a LAG is part of family ethernet switching (Layer 2 LAG) or family inet (Layer 3 LAG). Verify that the LAG member is connected to the correct LAG at the other end. Verify that the LAG members belong to the same switch (or the same virtual chassis). Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 190 Example: Connecting an Access Switch to a Distribution Switch on page 422. Virtual Chassis Cabling Configuration Examples for EX 4200 Switches Installing an Uplink Module in an EX 3200 or EX 4200 Switch
Related Topics
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
EX-series switches allow you to combine one to eight Ethernet links into one logical interface for higher bandwidth and redundancy. The ports that are combined in this manner are referred to as a link aggregation group (LAG) or bundle. EX-series switches
190
allow you to further enhance these links by configuring Link Aggregation Control Protocol (LACP). This example describes how to overlay LACP on the LAG configurations that were created in Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 184:
Requirements on page 191 Overview and Topology on page 191 Configuring LACP for the LAGs on the Virtual Chassis Access Switch on page 192 Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch on page 192 Verification on page 193 Troubleshooting on page 194
Requirements
This example uses the following software and hardware components:
JUNOS Release 9.0 or later for EX-series switches Two EX-series 4200-48P switches Two EX-series 4200-24F switches Four EX-series EX-UM-2XFP uplink modules
Installed your EX-series switches. Set up the virtual chassis switches. See Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159. Configured the uplink ports on the switches as trunk ports. See Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321. Configured the LAGs. See Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 184
Requirements
191
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: If the actor and partner are both in passive mode, they do not exchange LACP packets, which results in the aggregated Ethernet links not coming up. By default, LACP is in passive mode. To initiate transmission of LACP packets and responses to LACP packets, you must enable LACP in active mode. By default, the actor and partner send LACP packets every second. You can configure the interval at which the interfaces send LACP packets by including the periodic statement at the [edit interfaces interface-name aggregated-ether-options lacp] hierarchy level. The interval can be fast (every second) or slow (every 30 seconds).
Configuring LACP for the LAGs on the Virtual Chassis Access Switch
To configure LACP for the access switch LAGs, perform these tasks:
CLI Quick Configuration
To quickly configure LACP for the access switch LAGs, copy the following commands and paste them into the switch terminal window:
set interfaces ae0 aggregated-ether-options lacp active periodic fast set interfaces ae1 aggregated-ether-options lacp active periodic fast
Step-by-Step Procedure
Results
Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch
To configure LACP for the two uplink LAGs from the virtual chassis access switch to the virtual chassis distribution switch, perform these tasks:
CLI Quick Configuration
To quickly configure LACP for the distribution switch LAGs, copy the following commands and paste them into the switch terminal window:
[edit interfaces] set ae0 aggregated-ether-options lacp passive periodic fast set ae1 aggregated-ether-options lacp passive periodic fast
192
Configuring LACP for the LAGs on the Virtual Chassis Access Switch
Step-by-Step Procedure
Results
Verification
To verify that LACP packets are being exchanged, perform these tasks:
Verifying the LACP Settings on page 193 Verifying That the LACP Packets Are Being Exchanged on page 194
To verify that the LACP has been set up correctly. Use the show lacp interfaces interface-name command to check that LACP has been enabled as active on one end.
show lacp interfaces xe-0/1/0 show lacp interfaces xe-0/1/0 Aggregated interface: ae0 LACP state: xe-0/1/0 xe-0/1/0 LACP protocol: xe-0/1/0 Role Actor Partner Exp No No Def Yes Yes Dist No No Col No No Syn No No Aggr Yes Yes Timeout Fast Fast Activity Active Passive
Meaning
The output indicates that the LACP has been set up correctly and is active at one end.
Verification
193
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
To verify that LACP packets are being exchanged. Use the show interfaces lag-name statisticscommand to display LACP information.
show interfaces ae0 statistics Physical interface: ae0, Enabled, Physical link is Down Interface index: 153, SNMP ifIndex: 30 Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1, Minimum bandwidth needed: 0 Device flags : Present Running Interface flags: Hardware-Down SNMP-Traps Internal: 0x0 Current address: 02:19:e2:50:45:e0, Hardware address: 02:19:e2:50:45:e0 Last flapped : Never Statistics last cleared: Never Input packets : 0 Output packets: 0 Input errors: 0, Output errors: 0 Logical interface ae0.0 (Index 71) (SNMP ifIndex 34) Flags: Hardware-Down Device-Down SNMP-Traps Encapsulation: ENET2 Statistics Packets pps Bytes bps Bundle: Input : 0 0 0 0 Output: 0 0 0 0 Protocol inet, MTU: 1500 Flags: None Addresses, Flags: Dest-route-down Is-Preferred Is-Primary Destination: 10.10.10/24, Local: 10.10.10.1, Broadcast: 10.10.10.255
Meaning
The output here shows that the link is down and that no PDUs are being exchanged.
Troubleshooting
These are some tips for troubleshooting: Troubleshooting Nonworking LACP Link
Problem Solution
Remove the LACP configuration and verify whether the static LAG is up. Verify that LACP is configured at both ends. Verify that LACP is not passive at both ends. Verify whether LACP protocol data units are being exchanged by running the monitor traffic-interface lag-member detail command. Example: Connecting an Access Switch to a Distribution Switch on page 422 Virtual Chassis Cabling Configuration Examples for EX 4200 Switches
Related Topics
194
195
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: When you use a preprovisioned configuration, you cannot modify the mastership priority or member ID of member switches through the user interfaces. This example describes how to configure a Virtual Chassis across multiple wiring closets using a preprovisioned configuration file:
Requirements on page 196 Overview and Topology on page 197 Configuration on page 201 Verification on page 203 Troubleshooting on page 206
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.0 or later for EX-series switches Five EX 4200-48P switches Five EX 4200-24T switches Four EX-UM-2XFP uplink modules
196
Before you create the preprovisioned configuration of the Virtual Chassis and interconnect the members across the wiring closets, be sure you have:
1. 2.
Made a list of the serial numbers of all the switches to be connected as a Virtual Chassis configuration. Noted the desired role (routing-engine or linecard) of each switch. If you configure the member with a routing-engine role, it is eligible to function as a master or backup. If you configure the member with a linecard role , it is not eligible to become a master or backup. Installed an EX-UM-2XFP uplink module in the member switches that will be interconnected across wiring closets. See Installing an Uplink Module in an EX 3200 or EX 4200 Switch. Interconnected the member switches within each wiring closet using the dedicated VCPs on the rear panel of switches. See Connecting a Virtual Chassis Cable to an EX 4200 Switch. Powered on the switch that you plan to use as the master switch (SWA-0). Run the EZ Setup program on SWA-0, specifying the identification parameters. See Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 for details. SWA-0 is going to be configured in the example to function as the master of the Virtual Chassis configuration. Thus, the properties that you specified for SWA-0 apply to the entire Virtual Chassis configuration, including all the member switches that you specify in the preprovisioned configuration file.
3.
4.
5. 6.
7.
Configure SWA-0 with the virtual management Ethernet (VME) interface for out-of-band management of the Virtual Chassis configuration, if desired.
[edit] user@SWA-0# set interfaces vme unit 0 family inet /ip-address/mask/
197
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
configuration file. The master detects the connection of the members through the dedicated VCPs and applies the parameters specified in the preprovisioned configuration file. However, the Virtual Chassis cables that interconnect the VCPs of member switches within a single wiring closet are not long enough to connect member switches across wiring closets. Instead, you can use the fiber cable connections in the EX-UM-2XFP or EX-UM-4SFP uplink modules to interconnect the member switches in wiring closet A to the member switch in wiring closet B. For redundancy, this example connects uplink ports from two member switches in wiring closet A (SWA0 and SWA2) to two member switches (SWA-5 and SWA-7) in wiring closet B.
NOTE: You can use either a 10-Gbps Ethernet uplink port (EX-UM-2XFP) or a 1-Gbps Ethernet uplink port (EX_UM-4SFP) as a VCP interface. When an uplink port is set as a VCP interface, it cannot be used for any other purpose. The EX-UM-2XP uplink module has two 10-Gbps ports; the EX-UM-4SFP has four 1-Gbps ports. You can set one port as a VCP interface and configure the other port in trunk mode as an uplink to a distribution switch. Because this particular preprovisioned configuration is for a Virtual Chassis that is interconnected across wiring closets, we will bring up the Virtual Chassis configuration in stages. First, we power on SWA-0 (without powering on any other switches) and create the preprovisioned configuration file. Then we power on the remaining switches in wiring closet A. If we check the status of the Virtual Chassis configuration at this point by using the show virtual-chassis status command, it will display only member 0 through member 4. The members that have not yet been interconnected will not be listed. Next power on SWA-5 without powering on the remaining switches (SWA-6 through SWA-9) in wiring closet B. Bring up SWA-5 as a standalone switch and set one of its uplinks as a VCP interface prior to interconnecting it with the Virtual Chassis configuration in wiring closet A. Without this setting, SWA-5 cannot be detected as a member switch by the master of the Virtual Chassis configuration. You can set the uplink VCP of SWA5 without running the EZ Setup program by directly connecting to the console port. If you wish, you can run EZ Setup program and specify identification parameters. When you interconnect SWA-5 with the master of the Virtual Chassis configuration, the master overwrites any conflicting parameters. After setting the VCP uplink in SWA-5, connect this VCP uplink with the VCP uplink of SWA-0 in wiring closet A. SWA-5 (serial number pqr678) is specified as a routing-engine in the preprovisioned configuration file. This example uses SWA-5 as the backup of the Virtual Chassis configuration. If a problem occurs in wiring closet A, SWA-5 would take control of the Virtual Chassis configuration and maintain the network connections. Specify both SWA-0 and SWA-5 as routing-engine. Because SWA-0 is powered on prior to SWA-5, it has additional prioritization properties that cause it to be elected as master of the Virtual Chassis configuration. After being physically interconnected with SWA-0, SWA-5 reboots and comes up as member 5 and as the backup of the Virtual Chassis configuration.
198
Power on the remaining switches (SWA-6 through SWA-9) in wiring closet B. The master can now detect that all members are present. Finally, for redundancy, configure an additional VCP uplink on SWA-7 through the master. The topology for this example consists of:
Three EX 4200-48P switches (SWA-0 , SWA-2, and SWA-4) in wiring closet A. Two EX 4200-48P switches (SWA-5 and SWA-9) in wiring closet B. Two EX 4200-24T switches (SWA-1 and SWA-3) in wiring closet A. Three EX 4200-24T switches (SWA-6, SWA-7, and SWA-8) in wiring closet B. Four EX-UM-2XFP uplink modules. Two are installed in wiring closet A and two are installed in wiring closet B.
Table 36 on page 199 shows the Virtual Chassis configuration settings for a preprovisioned Virtual Chassis composed of member switches in different wiring closets.
Table 36: Components of a Preprovisioned Virtual Chassis Interconnected Across Multiple Wiring Closets
Switch Serial number Member ID Role Uplink Ports xe-0/1/0 Hardware Location
SWA-0
abc123
routing-engine
Wiring closet A
1 2 3 4 5
Wiring closet A Wiring closet A Wiring closet A Wiring closet A Wiring closet B
NOTE: The member ID of SWA-5 is 0 at the time that its uplink port is configured as a VCP. SWA-6 SWA-7 SWA-8 SWA-9 stu901 vwx234 yza567 bcd890 6 7 8 9 linecard linecard linecard linecard
xe-7/1/0
199
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Figure 18 on page 200 shows the different types of interconnections used for this Virtual Chassis configuration. The rear view shows that the member switches within each wiring closet are interconnected to each other using the dedicated VCPs. The front view shows that the uplink ports that have been set as VCPs and interconnected across the wiring closets. The uplink ports that are not set as VCPs can be configured as trunk ports to connect to a distribution switch.
NOTE: The interconnections shown in this figure are the same as they would be for a configuration that was not preprovisioned across wiring closets.
Figure 18: Maximum Size Virtual Chassis Interconnected Across Wiring Closets
200
Configuration
To configure the Virtual Chassis across multiple wiring closets using a preprovisioned configuration, perform these tasks:
NOTE: We recommend that you use the commit synchronize command to save any configuration changes that you make to a multimember Virtual Chassis configuration.
CLI Quick Configuration
To quickly configure SWA-0 with a preprovisioned configuration, copy the following commands and paste them into the switch terminal window:
[edit] set virtual-chassis set virtual-chassis set virtual-chassis set virtual-chassis set virtual-chassis set virtual-chassis set virtual-chassis set virtual-chassis set virtual-chassis set virtual-chassis set virtual-chassis
preprovisioned member 0 serial-number member 1 serial-number member 2 serial-number member 3 serial-number member 4 serial-number member 5 serial-number member 6 serial-number member 7 serial-number member 8 serial-number member 9 serial-number
abc123 def456 ghi789 jkl012 mno345 pqr678 stu901 vwx234 yza567 bcd890
role role role role role role role role role role
routing-engine linecard linecard linecard linecard routing-engine linecard linecard linecard linecard
Step-by-Step Procedure
2.
Specify all the members that will be included in the Virtual Chassis configuration, listing each switch's serial number with the desired member ID and the desired role:
[edit virtual-chassis] user@SWA0# set member user@SWA0# set member user@SWA0# set member user@SWA0# set member user@SWA0# set member user@SWA0# set member user@SWA0# set member user@SWA0# set member user@SWA-0# set member user@SWA0# set member
0 1 2 3 4 5 6 7 8 9
serial-number serial-number serial-number serial-number serial-number serial-number serial-number serial-number serial-number serial-number
abc123 def456 ghi789 jkl012 mno345 pqr678 stu901 vwx234 yza567 bcd890
role role role role role role role role role role
routing-engine linecard linecard linecard linecard routing-engine linecard linecard linecard linecard
3. 4.
Power on the member switches in wiring closet A. Prepare the members in wiring closet A for interconnecting with the member switches in wiring closet B by setting uplink VCPs for member 0 and member 2:
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0
Configuration
201
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: For redundancy, this example sets an uplink VCP interface in both SWA-0 and SWA-2.
This example omits the specification of the member0 in setting the uplink for SWA-0. The command applies by default to the switch where it is executed.
5.
Power on and connect to SWA-5. This switch comes up as member ID 0 and functions as master of itself. Although SWA-5 is listed in the preprovisioned configuration file, it is not a present member of the Virtual Chassis configuration that has been powered on thus far. In order for the master to detect SWA-5 as a connected member, you must first set an uplink VCP on SWA-5 and interconnect that VCP uplink with the VCP uplink of SWA-0. Set the first uplink of SWA-5 to function as a VCP interface. Because SWA-5 has been powered on as a separate switch and is still operating independently at this point, its member ID is 0.
user@SWA-5>request virtual-chassis vc-port set pic-slot 1 port 0
6.
NOTE: This example omits the specification of the member0 in configuring the uplink for SWA-5 (at this point the member ID of SWA-5 is still 0). The command applies by default to the switch where it is executed. Power off SWA-5 and connect the fiber cable from SWA-5 uplink port xe-0/1/0 to the uplink port xe-0/1/0 on SWA-0. Power on SWA-5. Now that SWA-5 has been brought up as member 5 of the Virtual Chassis configuration, power on the remaining switches (SWA-6 through SWA-9) in wiring closet B. They are interconnected with SWA-5 using the dedicated VCPs on the rear panel and are therefore detected by the master as interconnected members. If you check the status of the Virtual Chassis configuration at this point, all the members that were specified in the preprovisioned configuration file should be displayed as present. Additional configuration for member switches can now be done through the master switch. Set one uplink port of SWA-7 to function as a VCP:
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 7
7. 8. 9.
10.
202
Configuration
Results
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the Member IDs and Roles of the Member Switches on page 204 Verifying That the Dedicated VCPs and Uplink VCPs Are Operational on page 205
Verification
203
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Verify that the member IDs and roles are all set as expected. Display the members of the Virtual Chassis configuration:
user@SWA-0> show virtual-chassis status Preprovisioned Virtual Chassis Virtual Chassis ID: 0000.e255.0000 Member ID 0 (FPC 0) Status Prsnt Serial No abc123 Model ex4200-48p Mastership Priority Role 129 Master* Neighbor List ID Interface 1 4 5 2 0 vcp-0 vcp-1 1/0 vcp-0 vcp1
1 (FPC 1)
Prsnt
def456
ex4200-24t
Linecard
2 (FPC 2)
Prsnt
ghi789
ex4200-48p
Linecard
3 1 7 4 2 0 3 6 9 0 7 5
vcp-0 vcp-1 1/0 vcp-0 vcp-1 vcp-0 vcp-1 vcp-0 vcp-1 1/0 vcp-0 vcp-1
3 (FPC 3)
Prsnt
jkl012
ex4200-24t
Linecard
4 (FPC 4)
Prsnt
mno345
ex4200-48p
Linecard
FPC 5)
Prsnt
pqr678
ex4200-48p
129
Backup
6 (FPC 6)
Prsnt
stu901
ex4200-24t
Linecard
7 (FPC 7)
Prsnt
vwx234
ex4200-24t
Linecard
8 6 2 9 7 5 8
8 (FPC 8)
Prsnt
yza567
ex4200-24t
Linecard
9 (FPC 9)
Prsnt
bc7890
ex4200-48p
Linecard
Meaning
The output shows that all members listed in the preprovisioned configuration file are connected to the Virtual Chassis configuration. It confirms that SWA-0 (member 0) is functioning as the master of the Virtual Chassis configuration, which was the intention of the configuration procedure. The other configured routing-engine (SWA-5) is functioning as the backup. The Neighbor List displays the interconnections of the member VCPs.
204
Verifying That the Dedicated VCPs and Uplink VCPs Are Operational
Purpose
Verify that the dedicated VCPs interconnecting the member switches within each wiring closet and the uplink VCPs interconnecting the member switches across wiring closets are operational. Display the Virtual Chassis interfaces:
user@SWA-0> show virtual-chassis vc-port all-members fpc0: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up 1/0 Configured Up fpc1: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc2: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up 1/0 Configured Up fpc3: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc4: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc5: Interface or PIC / Port vcp-0 vcp-1 1/0 Type Status
Action
Up Up Up
Verifying That the Dedicated VCPs and Uplink VCPs Are Operational
205
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
fpc6: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc7: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up 1/0 Configured Up fpc8: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc9: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up
Meaning
The dedicated VCPs interconnecting the member switches within wiring closets are displayed as vcp-0 and vcp-1. The uplink VCP ports interconnecting member switches (members 0, 2, 5 and 7) across wiring closets are displayed as 1/0 and 1/1 and identified as Configured.
Troubleshooting
To troubleshoot a preprovisioned Virtual Chassis configuration that is interconnected across wiring closets, perform these tasks: Troubleshooting Nonoperational VCPs
Problem Solution Related Topics
A VCP interface shows a status of down. Check the cable to make sure that it is properly and securely connected to the ports.
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159 Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 175
206
Troubleshooting
Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216
Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When a Virtual Chassis Member Switch or Inter-Member Link Fails
The Virtual Chassis fast failover feature is a hardware-assisted failover mechanism that automatically reroutes traffic and reduces traffic loss in the event of a link or switch failure. If a link between two members fails, traffic flow between those members must be rerouted quickly so that there is minimal traffic loss. Fast failover is enabled by default on all dedicated Virtual Chassis ports (VCPs). This example describes how to configure fast failover on uplink module VCPs in a Virtual Chassis configuration:
Requirements on page 207 Overview and Topology on page 207 Configuration on page 209 Verification on page 209
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.3 or later for EX-series switches Six EX 4200-24T switches Four EX-UM-4SFP uplink modules
Mounted the switches. See Mounting an EX 3200 or EX 4200 Switch on a Rack or Cabinet, Mounting an EX 3200 or EX 4200 Switch on a Desk or Other Level Surface, or Mounting an EX 3200 or EX 4200 Switch on a Wall. Cabled the switches in a multiple-ring topology to create the Virtual Chassis configuration. See Connecting a Virtual Chassis Cable to an EX 4200 Switch and Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 175. See Figure 12 on page 208 for an illustration of a multiple-ring topology.
2.
Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When a Virtual Chassis Member Switch or Inter-Member Link Fails
207
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
For fast failover to be effective, the Virtual Chassis members must be configured in a ring topology. The ring topology can be formed by using either dedicated Virtual Chassis ports (VCPs) or user-configured uplink module VCPs. Fast failover is supported only in a ring topology that uses identical port types, for example, either a topology that uses all dedicated VCPs or one that uses all uplink module VCPs. Fast failover is not supported in a ring topology that includes both dedicated VCPs and uplink module VCPs. Fast failover is supported, however, in a Virtual Chassis configuration that consists of multiple rings. Figure 12 on page 208 shows an example of a multiple-ring topology.
Figure 19: Traffic Redirected by Fast Failover After VCP Link Failures in a Topology with Multiple Rings
This example shows how to enable fast failover on uplink module VCPs.
208
Six EX 4200-24T switches, four of which have an EX-UM-4SFP uplink module installed (switches 1, 3, 4, and 6)
Configuration
To configure the fast failover feature on uplink module VCPs:
CLI Quick Configuration
To configure fast failover on all SFP uplink module VCPs, copy the following command and paste it into the terminal window on switch 1:
[edit] set virtual-chassis fast-failover ge
Step-by-Step Procedure
Enable fast failover on all SFP uplink module VCPs in the Virtual Chassis configuration:
[edit] user@switch1# set virtual-chassis fast-failover ge
NOTE: We recommend that you use the commit synchronize command to save any configuration changes that you make to a multimember Virtual Chassis.
Results
Verification
To confirm that fast failover is enabled on SFP uplink module VCPs in the Virtual Chassis configuration, perform these tasks:
Verify that fast failover has been enabled in a Virtual Chassis configuration.
1. 2.
Issue the show virtual-chassis fast-failover command. Check to see that fast failover is enabled.
Configuration
209
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Fast failover on dedicated VCP ports: Enabled Fast failover on XE uplink VCP ports: Disabled Fast failover on GE uplink VCP ports: Enabled
Meaning
Fast failover is enabled on all dedicated VCPs and SFP uplink module VCPs in the Virtual Chassis configuration.
Related Topics
Configuring Fast Failover in a Virtual Chassis Configuration on page 228 Disabling Fast Failover in a Virtual Chassis Configuration on page 229 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216
Example: Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge
You can explicitly assign a Virtual Chassis ID so that, when two Virtual Chassis configurations merge, the ID that you assigned takes precedence over the automatically assigned Virtual Chassis IDs and becomes the ID of the newly merged Virtual Chassis configuration. This example describes how to assign the Virtual Chassis ID in a Virtual Chassis configuration:
Requirements on page 210 Overview and Topology on page 211 Configuration on page 211 Verification on page 211
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.3 or later for EX-series switches Two EX 4200-48P switches Two EX 4200-24T switches
Installed the switches. See Mounting an EX 3200 or EX 4200 Switch on a Rack or Cabinet, Mounting an EX 3200 or EX 4200 Switch on a Desk or Other Level Surface, or Mounting an EX 3200 or EX 4200 Switch on a Wall. Cabled the switches to create the Virtual Chassis configuration. See Connecting a Virtual Chassis Cable to an EX 4200 Switch.
2.
210
Example: Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge
The switches are connected as a four-member Virtual Chassis configuration and are identified as switch-A, switch-B, switch-C, and switch-D. The master is switch-A.
Configuration
Assign the Virtual Chassis ID in a Virtual Chassis configuration:
CLI Quick Configuration
To assign a Virtual Chassis ID so that, when two Virtual Chassis configurations merge, the ID that you assigned takes precedence over the automatically assigned Virtual Chassis IDs and becomes the ID of the newly merged Virtual Chassis configuration, copy the following command and paste it into the terminal window:
[edit] set virtual-chassis id 9622.6ac8.5345
Step-by-Step Procedure
NOTE: We recommend that you use the commit synchronize command to save any configuration changes that you make to a multimember Virtual Chassis configuration.
Verification
To verify that the Virtual Chassis ID has been assigned as you intended, perform these tasks:
211
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Verify that the Virtual Chassis ID has been assigned in a Virtual Chassis configuration.
1. 2.
Issue the show configuration virtual-chassis id command. Check to see that the Virtual Chassis ID number is listed.
Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge (CLI Procedure) on page 229 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216
212
Chapter 17
Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure) on page 218 Configuring Mastership of the Virtual Chassis (CLI Procedure) on page 221 Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 223 Configuring the Virtual Management Ethernet Interface for Global Management of a Virtual Chassis (CLI Procedure) on page 226 Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as Master of Virtual Chassis (CLI Procedure) on page 227 Configuring Fast Failover in a Virtual Chassis Configuration on page 228 Disabling Fast Failover in a Virtual Chassis Configuration on page 229 Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge (CLI Procedure) on page 229 Disabling Split and Merge in a Virtual Chassis Configuration (CLI Procedure) on page 230
213
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: A multimember Virtual Chassis configuration has two Routing Engines, one in the master and the other in the backup. Therefore, we recommend that you always use commit synchronize rather than simply commit to save configuration changes made for a Virtual Chassis. This ensures that the configuration changes are saved in both Routing Engines. A Virtual Chassis can be configured with either:
preprovisioned configurationAllows you to deterministically control the member ID and role assigned to a member switch by tying it to its serial number. nonprovisioned configurationThe master sequentially assigns a member ID to other member switches. The role is determined by the mastership priority value and other factors in the master election algorithm. Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 214 Configuring a Virtual Chassis with a Nonprovisioned Configuration File on page 215
Make a list of the serial numbers of all the switches to be connected in a Virtual Chassis configuration. Note the desired role (routing-engine or linecard) of each switch. If you configure the member with a routing-engine role, it is eligible to function as a master or backup. If you configure the member with a linecard role, it is not eligible to become a master or backup. Interconnect the member switches using the dedicated VCPs on the rear panel of switches. See Connecting a Virtual Chassis Cable to an EX 4200 Switch.
3.
NOTE: Arrange the switches in sequence, either from top to bottom or from bottom to top (09). Power on only the switch that you plan to use as the master switch (SWA-0). Do not power on the other switches at this time. Run the EZ Setup program on SWA-0, specifying the identification parameters. See Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 for details.
4. 5.
NOTE: The properties that you specify for SWA-0 apply to the entire Virtual Chassis configuration, including all the member listed in the preprovisioned configuration file. Configure SWA-0 with the virtual management Ethernet (VME) interface for out-of-band management of the Virtual Chassis configuration, if desired.
6.
214
7.
8.
Specify all the members that you want to included in the Virtual Chassis configuration, listing each switchs serial number with the desired member ID and the desired role:
[edit virtual-chassis] user@SWA0# set member user@SWA0# set member user@SWA0# set member user@SWA0# set member user@SWA0# set member user@SWA0# set member user@SWA0# set member user@SWA0# set member user@SWA-0# set member user@SWA0# set member
0 1 2 3 4 5 6 7 8 9
serial-number serial-number serial-number serial-number serial-number serial-number serial-number serial-number serial-number serial-number
abc123 def456 ghi789 jkl012 mno345 pqr678 stu901 vwx234 yza567 bcd890
role role role role role role role role role role
routing-engine linecard linecard linecard linecard routing-engine linecard linecard linecard linecard
9.
NOTE: You cannot modify the mastership-priority when you are using a preprovisioned configuration. The mastership priority values are generated automatically and controlled by the role that is assigned to the member switch in the configuration file. The two routing engines are assigned the same mastership priority value. However, the member that was powered on first has higher prioritization according to the master election algorithm. See Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 142.
Interconnect the member switches using the dedicated VCPs on the rear panel of switches. See Connecting a Virtual Chassis Cable to an EX 4200 Switch.
NOTE: Arrange the switches in sequence, either from top to bottom or from bottom to top (09). Power on only the switch that you plan to use as the master switch (SWA-0). Do not power on the other switches at this time. Run the EZ Setup program on SWA-0, specifying the identification parameters. See Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 for details.
2. 3.
215
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: The properties that you specify for SWA-0 apply to the entire Virtual Chassis configuration, including all the members interconnected through VCPs.. Configure SWA-0 with the virtual management Ethernet (VME) interface for out-of-band management of the Virtual Chassis configuration, if desired.
[edit] user@SWA-0# set interfaces vme unit 0 family inet /ip-address/mask/
4.
5.
Configure mastership priority for the master, backup, and other members, if desired:
[edit virtual-chassis] user@SWA0# set member 0 mastership-priority 255 user@SWA0# set member 5 mastership-priority 255
6.
NOTE: If you do not edit the Virtual Chassis configuration file, a nonprovisioned configuration is generated by default. The mastership priority value for each member switch is 128. The master role is selected by default. You can change the role that is performed by the members by modifying the mastership-priority. See Configuring Mastership of the Virtual Chassis (CLI Procedure) on page 221. We recommend that you specify the same mastership priority value for the desired master and backup members. We have assigned the highest possible mastership priority to two members. However, the member that was powered on first has higher prioritization according to the master election algorithm. See Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 142. We have allowed the other members to use the default mastership priority, which qualifies them to function in the role of linecard.
NOTE: If you want to change the member ID that the master has assigned to a member switch, use the request virtual-chassis renumber command.
Related Topics
Configuring a Virtual Chassis (J-Web Procedure) on page 216 Configuring Mastership of the Virtual Chassis (CLI Procedure) on page 221 Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 223 Monitoring Virtual Chassis Configuration Status and Statistics on page 237
216
the switch. You do not have to configure the interface for the dedicated VCPs. If you want to interconnect member switches that are located in different racks or wiring closets, interconnect them using uplinks configured as VCP interfaces. See Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 223. To configure a Virtual Chassis using the J-Web interface:
1.
NOTE: The Virtual Chassis option is not available for EX 3200 switches. The properties you can configure are displayed . The first section of the Virtual Chassis configuration page displays the Virtual Chassis member configuration. the display includes a list of member switches, their member IDs, and the mastership priority. The second section displays the operational status of the Virtual Chassis configuration, member details, and the dedicated and configured Virtual Chassis ports (VCPs).
3. 4.
2.
Enter information into the page as described in Table 37 on page 217. Click one:
Add To add a member's configuration to the Virtual Chassis configuration, click Add. Edit To modify an existing member's configuration, click Edit. Delete To delete the configuration of a member, click Delete.
5.
To configure an uplink as a VCP, select the member in the Virtual Chassis members list and select Action > Select Uplink Port as VCP. Select the port from the list. To delete an uplink VCP from a member, select the member in the Virtual Chassis members list and select Action > Delete Uplink Port as VCP.
6.
Function
Your Action
Member ID
Specifies the identifier for the member switch. The master switch assigns member IDs. Specifies the mastership priority to be assigned to the member.
Select an identifier from the list. Select an ID from 0 through 9. Select a number from 1 through 255, with 255 being the highest priority (128 is the default). Click to disable management VLAN on the port.
Priority
If you want to reserve an individual member's management Ethernet port for local troubleshooting, you can remove that port from being part of the Virtual Management Ethernet (VME).
217
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Configuring a Virtual Chassis (CLI Procedure) on page 213 Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159 Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 175 Monitoring Virtual Chassis Configuration Status and Statistics on page 237 Virtual Chassis Cabling Configuration Examples for EX 4200 Switches Virtual Chassis Overview on page 135
Adding a New Switch to an Existing Virtual Chassis Configuration Within the Same Wiring Closet on page 218 Adding a New Switch from a Different Wiring Closet to an Existing Virtual Chassis Configuration on page 219
Adding a New Switch to an Existing Virtual Chassis Configuration Within the Same Wiring Closet
Before you begin, be sure you have:
Installed the hardware components. Mounted the new switch in a rack. Confirmed that the new switch is powered off. If you are expanding a preprovisioned configuration, made a note of the serial number (on the back of the switch). You will need to edit the Virtual Chassis configuration to include the serial number of the new member switch. If you are expanding a preprovisioned configuration, edited the existing Virtual Chassis configuration to include the serial number of the new member switch.
218
To add a new member switch to an existing Virtual Chassis configuration within the same wiring closet:
1.
If the new member switch has been previously configured, reverted that switchs configuration to the factory defaults. See Reverting to the Default Factory Configuration for the EX-series Switch. Interconnect the unpowered new switch to at least one member of the existing Virtual Chassis configuration, using the dedicated Virtual Chassis ports (VCPs). Power on the new switch. Confirm that the new member switch is now included within the Virtual Chassis configuration by checking the front-panel display for the member ID. It should display a member ID that is higher than 0 ( 1 through 9), because there is already at least one member of the Virtual Chassis configuration.
2. 3. 4.
NOTE: If you are using a preprovisioned configuration, the member ID is assigned to the members serial number in the configuration file.
Adding a New Switch from a Different Wiring Closet to an Existing Virtual Chassis Configuration
To add a new switch from a different wiring closet to an existing Virtual Chassis configuration, you must use a longer cable to connect the new member switch across wiring closets. An EX-UM-2XFP or EX-UM-4SFP uplink port and fiber optic cable can be used for this purpose. The uplink ports on both sides of the link must be configured as Virtual Chassis port (VCPs). The new member switch in the other wiring closet must first be powered on as a standalone switch in order to configure its uplinks as VCPs. Otherwise, it cannot be recognized as a member switch by the master. Before you begin, be sure you have:
Installed the hardware components. Mounted the new switch in a rack. If the new member switch has been previously configured, reverted to factory defaults. See Reverting to the Default Factory Configuration for the EX-series Switch. If you are expanding a preprovisioned configuration, made a note of the serial number (on the back of the switch). You will need to edit the Virtual Chassis configuration to include the serial number of the new member switch. If you are expanding a preprovisioned configuration, edited the existing Virtual Chassis configuration to include the serial number of the new member switch. You can specify the role of the new member switch when you add its serial number in the Virtual Chassis configuration file. The parameters specified in the master Virtual Chassis configuration file are applied after the new member switch has been interconnected with its uplink VCP.
Adding a New Switch from a Different Wiring Closet to an Existing Virtual Chassis Configuration
219
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Confirmed that the new, currently standalone switch is powered off. Prepared an existing member for interconnecting with the new switch through an uplink port by configuring an uplink port as a VCP on the existing member.
To add a new member switch that is going to be interconnected with the existing Virtual Chassis configuration across wiring closets:
1. 2.
Power on the new switch. Connect a laptop or terminal to the console port of the switch, or use EZ Setup on the standalone switch to specify temporary identification parameters. (When you interconnect the new member switch with the existing Virtual Chassis configuration, the master will overwrite and disable any specified parameters that conflict with the Virtual Chassis parameters or assigned member configuration.) Use the CLI or the J-Web interface to set the uplink ports as VCP interfaces.
3.
NOTE: If you are using a nonprovisioned configuration, you may wish to configure the new member switch with a mastership priority value that is less than that of the existing member switches. Doing so ensures that the new member switch will function in a linecard role when it is included within the Virtual Chassis configuration. Power off the new switch. Interconnect the new member switch to at least one member of the existing Virtual Chassis configuration, using the uplink ports that have been configured as VCPs. Power on the new member switch. Confirm that the new member switch is now included within the Virtual Chassis configuration by checking the front-panel display for the member ID. It should display a member ID that is higher than 0 (1 through 9), because there is already at least one member of the Virtual Chassis configuration.
4. 5.
6. 7.
NOTE: If you are using a preprovisioned configuration, the member-id is assigned to the member's serial number in the configuration file.
Related Topics
Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet on page 164 Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 170 Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 175 Monitoring Virtual Chassis Configuration Status and Statistics on page 237
220
Adding a New Switch from a Different Wiring Closet to an Existing Virtual Chassis Configuration
Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 237 Reverting to the Default Factory Configuration for the EX-series Switch
NOTE: A multimember Virtual Chassis configuration has two Routing Engines, one in the master and the other in the backup. Therefore, we recommend that you always use commit synchronize rather than simply commit to save configuration changes made for a Virtual Chassis. This ensures that the configuration changes are saved in both Routing Engines. This topic describes:
Configuring Mastership Using a Preprovisioned Configuration File on page 221 Configuring Mastership Using a Configuration File That Is Not Preprovisioned on page 222
Note the serial numbers of the switches that you want to function in the master role and backup role. Power on only the switch (SWA-0) that you want to function in the master role. Edit the configuration to specify the preprovisioned configuration mode:
[edit virtual-chassis] user@SWA-0# set preprovisioned
4.
List the serial numbers of the member switches that you want to function as master and backup, specifying their role as routing-engine:
[edit] user@SWA-0# set virtual-chassis member 0 serial-number abc123 role routing-engine user@SWA-0# set virtual-chassis member 2 serial-number def456 role routing-engine
221
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: You cannot directly modify the mastership priority value when you are using a preprovisioned configuration. The mastership priority values are generated automatically and controlled by the role that is assigned to the member switch in the configuration file. The two members assigned the routing-engine role are assigned the same mastership priority value (128). However, the member that was powered on first has higher prioritization according to the master election algorithm. See Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 142. Only two members can be specified with the routing-engine role. List the serial numbers of any other member switches that you want to include in the Virtual Chassis configuration. You may also specify their role as linecard, if desired.
5.
Power on only the switch that you want to function in the master role (SWA-0). Configure the highest possible mastership priority value (255) for the member that you want to function in the master role:
[edit virtual-chassis] user@SWA-0# set member 0 mastership-priority 255
3.
Configure the same mastership priority value (continue to edit the Virtual Chassis configuration on the master) for the member that you want to be the backup (SWA-1):
[edit virtual-chassis] user@SWA-0# set member 1 mastership-priority 255
NOTE: We recommend that the master and backup have the same mastership priority value to prevent the master and backup status from switching back and forth between master and backup members in failover conditions. Use the default mastership priority value (128) for the remaining member switches or configure the mastership priority to a value that is lower than the value specified for members functioning in the master and backup roles. Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 196 Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet on page 164
4.
Related Topics
222
Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member on page 234 Monitoring Virtual Chassis Configuration Status and Statistics on page 237 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Understanding Virtual Chassis Configuration on page 146
NOTE: You can use either a 10-Gbps Ethernet uplink port (EX-UM-2XFP) or a 1-Gbps Ethernet uplink port (EX_UM-4SFP) as a VCP interface. When an uplink port is set as a VCP interface, it cannot be used for any other purpose. The EX-UM-2XP uplink module has two 10-Gbps ports; the EX-UM-4SFP has four 1-Gbps ports. You can set one port as a VCP interface and configure the other port in trunk mode as an uplink to a distribution switch. Before you set an uplink as a VCP:
1. 2.
Install the uplink module (EX-UM-2XFP or EX-UM-4SFP) in the member switches that you want to interconnect. Power on and connect to the switch that you plan to designate as the master of the Virtual Chassis configuration.
NOTE: Do not power on the other switches at this point. Run EZ Setup on the switch that you are configuring to be the master. Follow the prompts to specify the host name and other identification, time zone, and network properties. See Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 or Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60 for details. The properties that you specify for the master apply to the entire Virtual Chassis configuration, including all the member switches that you later interconnect with the master. If you want to configure and manage the Virtual Chassis configuration remotely, specify the VME global management interface. You can configure the VME global management interface when you are setting up the master or you can do it after completing the other configuration steps for the Virtual Chassis. See Configuring
3.
4.
223
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
the Virtual Management Ethernet Interface for Global Management of a Virtual Chassis (CLI Procedure) on page 226.
5.
Configure mastership of the Virtual Chassis using either the nonprovisioned or preprovisioned configuration. See Configuring Mastership of the Virtual Chassis (CLI Procedure) on page 221 for details.
NOTE: A multimember Virtual Chassis configuration has two Routing Engines, one in the master and the other in the backup. Therefore, we recommend that you always use commit synchronize rather than simply commit to save configuration changes made for a Virtual Chassis configuration. This ensures that the configuration changes are saved in both Routing Engines. To interconnect a Virtual Chassis configuration across longer distances, such as wiring closets, you need to:
Prepare the existing Virtual Chassis configuration for interconnecting with a potential member switch that is beyond the reach of a Virtual Chassis cable by setting at least one uplink VCP on an existing member of Virtual Chassis configuration. Prepare the potential member switch for interconnecting with the existing Virtual Chassis configuration by setting at least one uplink VCP on the standalone switch.
NOTE: We recommend that you set two uplink VCPs within each wiring closet for redundancy. This topic describes: 1. Setting an Uplink VCP Between Two Member Switches on page 224 2. Setting an Uplink VCP on a Standalone Switch on page 225
Set one uplink port of member 0 as a VCP interface. You do not need to specify the member member-id option, because the command applies by default on the member where it is executed.
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0
2.
224
This example includes the member member-id option, because it is executed on a different member switch than the local member switch.
Power on the standalone switch. Set one uplink port as a VCP interface. You do not need to specify the member member-id option, because the command applies by default on the member where it is executed.
user@SWA-2> request virtual-chassis vc-port set pic-slot 1 port 0
NOTE: If you do specify the member member-id option, use member ID 0. Because the switch is not yet interconnected with the other members of the Virtual Chassis configuration, its current member ID is 0. Its member ID will change when it is interconnected with the Virtual Chassis configuration. It does not impact the functioning of the uplink VCP that its VCP interface is set with 0 as the member ID. The VCP interface has significance only on the local switch. After you have set the uplink VCP on the standalone switch, physically interconnect its uplink port with the VCP uplink ports of the members in the existing Virtual Chassis configuration. The new member switch reboots and joins the now expanded Virtual Chassis configuration with a different member ID.
3.
4.
NOTE: The setting for the new member switch's uplink VCP remains intact and is not affected by the change of member ID. If you have additional members in the second wiring closet, set a redundant VCP uplink on another member switch by issuing the request virtual-chassis vc-port command. Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 175
5.
Related Topics
225
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 196 Monitoring Virtual Chassis Configuration Status and Statistics on page 237
Configuring the Virtual Management Ethernet Interface for Global Management of a Virtual Chassis (CLI Procedure)
If you want to configure and manage a Virtual Chassis remotely through SSH or Telnet, configure the virtual management Ethernet (VME) interface on the master of the Virtual Chassis. You can configure and manage all members of the Virtual Chassis through this single global interface.
1. 2. 3.
Power on the switch that you want to function as the master. Check the front-panel LCD to confirm that the switch has powered on correctly. Run the EZ Setup program on the switch, specifying the identification parameters. See Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 or Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60 for details.
Related Topics
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159 Understanding Global Management of a Virtual Chassis Configuration on page 143
226
Configuring the Virtual Management Ethernet Interface for Global Management of a Virtual Chassis (CLI Procedure)
Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as Master of Virtual Chassis (CLI Procedure)
When a backup member takes control of a Virtual Chassis configuration because of a reset or other temporary failure, the backup uses the MAC address of the old master. This helps to ensure a smooth transition of mastership with no disruption to network connectivity. The MAC persistence timer is used in situations when the master is no longer a member of the Virtual Chassis configuration, because it has been physically disconnected or removed. If the old master does not rejoin the Virtual Chassis configuration before the timer elapses, the new master starts using its own MAC address. The default timer value is 10 minutes. There are no minimum or maximum limits. Before you begin configuring the timer, ensure that you have at least two member switches in the Virtual Chassis configuration. To configure or modify the MAC persistence timer, use the following command:
[edit virtual-chassis] user@switch# set mac-persistence-timer 30
This command modifies the MAC persistence timer value to specify a timer value of 30 minutes rather than the default timer value of 10 minutes.
Related Topics
Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Understanding Virtual Chassis Components on page 137
Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as Master of Virtual Chassis (CLI Procedure)
227
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
To configure the fast failover feature on all XFP uplink module VCPs in a ring:
[edit] user@switch# set virtual-chassis fast-failover xe
To configure the fast failover feature on all SFP uplink module VCPs in a ring:
[edit] user@switch# set virtual-chassis fast-failover ge
Related Topics
Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When a Virtual Chassis Member Switch or Inter-Member Link Fails on page 207 Disabling Fast Failover in a Virtual Chassis Configuration on page 229 Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 223 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Understanding Fast Failover in a Virtual Chassis Configuration on page 148
228
To disable the fast failover feature on all XFP uplink module VCPs in a ring:
[edit] user@switch# delete virtual-chassis fast-failover xe
To disable the fast failover feature on all SFP uplink module VCPs in a ring:
[edit] user@switch# delete virtual-chassis fast-failover ge
Related Topics
Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When a Virtual Chassis Member Switch or Inter-Member Link Fails on page 207 Configuring Fast Failover in a Virtual Chassis Configuration on page 228 Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 223 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Understanding Fast Failover in a Virtual Chassis Configuration on page 148
Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge (CLI Procedure)
Every Virtual Chassis configuration has a unique ID that is automatically assigned when the Virtual Chassis configuration is formed. You can also explicitly assign a Virtual Chassis ID using the set virtual-chassis id command. When two Virtual Chassis configurations attempt to merge, the Virtual Chassis ID that you assigned takes precedence over the automatically assigned Virtual Chassis IDs and becomes the ID for the newly merged Virtual Chassis configuration. To configure the Virtual Chassis ID:
[edit] user@switch# set virtual-chassis id id
Related Topics
Example: Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge on page 210 Configuring a Virtual Chassis (CLI Procedure) on page 213
229
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configuring a Virtual Chassis (J-Web Procedure) on page 216 Understanding Split and Merge in a Virtual Chassis Configuration on page 154 Understanding Virtual Chassis Configuration on page 146
Related Topics
Example: Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge on page 210 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Understanding Split and Merge in a Virtual Chassis Configuration on page 154 Understanding Virtual Chassis Configuration on page 146
230
Chapter 18
Command Forwarding Usage with a Virtual Chassis Configuration on page 231 Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member on page 234 Verifying That the Virtual Chassis Ports Are Operational on page 235 Monitoring Virtual Chassis Configuration Status and Statistics on page 237 Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 237
231
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 38: Commands That Can be Run on All or Specific Members of the Virtual Chassis Configuration
Commands Available for Command Forwarding request support information Purpose all-members member-member-id
Use this command when you contact JTAC about your component problem. This command is the equivalent of using the following CLI commands:
show version show chassis firmware show chassis hardware show chassis environment show interfaces extensive
show configuration
Set up the hard disk for partitioning. After this command is issued, the hard disk is partitioned the next time the system is rebooted. When the hard disk is partitioned, the contents of /altroot and /altconfig are saved and restored. All other data on the hard disk is at risk of being lost. Reboot JUNOS for EX-series software after a software upgrade and occasionally to recover from an error condition. Back up the currently running and active file system.
Partitions the hard disk on all members of the Virtual Chassis configuration.
Backs up the file systems on all members of the Virtual Chassis configuration. Runs cleanup on all members of the Virtual Chassis configuration.
Free storage space on the switch by rotating log files and proposing a list of files for deletion. User input is required for file deletion. Display users who are viewing the system log.
232
Table 38: Commands That Can be Run on All or Specific Members of the Virtual Chassis Configuration (continued)
Commands Available for Command Forwarding show system alarms Purpose all-members member-member-id
Displays information for all members of the Virtual Chassis configuration. Displays information for all members of the Virtual Chassis configuration. Displays information for all members of the Virtual Chassis configuration.
Display the state and checksum values for file systems. Display initial messages generated by the system kernel upon startup. These messages are the contents of /var/run/dmesg.boot. Display a core file generated by an internal JUNOS process.
Displays information for all members of the Virtual Chassis configuration. Displays information for all members of the Virtual Chassis configuration. Displays information for all members of the Virtual Chassis configuration. Displays information for all members of the Virtual Chassis configuration.
Display information about the backup software that is located in the /altroot and /altconfig file systems. To back up software, use the request system snapshot command. Display the JUNOS extensions loaded on your switch.
Displays information for all members of the Virtual Chassis configuration. Displays information for all members of the Virtual Chassis configuration. Displays information for all members of the Virtual Chassis configuration. Displays information for all members of the Virtual Chassis configuration.
Display statistics about the amount of free disk space in the switch's file systems. Display the current time and information about how long the switch, the switch software, and any existing protocols have been running
233
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 38: Commands That Can be Run on All or Specific Members of the Virtual Chassis Configuration (continued)
Commands Available for Command Forwarding show system users Purpose all-members member-member-id
Shows all users who are currently logged in to any members of the Virtual Chassis configuration. Displays information for all members of the Virtual Chassis configuration.
Shows all users who are currently logged in to the specified member switch.
Display the usage of JUNOS kernel memory, listed first by size of allocation and then by type of usage. Use show system virtual-memory for troubleshooting with JTAC.
Table 39 on page 234 shows a list of commands that are relevant only to the master. Do not use the options all-members or member-member-id with these commands.
Table 39: Commands Relevant Only to the Master
Commands Relevant Only to the Master set date show system buffers Purpose
Set the data and time. Display information about the buffer pool that the Routing Engine uses for local traffic. Local traffic is the routing and management traffic that is exchanged between the Routing Engine and the Packet Forwarding Engine within the switch, as well as the routing and management traffic from IP (that is, from OSPF, BGP, SNMP, ping operations, and so on). Display information about the active IP sockets on the Routing Engine. Use this command to verify which servers are active on a system and which connections are currently in progress. Display information about software processes that are running on the switch and that have controlling terminals.
Related Topics
Monitoring Virtual Chassis Configuration Status and Statistics on page 237 Understanding Virtual Chassis Components on page 137 JUNOS System Basics and Services Command Reference at
http://www.juniper.net/techpubs/software/junos/junos90
Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member
Purpose
You can designate the role that a member performs within a Virtual Chassis configuration or you can allow the role to be assigned by default. You can designate the member ID that is assigned to a specific switch by creating a permanent association between the switchs serial number and a member ID, using a preprovisioned configuration. Or you can let the member ID be assigned by the
234
Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member
master, based on the sequence in which the member switch is powered on and on which member IDs are currently available. The role and member ID of the member switch are displayed on the front-panel LCD. Each member switch can be cabled to one or two other member switches, using either the dedicated Virtual Chassis ports (VCPs) on the rear panel or an uplink port that has been set as a VCP. The members that are cabled together are considered neighbor members.
Action
To display the role and member ID assignments using the CLI, use the show virtual-chassis status command:
user@SWA-0> show virtual-chassis status
Virtual Chassis ID: 0000.e255.00e0 Mastership Priority 255 Neighbor List ID, Interface 1 vcp-0 2 vcp-1 2 vcp-0 0 vcp-1 0 vcp-0 1 vcp-1
Member ID 0 (FPC 0)
Status Prsnt
Serial No abc123
Model
Role Master*
ex4200-48p
1 (FPC 1)
Prsnt
def456
ex4200-24t
255
Backup
2 (FPC 2)
Prsnt
abd231
ex4200-24p
128
Linecard
Meaning
This output verifies that three EX 4200 switches have been interconnected as a Virtual Chassis configuration using their dedicated VCPs . The display shows which of the VCPs is connected to which neighbor. The first port (vcp-0) of member 0 is connected to member 1 and the second port of member 0 (vcp-1) is connected to member 2. The FPC slots for EX-series switches are the same as the member IDs. The Mastership Priority values indicate that the master and backup members have been explicitly configured, because they are not using the default value (128).
Related Topics
Configuring Mastership of the Virtual Chassis (CLI Procedure) on page 221 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet on page 164 Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 170 Monitoring Virtual Chassis Configuration Status and Statistics on page 237
Use the show virtual-chassis vc-port command to display the status of Virtual Chassis ports (VCPs).
235
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: The interfaces for VCPs are not displayed when you issue the show interfaces command.
Action
fpc1: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up 1/0 Configured Up
fpc2: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up 1/0 Configured Up
fpc3: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up 1/0 Configured Up
Meaning
The dedicated VCPs are displayed as vcp-0 and vcp-1. The uplinks set as VCPs are displayed as 1/0. The FPC slots for EX-series switches are the same as the member IDs.
Related Topics
Monitoring Virtual Chassis Status and Statistics Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 175
236
Use the monitoring functionality to view the following information about Virtual Chassis members and ports:
Member details and how members are connected with each other. Traffic statistics between the Virtual Chassis ports of selected members.
Action
To view Virtual Chassis monitoring details in the J-Web interface, select Monitor > Virtual Chassis. To view member details for all members in the CLI, enter the following command:
show virtual-chassis status
To view Virtual Chassis port traffic statistics for a specific member in the CLI, enter the following command:
show virtual-chassis vc-port statistics member member-id
Meaning
In the J-Web interface the top half of the screen displays details of the Virtual Chassis configuration, such as:
In the bottom half of the screen, select a member ID to view input and output rates. Select the interval at which the charts must be refreshed. Click the Stop button to stop fetching values from the switch, and click the Start button to start plotting data again from the point where it was stopped. For details about the output from CLI commands, refer to show virtual-chassis status and show virtual-chassis vc-port statistics.
Related Topics
Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159 Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member on page 234
237
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
the member switch and apply it to a new member switch, or you can free up the member ID and make it available for assignment to a new member switch. To replace a member switch, use the procedure that matches what you need to accomplish:
Remove, Repair, and Reinstall the Same Switch on page 238 Remove a Member Switch, Replace with a Different Switch, and Reapply the Old Configuration on page 238 Remove a Member Switch and Make Its Member ID Available for Reassignment to a Different Switch on page 239
Power off and disconnect the member switch to be repaired. Repair, as necessary. Reconnect and power on the member switch.
Remove a Member Switch, Replace with a Different Switch, and Reapply the Old Configuration
If you are unable to repair a member switch, you can replace it with a different member switch and retain the old configuration. The master stores the configuration of the member that was removed. When you connect a different member switch, the master assigns a new member ID. But the old configuration is still stored under the previous member ID of the previous member switch.
NOTE: If you have used a preprovisioned configuration, use the replace command to change the serial number in the Virtual Chassis configuration file. Substitute the serial number of the replacement member switch (on the back of the switch) for the serial number of the member switch that was removed. Power off and disconnect the member switch to be replaced. If the replacement member switch has been previously configured, revert that switchs configuration to the factory defaults. See Reverting to the Default Factory Configuration for the EX-series Switch. Connect and power on the replacement member switch. Note the member ID displayed on the front panel. Issue the request virtual-chassis renumber command from the Virtual Chassis master to change the member switchs current member ID to the member ID that belonged to the member switch that was removed from the Virtual Chassis configuration).
1. 2.
3. 4. 5.
238
Remove a Member Switch and Make Its Member ID Available for Reassignment to a Different Switch
When you remove a member switch from the Virtual Chassis configuration, the master keeps its member ID on reserve. To make that member switchs member ID available for reassignment, issue the request virtual-chassis recycle command from the Virtual Chassis master.
NOTE: When you add or delete members in a Virtual Chassis configuration, internal routing changes might cause temporary traffic loss for a few seconds.
Related Topics
Monitoring Virtual Chassis Configuration Status and Statistics on page 237 Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure) on page 218
Remove a Member Switch and Make Its Member ID Available for Reassignment to a Different Switch
239
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
240
Remove a Member Switch and Make Its Member ID Available for Reassignment to a Different Switch
Chapter 19
Clear Virtual Chassis NotPrsnt Status and Make Member ID Available for Reassignment on page 241 Load Factory Default Does Not Commit on a Multimember Virtual Chassis on page 241 Member ID Persists When a Member Switch Is Disconnected From a Virtual Chassis on page 241
Clear Virtual Chassis NotPrsnt Status and Make Member ID Available for Reassignment
Problem
You disconnected an EX 4200 from the Virtual Chassis configuration, but the disconnected switchs member ID is still displayed in the status output. You cannot reassign that member ID to another switch. When you disconnect a member of a Virtual Chassis configuration, the master retains the member ID and member configuration in its configuration database. The show virtual-chassis status command continues to display the member ID of the disconnected member with a status of NotPrsnt. If want to permanently disconnect the member switch, you can free up the member ID by using the request virtual-chassis recycle command. This will also clear the status of that member.
Solution
The load factory default command fails on a multimember Virtual Chassis configuration. The load factory default command is not supported on a multimember Virtual Chassis configuration. For information on how to revert to factory default settings, see Reverting to the Default Factory Configuration for the EX-series Switch.
Solution
Gigabit Ethernet interfaces retain their previous slot numbers when a member switch is disconnected from the Virtual Chassis configuration.
241
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Solution
If a switch had been previously connected as a member of a Virtual Chassis configuration, it retains the member ID that it was assigned as a member of that configuration even after it is disconnected and operating as a standalone switch. The interfaces that were configured while the switch was a member of the Virtual Chassis configuration retain the old member ID as the first digit of the interface name. For example, if the switch was previously member 1, its interfaces are named ge-1/0/0 and so on. To change the switchs member ID, so that its member ID is 0, and to rename the switchs interfaces accordingly, enter the following operational-mode commands:
1.
2.
Related Topics
Monitoring Virtual Chassis Configuration Status and Statistics on page 237 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 For more information about the replace command, see JUNOS Software CLI User Guide at http://www.juniper.net/techpubs/software/junos/junos90/
242
Chapter 20
Virtual Chassis Configuration Statement Hierarchy on page 243 Individual Virtual Chassis Configuration Statements on page 244
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159 Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 175 Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 196 Configuring a Virtual Chassis (CLI Procedure) on page 213
243
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configuring a Virtual Chassis (J-Web Procedure) on page 216 Virtual Chassis Overview on page 135
Statement introduced in JUNOS Release 9.3 for EX-series switches. Enable the fast failover feature on all SFP uplink module Virtual Chassis ports (VCPs) or all XFP uplink module VCPs or disable the fast failover feature on all dedicated VCPs in a ring topology. Fast failover is enabled on dedicated VCPs; it is not enabled on uplink module VCPs.
Default Options
geEnable fast failover on all Gigabit Ethernet uplink module VCPs in the ring. vcp disableDisable fast failover on all dedicated VCPs in the ring. xeEnable fast failover on all 10-Gigabit Ethernet uplink module VCPs in the
ring.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When a Virtual Chassis Member Switch or Inter-Member Link Fails on page 207 Configuring Fast Failover in a Virtual Chassis Configuration on page 228 Disabling Fast Failover in a Virtual Chassis Configuration on page 229
244
id
Syntax Hierarchy Level Release Information Description Options
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure the alphanumeric string that identifies a Virtual Chassis configuration.
idID of the Virtual Chassis configuration, which uses the ISO family address formatfor example, 9622.6ac8.5345.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge on page 210 Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge (CLI Procedure) on page 229 Understanding Split and Merge in a Virtual Chassis Configuration on page 154
mac-persistence-timer
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. If the master is physically disconnected or removed from the Virtual Chassis configuration, the MAC persistence timer determines how long the backup (new master) continues to use the address of the old master. When the MAC persistence timer expires, the backup (new master) begins to use its own MAC address. There are no minimum or maximum timer limits.
10 minutes routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as Master of Virtual Chassis (CLI Procedure) on page 227 Understanding Virtual Chassis Components on page 137
id
245
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
mastership-priority
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. The mastership priority value is the most important factor in determining the role of the EX 4200 member switch within the Virtual Chassis configuration. Other factors (see Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 142) also affect the election of the master. The mastership priority value takes the highest precedence in the master election algorithm. The member switch with highest mastership priority becomes the master of the Virtual Chassis configuration. Toggling back and forth between master and backup status in failover conditions is undesirable, so we recommend that you assign the same mastership priority value to both the master and the backup. Secondary factors in the master election algorithm determine which of these two members (that is, the two members that are assigned the highest mastership priority value) functions as the master of the Virtual Chassis configuration.
128
numberMastership priority value.
Range: 1 through 255 routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159 Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 175 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Understanding Virtual Chassis Components on page 137
246
mastership-priority
member
Syntax
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure an EX 4200 switch as a member of a Virtual Chassis configuration. When an EX 4200 is powered on as a standalone switch (not interconnected through its Virtual Chassis ports with other EX 4200 switches), its default member ID is 0.
member-idIdentifies a specific member switch of a Virtual Chassis configuration.
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 196 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Understanding Virtual Chassis Components on page 137
member
247
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
no-management-vlan
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Remove the specified members out-of-band management port from the Virtual Management Ethernet (VME) global management VLAN of the Virtual Chassis configuration. For a member that is functioning in a linecard role, you can use this configuration to reserve the member's management Ethernet port for local troubleshooting:
virtual-chassis { member 2 { no-management-vlan; } }
You cannot configure the IP address for a local management Ethernet port using the CLI or the J-Web interface. To do this, you need to use the shell ifconfig command.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 170 Configuring the Virtual Management Ethernet Interface for Global Management of a Virtual Chassis (CLI Procedure) on page 226 Understanding Global Management of a Virtual Chassis Configuration on page 143
248
no-management-vlan
no-split-detection
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.3 for EX-series switches. Disable the split and merge feature in a Virtual Chassis configuration. The split and merge feature is enabled by default on EX 4200 switches. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge on page 210 Disabling Split and Merge in a Virtual Chassis Configuration (CLI Procedure) on page 230 Assigning the Virtual Chassis ID to Determine Precedence During a Virtual Chassis Merge (CLI Procedure) on page 229 Understanding Split and Merge in a Virtual Chassis Configuration on page 154
no-split-detection
249
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
preprovisioned
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Enable the preprovisioned configuration mode for a Virtual Chassis configuration. When preprovisioned configuration mode is enabled, you cannot use the CLI or the J-Web interface to change the mastership priority or member ID of member switches.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 196 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure) on page 218 Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 237 Understanding Virtual Chassis Configuration on page 146
250
preprovisioned
role
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. In a preprovisioned Virtual Chassis configuration, specify the role to be performed by each EX 4200 member switch. Associate the role permanently with the members serial number.
routing-engineEnables the member eligible to function as a master or backup of
Options
the Virtual Chassis configuration. The master manages all the members of the Virtual Chassis configuration and runs the chassis management processes and control protocols. The backup synchronizes with the master in terms of protocol states, forwarding tables, and so forth, so that it is prepared to preserve routing information and maintain network connectivity without disruption in case the master is unavailable. Specify two and only two members as routing-engine. The software determines which of the two members assigned the routing-engine role functions as master, based on the master election algorithm. See Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 142.
line-cardEnables the member to be eligible to function only in the linecard role.
Any member of the Virtual Chassis configuration other than the master or backup functions in the linecard role and runs only a subset of JUNOS software for EX-series switches. A member functioning in the linecard role does not run the chassis control protocols. A Virtual Chassis configuration must have at least three members in order to include a member that functions in the linecard role. When you use a preprovisioned configuration, you cannot modify the mastership priority or member ID of member switches through the user interfaces. The mastership priority value is generated by the software, based on the assigned role:
A member configured as routing-engine is assigned the mastership priority 129. A member configured as line-card is assigned the mastership priority 0. A member listed in the preprovisioned configuration without an explicitly specified role is assigned the mastership priority 128.
The configured role specifications are permanent. If both routing-engine members should fail, a line-card member cannot take over as master of the Virtual Chassis configuration. You must delete the preprovisioned configuration in order to change the specified roles. It is possible to explicitly configure two members as routing-engine and to configure additional switches as members of the preprovisioned Virtual Chassis by specifying only their serial numbers. If you do not explicitly configure the role
role
251
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
of the additional members, they function in a linecard role by default. In that case, a member that is functioning in a linecard role can take over mastership if the members functioning as master and backup (routing-engine role) both fail.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 196 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure) on page 218 Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 237 Understanding Virtual Chassis Configuration on page 146
serial-number
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. In a preprovisioned Virtual Chassis configuration, specify the serial number of each EX 4200 member switch to be included in the Virtual Chassis configuration. If you do not include the serial number within the Virtual Chassis configuration, the switch cannot be recognized as a member of a preprovisioned configuration.
serial-numberThe switchs permanent serial number, which is located on the back
Options
of the switch.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 196 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure) on page 218 Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 237 Understanding Virtual Chassis Configuration on page 146
252
serial-number
traceoptions
Syntax
traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag ; } [edit virtual-chassis]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Define tracing operations for the Virtual Chassis configuration. Tracing operations are disabled.
file filenameName of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log. file number(Optional) Maximum number of trace files. When a trace file named
trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum xk to specify KB, xm to specify MB, or xg to specify GBnumber of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the sizeoption. Range: 2 through 1000 Default: 3 files
flag flagTracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. You can include the following flags:
allAll tracing operations. csnTrace Virtual Chassis complete sequence number (CSN) packets. errorTrace Virtual Chassis errored packets. helloTrace Virtual Chassis hello packets. krtTrace Virtual Chassis KRT events. lspTrace Virtual Chassis link-state packets. lsp-generationTrace Virtual Chassis link-state packet generation. meTrace Virtual Chassis ME events. packetsTrace Virtual Chassis packets. parseTrace reading of the configuration. routeTrace Virtual Chassis routing information. spfTrace Virtual Chassis SPF events. stateTrace Virtual Chassis state transitions.
traceoptions
253
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
match regex(Optional) Refine the output to include lines that contain the regular
expression.
no-world-readable(Optional) Restricted file access to the user who created the file. size size(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes
(MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the filesoption. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through 1 GB Default: 128 KB
world-readable(Optional) Enable unrestricted file access.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Monitoring Virtual Chassis Configuration Status and Statistics on page 237 Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member on page 234 Verifying That the Virtual Chassis Ports Are Operational on page 235 Troubleshooting a Virtual Chassis Configuration on page 241
254
traceoptions
virtual-chassis
Syntax
virtual-chassis { mac-persistence-timer seconds; preprovisioned; member member-id { mastership-priority number; no-management-vlan; serial-number; role; } traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag ; } } [edit]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure Virtual Chassis information on an EX 4200 switch. The statements are explained separately.
Default
A standalone EX 4200 switch is a Virtual Chassis by default. It has a default member ID of 0, a default mastership priority of 128, and a default role as master. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159 Configuring a Virtual Chassis (CLI Procedure) on page 213 Configuring a Virtual Chassis (J-Web Procedure) on page 216 Understanding Virtual Chassis Components on page 137
virtual-chassis
255
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
256
virtual-chassis
Chapter 21
257
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.0 for EX-series switches. Reset the statistics of all the Virtual Chassis ports for the specified Virtual Chassis member.
interface-name(Optional) Name of the interface to be cleared of its traffic statistics. Specify either vcp-0 or vcp-1 member member-idReset the VCP traffic statistics on the specified member of the
Options
clear
show virtual-chassis vc-port statistics show virtual-chassis vc-port Monitoring Virtual Chassis Configuration Status and Statistics on page 237 Understanding Virtual Chassis Components on page 137
258
Command introduced in JUNOS Release 9.0 for EX-series switches. Starts a session with the specified member of a Virtual Chassis configuration.
member-idSelect the specific member of the Virtual Chassis configuration with
maintenance
259
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.0 for EX-series switches. Make a previously used member ID available for reassignment. When you remove a member switch from the Virtual Chassis configuration, the master reserves that member ID. To make the member ID available for reassignment, you must use this command.
NOTE: You can run this command from the Virtual Chassis master only.
Options
member-id member-idSpecify the member id that you want to make available for
maintenance
request virtual-chassis renumber Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 237
260
Command introduced in JUNOS Release 9.0 for EX-series switches. Renumber a member of a Virtual Chassis configuration.
NOTE: You can run this command from the Virtual Chassis master only.
Options
member-id old-member-idSpecify the ID of the member that you wish to renumber. new-member-id new-member-idSpecify an unassigned member ID (from 0 through
9).
Required Privilege Level Related Topics
maintenance
request virtual-chassis recycle Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 237
261
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
request virtual-chassis vc-port set | delete pic-slot pic-slot port port-number <member member-id>
Command introduced in JUNOS Release 9.0 for EX-series switches. Enable or disable an uplink port (on an EX-UM-2XFP or EX-UM-4SFP uplink module) as a Virtual Chassis port (VCP) interface.
pic-slot pic-slotNumber of the PIC slot for the uplink. Specify 1 to represent the
Options
If you omit member member-id, this command defaults to enabling or disabling the uplink VCP interface on the switch where the command is issued. maintenance
request virtual-chassis vc-port show virtual-chassis vc-port show virtual-chassis vc-port statistics clear virtual-chassis vc-port statistics Understanding Virtual Chassis Components on page 137
request virtual-chassis vc-port set pic-slot 1 port 0 on page 262 request virtual-chassis vc-port set pic-slot 1 port 1 member 3 on page 262 request virtual-chassis vc-port delete pic-slot 1 port 1 member 3 on page 262
user@host>request virtual-chassis vc-port set pic-slot 1 port 0
request virtual-chassis vc-port set pic-slot 1 port 0 request virtual-chassis vc-port set pic-slot 1 port 1 member 3 request virtual-chassis vc-port delete pic-slot 1 port 1 member 3
To check the results of this command, use the show virtual-chassis vc-port command.
user@host>request virtual-chassis vc-port set pic-slot 1 port 1 member 3
To check the results of this command, use the show virtual-chassis vc-port command.
user@host>request virtual-chassis vc-port delete pic-slot 1 port 1 member 3
To check the results of this command, use the show virtual-chassis vc-port command.
262
Command introduced in JUNOS Release 9.0 for EX-series switches. Disable or enable a Virtual Chassis port (VCP) interface for a dedicated VCP on the rear panel of the Virtual Chassis.
interface vcp-interface-name Name of the interface to enable or disable. Specify either vcp-0 or vcp-1. member member-id (Optional) Enable or disable the specified VCP interface on the
Options
If you omit member member-id, this command defaults to disabling or enabling the dedicated VCP interface on the switch where the command is issued. The dedicated VCP interfaces are enabled in the factory default configuration. maintenance
request virtual-chassis vc-port show virtual-chassis vc-port show virtual-chassis vc-port statistics clear virtual-chassis vc-port statistics Understanding Virtual Chassis Components on page 137
List of Sample Output request virtual-chassis vc-port set interface vcp-0 disable request virtual-chassis vc-port set interface vcp-0 member 3 disable
request virtual-chassis vc-port set interface vcp-0 disable on page 263 request virtual-chassis vc-port set interface vcp-0 member 3 disable on page 263
user@host> request virtual-chassis vc-port set interface vcp-0 disable
To check the results of this command, use the show virtual-chassis vc-port command.
user@host> request virtual-chassis vc-port set interface vcp-0 member 3 disable
To check the results of this command, use the show virtual-chassis vc-port command.
263
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Options introduced in JUNOS Release 9.0 for EX-series switches. Display the current time and information about how long the Virtual Chassis, Virtual Chassis software, and routing protocols have been running.
all-membersDisplay the current time and information about how long the Virtual
Options
Chassis, Virtual Chassis software, and routing protocols have been running for all the member switches of the Virtual Chassis configuration.
member member-idDisplay the current time and information about how long the
Virtual Chassis, Virtual Chassis software, and routing protocols have been running for the specific member of the Virtual Chassis configuration.
Required Privilege Level Related Topics
view
virtual-chassis Monitoring System Properties on page 107 For more information about show system uptime, see the JUNOS Software System Basics Services and Command Reference at http://www.juniper.net/techpubs/software/junos/junos91/index.html.
show system uptime member 0 on page 265 Table 40 on page 264 lists the output fields for the show system uptime command. Output fields are listed in the approximate order in which they appear.
Field Description Current system time in UTC. Date and time when the switch was last booted and how long it has been running. Date and time when the routing protocols were last started and how long they have been running. Date and time when a configuration was last committed. Also shows the name of the user who issued the last commit command. Current time, in the local time zone, and how long the switch has been operational. Number of users logged into the switch.
Level of Output
Protocols started
Last configured
Time and up
Users
264
Field Description Load averages for the last 1 minute, 5 minutes, and 15 minutes.
Level of Output
user@host>show system uptime member 0 fpc0: -----------------------------------------------------------------------Current time: 2008-02-06 05:24:20 UTC System booted: 2008-01-31 08:26:54 UTC (5d 20:57 ago) Protocols started: 2008-01-31 08:27:56 UTC (5d 20:56 ago) Last configured: 2008-02-05 03:26:43 UTC (1d 01:57 ago) by root 5:24AM up 5 days, 20:57, 1 user, load averages: 0.14, 0.06, 0.01
265
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.0 for EX-series switches. Display the active topology of the Virtual Chassis configuration with reachability information.
noneDisplay the active topology of the member switch where the command is
Options
issued.
all-membersDisplay the active topology of all members of the Virtual Chassis
configuration.
member member-idDisplay the active topology of a specified member of the Virtual
Chassis configuration.
Required Privilege Level Related Topics
view
Monitoring Virtual Chassis Configuration Status and Statistics on page 237 Understanding Virtual Chassis Configuration on page 146
show virtual-chassis active-topology on page 266 Table 41 on page 266 lists the output fields for the show virtual-chassis active-topology command. Output fields are listed in the approximate order in which they appear.
Field Description Specifies the member ID of the destination. Specifies the member ID and VCP of the next-hop to which packets for the destination ID are forwarded.
1(vcp-1)
1(vcp-1)
266
1(vcp-1)
8(vcp-0)
1(vcp-1)
8(vcp-0)
8(vcp-0)
8(vcp-0)
267
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.3 for EX-series switches. Display information about the fast failover feature in a Virtual Chassis configuration. view
Example: Configuring Fast Failover on Uplink Module VCPs to Reroute Traffic When a Virtual Chassis Member Switch or Inter-Member Link Fails on page 207 Configuring Fast Failover in a Virtual Chassis Configuration on page 228 Disabling Fast Failover in a Virtual Chassis Configuration on page 229 Understanding Fast Failover in a Virtual Chassis Configuration on page 148
show virtual-chassis fast-failover on page 268 Table 42 on page 1306 lists the output fields for the show virtual-chassis fast-failover command. Output fields are listed in the approximate order in which they appear.
show virtual-chassis fast-failover on dedicated VCP ports: Enabled on XE uplink VCP ports: Disabled on GE uplink VCP ports: Enabled
268
Command introduced in JUNOS Release 9.0 for EX-series switches. Display information about all the members of the Virtual Chassis configuration.
noneDisplay all information for all member switches of the Virtual Chassis
configuration.
Required Privilege Level Related Topics
view
Monitoring Virtual Chassis Configuration Status and Statistics on page 237 Understanding Virtual Chassis Configuration on page 146
Output Fields
Table 42 on page 1306 lists the output fields for the show virtual-chassis command. Output fields are listed in the approximate order in which they appear.
Field Description Assigned ID that applies to the entire Virtual Chassis configuration. Assigned member ID and FPC slot (from 0 through 9). For a nonprovisioned configuration:
configuration
NotPrsnt for a member ID that has been assigned but is not currently
Serial number of the member switch. Model number of the member switch. Mastership priority value of the member switch. Role of the member switch. Member ID of the neighbor member to which this members VCP interface is connected.
269
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@SWA-0> show virtual-chassis status Virtual Chassis ID: 0019.e250.47a0 Member ID 0 (FPC 0) 1 (FPC 1) 2 (FPC 2) 3 (FPC 3) 4 (FPC 4) 5 (FPC 5) 6 (FPC 6) 7 (FPC 7) 8 (FPC 8) Status Prsnt Prsnt Prsnt Prsnt Prsnt Prsnt Prsnt Prsnt Prsnt Mastership Serial No Model priority AK0207360276 ex4200-24t 249 AK0207360281 ex4200-24t AJ0207391130 ex4200-48p AK0207360280 ex4200-24t AJ0207391113 ex4200-48p BP0207452204 ex4200-48t BP0207452222 ex4200-48t BR0207432028 ex4200-24f BR0207431996 ex4200-24f 248 247 246 245 244 243 242 241 Role Master* Backup Linecard Linecard Linecard Linecard Linecard Linecard Linecard Neighbor List ID Interface 8 vcp-0 1 vcp-1 0 vcp-0 2 vcp-1 1 vcp-0 3 vcp-1 2 vcp-0 4 vcp-1 3 vcp-0 5 vcp-1 4 vcp-0 6 vcp-1 5 vcp-0 7 vcp-1 6 vcp-0 8 vcp-1 7 vcp-0 0 vcp-1
270
Command introduced in JUNOS Release 9.0 for EX-series switches. Display the status of the Virtual Chassis ports (VCPs), including both the dedicated VCPs and the uplinks set as VCPs.
noneDisplay the operational status of all the Virtual Chassis ports of the member
Options
view
show virtual-chassis vc-port statistics clear virtual-chassis vc-port statistics Monitoring Virtual Chassis Configuration Status and Statistics on page 237 Understanding Virtual Chassis Configuration on page 146
show virtual-chassis vc-port on page 272 show virtual-chassis vc-port all-members on page 272 Table 44 on page 271 lists the output fields for the show virtual-chassis vc-port command. Output fields are listed in the approximate order in which they appear.
Field Description The fpc number is the same as the member ID. VCP interface name. Unlike network interfaces, a VCP interface name does not include a slot number (member ID).
The dedicated VCP interfaces are vcp-0 and vcp-1. The uplink ports set as a VCP interfaces are named 1/0 and 1/1, representing the PIC number and port number.
Type
Type of VCP:
dedicated (on the rear panel) configured (uplink port configured as a VCP)
Status
271
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@SWA-0> show virtual-chassis vc-port Interface or PIC / Port vcp-0 vcp-1 1/0 1/1 Type Status
Up Up Down Up
user@SWA-0> show virtual-chassis vc-port all-members fpc0: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up 1/0 Configured Down 1/1 Configured Up fpc1: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc2: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc3: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc4: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc5: Interface or PIC / Port Type Status
272
vcp-0 vcp-1
Dedicated Dedicated
Up Up
fpc6: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc7: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up fpc8: -------------------------------------------------------------------------Interface Type Status or PIC / Port vcp-0 Dedicated Up vcp-1 Dedicated Up
273
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.0 for EX-series switches. Display the traffic statistics of the Virtual Chassis ports for the selected Virtual Chassis member.
member member-idDisplay the traffic statistics for the Virtual Chassis ports of the
Options
view
clear virtual-chassis vc-port statistics show virtual-chassis vc-port Monitoring Virtual Chassis Configuration Status and Statistics on page 237
show virtual-chassis vc-port statistics member 0 on page 274 Table 45 on page 274 lists the output fields for the show virtual-chassis vc-port statistics command. Output fields are listed in the approximate order in which they appear.
user@SWA-0>show virtual-chassis vc-port statistics member 0 Member ID: 0 Port: internal-0/24 RX TX Total octets: 0 0 Total packets: 0 0
Member ID: 0
TX 0 0
Member ID: 0
TX 0 0
274
Member ID: 0
TX 0 0
Port: vcp-1 RX 0 0 TX 0 0
275
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
276
Part 7
Interfaces
Understanding Interfaces on page 279 Examples of Configuring Interfaces on page 291 Configuring Interfaces on page 317 Verifying Interfaces on page 329 Troubleshooting Interfaces on page 337 Configuration Statements for Interfaces on page 345 Operational Mode Commands for Interfaces on page 367
Interfaces
277
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
278
Interfaces
Chapter 22
Understanding Interfaces
EX-series Switches Interfaces Overview on page 279 Understanding Interface Naming Conventions on EX-series Switches on page 281 Understanding Aggregated Ethernet Interfaces and LACP on page 283 Understanding Layer 3 Subinterfaces on page 285 Understanding Unicast RPF for EX-series Switches on page 285
Network Interfaces
Network interfaces connect to the network and carry network traffic. EX-series switches support the following types of network interfaces:
LAN access interfacesEX-series switches provide either 24 or 48 network ports, depending on the switch model. These ports can be used to connect a personal computer, laptop, file server, or printer to the network. When you power on an EX-series switch and use the factory-default configuration, the software automatically configures interfaces in access mode for each of the network ports. The default configuration also enables auto-negotiation for both speed and for link mode. Trunk interfacesEX-series access switches can be connected to a distribution switch or customer edge (CE) router. To use a port for this type of connection, you must explicitly configure the port interface for trunk mode. The interfaces from the distribution switch to the access switches should also be configured for trunk mode. Power over Ethernet (PoE) interfaces EX-series switches provide PoE network ports with the various switch models providing either 8, 24, or 48 PoE ports. These ports can be used to connect VoIP telephones, wireless access points, video cameras, and point-of-sale devices to safely receive power from the same
279
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
access ports that are used to connect personal computers to the network. PoE interfaces are enabled by default in the factory configuration.
Aggregated Ethernet interfacesEX 3200 and EX 4200 switches allow you to group Ethernet interfaces at the physical layer to form a single link layer interface, also known as a link aggregation group (LAG) or bundle. These aggregated Ethernet interfaces help to balance traffic and increase the uplink bandwidth.
Special Interfaces
Special interfaces include:
Virtual chassis port (VCP) interfacesEach EX 4200 switch has two dedicated virtual chassis ports (VCPs) on its rear panel. These ports can be used to interconnect two to ten EX 4200 switches as a virtual chassis, which functions as a single network entity. See Understanding the High-Speed Interconnection of the Virtual Chassis Members on page 145. When you power on EX-series switches that are interconnected in this manner, the software automatically configures the VCP interfaces for the dedicated ports that have been interconnected. These VCP interfaces, which are called vcp-0 and vcp-1, are not configurable or modifiable. It is also possible to interconnect EX 4200 switches across wider distances (up to 40 km) by using the EX-UM-2XFP uplink module ports. To use an EX-UM-2XFP uplink module port as a virtual chassis port, you must explicitly set the uplink VCP interface using the request virtual-chassis vc-port command. Management interfaceThe JUNOS software for EX-series switches automatically creates the switch's management Ethernet interface, me0. The management Ethernet interface provides an out-of-band method for connecting to the switch. To use me0 as a management port, you must configure its logical port, me0.0, with a valid IP address. You can connect to the management interface over the network using utilities such as ssh and telnet. Simple Network Management Protocol (SNMP) can use the management interface to gather statistics from the switch. (The management interface me0 is analogous to the fxp0 interfaces on JUNOS routers.) Virtual Management Ethernet (VME) interfaceOn EX 4200 series switches, there is a VME interface. This is a logical interface that is used for virtual chassis configurations and allows you to manage all the members of the virtual chassis through the master. For more information on VME, see Understanding Global Management of a Virtual Chassis Configuration on page 143. Console portEach EX-series switch has a serial port, labeled console, for connecting tty-type terminals to the switch using standard PC-type tty cables. The console port does not have a physical address or IP address associated with it. However, it is an interface in the sense that it provide access to the switch. On EX 4200 switches that are configured as a virtual chassis, you can access the master and configure all members of the virtual chassis through any member's console port. For more information on the console port in a virtual chassis, see Understanding Global Management of a Virtual Chassis Configuration on page 143. LoopbackA software-only virtual interface that is always up. This interface provides a stable and consistent interface and IP address on the switch.
280
Related Topics
EX 3200 and EX 4200 Switches Hardware Overview on page 21 PoE and EX-series Switches Overview on page 1229 Understanding Interface Naming Conventions on EX-series Switches on page 281 Understanding Aggregated Ethernet Interfaces and LACP on page 283 Understanding Layer 3 Subinterfaces on page 285 Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 184 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 190
Physical Part of an Interface Name on page 281 Logical Part of an Interface Name on page 282 Wildcard Characters in Interface Names on page 283
geGigabit Ethernet interface xe10 Gigabit Ethernet interface (These are the ports on the EX-UM-2XFP
uplink module.)
slot number/member-idEX-series interfaces use the following slot numbers (equivalent to member ID):
EX 3200 switches have only one FPC slot for the network ports. It is slot number 0. An individual, standalone EX 4200 switch has only one FPC slot number. It is slot number 0.
281
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
If an EX 4200 switch is interconnected with other switches in a virtual chassis, each individual switch that is included as a member of the virtual chassis is identified with a member ID. The member ID functions as an FPC slot number. When you are configuring interfaces for a virtual chassis, you specify the appropriate member ID 0 through 9 as the slot of the interface name.
Use the number 0 to specify the PIC for any network port on the switch itself. If you are configuring a port on an uplink module, use the number 1 as the PIC.
port numberEX-series interfaces use the following port numbers: The network ports are on the front panel of the switch and are labeled from left to right starting with 0 followed by the remaining even numbered ports in the top row and 1 followed by the remaining odd numbered ports in the bottom row. (On the partial PoE switches, port numbers 0 through 7 have a label that is a different color from the labels on the remaining ports to indicate that these first eight ports are PoE ports.)
Figure 20 on page 282 shows the network ports on a 24port EX-series switch.
Figure 20: Network Ports on the 24Port EX-series Switch
Figure 21 on page 282 shows the network ports on a 48port EX-series switch.
Figure 21: Network Ports on the 48-Port EX-series Switch
282
with a default VLAN, the resulting display shows the logical interfaces associated with the VLAN:
Interface ge-0/0/0.0 ge-0/0/1.0 ge-0/0/10.0 State down down down VLAN members remote-analyzer default default Blocking unblocked unblocked unblocked
When you configure aggregated Ethernet interfaces, you configure a logical interface that is called a bundle or a LAG. Each LAG can include up to eight Ethernet interfaces.
Link Aggregation Group (LAG) on page 283 Link Aggregation Control Protocol (LACP) on page 284
Up to 8 Ethernet ports can be created in each bundle. Up to 64 LAGs are supported in a virtual chassis configuration. LAG must be configured on both sides of the link. The ports on either side of the link must be set to the same speed.
283
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: The interfaces that are included within a bundle or LAG are sometimes referred to as member interfaces. Do not confused this term with member switches, which refers to EX 4200 switches that are interconnected as a virtual chassis. It is possible to create a LAG that is composed of member interfaces that are located in different member switches of a virtual chassis. A typical deployment for LAG would be to aggregate trunk links between an access switch and a distribution switch or customer edge (CE) router. LAG is not supported on virtual chassis port links. LAG can only be used for a point-to-point connection.
When LACP is not enabled, a local LAG might attempt to transmit packets to a remote single interface, which causes the communication to fail. When LACP is enabled, a local LAG cannot transmit packets unless a LAG with LACP is also configured on the remote end of the link.
By default, Ethernet links do not exchange protocol data units (PDUs), which contain information about the state of the link. You can configure Ethernet links to actively transmit PDUs, or you can configure the links to passively transmit them, sending out LACP PDUs only when they receive them from another link. The transmitting link is known as the actor and the receiving link is known as the partner.
Related Topics
Understanding Virtual Chassis Configurations and Link Aggregation on page 146 Understanding Redundant Trunk Links on EX-series Switches on page 401 Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 184 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 190 JUNOS Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
284
EX-series Switches Interfaces Overview on page 279 Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch on page 303 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
Unicast RPF for EX-series Switches Overview on page 286 Unicast RPF Implementation for EX-series Switches on page 286 When to Enable Unicast RPF on page 287
285
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
When Not to Enable Unicast RPF on page 289 ECMP Traffic Handling with Unicast RPF Enabled on page 289
Global Unicast RPF Implementation on page 286 Unicast RPF Packet Filtering on page 287 Bootstrap Protocol (BOOTP) and DHCP Requests on page 287 Default Route Handling on page 287
When you enable unicast RPF on any interface, it is automatically enabled on all switch interfaces, including link aggregation groups (LAGs) and routed VLAN interfaces (RVIs). When you disable unicast RPF on the interface (or interfaces) on which you enabled unicast RPF, it is automatically disabled on all switch interfaces.
286
NOTE: You must explicitly disable unicast RPF on every interface on which it was explicitly enabled or unicast RPF remains enabled on all switch interfaces.
If the switch receives a packet on the interface that is the best return path to the unicast source address of that packet, the switch forwards the packet. If the best return path from the switch to the packet's unicast source address is not the receiving interface, the switch discards the packet. If the switch receives a packet that has a source IP address that does not have a routing entry in the forwarding table, the switch discards the packet.
287
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Enabling unicast RPF on asymmetrically routed interfaces (where different interfaces receive a packet and reply to its source) results in packets from legitimate sources being filtered (discarded) because the best return path is not the same interface that received the packet. The following switch interfaces are most likely to be symmetrically routed and thus are candidates for unicast RPF enabling:
The service provider edge to a customer The customer edge to a service provider A single access point out of the network (usually on the network perimeter) A terminal network that has only one link
NOTE: Because unicast RPF is enabled globally on the switch, ensure that all interfaces are symmetrically routed before you enable unicast RPF. Enabling unicast RPF on asymmetrically routed interfaces results in packets from legitimate sources being filtered.
TIP: Enabling unicast RPF as close as possible to the traffic source stops spoofed traffic before it can proliferate or reach interfaces that do not have unicast RPF enabled.
TIP: It is best to enable unicast RPF explicitly on either all interfaces or only one interface:
Enabling unicast RPF explicitly on only one interface makes it easier if you choose to disable it in the future because you must explicitly disable unicast RPF on every interface on which you explicitly enabled it. If you explicitly enable unicast RPF on two interfaces and you disable it on only one interface, unicast RPF is still globally enabled on the switch. The drawback to this approach is that the switch displays unicast RPF status as enabled only on interfaces on which unicast RPF is explicitly enabled, so even though unicast RPF is enabled on all interfaces, its status does not display as enabled on all interfaces. Enabling unicast RPF explicitly on all interfaces makes it easier to know if unicast RPF is enabled on the switch because every interface shows the correct status. (Only interfaces on which you explicitly enable unicast RPF display unicast RPF
288
as enabled.) The drawback to this approach is that if you want to disable unicast RPF, you must explicitly disable it on every interface. If unicast RPF is enabled on any interface, it is enabled on all interfaces.
Switch interfaces are multihomed. Switch interfaces are trusted interfaces. BGP is carrying prefixes and some of those prefixes are not advertised or are not accepted by the ISP under its policy. (The effect in this case is the same as filtering an interface by using an incomplete access list.) Switch interfaces face the network core. Core-facing interfaces are usually asymmetrically routed.
An asymmetrically routed interface uses different paths to send and receive packets between the source and the destination, as shown in Figure 23 on page 289. This means that if an interface receives a packet, that interface does not match the forwarding table entry as the best return path back to the source. If the receiving interface is not the best return path to the source of a packet, unicast RPF causes the switch to discard the packet even though it comes from a valid source.
Figure 23: Asymmetrically Routed Interfaces
NOTE: Do not enable unicast RPF if any switch interfaces are asymmetrically routed because unicast RPF is enabled globally on all interfaces. All switch interfaces must be symmetrically routed for you to enable unicast RPF without the risk of the switch's discarding traffic that you want to forward.
289
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
you want to forward because the unicast RPF filter does not examine the entire ECMP address block.
Related Topics
Example: Configuring Unicast RPF on an EX-series Switch on page 311 Configuring Unicast RPF (CLI Procedure) on page 326 Disabling Unicast RPF (CLI Procedure) on page 327
290
Chapter 23
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 291 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 297 Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch on page 303 Example: Configuring Unicast RPF on an EX-series Switch on page 311
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
EX-series switches allow you to combine one to eight Ethernet links into one logical interface for higher bandwidth and redundancy. The ports that are combined in this manner are referred to as a link aggregation group (LAG) or bundle. This example describes how to configure uplink LAGs to connect a virtual chassis access switch to a virtual chassis distribution switch:
Requirements on page 291 Overview and Topology on page 292 Configuration on page 294 Verification on page 296 Troubleshooting on page 297
Requirements
This example uses the following software and hardware components:
JUNOS Release 9.0 or later for EX-series switches Two EX-series 4200-48P switches Two EX-series 4200-24F switches Four EX-UM-2XFP uplink modules
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
291
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configured the virtual chassis switches. See Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159. Configured the uplink ports on the switches as trunk ports. See Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321.
Link Aggregation Control Protocol (LACP) can optionally be configured for link negotiation. It doubles the speed of each uplink from 10 Gbps to 20 Gbps. If one physical port is lost for any reason (a cable is unplugged or a switch port fails, or one member switch is unavailable), the logical port transparently continues to function over the remaining physical port.
The topology used in this example consists of one virtual chassis access switch and one virtual chassis distribution switch. The access switch is composed of two EX 4200-48P switches (SWA-0 and SWA-1), interconnected to each other with their virtual chassis ports (VCPs) as member switches of Host-A. The distribution switch is composed of two EX 4200-24F switches (SWD-0 and SWD-1), interconnected with their VCPs as member switches of Host-D. Each member of the access switch has an uplink module installed. Each uplink module has two ports. The uplinks are configured to act as trunk ports, connecting the access switch with the distribution switch. One uplink port from SWA-0 and one uplink port from SWA-1 are combined as a LAG ae0 to SWD-0. This link is used for one VLAN. If the remote end is a security device LACP may not be supported since security devices demand a deterministic configuration. In this case do not configure LACP. All links in the LAG will be permanently up unless a link failure within the Ethernet physical or the data link layers has been detected. The remaining uplink ports from SWA-0 and from SWA-1 are combined as a second LAG connection (ae1) to SWD-1. LAG ae1, which is used for another VLAN.
292
Figure 24: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual Chassis Distribution Switch
Table 35 on page 293 details the topology used in this configuration example.
Table 46: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis Distribution Switch
Switch Hostname and VCID Base Hardware Uplink Module Member ID Trunk Port xe-0/1/0 to SWD-0 xe-0/1/1 to SWD-1
SWA-0
EX 4200-48P switch
SWA-1
EX 4200-48P switch
293
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 46: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis Distribution Switch (continued)
SWD-0 Host-D Distribution switch VCID 4 SWD-1 Host-D Distribution switch VCID 4 EX-series EX 4200 L-24F switch One EX-UM-2XFP uplink module 1
xe-1/1/0 to SWA-0 xe-1/1/1 to SWA-1
Configuration
To configure two uplink LAGs from the virtual chassis access switch to the virtual chassis distribution switch:
CLI Quick Configuration
To quickly configure aggregated Ethernet high-speed uplinks between a virtual chassis access switch and a virtual chassis distribution switch, copy the following commands and paste them into the switch terminal window:
[edit] set chassis aggregated-devices ethernet device-count 2 set interfaces ae0 aggregated-ether-options minimum-links 2 set interfaces ae0 aggregated-ether-options link-speed 10g set interfaces ae1 aggregated-ether-options minimum-links 2 set interfaces ae1 aggregated-ether-options link-speed 10g set interfaces ae0 unit 0 family inet address 192.0.2.0/25 set interfaces ae1 unit 1 family inet address 192.0.2.128/25 set interfaces xe-0/1/0 ether-options 802.ad ae0 set interfaces xe-1/1/0 ether-options 802.ad ae0 set interfaces xe-0/1/1 ether-options 802.ad ae1 set interfaces xe-1/1/1 ether-options 802.ad ae1
Step-by-Step Procedure
To configure aggregated Ethernet high-speed uplinks between a virtual chassis access switch and a virtual chassis distribution switch:
1.
2.
Specify the number of links that need to be present for the ae0 LAG interface to be up:
[edit interfaces] user@Host-A# set ae0 aggregated-ether-options minimum-links 2
3.
Specify the number of links that need to be present for the ae1 LAG interface to be up:
[edit interfaces] user@Host-A# set ae1 aggregated-ether-options minimum-links 2
294
Configuration
4.
5.
6.
7.
8.
Specify that LAG ae0 belongs to the subnet for the employee broadcast domain:
[edit interfaces] user@Host-A# set ae0 unit 0 family inet address 192.0.2.0/25
9.
Specify that LAG ae1 belongs to the subnet for the guest broadcast domain:
[edit interfaces] user@Host-A# set ae1 unit 1 family inet address 192.0.2.128/25
Results
Configuration
295
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
} } } ae1 { aggregated-ether-options { link-speed 10g; minimum-links 2; } unit 0 { family inet { address 192.0.2.128/25; } } xe0/1/0 { ether-options { 802.ad ae0; } } xe1/1/0 { ether-options { 802.ad ae0; } } xe0/1/1 { ether-options { 802.ad ae1; } } xe1/1/1 { ether-options { 802.ad ae1; } } }
Verification
To verify that switching is operational and two LAGs have been created, perform these tasks:
Verifying That LAG ae0 Has Been Created on page 296 Verifying That LAG ae1 Has Been Created on page 297
inet
10.10.10.2/24
296
Verification
Meaning
The output confirms that the ae0 link is up and shows the family and IP address assigned to this link.
Meaning
Troubleshooting
Troubleshooting a LAG That Is Down
Problem Solution
The show interfaces terse command shows that the LAG is down: Check the following:
Verify that there is no configuration mismatch. Verify that all member ports are up. Verify that a LAG is part of family ethernet switching (Layer 2 LAG) or family inet (Layer 3 LAG). Verify that the LAG member is connected to the correct LAG at the other end. Verify that the LAG members belong to the same switch (or the same virtual chassis). Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 190 Example: Connecting an Access Switch to a Distribution Switch on page 422. Virtual Chassis Cabling Configuration Examples for EX 4200 Switches Installing an Uplink Module in an EX 3200 or EX 4200 Switch
Related Topics
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
EX-series switches allow you to combine one to eight Ethernet links into one logical interface for higher bandwidth and redundancy. The ports that are combined in this manner are referred to as a link aggregation group (LAG) or bundle. EX-series switches
297
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
allow you to further enhance these links by configuring Link Aggregation Control Protocol (LACP). This example describes how to overlay LACP on the LAG configurations that were created in Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 184:
Requirements on page 298 Overview and Topology on page 298 Configuring LACP for the LAGs on the Virtual Chassis Access Switch on page 299 Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch on page 299 Verification on page 300 Troubleshooting on page 301
Requirements
This example uses the following software and hardware components:
JUNOS Release 9.0 or later for EX-series switches Two EX-series 4200-48P switches Two EX-series 4200-24F switches Four EX-series EX-UM-2XFP uplink modules
Installed your EX-series switches. Set up the virtual chassis switches. See Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 159. Configured the uplink ports on the switches as trunk ports. See Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321. Configured the LAGs. See Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 184
298
Requirements
NOTE: If the actor and partner are both in passive mode, they do not exchange LACP packets, which results in the aggregated Ethernet links not coming up. By default, LACP is in passive mode. To initiate transmission of LACP packets and responses to LACP packets, you must enable LACP in active mode. By default, the actor and partner send LACP packets every second. You can configure the interval at which the interfaces send LACP packets by including the periodic statement at the [edit interfaces interface-name aggregated-ether-options lacp] hierarchy level. The interval can be fast (every second) or slow (every 30 seconds).
Configuring LACP for the LAGs on the Virtual Chassis Access Switch
To configure LACP for the access switch LAGs, perform these tasks:
To quickly configure LACP for the access switch LAGs, copy the following commands and paste them into the switch terminal window:
set interfaces ae0 aggregated-ether-options lacp active periodic fast set interfaces ae1 aggregated-ether-options lacp active periodic fast
Step-by-Step Procedure
Results
Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch
To configure LACP for the two uplink LAGs from the virtual chassis access switch to the virtual chassis distribution switch, perform these tasks:
To quickly configure LACP for the distribution switch LAGs, copy the following commands and paste them into the switch terminal window:
Configuring LACP for the LAGs on the Virtual Chassis Access Switch
299
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
[edit interfaces] set ae0 aggregated-ether-options lacp passive periodic fast set ae1 aggregated-ether-options lacp passive periodic fast
Step-by-Step Procedure
Results
Verification
To verify that LACP packets are being exchanged, perform these tasks:
Verifying the LACP Settings on page 300 Verifying That the LACP Packets Are Being Exchanged on page 301
To verify that the LACP has been set up correctly. Use the show lacp interfaces interface-name command to check that LACP has been enabled as active on one end.
show lacp interfaces xe-0/1/0 show lacp interfaces xe-0/1/0 Aggregated interface: ae0 LACP state: xe-0/1/0 xe-0/1/0 LACP protocol: xe-0/1/0 Role Actor Partner Exp No No Def Yes Yes Dist No No Col No No Syn No No Aggr Yes Yes Timeout Fast Fast Activity Active Passive
300
Verification
Meaning
The output indicates that the LACP has been set up correctly and is active at one end.
To verify that LACP packets are being exchanged. Use the show interfaces lag-name statisticscommand to display LACP information.
show interfaces ae0 statistics Physical interface: ae0, Enabled, Physical link is Down Interface index: 153, SNMP ifIndex: 30 Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1, Minimum bandwidth needed: 0 Device flags : Present Running Interface flags: Hardware-Down SNMP-Traps Internal: 0x0 Current address: 02:19:e2:50:45:e0, Hardware address: 02:19:e2:50:45:e0 Last flapped : Never Statistics last cleared: Never Input packets : 0 Output packets: 0 Input errors: 0, Output errors: 0 Logical interface ae0.0 (Index 71) (SNMP ifIndex 34) Flags: Hardware-Down Device-Down SNMP-Traps Encapsulation: ENET2 Statistics Packets pps Bytes bps Bundle: Input : 0 0 0 0 Output: 0 0 0 0 Protocol inet, MTU: 1500 Flags: None Addresses, Flags: Dest-route-down Is-Preferred Is-Primary Destination: 10.10.10/24, Local: 10.10.10.1, Broadcast: 10.10.10.255
Meaning
The output here shows that the link is down and that no PDUs are being exchanged.
Troubleshooting
These are some tips for troubleshooting:
Remove the LACP configuration and verify whether the static LAG is up. Verify that LACP is configured at both ends. Verify that LACP is not passive at both ends. Verify whether LACP protocol data units are being exchanged by running the monitor traffic-interface lag-member detail command.
301
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Example: Connecting an Access Switch to a Distribution Switch on page 422 Virtual Chassis Cabling Configuration Examples for EX 4200 Switches Installing an Uplink Module in an EX 3200 or EX 4200 Switch
302
Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch
In a large LAN, you commonly need to partition the network into multiple VLANs. You can configure Layer 3 subinterfaces to route traffic between the VLANs. In one common topology, known as a router on a stick or a one-armed router, you connect a router to an access switch with connections to multiple VLANs. This example describes how to create Layer 3 subinterfaces on trunk interfaces of a distribution switch and access switch so that you can route traffic among multiple VLANs:
Requirements on page 303 Overview and Topology on page 303 Configuring the Access Switch Subinterfaces on page 304 Configuring the Distribution Switch Subinterfaces on page 306 Verification on page 309
Requirements
This example uses the following hardware and software components:
For the distribution switch, one EX 4200-24F switch. This model is designed to be used as a distribution switch for aggregation or collapsed core network topologies and in space-constrained data centers. It has twenty-four 1-Gigabit Ethernet fiber SFP ports and an EX-UM-2XFP uplink module with two 10-Gigabit Ethernet XFP ports. For the access switch, any Layer 2 switch that supports 802.1Q VLAN tags. JUNOS Release 9.2 or later for EX-series switches.
Connected the two switches. Configured the necessary VLANs. See Configuring VLANs for EX-series Switches (CLI Procedure) on page 467 or Configuring VLANs for EX-series Switches (J-Web Procedure) on page 465.
Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch
303
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 47 on page 304 lists the settings for the example topology.
Table 47: Components of the Topology for Creating Layer 3 Subinterfaces on an Access Switch and a Distribution Switch
Property Settings
Any Layer 2 switch with multiple 1-Gigabit Ethernet ports and at least one 1-Gigabit Ethernet uplink module EX 4200-24F, 24 1-Gigabit Ethernet fiber SPF ports (ge-0/0/0 through ge-0/0/23); one 2-port 10-Gigabit Ethernet XFP uplink module (EX-UM-4SFP) vlan1, tag 101 vlan2, tag 102 vlan3, tag 103 vlan4, tag 104 vlan5, tag 105
VLAN subnets
vlan1: 1.1.1.0/24 (addresses 1.1.1.1 through 1.1.1.254) vlan2: 2.1.1.0/24 (addresses 2.1.1.1 through 2.1.1.254) vlan3: 3.1.1.0/24 (addresses 3.1.1.1 through 3.1.1.254) vlan4: 4.1.1.0/24 (addresses 4.1.1.1 through 4.1.1.254) vlan5: 5.1.1.0/24 (addresses 5.1.1.1 through 5.1.1.254)
Port interfaces
To quickly create and configure subinterfaces on the access switch, copy the following commands and paste them into the switch terminal window:
[edit] set interfaces set interfaces set interfaces set interfaces set interfaces set interfaces
vlan-tagging unit 0 vlan-id unit 1 vlan-id unit 2 vlan-id unit 3 vlan-id unit 4 vlan-id
304
Step-by-Step Procedure
Step-by-Step Procedure
2.
3.
4.
5.
6.
7.
8.
9.
10.
Step-by-Step Procedure
305
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
11.
Results
To quickly create and configure subinterfaces on the distribution switch, copy the following commands and paste them into the switch terminal window:
306
[edit] set interfaces set interfaces set interfaces set interfaces set interfaces set interfaces
vlan-tagging unit 0 vlan-id unit 1 vlan-id unit 2 vlan-id unit 3 vlan-id unit 4 vlan-id
Step-by-Step Procedure
2.
3.
4.
5.
6.
7.
8.
9.
307
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
[edit interfaces ge-0/0/0] user@distribution-switch# set unit 3 family inet address 4.1.1.2/24
10.
11.
Results
user@distribution-switch> show configuration interfaces { ge-0/0/0 { vlan-tagging; unit 0 { vlan-id 101; family inet { address 1.1.1.2/24; } } unit 1 { vlan-id 102; family inet { address 2.1.1.2/24; } } unit 2 { vlan-id 103; family inet { address 3.1.1.2/24; } } unit 3 { vlan-id 104; family inet { address 4.1.1.2/24; } } unit 4 { vlan-id 105; family inet { address 5.1.1.2/24; } } }
308
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That Subinterfaces Were Created on page 309 Verifying That Traffic Passes Between VLANs on page 309
Verify that the subinterfaces were properly created on the access switch and distribution switch.
1.
Action
2.
Meaning
Each subinterface created is displayed as a ge-chassis/slot/port.x logical interface, where x is the unit number in the configuration. The status is listed as up, indicating the link is working.
Verify that the distribution switch is correctly routing traffic from one VLAN to another.
Verification
309
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Action
Ping from the access switch to the distribution switch on each subinterface.
1.
From the access switch, ping the address of the vlan1 subinterface on the distribution switch:
user@access-switch> ping 1.1.1.2 count 4 PING 1.1.1.2 (1.1.1.2): 56 data bytes 64 bytes from 1.1.1.2: icmp_seq=0 ttl=64 64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 64 bytes from 1.1.1.2: icmp_seq=3 ttl=64
ms ms ms ms
--- 1.1.1.2 ping statistics --4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.112/0.179/0.333/0.091 ms
2.
From the access switch, ping the address of the vlan2 subinterface on the distribution switch:
user@access-switch> ping 2.1.1.2 count 4 PING 2.1.1.2 (2.1.1.2): 56 data bytes 64 bytes from 2.1.1.2: icmp_seq=0 ttl=64 64 bytes from 2.1.1.2: icmp_seq=1 ttl=64 64 bytes from 2.1.1.2: icmp_seq=2 ttl=64 64 bytes from 2.1.1.2: icmp_seq=3 ttl=64
ms ms ms ms
--- 2.1.1.2 ping statistics --4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.113/0.171/0.241/0.046 ms
3.
From the access switch, ping the address of the vlan3 subinterface on the distribution switch:
user@access-switch> ping 3.1.1.2 count 4 PING 3.1.1.2 (3.1.1.2): 56 data bytes 64 bytes from 3.1.1.2: icmp_seq=0 ttl=64 64 bytes from 3.1.1.2: icmp_seq=1 ttl=64 64 bytes from 3.1.1.2: icmp_seq=2 ttl=64 64 bytes from 3.1.1.2: icmp_seq=3 ttl=64
ms ms ms ms
--- 3.1.1.2 ping statistics --4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.112/0.206/0.341/0.085 ms
4.
From the access switch, ping the address of the vlan4 subinterface on the distribution switch:
user@access-switch> ping 4.1.1.2 count 4 PING 4.1.1.2 (4.1.1.2): 56 data bytes 64 bytes from 4.1.1.2: icmp_seq=0 ttl=64 64 bytes from 4.1.1.2: icmp_seq=1 ttl=64 64 bytes from 4.1.1.2: icmp_seq=2 ttl=64 64 bytes from 4.1.1.2: icmp_seq=3 ttl=64
ms ms ms ms
310
--- 4.1.1.2 ping statistics --4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.107/0.180/0.226/0.048 ms
5.
From the access switch, ping the address of the vlan5 subinterface on the distribution switch:
user@access-switch> ping 5.1.1.2 count 4 PING 5.1.1.2 (5.1.1.2): 56 data bytes 64 bytes from 5.1.1.2: icmp_seq=0 ttl=64 64 bytes from 5.1.1.2: icmp_seq=1 ttl=64 64 bytes from 5.1.1.2: icmp_seq=2 ttl=64 64 bytes from 5.1.1.2: icmp_seq=3 ttl=64
ms ms ms ms
--- 5.1.1.2 ping statistics --4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.102/0.150/0.224/0.051 ms
Meaning
If all the ping packets are transmitted and are received by the destination address, the subinterfaces are up and working.
Related Topics
Example: Connecting an Access Switch to a Distribution Switch on page 422 Configuring a Layer 3 Subinterface (CLI Procedure)
Requirements on page 311 Overview and Topology on page 312 Configuration on page 312 Verification on page 313
Requirements
This example uses the following software and hardware components:
JUNOS Release 9.3 or later for EX-series switches Two EX 3200 switches
311
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Before you configure unicast RPF, make sure that all of the switch interfaces are symmetrically routed (the switch uses the same path in both directions between the source and the destination).
Switch A is on the edge of an enterprise network. The interface ge-1/0/10 on Switch A connects to the interface ge-1/0/5 on Switch B. Switch B is on the edge of the service provider network that connects the enterprise network to the Internet.
Configuration
To enable unicast RPF globally on all Switch A interfaces:
CLI Quick Configuration
To quickly configure unicast RPF on a switch to help prevent DoS/DDoS attacks, copy the following command and paste it into the switch terminal window:
[edit interfaces] set ge-1/0/10 unit 0 family inet rpf-check
312
Step-by-Step Procedure
Results
Verification
To confirm that the configuration is correct, perform these tasks:
Verify that unicast RPF is enabled. Verify that unicast RPF is enabled on interface ge-1/0/10 by using the show interfaces ge-1/0/10 extensive or show interfaces ge-1/0/10 detail command.
user@switch> show interfaces ge-1/0/10 extensive Physical interface: ge-1/0/10, Enabled, Physical link is Down Interface index: 139, SNMP ifIndex: 58, Generation: 140 Link-level type: Ethernet, MTU: 1514, Speed: Auto, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Interface flags: Hardware-Down SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:19:e2:50:95:ab, Hardware address: 00:19:e2:50:95:ab Last flapped : Never Statistics last cleared: Never Traffic statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps IPv6 transit statistics: Input bytes : 0 Output bytes : 0
Action
Verification
313
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Input packets: 0 Output packets: 0 Input errors: Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0 Output errors: Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0 Egress queues: 8 supported, 4 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort 1 assured-forw 5 expedited-fo 7 network-cont 0 0 0 0 0 0 0 0 0 0 0 0
Active alarms : LINK Active defects : LINK MAC statistics: Receive Total octets 0 Total packets 0 Unicast packets 0 Broadcast packets 0 Multicast packets 0 CRC/Align errors 0 FIFO errors 0 MAC control frames 0 MAC pause frames 0 Oversized frames 0 Jabber frames 0 Fragment frames 0 VLAN tagged frames 0 Code violations 0 Filter statistics: Input packet count 0 Input packet rejects 0 Input DA rejects 0 Input SA rejects 0 Output packet count Output packet pad count Output packet error count CAM destination filters: 0, CAM source filters: 0 Autonegotiation information: Negotiation status: Incomplete Packet Forwarding Engine configuration: Destination slot: 1
Transmit 0 0 0 0 0 0 0 0 0
0 0 0
Logical interface ge-1/0/10.0 (Index 69) (SNMP ifIndex 59) (Generation 135) Flags: Device-Down SNMP-Traps 0x0 Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 IPv6 transit statistics: Input bytes : 0
314
Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Protocol inet, MTU: 1500, Generation: 144, Route table: 0 Flags: uRPF Addresses, Flags: Is-Preferred Is-Primary
Meaning
The second-to-last line of the display shows the unicast RPF flag enabled. This confirms that unicast RPF is enabled on interface ge-1/0/10 and thereby on all switch interfaces. Only the interface on which you configured unicast RPF shows the correct unicast RPF configuration status. If you check the unicast RPF status on an interface on which you did not explicitly configure it, the unicast RPF flag is not displayed, even though unicast RPF is implicitly enabled.
Related Topics
Configuring Unicast RPF (CLI Procedure) on page 326 Disabling Unicast RPF (CLI Procedure) on page 327
315
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
316
Chapter 24
Configuring Interfaces
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321 Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 323 Configuring Link Aggregation (J-Web Procedure) on page 324 Configuring Aggregated Ethernet LACP (CLI Procedure) on page 325 Configuring Unicast RPF (CLI Procedure) on page 326 Disabling Unicast RPF (CLI Procedure) on page 327
Select the Interfaces option from the Configure menu. Select the option Ports. The page lists all the Gigabit Ethernet and 10Gigabit Ethernet interfaces and their link status. When you select a particular interface, the interface details are displayed. The properties you can configure on the interface are displayed.
3.
Configure the interface by selecting options in the Edit menu. See Table 48 on page 318 for details on the options. You can select multiple interfaces and modify their settings.
NOTE: When you select multiple interfaces at the same time, you cannot modify the IP address and enable or disable the administrative status of the selected interfaces. Click Enable Port/Disable Port to enable or disable the administrative status on the selected port.
4.
317
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Function
Your Action
Port Role
Specifies the role assigned to the port. NOTE: Once a port role is configured on the interface, you cannot specify VLAN options and IP options. Depending on the profile selected, the corresponding configuration is applied:
DefaultThe default configuration is applied. Desktop Select an existing VLAN configuration or a new VLAN configuration to be associated with the port.
DefaultInterface family is set to ethernet-switching, port mode is set to access, and RSTP protocol is enabled if redundant trunk groups are not configured. DesktopInterface family is set to ethernet-switching, port mode is set to access, RSTP is enabled with the edge and point-to-point options if the interfaces are not part of any redundant trunk groups, and port security parameters (MAC limit =1; dynamic ARP Inspection and DHCP snooping enabled) are set. Desktop and PhoneInterface family is set to ethernet-switching, port mode is set to access, port security parameters (MAC limit =1; dynamic ARP Inspection, DHCP snooping enabled) are set, and recommended CoS parameters are specified for forwarding classes, schedulers, and classifiers. See Table 49 on page 320 for more information. Wireless Access PointInterface family is set to ethernet-switching, port mode is set to access, RSTP is enabled with the edge and point-to-point options if the interfaces are not part of any redundant trunk groups. Routed UplinkPort family is set to inet, and recommended CoS parameters are set for schedulers and classifiers. See Table 49 on page 320 for more information. Layer 2 UplinkInterface family is set to ethernet-switching, port mode is set to trunk, RSTP is enabled with the edge and point-to-point options if the interfaces are not part of any redundant trunk groups, and port security is set to dhcp-trusted.
Desktop and Phone Select an existing VLAN configuration or a new VLAN configuration to be associated with the port. You can also select an existing VoIP VLAN configuration or a new VoIP VLAN configuration to be associated with the port.
Wireless Access Point Select an existing VLAN configuration or a new VLAN configuration to be associated with the port. For a new VLAN, VLAN ID is a mandatory options.
Layer 2 Uplink For this port role you can associate a native VLAN. To create a redundant trunk group, specify the group name and select the secondary interface.
Select the option and click OK. NOTE: Refer to Port Role Configuration with the J-Web InterfaceCLI Reference on page 338 for the CLI command reference.
318
Function
Your Action
Port Mode
1. 2. 3.
Click Add to add a VLAN member. Select the VLAN and click OK. (Optional) Associate a native VLAN with the interface.
1. 2.
Select the VLAN member to be associated with the interface. (Optional) Associate a VoIP VLAN with the interface. Only a VLAN with a VLAN ID can be associated as a VoIP VLAN. Click OK.
3.
Link Options
MTU (bytes)
Type a value from 256 through 9216 bytes. The default MTU for Gigabit Ethernet interfaces is 1514. Select one of the following values: 10 Mbps, 100 Mbps, 1000 Mbps, or 10 Gbps. Select one: automatic, half-duplex, or full-duplex. Enter a brief description for the link.
Speed
Duplex
Description
Describes the link. NOTE: If the port is part of an aggregate, only the option Description is enabled.
Select the check box to enable autonegotiation, or clear the check box to disable it. By default, autonegotiation is enabled. Select the check box to enable flow control to regulate the amount of traffic sent out of the interface, or clear the check box to disable flow control and permit unrestricted traffic. Flow control is disabled by default.
IP Options
319
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1. 2. 3.
Click the check box to enable IP settings Type an IP address, for example:
10.10.10.10
Enter the subnet mask or address prefix. For example, 24 bits represents 255.255.255.0. Click OK.
4.
voiceQueue number is set to 7. expedited-forwardingQueue number is set to 5. assured-forwardingQueue number is set to 1. best-effortQueue number is set to 0.
Schedulers
Strict-priorityTransmission rate is set to 10 percent, buffer size to 5 percent, and priority to strict-high Expedited-schedulerTransmission rate is set to 30 percent, buffer size to 30 percent , and priority is set to low. Assured-schedulerTransmission rate is set to 25 percent, buffer size to 25 percent, and priority is set to low. Best-effort schedulerTransmission-rate is set to 35 percent, buffer size to 40 percent, and priority is set to low.
Scheduler maps
When a desktop and phone, routed uplink, or Layer 2 uplink roles are applied on interfaces, the forwarding classes and schedulers are mapped using the scheduler map. Imports the default ieee-802.1 classifier configuration, and sets loss-priority to low for the code point 101 for the voice forwarding class. Imports the default dscp classifier configuration, and sets loss-priority to low for the code points 101110 for the voice forwarding class.
ieee-802.1 classifier
dscp classifier
Related Topics
Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321 EX-series Switches Interfaces Overview on page 279 Monitoring Interface Status and Traffic on page 329
320
Enables all the network interfaces on the switch Sets a default port mode (access) Sets default link settings Specifies a logical unit (unit 0) and assigns it to family ethernet-switching Specifies Spanning Tree Protocol (STP) and Link Layer Discovery Protocol (LLDP)
Configuring VLAN Options and Port Mode on page 321 Configuring the Link Settings on page 321 Configuring the IP Options on page 322
All the Gigabit Ethernet interfaces are set to auto-negotiation. The speed for Gigabit Ethernet interfaces is set to auto, allowing the interface to operate at 10m, 100m or 1g. The link operates at the highest possible speed, depending on the capabilities of the remote end.
321
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The flow control for Gigabit Ethernet interfaces and 10-Gigabit Ethernet interfaces is set to enabled. The link mode is set to auto, allowing the interface to operate as either full duplex or half duplex. The link operates as full duplex unless this mode is not supported at the remote end. The 10-Gigabit Ethernet interfaces (for the EX-UM-2XFP uplink module) default to no auto-negotiation. The default speed is 10g and the default link mode is full duplex.
NOTE: An uplink module in an EX-series switch is always PIC 1. The 10-Gigabit Ethernet interface is available only with the EX-UM-2XFP uplink module.
802.3adSpecify an aggregated Ethernet bundle. See Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 323. auto-negotiationEnable or disable auto-negotation of flow control, link mode, and speed. flow-controlEnable or disable flow control. link-modeSpecify full-duplex, half-duplex, or automatic. speedSpecify 10m, 100m, 1g, or autonegotiation.
Related Topics
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 Monitoring Interface Status and Traffic on page 329
322
show interfaces show interfaces Understanding Interface Naming Conventions on EX-series Switches on page 281
NOTE: An interface with an already configured IP address cannot form part of the aggregation group. To configure aggregated Ethernet interfaces, using the CLI:
1.
device-count
2.
Specify the minimum number of links for the aggregated Ethernet interface (aex), that is, the defined bundle, to be labeled up:
NOTE: By default only one link must be up for the bundle to be labeled up.
aggregated-ether-options
minimum-links 2
3.
4.
5.
323
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
For information about adding LACP to a LAG, see Configuring Aggregated Ethernet LACP (CLI Procedure) on page 325.
Related Topics
Configuring Link Aggregation (J-Web Procedure) on page 324 Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 184 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 190 Verifying the Status of a LAG Interface on page 330 Understanding Aggregated Ethernet Interfaces and LACP on page 283
NOTE: Interfaces that are already configured with MTU, speed, duplex, auto-negotiation, flow-control, and logical interfaces are not available for aggregation. To configure link aggregation:
1.
From the Configure menu, select Interfaces > Link Aggregation. The Aggregated Interfaces list is displayed.
2.
Click one:
Add a description for the aggregation. Click >> or << to move interfaces between the Available Interfaces and Member Interfaces columns. Click Activate Aggregated Link to activate the link.
Edit > Edit AggregationModifies an existing aggregation. Edit > VLAN OptionsSpecifies VLAN options for the aggregation. See
DeleteDeletes an aggregation. Enable Port/Disable Port Enables or disables the administrative status on
324
1. 2. 3.
Click Add to add a VLAN member. Select the VLAN and click OK. (Optional) Associate a native VLAN with the port.
1. 2.
Select the VLAN member to be associated with the port. (Optional) Associate a VoIP VLAN with the interface. Only a VLAN with a VLAN ID can be associated as a VoIP VLAN. Click OK.
3. Related Topics
Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 323 Verifying the Status of a LAG Interface on page 330 Understanding Aggregated Ethernet Interfaces and LACP on page 283 Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 184 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 190
Configured the aggregated ethernet bundles. See Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 323
When LACP is enabled, the local and remote sides of the aggregated Ethernet links exchange protocol data units (PDUs), containing information about the state of the link. You can configure Ethernet links to actively transmit PDUs, or you can configure the links to passively transmit them, sending out LACP PDUs only when they receive them from another link. One side of the link must be configured as active in order for the link to be up.
325
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
To configure LACP:
1.
From the [edit interfaces interface-name aggregated-ether-options] hierarchy level, enable one side of the link as active:
NOTE: Do not add LACP to a LAG if the remote side is a security device unless the security device supports LACP. Security devices often do not support LACP since they require a deterministic configuration.
Related Topics
Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 323 Configuring Link Aggregation (J-Web Procedure) on page 324 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 190 Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 184 Verifying the Status of a LAG Interface on page 330 Understanding Aggregated Ethernet Interfaces and LACP on page 283
NOTE: On EX-series switches, you can only enable unicast RPF globally, on all switch interfaces. You cannot enable unicast RPF on a per-interface basis. Before you begin:
326
Ensure that all switch interfaces are symmetrically routed before you enable unicast RPF on an interface. A symmetrically routed interface is an interface that uses the same route in both directions between the source and the destination. When you enable unicast RPF on any interface, it is enabled globally on all switch interfaces. Do not enable unicast RPF on asymmetrically routed interfaces. An asymmetrically routed interface uses different paths to send and receive packets between the source and the destination.
To enable unicast RPF globally on all switch interfaces, you only need to configure it explicitly on one interface. However, you can configure it explicitly on every interface or only on some interfaces. Regardless of how many interfaces on which you explicitly enable unicast RPF, unicast RPF is implicitly enabled globally after you explicitly configure it on one interface. We recommend that you enable unicast RPF explicitly on either all interfaces or only one interface, but that you do not enable it on only some interfaces:
Enabling unicast RPF explicitly on only one interface makes it easier if you choose to disable it in the future because you must explicitly disable unicast RPF on every interface on which you explicitly enabled it. If you explicitly enable unicast RPF on two interfaces and you disable it on only one interface, unicast RPF is still implicitly enabled globally on the switch. The drawback to this approach is that the switch displays unicast RPF status as enabled only on interfaces on which unicast RPF is explicitly enabled, so even though unicast RPF is enabled on all interfaces, its status does not display as enabled on all interfaces. Enabling unicast RPF explicitly on all interfaces makes it easier to know if unicast RPF is enabled on the switch because every interface shows the correct status. (Only interfaces on which you explicitly enable unicast RPF display unicast RPF as enabled.) The drawback to this approach is that if you want to disable unicast RPF, you must explicitly disable it on every interface. If unicast RPF is enabled on any interface, it is implicitly enabled on all interfaces.
To enable unicast RPF to filter incoming traffic on all switch interfaces by enabling it on one interface: [edit interfaces] user@switch# set ge-1/0/10 unit 0 family inet rpf-check
Related Topics
Example: Configuring Unicast RPF on an EX-series Switch on page 311 Verifying Unicast RPF Status on page 332 Disabling Unicast RPF (CLI Procedure) on page 327 Troubleshooting Unicast RPF on page 343 Understanding Unicast RPF for EX-series Switches on page 285
327
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
incoming interface as the best return path back to the source. If the network configuration changes so that an interface that has unicast RPF enabled becomes a trusted interface or becomes asymmetrically routed (the interface that receives a packet is not the best return path to the packets source), you should disable unicast RPF. To disable unicast RPF on an EX-series switch, you must delete it from every interface on which you explicitly configured it. If you attempt to delete unicast RPF from an interface on which it was not explicitly enabled, the message warning: statement not found displays. If you do not disable unicast RPF on every interface on which you explicitly enabled it, unicast RPF remains implicitly enabled on all switch interfaces. To disable unicast RPF on all switch interfaces, explicitly disable unicast RPF on every interface on which it was explicitly enabled: [edit interfaces] user@switch# delete ge-1/0/10 unit 0 family inet rpf-check
Related Topics
Example: Configuring Unicast RPF on an EX-series Switch on page 311 Verifying Unicast RPF Status on page 332 Configuring Unicast RPF (CLI Procedure) on page 326 Understanding Unicast RPF for EX-series Switches on page 285
328
Chapter 25
Verifying Interfaces
Monitoring Interface Status and Traffic on page 329 Verifying the Status of a LAG Interface on page 330 Verifying That LACP Is Configured Correctly and Bundle Members Are Exchanging LACP Protocol Packets on page 330 Verifying That Layer 3 Subinterfaces Are Working on page 332 Verifying Unicast RPF Status on page 332
Use the monitoring functionality to view interface status or to monitor interface bandwidth utilization and traffic statistics on the EX-series switch. The J-Web interface monitors interface bandwidth utilization and plots real-time charts to display input and output rates in bytes per second. In addition, the Interface monitoring page displays input and output error counters in the form of charts. Alternatively, you can enter the show commands in the CLI to view interface status and traffic statistics.
Action
To view general interface information in the J-Web interface such as available interfaces, select Monitor>Interfaces. You can click any interface to view details about its status. Using the CLI:
To view interface status for all the interfaces, enter show interfaces . To view status and statistics for a specific interface, enter show interfaces interface-name . To view status and traffic statistics for all interfaces, enter either show interfaces detail or show interfaces extensive.
Meaning
Bar chartsDisplay the input and output error counters. Pie chartsDisplay the number of broadcast, unicast, and multicast packet counters.
To clear the statistics in the J-Web Interface monitoring page, click Clear Statistics.
329
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
For details about output from the CLI commands, see show interfaces (Gigabit Ethernet) or show interfaces (10-Gigabit Ethernet).
Related Topics
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321
ae0 ae0.0
up up
up up inet 10.10.10.2/24
Meaning
The output confirms that the ae0 link is up and shows the family and IP address assigned to this link.
Related Topics
Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 323 Configuring Link Aggregation (J-Web Procedure) on page 324 Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 184
Verifying That LACP Is Configured Correctly and Bundle Members Are Exchanging LACP Protocol Packets
To verify that LACP has been set up correctly and that the bundle members are transmitting LACP protocol packets. 1. Verifying the LACP Setup on page 330 2. Verifying That the LACP Packets Are Being Exchanged on page 331
Verify that the LACP has been set up correctly. Use the show lacp interfaces interface-name command to check that LACP has been enabled as active on one end.
show lacp interfaces xe-0/1/0 show lacp interfaces xe-0/1/0
330
Aggregated interface: ae0 LACP state: xe-0/1/0 xe-0/1/0 LACP protocol: xe-0/1/0 Role Actor Partner Exp No No Def Yes Yes Dist No No Col No No Syn No No Aggr Yes Yes Timeout Fast Fast Activity Active Passive
Meaning
This example shows that LACP has been configured with one side as active and the other as passive. When LACP is enabled, one side must be set as active in order for the bundled link to be up.
Verify that LACP packets are being exchanged between interfaces. Use the show interfaces aex statistics command to display LACP BPDU exchange information.
show interfaces ae0 statistics Physical interface: ae0, Enabled, Physical link is Down Interface index: 153, SNMP ifIndex: 30 Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1, Minimum bandwidth needed: 0 Device flags : Present Running Interface flags: Hardware-Down SNMP-Traps Internal: 0x0 Current address: 02:19:e2:50:45:e0, Hardware address: 02:19:e2:50:45:e0 Last flapped : Never Statistics last cleared: Never Input packets : 0 Output packets: 0 Input errors: 0, Output errors: 0 Logical interface ae0.0 (Index 71) (SNMP ifIndex 34) Flags: Hardware-Down Device-Down SNMP-Traps Encapsulation: ENET2 Statistics Packets pps Bytes bps Bundle: Input : 0 0 0 0 Output: 0 0 0 0 Protocol inet, MTU: 1500 Flags: None Addresses, Flags: Dest-route-down Is-Preferred Is-Primary Destination: 10.10.10/24, Local: 10.10.10.1, Broadcast: 10.10.10.255
Meaning
The output here shows that the link is down and that no PDUs are being exchanged (when there is no other traffic flowing on the link).
331
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Configuring Aggregated Ethernet LACP (CLI Procedure) on page 325 Verifying the Status of a LAG Interface on page 330 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 190
After configuring Layer 3 subinterfaces, verify they are set up properly and transmitting data.
1.
Action
Use the show interfaces command to determine if you successfully created the subinterfaces and the links are up:
user@switch> show interfaces ge-chassis/slot/port terse Interface ge-0/0/0 ge-0/0/0.0 ge-0/0/0.1 ge-0/0/0.2 ge-0/0/0.3 ge-0/0/0.4 ge-0/0/0.32767 Admin up up up up up up up Link up up up up up up up Proto inet inet inet inet inet Local 1.1.1.1/24 2.1.1.1/24 3.1.1.1/24 4.1.1.1/24 5.1.1.1/24 Remote
2.
Use the ping command from a device on one subnet to an address on another subnet to determine if packets were transmitted correctly on the subinterface VLANs:
user@switch> ping ip-address PING 1.1.1.1 (1.1.1.1): 56 data bytes 64 bytes from 1.1.1.1: icmp_seq=0 ttl=64 time=0.157 ms 64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.238 ms 64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.255 ms 64 bytes from 1.1.1.1: icmp_seq=3 ttl=64 time=0.128 ms --- 1.1.1.1 ping statistics --4 packets transmitted, 4 packets received, 0% packet loss
The output confirms that the subinterfaces are created and the links are up.
Configuring a Layer 3 Subinterface (CLI Procedure) Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch on page 303
Verify that unicast reverse-path forwarding (RPF) is enabled and is working on the interface.
332
Action
Use either the show interfaces extensive command or the show interfaces detail command to verify that unicast RPF is enabled and working on the switch. The example below displays output from the show interfaces extensive command.
user@switch> show interfaces ge-1/0/10 extensive Physical interface: ge-1/0/10, Enabled, Physical link is Down Interface index: 139, SNMP ifIndex: 58, Generation: 140 Link-level type: Ethernet, MTU: 1514, Speed: Auto, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Interface flags: Hardware-Down SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:19:e2:50:95:ab, Hardware address: 00:19:e2:50:95:ab Last flapped : Never Statistics last cleared: Never Traffic statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Input errors: Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0 Output errors: Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0 Egress queues: 8 supported, 4 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort 1 assured-forw 5 expedited-fo 7 network-cont Active alarms : LINK Active defects : LINK MAC statistics: Total octets Total packets Unicast packets Broadcast packets Multicast packets CRC/Align errors FIFO errors MAC control frames MAC pause frames Oversized frames 0 0 0 0 0 0 0 0 0 0 0 0
Receive 0 0 0 0 0 0 0 0 0 0
Transmit 0 0 0 0 0 0 0 0 0
333
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Jabber frames 0 Fragment frames 0 VLAN tagged frames 0 Code violations 0 Filter statistics: Input packet count 0 Input packet rejects 0 Input DA rejects 0 Input SA rejects 0 Output packet count Output packet pad count Output packet error count CAM destination filters: 0, CAM source filters: 0 Autonegotiation information: Negotiation status: Incomplete Packet Forwarding Engine configuration: Destination slot: 1
0 0 0
Logical interface ge-1/0/10.0 (Index 69) (SNMP ifIndex 59) (Generation 135) Flags: Device-Down SNMP-Traps 0x0 Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps IPv6 transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Protocol inet, MTU: 1500, Generation: 144, Route table: 0 Flags: uRPF Addresses, Flags: Is-Preferred Is-Primary
Meaning
The show interfaces ge-1/0/10 extensive command (and the show interfaces ge-1/0/10 detail command) displays in-depth information about the interface. The Flags: output field near the bottom of the display reports the unicast RPF status. If unicast RPF has not been enabled, the uRPF flag does not display.
334
NOTE: The unicast RPF status displays as enabled only on interfaces for which you have explicitly configured unicast RPF. When you enable unicast RPF on one interface, it is automatically enabled on all switch interfaces including LAGs and RVIs. However, the uRPF flag does not display on interfaces for which you have not explicitly configured unicast RPF even though unicast RPF is implicitly enabled on those interfaces.
Related Topics
show interfaces (for 10 Gigabit Ethernet interfaces) Example: Configuring Unicast RPF on an EX-series Switch on page 311 Configuring Unicast RPF (CLI Procedure) on page 326 Disabling Unicast RPF (CLI Procedure) on page 327 Troubleshooting Unicast RPF on page 343
335
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
336
Chapter 26
Troubleshooting Interfaces
Troubleshooting an Aggregated Ethernet Interface on page 337 Troubleshooting Disabled or Down Interfaces on page 337 Port Role Configuration with the J-Web InterfaceCLI Reference on page 338 Troubleshooting Interface Configuration and Cable Faults on page 343 Troubleshooting Unicast RPF on page 343
The show interfaces terse command shows that the LAG is down. Check the following:
Verify that there is no configuration mismatch. Verify that all member ports are up. Verify that a LAG is part of family ethernetswitching (Layer 2 LAG) or family inet (Layer 3 LAG). Verify that the LAG member is connected to the correct LAG at the other end. Verify that the LAG members belong to the same switch (or the same virtual chassis). Verifying the Status of a LAG Interface on page 330 Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 184 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 190
Related Topics
Disabled port on EX 3200 switch with a 4-port Gigabit Ethernet uplink module (EX-UM-4SFP) installed on page 338
337
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Disabled port on EX 3200 switch with a 4-port Gigabit Ethernet uplink module (EX-UM-4SFP) installed
Problem
One of the last four base ports (ge-0/0/20 through ge-0/0/23 on 24 port models or ge-0/0/44 through ge-0/0/47 on 48 port models) of an EX 3200 switch is disabled. The 4-port Gigabit Ethernet uplink module (EX-UM-4SFP) is installed. When you check status with the show interfaces command or with the J-Web user interface, the disabled port is not listed.
Cause
The last four base ports use the same ASIC as the 4-port Gigabit Ethernet uplink module. Therefore, if you insert a transceiver in a 4-port Gigabit Ethernet uplink module installed in an EX 3200 switch, a corresponding base port from the last four base ports is disabled. If you need to use the disabled base port, you should remove the transceiver from the 4port Gigabit Ethernet uplink module. You can install the 2port 10Gigabit Ethernet uplink module (EX-UM-2XFP) instead. There is no ASIC conflict with the EX-UM-2XFP uplink module.
Solution
Related Topics
Monitoring Interface Status and Traffic on page 329 Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321 Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 Removing a Transceiver from an EX-series Switch Installing a Transceiver in an EX-series Switch EX 3200 and EX 4200 Switches Hardware Overview on page 21 EX-series Switches Interfaces Overview on page 279
NOTE: If there is an existing port role configuration, it is cleared before the new port role configuration is applied.
338
Disabled port on EX 3200 switch with a 4-port Gigabit Ethernet uplink module (EX-UM-4SFP) installed
CLI Commands
set interfaces interfaceapply-macro juniper-port-profile Default set interfaces interface unit 0 family ethernet-switching port-mode access
339
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
CLI Commands
set class-of-service interfaces interfacescheduler-map juniper-port-profile-map set class-of-service interfaces interface unit 0 classifiers ieee-802.1 juniper_ieee_classifier set class-of-service interfaces interfaceunit 0 classifiers dscp juniper-dscp-classifier
Set CoS Configuration Wireless Access Point Port Role Set the port role to wireless access point. Set VLAN on VLANs stanza. Set port family to ethernet-ewitching Set port mode to Access. Set VLAN on port stanza. Set RSTP protocol with edge option. RSTP protocol is disabled if redundant trunk groups are configured. Routed Uplink Port Role Set the port role to Routed Uplink. Set port family to inet. Set IP address on the port. Set class-of-service parameters
SCHEDULER_MAP=juniper-port-profile-map IEEE_CLASSIFIER=juniper-ieee-classifier DSCP_CLASSIFIER=juniper-dscp-classifier
set interfaces interface apply-macro juniper-port-profile Wireless Access Point set vlans vlan namevlan-id vlan-id set interfaces interface unit 0 family ethernet-switching port-mode access
set interfaces interface unit 0 family ethernet-switching vlan members vlan-members set protocols rstp interface interface edge set protocols rstp interface interface disable
set interfaces interface apply-macro juniper-port-profile Routed Uplink set interfaces interfaceunit 0 family inet address ipaddress
set class-of-service interfaces interfacescheduler-map juniper-port-profile-map set class-of-service interfaces interface unit 0 classifiers ieee-802.1 juniper_ieee_classifier set class-of-service interfaces interfaceunit 0 classifiers dscp juniper-dscp-classifier
Set CoS configuration Layer 2 Uplink Port Role Set the port role to Layer 2 Uplink. Set port family to ethernet-switching Set port mode to trunk.
set interfaces interface apply-macro juniper-port-profile Layer2 Uplink set interfaces interface unit 0 family ethernet-switching port-mode trunk
340
CLI Commands
set interfaces interface unit 0 family ethernet-switching native-vlan-id vlan-name set interfaces interface unit 0 family ethernet-switching vlan members vlan-members set ethernet-switching-options secure-access-port dhcp-trusted set protocols rstp interface interface mode point-to-point set protocols rstp interface interface disable
set class-of-service interfaces interfacescheduler-map juniper-port-profile-map set class-of-service interfaces interface unit 0 classifiers ieee-802.1 juniper_ieee_classifier set class-of-service interfaces interfaceunit 0 classifiers dscp juniper-dscp-classifier
Table 52 on page 341 lists the CLI commands for the recommended CoS settings that are committed when the CoS configuration is set.
Table 52: Recommended CoS Settings for Port Roles
CoS Parameter Forwarding Classes voice expedited-forwarding assured-forwarding best-effort Schedulers
set class-of-service forwarding-classes class voice queue-num 7 set class-of-service forwarding-classes class expedited-forwarding queue-num 5 set class-of-service forwarding-classes class assured-forwarding queue-num 1 set class-of-service forwarding-classes class best-effort queue-num 0
CLI Command
341
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
expedited-scheduler
assured-scheduler
best-effort-scheduler
Classifiers
Related Topics
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321
342
You encounter errors when you attempt to configure an interface on the switch, or the interface is exhibiting connectivity problems. Use the port troubleshooter feature in the J-Web interface to identify and rectify port configuration and connectivity related problems. To use the J-Web interface port troubleshooter:
1. 2. 3. 4.
Solution
Select the option Troubleshoot from the main menu. Click Troubleshoot Port. The Port Troubleshooting wizard is displayed. Click Next. Select the ports to troubleshoot. Select the test cases to be executed on the selected port. Click Next. When the selected test cases are executed, the final result and the recommended action is displayed.
If there is a cable fault, the port troubleshooter displays details and the recommended action. For example, the cable must be replaced. If the port configuration needs to be modified, the port troubleshooter displays details and the recommended action.
Related Topics
Monitoring Interface Status and Traffic on page 329 Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321 Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60
The switch filters valid packets from legitimate sources, which results in the switch's discarding packets that should be forwarded.
343
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Solution
The interface or interfaces on which legitimate packets are discarded are asymmetrically routed interfaces. An asymmetrically routed interface uses different paths to send and receive packets between the source and the destination, so the interface that receives a packet is not the same interface the switch uses to reply to the packet's source. Unicast RPF works properly only on symmetrically routed interfaces. A symmetrically routed interface is an interface that uses the same route in both directions between the source and the destination. Unicast RPF filters packets by checking the forwarding table for the best return path to the source of an incoming packet. If the best return path uses the same interface as the interface that received the packet, the switch forwards the packet. If the best return path uses a different interface than the interface that received the packet, the switch discards the packet. To avoid having the switch discard legitimate packets, ensure that all switch interfaces (including LAGs and RVIs) are symmetrically routed before you enable unicast RPF, because unicast RPF is enabled globally on all switch interfaces. If one or more switch interfaces are asymmetrically routed, do not enable unicast RPF on the switch.
Related Topics
Verifying Unicast RPF Status on page 332 show interfaces (for Gigabit Ethernet interfaces) show interfaces (for 10 Gigabit Ethernet interfaces) Understanding Unicast RPF for EX-series Switches on page 285
344
Chapter 27
Interface Configuration Statement Hierarchy on page 345 Individual Interface Configuration Statements on page 346
aggregated-ether-options {
lacp mode { periodic interval; } } } ge-chassis/pic/port { description text; ether-options { 802.3ad aex; auto-negotiation; flow-control; link-mode mode; speed (speed | auto-negotiation | no-autonegotiation); } mtu bytes; unit logical-unit-number { family ethernet-switching { filter input filter-name; filter output filter-name; l3-interface interface-name-logical-unit-number; native-vlan-id vlan-id port-mode mode; vlan { members [ (all | names | vlan-ids) ]; } } vlan-id vlan-id-number; }
345
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
vlan-tagging; } }
Related Topics
EX-series Switches Interfaces Overview on page 279 Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321 Configuring a Layer 3 Subinterface (CLI Procedure)
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify the aggregated Ethernet logical interface number.
ae xAggregated Ethernet logical interface number.
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 184 Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 190 Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 323 Configuring Aggregated Ethernet LACP (CLI Procedure) on page 325 Understanding Aggregated Ethernet Interfaces and LACP on page 283
346
auto-negotiation
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Explicitly enable or disable autonegotiation.
Autonegotiation is automatically enabled. No explicit action is taken after the autonegotiation is complete or if the negotiation fails. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Interfaces on EX-series Switches (CLI Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
auto-negotiation
347
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
chassis
Syntax
chassis {
[edit]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure chassis-specific properties. Most standard JUNOS configuration statements are available in the JUNOS for EX-series software. This page lists JUNOS statements that you commonly use when configuring EX-series software as well as statements added to support only EX-series switches. The statements are explained separately.
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
348
chassis
description
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Provide a textual description of the interface or the logical unit. Any descriptive text you include is displayed in the output of the show interfaces commands, and is also exposed in the ifAlias Management Information Base (MIB) object. It has no effect on the operation of the interface or the switch. No textual description is configured textText to describe the interface. If the text includes spaces, enclose the entire text in straight quotation marks. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Default Options
Configuring Interfaces on EX-series Switches (CLI Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
description
349
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
ether-options
Syntax
ether-options { 802.3ad aex; auto-negotiation; flow-control; link-mode mode; speed } [edit interfaces interface-name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure ether-options properties for Gigabit-Ethernet interface on EX-series switch. The statements are explained separately.
Enabled. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Interfaces on EX-series Switches (CLI Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
350
ether-options
family
Syntax
family ethernet-switching { filter input filter-name filter output filter-name l3-interface interface-name-logical-unit-number; native-vlan-id vlan-id; port-mode mode; vlan { [ (names | vlan-ids) ]; [ (names | vlan-ids) ]; translate vlan-id1 vlan-id2 } } [edit interfaces ge-chassis/slot/port unit logical-unit-number]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure protocol family information for the logical interface. You must configure a logical interface to be able to use the physical device.
ethernet-switchingEthernet switch protocol family.
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Interfaces on EX-series Switches (CLI Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
family
351
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
filter
Syntax Hierarchy Level Release Information Description
filter (input | output) filter-name; [edit interfaces ge-chassis/slot/port unit logical-unit-number family family-name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Apply a firewall filter to traffic entering the port or Layer 3 interface or exiting the Layer 3 interface. All incoming traffic is accepted unmodified on the port or Layer 3 interface, and all outgoing traffic is sent unmodified from the port or Layer 3 interface.
filter-name Name of a firewall filter defined in the filter statement.
Default
Options
inputApply a firewall filter to traffic entering the port or Layer 3 interface. outputApply a firewall filter to traffic exiting the Layer 3 interface.
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321 Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092 Firewall Filters for EX-series Switches Overview on page 1041 JUNOS Software Network Interfaces Configuration Guide at www.juniper.net/techpubs/software/junos/
352
filter
flow-control
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Explicitly enable flow control, which regulates the flow of packets from the switch to the remote side of the connection, or disable it.
Ethernet switch.
Flow control enabled. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Interfaces on EX-series Switches (CLI Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
l3-interface
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Associate a Layer 3 interface with the VLAN. Configure Layer 3 interfaces on trunk ports to allow the interface to transfer traffic between multiple VLANs. Within a VLAN, traffic is bridged, while across VLANs, traffic is routed. No Layer 3 (routing) interface is associated with the VLAN. interface-namelogical-unit-numberName of a logical interface. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
flow-control
353
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
lacp
Syntax
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the Link Aggregation Control Protocol (LACP). LACP is not enabled.
mode LACP mode:
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 190 Configuring Aggregated Ethernet LACP (CLI Procedure) on page 325 Configuring Link Aggregation (J-Web Procedure) on page 324 Understanding Aggregated Ethernet Interfaces and LACP on page 283
354
lacp
link-mode
Syntax Hierarchy Level Release Information Description Default Options
Statement introduced in JUNOS Release 9.0 for EX-series switches. Set the devices link-connection characteristic. The automatic mode is enabled.
mode Link characteristic:
If no-auto-negotiation is specified in ether-options, you can select only full-duplex or half-duplex. If auto-negotiation is specified in ether-options, you can select any mode.
Required Privilege Level Related Topics
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Interfaces on EX-series Switches (CLI Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
link-mode
355
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
members
Syntax Hierarchy Level
members [ (all | names | vlan-ids) ]; [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching vlan]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For trunk interfaces, configure the VLANs for which the interface can carry traffic.
allSpecifies that this trunk interface is a member of all the VLANs that are configured
on this switch. When a new VLAN is configured on the switch, this trunk interface automatically becomes a member of the VLAN.
NOTE: Each VLAN that is configured must have a specified VLAN ID when you attempt to commit the configuration; otherwise, the configuration commit fails. Also, all cannot be the name of a VLAN on the switch.
names Name of one or more VLANs. vlan-ids Numeric identifier of one or more VLANs. For a series of tagged VLANs, specify a range; for example, 10-20.
Required Privilege Level Related Topics
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Interfaces on EX-series Switches (CLI Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 Example: Connecting an Access Switch to a Distribution Switch on page 422 Creating a Series of Tagged VLANs (CLI Procedure) on page 470 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
356
members
mtu
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Maximum transmission unit (MTU) size for the media. Changing the media MTU causes an interface to be deleted and added again. 1514 bytes
bytes MTU size.
Default Options
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
native-vlan-id
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the VLAN identifier to associate with untagged packets received on the interface. vlan-idNumeric identifier of the VLAN. Range: 0 through 4095 interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Interfaces on EX-series Switches (CLI Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
mtu
357
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
periodic
Syntax Hierarchy Level Release Information Description Default Options
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the interval for periodic transmission of LACP packets.
fast interval Interval at which to periodically transmit LACP packets:
fastTransmit packets every second. This is the default. slowTransmit packets every 30 seconds.
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Interfaces on EX-series Switches (CLI Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 190 Configuring Aggregated Ethernet LACP (CLI Procedure) on page 325 Understanding Aggregated Ethernet Interfaces and LACP on page 283
358
periodic
port-mode
Syntax Hierarchy Level Release Information Description Default Options
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure whether an interface on the switch operates in access or trunk mode. All switch interfaces are in access mode.
accessHave the interface operate in access mode. In this mode, the interface can
be in a single VLAN only. Access interfaces typically connect to network devices such as PCs, printers, IP telephones, and IP cameras.
trunkHave the interface operate in trunk mode. In this mode, the interface can be
in multiple VLANs and can multiplex traffic between different VLANs. Trunk interfaces typically connect to other switches and to routers on the LAN.
Required Privilege Level Related Topics
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Interfaces on EX-series Switches (CLI Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
port-mode
359
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
rpf-check
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.3 for EX-series switches. Enable a reverse-path forwarding check on unicast traffic (except ECMP packets) on all ingress interfaces. Unicast RPF is disabled on all interfaces. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Example: Configuring Unicast RPF on an EX-series Switch on page 311 Configuring Unicast RPF (CLI Procedure) on page 326 Disabling Unicast RPF (CLI Procedure) on page 327 Understanding Unicast RPF for EX-series Switches on page 285
360
rpf-check
speed
Syntax Hierarchy Level Release Information Description Default
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the interfaces speed: If the auto-negotiation statement at the [edit interfaces interface-name ether-options] hierarchy level is enabled, the auto-negotiation option is enabled by default.
Options
speed Specify the interface speed. If the auto-negotiation statement at the [edit interfaces interface-name ether-options] hierarchy level is disabled, you must
specify a specific value. This value sets the speed that is used on the link. If the auto-negotiation statement is enabled, you might want to configure a specific speed value to advertise the desired speed to the remote end.
other end of the link. This option is available only when the auto-negotiation statement at the [edit interfaces interface-name ether-options] hierarchy level is enabled.
Required Privilege Level Related Topics
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Interfaces on EX-series Switches (CLI Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
speed
361
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
translate
Syntax Hierarchy Level Release Information Description
translate vlan-id1 vlan-id2; [edit interfaces ge-fpc/chassis/port unit 0 family ethernet-switching vlan]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For trunk interfaces, have the interface change the VLAN identifier on received packets to a different identifier.
vlan-id1Number of the VLAN identifier in received packets. This identifier is removed
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show ethernet-switching interfaces Configuring Routed VLAN Interfaces (CLI Procedure) on page 468 Understanding Bridging and VLANs on EX-series Switches on page 395
362
translate
unit
Syntax
unit logical-unit-number { family ethernet-switching { l3-interface interface-name-logical-unit-number; native-vlan-id vlan-id; port-mode mode; vlan { [ (names | vlan-ids) ]; [ (names | vlan-ids) ]; translate vlan-id1 vlan-id2 } } vlan-id vlan-id-number; } [edit interfaces ge-chassis/slot/port]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure a logical interface on the physical device. You must configure a logical interface to be able to use the physical device. You must configure a logical interface to be able to use the physical device. logical-unit-numberNumber of the logical unit. Range: 0 through 16,384 The remaining statements are explained separately.
Default Options
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Interfaces on EX-series Switches (CLI Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
unit
363
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
vlan
Syntax
vlan { [ (names | vlan-ids) ]; [ (names | vlan-ids) ]; translate vlan-id1 vlan-id2 } [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Gigabit Ethernet and aggregated Ethernet interfaces, binds an 802.1Q VLAN tag ID to a logical interface. The statements are explained separately.
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 JUNOS Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
364
vlan
vlan-id
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.2 for EX-series switches. For Gigabit Ethernet and aggregated Ethernet interfaces only, bind an 802.1Q VLAN tag ID to a logical interface. vlan-id-numberA valid VLAN identifier. Range: 1 through 4094. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
vlan-tagging Configuring Interfaces on EX-series Switches (CLI Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch on page 303 Configuring a Layer 3 Subinterface (CLI Procedure)
vlan-id
365
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
vlan-tagging
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.2 for EX-series switches. Enable VLAN tagging. The platform will receive and forward single-tag frames with 802.1Q VLAN tags. VLAN tagging is disabled by default. interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
vlan-id Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch on page 303 Configuring a Layer 3 Subinterface (CLI Procedure) JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
366
vlan-tagging
Chapter 28
367
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
show interfaces
Syntax
show interfaces ge-fpc/pic/port <brief | detail | extensive | terse> <descriptions> <media> <snmp-index snmp-index> <statistics>
Command introduced in JUNOS Release 9.0 for EX-series switches. Display status information about the specified Gigabit Ethernet interface.
ge-fpc/pic/port Display standard information about the specified Gigabit Ethernet
interface.
brief | detail | extensive | terse(Optional) Display the specified level of output. descriptions(Optional) Display interface description strings. media(Optional) Display media-specific information about network interfaces. snmp-index snmp-index (Optional) Display information for the specified SNMP index
of the interface.
statistics(Optional) Display static interface statistics.
Required Privilege Level Related Topics
view
Monitoring Interface Status and Traffic on page 329 Troubleshooting an Aggregated Ethernet Interface on page 337 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
(Gigabit Ethernet) on page 374 brief (Gigabit Ethernet) on page 375 detail (Gigabit Ethernet) on page 375 extensive (Gigabit Ethernet) on page 376
Output Fields
Table 53 on page 368 lists the output fields for the show interfaces command. Output fields are listed in the approximate order in which they appear.
Field Description
Level of Output
368
show interfaces
Field Description Index number of the physical interface, which reflects its initialization sequence. SNMP index number for the physical interface. Unique number for use by Juniper Networks technical support only. Optional user-specified description. Encapsulation being used on the physical interface. Maximum transmission unit size on the physical interface. Default is 1514. Speed at which the interface is running. Loopback status: Enabled or Disabled. If loopback is enabled, type of loopback: Local or Remote. Source filtering status: Enabled or Disabled. Flow control status: Enabled or Disabled. Autonegotiation status: Enabled or Disabled. Remote fault status:
Level of Output
detail extensive none detail extensive none detail extensive brief detail extensive
Device flags Interface flags Link flags CoS queues Hold-times Current address Hardware address Last flapped
Information about the physical device. Information about the interface. Information about the link. Number of CoS queues configured. Current interface hold-time up and hold-time down, in milliseconds. Configured MAC address. MAC address of the hardware. Date, time, and how long ago the interface went from down to up. The format is Last flapped: year-month-day hour:minute:second timezone (hour:minute:second ago). For example, Last flapped: 20080116 10:52:40 UTC (3d 22:58 ago). Time when the statistics for the interface were last set to zero.
detail extensive
show interfaces
369
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Field Description Number and rate of bytes and packets received and transmitted on the physical interface.
Level of Output
detail extensive
Input bytesNumber of bytes received on the interface. Output bytesNumber of bytes transmitted on the interface. Input packetsNumber of packets received on the interface Output packetsNumber of packets transmitted on the interface.
Input errors on the interface. The following paragraphs explain the counters whose meaning might not be obvious:
extensive
ErrorsSum of the incoming frame aborts and FCS errors. DropsNumber of packets dropped by the input queue of the I/O Manager
ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism.
checksum (FCS).
RuntsNumber of frames received that are smaller than the runt threshold. Policed discardsNumber of frames that the incoming packet match code
discarded because they were not recognized or not of interest. Usually, this field reports protocols that the JUNOS software does not handle.
failed Layer 3 sanity checks of the headers. For example, a frame with less than 20 bytes of available IP header is discarded.
L2 channel errorsNumber of times the software did not find a valid logical
reported by the ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
370
show interfaces
Field Description Output errors on the interface. The following paragraphs explain the counters whose meaning might not be obvious:
Level of Output
extensive
Carrier transitionsNumber of times the interface has gone from down to up. This number does not normally increment quickly, increasing only
when the cable is unplugged, the far-end system is powered down and then up, or another problem occurs. If the number of carrier transitions increments quickly (perhaps once every 10 seconds), the cable, the far-end system, or the PIC or PIM is malfunctioning.
ErrorsSum of the outgoing frame aborts and FCS errors. DropsNumber of packets dropped by the output queue of the I/O
Manager ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism.
supports only full-duplex operation, so for Gigabit Ethernet PICs, this number should always remain 0. If it is nonzero, there is a software bug.
so long that the system automatically purged them. The value in this field should never increment. If it does, it is most likely a software bug or possibly malfunctioning hardware.
the ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
interface.
Total number of egress queues supported on the specified interface. CoS queue number and its associated user-configured forwarding class name.
Queued packetsNumber of queued packets. Transmitted packetsNumber of transmitted packets. Dropped packetsNumber of packets dropped by the ASIC's RED
mechanism.
Active alarms and Active defects
Ethernet-specific defects that can prevent the interface from passing packets. When a defect persists for a certain amount of time, it is promoted to an alarm. Based on the switch configuration, an alarm can ring the red or yellow alarm bell on the switch, or turn on the red or yellow alarm LED on the craft interface. These fields can contain the value None or Link.
NoneThere are no active defects or alarms. LinkInterface has lost its link state, which usually means that the cable
is unplugged, the far-end system has been turned off, or the PIC is malfunctioning.
show interfaces
371
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Field Description
Receive and Transmit statistics reported by the PIC's MAC subsystem.
Level of Output
extensive
Total octets and total packetsTotal number of octets and packets. For
Gigabit Ethernet IQ PICs, the received octets count varies by interface type.
(excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
FIFO errorNumber of FIFO errors that are reported by the ASIC on the
MAC control framesNumber of MAC control frames. MAC pause framesNumber of MAC control frames with pause operational
code.
Oversized framesNumber of frames that exceed 1518 octets. Jabber framesNumber of frames that were longer than 1518 octets
(excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. This definition of jabber is different from the definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2). These documents define jabber as the condition in which any packet exceeds 20 ms. The allowed range to detect jabber is from 20 ms to 150 ms.
in length (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. Fragment frames normally increment because both runts (which are normal occurrences caused by collisions) and noise hits are counted.
VLAN tagged framesNumber of frames that are VLAN tagged. The system
uses the TPID of 0x8100 in the frame to determine whether a frame is tagged or not. NOTE: This counter is not supported on EX-series switches; the field value is always displayed as 0.
subsystem.
372
show interfaces
Level of Output
extensive
Negotiation status:
IncompleteEthernet interface has the speed or link mode configured. No autonegotiationRemote Ethernet interface has the speed or link
Link partner:
Link modeDepending on the capability of the attached Ethernet device, either Full-duplex or Half-duplex. Flow controlTypes of flow control supported by the remote Ethernet device. For Gigabit Ethernet interfaces, types are Symmetric (link partner supports PAUSE on receive and transmit), Asymmetric (link partner supports PAUSE on transmit), and Symmetric/Asymmetric (link partner supports both PAUSE on receive and transmit or only PAUSE
receive).
Remote faultRemote fault information from the link partnerFailure indicates a receive link error. OK indicates that the link partner is receiving. Negotiation error indicates a negotiation error. Offline
Flow controlTypes of flow control supported by the remote Ethernet device. For Gigabit Ethernet interfaces, types are Symmetric (link partner supports PAUSE on receive and transmit), Asymmetric (link partner supports PAUSE on transmit), and Symmetric/Asymmetric (link partner supports both PAUSE on receive and transmit or only PAUSE
receive).
Remote faultRemote fault information. Link OK (no error detected on receive), Offline (local interface is offline), and Link Failure (link
extensive
Name of the logical interface. Index number of the logical interface, which reflects its initialization sequence. SNMP interface index number for the logical interface. Unique number for use by Juniper Networks technical support only. Information about the logical interface.
All levels
detail extensive none detail extensive none detail extensive
All levels
show interfaces
373
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Field Description Encapsulation on the logical interface. Protocol family. This field is not supported for logical interfaces on EX-series switches. Unique number for use by Juniper Networks technical support only. Route table in which the logical interface address is located. For example, 0 refers to the routing table inet.0. Information about protocol family flags. If unicast Reverse Path Forwarding (uRPF) is explicitly configured on the specified interface, the uRPF flag displays. If uRPF was configured on a different interface (and therefore is enabled on all switch interfaces) but was not explicitly configured on the specified interface, the uRPF flag does not display even though uRPF is enabled.
Flags
detail extensive
protocol-family
Protocol family configured on the logical interface. If the protocol is inet, the IP address of the interface is also displayed. Information about address flag. IP address of the remote side of the connection. IP address of the logical interface. Broadcast address of the logical interlace. Unique number for use by Juniper Networks technical support only.
brief
detail extensive none detail extensive none detail extensive none detail extensive none detail extensive
user@host> show interfaces ge-0/0/0 Physical interface: ge-0/0/0, Enabled, Physical link is Down Interface index: 129, SNMP ifIndex: 21 Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled Remote fault: Online Device flags : Present Running Down Interface flags: Hardware-Down SNMP-Traps Internal: 0x0 CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:19:e2:50:3f:41, Hardware address: 00:19:e2:50:3f:41 Last flapped : 2008-01-16 11:40:53 UTC (4d 02:30 ago) Input rate : 0 bps (0 pps) Output rate : 0 bps (0 pps) Ingress rate at Packet Forwarding Engine : 0 bps (0 pps) Ingress drop rate at Packet Forwarding Engine : 0 bps (0 pps) Active alarms : None Active defects : None Logical interface ge-0/0/0.0 (Index 65) (SNMP ifIndex 22) Flags: SNMP-Traps
374
show interfaces
Encapsulation: ENET2 Input packets : 0 Output packets: 0 Protocol eth-switch, MTU: 0 Flags: None
user@host> show interfaces ge-0/0/0 brief Physical interface: ge-0/0/0, Enabled, Physical link is Down Description: voice priority and tcp and icmp traffic rate-limiting filter at i ngress port Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Down Interface flags: Hardware-Down SNMP-Traps Internal: 0x0 Link flags : None Logical interface ge-0/0/0.0 Flags: Device-Down SNMP-Traps Encapsulation: ENET2 eth-switch
user@host> show interfaces ge-0/0/0 detail Physical interface: ge-0/0/0, Enabled, Physical link is Up Interface index: 129, SNMP ifIndex: 21, Generation: 130 Link-level type: Ethernet, MTU: 1514, Speed: Auto, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:19:e2:50:a8:a1, Hardware address: 00:19:e2:50:a8:a1 Last flapped : 2008-01-29 10:54:31 UTC (01:36:47 ago) Statistics last cleared: Never Traffic statistics: Input bytes : 368613240000 0 bps Output bytes : 368642493760 0 bps Input packets: 5759581881 0 pps Output packets: 5760038969 0 pps Egress queues: 8 supported, 0 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort 1 assured-forw 5 expedited-fo 7 network-cont Active alarms : None Active defects : None 0 0 0 0 5760782572 0 0 0 0 0 0 0
Logical interface ge-0/0/0.0 (Index 66) (SNMP ifIndex 22) (Generation 132) Flags: SNMP-Traps Encapsulation: ENET2 Traffic statistics: Input bytes : 60 Output bytes : 0 Input packets: 1 Output packets: 0 Local statistics:
show interfaces
375
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Input bytes : 60 Output bytes : 0 Input packets: 1 Output packets: 0 Transit statistics: Input bytes : 0 0 Output bytes : 0 0 Input packets: 0 0 Output packets: 0 0 Protocol eth-switch, MTU: 0, Generation: 143, Route table: Flags: Is-Primary
user@host> show interfaces ge-0/0/0 extensive Physical interface: ge-0/0/0, Enabled, Physical link is Up Interface index: 129, SNMP ifIndex: 21, Generation: 130 Link-level type: Ethernet, MTU: 1514, Speed: Auto, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:19:e2:50:a8:a1, Hardware address: 00:19:e2:50:a8:a1 Last flapped : 2008-01-29 10:54:31 UTC (01:40:54 ago) Statistics last cleared: Never Traffic statistics: Input bytes : 386327695808 0 bps Output bytes : 386356949568 0 bps Input packets: 6036370253 0 pps Output packets: 6036827341 0 pps Input errors: Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0 Output errors: Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, Resource errors: 0 Output errors: Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0 Egress queues: 8 supported, 0 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort 0 6036979415 0 1 assured-forw 0 0 0 5 expedited-fo 0 0 0 7 network-cont 0 0 0 Active alarms : None Active defects : None MAC statistics: Receive Transmit Total octets 386327695808 386356949568 Total packets 6036370253 6036827341 Unicast packets 6036370252 6036827341 Broadcast packets 0 0 Multicast packets 1 0 CRC/Align errors 0 0 FIFO errors 0 0 MAC control frames 0 0 MAC pause frames 0 0
376
show interfaces
Oversized frames 0 Jabber frames 0 Fragment frames 0 VLAN tagged frames 0 Code violations 0 Filter statistics: Input packet count 0 Input packet rejects 0 Input DA rejects 0 Input SA rejects 0 Output packet count 0 Output packet pad count 0 Output packet error count 0 CAM destination filters: 0, CAM source filters: 0 Autonegotiation information: Negotiation status: Complete Link partner: Link mode: Full-duplex, Flow control: None, Remote fault: OK, Link partner Speed: 1000 Mbps Local resolution: Flow control: None, Remote fault: Link OK Packet Forwarding Engine configuration: Destination slot: 0 Logical interface ge-0/0/0.0 (Index 66) (SNMP ifIndex 22) (Generation 132) Flags: SNMP-Traps Encapsulation: ENET2 Traffic statistics: Input bytes : 60 Output bytes : 0 Input packets: 1 Output packets: 0 Local statistics: Input bytes : 60 Output bytes : 0 Input packets: 1 Output packets: 0 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol eth-switch, MTU: 0, Generation: 143, Route table: 0 Flags: Is-Primary
show interfaces
377
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
show interfaces
Syntax
show interfaces xe-fpc/pic/port <brief | detail | extensive | terse> <descriptions> <media> <snmp-index snmp-index> <statistics>
Command introduced in JUNOS Release 9.0 for EX-series switches. Display status information about the specified 10-Gigabit Ethernet interface.
xe-fpc/pic/port Display standard information about the specified 10-Gigabit Ethernet
interface.
brief | detail | extensive | terse(Optional) Display the specified level of output. descriptions(Optional) Display interface description strings. media(Optional) Display media-specific information about network interfaces. snmp-index snmp-index (Optional) Display information for the specified SNMP index
of the interface.
statistics(Optional) Display static interface statistics.
Required Privilege Level Related Topics
view
Monitoring Interface Status and Traffic on page 329 Troubleshooting an Aggregated Ethernet Interface on page 337 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
(10-Gigabit Ethernet) on page 385 brief (10-Gigabit Ethernet) on page 385 detail (10-Gigabit Ethernet) on page 385 extensive (10-Gigabit Ethernet) on page 386
Output Fields
Table 54 on page 378 lists the output fields for the show interfaces command. Output fields are listed in the approximate order in which they appear.
Field Description
Level of Output
All levels
378
show interfaces
Field Description State of the interface. Index number of the physical interface, which reflects its initialization sequence. SNMP index number for the physical interface. Unique number for use by Juniper Networks technical support only. Encapsulation being used on the physical interface. Maximum transmission unit size on the physical interface. Speed at which the interface is running. Loopback status: Enabled or Disabled. If loopback is enabled, type of loopback: Local or Remote. Source filtering status: Enabled or Disabled. 10-Gigabit Ethernet interface operating in Local Area Network Physical Layer Device (LAN PHY) mode. LAN PHY allows 10-Gigabit Ethernet wide area links to use existing Ethernet applications. Unidirectional link mode status for 10-Gigabit Ethernet interface: Enabled or Disabled for parent interface; Rx-only or Tx-only for child interfaces. Flow control status: Enabled or Disabled. Autonegotiation status: Enabled or Disabled. Remote fault status:
Unidirectional
All levels
Device flags Interface flags Link flags Wavelength Frequency CoS queues Schedulers Hold-times Current address Hardware address
Information about the physical device. Information about the interface. Information about the link. Configured wavelength, in nanometers (nm). Frequency associated with the configured wavelength, in terahertz (THz). Number of CoS queues configured. Number of CoS schedulers configured. Current interface hold-time up and hold-time down, in milliseconds. Configured MAC address. Hardware MAC address.
All levels All levels All levels All levels All levels
detail extensive none extensive detail extensive detail extensive none detail extensive none
show interfaces
379
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Field Description Date, time, and how long ago the interface went from down to up. The format is Last flapped: year-month-day hour: :minute:second:timezone ( hour:minute:second ago). For example, Last flapped: 20080116 10:52:40 UTC (3d 22:58 ago). Input rate in bits per second (bps) and packets per second (pps). Output rate in bps and pps. Time when the statistics for the interface were last set to zero.
Level of Output
detail extensive none
Number and rate of bytes and packets received and transmitted on the physical interface.
detail extensive
Input bytesNumber of bytes received on the interface. Output bytesNumber of bytes transmitted on the interface. Input packetsNumber of packets received on the interface Output packetsNumber of packets transmitted on the interface.
Input errors on the interface. The following paragraphs explain the counters whose meaning might not be obvious:
extensive
ErrorsSum of the incoming frame aborts and FCS errors. DropsNumber of packets dropped by the input queue of the I/O Manager
ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism.
checksum (FCS).
RuntsNumber of frames received that are smaller than the runt threshold. Policed discardsNumber of frames that the incoming packet match code
discarded because they were not recognized or not of interest. Usually, this field reports protocols that the JUNOS software does not handle.
failed Layer 3 sanity checks of the header. For example, a frame with less than 20 bytes of available IP header is discarded. L3 incomplete errors can be ignored by if you configure the ignore-l3-incompletes statement.
L2 channel errorsNumber of times the software did not find a valid logical
reported by the ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
380
show interfaces
Field Description Output errors on the interface. The following paragraphs explain the counters whose meaning might not be obvious:
Level of Output
extensive
Carrier transitionsNumber of times the interface has gone from down to up. This number does not normally increment quickly, increasing only
when the cable is unplugged, the far-end system is powered down and then up, or another problem occurs. If the number of carrier transitions increments quickly (perhaps once every 10 seconds), the cable, the far-end system, or the PIC or PIM is malfunctioning.
ErrorsSum of the outgoing frame aborts and FCS errors. DropsNumber of packets dropped by the output queue of the I/O
Manager ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism.
supports only full-duplex operation, so for Gigabit Ethernet PICs, this number should always remain 0. If it is nonzero, there is a software bug.
so long that the system automatically purged them. The value in this field should never increment. If it does, it is most likely a software bug or possibly malfunctioning hardware.
the ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
interface.
Total number of egress queues supported on the specified interface. CoS queue number and its associated user-configured forwarding class name.
Queued packetsNumber of queued packets. Transmitted packetsNumber of transmitted packets. Dropped packetsNumber of packets dropped by the ASIC's RED
mechanism.
Ingress queues Queue counters (Ingress)
Total number of ingress queues supported on the specified interface. CoS queue number and its associated user-configured forwarding class name.
extensive extensive
Queued packetsNumber of queued packets. Transmitted packetsNumber of transmitted packets. Dropped packetsNumber of packets dropped by the ASIC's RED
mechanism.
show interfaces
381
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Field Description Ethernet-specific defects that can prevent the interface from passing packets. When a defect persists for a certain amount of time, it is promoted to an alarm. Based on the router configuration, an alarm can ring the red or yellow alarm bell on the router, or turn on the red or yellow alarm LED on the craft interface. These fields can contain the value None or Link.
Level of Output
detail extensive none
NoneThere are no active defects or alarms. LinkInterface has lost its link state, which usually means that the cable
is unplugged, the far-end system has been turned off, or the PIC is malfunctioning.
PCS statistics MAC statistics
Physical Coding Sublayer (PCS) fault conditions from the LAN PHY device.
Receive and Transmit statistics reported by the PIC's MAC subsystem.
Total octets and total packetsTotal number of octets and packets. For
Gigabit Ethernet IQ PICs, the received octets count varies by interface type.
(excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
FIFO errorNumber of FIFO errors that are reported by the ASIC on the
MAC control framesNumber of MAC control frames. MAC pause framesNumber of MAC control frames with pause operational
code.
Oversized framesNumber of frames that exceed 1518 octets. Jabber framesNumber of frames that were longer than 1518 octets
(excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. This definition of jabber is different from the definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2). These documents define jabber as the condition in which any packet exceeds 20 ms. The allowed range to detect jabber is from 20 ms to 150 ms.
in length (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. Fragment frames normally increment because both runts (which are normal occurrences caused by collisions) and noise hits are counted.
VLAN tagged framesNumber of frames that are VLAN tagged. The system
uses the TPID of 0x8100 in the frame to determine whether a frame is tagged or not. This counter is not supported on EX-series switches and is always displayed as 0.
subsystem.
382
show interfaces
Level of Output
extensive
Negotiation status:
IncompleteEthernet interface has the speed or link mode configured. No autonegotiationRemote Ethernet interface has the speed or link
Link partner:
Link modeDepending on the capability of the attached Ethernet device, either Full-duplex or Half-duplex. Flow controlTypes of flow control supported by the remote Ethernet device. For Fast Ethernet interfaces, the type is None. For Gigabit Ethernet interfaces, types are Symmetric (link partner supports PAUSE on receive and transmit), Asymmetric (link partner supports PAUSE on transmit), and Symmetric/Asymmetric (link partner supports both PAUSE on receive and transmit or only PAUSE receive). Remote faultRemote fault information from the link partnerFailure indicates a receive link error. OK indicates that the link partner is receiving. Negotiation error indicates a negotiation error. Offline
Flow controlTypes of flow control supported by the remote Ethernet device. For Gigabit Ethernet interfaces, types are Symmetric (link partner supports PAUSE on receive and transmit), Asymmetric (link partner supports PAUSE on transmit), and Symmetric/Asymmetric (link partner supports both PAUSE on receive and transmit or only PAUSE
receive).
Remote faultRemote fault information. Link OK (no error detected on receive), Offline (local interface is offline), and Link Failure (link
show interfaces
383
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Field Description Information about the configuration of the Packet Forwarding Engine:
Level of Output
extensive
Destination slotFPC slot number. CoS transmit queueQueue number and its associated user-configured
Bandwidth %Percentage of bandwidth allocated to the queue. Bandwidth bpsBandwidth allocated to the queue (in bps). Buffer %Percentage of buffer space allocated to the queue. Buffer usecAmount of buffer space allocated to the queue, in
microseconds. This value is nonzero only if the buffer size is configured in terms of time.
PriorityQueue priority: low or high. LimitDisplayed if rate limiting is configured for the queue. Possible values are none and exact. If exact is configured, the queue transmits only up to the configured bandwidth, even if excess bandwidth is available. If none
is configured, the queue transmits beyond the configured bandwidth if bandwidth is available.
Logical Interface Logical interface Index SNMP ifIndex Generation Flags Encapsulation Protocol MTU Generation Route Table
Name of the logical interface. Index number of the logical interface, which reflects its initialization sequence. SNMP interface index number for the logical interface. Unique number for use by Juniper Networks technical support only. Information about the logical interface. Encapsulation on the logical interface. Protocol family. This field is not supported for logical interfaces on EX-series switches. Unique number for use by Juniper Networks technical support only. Route table in which the logical interface address is located. For example, 0 refers to the routing table inet.0. Information about protocol family flags. If unicast Reverse Path Forwarding (uRPF) is explicitly configured on the specified interface, the uRPF flag displays. If uRPF was configured on a different interface (and therefore is enabled on all switch interfaces) but was not explicitly configured on the specified interface, the uRPF flag does not display even though uRPF is enabled.
All levels
detail extensive none detail extensive none detail extensive
Flags
detail extensive
Addresses, Flags
384
show interfaces
Field Description Protocol family configured on the logical interface. If the protocol is inet, the IP address of the interface is also displayed. Information about address flag. IP address of the remote side of the connection. IP address of the logical interface. Broadcast address of the logical interlace. Unique number for use by Juniper Networks technical support only.
Level of Output
brief
detail extensive none detail extensive none detail extensive none detail extensive none detail extensive
user@host> show interfaces xe-0/1/0 Physical interface: xe-0/1/0, Enabled, Physical link is Up Interface index: 153, SNMP ifIndex: 69 Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Current address: 00:19:e2:50:c8:99, Hardware address: 00:19:e2:50:c8:99 Last flapped : 2008-02-25 05:28:08 UTC (00:12:49 ago) Input rate : 0 bps (0 pps) Output rate : 0 bps (0 pps) Active alarms : None Active defects : None Logical interface xe-0/1/0.0 (Index 88) (SNMP ifIndex 70) Flags: SNMP-Traps Encapsulation: ENET2 Input packets : 0 Output packets: 0 Protocol eth-switch, MTU: 0 Flags: None
user@host> show interfaces brief xe-0/1/0 Physical interface: xe-0/1/0, Enabled, Physical link is Up Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None Logical interface xe-0/1/0.0 Flags: SNMP-Traps Encapsulation: ENET2 eth-switch
user@host> show interfaces detail xe-0/1/0 Physical interface: xe-0/1/0, Enabled, Physical link is Up Interface index: 153, SNMP ifIndex: 69, Generation: 154 Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled
show interfaces
385
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:19:e2:50:c8:99, Hardware address: 00:19:e2:50:c8:99 Last flapped : 2008-02-25 05:28:08 UTC (00:16:29 ago) Statistics last cleared: Never Traffic statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Egress queues: 8 supported, 0 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort 1 assured-forw 5 expedited-fo 7 network-cont Active alarms : None Active defects : None Logical interface xe-0/1/0.0 (Index 88) (SNMP ifIndex 70) (Generation 154) Flags: SNMP-Traps Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol eth-switch, MTU: 0, Generation: 166, Route table: 0 Flags: None 0 0 0 0 0 0 0 0 0 0 0 0
user@host> show interfaces extensive xe-0/1/0 Physical interface: xe-0/1/0, Enabled, Physical link is Up Interface index: 153, SNMP ifIndex: 69, Generation: 154 Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:19:e2:50:c8:99, Hardware address: 00:19:e2:50:c8:99 Last flapped : 2008-02-25 05:28:08 UTC (00:17:30 ago) Statistics last cleared: Never
386
show interfaces
Traffic statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Input errors: Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0 Output errors: Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0 Egress queues: 8 supported, 0 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort 1 assured-forw 5 expedited-fo 7 network-cont 0 0 0 0 0 0 0 0 0 0 0 0
Active alarms : None Active defects : None MAC statistics: Receive Total octets 0 Total packets 0 Unicast packets 0 Broadcast packets 0 Multicast packets 0 CRC/Align errors 0 FIFO errors 0 MAC control frames 0 MAC pause frames 0 Oversized frames 0 Jabber frames 0 Fragment frames 0 VLAN tagged frames 0 Code violations 0 Filter statistics: Input packet count 0 Input packet rejects 0 Input DA rejects 0 Input SA rejects 0 Output packet count Output packet pad count Output packet error count CAM destination filters: 0, CAM source filters: 0 Autonegotiation information: Negotiation status: Incomplete Packet Forwarding Engine configuration: Destination slot: 0 Direction : Output CoS transmit queue Bandwidth Limit % bps % 0 best-effort 95 950000000 95 none 7 network-control 5 50000000 5
Transmit 0 0 0 0 0 0 0 0 0
0 0 0
low low
show interfaces
387
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
none Logical interface xe-0/1/0.0 (Index 88) (SNMP ifIndex 70) (Generation 154) Flags: SNMP-Traps Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol eth-switch, MTU: 0, Generation: 166, Route table: 0 Flags: None
388
show interfaces
Command introduced in JUNOS Release 9.0 for EX-series switches. Display diagnostics data and alarms for 10-Gigabit Ethernet dense wavelength-division multiplexing (DWDM) interfaces. Thresholds that trigger a high alarm, low alarm, high warning, or low warning are set by the transponder vendors. Generally, a high alarm or low alarm indicates that the optics module is not operating properly. This information can be used to diagnose why a PIC is not working.
view
Monitoring Interface Status and Traffic on page 329 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
show interfaces diagnostics optics (XFP Optics) on page 392 Table 55 on page 389 lists the output fields for the show interfaces diagnostics optics command when the switch is operating with XFP optics. Output fields are listed in the approximate order in which they appear.
Table 55: 10-Gigabit Ethernet XFP Optics show interfaces diagnostics optics Output Fields
Field Name
Physical interface Laser bias current
Field Description Name of the physical interface. Magnitude of the laser bias power setting current, in milliamperes. The laser bias provides direct modulation of laser diodes and modulates currents. Laser output power, in milliwatts (mW) and decibels, referenced to 1.0 mW (dBm). This is a software equivalent to the LsPOWMON pin in hardware. Temperature of the XFP optics module, in Celsius and Fahrenheit. Laser received optical power, in mW and dBm. Laser bias power setting high alarm. Displays on or off.
Module temperature Laser rx power Laser bias current high alarm Laser bias current low alarm Laser bias current high warning
389
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 55: 10-Gigabit Ethernet XFP Optics show interfaces diagnostics optics Output Fields (continued)
Field Name
Laser bias current low warning Laser output power high alarm Laser output power low alarm Laser output power high warning Laser output power low warning Module temperature high alarm Module temperature low alarm Module temperature high warning Module temperature low warning Laser rx power high alarm Laser rx power low alarm Laser rx power high warning Laser rx power low warning Module not ready alarm Module power down alarm Tx data not ready alarm Tx not ready alarm Tx laser fault alarm Tx CDR loss of lock alarm Rx not ready alarm
Field Description Laser bias power setting low warning. Displays on or off.
Module not ready alarm. When on, indicates the module has an operational fault. Displays on or off. Module power down alarm. When on, module is in a limited power mode, low for normal operation. Displays on or off. Any condition leading to invalid data on the transmit path. Displays on or off. Any condition leading to invalid data on the transmit path. Displays on or off. Laser fault condition. Displays on or off. Transmit clock and data recovery (CDR) loss of lock. Loss of lock on the transmit side of the CDR. Displays on or off. Any condition leading to invalid data on the receive path. Displays on or off.
390
Table 55: 10-Gigabit Ethernet XFP Optics show interfaces diagnostics optics Output Fields (continued)
Field Name
Rx loss of signal alarm
Field Description Receive Loss of Signal alarm. When on, indicates insufficient optical input power to the module. Displays on or off. Receive CDR loss of lock. Loss of lock on the receive side of the CDR. Displays on or off.
Rx CDR loss of lock alarm Laser bias current high alarm threshold Laser bias current low alarm threshold Laser bias current high warning threshold Laser bias current low warning threshold Laser output power high alarm threshold Laser output power low alarm threshold Laser output power high warning threshold Laser output power low warning threshold Module temperature high alarm threshold Module temperature low alarm threshold Module temperature high warning threshold Module temperature low warning threshold Laser rx power high alarm threshold Laser rx power low alarm threshold Laser rx power high warning threshold Laser rx power low warning threshold
Vendor-specified threshold for the laser bias current high alarm: 130.000 mA.
Vendor-specified threshold for the laser bias current low alarm: 10.000 mA.
Vendor-specified threshold for the laser bias current high warning: 120.000 mA.
Vendor-specified threshold for the laser bias current low warning: 12.000 mA.
Vendor-specified threshold for the laser output power high alarm: 0.8910 mW or -0.50 dBm.
Vendor-specified threshold for the laser output power low alarm: 0.2230 mW or -6.52 dBm.
Vendor-specified threshold for the laser output power high warning: 0.7940 mW or -100 dBm.
Vendor-specified threshold for the laser output power low warning: 0.2510 mW or -600 dBm.
Vendor-specified threshold for the laser Rx power high alarm: 1.2589 mW or 1.00 dBm.
Vendor-specified threshold for the laser Rx power low alarm: 0.0323 mW or -14.91 dBm.
Vendor-specified threshold for the laser Rx power high warning: 1.1220 mW or 0.50 dBm.
Vendor-specified threshold for the laser Rx power low warning: 0.0363 mW or -14.40 dBm.
391
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@host> show interfaces diagnostics optics Physical interface: xe-2/1/0 Laser bias current Laser output power Module temperature Laser rx power Laser bias current high alarm Laser bias current low alarm Laser bias current high warning Laser bias current low warning Laser output power high alarm Laser output power low alarm Laser output power high warning Laser output power low warning Module temperature high alarm Module temperature low alarm Module temperature high warning Module temperature low warning Laser rx power high alarm Laser rx power low alarm Laser rx power high warning Laser rx power low warning Module not ready alarm Module power down alarm Tx data not ready alarm Tx not ready alarm Tx laser fault alarm Tx CDR loss of lock alarm Rx not ready alarm Rx loss of signal alarm Rx CDR loss of lock alarm Laser bias current high alarm threshold Laser bias current low alarm threshold Laser bias current high warning threshold Laser bias current low warning threshold Laser output power high alarm threshold Laser output power low alarm threshold Laser output power high warning threshold Laser output power low warning threshold Module temperature high alarm threshold Module temperature low alarm threshold Module temperature high warning threshold Module temperature low warning threshold Laser rx power high alarm threshold Laser rx power low alarm threshold Laser rx power high warning threshold Laser rx power low warning threshold
xe-2/1/0 : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 52.060 mA 0.5640 mW / -2.49 dBm 31 degrees C / 88 degrees F 0.0844 mW / -10.74 dBm Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off 130.000 mA 10.000 mA 120.000 mA 12.000 mA 0.8910 mW / -0.50 dBm 0.2230 mW / -6.52 dBm 0.7940 mW / -1.00 dBm 0.2510 mW / -6.00 dBm 90 degrees C / 194 degrees F -5 degrees C / 23 degrees F 85 degrees C / 185 degrees F 0 degrees C / 32 degrees F 1.2589 mW / 1.00 dBm 0.0323 mW / -14.91 dBm 1.1220 mW / 0.50 dBm 0.0363 mW / -14.40 dBm
392
Part 8
Understanding Layer 2 Bridging, VLANs, and GVRP on page 395 Examples of Configuring Layer 2 Bridging, VLANs, and GVRP on page 407 Configuring Layer 2 Bridging, VLANs, and GVRP on page 465 Verifying Layer 2 Bridging, VLANs, and GVRP on page 477 Understanding Spanning Trees on page 485 Examples of Configuring Spanning Trees on page 491 Configuring Spanning Trees on page 547 Configuration Statements for Bridging, VLANs, and Spanning Trees on page 549 Operational Mode Commands for Bridging, VLANs, and Spanning Trees on page 615
393
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
394
Chapter 29
Understanding Bridging and VLANs on EX-series Switches on page 395 Understanding Redundant Trunk Links on EX-series Switches on page 401 Understanding Storm Control on EX-series Switches on page 403 Understanding Virtual Routing Instances on EX-series Switches on page 403 Understanding Q-in-Q Tunneling on EX-series Switches on page 404 Understanding Unknown Unicast Forwarding on EX-series Switches on page 405 Understanding Private VLANs on EX-series Switches on page 405
Ethernet LANs, Transparent Bridging, and VLANs on page 395 How Bridging Works on page 396 Types of Switch Ports on page 398 IEEE 802.1Q Encapsulation and Tags on page 398 Assignment of Traffic to VLANs on page 398 Ethernet switching tables on page 399 Layer 2 and Layer 3 Forwarding of VLAN Traffic on page 399 GVRP on page 399 Routed VLAN Interface on page 400
395
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The network devices, called nodes, on the LAN transmit data in bundles that are generally called frames or packets. Each node on a LAN has a unique identifier so that it can be unambiguously located on the network. Ethernet uses the Layer 2 media access control (MAC) address for this purpose. MAC addresses are hardware addresses that are programmed (burned) into the Ethernet processor in the node. A characteristic of Ethernet is that nodes on a LAN can transmit data frames at any time. However, the physical connecting cable between the nodeseither coaxial, copper-based (Category 5), or optical cablecan carry only a single stream of data at a time. One result of this design is that when two nodes transmit at the same time, their frames can collide on the cable and generate an error. Ethernet uses a protocol called carrier-sense multiple access with collision detection (CSMA/CD) to detect frame collisions. If a node receives a collision error message, it stops transmitting immediately and waits for a period of time before trying to send the frame again. If the node continues to detect collisions, it progressively increases the time between retransmissions in an attempt to find a time when no other data is being transmitted on the LAN. The node uses a backoff algorithm to calculate the increasing retransmission time intervals. Ethernet LANs were originally implemented for small, simple networks that carried primarily text. Over time, LANs have become larger and more complex; the type of data they carry has grown to include voice, graphics, and video; and the increased speed of Ethernet interfaces on LANs has resulted in exponential increases in traffic on the network. The IEEE 802.1D-2004 standard addresses some of the problems caused by the increase in LAN and complexity. This standard defines transparent bridging (generally called simply bridging). Bridging divides a single physical LAN (a single broadcast domain) into two or more virtual LANs, or VLANs. Each VLAN is a collection of network nodes that are grouped together to form separate broadcast domains. On an Ethernet network that is a single LAN, all traffic is forwarded to all nodes on the LAN. On VLANs, frames whose origin and destination are in the same VLAN are forwarded only within the local VLAN. Frames that are not destined for the local VLAN are the only ones forwarded to other broadcast domains. VLANs thus limit the amount of traffic flowing across the entire LAN, reducing the possible number of collisions and packet retransmissions within a VLAN and on the LAN as a whole. On an Ethernet LAN, all network nodes must be physically connected to the same network. On VLANs, the physical location of the nodes is not important, so you can group network devices in any way that makes sense for your organization, such as by department or business function, types of network nodes, or even physical location. Each VLAN is identified by a single IP subnetwork and by standardized IEEE 802.1Q encapsulation (discussed below).
396
Transparent bridging uses five mechanisms to create and maintain Ethernet switching tables on the switch:
The first bridging mechanism is learning. When a switch is first connected to an Ethernet LAN or VLAN, it has no information about other nodes on the network. The switch goes through a learning process to obtain the MAC addresses of all the nodes on the network. It stores these in the Ethernet switching table. To learn MAC addresses, the switch reads all packets that it detects on the LAN or on the local VLAN, looking for MAC addresses of sending nodes. It places these addresses into its Ethernet switching table, along with two other pieces of informationthe interface (or port) on which the traffic was received and the time when the address was learned. The second bridging mechanism is forwarding. Switches forward traffic, passing it from an incoming interface to an outgoing interface that leads to or toward the destination. To forward frames, the switch consults the Ethernet switching table to see whether the table contains the MAC address corresponding to the frames' destination. If the Ethernet switching table contains an entry for the desired destination address, the switch sends the traffic out the interface associated with the MAC address. The switch also consults the Ethernet switching table in the same way when transmitting frames that originate on devices connected directly to the switch. If the Ethernet switching table does not contain an entry for the desired destination address, the switch uses flooding, which is the third bridging mechanism. Flooding is how the switch learns about destinations not in its Ethernet switching table. If this table has no entry for a particular destination MAC address, the switch floods the traffic out all interfaces except the interface on which it was received. (If traffic originates on the switch, the switch floods it out all interfaces.) When the destination node receives the flooded traffic, it sends an acknowledgment packet back to the switch, allowing it to learn the MAC address of the node and to add the address to its Ethernet switching table. Filtering, the fourth bridging mechanism, is how broadcast traffic is limited to the local VLAN whenever possible. As the number of entries in the Ethernet switching table grows, the switch pieces together an increasingly complete picture of the VLAN and the larger LANof which nodes are in the local VLAN and which are on other network segments. The switch uses this information to filter traffic. Specifically, for traffic whose source and destination MAC addresses are in the local VLAN, filtering prevents the switch from forwarding this traffic to other network segments. Finally, the switch uses aging, the fifth bridging mechanism, to keep the entries in the Ethernet switching table current. For each MAC address in the Ethernet switching table, the switch records a timestamp of when the information about the network node was learned. Each time the switch detects traffic from a MAC address, it updates the timestamp. A timer on the switch periodically checks the timestamp, and if it is older than a user-configured value, the switch removes the node's MAC address from
397
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
the Ethernet switching table. This aging process ensures that the switch tracks only active nodes on the network and that it is able to flush out network nodes that are no longer available.
By interface (port) on the switch. You specify that all traffic received on a particular interface on the switch is assigned to a specific VLAN. If you use the default factory switch settings, all traffic received on an access interface is untagged. This traffic is part of a default VLAN, but it is not tagged with an 802.1Q tag. When configuring the switch, you specify which VLAN to assign the traffic to. You configure the VLAN either by using a VLAN number (called a VLAN ID) or by using a name, which the switch translates into a numeric VLAN ID. By MAC address. You can specify that all traffic received from a specific MAC address be forwarded to a specific egress interface (next hop) on the switch. This method is administratively cumbersome to configure manually, but it can be
398
useful when you are using automated databases to manage the switches on your network.
NOTE: If an EX 4200 switch is interconnected with other switches in a Virtual Chassis configuration, each individual switch that is included as a member of the configuration is identified with a member ID. The member ID functions as an FPC slot number. When you are configuring interfaces for a Virtual Chassis configuration, you specify the appropriate member ID (0 through 9) as the slot element of the interface name. The default factory settings for a Virtual Chassis configuration include FPC 0 as a member of the default VLAN because FPC 0 is configured as part of the ethernet-switching family. In order to include FPC 1 through FPC 9 in the default VLAN, add the ethernet-switching family to the configurations for those interfaces.
GVRP
The GARP VLAN Registration Protocol (GVRP) is an application protocol of the Generic Attribute Registration Protocol (GARP) and is defined in the IEEE 802.1Q standard. GVRP learns VLANs on a particular 802.1Q trunk port and adds the corresponding trunk port to the VLAN if the advertised VLAN is preconfigured on the switch. The VLAN registration information sent by GVRP includes the current VLANs membershipthat is, which switches are members of which VLANsand which switch ports are in which VLAN. GVRP shares all VLAN information configured manually on a local switch. As part of ensuring that VLAN membership information is current, GVRP removes switches and ports from the VLAN information when they become unavailable. Pruning VLAN information:
399
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Limits the network VLAN configuration to active participants only, reducing network overhead. Targets the scope of broadcast, unknown unicast, and multicast (BUM) traffic to interested devices only.
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 Example: Configure Automatic VLAN Administration Using GVRP on page 432 Example: Connecting an Access Switch to a Distribution Switch on page 422
400
401
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Figure 26 on page 402 illustrates how the redundant trunk link topology works when the primary link goes down.
Figure 26: Redundant Trunk Group, Link 2 Active
402
Link 1 is down between Switch 3 and Switch 1. Link 2 takes over as the active link. Traffic between the access layer and the distribution layer is automatically switched to Link 2 between Switch 1 and Switch 2.
Related Topics
Example: Configuring Redundant Trunk Links for Faster Recovery on page 447 redundant-trunk-group
Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 451
Understanding Layer 3 Subinterfaces on page 285 Example: Using Virtual Routing Instances to Route Among VLANs on EX-series Switches on page 460
403
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configuring Virtual Routing Instances Using VRF (CLI Procedure) on page 473
How Q-in-Q Tunneling Works on page 404 Limitations for Q-in-Q Tunneling on page 404
404
Example: Setting Up Q-in-Q Tunneling on EX-series Switches on page 453 Configuring Q-in-Q Tunneling (CLI Procedure) on page 472
Understanding Storm Control on EX-series Switches on page 403 Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 451 Configuring Unknown Unicast Forwarding (CLI Procedure) on page 476
PrimaryA VLAN used to forward frames downstream to isolated and community VLANs. IsolatedA secondary VLAN that receives packets only from the primary VLAN and forwards frames upstream to the primary VLAN. CommunityA secondary VLAN that transports frames among community interfaces within the same community and forwards frames upstream to the primary VLAN.
Private VLANs provide IP address conservation and efficient allocation of those IP addresses. In a typical network, VLANs usually correspond to a single IP subnet. In private VLANs, the hosts in all the secondary VLANs still belong to the same IP subnet as the subnet allocated to the primary VLAN. Hosts within the secondary VLAN are numbered out of IP subnets associated with the primary VLAN, and their IP subnet masking information reflects that of the primary VLAN subnet. Any primary routed
405
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
VLAN interfaces (RVIs) perform functions similar to proxy ARP to enable communication between hosts that are members of a different secondary VLAN.
Related Topics
Understanding Bridging and VLANs on EX-series Switches on page 395 Example: Configuring a Private VLAN on an EX-series Switch on page 455 Creating a Private VLAN (CLI Procedure) on page 471
406
Chapter 30
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 Example: Connecting an Access Switch to a Distribution Switch on page 422 Example: Configure Automatic VLAN Administration Using GVRP on page 432 Example: Configuring Redundant Trunk Links for Faster Recovery on page 447 Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 451 Example: Setting Up Q-in-Q Tunneling on EX-series Switches on page 453 Example: Configuring a Private VLAN on an EX-series Switch on page 455 Example: Using Virtual Routing Instances to Route Among VLANs on EX-series Switches on page 460
Requirements on page 407 Overview and Topology on page 408 Configuration on page 409 Verification on page 413
Requirements
This example uses the following software and hardware components:
407
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
JUNOS Release 9.0 or later for EX-series switches One EX-series 4200 virtual chassis switch
Installed your EX-series switch. See Installing and Connecting an EX 3200 or EX 4200 Switch. Performed the initial switch configuration. See Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60.
Switch hardware
EX 4200-24T switch, with 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
default
VLAN name
408
Configuration
CLI Quick Configuration
By default, after you perform the initial configuration on the EX 4200 switch, switching is enabled on all interfaces, a VLAN named default is created, and all interfaces are placed into this VLAN. You do not need to perform any other configuration on the switch to set up bridging and VLANs. To use the switch, simply plug the Avaya IP phones into the PoE-enabled ports ge-0/0/1 through ge-0/0/7, and plug in the PCs, file servers, and printers to the non-PoE ports, ge-0/0/8 through ge-0/0/12 and ge-0/0/17 through ge-0/0/20. To configure bridging and VLANs:
1. 2. 3. 4. 5. 6.
Step-by-Step Procedure
Make sure the switch is powered on. Connect the wireless access point to switch port ge-0/0/0. Connect the seven Avaya phones to switch ports ge-0/0/1 through ge-0/0/7. Connect the five PCs to ports ge-0/0/8 through ge-0/0/12. Connect the two file servers to ports ge-0/0/17 and ge-0/0/18. Connect the two printers to ports ge-0/0/19 and ge-0/0/20.
Results
Configuration
409
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
} file messages { any notice; authorization info; } file interactive-commands { interactive-commands any; } } commit { factory-settings { reset-chassis-lcd-menu; reset-virtual-chassis-configuration; } } } interfaces { ge-0/0/0 { unit 0 { family ethernet-switching; } } ge-0/0/1 { unit 0 { family ethernet-switching; } } ge-0/0/2 { unit 0 { family ethernet-switching; } } ge-0/0/3 { unit 0 { family ethernet-switching; } } ge-0/0/4 { unit 0 { family ethernet-switching; } } ge-0/0/5 { unit 0 { family ethernet-switching; } } ge-0/0/6 { unit 0 { family ethernet-switching; } } ge-0/0/7 { unit 0 { family ethernet-switching; }
410
Configuration
} ge-0/0/8 { unit 0 { family ethernet-switching; } } ge-0/0/9 { unit 0 { family ethernet-switching; } } ge-0/0/10 { unit 0 { family ethernet-switching; } } ge-0/0/11 { unit 0 { family ethernet-switching; } } ge-0/0/12 { unit 0 { family ethernet-switching; } } ge-0/0/13 { unit 0 { family ethernet-switching; } } ge-0/0/14 { unit 0 { family ethernet-switching; } } ge-0/0/15 { unit 0 { family ethernet-switching; } } ge-0/0/16 { unit 0 { family ethernet-switching; } } ge-0/0/17 { unit 0 { family ethernet-switching; } } ge-0/0/18 { unit 0 { family ethernet-switching; } }
Configuration
411
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
ge-0/0/19 { unit 0 { family ethernet-switching; } } ge-0/0/20 { unit 0 { family ethernet-switching; } } ge-0/0/21 { unit 0 { family ethernet-switching; } } ge-0/0/22 { unit 0 { family ethernet-switching; } } ge-0/0/23 { unit 0 { family ethernet-switching; } } ge-0/1/0 { unit 0 { family ethernet-switching; } } xe-0/1/0 { unit 0 { family ethernet-switching; } } ge-0/1/1 { unit 0 { family ethernet-switching; } } xe-0/1/1 { unit 0 { family ethernet-switching; } } ge-0/1/2 { unit 0 { family ethernet-switching; } } ge-0/1/3 { unit 0 { family ethernet-switching; } } }
412
Configuration
Verification
To verify that switching is operational and that a VLAN has been created, perform these tasks:
Verifying That the VLAN Has Been Created on page 413 Verifying That Interfaces Are Associated with the Proper VLANs on page 413
Verify that the VLAN named default has been created on the switch. List all VLANs configured on the switch:
user@switch> Name default show vlans Tag Interfaces ge-0/0/0.0*, ge-0/0/4.0, ge-0/0/8.0*, ge-0/0/12.0, ge-0/0/16.0, ge-0/0/20.0, ge-0/1/0.0*, mgmt me0.0* ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/9.0, ge-0/0/10.0, ge-0/0/11.0*, ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0*, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0, ge-0/1/1.0*, ge-0/1/2.0*, ge-0/1/3.0*
Action
Meaning
The show vlans command lists the VLANs configured on the switch. This output shows that the VLAN default has been created.
Verify that Ethernet switching is enabled on switch interfaces and that all interfaces are included in the VLAN. List all interfaces on which switching is enabled:
user@switch> Interface ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 show ethernet-switching interfaces State up down down VLAN members default default default Blocking unblocked blocked - blocked by STP/RTG blocked - blocked by STP/RTG
Action
Verification
413
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ge-0/0/6.0 ge-0/0/7.0 ge-0/0/8.0 ge-0/0/9.0 ge-0/0/10.0 ge-0/0/11.0 ge-0/0/12.0 ge-0/0/13.0 ge-0/0/14.0 ge-0/0/15.0 ge-0/0/16.0 ge-0/0/17.0 ge-0/0/18.0 ge-0/0/19.0 ge-0/0/20.0 ge-0/0/21.0 ge-0/0/22.0 ge-0/0/23.0 ge-0/1/0.0 ge-0/1/1.0 ge-0/1/2.0 ge-0/1/3.0 me0.0
down down down down down up down down up down down down down down down down up down down down down up up up up up
default default default default default default default default default default default default default default default default default default default default default default default default default mgmt
blocked blocked blocked blocked blocked unblocked blocked blocked unblocked blocked blocked blocked blocked blocked blocked blocked unblocked blocked blocked blocked blocked unblocked unblocked unblocked unblocked unblocked
by by by by by
blocked by STP/RTG blocked by STP/RTG blocked blocked blocked blocked blocked blocked blocked blocked blocked blocked blocked by by by by by by by by by by by STP/RTG STP/RTG STP/RTG STP/RTG STP/RTG STP/RTG STP/RTG STP/RTG STP/RTG STP/RTG STP/RTG
Meaning
The show ethernet-switching interfaces command lists all interfaces on which switching is enabled (in the Interfaces column), along with the VLANs that are active on the interfaces (in the VLAN members column). The output in this example shows all the connected interfaces, ge-0/0/0 through ge-0/0/12 and ge-0/0/17 through ge-0/0/20 and that they are all part of VLAN default. Notice that the interfaces listed are the logical interfaces, not the physical interfaces. For example, the output shows ge-0/0/0.0 instead of ge-0/0/0. This is because JUNOS software creates VLANs on logical interfaces, not directly on physical interfaces.
Related Topics
Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 Example: Connecting an Access Switch to a Distribution Switch on page 422 Example: Configure Automatic VLAN Administration Using GVRP on page 432 Understanding Bridging and VLANs on EX-series Switches on page 395
414
This example describes how to configure bridging for an EX-series switch and how to create two VLANs to segment the LAN:
Requirements on page 415 Overview and Topology on page 415 Configuration on page 416 Verification on page 420
Requirements
This example uses the following hardware and software components:
One EX 4200-48P virtual chassis switch JUNOS Release 9.0 or later for EXseries switches
Installed the EX-series switch. See Installing and Connecting an EX 3200 or EX 4200 Switch. Performed the initial switch configuration. See Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60.
Requirements
415
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
VLAN subnets
Avaya IP telephones: ge-0/0/3 through ge-0/0/19 Wireless access points: ge-0/0/0 and ge-0/0/1 Printers: ge-0/0/22 and ge-0/0/23 File servers: ge-0/0/20 and ge-0/0/21 Avaya IP telephones: ge-0/0/25 through ge-0/0/43 Wireless access points: ge-0/0/24 Printers: ge-0/0/44 and ge-0/0/45 File servers: ge-0/0/46 and ge-0/0/47
ge-0/0/2 and ge-0/0/25
Unused interfaces
This configuration example creates two IP subnets, one for the sales VLAN and the second for the support VLAN. The switch bridges traffic within a VLAN. For traffic passing between two VLANs, the switch routes the traffic using a Layer 3 routing interface on which you have configured the address of the IP subnet. To keep the example simple, the configuration steps show only a few devices in each of the VLANs. Use the same configuration procedure to add more LAN devices.
Configuration
Configure Layer 2 switching for two VLANs:
CLI Quick Configuration
To quickly configure Layer 2 switching for the two VLANs (sales and support) and to quickly configure Layer 3 routing of traffic between the two VLANs, copy the following commands and paste them into the switch terminal window:
[edit] set interfaces set interfaces set interfaces set interfaces set interfaces set interfaces set interfaces set interfaces set interfaces set interfaces set interfaces set interfaces set interfaces set interfaces
ge-0/0/0 unit 0 description Sales wireless access point port ge-0/0/0 unit 0 family ethernet-switching vlan members sales ge-0/0/3 unit 0 description Sales phone port ge-0/0/3 unit 0 family ethernet-switching vlan members sales ge-0/0/22 unit 0 description Sales printer port ge-0/0/22 unit 0 family ethernet-switching vlan members sales ge-0/0/20 unit 0 description Sales file server port ge-0/0/20 unit 0 family ethernet-switching vlan members sales ge-0/0/24 unit 0 description Support wireless access point port ge-0/0/24 unit 0 family ethernet-switching vlan members support ge-0/0/26 unit 0 description Support phone port ge-0/0/26 unit 0 family ethernet-switching vlan members support ge-0/0/44 unit 0 description Support printer port ge-0/0/44 unit 0 family ethernet-switching vlan members support
416
Configuration
interfaces ge-0/0/46 unit 0 description Support file server port interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members support interfaces vlan unit 0 family inet address 192.0.2.0/25 interfaces vlan unit 1 family inet address 192.0.2.128/25 vlans sales l3interface vlan.0 vlans sales vlan-id 100 vlans support vlan-id 200 vlans support l3-interface vlan.1
Step-by-Step Procedure
Configure the switch interfaces and the VLANs to which they belong. By default, all interfaces are in access mode, so you do not have to configure the port mode.
1.
Configure the interface for the wireless access point in the sales VLAN:
[edit interfaces ge-0/0/0 unit 0] user@switch# set description Sales wireless access point port user@switch# set family ethernet-switching vlan members sales
2.
Configure the interface for the Avaya IP phone in the sales VLAN:
[edit interfaces ge-0/0/3 unit 0] user@switch# set description Sales phone port user@switch# set family ethernet-switching vlan members sales
3.
4.
Configure the interface for the file server in the sales VLAN:
[edit interfaces ge-0/0/20 unit 0] user@switch# set description Sales file server port user@switch# set family ethernet-switching vlan members sales
5.
Configure the interface for the wireless access point in the support VLAN:
[edit interfaces ge-0/0/24 unit 0] user@switch# set description Support wireless access point port user@switch# set family ethernet-switching vlan members support
6.
Configure the interface for the Avaya IP phone in the support VLAN:
[edit interfaces ge-0/0/26 unit 0] user@switch# set description Support phone port user@switch# set family ethernet-switching vlan members support
7.
Configuration
417
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
8.
Configure the interface for the file server in the support VLAN:
[edit interfaces ge-0/0/46 unit 0] user@switch# set description Support file server port user@switch# set family ethernet-switching vlan members support
9.
10.
11.
Configure the VLAN tag IDs for the sales and support VLANs:
[edit vlans] user@switch# set sales vlan-id 100 user@switch# set support vlan-id 200
12.
To route traffic between the sales and support VLANs, define the interfaces that are members of each VLAN and associate a Layer 3 interface:
[edit vlans] user@switch# set sales l3-interface vlan.0 user@switch# set support l3-interface vlan.1
418
Configuration
family ethernet-switching { vlan members sales; } } } ge-0/0/20 { unit 0 { description Sales file server port; family ethernet-switching { vlan members sales; } } } ge-0/0/24 { unit 0 { description Support wireless access point port; family ethernet-switching { vlan members support; } } } ge-0/0/26 { unit 0 { description Support phone port; family ethernet-switching { vlan members support; } } } ge-0/0/44 { unit 0 { description Support printer port; family ethernet-switching { vlan members support; } } } ge-0/0/46 { unit 0 { description Support file server port; family ethernet-switching { vlan members support; } } vlans { unit 0 { family inet address 192.0.2.0/25; } unit 1 { family inet address 192.0.2.128/25; } } } } vlans { sales {
Configuration
419
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
vlan-id 100; interface ge-0/0/0.0: interface ge-0/0/3/0; interface ge-0/0/20.0; interface ge-0/0/22.0; l3-interface vlan 0; } support { vlan-id 200; interface ge-0/0/24.0: interface ge-0/0/26.0; interface ge-0/0/44.0; interface ge-0/0/46.0; l3-interface vlan 1; } }
TIP: To quickly configure the sales and support VLAN interfaces, issue the load merge terminal command, then copy the hierarchy and paste it into the switch terminal window.
Verification
Verify that the sales and support VLANs have been created and are operating properly, perform these tasks:
Verifying That the VLANs Have Been Created and Associated to the Correct Interfaces on page 420 Verifying That Traffic Is Being Routed Between the Two VLANs on page 421 Verifying That Traffic Is Being Switched Between the Two VLANs on page 421
Verifying That the VLANs Have Been Created and Associated to the Correct Interfaces
Purpose
Verify that the VLANs sales and support have been created on the switch and that all connected interfaces on the switch are members of the correct VLAN. List all VLANs configured on the switch: Use the operational mode commands:
user@switch> Name default show vlans Tag Interfaces ge-0/0/1.0, ge-0/0/2.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0, ge-0/0/13.0*, ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0, ge-0/0/21.0, ge-0/0/23.0*, ge-0/0/25.0, ge-0/0/27.0, ge-0/0/28.0, ge-0/0/29.0, ge-0/0/30.0, ge-0/0/31.0, ge-0/0/32.0, ge-0/0/33.0,
Action
420
Verification
ge-0/0/0.0*, ge-0/0/3.0, ge-0/0/20.0, ge-0/0/22.0 support mgmt me0.0* 200 ge-0/0/0.24, ge-0/0/26.0, ge-0/0/44.0, ge-0/0/46.0*
Meaning
The show vlans command lists all VLANs configured on the switch and which interfaces are members of each VLAN. This command output shows that the sales and support VLANs have been created. The sales VLAN has a tag ID of 100 and is associated with interfaces ge-0/0/0.0, ge-0/0/3.0, ge-0/0/20.0, and ge-0/0/22.0. VLAN support has a tag ID of 200 and is associated with interfaces ge-0/0/24.0, ge-0/0/26.0, ge-0/0/44.0, and ge-0/0/46.0.
Verify routing between the two VLANs. List the Layer 3 routes in the switch's Address Resolution Protocol (ARP) table:
user@switch> show arp MAC Address Address 00:00:0c:06:2c:0d 00:13:e2:50:62:e0
Meaning
Sending IP packets on a multiaccess network requires mapping from an IP address to a MAC address (the physical or hardware address). The ARP table displays the mapping between the IP address and MAC address for both vlan.0 (associated with sales) and vlan.1 (associated with support). These VLANs can route traffic to each other.
Verify that learned entries are being added to the Ethernet switching table. List the contents of the Ethernet switching table:
user@switch> show ethernet-switching table Ethernet-switching table: 8 entries, 5 learned VLAN MAC address Type default * Flood default 00:00:05:00:00:01 Learn default 00:00:5e:00:01:09 Learn default 00:19:e2:50:63:e0 Learn sales * Flood sales 00:00:5e:00:07:09 Learn
Age -
421
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
support support
Allmembers ge-0/0/46.0
Meaning
The output shows that learned entries for the sales and support VLANs have been added to the Ethernet switching table, and are associated with interfaces ge-0/0/0.0 and ge-0/0/46.0. Even though the VLANs were associated with more than one interface in the configuration, these interfaces are the only ones that are currently operating.
Related Topics
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Example: Connecting an Access Switch to a Distribution Switch on page 422 Example: Configure Automatic VLAN Administration Using GVRP on page 432 Understanding Bridging and VLANs on EX-series Switches on page 395
Requirements on page 422 Overview and Topology on page 423 Configuring the Access Switch on page 424 Configuring the Distribution Switch on page 429 Verification on page 431
Requirements
This example uses the following hardware and software components:
For the distribution switch, one EX 4200-24F switch. This model is designed to be used as a distribution switch for aggregation or collapsed core network topologies and in space-constrained data centers. It has twenty-four 1-Gigabit Ethernet fiber SFP ports and an EX-UM-2XFP uplink module with two 10-Gigabit Ethernet XFP ports. For the access switch, one EX 3200-24P, which has twenty-four 1-Gigabit Ethernet ports, all of which support Power over Ethernet (PoE), and an uplink module with four 1-Gigabit Ethernet ports. JUNOS Release 9.0 or later for EX-series switches
Before you connect an access switch to a distribution switch, be sure you have:
Installed the two switches. See Installing and Connecting an EX 3200 or EX 4200 Switch.
422
Performed the initial software configuration on both switches. See Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60.
Table 58 on page 423 explains the components of the example topology. The example shows how to configure one of the three access switches. The other access switches could be configured in the same manner.
Table 58: Components of the Topology for Connecting an Access Switch to a Distribution Switch
Property Settings
EX 3200-24P, 24 1-Gigabit Ethernet ports, all PoE-enabled (ge-0/0/0 through ge-0/0/23); one 4-port 1Gigabit Ethernet uplink module (EX-UM-4SFP)
423
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 58: Components of the Topology for Connecting an Access Switch to a Distribution Switch (continued)
Distribution switch hardware EX 4200-24F, 24 1-Gigabit Ethernet fiber SPF ports (ge-0/0/0 through ge-0/0/23); one 2port 10Gigabit Ethernet XFP uplink module (EX-UM-4SFP)
sales, tag 100 support, tag 200 sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126) support: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254)
VLAN subnets
On the access switch: ge-0/1/0 On the distribution switch: ge-0/0/0 Avaya IP telephones: ge-0/0/3 through ge-0/0/19 Wireless access points: ge-0/0/0 and ge-0/0/1 Printers: ge-0/0/22 and ge-0/0/23 File servers: ge-0/0/20 and ge-0/0/21 Avaya IP telephones: ge-0/0/25 through ge-0/0/43 Wireless access points: ge-0/0/24 Printers: ge-0/0/44 and ge-0/0/45 File servers: ge-0/0/46 and ge-0/0/47
ge-0/0/2 and ge-0/0/25
To quickly configure the access switch, copy the following commands and paste them into the switch terminal window:
[edit] set interfaces ge-0/0/0 unit 0 description Sales Wireless access point port set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members sales set interfaces ge-0/0/3 unit 0 description Sales phone port set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members sales set interfaces ge-0/0/22 unit 0 description Sales printer port set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan members sales set interfaces ge-0/0/20 unit 0 description Sales file server port set interfaces ge-0/0/20 unit 0 family ethernet-switching vlan members sales set interfaces ge-0/0/24 unit 0 description Support wireless access point port set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members support set interfaces ge-0/0/26 unit 0 description Support phone port set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members support set interfaces ge-0/0/44 unit 0 description Support printer port set interfaces ge-0/0/44 unit 0 family ethernet-switching vlan members support set interfaces ge-0/0/46 unit 0 description Support file server port set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members support set interfaces ge-0/1/0 unit 0 description Uplink module port connection to distribution switch set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/1/0 unit 0 family ethernet-switching native-vlan-id 1 set interfaces ge-0/1/0 unit 0 family ethernet switching vlan members [sales support] set interfaces vlan unit 0 family inet address 192.0.2.1/25
424
set set set set set set set set set set set set set set set
interfaces vlan unit 1 family inet address 192.0.2.129/25 vlans sales interface ge-0/0/0.0 vlans sales interface ge-0/0/3.0 vlans sales interface ge-0/0/22.0 vlans sales interface ge-0/0/20.0 vlans sales l3-interface vlan.0 vlans sales vlan-id 100 vlans sales vlan-description Sales VLAN vlans support interface ge-0/0/24.0 vlans support interface ge-0/0/26.0 vlans support interface ge-0/0/44.0 vlans support interface ge-0/0/46.0 vlans support vlan-id 200 vlans support l3interface vlan.1 vlans support vlan-description Support VLAN
Step-by-Step Procedure
Configure the 1-Gigabit Ethernet interface on the uplink module to be the trunk port that connects to the distribution switch:
[edit interfaces ge-0/1/0 unit 0] user@access-switch# set description Uplink module port connection to distribution switch user@access-switch# set ethernet-switching port-mode trunk
2.
members
[ sales support
3.
Configure the VLAN ID to use for packets that are received with no dot1q tag (untagged packets):
[edit interfaces ge-0/1/0 unit 0] user@access-switch# set ethernet-switching native-vlan-id 1
4.
5.
6.
425
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
[edit interfaces] user@access-switch# set vlan unit 0 family inet address 192.0.2.1/25
7.
8.
set ge-0/0/0 unit 0 description Sales wireless access set ge-0/0/0 unit 0 family ethernet-switching vlan set ge-0/0/3 unit 0 description Sales phone port set ge-0/0/3 unit 0 family ethernet-switching vlan set ge-0/0/20 unit 0 description Sales file server set ge-0/0/20 unit 0 family ethernet-switching vlan set ge-0/0/22 unit 0 description Sales printer port set ge-0/0/22 unit 0 family ethernet-switching vlan
9.
set ge-0/0/24 unit 0 description Support wireless set ge-0/0/24 unit 0 family ethernet-switching vlan set ge-0/0/26 unit 0 description Support phone port set ge-0/0/26 unit 0 family ethernet-switching vlan set ge-0/0/44 unit 0 description Support printer set ge-0/0/44 unit 0 family ethernet-switching vlan set ge-0/0/46 unit 0 description Support file server set ge-0/0/46 unit 0 family ethernet-switching vlan
10.
Configure descriptions and VLAN tag IDs for the sales and support VLANs:
[edit vlans] user@access-switch# user@access-switch# user@access-switch# user@access-switch#
sales vlan-description Sales VLAN sales vlan-id 100 support vlan-description Support VLAN support vlan-id 200
11.
To route traffic between the sales and support VLANs and associate a Layer 3 interface with each VLAN:
426
[edit vlans] user@access-switch# set sales l3-interface vlan.0 user@access-switch# set support l3-interface vlan.1
Results
427
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
} } } ge-0/0/44 { unit 0 { description Support printer port; family ethernet-switching { vlan members sales; } } } ge-0/0/46 { unit 0 { description Support file server port; family ethernet-switching { vlan members support; } } } ge-0/1/0 { unit 0 { description Uplink module port connection to distribution switch; family ethernet-switching { port-mode trunk; vlan members [ sales support ]; native-vlan-id 1; } } } vlan { unit 0 { family inet address 192.0.2.1/25; } unit 1 { family inet address 192.0.2.129/25; } } } vlans { sales { vlan-id 100; vlan-description Sales VLAN; l3-interface vlan.0; } support { vlan-id 200; vlan-description Support VLAN; l3-interface vlan.1; } }
TIP: To quickly configure the distribution switch, issue the load merge terminal command, then copy the hierarchy and paste it into the switch terminal window.
428
To quickly configure the distribution switch, copy the following commands and paste them into the switch terminal window:
set set set set set set set set set set set set interfaces ge-0/0/0 description Connection to access switch interfaces ge-0/0/0 ethernet-switching port-mode trunk interfaces ge-0/0/0 ethernet-switching vlan members [ sales support ] interfaces ge-0/0/0 ethernet-switching native-vlan-id 1 interfaces vlan unit 0 family inet address 192.0.2.2/25 interfaces vlan unit 1 family inet address 192.0.2.130/25 vlans sales vlan-description Sales VLAN vlans sales vlan-id 100 vlans sales l3-interface vlan.0 vlans support vlan-description Support VLAN vlans support vlan-id 200 vlans support l3-interface vlan.1
Step-by-Step Procedure
Configure the interface on the switch to be the trunk port that connects to the access switch:
[edit interfaces ge-0/0/0 unit 0] user@distribution-switch# set description Connection to access switch user@distribution-switch# set ethernet-switching port-mode trunk
2.
members
[ sales
3.
Configure the VLAN ID to use for packets that are received with no dot1q tag (untagged packets):
[edit interfaces] user@distribution-switch# set ge-0/0/0 ethernet-switching native-vlan-id
4.
5.
429
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
6.
7.
Results
TIP: To quickly configure the distribution switch, issue the load merge terminal command, then copy the hierarchy and paste it into the switch terminal window.
430
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the VLAN Members and Interfaces on the Access Switch on page 431 Verifying the VLAN Members and Interfaces on the Distribution Switch on page 431
Verify that the sales and support have been created on the switch. List all VLANs configured on the switch:
user@switch> Name default show vlans Tag Interfaces ge-0/0/1.0, ge-0/0/2.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0*, ge-0/0/9.0, ge-0/0/10.0, ge-0/0/14.0, ge-0/0/18.0, ge-0/0/25.0, ge-0/0/30.0, ge-0/0/34.0, ge-0/0/38.0, ge-0/0/42.0, ge-0/1/1.0*, sales 100 ge-0/0/0.0*, ge-0/0/3.0, ge-0/0/20.0, ge-0/0/22.0, ge-0/1/0.0*, support 200 ge-0/0/24.0*, ge-0/0/26.0, ge-0/0/44.0, ge-0/0/46.0, mgmt me0.0* ge-0/0/11.0*, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0, ge-0/0/19.0*,ge-0/0/21.0, ge-0/0/23.0, ge-0/0/27.0*,ge-0/0/28.0, ge-0/0/29.0, ge-0/0/31.0*,ge-0/0/32.0, ge-0/0/33.0, ge-0/0/35.0*,ge-0/0/36.0, ge-0/0/37.0, ge-0/0/39.0*,ge-0/0/40.0, ge-0/0/41.0, ge-0/0/43.0*,ge-0/0/45.0, ge-0/0/47.0, ge-0/1/2.0*, ge-0/1/3.0*
Action
Meaning
The output shows the sales and support VLANs and the interfaces associated with them.
Verify that the sales and support have been created on the switch. List all VLANs configured on the switch:
user@switch> Name default show vlans Tag Interfaces ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0*, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0,
Action
Verification
431
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
ge-0/0/13.0, ge-0/0/17.0, ge-0/0/21.0, ge-0/1/2.0*, sales 100 ge-0/0/0.0* support 200 ge-0/0/0.0* mgmt me0.0*
ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0, ge-0/0/18.0*, ge-0/0/19.0, ge-0/0/20.0, ge-0/0/22.0*, ge-0/0/23.0, ge-0/1/1.0*, ge-0/1/3.0*
Meaning
The output shows the sales and support VLANs associated to interface ge-0/0/0.0. Interface ge-0/0/0.0 is the trunk interface connected to the access switch.
Related Topics
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 Example: Configure Automatic VLAN Administration Using GVRP on page 432 Understanding Bridging and VLANs on EX-series Switches on page 395
NOTE: Only trunk interfaces can be enabled for GVRP. This example describes how to use GVRP to automate administration of VLAN membership changes within your network:
Requirements on page 433 Overview and Topology on page 433 Configuring VLANs and GVRP on Access Switch A on page 435 Configuring VLANs and GVRP on Access Switch B on page 438 Configuring VLANS and GVRP on the Distribution Switch on page 442 Verification on page 444
432
Requirements
This example uses the following hardware and software components:
Two EX 3200 access switches One EX 4200 distribution switch JUNOS Release 9.0 or later for EX-series switches
Before you configure GVRP on the access switches and on the distribution switch, be sure you have:
Performed the initial software configuration on the switches. See Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60. Configured the VLANs on both the access switches and on the distribution switch. (Dynamic VLAN configuration is not supported.) Configured a trunk interface on all the switches.
ge-0/0/1 Connects PC1 as member of finance vlan, VLAN ID 100 ge-0/0/2 Connects PC2 as member of lab vlan, VLAN ID 200 ge-0/0/3 Connects PC3 as member of sales vlan, VLAN ID 300
Access Switch B has also been configured to support three VLANS. However, currently only two VLANs are active, bound to interfaces that are connected to personal computers:
ge-0/0/0 Connects PC4 as member of finance vlan, VLAN ID 100 ge-0/0/1 Connects PC5 as member of lab vlan, VLAN ID 200
Requirements
433
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The Distribution Switch is also configured to support the three VLANs (finance, lab, sales). However, the Distribution Switch does not have any access interfaces that are connecting devices as members of these VLANs. The Distribution Switch has two trunk interfaces:
xe-0/1/1 Connects Distribution Switch to Access Switch A. xe-0/1/0 Connects Distribution Switch to Access Switch B.
Figure 28 on page 434 shows GVRP configured on two access switches and one distribution switch.
Figure 28: GVRP Configured on Two Access Switches and One Distribution Switch for Automatic VLAN Administration
Switch hardware
Access Switch AEX 3200 switch Access Switch BEX 3200 access switch Distribution SwitchEX 4200 switch
434
ge-0/0/1 Connects PC1 to Access Switch A. ge-0/0/2 Connects PC2 to Access Switch A. ge-0/0/3 Connects PC3 to Access Switch A. xe-0/1/1 Connects Access Switch A to Distribution
ge-0/0/0 Connects PC4 to Access Switch B. ge-0/0/1 Connects PC5 to Access Switch B. xe-0/1/0 Connects Access Switch B to Distribution
A. (trunk)
B. (trunk)
When VLAN access interfaces become active or inactive, GVRP ensures that the updated information is advertised on the trunk interface. Thus, the Distribution Switch does not forward traffic to inactive VLANs.
To quickly configure Access Switch A to support the three VLANs, bind interfaces for the three PCs to the appropriate VLANs, and enable GVRP on the trunk interface, copy the following commands and paste them into the switch terminal window of Switch A:
[edit] set vlans finance vlan-id 100 set vlans lab vlan-id 200 set vlans sales vlan-id 300 set interfaces ge-0/0/1 unit 0 family ethernet-switching set interfaces ge-0/0/2 unit 0 family ethernet-switching set interfaces ge-0/0/3 unit 0 family ethernet-switching set interfaces xe-0/1/1 unit 0 family ethernet-switching set protocols gvrp interface xe-0/1/1.0
vlan members finance vlan members lab vlan members sales port-mode trunk
435
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: As we recommend, default GVRP timers are used in this example. The default values associated with each GVRP timer are: 200 ms for the join-timer, 600 ms for the leave-timer, and 1000 cs (10000 ms) for the leaveall-timer. Modifying timers to inappropriate values may cause an imbalance in the operation of GVRP. Refer to IEEE 802.1D [2004] Clause 12 for more information. The timer values are displayed when you use the show gvrp command to verify that GVRP is enabled. For more information on the timers, see gvrp and its associated configuration statements.
Step-by-Step Procedure
To configure Access Switch A to support the three VLANs, bind interfaces for the three PCs to the appropriate VLANs, and enable GVRP on the trunk interface, copy the following commands and paste them into the switch terminal window of Switch A:
1.
2.
3.
4.
5.
6.
7.
436
8.
Results
437
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
family ethernet-switching; } } ge-0/1/3 { unit 0 { family ethernet-switching; } } } protocols { igmp-snooping { vlan all; } lldp { interface all; } lldp-med { interface all; } gvrp { interface xe-0/1/1.0; } rstp; } ethernet-switching-options { storm-control { interface all { level 50; } } } vlans { finance { vlan-id 100; } lab { vlan-id 200; } sales { vlan-id 300; }
To quickly configure Access Switch B to support the three VLANs, bind interfaces for the two PCs to the appropriate VLANs, and enable GVRP on the trunk interface, copy the following commands and paste them into the switch terminal window of Switch B:
[edit]
438
vlans finance vlan-id 100 vlans lab vlan-id 200 vlans sales vlan-id 300 interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members finance interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members lab interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk protocols gvrp interface xe-0/1/0.0
Step-by-Step Procedure
To configure Access Switch B to support the three VLANs, bind interfaces for the two PCs to the appropriate VLAN, and enable GVRP on the trunk interface, copy the following commands and paste them into the switch terminal window of Switch B:
1.
2.
3.
4.
5.
6.
7.
439
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: As we recommend, default GVRP timers are used in this example. The default values associated with each GVRP timer are: 200 ms for the join-timer, 600 ms for the leave-timer, and 1000 cs (10000 ms) for the leaveall-timer. Modifying timers to inappropriate values may cause an imbalance in the operation of GVRP. Refer to IEEE 802.1D [2004] Clause 12 for more information. The timer values are displayed when you use the show gvrp command to verify that GVRP is enabled. For more information on the timers, see gvrp and its associated configuration statements.
Results
440
} } ge-0/1/1 { unit 0 { family ethernet-switching; } } xe-0/1/1 { unit 0 { family ethernet-switching; } } ge-0/1/2 { unit 0 { family ethernet-switching; } } ge-0/1/3 { unit 0 { family ethernet-switching; } } } protocols { igmp-snooping { vlan all; } lldp { interface all; } lldp-med { interface all; } gvrp { interface xe-0/1/0.0; } rstp; } ethernet-switching-options { storm-control { interface all { level 50; } } } vlans { finance { vlan-id 100; } lab { vlan-id 200; } sales { vlan-id 300; } }
441
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
To quickly configure the finance, lab, and sales VLANs on the Distribution Switch and to enable GVRP on the trunk interface of the Distribution Switch, copy the following commands and paste them into the switch terminal window of the Distribution Switch:
[edit] set vlans finance vlan-id 100 set vlans lab vlan-id 200 set vlans sales vlan-id 300 set interfaces xe-0/1/1 unit 0 family ethernet-switching port-mode trunk set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk set protocols gvrp interface xe-0/1/1.0 set protocols gvrp interface xe-0/1/0.0
Step-by-Step Procedure
To configure the three VLANs on the Distribution Switch, to configure the trunk interfaces, and to enable GVRP on the trunk interface of the Distribution Switch:
1.
2.
3.
4.
5.
6.
7.
442
Results
443
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
unit 0 { family ethernet-switching; } } } protocols { igmp-snooping { vlan all; } lldp { interface all; } lldp-med { interface all; } gvrp { interface xe-0/1/0.0; interface xe-0/1/1.0; } rstp; } ethernet-switching-options { storm-control { interface all { level 50; } } } vlans { finance { vlan-id 100; } lab { vlan-id 300; } sales { vlan-id 300; } }
Verification
To confirm that the configuration is updating VLAN membership, perform these tasks:
Verifying That GVRP Is Enabled on Access Switch A on page 445 Verifying That GVRP Is Updating VLAN Membership on Switch A on page 445 Verifying That GVRP Is Enabled on Access Switch B on page 445 Verifying That GVRP Is Updating VLAN Membership on Switch B on page 446 Verifying That GVRP Is Enabled on the Distribution Switch on page 446 Verifying That GVRP Is Updating VLAN Membership on the Distribution Switch on page 446
444
Verification
Verify that GVRP is enabled on the switch. Show the GVRP configuration:
user@Access-Switch-A> Global GVRP configuration GVRP status : Enabled GVRP Timers (ms) Join : 200 Leave : 600 LeaveAll : 10000 Interface Name Protocol Status ---------------------------xe-0/1/1.0 Enabled
Meaning
The results show that GVRP is enabled on the trunk interface of Switch A and that the default timers are used.
To verify that GVRP is updating VLAN membership, display the Ethernet switching interfaces and associated VLANs that are active on switch A: List Ethernet switching interfaces on the switch:
user@Access-Switch-A> Interface State VLAN members ge-0/0/1.0 up finance ge-0/0/2.0 up lab ge-0/0/3.0 up sales xe-0/1/1.0 up finance lab
Action
Meaning
GVRP has automatically added finance and lab as VLAN members on the trunk interface, because they are being advertised by Access Switch B.
Verify that GVRP is enabled on the switch. Show the GVRP configuration:
user@Access-Switch-B> show gvrp Global GVRP configuration GVRP status : Enabled GVRP Timers (ms) Join : 200 Leave : 600 LeaveAll : 10000 Interface Name Protocol Status ---------------------------xe-0/1/0.0 Enabled
445
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Meaning
The results show that GVRP is enabled on the trunk interface of Switch B and that the default timers are used.
To verify that GVRP is updating VLAN membership, display the Ethernet switching interfaces and associated VLANs that are active on switch B: List Ethernet switching interfaces on the switch:
user@Access-Switch-B> show ethernet-switching interfaces Interface State VLAN members Blocking ge-0/0/0.0 up finance unblocked ge-0/0/1.0 up lab unblocked xe-0/1/1.0 up finance unblocked lab unblocked sales unblocked
Action
Meaning
GVRP has automatically added finance ,lab, and sales as VLAN members on the trunk interface because they are being advertised by Access Switch A.
Verify that GVRP is enabled on the switch. Show the GVRP configuration:
user@Distribution-Switch> show gvrp Global GVRP configuration GVRP status : Enabled GVRP Timers (ms) Join : 200 Leave : 600 LeaveAll : 10000 Interface Name Protocol Status ---------------------------xe-0/1/0.0 Enabled xe-0/1/1.0 Enabled
To verify that GVRP is updating VLAN membership on the distribution switch, display the Ethernet switching interfaces and associated VLANs on the Distribution Switch: List the Ethernet switching interfaces on the switch:
user@Distribution-Switch> show ethernet-switching interfaces Interface State VLAN members Blocking xe-0/1/1.0 up finance unblocked lab unblocked sales unblocked
Action
446
xe-0/1/0.0
up
finance lab
unblocked unblocked
Meaning
The Distribution Switch has two trunk interfaces. Interface xe-0/1/1.0 connects the Distribution Switch to Access Switch A and is therefore updated to show that it is a member of all the VLANs that are active on Access Switch A. Any traffic for those VLANs will be passed on from the Distribution Switch to Access Switch A, through interface xe-0/1/1.0. Interface xe-0/1/0.0 connects the Distribution Switch to Access Switch B and is updated to show that it is a member of the two VLANs that are active on Access Switch B. Thus, the Distribution Switch sends traffic for finance and lab to both Access Switch A and Access Switch B. But the Distribution Switch sends traffic for sales only to Access Switch A.
Related Topics
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Understanding Bridging and VLANs on EX-series Switches on page 395
Requirements on page 447 Overview and Topology on page 448 Configuration on page 449 Verification on page 450
Requirements
This example uses the following hardware and software components:
Two EX-series 4200 distribution switches. One EX-series 3200 access switch. JUNOS Release 9.0 or later for EX-series switches
Before you configure the redundant trunk links network on the access and distribution switches, be sure you have:
Installed the access switch. See Installing and Connecting an EX 3200 or EX 4200 Switch. Installed the two distribution switches. See Installing and Connecting an EX 3200 or EX 4200 Switch. Performed the initial switch configuration. See Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60.
447
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
If the old, active link was configured as the primary link, then it resumes the role of active link and the other link is blocked. An interface configured as primary continues to carry with it the primary role whenever it becomes active. If no primary link was configured, and the active link was calculated by the software when the redundant group was formed, then the old, active link will not preempt the other interface (new active).
NOTE: The JUNOS software for EX-series switches does not allow an interface to be in a redundant trunk group and in an STP topology at the same time. Figure 29 on page 449 displays an example topology containing three switches. Switch 1 and Switch 2 make up the distribution layer, and Switch 3 makes up the access layer. Switch 3 is connected to the distribution layer through trunk ports ge-0/0/9.0 (Link 1) and ge-0/0/10.0 (Link 2). Table 60 on page 449 lists the components used in this redundant trunk group.
448
Switch hardware
Switch 11 EX-series 4200 distribution switch Switch 21 EX-series 4200 distribution switch Switch 31 EX-series 3200 access switch
This configuration example creates a redundant trunk group called group1 on Switch 3. The trunk ports ge-0/0/9.0 and ge-0/0/10.0 are the two links in group1. The trunk port ge-0/0/9.0 will be configured administratively as the primary link. The trunk port ge-0/0/10.0 will be the secondary link.
Configuration
CLI Quick Configuration
To quickly configure the redundant trunk group group1 on Switch 3, copy the following commands and paste them into the switch terminal window:
[edit] set ethernet-switching-options redundant-trunk-group group-name group1 set ethernet-switching-options redundant-trunk-group group-name group1 interface ge-0/0/9.0 primary
Configuration
449
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Step-by-Step Procedure
Configure the redundant trunk group group1 on Switch 3 and specify the primary and secondary links.
1.
2.
Configure the trunk port ge-0/0/9.0 as the primary link and ge-0/0/10 as the secondary link:
[edit ethernet-switching-options] user@switch# set redundant-trunk-group group-name group1 interface ge-0/0/9.0 primary user@switch# set redundant-trunk-group group-name group1 interface ge-0/0/10.0
Results
Verification
Verify that the redundant trunk group group1 has been created and is operating properly:
Verifying That the Redundant Group Has Been Created on page 450
Verify that the redundant trunk group group1 has been created on the switch and that trunk ports are members of the redundant trunk group. List all redundant trunk groups configured on the switch:
user@switch> show redundant-trunk-group group1 Redundant-trunk-group: group1 Interfaces : ge-0/0/9.0 (P) , DOWN : ge-0/0/10.0 (A) , UP Bandwidth : 1000 Mbps, 1000 Mbps
Action
450
Verification
Meaning
The show redundant-trunk-group command lists all redundant trunk groups configured on the switch and which trunk links are members of the group. For this configuration example, the output shows that the redundant trunk group group1 is configured on the switch. The (P) beside trunk port ge-0/0/9.0 indicates that it is configured as the primary link. The (A) beside the ge-0/0/10.0 trunk port indicates that it is the active link.
Related Topics
Requirements on page 451 Overview and Topology on page 451 Configuration on page 452
Requirements
This example uses the following hardware and software components:
One Juniper Networks EX-series 3200 switch JUNOS Release 9.1 or later for EX-series switches
451
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: If you do not specify the level, the default level will be applied. The default level is 80. Storm control monitors the incoming broadcast traffic or unknown unicast traffic or both and compares it with the level that you specify. If broadcast traffic or unknown unicast traffic or both exceed the specified level, packets for the controlled traffic types are dropped. The topology used in this example consists of one EX 3200 switch with 24 ports. The switch is connected to various network devices. In this example, storm control is configured to rate limit both broadcast and unknown unicast traffic on port interface ge-0/0/0. The rate limit level is set to 40. Therefore, if broadcast traffic or unknown unicast traffic or both exceed 40 (plus or minus two) percent of the total available bandwidth of the port, packets for the controlled traffic types are dropped to prevent network outage.
NOTE: When you configure storm control on an interface, both broadcast traffic and unknown unicast traffic are rate limited, by default. You can exempt either type of traffic from rate limiting by using the no-broadcast or no-unknown-unicast statement.
Configuration
CLI Quick Configuration
To quickly configure storm control, copy the following commands and paste them into the switch terminal window:
[edit] set ethernet-switching-options storm-control interface ge-0/0/0 level 40
Step-by-Step Procedure
Enable storm control on the interface and specify the level of allowed broadcast traffic and unknown unicast traffic:
[edit ethernet-switching-options] user@switch# set storm-control interface ge-0/0/0 level 40
Results
452
Configuration
Related Topics
Requirements on page 453 Overview and Topology on page 453 Configuration on page 453 Verification on page 455
Requirements
This example requires one EX-series switch with JUNOS Release 9.3 or later for EX-series switches. Before you begin setting up Q-in-Q tunneling, make sure you have created and configured the necessary customer VLANs. See Configuring VLANs for EX-series Switches (CLI Procedure) on page 467 or Configuring VLANs for EX-series Switches (J-Web Procedure) on page 465.
Tagged S-VLAN trunk port Untagged customer-facing access port Untagged customer-facing access port Tagged S-VLAN trunk port
Configuration
CLI Quick Configuration
To quickly create and configure Q-in-Q tunneling, copy the following commands and paste them into the switch terminal window:
453
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
[edit] set vlans qinqvlan vlan-id 4001 set vlans qinqvlan dot1q-tunneling customer-vlans 1-100 set vlans qinqvlan dot1q-tunneling customer-vlans 201-300 set interfaces ge-0/0/11 unit 0 family ethernet-switching set interfaces ge-0/0/11 unit 0 family ethernet-switching set interfaces ge-0/0/12 unit 0 family ethernet-switching set interfaces ge-0/0/12 unit 0 family ethernet-switching set interfaces ge-0/0/13 unit 0 family ethernet-switching set interfaces ge-0/0/13 unit 0 family ethernet-switching set interfaces ge-0/0/14 unit 0 family ethernet-switching set interfaces ge-0/0/14 unit 0 family ethernet-switching set ethernet-switching-options dot1q-tunneling ether-type
port-mode trunk vlan members 4001 port-mode access vlan members 4001 port-mode access vlan members 4001 port-mode trunk vlan members 4001 0x9100
Step-by-Step Procedure
2.
3.
Set the port mode and VLAN information for the interfaces:
[edit interfaces] user@switch# set ge-0/0/11 trunk user@switch# set ge-0/0/11 4001 user@switch# set ge-0/0/12 access user@switch# set ge-0/0/12 4001 user@switch# set ge-0/0/13 access user@switch# set ge-0/0/13 4001 user@switch# set ge-0/0/14 trunk user@switch# set ge-0/0/14 4001
port-mode
unit 0 family ethernet-switching vlan members unit 0 family ethernet-switching port-mode unit 0 family ethernet-switching vlan members unit 0 family ethernet-switching port-mode unit 0 family ethernet-switching vlan members unit 0 family ethernet-switching port-mode unit 0 family ethernet-switching vlan members
4.
Results
454
Configuration
user@switch> show configuration vlans qinqvlan vlan-id 4001; dot1q-tunneling { customer-vlans [ 1-100 201-300 ]; }
Verification
To confirm that the configuration is working properly, perform these tasks:
Verify that Q-in-Q tunneling was properly enabled on the switch. Use the show vlans command:
user@switch> show vlans qinqvlan extensive VLAN: qinqvlan, Created at: Thu Sep 18 07:17:53 2008 802.1Q Tag: 4001, Internal index: 18, Admin State: Enabled, Origin: Static Dot1q Tunneling Status: Enabled Customer VLAN ranges: 1-100 201-300 Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 4 (Active = 0) ge-0/0/11.0, tagged, trunk ge-0/0/14.0, tagged, trunk ge-0/0/12.0, untagged, access ge-0/0/13.0, untagged, access
Meaning
The output indicates that Q-in-Q tunneling is enabled and that the VLAN is tagged and shows the associated customer VLANs.
Related Topics
Requirements on page 456 Overview and Topology on page 456 Configuration on page 456 Verification on page 459
Verification
455
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Requirements
This example requires one EX-series switch with JUNOS Release 9.3 or later for EX-series switches. Before you begin configuring a private VLAN, make sure you have created and configured the necessary VLAN. See Configuring VLANs for EX-series Switches (CLI Procedure) on page 467 or Configuring VLANs for EX-series Switches (J-Web Procedure) on page 465.
Primary VLAN (pvlan) trunk port User 1, HR Community (hr-comm) User 2, HR Community (hr-comm) User 3, Finance Community (finance-comm) User 4, Finance Community (finance-comm) Mail server, Isolated (isolated) Backup server, Isolated (isolated) Primary VLAN ( pvlan) trunk port
Configuration
CLI Quick Configuration
To quickly create and configure a private VLAN, copy the following commands and paste them into the switch terminal window:
[edit] set vlans pvlan vlan-id 1000 set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members pvlan set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode trunk set interfaces ge-1/0/0 unit 0 family ethernet-switching vlan members pvlan set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode access
456
Requirements
set set set set set set set set set set set set set set
interfaces ge-0/0/12 unit 0 family ethernet-switching interfaces ge-0/0/13 unit 0 family ethernet-switching interfaces ge-0/0/14 unit 0 family ethernet-switching interfaces ge-0/0/15 unit 0 family ethernet-switching interfaces ge-0/0/16 unit 0 family ethernet-switching vlans pvlan no-local-switching vlans pvlan interface ge-0/0/0.0 vlans pvlan interface ge-1/0/0.0 vlans hr-comm interface ge-0/0/11.0 vlans hr-comm interface ge-0/0/12.0 vlans finance-comm interface ge-0/0/13.0 vlans finance-comm interface ge-0/0/14.0 vlans hr-comm primary-vlan pvlan vlans finance-comm primary-vlan pvlan
Step-by-Step Procedure
2.
port-mode members
user@switch# set ge-1/0/0 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-1/0/0 unit 0 family ethernet-switching vlan members pvlan user@switch# set ge-0/0/11 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/12 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/13 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/14 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/15 unit 0 family ethernet-switching port-mode access user@switch# set ge-0/0/16 unit 0 family ethernet-switching port-mode access
3.
Configuration
457
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
4.
5.
user@switch# set hr-comm interface ge-0/0/12.0 user@switch# set finance-comm interface ge-0/0/13.0 user@switch# set finance-comm interface ge-0/0/14.0
6.
7.
Results
458
Configuration
} primary-vlan pvlan; } hr-comm { interface { ge-0/0/11.0; ge-0/0/12.0; } primary-vlan pvlan; } pvlan { vlan-id 1000; interface { ge-0/0/15.0; ge-0/0/16.0; ge-0/0/0.0; ge-1/0/0.0; } no-local-switching; }
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the Private VLAN and Secondary VLANs Were Created on page 459
Verify that the primary VLAN and secondary VLANs were properly created on the switch. Use the show vlans command:
user@switch> show vlans pvlan extensive VLAN: pvlan, Created at: Tue Sep 16 17:59:47 2008 802.1Q Tag: 1000, Internal index: 18, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 6 (Active = 0) ge-0/0/0.0, tagged, trunk ge-0/0/11.0, untagged, access ge-0/0/12.0, untagged, access ge-0/0/13.0, untagged, access ge-0/0/14.0, untagged, access ge-0/0/15.0, untagged, access ge-0/0/16.0, untagged, access ge-1/0/0.0, tagged, trunk Secondary VLANs: Isolated 2, Community 2 Isolated VLANs : __pvlan_pvlan_ge-0/0/15.0__ __pvlan_pvlan_ge-0/0/16.0__ Community VLANs : finance-comm hr-comm user@switch> show vlans hr-comm extensive
Action
Verification
459
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
VLAN: hr-comm, Created at: Tue Sep 16 17:59:47 2008 Internal index: 22, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 2 (Active = ge-0/0/0.0, tagged, trunk ge-0/0/11.0, untagged, access ge-0/0/12.0, untagged, access ge-1/0/0.0, tagged, trunk user@switch> show vlans finance-comm extensive VLAN: finance-comm, Created at: Tue Sep 16 17:59:47 2008 Internal index: 21, Admin State: Enabled, Origin: Static Private VLAN Mode: Community, Primary VLAN: pvlan Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 2 (Active = ge-0/0/0.0, tagged, trunk ge-0/0/13.0, untagged, access ge-0/0/14.0, untagged, access ge-1/0/0.0, tagged, trunk user@switch> show vlans __pvlan_pvlan_ge-0/0/15.0__ extensive VLAN: __pvlan_pvlan_ge-0/0/15.0__, Created at: Tue Sep 16 17:59:47 Internal index: 19, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 1 (Active = ge-0/0/0.0, tagged, trunk ge-0/0/15.0, untagged, access ge-1/0/0.0, tagged, trunk user@switch> show vlans __pvlan_pvlan_ge-0/0/16.0__ extensive VLAN: __pvlan_pvlan_ge-0/0/16.0__, Created at: Tue Sep 16 17:59:47 Internal index: 20, Admin State: Enabled, Origin: Static Private VLAN Mode: Isolated, Primary VLAN: pvlan Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 1 (Active = ge-0/0/0.0, tagged, trunk ge-0/0/16.0, untagged, access ge-1/0/0.0, tagged, trunk
0)
0)
2008
0)
2008
0)
Meaning
The output shows that the primary VLAN was created and identifies the interfaces and secondary VLANs associated with it.
Related Topics
Example: Using Virtual Routing Instances to Route Among VLANs on EX-series Switches
Virtual routing instances allow each EX-series switch to have multiple routing tables on a device. With virtual routing instances, you can segment your network to isolate traffic without setting up additional devices. This example describes how to create virtual routing instances:
460
Example: Using Virtual Routing Instances to Route Among VLANs on EX-series Switches
Requirements
This example uses the following hardware and software components:
One EX-series switch JUNOS Release 9.3 or later for EX-series switches
Before you create the virtual routing instances, make sure you have:
Configured the necessary VLANs. See Configuring VLANs for EX-series Switches (CLI Procedure) on page 467 or Configuring VLANs for EX-series Switches (J-Web Procedure) on page 465.
Configuration
CLI Quick Configuration
To quickly create and configure virtual routing instances, copy the following commands and paste them into the switch terminal window:
[edit] set interfaces ge-0/0/3 vlan-tagging set interfaces ge-0/0/3 unit 0 vlan-id 1030 family inet address 103.1.1.1/24 set interfaces ge-0/0/3 unit 1 vlan-id 1031 family inet address 103.1.1.1/24 set routing-instances r1 instance-type virtual-router set routing-instances r1 interface ge-0/0/1.0 set routing-instances r1 interface ge-0/0/3.0 set routing-instances r2 instance-type virtual-router set routing-instances r2 interface ge-0/0/2.0 set routing-instances r2 interface ge-0/0/3.1
Step-by-Step Procedure
2.
Create two subinterfaces, on the interface, one for each routing instance:
[edit]
Requirements
461
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@switch# set interfaces ge-0/0/3 unit 0 vlan-id 1030 family inet address 103.1.1.1/24 user@switch# set interfaces ge-0/0/3 unit 1 vlan-id 1031 family inet address 103.1.1.1/24
3.
4.
Results
462
Configuration
r1 { instance-type virtual-router; interface ge-0/0/1.0; interface ge-0/0/3.0; } r2 { instance-type virtual-router; interface ge-0/0/2.0; interface ge-0/0/3.1; } }
Verification
To confirm that the configuration is working properly, perform these tasks:
Verify that the virtual routing instances were properly created on the switch. Use the show route instance command:
user@switch> show route instance Instance Type Primary RIB master forwarding inet.0 r1 r1.inet.0 r2 r2.inet.0 virtual-router 1/0/0 virtual-router 1/0/0
Active/holddown/hidden 3/0/0
Meaning
Each routing instance created is displayed, along with its type, information about whether it is active or not, and its primary routing table.
Related Topics
Configuring Virtual Routing Instances Using VRF (CLI Procedure) on page 473
Verification
463
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
464
Chapter 31
Configuring VLANs for EX-series Switches (J-Web Procedure) on page 465 Configuring VLANs for EX-series Switches (CLI Procedure) on page 467 Configuring Routed VLAN Interfaces (CLI Procedure) on page 468 Creating a Series of Tagged VLANs (CLI Procedure) on page 470 Creating a Private VLAN (CLI Procedure) on page 471 Configuring Q-in-Q Tunneling (CLI Procedure) on page 472 Configuring Virtual Routing Instances Using VRF (CLI Procedure) on page 473 Configuring MAC Table Aging (CLI Procedure) on page 474 Configuring the Native VLAN Identifier (CLI Procedure) on page 474 Unblocking an Interface That Receives BPDUs in Error (CLI Procedure) on page 475 Configuring Unknown Unicast Forwarding (CLI Procedure) on page 476
From the Configure menu, select Switching > VLAN. The VLAN Configuration page displays a list of existing VLANs. If you select a specific VLAN, the specific VLAN details are displayed in the Details section.
2.
Click one:
Add creates a VLAN. Edit edits an existing VLAN configuration. Delete deletes an existing VLAN.
NOTE: If you delete a VLAN, the VLAN configuration for all the associated interfaces is also deleted.
465
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
When you are adding or editing a VLAN, enter information as described in Table 63 on page 466.
Function
Your Action
VLAN IDType a unique identification number from 1 through 4094. If no value is specified, it defaults to 0 VLAN RangeType a number range to create VLANs with IDs corresponding to the range. For example, the range 23 will create two VLANs with the ID 2 and 3.
Describes the VLAN. Specifies the maximum time that an entry can remain in the forwarding table before it 'ages out'. Specifies the VLAN firewall filter that is applied to incoming packets. Specifies the VLAN firewall filter that is applied to outgoing packets.
Enter a brief description for the VLAN. Type the number of seconds from 60 through 1000000.
Filter Input
To apply an input firewall filter, select the firewall filter from the list. To apply an output firewall filter, select the firewall filter from the list.
Filter Output
Port Association tab Ports Specifies the ports to be associated with this VLAN for data traffic. You can also remove the port association. Click one:
Add Select the ports from the available list. Remove Select the port that you don't want
associated with the VLAN. IP Address tab Enable IP Address IP Address Subnet Mask Specifies IP address options for the VLAN. Specifies the IP address of the VLAN. Specifies the range of logical addresses within the address space that is assigned to an organization. Specifies the VLAN interface firewall filter that is applied to incoming packets. Specifies the VLAN interface firewall filter that is applied to outgoing packets. Select to enable the IP address options. Enter the IP address. Enter the address, for example, 255.255.255.0 You can also specify the address prefix.
Filter Input
To apply an input firewall filter to an interface, select the firewall filter from the list. To apply an output firewall filter to an interface, select the firewall filter from the list.
Filter Output
466
VoIP tab Ports Specifies the ports to be associated with this VLAN for voice traffic. You can also remove the port association. Click one:
Add Select the ports from the available list. Remove Select the port that you don't want
Related Topics
Configuring Routed VLAN Interfaces (CLI Procedure) on page 468 Understanding Bridging and VLANs on EX-series Switches on page 395 Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407
2.
3.
address
ip-address
4.
467
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
or
[edit vlans] user@switch# set vlan-name vlan-range vlan-id-low-vlan-id-high
5.
To specify the maximum time that an entry can remain in the forwarding table before it ages out:
[edit vlans] user@switch# set vlan-name mac-table-aging-time time
6.
Related Topics
Configuring VLANs for EX-series Switches (J-Web Procedure) on page 465 Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Configuring Routed VLAN Interfaces (CLI Procedure) on page 468 Creating a Series of Tagged VLANs (CLI Procedure) on page 470 Understanding Bridging and VLANs on EX-series Switches on page 395
2.
Assign an interface to the VLAN by specifying the logical interface (with the unit statement) and specifying the VLAN name as the member:
[edit] user@switch# set interfaces ge-0/0/18 unit 0 family ethernet-switching vlan members support
3.
468
[edit] user@switch# set interfaces vlan unit 111 family inet address 111.111.111.1/24
4.
NOTE: Layer 3 interfaces on trunk ports allow the interface to transfer traffic between multiple VLANs. Within a VLAN, traffic is bridged, while across VLANs, traffic is routed. You can display the configuration settings:
user@switch> show interfaces vlan terse regress@tp-robin# run show interfaces vlan terse Interface Admin Link Proto Local vlan up up vlan.111 up up inet 111.111.111.1/24 user@switch> Name default employee-vlan show vlans Tag Interfaces None 20 ge-1/0/0.0, ge-1/0/1.0, ge-1/0/2.0 hurricane-pubs 40 ge-1/0/10.0, ge-1/0/20.0, ge-1/0/30.0 support mgmt bme0.32769, bme0.32771* user@switch> show ethernet-switching table Ethernet-switching table: 1 entries, 0 learned VLAN MAC address Type support 00:19:e2:50:95:a0 Static 111 ge-0/0/18.0
Remote
Related Topics
Understanding Bridging and VLANs on EX-series Switches on page 395 Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 Example: Connecting an Access Switch to a Distribution Switch on page 422 Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407
469
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Layer 3 interfaces do not support this feature. Because an access interface can only support one VLAN member, access interfaces also do not support this feature. Voice over IP (VoIP) configurations do not support a range of tagged VLANs.
470
To configure a series of tagged VLANs using the CLI (here, the VLAN is employee):
a.
Configure the series (here, a VLAN series from 120 through 130):
[edit] user@switch# set vlans employee vlan-range 120-130
b.
Associate a series of tagged VLANs when you configure an interface in one of two ways: Include the name of the series:
[edit interfaces] user@switch# set interfaces ge-0/0/22.0 family ethernet-switching vlan members employee
Associating a series of tagged VLANS to an interface by name or by VLAN range have the same result: VLANs __employee_120__ through __employee_130__ are created.
NOTE: When a series of VLANs are created using the vlan-range command, the VLAN names are prefixed and suffixed with a double underscore.
Related Topics
Verifying That a Series of Tagged VLANs Has Been Created on page 477 Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 Example: Connecting an Access Switch to a Distribution Switch on page 422 Understanding Bridging and VLANs on EX-series Switches on page 395
471
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
2.
interface
ge-chassis/slot/port
3.
4.
For each isolated VLAN, add the interface to the primary VLAN:
[edit vlans] user@switch# set primary-vlan-name interface ge-chassis/slot/port
Related Topics
Example: Configuring a Private VLAN on an EX-series Switch on page 455 Verifying That a Private VLAN Is Working on page 480 Understanding Private VLANs on EX-series Switches on page 405
472
2.
Set the allowed C-VLANs on the S-VLAN (optional). Here, the C-VLANs are identified by VLAN range:
[edit vlans] user@switch# set s-vlan-name dot1q-tunneling customer-vlans range
3.
Related Topics
Example: Setting Up Q-in-Q Tunneling on EX-series Switches on page 453 Verifying That Q-in-Q Tunneling Is Working on page 479 Understanding Q-in-Q Tunneling on EX-series Switches on page 404
2.
3.
4.
473
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Example: Using Virtual Routing Instances to Route Among VLANs on EX-series Switches on page 460 Verifying That Virtual Routing Instances Are Working on page 482 Understanding Virtual Routing Instances on EX-series Switches on page 403
Related Topics
Understanding Bridging and VLANs on EX-series Switches on page 395 Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 Example: Connecting an Access Switch to a Distribution Switch on page 422
Configure the port mode so that the interface is in multiple VLANs and can multiplex traffic between different VLANs. Trunk interfaces typically connect to other switches and to routers on the LAN. Configure the port mode as trunk:
[edit interfaces ge-0/0/3 unit 0 family ethernet-switching] user@switch# set port-mode trunk
2.
474
Related Topics
Understanding Bridging and VLANs on EX-series Switches on page 395 Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 Example: Connecting an Access Switch to a Distribution Switch on page 422 Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407
Automatically unblock an interface by configuring a timer that expires (here, the interface is ge-0/0/6):
[edit ethernet-switching-options] user@switch# set bpdu-block disable-timeout 30 interface ge-0/0/6
Related Topics
Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 527 Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 531 Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 487
475
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configure unknown unicast forwarding for a specific VLAN (here, the VLAN name is employee):
[edit ethernet-switching-options] user@switch# set unknown-unicast-forwarding vlan employee
2.
Specify the trunk interface to which all unknown unicast traffic will be forwarded:
[edit ethernet-switching-options ] user@switch# set unknown-unicast-forwarding vlan employee interface ge-0/0/3.0
Related Topics
Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 451 Verifying That Unknown Unicast Packets Are Forwarded to a Trunk Interface on page 479 Understanding Unknown Unicast Forwarding on EX-series Switches on page 405 Understanding Storm Control on EX-series Switches on page 403
476
Chapter 32
Verifying That a Series of Tagged VLANs Has Been Created on page 477 Verifying That Unknown Unicast Packets Are Forwarded to a Trunk Interface on page 479 Verifying That Q-in-Q Tunneling Is Working on page 479 Verifying That a Private VLAN Is Working on page 480 Verifying That Virtual Routing Instances Are Working on page 482
Verify that a series of tagged VLANs is created on the switch. Display the VLANs in the ascending order of their VLAN ID:
user@switch> show vlans sort-by tag Interfaces ge-0/0/22.0* __employee_121__ __employee_122__ __employee_123__ __employee_124__ __employee_125__ __employee_126__ __employee_127__ __employee_128__ __employee_129__ __employee_130__ 121 ge-0/0/22.0* 122 ge-0/0/22.0* 123 ge-0/0/22.0* 124 ge-0/0/22.0* 125 ge-0/0/22.0* 126 ge-0/0/22.0* 127 ge-0/0/22.0* 128 ge-0/0/22.0* 129 ge-0/0/22.0* 130 ge-0/0/22.0*
Action
477
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@switch> Name
__employee_120__ 120 ge-0/0/22.0* __employee_121__ 121 ge-0/0/22.0* __employee_122__ 122 ge-0/0/22.0* __employee_123__ 123 ge-0/0/22.0* __employee_124__ 124 ge-0/0/22.0* __employee_125__ 125 ge-0/0/22.0* __employee_126__ 126 ge-0/0/22.0* __employee_127__ 127 ge-0/0/22.0* __employee_128__ 128 ge-0/0/22.0* __employee_129__ 129 ge-0/0/22.0* __employee_130__ 130 ge-0/0/22.0*
Display the VLANs by specifying the VLAN-range name (here, the VLAN-range name is employee):
user@switch> Name show vlans employee Tag Interfaces
__employee_120__ 120 ge-0/0/22.0* __employee_121__ 121 ge-0/0/22.0* __employee_122__ 122 ge-0/0/22.0* __employee_123__ 123 ge-0/0/22.0* __employee_124__ 124 ge-0/0/22.0* __employee_125__ 125 ge-0/0/22.0* __employee_126__ 126 ge-0/0/22.0* __employee_127__ 127 ge-0/0/22.0* __employee_128__ 128 ge-0/0/22.0* __employee_129__ 129 ge-0/0/22.0* __employee_130__ 130 ge-0/0/22.0*
Meaning
The sample output shows the VLANs configured on the switch. The series of tagged VLANs is displayed: __employee__120__ through __employee_130__. Each of the tagged VLANs is configured on the trunk interface ge-0/0/22.0. The asterisk (*) beside the interface name indicates that the interface is UP.
478
When a series of VLANs is created using the vlan-range statement, the VLAN names are prefixed and suffixed with a double underscore.
Related Topics
Verify that a VLAN is forwarding all unknown unicast packets (those with unknown destination MAC addresses) to a single trunk interface instead of flooding unknown unicast packets across all interfaces that are members of the same VLAN. Display the forwarding interface for unknown unicast packets for a VLAN (here, the VLAN name is v1):
user@switch> show configuration ethernet-switching-options unknown-unicast-forwarding { vlan v1 { interface ge-0/0/7.0; } }
Action
Age 24 37
Meaning
The sample output from the show configuration ethernet-switching-options command shows that the unknown unicast forwarding interface for VLAN v1 is interface ge-0/0/7. The show ethernet-switching table command shows that an unknown unicast packet is received on interface ge-0/0/3 with the destination MAC address (DMAC) 00:01:09:00:00:00 and the source MAC address (SMAC) of 00:11:09:00:01:00. This shows that the SMAC of the packet is learned in the normal way (through the interface ge-0/0/3.0), while the DMAC is learned on interface ge-0/0/7.
Related Topics
Use the show configuration vlans command to determine if you successfully created the primary and secondary VLAN configurations:
user@switch> show configuration vlans
479
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
2.
Use the show vlans command to view VLAN information and link status:
user@switch> show vlans s-vlan-name extensive VLAN: svlan, Created at: Thu Oct 23 16:53:20 2008 802.1Q Tag: 300, Internal index: 2, Admin State: Enabled, Origin: Static Dot1q Tunneling Status: Enabled Customer VLAN ranges: 101200 Protocol: Port Mode Number of interfaces: Tagged 1 (Active = 0), Untagged 1 (Active = 0) ge-0/0/1, tagged, trunk ge-0/0/2, untagged, access
Meaning
The output confirms that Q-in-Q tunnling is enabled and that the VLAN is tagged, and lists the customer VLANs that are associated with the tagged VLAN.
Related Topics
Configuring Q-in-Q Tunneling (CLI Procedure) on page 472 Example: Setting Up Q-in-Q Tunneling on EX-series Switches on page 453
After creating and configuring private VLANs, verify they are set up properly.
1.
Use the show configuration vlans command to determine if you successfully created the primary and secondary VLAN configurations:
user@switch> show configuration vlans community1 { interface { interface a; interface b; } primary-vlan pvlan; } community2 { interface { interface d; interface e; } primary-vlan pvlan; } pvlan { vlan-id 1000; interface { isolated1;
480
2.
Use the show vlans command to view VLAN information and link status:
user@switch> show vlans pvlan extensive VLAN: pvlan, Created at: time 802.1Q Tag: vlan-id, Internal index: index-number, Admin State: Enabled, Origin: Static Private VLAN Mode: Primary Protocol: Port Mode Number of interfaces: Tagged 2 (Active = 0), Untagged 6 (Active = 0) trunk1, tagged, trunk interface a, untagged, access interface b, untagged, access interface c, untagged, access interface d, untagged, access interface e, untagged, access interface f, untagged, access trunk2, tagged, trunk Secondary VLANs: Isolated 2, Community 2 Isolated VLANs : __pvlan_pvlan_isolated1__ __pvlan_pvlan_isolated2__ Community VLANs : community1 community2
3.
Use the show ethernet-switching table vlan command to view logs for MAC learning on the VLANs:
user@switch> vlan pvlan extensive pvlan, * Interface(s): trunk1 Interface(s): interface Interface(s): interface Interface(s): interface Interface(s): interface Interface(s): interface Interface(s): interface Interface(s): trunk2 Type: Flood Nexthop index: 1344
a b c d e f
Meaning
The output shows that the primary and secondary VLANs were created and associated and displays MAC learning information.
Related Topics
Creating a Private VLAN (CLI Procedure) on page 471 Example: Configuring a Private VLAN on an EX-series Switch on page 455
481
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Use the show route instance command to list all of the routing instances and their properties:
user@switch> Instance
Type Primary RIB Active/holddown/hidden master forwarding inet.0 __juniper_private1__ forwarding __juniper_private1__.inet.0 __juniper_private2__ forwarding instance1 r1 r1.inet.0 r2 r2.inet.0 virtual-router forwarding virtual-router
3/0/0
1/0/3
1/0/0
1/0/0
2.
Use the show route forwarding-table command to view the forwarding table information for each routing instance:
user@switch>
Routing table: r1.inet Internet: Destination Type RtRef Next hop default perm 0 0.0.0.0/32 perm 0 103.1.1.0/24 ifdn 0 ge-0/0/3.0 103.1.1.0/32 iddn 0 103.1.1.0 ge-0/0/3.0 103.1.1.1/32 user 0 103.1.1.1/32 intf 0 103.1.1.1 103.1.1.1/32 iddn 0 103.1.1.1 103.1.1.255/32 iddn 0 103.1.1.255 ge-0/0/3.0 224.0.0.0/4 perm 0 224.0.0.1/32 perm 0 224.0.0.1 255.255.255.255/32 perm 0
Type Index NhRef Netif rjct 539 2 dscd 537 1 rslv 579 1 recv rjct locl locl bcst mdsc mcst bcst 577 539 578 578 576 538 534 535 1 2 2 2 1 1 1 1
Meaning
The output confirms that the virtual routing instances are created and the links are up and displays the routing table information.
Related Topics
Configuring Virtual Routing Instances Using VRF (CLI Procedure) on page 473
482
Example: Using Virtual Routing Instances to Route Among VLANs on EX-series Switches on page 460
483
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
484
Chapter 33
Understanding STP for EX-series Switches on page 485 Understanding RSTP for EX-series Switches on page 486 Understanding MSTP for EX-series Switches on page 487 Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 487 Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches on page 489 Understanding Root Protection for STP, RSTP, and MSTP on EX-series Switches on page 490
Configuration BPDUs: Contain configuration information about the transmitting switch and its ports, including switch and port MAC addresses, switch priority, port priority, and port cost. Topology Change Notification (TCN) BPDUs: When a bridge needs to signal a topology change, it starts to send TCNs on its root port. The designated bridge
485
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
receives the TCN, acknowledges it, and generates another one for its own root port. The process continues until the TCN reaches the root bridge. STP uses the information provided by the BPDUs to elect a root bridge, identify root ports for each switch, identify designated ports for each physical LAN segment, and prune specific redundant links to create a loop-free tree topology. All leaf devices calculate the best path to the root device and place their ports in blocking or forwarding states based on the best path to the root. The resulting tree topology provides a single active Layer 2 data path between any two end stations.
Related Topics
Understanding MSTP for EX-series Switches on page 487 Understanding RSTP for EX-series Switches on page 486
A root port, which is the best path to the root device. A designated port, indicating that the switch is the designated bridge for the other switch connecting to this port. An alternate port, which provides an alternate root port. A backup port, which provides an alternate designated port.
Port assignments change through messages exchanged throughout the domain. An RSTP device generates configuration messages once every hello time interval. If an RSTP device does not receive a configuration message from its neighbor after an interval of three hello times, it determines it has lost connection with that neighbor. When a root port or a designated port fails on a device, the device generates a configuration message with the proposal bit set. Once its neighbor device receives this message, it verifies that this configuration message is better than the one saved for that port and then it starts a synchronizing operation to ensure that all of its ports are in sync with the new information.
486
Similar waves of proposal agreement handshake messages propagate toward the leaves of the network, restoring the connectivity very quickly after a topology change (in a well-designed network that uses RSTP, network convergence can take as little as 0.5 seconds). If a device does not receive an agreement to a proposal message it has sent, it returns to the original IEEE 802.D convention. RSTP was originally defined in the IEEE 802.1w draft specification and later incorporated into the IEEE 802.1D-2004 specification.
Related Topics
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Understanding STP for EX-series Switches on page 485 Understanding MSTP for EX-series Switches on page 487
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Understanding STP for EX-series Switches on page 485 Understanding RSTP for EX-series Switches on page 486
Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches
EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). BPDU protection can help prevent STP misconfigurations that can lead to network outages. A loop-free network is supported through the exchange of a special type of frame called bridge protocol data unit (BPDU). Receipt of BPDUs on certain interfaces in an STP, RSTP, or MSTP topology, however, can lead to network outages. Enable BPDU protection on those interfaces to prevent these outages.
487
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Peer STP applications running on the switch interfaces use BPDUs to communicate. Ultimately, the exchange of BPDUs determines which interfaces block traffic and which interfaces become root ports and forward traffic. However, a user bridge application running on a PC can also generate BPDUs. If these BPDUs are picked up by STP applications running on the switch, they can trigger STP miscalculations, and those miscalculations can lead to network outages. Enable BPDU protection on switch interfaces connected to user devices or on interfaces on which no BPDUs are expected, such as edge ports. If BPDUs are received on a protected interface, the interface is disabled and stops forwarding frames. Not only can you configure BPDU protection on a switch with a spanning tree, but also on a switch without a spanning tree. This type of topology typically consists of a non-STP switch connected to an STP switch through a trunk interface. To configure BPDU protection on a switch with a spanning tree, include the bpdu-block-on-edge statement at the [edit protocols (stp | mstp | rstp )] hierarchy level. To configure BPDU protection on a switch without a spanning tree, include the bpdu-block statement at the [edit ethernet-switching-options interface interface-name ] hierarchy level. After the misconfiguration that triggered the BPDUs being sent to an interface is fixed in the topology, the interface can be unblocked in one of two ways:
If the disable-timeout statement has been included in the BPDU configuration, the interface automatically returns to service after the timer expires. Use the operational mode command clear ethernet-switching bpdu-error.
Disabling the BPDU protection configuration does not unblock the interface.
Related Topics
Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 527 Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 531 Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches on page 489 Understanding Root Protection for STP, RSTP, and MSTP on EX-series Switches on page 490 Understanding MSTP for EX-series Switches on page 487 Understanding RSTP for EX-series Switches on page 486 Understanding STP for EX-series Switches on page 485
488
Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches
Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches
EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). Loop protection increases the efficiency of STP, RSTP, and MSTP by preventing ports from moving into a forwarding state that would result in a loop opening up in the network. A loop-free network in spanning-tree topologies is supported through the exchange of a special type of frame called bridge protocol data unit (BPDU). Peer STP applications running on the switch interfaces use BPDUs to communicate. Ultimately, the exchange of BPDUs determines which interfaces block traffic (preventing loops) and which interfaces become root ports and forward traffic. However, a blocking interface can transition to the forwarding state in error if the interface stops receiving BPDUs from its designated port on the segment. Such a transition error can occur when there is a hardware error on the switch or software configuration error between the switch and its neighbor. When loop protection is enabled, the spanning-tree topology detects root ports and blocked ports and makes sure both keep receiving BPDUs. If a loop-protection-enabled interface stops receiving BPDUs from its designated port, it reacts as it would react to a problem with the physical connection on this interface. It doesn't transition the interface to a forwarding state, but instead transitions it to a loop-inconsistent state. The interface recovers and then it transitions back to the spanning-tree blocking state as soon as it receives a BPDU. We recommend that you enable loop protection on all switch interfaces that have a chance of becoming root or designated ports. Loop protection is most effective when enabled in the entire switched network. When you enable loop protection, you must configure at least one action (alarm, block, or both). An interface can be configured for either loop protection or root protection, but not for both.
Related Topics
Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 536 Understanding Root Protection for STP, RSTP, and MSTP on EX-series Switches on page 490 Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 487 Understanding MSTP for EX-series Switches on page 487 Understanding RSTP for EX-series Switches on page 486 Understanding STP for EX-series Switches on page 485
Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches
489
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Understanding Root Protection for STP, RSTP, and MSTP on EX-series Switches
EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). A loop-free network is supported through the exchange of a special type of frame called bridge protocol data unit (BPDU). Peer STP applications running on the switch interfaces use BPDUs to communicate. Ultimately, the exchange of BPDUs determines which interfaces block traffic and which interfaces become root ports and forward traffic. However, a root port elected through this process has the possibility of being wrongly elected. A user bridge application running on a PC can generate BPDUs, too, and interfere with root port election. Root protection allows network administrators to manually enforce the root bridge placement in the network. Enable root protection on interfaces that should not receive superior BPDUs from the root bridge and should not be elected as the root port. These interfaces become designated ports and are typically located on an administrative boundary. If the bridge receives superior STP BPDUs on a port that has root protection enabled, that port transitions to a root-prevented STP state (inconsistency state) and the interface is blocked. This blocking prevents a bridge that should not be the root bridge from being elected the root bridge. After the bridge stops receiving superior STP BPDUs on the interface with root protection, the interface returns to a listening state, followed by a learning state, and ultimately back to a forwarding state. Recovery back to the forwarding state is automatic. When root protection is enabled on an interface, it is enabled for all the STP instances on that interface. The interface is blocked only for instances for which it receives superior BPDUs. Otherwise, it participates in the spanning-tree topology. An interface can be configured for either root protection or loop protection, but not for both.
Related Topics
Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches on page 540 Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 536 Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 527 Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 531 Understanding MSTP for EX-series Switches on page 487 Understanding RSTP for EX-series Switches on page 486 Understanding STP for EX-series Switches on page 485
490
Understanding Root Protection for STP, RSTP, and MSTP on EX-series Switches
Chapter 34
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 527 Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 531 Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 536 Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches on page 540
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches
EX-series switches use Rapid Spanning Tree Protocol (RSTP) to provide a loop-free topology. RSTP identifies certain links as point to point. When a point-to-point link fails, the alternate link can transition to the forwarding state. RSTP provides better reconvergence time than original STP because it uses protocol handshake messages rather than fixed timeouts. Eliminating the need to wait for timers to expire makes RSTP more efficient than STP. This example describes how to configure RSTP on four EX-series switches:
Requirements on page 492 Overview and Topology on page 492 Configuring RSTP on Switch 1 on page 494 Configuring RSTP on Switch 2 on page 496 Configuring RSTP on Switch 3 on page 499 Configuring RSTP on Switch 4 on page 501 Verification on page 504
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches
491
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.0 or later for EX-series switches Four EX-series switches
Before you configure the switches for RSTP, be sure you have:
Installed the four switches. See Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60. Performed the initial software configuration on all switches. See Installing and Connecting an EX 3200 or EX 4200 Switch.
The interfaces shown in Table 64 on page 493 will be configured for RSTP.
492
Requirements
NOTE: You can configure RSTP on logical or physical interfaces. This example shows RSTP configured on logical interfaces.
Table 64: Components of the Topology for Configuring RSTP on EX-series Switches
Property Switch 1 Settings The following ports on Switch 1 are connected in this way:
Switch 2
Switch 3
Switch 4
This configuration example creates a loop-free topology between four EX-series switches using RSTP. An RSTP topology contains ports that have specific roles:
The root port is responsible for forwarding data to the root bridge. The alternate port is a standby port for the root port. When a root port goes down, the alternate port becomes the active root port. The designated port forwards data to the downstream network segment or device. The backup port is a backup port for the designated port. When a designated port goes down, the backup port becomes the active designated port and starts forwarding data.
493
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: You also can create a loop-free topology between the aggregation layer and the distribution layer using redundant trunk links. For more information about configuring redundant trunk links, see Example: Configuring Redundant Trunk Links for Faster Recovery on page 447.
To quickly configure interfaces and RSTP on Switch 1, copy the following commands and paste them into the switch terminal window:
[edit] set vlans voice-vlan description Voice VLAN set vlans voice-vlan vlan-id 10 set vlans employee-vlan description Employee VLAN set vlans employee-vlan vlan-id 20 set vlans guest-vlan description Guest VLAN set vlans guest-vlan vlan-id 30 set vlans camera-vlan description Camera VLAN set vlans camera-vlan vlan-id 40 set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge0/0/13 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk set protocols rstp bridge-priority 16k set protocols rstp interface ge-0/0/13.0 cost 1000 set protocols rstp interface ge-0/0/13.0 mode point-to-point set protocols rstp interface ge-0/0/9.0 cost 1000 set protocols rstp interface ge-0/0/9.0 mode point-to-point set protocols rstp interface ge-0/0/11.0 cost 1000 set protocols rstp interface ge-0/0/11.0 mode point-to-point
Step-by-Step Procedure
voice-vlan description Voice VLAN voice-vlan vlan-id 10 employee-vlan description Employee VLAN employee-vlan vlan-id 20 guest-vlan description Guest VLAN guest-vlan vlan-id 30 camera-vlan description Camera VLAN guest-vlan vlan-id 40
2.
Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
494
[edit interfaces] user@switch1# set ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch1# set ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]
3.
4.
bridge-priority 16k interface ge-0/0/13.0 cost 1000 interface ge-0/0/13.0 mode point-to-point interface ge-0/0/9.0 cost 1000 interface ge-0/0/9.0 mode point-to-point interface ge-0/0/11.0 cost 1000 interface ge-0/0/11.0 mode point-to-point
Results
495
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
unit 0 { family ethernet-switching { port-mode trunk; vlan { members [10 20 30 40]; } } } } } protocols { rstp { bridge-priority 16k; interface ge-0/0/13.0 { cost 1000; mode point-to-point; } interface ge-0/0/9.0 { cost 1000; mode point-to-point; } interface ge-0/0/11.0 { cost 1000; mode point-to-point; } } } } vlans { voice-vlan { vlan-id 10; } employee-vlan { vlan-id 20; } guest-vlan { vlan-id 30; } camera-vlan { vlan-id 40; } }
To quickly configure interfaces and RSTP on Switch 2, copy the following commands and paste them into the switch terminal window:
[edit] set vlans voice-vlan description Voice VLAN set vlans voice-vlan vlan-id 10 set vlans employee-vlan description Employee VLAN
496
set set set set set set 40] set 40] set set set set set set set
vlans employee-vlan vlan-id 20 vlans guest-vlan description Guest VLAN vlans guest-vlan vlan-id 30 vlans camera-vlan description Camera VLAN vlans camera-vlan vlan-id 40 interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 interfaces ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk interfaces ge-0/0/18 unit 0 family ethernet-switching port-mode trunk protocols rstp bridge-priority 32k protocols rstp interface ge-0/0/14.0 cost 1000 protocols rstp interface ge-0/0/14.0 mode point-to-point protocols rstp interface ge-0/0/18.0 cost 1000 protocols rstp interface ge-0/0/18.0 mode point-to-point
Step-by-Step Procedure
voice-vlan description Voice VLAN voice-vlan vlan-id 10 employee-vlan description Employee VLAN employee-vlan vlan-id 20 guest-vlan description Guest VLAN guest-vlan vlan-id 30 camera-vlan vlan-description Camera VLAN guest-vlan vlan-id 40
2.
Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces] user@switch2# set ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch2# set ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]
3.
4.
bridge-priority 32k interface ge-0/0/14.0 interface ge-0/0/14.0 interface ge-0/0/18.0 interface ge-0/0/18.0
497
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Results
498
To quickly configure interfaces and RSTP on Switch 3, copy the following commands and paste them into the switch terminal window:
[edit] set vlans voice-vlan description Voice VLAN set vlans voice-vlan vlan-id 10 set vlans employee-vlan description Employee VLAN set vlans employee-vlan vlan-id 20 set vlans guest-vlan description Guest VLAN set vlans guest-vlan vlan-id 30 set vlans camera-vlan description Camera VLAN set vlans camera-vlan vlan-id 40 set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/26 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/28 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/24 unit 0 family ethernet-switching port-mode trunk set protocols rstp bridge-priority 8k set protocols rstp interface ge-0/0/26.0 cost 1000 set protocols rstp interface ge-0/0/26.0 mode point-to-point set protocols rstp interface ge-0/0/28.0 cost 1000 set protocols rstp interface ge-0/0/28.0 mode point-to-point set protocols rstp interface ge-0/0/24.0 cost 1000 set protocols rstp interface ge-0/0/24.0 mode point-to-point
Step-by-Step Procedure
voice-vlan description Voice VLAN voice-vlan vlan-id 10 employee-vlan description Employee VLAN employee-vlan vlan-id 20 guest-vlan description Guest VLAN guest-vlan vlan-id 30 camera-vlan description Camera VLAN guest-vlan vlan-id 40
2.
Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces] user@switch3# set ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch3# set ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch3# set ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]
499
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
3.
4.
bridge-priority 8k interface ge-0/0/26.0 interface ge-0/0/26.0 interface ge-0/0/28.0 interface ge-0/0/28.0 interface ge-0/0/24.0 interface ge-0/0/24.0
Results
500
} } } protocols { rstp { bridge-priority 8k; interface ge-0/0/26.0 { cost 1000; mode point-to-point; } interface ge-0/0/28.0 { cost 1000; mode point-to-point; } interface ge-0/0/24.0 { cost 1000; mode point-to-point; } } bridge-priority 8k; } } } } vlans { voice-vlan { vlan-id 10; } employee-vlan { vlan-id 20; } guest-vlan { vlan-id 30; } camera-vlan { vlan-id 40; } }
To quickly configure interfaces and RSTP on Switch 4, copy the following commands and paste them into the switch terminal window:
[edit] set vlans set vlans set vlans set vlans set vlans set vlans set vlans set vlans
voice-vlan description Voice VLAN voice-vlan vlanid 10 employee-vlan description Employee VLAN employee-vlan vlan-id 20 guest-vlan description Guest VLAN guest-vlan vlan-id 30 camera-vlan description Camera VLAN camera-vlan vlan-id 40
501
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
set 40] set 40] set set set set set set set
interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 interfaces ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode trunk interfaces ge-0/0/19 unit 0 family ethernet-switching port-mode trunk protocols rstp bridge-priority 16k protocols rstp interface ge-0/0/23.0 cost 1000 protocols rstp interface ge-0/0/23.0 mode point-to-point protocols rstp interface ge-0/0/19.0 cost 1000 protocols rstp interface ge-0/0/19.0 mode point-to-point
Step-by-Step Procedure
voice-vlan description Voice VLAN voice-vlan vlan-id 10 employee-vlan description Employee VLAN employee-vlan vlan-id 20 guest-vlan description Guest VLAN guest-vlan vlan-id 30 camera-vlan description Camera VLAN guest-vlan vlan-id 40
2.
Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces] user@switch4# set ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch4# set ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]
3.
4.
bridge-priority 16k interface all cost 1000 interface ge-0/0/23.0 cost interface ge-0/0/23.0 mode interface ge-0/0/19.0 cost interface ge-0/0/19.0 mode
Results
502
user@switch4> show configuration interfaces { ge-0/0/23 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members [10 20 30 40]; } } } } ge-0/0/19 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members [10 20 30 40]; } } } } } protocols { rstp { bridge-priority 16k; interface ge-0/0/23.0 { cost 1000; mode point-to-point; } interface ge-0/0/19.0 { cost 1000; mode point-to-point; } } } } vlans { voice-vlan { vlan-id 10; } employee-vlan { vlan-id 20; } guest-vlan { vlan-id 30; } camera-vlan { vlan-id 40; } }
503
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying RSTP Configuration on Switch 1 on page 504 Verifying RSTP Configuration on Switch 2 on page 504 Verifying RSTP Configuration on Switch 3 on page 504 Verifying RSTP Configuration on Switch 4 on page 505
Verify the RSTP configuration on Switch 1. Use the operational mode command:
user@switch1> show spanning-tree interface
Action
Spanning tree interface parameters for instance 0 Interface ge-0/0/13.0 ge-0/0/9.0 ge-0/0/11.0 Port ID 128:527 128:529 128:531 Designated port ID 128:525 128:513 128:513 Designated bridge ID 16384.0019e25040e0 32768.0019e2503d20 8192.0019e25051e0 Port Cost 1000 1000 1000 State BLK BLK FWD Role ALT ALT ROOT
Meaning
Refer to the topology in Figure 30 on page 492. The operational mode command show spanning-tree interface shows that ge-0/0/13.0 is in a forwarding state. The other interfaces on Switch 1 are blocking.
Verify the RSTP configuration on Switch 2. Use the operational mode command:
user@switch2> show spanning-tree interface
Action
Spanning tree interface parameters for instance 0 Interface ge-0/0/14.0 ge-0/0/18.0 Port ID Designated port ID 128:513 128:513 128:519 128:515 Designated bridge ID 32768.0019e2503d20 8192.0019e25051e0 Port State Cost 1000 BLK 1000 FWD Role DESG ROOT
Meaning
Refer to the topology in Figure 30 on page 492. The operational mode command show spanning-tree interface shows that ge-0/0/18.0 is in a forwarding state and the root port. The other interface on Switch 2 is blocking.
504
Verification
Action
Spanning tree interface parameters for instance 0 Interface ge-0/0/26.0 ge-0/0/28.0 ge-0/0/24.0 Port ID Designated port ID 128:513 128:513 128:515 128:515 128:517 128:517 Designated bridge ID 8192.0019e25051e0 8192.0019e25051e0 8192.0019e25051e0 Port State Cost 1000 FWD 1000 FWD 1000 FWD Role DESG DESG DESG
Meaning
Refer to the topology in Figure 30 on page 492. The operational mode command show spanning-tree interface shows that no interface is the root interface.
Verify the RSTP configuration on Switch 4. Use the operational mode commands:
user@switch4> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface Port ID Designated port ID 128:517 128:525 Designated bridge ID 8192.0019e25051e0 16384.0019e25040e0 Port Cost 1000 1000 State Role
Action
ge-0/0/23.0 ge-0/0/19.0
128:523 128:525
FWD FWD
ROOT DESG
Meaning
Refer to the topology in Figure 30 on page 492. The operational mode command show spanning-tree interface shows that interface ge-0/0/23.0 is the root interface and forwarding.
Related Topics
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Understanding RSTP for EX-series Switches on page 486
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches
Multiple Spanning Tree Protocol (MSTP) is used to create a loop-free topology in networks using multiple spanning tree regions, each region containing multiple spanning-tree instances (MSTIs). MSTIs provide different paths for different VLANs. This functionality facilitates better load sharing across redundant links. MSTP supports up to 64 regions, each one capable of supporting 4094 MSTIs. This example describes how to configure MSTP on four EX-series switches:
505
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configuring MSTP on Switch 1 on page 509 Configuring MSTP on Switch 2 on page 512 Configuring MSTP on Switch 3 on page 515 Configuring MSTP on Switch 4 on page 518 Verification on page 521
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.0 or later for EX-series switches Four EX-series switches
Before you configure the switches for MSTP, be sure you have:
Installed the four switches. See Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60. Performed the initial software configuration on all switches. See Installing and Connecting an EX 3200 or EX 4200 Switch.
506
Requirements
The interfaces shown in Table 65 on page 507 will be configured for MSTP.
NOTE: You can configure MSTP on logical or physical interfaces. This example shows MSTP configured on logical interfaces.
Table 65: Components of the Topology for Configuring MSTP on EX-series Switches
Property Switch 1 Settings The following ports on Switch 1 are connected in this way:
Switch 2
507
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 65: Components of the Topology for Configuring MSTP on EX-series Switches (continued)
Property Switch 3 Settings The following ports on Switch 3 are connected in this way:
Switch 4
MSTIs
The topology in Figure 31 on page 507 shows a Common Internal Spanning Tree (CIST). The CIST is a single spanning tree connecting all devices in the network. The switch with the highest priority is elected as the root bridge of the CIST. Also in an MSTP topology are ports that have specific roles:
The root port is responsible for forwarding data to the root bridge. The alternate port is a standby port for the root port. When a root port goes down, the alternate port becomes the active root port. The designated port forwards data to the downstream network segment or device. The backup port is a backup port for the designated port. When a designated port goes down, the backup port becomes the active designated port and starts forwarding data.
In this example, one MSTP region, region1, contains Switch 1, Switch 2, Switch 3, and Switch 4. Within the region, four VLANs are created:
The voice-vlan supports voice traffic and has a VLAN tag identifier of 10.
employee-vlan supports data traffic and has a VLAN tag identifier of 20.
The guest-vlan supports guest VLAN traffic (for supplicants that fail 802-1X authentication) and has a VLAN tag identifier of 30. The camera-vlan supports video traffic and has a VLAN tag identifier of 40.
The VLANs are associated with specific interfaces on each of the four switches. Two MSTIs, 1 and 2, are then associated with the VLAN tag identifiers, and some MSTP parameters, such as cost, are configured on each switch.
508
To quickly configure interfaces and MSTP on Switch 1, copy the following commands and paste them into the switch terminal window:
[edit] set vlans voice-vlan description Voice VLAN set vlans voice-vlan vlan-id 10 set vlans employee-vlan description Employee VLAN set vlans employee-vlan vlan-id 20 set vlans guest-vlan description Guest VLAN set vlans guest-vlan vlan-id 30 set vlans camera-vlan description Camera VLAN set vlans camera-vlan vlan-id 40 set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge0/0/13 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk set protocols mstp configuration-name region1 set protocols mstp bridge-priority 16k set protocols mstp interface ge-0/0/13.0 cost 1000 set protocols mstp interface ge-0/0/13.0 mode point-to-point set protocols mstp interface ge-0/0/9.0 cost 1000 set protocols mstp interface ge-0/0/9.0 mode point-to-point set protocols mstp interface ge-0/0/11.0 cost 1000 set protocols mstp interface ge-0/0/11.0 mode point-to-point set protocols mstp msti 1 bridge-priority 16k set protocols mstp msti 1 vlan [10 20] set protocols mstp msti 1 interface ge-0/0/11.0 cost 4000 set protocols mstp msti 2 bridge-priority 8k set protocols mstp msti 2 vlan [30 40]
Step-by-Step Procedure
voice-vlan description Voice VLAN voice-vlan vlan-id 10 employee-vlan description Employee VLAN employee-vlan vlan-id 20 guest-vlan description Guest VLAN guest-vlan vlan-id 30 camera-vlan description Camera VLAN guest-vlan vlan-id 40
2.
Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces]
509
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@switch1# set ge0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch1# set ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]
3.
4.
configuration-name region1 bridge-priority 16k interface ge-0/0/13.0 cost 1000 interface ge-0/0/13.0 mode point-to-point interface ge-0/0/9.0 cost 1000 interface ge-0/0/9.0 mode point-to-point interface ge-0/0/11.0 cost 4000 interface ge-0/0/11.0 mode point-to-point msti 1 bridge-priority 16k msti 1 vlan [10 20] msti 1 interface ge-0/0/11.0 cost 4000 msti 2 bridge-priority 8k msti 2 vlan [30 40]
Results
510
port-mode trunk; vlan { members 10; members 20; members 30; members 40; } } } } ge-0/0/11 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 10; members 20; members 30; members 40; } } } } } protocols { mstp { configuration-name region1; bridge-priority 16k; interface ge-0/0/13.0 { cost 1000; mode point-to-point; } interface ge-0/0/9.0 { cost 1000; mode point-to-point; } interface ge-0/0/11.0 { cost 4000; mode point-to-point; } msti 1 { bridge-priority 16k; vlan [ 10 20 ]; interface ge-0/0/11.0 { cost 4000; } } msti 2 { bridge-priority 8k; vlan [ 30 40 ]; } } vlans { voice-vlan { vlan-id 10; }
511
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
To quickly configure interfaces and MSTP on Switch 2, copy the following commands and paste them into the switch terminal window:
[edit] set vlans voice-vlan description Voice VLAN set vlans voice-vlan vlanid 10 set vlans employee-vlan description Employee VLAN set vlans employee-vlan vlan-id 20 set vlans guest-vlan description Guest VLAN set vlans guest-vlan vlan-id 30 set vlans camera-vlan description Camera VLAN set vlans camera-vlan vlan-id 40 set interfaces ge0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/18 unit 0 family ethernet-switching port-mode trunk set protocols mstp configuration-name region1 set protocols mstp bridge-priority 32k set protocols mstp interface ge-0/0/14.0 cost 1000 set protocols mstp interface ge-0/0/14.0 mode point-to-point set protocols mstp interface ge-0/0/18.0 cost 1000 set protocols mstp interface ge-0/0/18.0 mode point-to-point set protocols mstp msti 1 bridge-priority 32k set protocols mstp msti 1 vlan [10 20] set protocols mstp msti 2 bridge-priority 4k set protocols mstp msti 2 vlan [30 40]
512
Step-by-Step Procedure
voice-vlan description Voice VLAN voice-vlan vlan-id 10 employee-vlan description Employee VLAN employee-vlan vlan-id 20 guest-vlan description Guest VLAN guest-vlan vlan-id 30 camera-vlan vlan-description Camera VLAN guest-vlan vlan-id 40
2.
Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces] user@switch2# set ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch2# set ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]
3.
4.
configuration-name region1 bridge-priority 32k interface ge-0/0/14.0 cost interface ge-0/0/14.0 mode interface ge-0/0/18.0 cost interface ge-0/0/18.0 mode interface all cost 1000 msti 1 bridge-priority 32k msti 1 vlan [10 20] msti 2 bridge-priority 4k msti 2 vlan [30 40]
Results
513
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
} } ge-0/0/18 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 10; members 20; members 30; members 40; } } } } } protocols { mstp { configuration-name region1; bridge-priority 32k; interface ge-0/0/14.0 { cost 1000; mode point-to-point; } interface ge-0/0/18.0 { cost 1000; mode point-to-point; } msti 1 { bridge-priority 32k; vlan [ 10 20 ]; } msti 2 { bridge-priority 4k; vlan [ 30 40 ]; } } } vlans { voice-vlan { vlan-id 10; } employee-vlan { vlan-id 20; } guest-vlan { vlan-id 30; } camera-vlan { vlan-id 40;
514
} }
To quickly configure interfaces and MSTP on Switch 3, copy the following commands and paste them into the switch terminal window:
[edit] set vlans voice-vlan description Voice VLAN set vlans voice-vlan vlan-id 10 set vlans employee-vlan description Employee VLAN set vlans employee-vlan vlan-id 20 set vlans guest-vlan description Guest VLAN set vlans guest-vlan vlan-id 30 set vlans camera-vlan description Camera VLAN set vlans camera-vlan vlanid 40 set interfaces ge0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/26 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/28 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/24 unit 0 family ethernet-switching port-mode trunk set protocols mstp configuration-name region1 set protocols mstp bridge-priority 8k set protocols mstp interface ge-0/0/26.0 cost 1000 set protocols mstp interface ge-0/0/26.0 mode point-to-point set protocols mstp interface ge-0/0/28.0 cost 1000 set protocols mstp interface ge-0/0/28.0 mode point-to-point set protocols mstp interface ge-0/0/24.0 cost 1000 set protocols mstp interface ge-0/0/24.0 mode point-to-point set protocols mstp msti 1 bridge-priority 4k set protocols mstp msti 1 vlan [10 20] set protocols mstp msti 2 bridge-priority 16k set protocols mstp msti 2 vlan [30 40]
Step-by-Step Procedure
voice-vlan description Voice VLAN voice-vlan vlan-id 10 employee-vlan description Employee VLAN employee-vlan vlan-id 20 guest-vlan description Guest VLAN guest-vlan vlan-id 30 camera-vlan description Camera VLAN guest-vlan vlan-id 40
2.
Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
515
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
[edit interfaces] user@switch3# set ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch3# set ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch3# set ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]
3.
4.
configuration-name region1 bridge-priority 8k interface ge-0/0/26.0 cost interface ge-0/0/26.0 mode interface ge-0/0/28.0 cost interface ge-0/0/28.0 mode interface ge-0/0/24.0 cost interface ge-0/0/24.0 mode interface all cost 1000 msti 1 bridge-priority 4k msti 1 vlan [10 20] msti 2 bridge-priority 16k msti 2 vlan [30 40]
Results
516
family ethernet-switching { port-mode trunk; vlan { members 10; members 20; members 30; members 40; } } } } ge-0/0/24 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 10; members 20; members 30; members 40; } } } } } } protocols { mstp { configuration-name region1; bridge-priority 8k; interface ge-0/0/26.0 { cost 1000; mode point-to-point; } interface ge-0/0/28.0 { cost 1000; mode point-to-point; } interface ge-0/0/24.0 { cost 1000; mode point-to-point; } msti 1 { bridge-priority 4k; vlan [ 10 20 ]; } msti 2 { bridge-priority 16k; vlan [ 30 40 ]; } } } vlans { voice-vlan { vlan-id 10; }
517
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
To quickly configure interfaces and MSTP on Switch 4, copy the following commands and paste them into the switch terminal window:
[edit] set vlans voicevlan description Voice VLAN set vlans voice-vlan vlanid 10 set vlans employeevlan description Employee VLAN set vlans employeevlan vlanid 20 set vlans guestvlan description Guest VLAN set vlans guestvlan vlanid 30 set vlans cameravlan description Camera VLAN set vlans cameravlan vlanid 40 set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40] set interfaces ge0/0/23 unit 0 family ethernet-switching port-mode trunk set interfaces ge0/0/19 unit 0 family ethernet-switching port-mode trunk set protocols mstp configuration-name region1 set protocols mstp bridge-priority 16k set protocols mstp interface ge0/0/23.0 cost 1000 set protocols mstp interface ge0/0/23.0 mode point-to-point set protocols mstp interface ge0/0/19.0 cost 1000 set protocols mstp interface ge0/0/19.0 mode point-to-point set protocols mstp msti 1 bridge-priority 16k set protocols mstp msti 1 vlan [10 20] set protocols mstp msti 2 bridge-priority 32k set protocols mstp msti 2 vlan [30 40]
518
Step-by-Step Procedure
voice-vlan description Voice VLAN voice-vlan vlanid 10 employee-vlan description Employee VLAN employee-vlan vlanid 20 guest-vlan description Guest VLAN guest-vlan vlanid 30 camera-vlan description Camera VLAN guest-vlan vlanid 40
2.
Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces] user@switch4# set ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40] user@switch4# set ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]
3.
4.
configuration-name region1 bridge-priority 16k interface all cost 1000 interface ge0/0/23.0 cost interface ge0/0/23.0 mode interface ge0/0/19.0 cost interface ge0/0/19.0 mode msti 1 bridge-priority 16k msti 1 vlan [10 20] msti 2 bridge-priority 32k msti 2 vlan [30 40]
Results
519
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
} } ge-0/0/19 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 10; members 20; members 30; members 40; } } } } } protocols { mstp { configuration-name region1; bridge-priority 16k; interface ge-0/0/23.0 { cost 1000; mode point-to-point; } interface ge-0/0/19.0 { cost 1000; mode point-to-point; } msti 1 { bridge-priority 16k; vlan [ 10 20 ]; } msti 2 { bridge-priority 32k; vlan [ 30 40 ]; } } } vlans { voice-vlan { vlan-id 10; } employee-vlan { vlan-id 20; } guest-vlan { vlan-id 30; } camera-vlan { vlan-id 40;
520
} }
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying MSTP Configuration on Switch 1 on page 521 Verifying MSTP Configuration on Switch 2 on page 522 Verifying MSTP Configuration on Switch 3 on page 524 Verifying MSTP Configuration on Switch 4 on page 525
Verify the MSTP configuration on Switch 1. Use the operational mode commands:
user@switch1> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface ge-0/0/13.0 ge-0/0/9.0 ge-0/0/11.0 Port ID 128:527 128:529 128:531 Designated port ID 128:525 128:513 128:513 Designated bridge ID 16384.0019e25040e0 32768.0019e2503d20 8192.0019e25051e0 Port Cost 1000 1000 4000 State FWD BLK BLK Role ROOT ALT ALT
Action
Spanning tree interface parameters for instance 1 Interface ge-0/0/13.0 ge-0/0/9.0 ge-0/0/11.0 Port ID 128:527 128:529 128:531 Designated port ID 128:525 128:513 128:513 Designated bridge ID 16385.0019e25040e0 32769.0019e2503d20 4097.0019e25051e0 Port Cost 1000 1000 4000 State FWD BLK BLK Role ROOT ALT ALT
Spanning tree interface parameters for instance 2 Interface ge-0/0/13.0 ge-0/0/9.0 ge-0/0/11.0 Port ID 128:527 128:529 128:531 Designated port ID 128:527 128:513 128:531 Designated bridge ID 8194.0019e25044e0 4098.0019e2503d20 8194.0019e25044e0 Port Cost 1000 1000 1000 State FWD FWD FWD Role DESG ROOT DESG
user@switch1> show spanning-tree bridge STP bridge parameters Context ID : 0 Enabled protocol : MSTP STP bridge parameters for CIST Root ID Root cost Root port CIST regional root CIST internal root cost Hello time Maximum age
: : : : : : :
Verification
521
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Forward delay Hop count Message age Number of topology changes Time since last topology change Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 1 MSTI regional root Root cost Root port Hello time Maximum age Forward delay Hop count Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 2 MSTI regional root Root cost Root port Hello time Maximum age Forward delay Hop count Local parameters Bridge ID Extended system ID Internal instance ID
: : : : :
: 16384.00:19:e2:50:44:e0 : 0 : 0
: : : : : : :
: 16385.00:19:e2:50:44:e0 : 0 : 1
: : : : : : :
: 8194.00:19:e2:50:44:e0 : 0 : 2
Meaning
The operational mode command show spanning-tree interface displays spanning-tree domain information such as the designated port and the port roles. The operational mode command show spanning-tree bridge displays the spanning-tree domain information at either the bridge level or interface level. If the optional interface name is omitted, all interfaces in the spanning-tree domain are displayed.
Verify the MSTP configuration on Switch 2. Use the operational mode commands:
user@switch2> show spanning-tree interface
Action
Spanning tree interface parameters for instance 0 Interface ge-0/0/14.0 Port ID Designated port ID 128:513 128:513 Designated bridge ID 32768.0019e2503d20 Port State Cost 1000 FWD Role DESG
522
ge-0/0/18.0
128:519
128:515
8192.0019e25051e0
1000
FWD
ROOT
Spanning tree interface parameters for instance 1 Interface ge-0/0/14.0 ge-0/0/18.0 Port ID Designated port ID 128:513 128:513 128:519 128:515 Designated bridge ID 32769.0019e2503d20 4097.0019e25051e0 Port State Cost 1000 FWD 1000 FWD Role DESG ROOT
Spanning tree interface parameters for instance 2 Interface ge-0/0/14.0 ge-0/0/18.0 Port ID Designated port ID 128:513 128:513 128:519 128:519 Designated bridge ID 4098.0019e2503d20 4098.0019e2503d20 Port State Cost 1000 FWD 1000 FWD Role DESG DESG
user@switch2> show spanning-tree bridge STP bridge parameters Context ID : 0 Enabled protocol : MSTP STP bridge parameters for CIST Root ID Root cost Root port CIST regional root CIST internal root cost Hello time Maximum age Forward delay Hop count Message age Number of topology changes Time since last topology change Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 1 MSTI regional root Root cost Root port Hello time Maximum age Forward delay Hop count Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 2 MSTI regional root Hello time Maximum age Forward delay Local parameters Bridge ID
: : : : : : : : : : : :
: 32768.00:19:e2:50:3d:20 : 0 : 0
: : : : : : :
: 32769.00:19:e2:50:3d:20 : 0 : 1
: : : :
: 4098.00:19:e2:50:3d:20
523
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
: 0 : 2
Meaning
The operational mode command show spanning-tree interface displays spanning-tree domain information such as the designated port and the port roles. The operational mode command show spanning-tree bridge displays the spanning-tree domain information at either the bridge level or interface level. If the optional interface name is omitted, all interfaces in the spanning-tree domain are displayed.
Verify the MSTP configuration on Switch 3. Use the operational mode commands:
user@switch3> show spanning-tree interface
Action
Spanning tree interface parameters for instance 0 Interface ge-0/0/26.0 ge-0/0/28.0 ge-0/0/24.0 Port ID Designated port ID 128:513 128:513 128:515 128:515 128:517 128:517 Designated bridge ID 8192.0019e25051e0 8192.0019e25051e0 8192.0019e25051e0 Port State Cost 1000 FWD 1000 FWD 1000 FWD Role DESG DESG DESG
Spanning tree interface parameters for instance 1 Interface ge-0/0/26.0 ge-0/0/28.0 ge-0/0/24.0 Port ID Designated port ID 128:513 128:513 128:515 128:515 128:517 128:517 Designated bridge ID 4097.0019e25051e0 4097.0019e25051e0 4097.0019e25051e0 Port State Cost 1000 FWD 1000 FWD 1000 FWD Role DESG DESG DESG
Spanning tree interface parameters for instance 2 Interface ge-0/0/26.0 ge-0/0/28.0 ge-0/0/24.0 Port ID Designated port ID 128:513 128:531 128:515 128:519 128:517 128:517 Designated bridge ID 8194.0019e25044e0 4098.0019e2503d20 16386.0019e25051e0 Port State Cost 1000 BLK 1000 FWD 1000 FWD Role ALT ROOT DESG
user@switch3> show spanning-tree bridge STP bridge parameters Context ID : 0 Enabled protocol : MSTP STP bridge parameters for CIST Root ID CIST regional root CIST internal root cost Hello time Maximum age Forward delay Number of topology changes Time since last topology change Local parameters
: : : : : : : :
524
Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 1 MSTI regional root Hello time Maximum age Forward delay Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 2 MSTI regional root Root cost Root port Hello time Maximum age Forward delay Hop count Local parameters Bridge ID Extended system ID Internal instance ID
: 8192.00:19:e2:50:51:e0 : 0 : 0
: : : :
: 4097.00:19:e2:50:51:e0 : 0 : 1
: : : : : : :
: 16386.00:19:e2:50:51:e0 : 0 : 2
Meaning
The operational mode command show spanning-tree interface displays spanning-tree domain information such as the designated port and the port roles. The operational mode command show spanning-tree bridge displays the spanning-tree domain information at either the bridge level or interface level. If the optional interface name is omitted, all interfaces in the spanning-tree domain are displayed.
Verify the MSTP configuration on Switch 4. Use the operational mode commands:
user@switch4> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface Port ID Designated port ID 128:517 128:525 Designated bridge ID 8192.0019e25051e0 16384.0019e25040e0 Port Cost 1000 1000 State Role
Action
ge-0/0/23.0 ge-0/0/19.0
128:523 128:525
FWD FWD
ROOT DESG
Spanning tree interface parameters for instance 1 Interface ge-0/0/23.0 ge-0/0/19.0 Port ID 128:523 128:525 Designated port ID 128:517 128:525 Designated bridge ID 4097.0019e25051e0 16385.0019e25040e0 Port Cost 1000 1000 State FWD FWD Role ROOT DESG
525
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@switch4> show spanning-tree bridge STP bridge parameters Context ID : 0 Enabled protocol : MSTP STP bridge parameters for CIST Root ID Root cost Root port CIST regional root CIST internal root cost Hello time Maximum age Forward delay Hop count Message age Number of topology changes Time since last topology change Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 1 MSTI regional root Root cost Root port Hello time Maximum age Forward delay Hop count Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 2 MSTI regional root Root cost Root port Hello time Maximum age Forward delay Hop count Local parameters Bridge ID Extended system ID Internal instance ID
: : : : : : : : : : : :
: 16384.00:19:e2:50:40:e0 : 0 : 0
: : : : : : :
: 16385.00:19:e2:50:40:e0 : 0 : 1
: : : : : : :
: 32770.00:19:e2:50:40:e0 : 0 : 2
Meaning
The operational mode command show spanning-tree interface displays spanning-tree domain information such as the designated port and the port roles.
526
The operational mode command show spanning-tree bridge displays the spanning-tree domain information at either the bridge level or interface level. If the optional interface name is omitted, all interfaces in the spanning-tree domain are displayed.
Related Topics
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Understanding MSTP for EX-series Switches on page 487
Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches
EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). Configure BPDU protection on interfaces to prevent them from receiving BPDUs that could result in STP misconfigurations, which could lead to network outages. This example describes how to configure BPDU protection on access interfaces on an EX-series switch in an RSTP topology:
Requirements on page 527 Overview and Topology on page 527 Configuration on page 529 Verification on page 530
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.1 or later for EX-series switches Two EX-series switches in an RSTP topology
Before you configure the interfaces on Switch 2 for BPDU protection, be sure you have:
Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches
527
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Enable BPDU protection on switch interfaces connected to user devices or on interfaces on which no BPDUs are expected, such as edge ports. If a BPDU is received on a BPDU-protected interface, the interface is disabled and stops forwarding frames. Two EX-series switches are displayed in Figure 32 on page 528. In this example, Switch 1 and Switch 2 are configured for RSTP and create a loop-free topology. The interfaces on Switch 2 are access ports. This example shows you how to configure interface ge-0/0/5 and interface ge-0/0/6 as edge ports and to configure BPDU protection. When BPDU protection is enabled, the interfaces will transition to a blocking state when BPDUs are received on them.
Figure 32: BPDU Protection Topology
Table 66 on page 533 shows the components that will be configured for BPDU protection.
Table 66: Components of the Topology for Configuring BPDU Protection on EX-series Switches
Property Switch 1 (Distribution Layer) Settings Switch 1 is connected to Switch 2 on a trunk interface.
528
Table 66: Components of the Topology for Configuring BPDU Protection on EX-series Switches (continued)
Property Switch 2 (Access Layer) Settings Switch 2 has these access ports that require BPDU protection:
ge-0/0/5 ge-0/0/6
This configuration example is using an RSTP topology. You also can configure BPDU protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy level.
Configuration
To configure BPDU protection on two access interfaces:
CLI Quick Configuration
To quickly configure BPDU protection on Switch 2, copy the following commands and paste them into the switch terminal window:
[edit] set protocols rstp interface ge-0/0/5 edge set protocols rstp interface ge-0/0/6 edge set protocols rstp bpdu-block-on-edge
Step-by-Step Procedure
2.
Results
Configuration
529
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Verification
To confirm that the configuration is working properly:
Displaying the Interface State Before BPDU Protection Is Triggered on page 530 Verifying That BPDU Protection is Working Correctly on page 530
Before BPDUs are being received from the PCs connected to interface ge-0/0/5 and interface ge-0/0/6, confirm the interface state. Use the operational mode command:
user@switch> show spanning-tree interface
Action
Spanning tree interface parameters for instance 0 Interface Port ID Designated port ID 128:513 128:514 128:515 128:516 128:517 128:518 128:519 Designated bridge ID 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 Port Cost 20000 20000 20000 20000 20000 20000 20000 State BLK BLK BLK FWD FWD FWD FWD Role DIS DIS DIS DESG DESG DESG DESG
ge-0/0/0.0 128:513 ge-0/0/1.0 128:514 ge-0/0/2.0 128:515 ge-0/0/3.0 128:516 ge-0/0/4.0 128:517 ge-0/0/5.0 128:518 ge-0/0/6.0 128:519 [output truncated]
Meaning
The output from the operational mode command show spanning-tree interface shows that ge-0/0/5.0 and interface ge-0/0/6.0 are designated ports in a forwarding state.
In this example, the PCs connected to Switch 2 start sending BPDUs to interface ge-0/0/5.0 and interface ge-0/0/6.0 . Verify that BPDU protection is configured on the interfaces. Use the operational mode command:
user@switch> show spanning-tree interface
Action
Spanning tree interface parameters for instance 0 Interface ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 (BpduIncon) ge-0/0/6.0 (BpduIncon) ge-0/0/7.0 Port ID 128:513 128:514 128:515 128:516 128:517 128:518 128:519 128:520 Designated port ID 128:513 128:514 128:515 128:516 128:517 128:518 128:519 128:1 Designated bridge ID 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 16384.00aabbcc0348 Port Cost 20000 20000 20000 20000 20000 20000 20000 20000 State BLK BLK BLK FWD FWD BLK BLK FWD Role DIS DIS DIS DESG DESG DIS DIS ROOT
530
Verification
128:521
32768.0019e2503f00
20000
FWD
DESG
Meaning
When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0 on Switch 2, the output from the operational mode command show spanning-tree interface shows that the interfaces have transitioned to a BPDU inconsistent state. The BPDU inconsistent state makes the interfaces block and prevents them from forwarding traffic. Disabling the BPDU protection configuration on an interface does not unblock the interface. If the disable-timeout statement has been included in the BPDU configuration, the interface automatically returns to service after the timer expires. Otherwise, use the operational mode command clear ethernet-switching bpdu-error to unblock the interface. If the PCs connected to Switch 2 send BPDUs to the interfaces again, BPDU protection is triggered once more and the interfaces transition back to the BPDU inconsistent state. In such cases, you need to find and repair the misconfiguration on the PCs that is triggering BPDUs being sent to Switch 2.
Related Topics
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 531 Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 536 Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches on page 540 Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 487
Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches
EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). Configure BPDU protection on non-STP interfaces that are connected to switches with spanning trees to prevent the non-STP interfaces from receiving BPDUs. When non-STP interfaces receive BPDUs, it can result in an STP misconfiguration, which could lead to network outages. This example describes how to configure BPDU protection on non-STP interfaces on an EX-series switch:
Requirements on page 532 Overview and Topology on page 532 Configuration on page 534 Verification on page 534
Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches
531
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.1 or later for EX-series switches One EX-series switch in an RSTP topology One EX-series switch that is not in a spanning-tree topology
Before you configure the interface for BPDU protection, be sure you have:
532
Requirements
Table 66 on page 533 shows the components that will be configured for BPDU protection.
Table 67: Components of the Topology for Configuring BPDU Protection on EX-series Switches
Property Switch 1 (Distribution Layer) Settings Switch 1 is connected to Switch 2 through a trunk interface. Switch 1 is configured for RSTP. Switch 2 has RSTP disabled and has these access ports that require BPDU protection:
ge-0/0/5 ge-0/0/6
CAUTION: When configuring BPDU protection on a non-STP configured switch connected to an STP-configured switch, be careful that you do not configure BPDU protection on all interfaces. Doing so could prevent BPDUs being received on interfaces (such as a trunk interface) that should be receiving BPDUs from an STP-configured switch.
533
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configuration
To configure BPDU protection on the interfaces:
CLI Quick Configuration
To quickly configure BPDU protection on Switch 2, copy the following commands and paste them into the switch terminal window:
[edit] set ethernet-switching-options bpdu-block interface ge-0/0/5 set ethernet-switching-options bpdu-block interface ge-0/0/6
Step-by-Step Procedure
Results
Verification
To confirm that the configuration is working properly, perform these tasks:
Displaying the Interface State Before BPDU Protection Is Triggered on page 534 Verifying That BPDU Protection Is Working Correctly on page 535
Before BPDUs are being received from the PCs connected to interface ge-0/0/5 and interface ge-0/0/6, confirm the interface state. Use the operational mode command:
user@switch> show ethernet-switching interfaces VLAN members default default default default v1 v1 default Blocking unblocked unblocked unblocked unblocked unblocked unblocked unblocked
Action
Interface State ge-0/0/0.0 down ge-0/0/1.0 down ge-0/0/2.0 down ge-0/0/3.0 up ge-0/0/4.0 up ge-0/0/5.0 up ge-0/0/6.0 up [output truncated]
534
Configuration
Meaning
The output from the operational mode command show ethernet-switching interfaces shows that ge-0/0/5.0 and interface ge-0/0/6.0 are up and unblocked.
In this example, the PCs connected to Switch 2 start sending BPDUs to interface ge-0/0/5.0 and interface ge-0/0/6.0. Verify that BPDU protection is configured on the interfaces. Use the operational mode command:
user@switch> show ethernet-switching interfaces VLAN members default default default default v1 v1 default Blocking unblocked unblocked unblocked unblocked unblocked blocked - blocked by bpdu-control blocked - blocked by bpdu-control
Action
Interface State ge-0/0/0.0 down ge-0/0/1.0 down ge-0/0/2.0 down ge-0/0/3.0 up ge-0/0/4.0 up ge-0/0/5.0 up ge-0/0/6.0 up [output truncated]
Meaning
When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0 on Switch 2, the output from the operational mode command show spanning-tree interface shows that the interfaces have transitioned to a BPDU inconsistent state. The BPDU inconsistent state makes the interfaces block and prevents them from forwarding traffic. Disabling the BPDU protection configuration on an interface does not unblock the interface. If the disable-timeout statement has been included in the BPDU configuration, the interface automatically returns to service after the timer expires. Otherwise, use the operational mode command clear ethernet-switching bpdu-error to unblock the interface. If the PCs connected to Switch 2 send BPDUs to the interfaces again, BPDU protection is triggered once more and the interfaces transition back to the BPDU inconsistent state. In such cases, you need to find and repair the misconfiguration on the PCs that is triggering BPDUs being sent to Switch 2.
Related Topics
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 527 Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 536 Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches on page 540 Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 487
535
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches
EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). Loop protection increases the efficiency of STP, RSTP, and MSTP by preventing interfaces from moving into a forwarding state that would result in a loop opening up in the network. This example describes how to configure loop protection for an interface on an EX-series switch in an RSTP topology:
Requirements on page 536 Overview and Topology on page 536 Configuration on page 538 Verification on page 538
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.1 or later for EX-series switches Three EX-series switches in an RSTP topology
Before you configure the interface for loop protection, be sure you have:
536
Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches
CAUTION: An interface can be configured for either loop protection or root protection, but not for both. Three EX-series switches are displayed in Figure 34 on page 537. In this example, they are configured for RSTP and create a loop-free topology. Interface ge-0/0/6 is blocking traffic between Switch 3 and Switch 1; thus, traffic is forwarded through interface ge-0/0/7 on Switch 2. BPDUs are being sent from the root bridge on Switch 1 to both of these interfaces. This example shows how to configure loop protection on interface ge-0/0/6 to prevent it from transitioning from a blocking state to a forwarding state and creating a loop in the spanning-tree topology.
Figure 34: Network Topology for Loop Protection
Table 68 on page 537 shows the components that will be configured for loop protection.
Table 68: Components of the Topology for Configuring Loop Protection on EX-series Switches
Property Switch 1 Switch 2 Switch 3 Settings Switch 1 is the root bridge. Switch 2 has the root port ge-0/0/7. Switch 3 is connected to Switch 1 through interface ge-0/0/6.
537
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The root port is responsible for forwarding data to the root bridge. The alternate port is a standby port for the root port. When a root port goes down, the alternate port becomes the active root port. The designated port forwards data to the downstream network segment or device.
This configuration example uses an RSTP topology. However, you also can configure loop protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy level.
Configuration
To configure loop protection on an interface:
CLI Quick Configuration
Step-by-Step Procedure
Results
Verification
To confirm that the configuration is working properly, perform these tasks:
Displaying the Interface State Before Loop Protection Is Triggered on page 538 Verifying That Loop Protection Is Working on an Interface on page 539
Before loop protection is triggered on interface ge-0/0/6, confirm that the interface is blocking. Use the operational mode command:
Action
538
Configuration
user@switch>
Spanning tree interface parameters for instance 0 Interface Port ID Designated port ID 128:513 128:514 128:515 128:516 128:517 128:518 128:2 Designated bridge ID 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 16384.00aabbcc0348 Port Cost 20000 20000 20000 20000 20000 20000 20000 State BLK BLK BLK FWD FWD FWD BLK Role DIS DIS DIS DESG DESG DESG ALT
ge-0/0/0.0 128:513 ge-0/0/1.0 128:514 ge-0/0/2.0 128:515 ge-0/0/3.0 128:516 ge-0/0/4.0 128:517 ge-0/0/5.0 128:518 ge-0/0/6.0 128:519 [output truncated]
Meaning
The output from the operational mode command show spanning-tree interface shows that ge-0/0/6.0 is the alternate port and in a blocking state.
Verify the loop protection configuration on interface ge-0/0/6. RSTP has been disabled on interface ge-0/0/4 on Switch 1. This will stop BPDUs from being sent to interface ge-0/0/6 and trigger loop protection on the interface. Use the operational mode command:
user@switch> show spanning-tree interface
Action
Spanning tree interface parameters for instance 0 Interface Port ID Designated port ID 128:513 128:514 128:515 128:516 128:517 128:518 128:519 Designated bridge ID 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 Port Cost 20000 20000 20000 20000 20000 20000 20000 State BLK BLK BLK FWD FWD FWD BLK Role DIS DIS DIS DESG DESG DESG DIS
ge-0/0/0.0 128:513 ge-0/0/1.0 128:514 ge-0/0/2.0 128:515 ge-0/0/3.0 128:516 ge-0/0/4.0 128:517 ge-0/0/5.0 128:518 ge-0/0/6.0 128:519 (Loop-Incon) [output truncated]
Meaning
The operational mode command show spanning-tree interface shows that interface ge-0/0/6.0 has detected that BPDUs are no longer being forwarded to it and has moved into a loop-inconsistent state. The loop-inconsistent state prevents the interface from transitioning to a forwarding state. The interface recovers and transitions back to its original state as soon as it receives BPDUs.
Related Topics
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches on page 540 Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 527
539
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 531 Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches on page 489
Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches
EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). Root protection increases the efficiency of STP, RSTP, and MSTP by allowing network administrators to manually enforce the root bridge placement in the network. This example describes how to configure root protection on an interface on an EX-series switch:
Requirements on page 540 Overview and Topology on page 540 Configuration on page 543 Verification on page 543
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.1 or later for EX-series switches Four EX-series switches in an RSTP topology
Before you configure the interface for root protection, be sure you have:
540
Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches
port. These interfaces are typically located on an administrative boundary and are designated ports. When root protection is enabled on an interface:
The interface is blocked from becoming the root port. Root protection is enabled for all STP instances on that interface. The interface is blocked only for instances for which it receives superior BPDUs. Otherwise, it participates in the spanning-tree topology.
CAUTION: An interface can be configured for either root protection or loop protection, but not for both. Four EX-series switches are displayed in Figure 35 on page 542. In this example, they are configured for RSTP and create a loop-free topology. Interface ge-0/0/7 on Switch 1 is a designated port on an administrative boundary. It connects to Switch 4. Switch 3 is the root bridge. Interface ge-0/0/6 on Switch 1 is the root port. This example shows how to configure root protection on interface ge-0/0/7 to prevent it from transitioning to become the root port.
541
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 69 on page 542 shows the components that will be configured for root protection.
Table 69: Components of the Topology for Configuring Root Protection on EX-series Switches
Property Switch 1 Switch 2 Settings Switch 1 is connected to Switch 4 through interface ge-0/0/7. Switch 2 is connected to Switch 1 and Switch 3. Interface ge-0/0/4 is the alternate port in the RSTP topology. Switch 3 is the root bridge and is connected to Switch 1 and Switch 2. Switch 4 is connected to Switch 1. After loop protection is configured on interface ge-0/0/7, Switch 4 will send superior BPDUs that will trigger loop protection on interface ge-0/0/7.
Switch 3 Switch 4
542
The root port is responsible for forwarding data to the root bridge. The alternate port is a standby port for the root port. When a root port goes down, the alternate port becomes the active root port. The designated port forwards data to the downstream network segment or device.
This configuration example uses an RSTP topology. However, you also can configure root protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy level.
Configuration
To configure root protection on an interface:
CLI Quick Configuration
To quickly configure root protection on interface ge-0/0/7, copy the following command and paste it into the switch terminal window:
[edit] set protocols rstp interface ge-0/0/7 no-root-port
Step-by-Step Procedure
Results
Verification
To confirm that the configuration is working properly:
Displaying the Interface State Before Root Protection Is Triggered on page 543 Verifying That Root Protection Is Working on the Interface on page 544
Before root protection is triggered on interface ge-0/0/7, confirm the interface state. Use the operational mode command:
Action
Configuration
543
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@switch>
Spanning tree interface parameters for instance 0 Interface Port ID Designated port ID 128:513 128:514 128:515 128:516 128:517 128:2 128:1 128:520 Designated bridge ID 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 16384.00aabbcc0348 16384.00aabbcc0348 32768.0019e2503f00 Port Cost 20000 20000 20000 20000 20000 20000 20000 20000 State BLK BLK BLK FWD FWD BLK FWD FWD Role DIS DIS DIS DESG DESG ALT ROOT DESG
ge-0/0/0.0 128:513 ge-0/0/1.0 128:514 ge-0/0/2.0 128:515 ge-0/0/3.0 128:516 ge-0/0/4.0 128:517 ge-0/0/5.0 128:518 ge-0/0/6.0 128:519 ge-0/0/7.0 128:520 [output truncated]
Meaning
The output from the operational mode command show spanning-tree interface shows that ge-0/0/7.0 is a designated port in a forwarding state.
A configuration change takes place on Switch 4. A smaller bridge priority on the Switch 4 causes it to send superior BPDUs to interface ge-0/0/7. Receipt of superior BPDUs on interface ge-0/0/7 will trigger root protection. Verify that root protection is operating on interface ge-0/0/7. Use the operational mode command:
user@switch> show spanning-tree interface
Action
Spanning tree interface parameters for instance 0 Interface Port ID Designated port ID 128:513 128:514 128:515 128:516 128:517 128:2 128:1 128:520 Designated bridge ID 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 32768.0019e2503f00 16384.00aabbcc0348 16384.00aabbcc0348 32768.0019e2503f00 Port Cost 20000 20000 20000 20000 20000 20000 20000 20000 State BLK BLK BLK FWD FWD BLK FWD BLK Role DIS DIS DIS DESG DESG ALT ROOT DIS
ge-0/0/0.0 128:513 ge-0/0/1.0 128:514 ge-0/0/2.0 128:515 ge-0/0/3.0 128:516 ge-0/0/4.0 128:517 ge-0/0/5.0 128:518 ge-0/0/6.0 128:519 ge-0/0/7.0 128:520 (RootIncon) [output truncated]
Meaning
The operational mode command show spanning-tree interface shows that interface ge-0/0/7.0 has transitioned to a loop inconsistent state. The loop inconsistent state makes the interface block and prevents the interface from becoming a candidate for the root port. When the root bridge no longer receives superior STP BPDUs from the interface, the interface will recover and transition back to a forwarding state. Recovery is automatic.
544
Related Topics
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 536 Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 527 Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 531 Understanding Root Protection for STP, RSTP, and MSTP on EX-series Switches on page 490
545
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
546
Chapter 35
Delete the RSTP configuration on the interface (here, the interface is ge-0/0/5):
[edit] user@switch# delete protocols rstp interface ge-0/0/5
2.
3.
Related Topics
show spanning-tree bridge show spanning-tree interface Understanding STP for EX-series Switches on page 485
547
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
548
Chapter 36
[edit vlans] Configuration Statement Hierarchy on page 549 [edit interfaces] Configuration Statement Hierarchy on page 550 [edit protocols] Configuration Statement Hierarchy on page 550
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 Example: Configure Automatic VLAN Administration Using GVRP on page 432 Example: Connecting an Access Switch to a Distribution Switch on page 422 Configuring Q-in-Q Tunneling (CLI Procedure) on page 472 Creating a Private VLAN (CLI Procedure) on page 471 Understanding Bridging and VLANs on EX-series Switches on page 395
549
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
aggregated-ether-options {
lacp mode { periodic interval; } } } ge-chassis/pic/port { description text; ether-options { 802.3ad aex; auto-negotiation; flow-control; link-mode mode; speed (speed | auto-negotiation | no-autonegotiation); } mtu bytes; unit logical-unit-number { family ethernet-switching { filter input filter-name; filter output filter-name; l3-interface interface-name-logical-unit-number; native-vlan-id vlan-id port-mode mode; vlan { members [ (all | names | vlan-ids) ]; } } vlan-id vlan-id-number; } vlan-tagging; } }
Related Topics
EX-series Switches Interfaces Overview on page 279 Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321 Configuring a Layer 3 Subinterface (CLI Procedure)
550
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
} interface (all | interface-name) { disable; guest-vlan (vlan-name | vlan-id); mac-radius <restrict>; maximum-requests seconds; no-reauthentication; quiet-period seconds; reauthentication { interval seconds; } retries number; server-fail (deny | permit | use-cache | vlan-id | vlan-name); server-reject-vlan (vlan-id | vlan-name); server-timeout seconds; supplicant (single | single-secure | multiple); supplicant-timeout seconds; transmit-period seconds; } } gvrp { disable; interface (all | [interface-name]) { disable; } join-timer millseconds; leave-timer milliseconds; leaveall-timer milliseconds; } igmp-snooping { traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag (detail | disable | receive | send); } vlan (vlan-id | vlan-number { disable{ interface interface-name } immediate-leave; interface interface-name { multicast-router-interface; static { group ip-address; } } query-interval seconds; query-last-member-interval seconds; query-response-interval seconds; robust-count number; } } lldp { disable; advertisement-interval seconds;
551
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
hold-multiplier number; interface (all | interface-name) { disable; } traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag (detail | disable | receive | send); } transmit-delay seconds; } lldp-med { disable; fast-start number; interface (all | interface-name) { disable; location { elin number; civic-based { what number; country-code code; ca-type { number { ca-value value; } } } } } } mstp { disable; bpdu-block-on-edge; bridge-priority priority; configuration-name name; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds; max-hops hops; msti msti-id { vlan (vlan-id | vlan-name); interface interface-name { disable; cost cost;
552
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
revision-level revision-level;
traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } } rstp { disable; bpdu-block-on-edge; bridge-priority priority; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds; } traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } stp { disable; bridge-priority priority; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds;
553
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
} traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } } sflow { collector { ip-address; udp-port port-number; } disable; interfaces interface-name { disable; polling-interval seconds; sample-rate number; } polling-interval seconds; sample-rate number; }
Related Topics
802.1X for EX-series Switches Overview on page 718 Example: Configure Automatic VLAN Administration Using GVRP on page 432 Understanding 802.1X MAC RADIUS Authentication on EX-series Switches on page 723 Understanding Server Fail Fallback and 802.1X Authentication on EX-series Switches on page 725 IGMP Snooping on EX-series Switches Overview on page 659 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728 Understanding MSTP for EX-series Switches on page 487 Understanding RSTP for EX-series Switches on page 486 Understanding STP for EX-series Switches on page 485 Understanding Using sFlow Technology for Network Monitoring on an EX-series Switch on page 1307
554
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
alarm
Syntax Hierarchy Level
alarm; [edit protocols mstp interface (all | interface-name) bpdu-timeout-action], [edit protocols rstp interface (all | interface-name) bpdu-timeout-action], [edit protocols stp interface (all | interface-name) bpdu-timeout-action]
Statement introduced in JUNOS Release 9.1 for EX-series switches. For interfaces configured for loop protection, configure the software to generate a message to be sent to the system log file to record the loop-protection event. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 536 Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches on page 489
alarm
555
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
block
Syntax Hierarchy Level
block; [edit protocols mstp interface (all | interface-name) bpdu-timeout-action], [edit protocols rstp interface (all | interface-name) bpdu-timeout-action], [edit protocols stp interface (all | interface-name) bpdu-timeout-action]
Statement introduced in JUNOS Release 9.1 for EX-series switches. Configure loop protection on a specific interface. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 536 Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches on page 489
556
block
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
bpdu-block
Syntax
Statement introduced in JUNOS Release 9.1 for EX-series switches. Configure BPDU protection on an interface. If the interface receives BPDUs, it is disabled. The statements are explained separately.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface clear ethernet-switching bpdu-error Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 531 Unblocking an Interface That Receives BPDUs in Error (CLI Procedure) on page 475 Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491
bpdu-block
557
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
bpdu-block-on-edge
Syntax Hierarchy Level
Statement introduced in JUNOS Release 9.1 for EX-series switches. Configure bridge protocol data unit (BPDU) protection on all edge ports of a switch. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface clear ethernet-switching bpdu-error Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 527
558
bpdu-block-on-edge
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
bpdu-timeout-action
Syntax
bpdu-timeout-action { block; alarm; } [edit protocols mstp interface (all | interface-name)], [edit protocols rstp interface (all | interface-name)], [edit protocols stp interface (all | interface-name)]
Hierarchy Level
Statement introduced in JUNOS Release 9.1 for EX-series switches. Configure the BPDU timeout action on a specific interface. You must configure at least one action (alarm, block, or both). The statements are explained separately.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 536 Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches on page 489
bpdu-timeout-action
559
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
bridge-priority
Syntax Hierarchy Level
bridge-priority priority; [edit [edit [edit [edit protocols protocols protocols protocols mstp], mstp msti msti-id], rstp], stp]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the bridge priority. The bridge priority determines which bridge is elected as the root bridge. If two bridges have the same path cost to the root bridge, the bridge priority determines which bridge becomes the designated bridge for a LAN segment. 32,768
priority Bridge priority. It can be set only in increments of 4096.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Understanding MSTP for EX-series Switches on page 487
560
bridge-priority
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
configuration-name
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify the configuration name. The configuration name is the MSTP region name carried in the MSTP BPDUs. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Understanding MSTP for EX-series Switches on page 487
configuration-name
561
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
cost
Syntax Hierarchy Level
cost cost; [edit [edit [edit [edit protocols protocols protocols protocols mstp interface (all | interface-name)], mstp msti msti-id interface interface-name], rstp interface (all | interface-name)], stp interface (all | interface-name)]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple Spanning Tree Protocol (MSTP), configure link cost to control which bridge is the designated bridge and which interface is the designated interface. The link cost is determined by the link speed.
cost Link cost associated with the port.
Default Options
Range: 1 through 200,000,000 Default: Link cost is determined by the link speed.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Understanding STP for EX-series Switches on page 485 Understanding MSTP for EX-series Switches on page 487
562
cost
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
customer-vlans
Syntax Hierarchy Level Release Information Description Options
Statement introduced in JUNOS Release 9.3 for EX-series switches. Limit the set of accepted C-VLAN tags to a list of ranges or discrete values.
idNumeric identifier for a VLAN. rangeRange of numeric identifiers for VLANs.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
dot1q-tunneling ether-type Example: Setting Up Q-in-Q Tunneling on EX-series Switches on page 453 Configuring Q-in-Q Tunneling (CLI Procedure) on page 472
description
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Provide a textual description of the VLAN. The text has no effect on the operation of the VLAN or switch.
text-description Text to describe the interface. It can contain letters, numbers, and
Options
hyphens (-) and can be up to 255 characters long. If the text includes spaces, enclose the entire text in quotation marks.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show vlans Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Understanding Bridging and VLANs on EX-series Switches on page 395
customer-vlans
563
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
disable
Syntax Hierarchy Level
Release Information
NOTE: As of JUNOS Release 9.2, GVRP can be enabled only on trunk interfaces.
Description Default
Disable the GVRP configuration on the interface. If you do not configure GVRP, it is disabled. You can use this command to disable a prior configuration of GVRP on a specified interface. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show gvrp Example: Configure Automatic VLAN Administration Using GVRP on page 432
564
disable
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
disable
Syntax Hierarchy Level
disable; [edit protocols mstp], [edit protocols mstp interface interface-name], [ edit protocols mstp msti msti-id vlan (vlan-id | vlan-name) interface interface-name, [edit protocols rstp], [edit protocols rstp interface interface-name], [edit protocols stp] [edit protocols stp interface interface-name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Disable STP, MSTP, or RSTP on the switch or on a specific interface. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Understanding MSTP for EX-series Switches on page 487 Understanding STP for EX-series Switches on page 485
disable
565
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
disable-timeout
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.1 for EX-series switches. For interfaces configured for BPDU protection, specify the amount of time an interface receiving BPDUs is disabled. The disable timeout is not enabled.
timeout Amount of time, in seconds, the interface receiving BPDUs is disabled.
Default Options
Once the timeout expires, the interface is brought back into service. Range: 10 through 3600 seconds
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 531 Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 487
566
disable-timeout
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
dot1q-tunneling
Syntax
Hierarchy Level Release Information Description Required Privilege Level Related Topics
Statement introduced in JUNOS Release 9.3 for EX-series switches. The remaining statement is explained separately. Set a global value for the Ethertype for Q-in-Q tunneling. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
dot1q-tunneling Example: Setting Up Q-in-Q Tunneling on EX-series Switches on page 453 Configuring Q-in-Q Tunneling (CLI Procedure) on page 472
dot1q-tunneling
Syntax
Statement introduced in JUNOS Release 9.3 for EX-series switches. Enable Q-in-Q tunneling on the specified VLAN. The remaining statement is explained separately.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
dot1q-tunneling Example: Setting Up Q-in-Q Tunneling on EX-series Switches on page 453 Configuring Q-in-Q Tunneling (CLI Procedure) on page 472
dot1q-tunneling
567
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
edge
Syntax Hierarchy Level
edge; [edit [edit [edit [edit protocols protocols protocols protocols mstp interface (all | interface-name)], mstp msti msti-id interface interface-name], rstp interface (all | interface-name)], stp interface (all | interface-name)]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple Spanning Tree Protocol (MSTP), configure interfaces as edge interfaces. Edge interfaces immediately transition to a forwarding state. Edge interfaces are not enabled. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Understanding MSTP for EX-series Switches on page 487 Understanding STP for EX-series Switches on page 485
568
edge
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
ethernet-switching-options
Syntax
ethernet-switching-options { analyzer { name { loss-priority priority; ratio number; input { ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } egress { interface (all | interface-name); } output { interface interface-name; vlan (vlan-id | vlan-name); } } } bpdu-block { interface (all | [interface-name]); disable-timeout timeout; } dot1q-tunneling { ether-type (0x8100 | 0x88a8 | 0x9100) } redundant-trunk-group { group-name name { interface interface-name <primary>; interface interface-name; } } secure-access-port { interface (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted); mac-limit limit action action; no-allowed-mac-log; static-ip ip-address { vlan vlan-name; mac mac-address; } } vlan (all | vlan-name) { (arp-inspection | no-arp-inspection); dhcp-option82 { circuit-id { prefix hostname; use-interface-description;
ethernet-switching-options
569
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
use-vlan-id; } remote-id { prefix hostname | mac | none; use-interface-description; use-string string; } vendor-id [string]; } (examine-dhcp | no-examine-dhcp); (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } } storm-control { interface (all | interface-name) { level level; no-broadcast; no-unknown-unicast; } } traceoptions { file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>; flag flag <disable>; } unknown-unicast-forwarding { vlan (all | vlan-name) { interface interface-name; } } voip { interface (all | [interface-name | access-ports]) { vlan vlan-name ; forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>; } } }
Hierarchy Level Release Information
[edit]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Support for storm control and BPDU protection added in JUNOS Release 9.1 for EX-series switches. Options static-ip and ip-source-guard added in JUNOS Release 9.2 for EX-series switches. Options dhcp-option82, dot1q-tunneling, and no-allowed-mac-log added in JUNOS Release 9.3 for EX-series switches. Configure Ethernet switching options. The remaining statements are explained separately.
Description
570
ethernet-switching-options
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 487 Port Mirroring on EX-series Switches Overview on page 1269 Port Security for EX-series Switches Overview on page 734 Understanding Redundant Trunk Links on EX-series Switches on page 401 Understanding Storm Control on EX-series Switches on page 403 Understanding 802.1X and VoIP on EX-series Switches on page 732 Understanding Q-in-Q Tunneling on EX-series Switches on page 404 Understanding Unknown Unicast Forwarding on EX-series Switches on page 405
ether-type
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure a global value for the Ethertype. Only one Ethertype value is supported at a time. The Ethertype value appears in the Ethernet type field of the packet. It specifies the protocol being transported in the Ethernet frame. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
dot1q-tunneling Example: Setting Up Q-in-Q Tunneling on EX-series Switches on page 453 Configuring Q-in-Q Tunneling (CLI Procedure) on page 472
ether-type
571
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
filter
Syntax Hierarchy Level Release Information Description Default
Statement introduced in JUNOS Release 9.0 for EX-series switches. Apply a firewall filter to traffic coming into or exiting from the VLAN. All incoming traffic is accepted unmodified to the VLAN, and all outgoing traffic is sent unmodified from the VLAN.
filter-name Name of a firewall filter defined in a filter statement.
Options
inputApply a firewall filter to VLAN ingress traffic. outputApply a firewall filter to VLAN egress traffic.
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092 Firewall Filters for EX-series Switches Overview on page 1041
572
filter
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
forward-delay
Syntax Hierarchy Level
forward-delay seconds; [edit protocols mstp], [edit protocols rstp], [edit protocols stp]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple Spanning Tree Protocol (MSTP), specify how long a bridge interface remains in the listening and learning states before transitioning to the forwarding state. 15 seconds
seconds Number of seconds the bridge interface remains in the listening and
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Understanding MSTP for EX-series Switches on page 487 Understanding STP for EX-series Switches on page 485
forward-delay
573
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
group-name
Syntax
group-name name { interface interface-name <primary>; interface interface-name; } [edit ethernet-switching-options redundant-trunk-group]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Create a redundant trunk group.
nameThe name of the redundant trunk group. The group name must start with a
letter and can consist of letters, numbers, dashes, and underscores. The remaining options are explained separately.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
Example: Configuring Redundant Trunk Links for Faster Recovery on page 447 Understanding Redundant Trunk Links on EX-series Switches on page 401
574
group-name
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
gvrp
Syntax
gvrp { interface [interface-name] { disable; } join-timer milliseconds; leave-timer milliseconds; leaveall-timer milliseconds; } [edit protocols]
NOTE: As of JUNOS Release 9.2, GVRP can be configured only on trunk interfaces.
Description
When GVRP is configured on a trunk interface, it ensures that the VLAN membership information on the trunk interface is updated as the switchs access interfaces become active or inactive in the configured VLANs. The statements are explained separately.
When GVRP is configured, it is automatically enabled. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show gvrp Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 Example: Configure Automatic VLAN Administration Using GVRP on page 432
gvrp
575
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
hello-time
Syntax Hierarchy Level
hello-time seconds; [edit protocols mstp], [edit protocols rstp], [edit protocols stp]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple Spanning Tree Protocol (MSTP), the time interval at which the root bridge transmits configuration BPDUs. 2 seconds
seconds Number of seconds between transmissions of configuration BPDUs.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Understanding MSTP for EX-series Switches on page 487 Understanding STP for EX-series Switches on page 485
576
hello-time
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
instance-type
Syntax Hierarchy Level Release Information Description Options Required Privilege Level Related Topics
Statement introduced in JUNOS Release 9.3 for EX-series switches. Specify the type of routing instance.
virtual-routerA logical entity.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Using Virtual Routing Instances to Route Among VLANs on EX-series Switches on page 460 Configuring Virtual Routing Instances Using VRF (CLI Procedure) on page 473
interface
Syntax Hierarchy Level Release Information Description Options
Statement introduced in JUNOS Release 9.1 for EX-series switches. Apply BPDU protection to all interfaces or one or more interfaces.
allAll interfaces. interface-name Name of a Gigabit Ethernet interface.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 531 Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 487
instance-type
577
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
interface
Syntax
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure GARP VLAN Registration Protocol (GVRP) for one or more interfaces. By default, GVRP is disabled.
allAll interfaces. interface-nameThe list of interfaces to be configured for GVRP.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show gvrp Example: Configure Automatic VLAN Administration Using GVRP on page 432
578
interface
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
interface
Syntax
interface interface-name <primary>; interface interface-name; [edit ethernet-switching-options redundant-trunk-group group-name name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure a primary link and secondary link on trunk ports. If the primary link fails, the secondary link automatically takes over as the primary link without waiting for normal STP convergence.
interface interface-nameA logical interface or an aggregated interface containing
Options
multiple ports.
primary(Optional) Specify one of the interfaces in the redundant group as the
primary link. The interface without this option is the secondary link in the redundant group. If a link is not specified as primary, the software compares the two links and selects the link with the highest port number as the active link. For example, if the two interfaces are ge-0/1/0 and ge-0/1/1, the software assigns ge-0/1/1 as the active link.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
Example: Configuring Redundant Trunk Links for Faster Recovery on page 447 Understanding Redundant Trunk Links on EX-series Switches on page 401
interface
579
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
interface
Syntax
interface (all | interface-name) { level level; no-broadcast; no-unknown-unicast; } [edit ethernet-switching-options storm-control]
Statement introduced in JUNOS Release 9.1 for EX-series switches. Apply storm control to all interfaces or to the specified interface. The statements are explained separately.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 451 Understanding Storm Control on EX-series Switches on page 403
580
interface
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
interface
Syntax
interface interface-name { disable; cost cost; edge; mode mode; no-root-port; priority priority; } [edit [edit [edit [edit protocols protocols protocols protocols mstp], mstp msti], rstp], stp]
Hierarchy Level
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple Spanning Tree Protocol (MSTP), configure an interface.
interface-name Name of a Gigabit Ethernet interface.
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Understanding MSTP for EX-series Switches on page 487 Understanding RSTP for EX-series Switches on page 486 Understanding STP for EX-series Switches on page 485
interface
581
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
interface
Syntax Hierarchy Level Release Information Description Required Privilege Level Related Topics
Statement introduced in JUNOS Release 9.3 for EX-series switches. Specify the interface to which unknown unicast packets will be forwarded. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show vlans show ethernet-switching table Configuring Unknown Unicast Forwarding (CLI Procedure) on page 476 Understanding Unknown Unicast Forwarding on EX-series Switches on page 405
join-timer
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. For GARP VLAN Registration Protocol (GVRP), configure the maximum number of milliseconds interfaces must wait before sending VLAN advertisements. 20 centiseconds
milliseconds Number of milliseconds.
Default: 20 centiseconds routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show gvrp Example: Configure Automatic VLAN Administration Using GVRP on page 432
582
interface
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
l3-interface
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Associate a Layer 3 interface with the VLAN. Configure Layer 3 interfaces on trunk ports to allow the interface to transfer traffic between multiple VLANs. Within a VLAN, traffic is bridged, while across VLANs, traffic is routed. No Layer 3 (routing) interface is associated with the VLAN. vlan. logical-interface-number Number of the logical interface defined with a set interfaces vlan unit command. For the logical interface number, use the same number you configure in the unit statement. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Default Options
show ethernet-switching interfaces show vlans Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Understanding Bridging and VLANs on EX-series Switches on page 395
l3-interface
583
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
leaveall-timer
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. For GARP VLAN Registration Protocol (GVRP), configure the interval at which Leave All messages are sent on the interfaces. Leave All messages maintain current GVRP VLAN membership information in the network. A Leave All message instructs the port to change the GVRP state for all its VLANs to a leaving state and remove them unless a Join message is received before the leave timer expires. 1000 centiseconds
milliseconds Number of milliseconds. Range: 5 times leave-timer value
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show gvrp Example: Configure Automatic VLAN Administration Using GVRP on page 432
584
leaveall-timer
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
leave-timer
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. For GARP VLAN Registration Protocol (GVRP), configure the number of milliseconds an interface must wait after receiving a leave message to remove the interface from the VLAN specified in the message. If the interface receives a join message before the timer expires, the software keeps the interface in the VLAN. 60 centiseconds
milliseconds Number of milliseconds. At a minimum, the leave timer interval should
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show gvrp Example: Configure Automatic VLAN Administration Using GVRP on page 432
leave-timer
585
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
level
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.1 for EX-series switches. For interfaces configured for storm control, configure the storm control level as a percentage of the combined broadcast and unknown unicast streams. The level set to 100% means no traffic storm control. When storm control is enabled on an interface, the storm control level is 80%.
levelPercentage of the combined broadcast and unknown unicast streams.
Default Options
Range: 0 through 100 % Default: 80 % The remaining statements are explained separately.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 451 Understanding Storm Control on EX-series Switches on page 403
586
level
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
mac-limit
Syntax Hierarchy Level Release Information Description Default Options Required Privilege Level Related Topics
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the number of MAC addresses allowed on a VLAN. MAC limit is disabled. numberMaximum number of MAC addresses. Range: 1 through 32768 routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show vlans Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Configuring MAC Table Aging (CLI Procedure) on page 474 Understanding Bridging and VLANs on EX-series Switches on page 395
mac-limit
587
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
mac-table-aging-time
Syntax Hierarchy Level Release Information Description Default Options
Statement introduced in JUNOS Release 9.0 for EX-series switches. Define how long entries remain in the Ethernet switching table before expiring. 300 seconds secondsTime that entries remain in the Ethernet switching table before being removed.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Understanding Bridging and VLANs on EX-series Switches on page 395
588
mac-table-aging-time
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
max-age
Syntax Hierarchy Level
max-age seconds; [edit protocols mstp], [edit protocols rstp], [edit protocols stp]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple Spanning Tree Protocol (MSTP), specify the maximum age of received protocol BPDUs. 20 seconds
seconds The maximum age of received protocol BPDUs.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Understanding MSTP for EX-series Switches on page 487 Understanding STP for EX-series Switches on page 485
max-age
589
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
max-hops
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Multiple Spanning Tree Protocol (MSTP), configure the maximum number of hops a BPDU can be forwarded in the MSTP region. 20 hops
hops Number of hops the BPDU can be forwarded.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Understanding MSTP for EX-series Switches on page 487
590
max-hops
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
members
Syntax Hierarchy Level
members [ (all | names | vlan-ids) ]; [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching vlan]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For trunk interfaces, configure the VLANs for which the interface can carry traffic.
allSpecifies that this trunk interface is a member of all the VLANs that are configured
on this switch. When a new VLAN is configured on the switch, this trunk interface automatically becomes a member of the VLAN.
NOTE: Each VLAN that is configured must have a specified VLAN ID when you attempt to commit the configuration; otherwise, the configuration commit fails. Also, all cannot be the name of a VLAN on the switch.
names Name of one or more VLANs. vlan-ids Numeric identifier of one or more VLANs. For a series of tagged VLANs, specify a range; for example, 10-20.
Required Privilege Level Related Topics
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Interfaces on EX-series Switches (CLI Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 Example: Connecting an Access Switch to a Distribution Switch on page 422 Creating a Series of Tagged VLANs (CLI Procedure) on page 470 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
members
591
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
mode
Syntax Hierarchy Level
mode mode; [edit [edit [edit [edit protocols protocols protocols protocols mstp interface (all | interface-name)], mstp msti msti-id interface interface-name], rstp interface (all | interface-name)], stp interface (all | interface-name)]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple Spanning Tree Protocol (MSTP), configure the link mode to identify point-to-point links. For a full-duplex link, the default link mode is point-to-point. For a half-duplex link, the default link mode is shared. modeLink mode:
Default
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Understanding MSTP for EX-series Switches on page 487 Understanding STP for EX-series Switches on page 485
592
mode
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
msti
Syntax
msti msti-id { vlan[vlan-id ]; interface interface-name { disable; cost cost; priority priority; } } [edit protocols mstp]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the Multiple Spanning Tree Instance (MSTI) identifier for Multiple Spanning Tree Protocol (MSTP). MSTI IDs are local to each region, so you can reuse the same MSTI ID in different regions. MSTI is disabled.
msti-id MSTI identifer.
Default Options
Range: 1 through 4094. The Common Instance Spanning Tree (CIST) is always MSTI 0. The remaining statements are explained separately.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Understanding MSTP for EX-series Switches on page 487
msti
593
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
mstp
Syntax
mstp { disable; bpdu-block-on-edge; bridge-priority priority; configuration-name name; forward-delay seconds; hello-time seconds; interface ( all | interface-name { bpdu-timeout-action { block; alarm; } disable; cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds; max-hops hops; msti msti-id { vlan (vlan-id | vlan-name); interface interface-name { disable; cost cost; priority priority; } } traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } revision-level revision-level; } [edit protocols]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure Multiple Spanning Tree Protocol (MSTP). MSTP is defined in the IEEE 802.1Q-2003 specification and is used to create a loop-free topology in networks with multiple spanning tree regions. The statements are explained separately.
594
mstp
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Understanding MSTP for EX-series Switches on page 487
native-vlan-id
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the VLAN identifier to associate with untagged packets received on the interface.
vlan-idNumeric identifier of the VLAN.
Range: 0 through 4095 routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show vlans show ethernet-switching interfaces Understanding Bridging and VLANs on EX-series Switches on page 395
native-vlan-id
595
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
no-broadcast
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.1 for EX-series switches. For interfaces configured for storm control, disable broadcast traffic storm control on the interface. When storm control is enabled on an interface, it is enabled for both unknown unicast traffic and broadcast traffic. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Default
Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 451 Understanding Storm Control on EX-series Switches on page 403
no-local-switching
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.3 for EX-series switches. Specify that access ports in this VLAN domain do not forward packets to each other. You use this statement with primary VLANs and isolated secondary VLANs. routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
Example: Configuring a Private VLAN on an EX-series Switch on page 455 Creating a Private VLAN (CLI Procedure) on page 471
596
no-broadcast
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
no-root-port
Syntax Hierarchy Level
no-root-port; [edit protocols mstp interface (all | interface-name)], [edit protocols rstp interface (all | interface-name)], [edit protocols stp interface (all | interface-name)]
Statement introduced in JUNOS Release 9.1 for EX-series switches. Configure an interface to be a spanning tree designated port. If the bridge receives superior STP bridge protocol data units (BPDUs) on a root-protected interface, that interface transitions to a root-prevented STP state (inconsistency state) and the interface is blocked. This blocking prevents a bridge that should not be the root bridge from being elected the root bridge. When the bridge stops receiving superior STP BPDUs on the root-protected interface, interface traffic is no longer blocked. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches on page 540 Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491
no-root-port
597
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
no-unknown-unicast
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.1 for EX-series switches. For interfaces configured for storm control, disable unknown unicast traffic storm control on the interface. When storm control is enabled on an interface, it is enabled for both unknown unicast traffic and broadcast traffic. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Default
Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 451 Understanding Storm Control on EX-series Switches on page 403
598
no-unknown-unicast
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
port-mode
Syntax Hierarchy Level Release Information Description Default Options
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure whether an interface on the switch operates in access or trunk mode. All switch interfaces are in access mode.
accessHave the interface operate in access mode. In this mode, the interface can
be in a single VLAN only. Access interfaces typically connect to network devices such as PCs, printers, IP telephones, and IP cameras.
trunkHave the interface operate in trunk mode. In this mode, the interface can be
in multiple VLANs and can multiplex traffic between different VLANs. Trunk interfaces typically connect to other switches and to routers on the LAN.
Required Privilege Level Related Topics
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Interfaces on EX-series Switches (CLI Procedure) Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
primary-vlan
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure the primary VLAN for this community VLAN. The primary VLAN must be tagged, and the secondary community VLAN must be untagged. routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
Example: Configuring a Private VLAN on an EX-series Switch on page 455 Creating a Private VLAN (CLI Procedure) on page 471
port-mode
599
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
primary-vlan
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure the primary VLAN for this community VLAN. The primary VLAN must be tagged, and the secondary community VLAN must be untagged. routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
Example: Configuring a Private VLAN on an EX-series Switch on page 455 Creating a Private VLAN (CLI Procedure) on page 471
600
primary-vlan
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
priority
Syntax Hierarchy Level
priority priority; [edit [edit [edit [edit protocols protocols protocols protocols mstp interface (all | interface-name)], mstp msti msti-id interface interface-name], rstp interface (all | interface-name)], stp interface (all | interface-name)]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple Spanning Tree Protocol (MSTP), the interface priority to control which interface is elected as the root port. The default value is 128.
priority Interface priority. The interface priority must be set in increments of 16.
Range: 0 through 240 routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Understanding MSTP for EX-series Switches on page 487 Understanding STP for EX-series Switches on page 485
priority
601
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
redundant-trunk-group
Syntax
redundant-trunk-group { group-name name { interface interface-name <primary>; interface interface-name; } } [edit ethernet-switching-options]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure a primary link and secondary link on trunk ports. If the primary link fails, the secondary link automatically takes over without waiting for normal STP convergence. The statements are explained separately. routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
Example: Configuring Redundant Trunk Links for Faster Recovery on page 447 Understanding Redundant Trunk Links on EX-series Switches on page 401
routing-instances
Syntax
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure a virtual routing entity.
routing-instance-nameName for this routing instance.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Using Virtual Routing Instances to Route Among VLANs on EX-series Switches on page 460 Configuring Virtual Routing Instances Using VRF (CLI Procedure) on page 473
602
redundant-trunk-group
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
rstp
Syntax
rstp { disable; bpdu-block-on-edge; bridge-priority priority; forward-delay seconds; hello-time seconds; interface (all | interface-name) { bpdu-timeout-action { block; alarm; } disable; cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds; traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } } [edit protocols]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure Rapid Spanning Tree Protocol (RSTP). RSTP is defined in the IEEE 802.1D-2004 specification and is used to prevent loops in Layer 2 networks, providing shorter convergence times than those provided with basic STP. The statements are explained separately.
RSTP is enabled on all Ethernet switching interfaces. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Understanding RSTP for EX-series Switches on page 486
rstp
603
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
storm-control
Syntax
storm-control { interface (all | interface-name) { level level; no-broadcast; no-unknown-unicast; } } [edit ethernet-switching-options]
Statement introduced in JUNOS Release 9.1 for EX-series switches. Apply storm control to all interfaces or to the specified interfaces. The statements are explained separately.
Storm control is disabled. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 451 Understanding Storm Control on EX-series Switches on page 403
604
storm-control
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
stp
Syntax
stp { disable; bridge-priority priority; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds; traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } } [edit protocols]
Statement introduced in JUNOS Release 9.0 for EX-series switches. When you explicitly configure STP, the EX-series switches use the IEEE 802.1D 2004 specification, force version 0. This configuration runs a version of RSTP that is compatible with the classic, basic STP (defined in the IEEE 802.1D 1998 specification). The remaining statements are explained separately.
STP is disabled; by default, RSTP is enabled on all Ethernet switching ports. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 527 Configuring STP (CLI Procedure) on page 547 Understanding STP for EX-series Switches on page 485
stp
605
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
traceoptions
Syntax
traceoptions { file name <replace> <size size> <files number> <no-stamp> <(world-readable | no-world-readable)>; flag flag <flag-modifier> <disable>; } [edit protocols mstp], [edit protocols rstp], [edit protocols stp]
Hierarchy Level
Statement introduced in JUNOS Release 9.0 for EX-series switches. Set STP protocol-level tracing options. Traceoptions is disabled.
disable(Optional) Disable the tracing operation. One use of this option is to disable
a single operation when you have defined a broad group of tracing operations, such as all.
file name Name of the file to receive the output of the tracing operation. Enclose
the name in quotation marks. We recommend that you place STP tracing output in the file /var/log/stp-log.
files number (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file .0, then trace-file .1, and so on, until the maximum number of trace files is reached. Then, the
oldest trace file is overwritten. If you specify a maximum number of files, you must also specify a maximum file size with the size option. Range: 2 through 1000 files Default: 1 trace file only
flag Tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. These are the STP-specific tracing options:
all Trace all operations. all-failures Trace all failure conditions. bpdu Trace BPDU reception and transmission. bridge-detection-state-machine Trace the bridge detection state machine. events Trace events of the protocol state machine. port-information-state-machine Trace the port information state machine. port-migration-state-machine Trace the port migration state machine.
606
traceoptions
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
port-receive-state-machine Trace the port receive state machine. port-role-select-state-machine Trace the port role selection state machine. port-role-transit-state-machine Trace the port role transit state machine. port-transmit-state-machine Trace the port transmit state machine port-state-transit-state-machine Trace the port state transit state machine. ppmd Trace the state and events for the ppmd process state-machine-variables Trace when the state machine variables change timers Trace protocol timers topology-change-state-machine Trace the topology change state machine.
allAll tracing operations config-internalTrace configuration internals. generalTrace general events. normalAll normal events.
Default: If you do not specify this option, only unusual or abnormal operations are traced.
parseTrace configuration parsing. policyTrace policy operations and actions. regex-parseTrace regular-expression parsing. routeTrace routing table changes. stateTrace state transitions. taskTrace protocol task processing. timerTrace protocol task timer processing.
line in the trace file. Default: If you omit this option, timestamp information is placed at the beginning of each line of the tracing output.
no-world-readable(Optional) Prevent any user from reading the log file.
traceoptions
607
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Default: If you do not include this option, tracing output is appended to an existing trace file.
size size (Optional) Maximum size of each trace file, in kilobytes (KB) or megabytes (MB). When a trace file named trace-file reaches this size, it is renamed trace-file .0. When the trace-file again reaches its maximum size, trace-file .0 is renamed trace-file .1 and trace-file is renamed trace-file .0. This renaming scheme
continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum file size, you must also specify a maximum number of trace files with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through the maximum file size supported on your system Default: 1 MB
world-readable(Optional) Allow any user to read the log file.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show spanning-tree bridge show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 491 Understanding MSTP for EX-series Switches on page 487 Understanding RSTP for EX-series Switches on page 486 Understanding STP for EX-series Switches on page 485
608
traceoptions
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
translate
Syntax Hierarchy Level Release Information Description
translate vlan-id1 vlan-id2; [edit interfaces ge-fpc/chassis/port unit 0 family ethernet-switching vlan]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For trunk interfaces, have the interface change the VLAN identifier on received packets to a different identifier.
vlan-id1Number of the VLAN identifier in received packets. This identifier is removed
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show ethernet-switching interfaces Configuring Routed VLAN Interfaces (CLI Procedure) on page 468 Understanding Bridging and VLANs on EX-series Switches on page 395
translate
609
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
unknown-unicast-forwarding
Syntax
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure the switch to forward all unknown unicast packets in a VLAN or on all VLANs to a particular interface. The remaining statements are explained separately.
Unknown unicast packets are flooded to all interfaces that belong to the same VLAN. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show vlans show ethernet-switching table Configuring Unknown Unicast Forwarding (CLI Procedure) on page 476 Understanding Unknown Unicast Forwarding on EX-series Switches on page 405
610
unknown-unicast-forwarding
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
vlan
Syntax
vlan { [ (names | vlan-ids) ]; [ (names | vlan-ids) ]; translate vlan-id1 vlan-id2 } [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Gigabit Ethernet and aggregated Ethernet interfaces, binds an 802.1Q VLAN tag ID to a logical interface. The statements are explained separately.
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 JUNOS Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
vlan
Syntax Hierarchy Level Release Information Description Default Options
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the VLANs for a Multiple Spanning Tree Instance (MSTI). not enabled vlan-idNumeric VLAN identifer. vlan-nameName of the VLAN.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Understanding MSTP for EX-series Switches on page 487 Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505
vlan
611
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
vlan
Syntax
Statement introduced in JUNOS Release 9.3 for EX-series switches. Specify a VLAN from which unknown unicast packets will be forwarded or specify that the packets will be forwarded from all VLANS. Unknown unicast packets are forwarded from a VLAN to a specific trunk interface. The interface statement is explained separately.
Options
allAll VLANs.
vlan-nameName of a VLAN.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show vlans show ethernet-switching table Configuring Unknown Unicast Forwarding (CLI Procedure) on page 476 Verifying That Unknown Unicast Packets Are Forwarded to a Trunk Interface on page 479 Understanding Unknown Unicast Forwarding on EX-series Switches on page 405
612
vlan
Chapter 36: Configuration Statements for Bridging, VLANs, and Spanning Trees
vlan-id
Syntax Hierarchy Level Release Information Description Default
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure an 802.1Q tag to apply to all traffic that originates on the VLAN. If you use the default factory configuration, all traffic originating on the VLAN is untagged and has a VLAN identifier of 0.
number VLAN tag identifier.
Range: 0 through 4093. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 Understanding Bridging and VLANs on EX-series Switches on page 395
vlan-range
Syntax Hierarchy Level Release Information Description Default Options
Statement introduced in JUNOS Release 9.2 for EX-series switches. Configure multiple VLANs. Each VLAN is assigned a VLAN ID number from the range. None.
vlan-id-low-vlan-id-high Specify the first and last VLAN ID number for the group of
VLANs.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
Configuring VLANs for EX-series Switches (CLI Procedure) on page 467 Configuring VLANs for EX-series Switches (J-Web Procedure) on page 465 Configuring Routed VLAN Interfaces (CLI Procedure) on page 468 Understanding Bridging and VLANs on EX-series Switches on page 395
vlan-id
613
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
vlans
Syntax
vlans { vlan-name { description text-description; dot1q-tunneling { customer-vlans (id | range) } filter input filter-name; filter output filter-name; interface interface-name; l3-interface vlan.logical-interface-number; mac-limit number; mac-table-aging-time seconds; no-local-switching; primary-vlan vlan-name; vlan-id number; vlan-range vlan-id-low-vlan-id-high; } } [edit]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Options dot1q-tunneling, no-local-switching, and primary-vlan introduced in JUNOS Release 9.3 for EX-series switches. Configure VLAN properties on EX-series switches. If you use the default factory configuration, all switch interfaces become part of the VLAN default.
vlan-name Name of the VLAN. The name can contain letters, numbers, and hyphens
Description Default
Options
(-) and can be up to 255 characters long. The remaining statements are described separately.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
Configuring VLANs for EX-series Switches (CLI Procedure) on page 467 Configuring VLANs for EX-series Switches (J-Web Procedure) on page 465 Configuring Q-in-Q Tunneling (CLI Procedure) on page 472 Creating a Series of Tagged VLANs (CLI Procedure) on page 470 Configuring Routed VLAN Interfaces (CLI Procedure) on page 468 Creating a Private VLAN (CLI Procedure) on page 471 Understanding Bridging and VLANs on EX-series Switches on page 395
614
vlans
Chapter 37
615
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.1 for EX-series switches. Clear bridge protocol data unit (BPDU) errors from an interface and unblock the interface.
interface-name Clear BPDU errors on the specified interface.
clear
show spanning-tree statistics Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 487
616
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
Command introduced in JUNOS Release 9.0 for EX-series switches. Clear GARP VLAN Registration Protocol (GVRP) statistics. clear
show spanning-tree statistics Example: Configure Automatic VLAN Administration Using GVRP on page 432
617
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.0 for EX-series switches. Reset STP statistics for the all interfaces or a specified interface.
noneReset STP counters for all interfaces. interface-name (Optional) The name of the interface for which statistics should be
reset.
logical-unit-number (Optional) The logical unit number of the interface.
Required Privilege Level Related Topics
clear
show spanning-tree bridge show spanning-tree interface Understanding STP for EX-series Switches on page 485
618
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
Command introduced in JUNOS Release 9.0 for EX-series switches. Display information about switched Ethernet interfaces.
none(Optional) Display brief information for Ethernet-switching interfaces. brief | detail | summary(Optional) Display the specified level of output. interface interface-name (Optional) Display Ethernet-switching information for a
specific interface.
Required Privilege Level List of Sample Output
view show show show show show ethernet-switching ethernet-switching ethernet-switching ethernet-switching ethernet-switching interfaces on page 620 interfaces summary on page 620 interfaces brief on page 620 interfaces detail on page 620 interfaces ge-0/0/0.0 on page 621
Output Fields
Table 70 on page 1019 lists the output fields for the show ethernet-switching interfaces command. Output fields are listed in the approximate order in which they appear.
Field Description Name of a switching interface. Interface state. Values are up or down.
VLAN members
Name of a VLAN.
Blocking
blockedTraffic is not being forwarded on the interface. unblockedTraffic is forwarded on the interface.
The VLAN index internal to JUNOS software. Specifies whether the interface forwards 802.1Q-tagged or untagged traffic.
detail detail
619
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@switch> show ethernet-switching interfaces Interface ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ge-0/0/6.0 ge-0/0/7.0 ge-0/0/8.0 ge-0/0/9.0 ge-0/0/10.0 ge-0/0/11.0 ge-0/0/12.0 ge-0/0/13.0 ge-0/0/14.0 ge-0/0/15.0 ge-0/0/16.0 ge-0/0/17.0 ge-0/0/18.0 ge-0/0/19.0 ge-0/1/0.0 ge-0/1/1.0 ge-0/1/2.0 ge-0/1/3.0 State up down down down down down down down down up down down down down down down down down down up down down down down VLAN members T1122 default default default default default default default default T111 default default default default default default default default default T111 default default default default Blocking unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked
user@switch> show ethernet-switching interfaces summary ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/8.0 ge-0/0/10.0 ge-0/0/11.0 user@switch> show ethernet-switching interfaces brief Interface State VLAN members Blocking ge-0/0/0.0 down default unblocked ge-0/0/1.0 down employee-vlan unblocked ge-0/0/2.0 down employee-vlan unblocked ge-0/0/3.0 down employee-vlan unblocked ge-0/0/8.0 down employee-vlan unblocked ge-0/0/10.0 down default unblocked ge-0/0/11.0 down employee-vlan unblocked user@switch> show ethernet-switching interfaces detail Interface: ge-0/0/0.0 Index: 65 State: down VLANs: default untagged unblocked Interface: ge-0/0/1.0 Index: 66 State: down VLANs: employee-vlan untagged Interface: ge-0/0/2.0 Index: 67 State: down VLANs:
unblocked
620
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
employee-vlan
untagged
unblocked
Interface: ge-0/0/3.0 Index: 68 State: down VLANs: employee-vlan untagged Interface: ge-0/0/8.0 Index: 69 State: down VLANs: employee-vlan untagged Interface: ge-0/0/10.0 Index: 70 State: down VLANs: default untagged Interface: ge-0/0/11.0 Index: 71 State: down VLANs: employee-vlan tagged
unblocked
unblocked
unblocked
unblocked
user@switch> show ethernet-switching interfaces ge-0/0/0.0 Interface State VLAN members Blocking ge-0/0/0.0 down default unblocked
621
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.0 for EX-series switches. Displays the event log of learned MAC addresses. view
show ethernet-switching table show ethernet-switching interfaces Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 Example: Configure Automatic VLAN Administration Using GVRP on page 432 Example: Connecting an Access Switch to a Distribution Switch on page 422
show ethernet-switching mac-learning-log on page 622 Table 71 on page 622 lists the output fields for the show ethernet-switching mac-learning-log command. Output fields are listed in the approximate order in which they appear.
Field Description Timestamp when the MAC address was added or deleted from the log. VLAN index. An internal value assigned by the JUNOS software for each VLAN . Learned MAC address. MAC address deleted or added to the MAC learning log. The forwarding state of the interface:
blockedTraffic is not being forwarded on the interface. unblockedTraffic is forwarded on the interface.
user@switch> show ethernet-switching mac-learning-log Mon Feb 25 08:07:05 2008 vlan_idx 7 mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_idx 9 mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_idx 10 mac 00:00:00:00:00:00 was deleted
622
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
Mon Feb 25 08:07:05 2008 vlan_idx 11 mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_idx 12 mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_idx 13 mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_idx 14 mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_idx 15 mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_idx 16 mac 00:00:00:00:00:00 was deleted Mon Feb 25 08:07:05 2008 vlan_idx 4 mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_idx 6 mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_idx 7 mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_idx 9 mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_idx 10 mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_idx 11 mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_idx 12 mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_idx 13 mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_idx 14 mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_idx 15 mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_idx 16 mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_idx 5 mac 00:00:00:00:00:00 was added Mon Feb 25 08:07:05 2008 vlan_idx 18 mac 00:00:05:00:00:05 was learned Mon Feb 25 08:07:05 2008 vlan_idx 5 mac 00:30:48:90:54:89 was learned Mon Feb 25 08:07:05 2008 vlan_idx 6 mac 00:00:5e:00:01:00 was learned Mon Feb 25 08:07:05 2008 vlan_idx 16 mac 00:00:5e:00:01:08 was learned Mon Feb 25 08:07:05 2008 vlan_idx 7 mac 00:00:5e:00:01:09 was learned Mon Feb 25 08:07:05 2008 vlan_idx 8 mac 00:19:e2:50:ac:00 was learned Mon Feb 25 08:07:05 2008 vlan_idx 12 mac 00:00:5e:00:01:04 was learned [output truncated]
623
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
show ethernet-switching table <brief | detail | extensive> <interface interface-name> <vlan (vlan-id | vlan-name)>
Command introduced in JUNOS Release 9.0 for EX-series switches. Displays the Ethernet switching table. If a VLAN range has been configured for any of the VLANs on the switch, the output displays the MAC addresses for the entire series of VLANs.
none(Optional) Display brief information about the Ethernet switching table for all
Options
specified VLAN ID or VLAN name. If a VLAN range has been configured for this VLAN name, the output displays the MAC addresses for the entire series of VLANs that were created for that name.
Required Privilege Level Related Topics
view
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407 Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 Example: Configure Automatic VLAN Administration Using GVRP on page 432 Example: Setting Up Q-in-Q Tunneling on EX-series Switches on page 453
show ethernet-switching table on page 625 show ethernet-switching table (where one VLAN is configured with VLAN range and the other is not) on page 626 show ethernet-switching table brief on page 626 show ethernet-switching table detail on page 627 show ethernet-switching table extensive on page 628 show ethernet-switching table interface ge-0/0/1 on page 629 show ethernet-switching table vlan customer (vlan-name) on page 629 show ethernet-switching table vlan employee (vlan-name is vlan-range) on page 629 Table 72 on page 625 lists the output fields for the show ethernet-switching table command. Output fields are listed in the approximate order in which they appear.
Output Fields
624
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
Field Description The name of a VLAN. The MAC address associated with the VLAN. If the If a VLAN range has been configured for a VLAN, the output displays the MAC addresses for the entire series of VLANs that were created with that name. The type of MAC address. Values are:
Type
All levels
staticThe MAC address is manually created. learnThe MAC address is learned dynamically from a packet's source
MAC address.
Age
The time remaining before the entry ages out and is removed from the Ethernet switching table. Interface associated with learned MAC addresses or All-members (flood entry). For learned entries, the time which the entry was added to the Ethernet-switching table.
All levels
Interfaces Learned
All levels
detail, extensive
user@switch> show ethernet-switching table Ethernet-switching table: 57 entries, 17 learned VLAN MAC address Type F2 * Flood F2 00:00:05:00:00:03 Learn F2 00:19:e2:50:7d:e0 Static Linux * Flood Linux 00:19:e2:50:7d:e0 Static Linux 00:30:48:90:54:89 Learn T1 * Flood T1 00:00:05:00:00:01 Learn T1 00:00:5e:00:01:00 Static T1 00:19:e2:50:63:e0 Learn T1 00:19:e2:50:7d:e0 Static T10 * Flood T10 00:00:5e:00:01:09 Static T10 00:19:e2:50:63:e0 Learn T10 00:19:e2:50:7d:e0 Static T111 * Flood T111 00:19:e2:50:63:e0 Learn T111 00:19:e2:50:7d:e0 Static T111 00:19:e2:50:ac:00 Learn T2 * Flood T2 00:00:5e:00:01:01 Static T2 00:19:e2:50:63:e0 Learn T2 00:19:e2:50:7d:e0 Static T3 * Flood T3 00:00:5e:00:01:02 Static T3 00:19:e2:50:63:e0 Learn T3 00:19:e2:50:7d:e0 Static T4 * Flood T4 00:00:5e:00:01:03 Static
Age 0 0 0 0 0 0 0 0 0 -
Interfaces All-members ge-0/0/44.0 Router All-members Router ge-0/0/47.0 All-members ge-0/0/46.0 Router ge-0/0/46.0 Router All-members Router ge-0/0/46.0 Router All-members ge-0/0/15.0 Router ge-0/0/15.0 All-members Router ge-0/0/46.0 Router All-members Router ge-0/0/46.0 Router All-members Router
625
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
T4 [output truncated]
00:19:e2:50:63:e0 Learn
0 ge-0/0/46.0
show ethernet-switching table (where one VLAN is configured with VLAN range and the other is not)
user@switch> show ethernet-switching table Ethernet-switching table: 36 entries, 30 learned VLAN MAC address Type __employee_1__ * Flood __employee_1__ 00:10:94:00:00:02 Learn __employee_1__ 00:10:94:00:00:03 Learn __employee_1__ 00:10:94:00:00:04 Learn __employee_1__ 00:10:94:00:00:05 Learn __employee_1__ 00:10:94:00:00:06 Learn __employee_2__ * Flood __employee_2__ 00:10:94:00:00:02 Learn __employee_2__ 00:10:94:00:00:03 Learn __employee_2__ 00:10:94:00:00:04 Learn __employee_2__ 00:10:94:00:00:05 Learn __employee_2__ 00:10:94:00:00:06 Learn __employee_3__ * Flood __employee_3__ 00:10:94:00:00:02 Learn __employee_3__ 00:10:94:00:00:03 Learn __employee_3__ 00:10:94:00:00:04 Learn __employee_3__ 00:10:94:00:00:05 Learn __employee_3__ 00:10:94:00:00:06 Learn __employee_4__ * Flood __employee_4__ 00:10:94:00:00:02 Learn __employee_4__ 00:10:94:00:00:03 Learn __employee_4__ 00:10:94:00:00:04 Learn __employee_4__ 00:10:94:00:00:05 Learn __employee_4__ 00:10:94:00:00:06 Learn __employee_5__ * Flood __employee_5__ 00:10:94:00:00:02 Learn __employee_5__ 00:10:94:00:00:03 Learn __employee_5__ 00:10:94:00:00:04 Learn __employee_5__ 00:10:94:00:00:05 Learn __employee_5__ 00:10:94:00:00:06 Learn customer * Flood customer 00:10:94:00:00:02 Learn customer 00:10:94:00:00:03 Learn customer 00:10:94:00:00:04 Learn customer 00:10:94:00:00:05 Learn customer 00:10:94:00:00:06 Learn user@switch> show ethernet-switching table brief Ethernet-switching table: 57 entries, 17 learned VLAN MAC address Type F2 * Flood F2 00:00:05:00:00:03 Learn F2 00:19:e2:50:7d:e0 Static Linux * Flood Linux 00:19:e2:50:7d:e0 Static Linux 00:30:48:90:54:89 Learn T1 * Flood T1 00:00:05:00:00:01 Learn T1 00:00:5e:00:01:00 Static T1 00:19:e2:50:63:e0 Learn T1 00:19:e2:50:7d:e0 Static T10 * Flood T10 00:00:5e:00:01:09 Static T10 00:19:e2:50:63:e0 Learn T10 00:19:e2:50:7d:e0 Static
Age 4:35 4:27 4:30 4:23 4:34 4:27 4:35 4:22 4:31 4:26 4:23 4:31 4:26 4:35 4:38 4:23 4:31 4:26 4:35 4:38 4:27 4:35 4:22 4:31 4:26 4:23 4:31 4:27 4:35 4:38
Interfaces All-members ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 All-members ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 All-members ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 All-members ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 All-members ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 All-members ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0
Age 0 0 0 0 0 -
Interfaces All-members ge-0/0/44.0 Router All-members Router ge-0/0/47.0 All-members ge-0/0/46.0 Router ge-0/0/46.0 Router All-members Router ge-0/0/46.0 Router
626
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
* 00:19:e2:50:63:e0 00:19:e2:50:7d:e0 00:19:e2:50:ac:00 * 00:00:5e:00:01:01 00:19:e2:50:63:e0 00:19:e2:50:7d:e0 * 00:00:5e:00:01:02 00:19:e2:50:63:e0 00:19:e2:50:7d:e0 * 00:00:5e:00:01:03 00:19:e2:50:63:e0
Flood Learn Static Learn Flood Static Learn Static Flood Static Learn Static Flood Static Learn
0 0 0 0 0
All-members ge-0/0/15.0 Router ge-0/0/15.0 All-members Router ge-0/0/46.0 Router All-members Router ge-0/0/46.0 Router All-members Router ge-0/0/46.0
user@switch> show ethernet-switching table detail Ethernet-switching table: 57 entries, 17 learned F2, * Interface(s): ge-0/0/44.0 Type: Flood F2, 00:00:05:00:00:03 Interface(s): ge-0/0/44.0 Type: Learn, Age: 0, Learned: 2:03:09 F2, 00:19:e2:50:7d:e0 Interface(s): Router Type: Static Linux, * Interface(s): ge-0/0/47.0 Type: Flood Linux, 00:19:e2:50:7d:e0 Interface(s): Router Type: Static Linux, 00:30:48:90:54:89 Interface(s): ge-0/0/47.0 Type: Learn, Age: 0, Learned: 2:03:08 T1, * Interface(s): ge-0/0/46.0 Type: Flood T1, 00:00:05:00:00:01 Interface(s): ge-0/0/46.0 Type: Learn, Age: 0, Learned: 2:03:07 T1, 00:00:5e:00:01:00 Interface(s): Router Type: Static T1, 00:19:e2:50:63:e0 Interface(s): ge-0/0/46.0 Type: Learn, Age: 0, Learned: 2:03:07 T1, 00:19:e2:50:7d:e0 Interface(s): Router
627
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Type: Static T10, * Interface(s): ge-0/0/46.0 Type: Flood T10, 00:00:5e:00:01:09 Interface(s): Router Type: Static T10, 00:19:e2:50:63:e0 Interface(s): ge-0/0/46.0 Type: Learn, Age: 0, Learned: 2:03:08 T10, 00:19:e2:50:7d:e0 Interface(s): Router Type: Static T111, * Interface(s): ge-0/0/15.0 Type: Flood [output truncated]
user@switch> show ethernet-switching table extensive Ethernet-switching table: 57 entries, 17 learned F2, * Interface(s): ge-0/0/44.0 Type: Flood F2, 00:00:05:00:00:03 Interface(s): ge-0/0/44.0 Type: Learn, Age: 0, Learned: 2:03:09 F2, 00:19:e2:50:7d:e0 Interface(s): Router Type: Static Linux, * Interface(s): ge-0/0/47.0 Type: Flood Linux, 00:19:e2:50:7d:e0 Interface(s): Router Type: Static Linux, 00:30:48:90:54:89 Interface(s): ge-0/0/47.0 Type: Learn, Age: 0, Learned: 2:03:08 T1, * Interface(s): ge-0/0/46.0 Type: Flood T1, 00:00:05:00:00:01 Interface(s): ge-0/0/46.0 Type: Learn, Age: 0, Learned: 2:03:07 T1, 00:00:5e:00:01:00 Interface(s): Router Type: Static
628
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
T1, 00:19:e2:50:63:e0 Interface(s): ge-0/0/46.0 Type: Learn, Age: 0, Learned: 2:03:07 T1, 00:19:e2:50:7d:e0 Interface(s): Router Type: Static T10, * Interface(s): ge-0/0/46.0 Type: Flood T10, 00:00:5e:00:01:09 Interface(s): Router Type: Static T10, 00:19:e2:50:63:e0 Interface(s): ge-0/0/46.0 Type: Learn, Age: 0, Learned: 2:03:08 T10, 00:19:e2:50:7d:e0 Interface(s): Router Type: Static T111, * Interface(s): ge-0/0/15.0 Type: Flood [output truncated]
user@switch> show ethernet-switching table interface ge-0/0/1 Ethernet-switching table: 1 unicast entries VLAN MAC address Type Age Interfaces V1 * Flood - All-members V1 00:00:05:00:00:05 Learn 0 ge-0/0/1.0 user@switch> show ethernet-switching table customer Ethernet-switching table: 5 unicast entries VLAN MAC address Type Age customer * Flood customer 00:10:94:00:00:02 Learn 1:36 customer 00:10:94:00:00:03 Learn 1:44 customer 00:10:94:00:00:04 Learn 1:40 customer 00:10:94:00:00:05 Learn 1:48 customer 00:10:94:00:00:06 Learn 1:51
user@switch> show ethernet-switching table employee Ethernet-switching table: 25 unicast entries VLAN MAC address Type Age __employee_1__ * Flood __employee_1__ 00:10:94:00:00:02 Learn 1:23 __employee_1__ 00:10:94:00:00:03 Learn 1:15 __employee_1__ 00:10:94:00:00:04 Learn 1:18 __employee_1__ 00:10:94:00:00:05 Learn 1:11 __employee_1__ 00:10:94:00:00:06 Learn 1:22 __employee_2__ * Flood __employee_2__ 00:10:94:00:00:02 Learn 1:15 __employee_2__ 00:10:94:00:00:03 Learn 1:23 __employee_2__ 00:10:94:00:00:04 Learn 1:10 __employee_2__ 00:10:94:00:00:05 Learn 1:19 __employee_2__ 00:10:94:00:00:06 Learn 1:14
Interfaces All-members ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 All-members ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0
629
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
__employee_3__ __employee_3__ __employee_3__ __employee_3__ __employee_3__ __employee_3__ __employee_4__ __employee_4__ __employee_4__ __employee_4__ __employee_4__ __employee_4__ __employee_5__ __employee_5__ __employee_5__ __employee_5__ __employee_5__ __employee_5__
* 00:10:94:00:00:02 00:10:94:00:00:03 00:10:94:00:00:04 00:10:94:00:00:05 00:10:94:00:00:06 * 00:10:94:00:00:02 00:10:94:00:00:03 00:10:94:00:00:04 00:10:94:00:00:05 00:10:94:00:00:06 * 00:10:94:00:00:02 00:10:94:00:00:03 00:10:94:00:00:04 00:10:94:00:00:05 00:10:94:00:00:06
Flood Learn Learn Learn Learn Learn Flood Learn Learn Learn Learn Learn Flood Learn Learn Learn Learn Learn
1:11 1:19 1:14 1:23 1:26 1:11 1:19 1:14 1:23 1:26 1:15 1:23 1:10 1:19 1:14
All-members ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 All-members ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 All-members ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0 ge-0/0/6.0
630
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
show gvrp
Syntax Release Information Description Options
show gvrp
Command introduced in JUNOS Release 9.0 for EX-series switches. Display GARP VLAN Registration Protocol (GVRP) information.
noneDisplays all GVRP configuration attributes. interface interface-name (Optional) Displays GVRP statistics for a specific interface
only.
Required Privilege Level Related Topics
view
show gvrp statistics Example: Configure Automatic VLAN Administration Using GVRP on page 432
show gvrp on page 631 Table 73 on page 631 lists the output fields for the show gvrp command. Output fields are listed in the approximate order in which they appear.
GVRP statusDisplays whether GVRP is enabledor disabled. JoinThe maximum number of milliseconds the interfaces must wait before sending VLAN
advertisements.
Leave The number of milliseconds an interface must wait after receiving a Leave message
LeaveallThe interval at which Leave All messages are sent on interfaces. Leave all messages
InterfaceThe interface on which GVRP is configured.. GVRP statusDisplays whether GVRP is enabled or disabled.
show gvrp
user@switch> show gvrp Global GVRP configuration GVRP status : Enabled GVRP timers (ms) Join : 40 Leave : 120 Leaveall : 2000
show gvrp
631
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
632
show gvrp
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
Command introduced in JUNOS Release 9.0 for EX-series switches. Display Generic VLAN Registration Protocol (GVRP) statistics in the form of GARP Information Propagation (GIP) messages. clear
show gvrp Example: Configure Automatic VLAN Administration Using GVRP on page 432
show gvrp statistics on page 634 Table 74 on page 633 lists the output fields for the show gvrp statistics command. Output fields are listed in the approximate order in which they appear.
Field Description Number of GIP Join Empty messages received on the switch. Number of GIP Join In messages received on the switch. Number of GIP Empty messages received on the switch. Number of GIP Leave In messages received on the switch. Number of GIP Leave Empty messages received on the switch. Number of GIP Leave All messages received on the switch. Number of GIP Join Empty messages sent from the switch.
Number of GIP Join In messages sent from the switch. Number of GIP Empty messages sent from the switch. Number of GIP Leave In messages sent from the switch. Number of GIP Leave Empty messages sent from the switch.
633
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@switch> show gvrp statistics GVRP statistics Join Empty received : Join In received : Empty received : Leave In received : Leave Empty received : Leave All received : Join Empty transmitted : Join In transmitted : Empty transmitted : Leave In transmitted : Leave Empty transmitted : Leave All transmitted :
0 12 0 0 0 0 0 48 4 0 0 4
634
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
show redundant-trunk-group
Syntax Release Information Description Options
Command introduced in JUNOS Release 9.0 for EX-series switches. Display information about redundant trunk groups.
group-name group-nameDisplay information about the specified redundant trunk
group.
Required Privilege Level Related Topics
view
Example: Configuring Redundant Trunk Links for Faster Recovery on page 447 Understanding Redundant Trunk Links on EX-series Switches on page 401
show redundant-trunk-group group-name Group1 on page 635 Table 75 on page 635 lists the output fields for the show redundant-trunk-group command. Output fields are listed in the approximate order in which they appear.
Field Description Name of the redundant trunk port group. Name of an interface belonging to the trunk port group.
Operating state of the interface: UP or DOWN. Date and time at which the advertised link became unavailable, and then, available again. Total number of flaps since the last switch reboot.
user@switch> show redundanttrunk-group group-name Group1 show redundant-trunk-group group-name Group1 Group Name Interface Group1 ge-0/0/45.0 (P) ge-0/0/47.0 State UP UP Last Time of Flap Fri Jan 2 04:10:58 Fri Jan 2 04:10:58 # Flaps 0 0
show redundant-trunk-group
635
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.0 for EX-series switches. Display the configured or calculated spanning-tree protocol (can be either STP, RSTP, or MSTP) parameters.
none(Optional) Display brief STP bridge information for all Multiple Spanning Tree
Options
Instances (MSTIs).
brief | detail(Optional) Display the specified level of output. msti msti-id(Optional) Display STP bridge information for the specified MSTP instance ID or Common and Internal Spanning Tree (CIST). Specify 0 for CIST. Specify a value from 1 through 4094 for an MSTI. vlan vlan-id(Optional) Display STP bridge information for the specified VLAN. Specify a VLAN tag identifier from 1 through 4094.
Required Privilege Level Related Topics
view
show spanning-tree interface Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Understanding STP for EX-series Switches on page 485 Understanding RSTP for EX-series Switches on page 486 Understanding MSTP for EX-series Switches on page 487
show spanning-tree bridge on page 637 show spanning-tree bridge brief on page 638 show spanning-tree bridge detail on page 638 Table 76 on page 636 lists the output fields for the show spanning-tree bridge command. Output fields are listed in the approximate order in which they appear.
Table 76: show spanning-tree bridge Output Fields
Field Name
Context ID Enabled protocol Root ID
Output Fields
Field Description An internally generated identifier. Spanning-tree protocol type enabled. Bridge ID of the elected spanning tree root bridge. The bridge ID consists of a configurable bridge priority and the MAC address of the bridge.
636
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
Field Description Calculated cost to reach the root bridge from the bridge where the command is entered. Interface that is the current elected root port for this bridge. Bridge ID of the elected MSTP regional root bridge. Calculated cost to reach the regional root bridge from the bridge where the command is entered. Configured number of seconds between transmissions of configuration BPDUs. Maximum age of received protocol BPDUs. Configured time an STP bridge port remains in the listening and learning states before transitioning to the forwarding state. Configured maximum number of hops a BPDU can be forwarded in the MSTP region. Number of seconds elapsed since the most recent BPDU was received. Total number of STP topology changes detected since the switch last booted.
Root port CIST regional root CIST internal root cost Hello time Maximum age Forward delay
Hop count
Message age Number of topology changes Time since last topology change Bridge ID (Local)
Locally configured bridge ID. The bridge ID consists of a configurable bridge priority and the MAC address of the bridge. Internally generated system identifier. Bridge ID of the elected MSTP regional root bridge. An internally generated identifier. Bridges supporting 802.1D (legacy) implement only 16-bit values for path cost. Newer versions of this standard support 32-bit values.
Extended system ID MSTI regional root Internal instance ID Path Cost Method
user@switch> show spanning-tree bridge STP bridge parameters Context ID : 0 Enabled protocol : MSTP STP bridge parameters for CIST Root ID Root cost Root port CIST regional root CIST internal root cost Hello time Maximum age
: : : : : : :
637
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Forward delay Hop count Message age Number of topology changes Time since last topology change Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 1 MSTI regional root Root cost Root port Hello time Maximum age Forward delay Hop count Local parameters Bridge ID Extended system ID Internal instance ID STP bridge parameters for MSTI 2 MSTI regional root Root cost Root port Hello time Maximum age Forward delay Hop count Local parameters Bridge ID Extended system ID Internal instance ID
: : : : :
: 16384.00:19:e2:50:44:e0 : 0 : 0
: : : : : : :
: 16385.00:19:e2:50:44:e0 : 0 : 1
: : : : : : :
: 8194.00:19:e2:50:44:e0 : 0 : 2
user@switch> show spanning-tree bridge brief STP bridge parameters Context ID : 0 Enabled protocol : RSTP Root ID : 32768.00:19:e2:50:95:a0 Hello time : 2 seconds Maximum age : 20 seconds Forward delay : 15 seconds Message age : 0 Number of topology changes : 0 Local parameters Bridge ID : 32768.00:19:e2:50:95:a0 Extended system ID : 0 Internal instance ID : 0 user@switch> show spanning-tree bridge detail STP bridge parameters Context ID Enabled protocol Root ID Hello time Maximum age Forward delay
: : : : : :
638
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
Message age Number of topology changes Local parameters Bridge ID Extended system ID Internal instance ID Hello time Maximum age Forward delay Path cost method
639
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
show spanning-tree interface <brief | detail> <interface-name interface-name> <msti msti-id> <vlan-id vlan-id>
Command introduced in JUNOS Release 9.0 for EX-series switches. Display the configured or calculated interface-level spanning-tree protocol (can be either STP, RSTP, or MSTP) parameters.
none(Optional) Display brief STP interface information. brief | detail(Optional) Display the specified level of output. interface-name interface-name(Optional) Name of an interface. msti msti-id(Optional) Display STP bridge information for the specified MSTP instance ID or Common and Internal Spanning Tree (CIST). Specify 0 for CIST. Specify a value from 1 through 4094 for an MSTI. vlan-id vlan-id(Optional) For MSTP interfaces, display interface information for the specified VLAN. Specify a value from 0 through 4094.
Options
view
show spanning-tree bridge Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 505 Understanding STP for EX-series Switches on page 485 Understanding RSTP for EX-series Switches on page 486 Understanding MSTP for EX-series Switches on page 487 spanning-tree spanning-tree spanning-tree spanning-tree interface on page 641 interface brief on page 641 interface detail on page 642 interface ge-1/0/0 on page 643
Output Fields
Table 77 on page 640 lists the output fields for the show spanning-tree Interface command. Output fields are listed in the approximate order in which they appear.
Field Description Interface configured to participate in the STP, RSTP, or MSTP instance.
640
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
Field Description Logical interface identifier configured to participate in the MSTP instance. Port ID of the designated port for the LAN segment this interface is attached to. Bridge ID of the designated bridge for the LAN segment this interface is attached to. Configured cost for the interface. STP port state. Forwarding (FWD), blocking (BLK), listening, learning, or disabled. MSTP or RSTP port role. Designated (DESG), backup (BKUP), alternate (ALT), or root. MSTP or RSTP link type. Shared or point-to-point (pt-pt) and edge or non edge. Identifies the interface as an MSTP or RSTP alternate root port (yes) or nonalternate root port (no). Identifies the interface as an MSTP regional boundary port (yes) or nonboundary port (no).
Boundary Port
user@switch> show spanning-tree interface Spanning tree interface parameters for instance 0 Interface ge-0/0/0.0 ge-0/0/2.0 ge-0/0/4.0 ge-0/0/23.0 Port ID 128:513 128:515 128:517 128:536 Designated port ID 128:513 128:515 128:517 128:536 Designated bridge ID 8192.0019e2500340 8192.0019e2500340 8192.0019e2500340 8192.0019e2500340 Port Cost 1000 1000 1000 1000 State FWD BLK FWD FWD Role DESG DIS DESG DESG
Spanning tree interface parameters for instance 1 Interface ge-0/0/0.0 ge-0/0/2.0 ge-0/0/4.0 ge-0/0/23.0 Port ID 128:513 128:515 128:517 128:536 Designated port ID 128:513 128:515 128:517 128:536 Designated bridge ID 8193.0019e2500340 8193.0019e2500340 8193.0019e2500340 8193.0019e2500340 Port Cost 1000 1000 1000 1000 State FWD BLK FWD FWD Role DESG DIS DESG DESG
Spanning tree interface parameters for instance 2 Interface ge-0/0/0.0 ge-0/0/2.0 ge-0/0/4.0 ge-0/0/23.0 Port ID 128:513 128:515 128:517 128:536 Designated port ID 128:1 128:515 128:1 128:536 Designated bridge ID 8194.001b549fd000 32770.0019e2500340 16386.001b54013080 32770.0019e2500340 Port Cost 1000 4000 1000 1000 State FWD BLK BLK FWD Role ROOT DIS ALT DESG
user@switch> show spanning-tree interface brief Spanning tree interface parameters for instance 0
641
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@switch> show spanning-tree interface detail Spanning tree interface parameters for instance 0 Interface name Port identifier Designated port ID Port cost Port state Designated bridge ID Port role Link type Boundary port Interface name Port identifier Designated port ID Port cost Port state Designated bridge ID Port role Link type Boundary port Interface name Port identifier Designated port ID Port cost Port state Designated bridge ID Port role Link type Boundary port Interface name Port identifier Designated port ID Port cost Port state Designated bridge ID Port role Link type Boundary port Interface name Port identifier Designated port ID Port cost Port state Designated bridge ID Port role Link type : : : : : : : : ge-1/0/0.0 128.625 128.625 20000 Blocking 32768.00:19:e2:50:95:a0 Disabled Pt-Pt/EDGE : NA ge-1/0/1.0 128.626 128.626 20000 Blocking 32768.00:19:e2:50:95:a0 Disabled Pt-Pt/NONEDGE : NA ge-1/0/2.0 128.627 128.627 20000 Blocking 32768.00:19:e2:50:95:a0 Disabled Pt-Pt/NONEDGE : NA ge-1/0/10.0 128.635 128.635 20000 Blocking 32768.00:19:e2:50:95:a0 Disabled Pt-Pt/NONEDGE : NA ge-1/0/20.0 128.645 128.645 20000 Blocking 32768.00:19:e2:50:95:a0 Disabled Pt-Pt/NONEDGE
: : : : : : : :
: : : : : : : :
: : : : : : : :
: : : : : : : :
642
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
: NA
user@switch> show spanning-tree interface ge-1/0/0 Interface ge-1/0/0.0 Port ID 128:625 Designated port ID 128:625 Designated bridge ID 32768.0019e25095a0 Port Cost 20000 State BLK Role DIS
643
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.0 for EX-series switches. Display the MSTP configuration.
noneDisplay MSTP configuration information. brief | detail(Optional) Display the specified level of output.
view show spanning-tree mstp configuration on page 644 Table 78 on page 644 lists the output fields for the show spanning-tree mstp configuration command. Output fields are listed in the approximate order in which they appear.
Field Description Internally generated identifier. MSTP region name carried in the MSTP BPDUs. Revision number of the MSTP configuration. Numerical value derived from the VLAN-to-instance mapping table. MSTI instance identifier. Identifiers for VLANs associated with the MSTI.
user@host> show spanning-tree mstp configuration MSTP configuration information Context identifier : 0 Region name : region1 Revision : 0 Configuration digest : 0xc92e7af9febb44d8df928b87f16b
644
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
Command introduced in JUNOS Release 9.0 for EX-series switches. Display STP statistics.
noneDisplay brief STP statistics. brief | detail(Optional) Display the specified level of output.
view show spanning-tree statistics interface on page 645 Table 79 on page 645 lists the output fields for the show spanning-tree statistics command. Output fields are listed in the approximate order in which they appear.
Field Description Total number of BPDUs sent. Total number of BPDUs received. Interface for which the statistics are being displayed. Number of seconds until the next BPDU is scheduled to be sent.
user@switch> show spanning-tree statistics interface ge-0/0/4 Interface BPDUs sent BPDUs received Next BPDU transmission ge-0/0/4 7 190 0
645
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
show vlans
Syntax
show vlans <brief | detail | extensive> <dot1q-tunneling> <management-vlan> <sort-by (tag | name)> <vlan-range-name>
Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches. Modified in JUNOS Release 9.2 for EX-series switches to display support for MAC-based VLANs and sort-by (tag | name) and vlan-range-name options. Modified in JUNOS Release 9.3 for EX-series switches to display support for dot1q-tunneling and management-vlan options. Display information about VLANs configured on bridged Ethernet interfaces. For interfaces configured to support a VoIP VLAN and a data VLAN, the show vlans command displays both tagged and untagged membership for those VLANs.
Description
NOTE: When a series of VLANs is created using the vlan-range statement, such VLAN names are prefixed and suffixed with a double underscore. For example, a series of VLANs using the VLAN range 13 and the base VLAN name marketing would be displayed as __marketing_1__, __marketing_2__, and __marketing_3__.
NOTE: To display an 802.1X supplicant successfully authenticated in multiple-supplicant mode with dynamic VLAN movement, use the show vlans vlan-name extensive operational mode command, where vlan-name is the dynamic VLAN.
Options
enabled.
management-vlan(Optional) Display information for the management VLAN on the
NOTE: It is recommended that you enter this command option on the master member of the Virtual Chassis.
sort-by (tag | name)(Optional) Display information for VLANs in ascending order of
646
show vlans
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
VLAN-range names.
Required Privilege Level Related Topics
view
show ethernet-switching interfaces Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 Example: Configure Automatic VLAN Administration Using GVRP on page 432 Example: Configuring a Private VLAN on an EX-series Switch on page 455 Example: Setting Up Q-in-Q Tunneling on EX-series Switches on page 453 Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 170 Understanding Bridging and VLANs on EX-series Switches on page 395 vlans on page 648 vlans brief on page 649 vlans detail on page 649 vlans extensive (MAC-based) on page 650 vlans extensive (Port-based) on page 650 vlans dot1q-tunneling on page 651 vlans management-vlan on page 651 vlans sort-by tag on page 651 vlans sort-by employee (vlan-range-name) on page 652 vlans employee (vlan-range-name) on page 653
show show show show show show show show show show
Output Fields
Table 80 on page 1034 lists the output fields for the show vlans command. Output fields are listed in the approximate order in which they appear.
Field Description Name of a VLAN. The 802.1Q tag applied to this VLAN. If none is displayed, no tag is applied. Interface associated with learned MAC addresses or all-members (flood entry). An asterisk (*) beside the interface indicates that the interface is UP. The IP address. The number of interfaces associated with a VLAN. The Active column indicates interfaces that are UP, and the Total column indicates interfaces that are active and inactive. Name of a VLAN. The state of the interface. Values are:
enabledThe interface is turned on, and the physical link is operational and
none, brief
brief
show vlans
647
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Level of Output
detail, extensive
A description for the VLAN. Primary IP address associated with a VLAN. The number of interfaces associated with a VLAN. Both the total number of interfaces and the number of active interfaces associated with a VLAN are displayed. The spanning tree associated with a VLAN. The redundant trunk group associated with a VLAN. The tagged interfaces to which a VLAN is associated. The untagged interfaces to which a VLAN is associated. Lists the customer VLAN (C-VLAN) ranges associated with this service VLAN (S-VLAN). The private VLAN mode for this VLAN. Values include Primary, Isolated, and Community. The primary VLAN tag for this secondary VLAN. VLAN index internal to JUNOS software. The manner in which the VLAN was created. Values are static or learn. Port-based VLAN or MAC-based VLAN. MAC-based protocol is displayed when VLAN assignment is done either statically or dynamically through 802.1X, IP address associated with a VLAN. For MAC-based VLANs created either statically or dynamically, the MAC addresses associated with an interface. The secondary VLANs associated with a primary VLAN. The isolated VLANs associated with a primary VLAN. The community VLANs associated with a primary VLAN.
STP RTG Tagged interfaces Untagged interfaces Customer VLAN Ranges Private VLAN Mode
extensive
IP addresses Number of MAC entries Secondary VLANs Isolated VLANs Community VLANs
extensive extensive
show vlans
show vlans Tag None Interfaces ge-0/0/34.0, ge-0/0/33.0, ge-0/0/32.0, ge-0/0/31.0, ge-0/0/30.0, ge-0/0/29.0, ge-0/0/28.0, ge-0/0/27.0, ge-0/0/26.0, ge-0/0/25.0, ge-0/0/19.0, ge-0/0/18.0,
648
show vlans
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
ge-0/0/17.0, ge-0/0/16.0, ge-0/0/15.0, ge-0/0/14.0, ge-0/0/13.0, ge-0/0/11.0, ge-0/0/9.0, ge-0/0/8.0, ge-0/0/3.0, ge-0/0/2.0, ge-0/0/1.0 v0001 v0002 v0003 v0004 v0005 1 ge-0/0/24.0, ge-0/0/23.0, ge-0/0/22.0, ge-0/0/21.0 2 None 3 None 4 None 5 None
user@switch> show vlans brief Name default v0001 v0002 v0003 v0004 v0005 v0006 v0007 v0008 v0009 v0010 v0011 v0012 v0013 v0014 v0015 v0016 Tag None 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Address Ports Active/Total 0/23 0/4 0/0 0/0 0/0 0/0 0/0 0/0 0/0 0/0 0/2 0/0 0/0 0/0 0/0 0/0 0/0
user@switch> show vlans detail VLAN: default, Tag: Untagged, Admin state: Enabled Description: None Primary IP: None, Number of interfaces: 23 (Active = 0) STP: None, RTG: None Untagged interfaces: ge-0/0/34.0, ge-0/0/33.0, ge-0/0/32.0, ge-0/0/31.0, ge-0/0/30.0, ge-0/0/29.0, ge-0/0/28.0, ge-0/0/27.0, ge-0/0/26.0, ge-0/0/25.0, ge-0/0/19.0, ge-0/0/18.0, ge-0/0/17.0, ge-0/0/16.0, ge-0/0/15.0, ge-0/0/14.0, ge-0/0/13.0, ge-0/0/11.0, ge-0/0/9.0, ge-0/0/8.0, ge-0/0/3.0, ge-0/0/2.0, ge-0/0/1.0, Tagged interfaces: None VLAN: v0001, Tag: 802.1Q Tag 1, Admin state: Enabled Description: None Primary IP: None, Number of interfaces: 4 (Active = 0) Dot1q Tunneling Status: Enabled STP: None, RTG: None Untagged interfaces: None Tagged interfaces: ge-0/0/24.0, ge-0/0/23.0, ge-0/0/22.0, ge-0/0/21.0, VLAN: v0002, Tag: 802.1Q Tag 2, Admin state: Enabled Description: None Primary IP: None, Number of interfaces: 0 (Active = 0) STP: None, RTG: None Untagged interfaces: None Tagged interfaces: None
show vlans
649
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
VLAN: v0003, Tag: 802.1Q Tag 3, Admin state: Enabled Description: None Primary IP: None, Number of interfaces: 0 (Active = 0) STP: None, RTG: None Untagged interfaces: None Tagged interfaces: None
user@switch> show vlans extensive VLAN: default, Created at: Thu May 15 13:43:09 2008 Internal index: 3, Admin State: Enabled, Origin: Static Protocol: Port Mode Number of interfaces: Tagged 0 (Active = 0), Untagged 2 (Active = 2) ge-0/0/0.0*, untagged, access ge-0/0/14.0*, untagged, access VLAN: vlan_dyn, Created at: Thu May 15 13:43:09 2008 Internal index: 4, Admin State: Enabled, Origin: Static Protocol: Port Mode Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) Protocol: MAC Based Number of MAC entries: 6 ge-0/0/0.0* 00:00:00:00:00:02 (untagged) 00:00:00:00:00:03 (untagged) 00:00:00:00:00:04 (untagged) 00:00:00:00:00:05 (untagged) 00:00:00:00:00:06 (untagged) 00:00:00:00:00:07 (untagged)
user@switch> show vlans extensive VLAN: default, created at Mon Feb 4 12:13:47 2008 Tag: None, Internal index: 0, Admin state: Enabled, Origin: static Description: None Dot1q Tunneling Status: Enabled Customer VLAN ranges: 1-4100 Private VLAN Mode: Primary Protocol: Port based, Layer 3 interface: None IP addresses: None STP: None, RTG: None. Number of interfaces: Tagged 0 (Active = 0), Untagged 23 (Active = 0) ge-0/0/34.0 (untagged, access) ge-0/0/33.0 (untagged, access) ge-0/0/32.0 (untagged, access) ge-0/0/31.0 (untagged, access) ge-0/0/30.0 (untagged, access) ge-0/0/29.0 (untagged, access) ge-0/0/28.0 (untagged, access) ge-0/0/27.0 (untagged, access) ge-0/0/26.0 (untagged, access) ge-0/0/25.0 (untagged, access) ge-0/0/19.0 (untagged, access) ge-0/0/18.0 (untagged, access) ge-0/0/17.0 (untagged, access) ge-0/0/16.0 (untagged, access) ge-0/0/15.0 (untagged, access) ge-0/0/14.0 (untagged, access) ge-0/0/13.0 (untagged, access) ge-0/0/11.0 (untagged, access) ge-0/0/9.0 (untagged, access)
650
show vlans
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
Secondary VLANs: Isolated 1, Community Isolated VLANs : __pvlan_pvlan_ge-0/0/3.0__ Community VLANs : comm1
VLAN: v0001, created at Mon Feb 4 12:13:47 2008 Tag: 1, Internal index: 1, Admin state: Enabled, Origin: static Description: None Protocol: Port based, Layer 3 interface: None IP addresses: None STP: None, RTG: None. Number of interfaces: Tagged 4 (Active = 0), Untagged 0 (Active = 0) ge-0/0/24.0 (tagged, trunk) ge-0/0/23.0 (tagged, trunk) ge-0/0/22.0 (tagged, trunk) ge-0/0/21.0 (tagged, trunk) VLAN: v0002, created at Mon Feb 4 12:13:47 2008 Tag: 2, Internal index: 2, Admin state: Enabled, Origin: static Description: None Protocol: Port based, Layer 3 interface: None IP addresses: None STP: None, RTG: None. Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) None VLAN: v0003, created at Mon Feb 4 12:13:47 2008 Tag: 3, Internal index: 3, Admin state: Enabled, Origin: static Description: None Protocol: Port based, Layer 3 interface: None IP addresses: None STP: None, RTG: None. Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0) None
show vlans
651
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Name default __vlan-x_1__ __vlan-x_2__ __vlan-x_3__ __vlan-x_4__ __vlan-x_5__ __vlan-x_6__ __vlan-x_7__ __vlan-x_8__ __vlan-x_9__ __vlan-x_10__ __vlan-x_11__ __vlan-x_12__ __vlan-x_13__ __vlan-x_14__ __vlan-x_15__ __vlan-x_16__ __vlan-x_17__ __vlan-x_18__ __vlan-x_19__ __vlan-x_20__
Tag 1
2 None 3 None 4 None 5 None 6 None 7 None 8 None 9 None 10 None 11 None 12 None 13 None 14 None 15 None 16 None 17 None 18 None 19 None 20 None
__employee_120__ 120 ge-0/0/22.0* __employee_121__ 121 ge-0/0/22.0* __employee_122__ 122 ge-0/0/22.0* __employee_123__ 123 ge-0/0/22.0* __employee_124__ 124 ge-0/0/22.0* __employee_125__ 125 ge-0/0/22.0* __employee_126__ 126 ge-0/0/22.0*
652
show vlans
Chapter 37: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
__employee_127__ 127 ge-0/0/22.0* __employee_128__ 128 ge-0/0/22.0* __employee_129__ 129 ge-0/0/22.0* __employee_130__ 130 ge-0/0/22.0*
__employee_120__ 120 ge-0/0/22.0* __employee_121__ 121 ge-0/0/22.0* __employee_122__ 122 ge-0/0/22.0* __employee_123__ 123 ge-0/0/22.0* __employee_124__ 124 ge-0/0/22.0* __employee_125__ 125 ge-0/0/22.0* __employee_126__ 126 ge-0/0/22.0* __employee_127__ 127 ge-0/0/22.0* __employee_128__ 128 ge-0/0/22.0* __employee_129__ 129 ge-0/0/22.0* __employee_130__ 130 ge-0/0/22.0*
show vlans
653
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
654
show vlans
Part 9
Layer 3 Protocols
Understanding Layer 3 Protocols on page 657 Examples of Configuring Layer 3 Protocols on page 663 Configuring Layer 3 Protocols on page 667 Verifying Layer 3 Protocols on page 681 Configuration Statements for Layer 3 Protocols on page 691 Operational Mode Commands for Layer 3 Protocols on page 705
Layer 3 Protocols
655
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
656
Layer 3 Protocols
Chapter 38
DHCP Services for EX-series Switches Overview on page 657 DHCP/BOOTP Relay for EX-series Switches Overview on page 658 IGMP Snooping on EX-series Switches Overview on page 659
For information about configuring DHCP services with the CLI, see the JUNOS Software System Basics Configuration Guide at http://www.juniper.net/techpubs/ software/junos/junos93/index.html. Configuring DHCP Services (J-Web Procedure) on page 668 Monitoring DHCP Services on page 683
657
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: Because DHCP/BOOTP messages are broadcast and are not directed to a specific server, switch, or router, EX-series switches cannot function as both a DHCP server and a DHCP/BOOTP relay agent at the same time. JUNOS software generates a commit error if both options are configured at the same time, and the commit will not succeed until one of the options is removed.
Related Topics
For information about configuring the switch as a DHCP/BOOTP relay agent, see the JUNOS Software Policy Framework Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos93/index.html. DHCP Services for EX-series Switches Overview on page 657
658
For IGMPv2, see RFC 2236, Internet Group Management Protocol, Version 2 at
http://www.faqs.org/rfcs/rfc2236.html
How IGMP Snooping Works on page 659 How IGMP Snooping Works with Routed VLAN Interfaces on page 660 How Hosts Join and Leave Multicast Groups on page 662
659
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
660
A bridge multicast ID is assigned to direct Layer 3 interfaces and to RVIs. For VLANs that include multicast receivers, the bridge multicast ID includes a sub-next-hop ID. The sub-next-hop ID identifies the multicast Layer 2 interfaces in that VLAN that are interested in receiving the multicast stream. The switch ultimately assigns a next-hop after it does a route lookup. The next-hop includes all direct Layer 3 interfaces and RVIs. The Packet Forwarding Engine then forwards multicast traffic to the bridge multicast ID that includes all Layer 3 interfaces and RVIs that are multicast receivers for a given multicast group. Figure 37 on page 661 shows how multicast traffic is forwarded on a multilayer switch. In this illustration, multicast traffic is coming in through the xe-0/1/0.0 interface. A multicast group has been formed by the Layer 3 interface ge-0/0/2.0, vlan.0 and vlan.1. The ge-2/0/0.0 interface is a common trunk interface that belongs to both vlan.0 and vlan.1. The letter R next to an interface name in the illustration indicates that a multicast receiver host is associated with that interface.
NOTE: Traffic sent to an access interface is untagged; traffic sent to a trunk interface is tagged. For more information on VLAN tagging, see Understanding Bridging and VLANs on EX-series Switches on page 395.
The following table shows the bridge multicast IDs and next-hops that are created. The term subnh refers to a sub-next-hop. The Packet Forwarding Engine will forward multicast traffic to bridge multicast ID9.
ID Number ID1
661
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Type of Next-Hop RHN_UNICAST RHN_FLOOD RHN_UNICAST RHN_FLOOD RHN_UNICAST RHN_UNICAST RHN_UNICAST RHN_FLOOD
Next Hop ge-2/0/0.0 [ID1, ID2] ge-0/0/1.0 [ID4, ID2] vlan.0 VLAN.1 ge-0/0/2.0 [ID6, ID7, ID8]
tag=off
subnh=ID3 subnh=ID5
By sending an unsolicited IGMP join message to a multicast router that specifies the IP multicast that the host is attempting to join. By sending an IGMP join message in response to a general query from a multicast router.
A multicast router continues to forward multicast traffic to a VLAN provided that at least one host on that VLAN responds to the periodic general IGMP queries. For a host to remain a member of a multicast group, therefore, it must continue to respond to the periodic general IGMP queries. To leave a multicast group, a host can either not respond to the periodic general IGMP queries, which results in a silent leave (the only leave option for hosts connected to switches running IGMPv1), or send a group-specific IGMPv2 leave message.
Related Topics
Example: Configuring IGMP Snooping on EX-series Switches on page 663 Configuring IGMP Snooping (CLI Procedure) on page 671 RFC 3171, IANA Guidelines for IPv4 Multicast Address Assignments at
http://tools.ietf.org/html/rfc3171
662
Chapter 39
Requirements on page 663 Overview and Topology on page 664 Configuration on page 664
Requirements
This example uses the following software and hardware components:
One EX-series 3200-24T switch JUNOS Release 9.1 or later for EX-series switches
Configured the employee-vlan VLAN on the switch Assigned interfaces ge-0/0/1, ge-0/0/2, and ge-0/0/3 to employee-vlan
See Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414.
663
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Switch hardware VLAN name Interfaces in employee-vlan Multicast IP address for employee-vlan
Configuration
To configure basic IGMP snooping on a switch:
CLI Quick Configuration
To quickly configure IGMP snooping, copy the following commands and paste them into the switch terminal window:
[edit protocols] set igmp-snooping vlan employee-vlan set igmp-snooping vlan employee-vlan immediate-leave set igmp-snooping vlan employee-vlan interface ge-0/0/3 static group 225.100.100.100 set igmp-snooping vlan employee-vlan interface ge-0/0/2 multicast-router-interface set igmp-snooping vlan employee-vlan query-interval 60 set igmp-snooping vlan employee-vlan query-last-member-interval 75 set igmp-snooping vlan employee-vlan query-response-interval 3 set igmp-snooping vlan employee-vlan robust-count 4
664
Step-by-Step Procedure
2.
Configure the switch to immediately remove a group membership from an interface when it receives a leave message from that interface and suppress the sending of any group-specific queries for the multicast group (IGMPv2 only):
[edit protocols] user@switch# set igmp-snooping vlan employee-vlan immediate-leave
3.
4.
Statically configure an interface as a switching interface toward a multicast router (the interface to receive multicast traffic):
[edit protocols] user@switch# set igmp-snooping vlan employee-vlan interface ge-0/0/2 multicast-router-interface
5.
6.
7.
8.
Change the number of timeout intervals the switch waits before timing out a multicast group to 4:
[edit protocols] user@switch# set igmp-snooping vlan employee-vlan robust-count 4
Results
Configuration
665
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@switch# show protocols igmp-snooping vlan employee-vlan { query-interval 60; query-last-member interval 75; query-response interval 3; robust-count 4; immediate-leave; interface ge-0/0/2 { multicast-router-interface; } interface ge-0/0/3 { static { group 255.100.100.100 } } }
Related Topics
Configuring IGMP Snooping (CLI Procedure) on page 671 [edit protocols] Configuration Statement Hierarchy on page 33
666
Configuration
Chapter 40
Configuring BGP Sessions (J-Web Procedure) on page 667 Configuring DHCP Services (J-Web Procedure) on page 668 Configuring IGMP Snooping (CLI Procedure) on page 671 Configuring an OSPF Network (J-Web Procedure) on page 672 Configuring a RIP Network (J-Web Procedure) on page 673 Configuring SNMP (J-Web Procedure) on page 674 Configuring Static Routing (CLI Procedure) on page 678 Configuring Static Routing (J-Web Procedure) on page 679
NOTE: To configure BGP sessions a license must be installed on the EX-series switch. To configure a BGP peering session :
1. 2. 3.
In the J-Web user interface, select Configure> Routing >BGP Routing. Enter information into the configuration page for BGP, as described in Table 82 on page 667. To apply the configuration, click Apply.
Function
Your Action
Enable BGP
To enable BGP, select the check box. To disable BGP, clear the check box.
667
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Type the IP address of the peer host's adjacent interface, in dotted decimal notation.
Local Address
Type the IP address of the local host's adjacent interface, in dotted decimal notation.
Related Topics
EX-series Switch Software Features Overview on page 3 Monitoring BGP Routing Information on page 681
To configure a DHCP pool for a subnet, click Add in the DHCP Pools box. To configure a static binding for a DHCP client, click Add in the DHCP Static Binding box. To globally configure settings for existing DHCP pools and static bindings, click Configure Global DHCP Parameters.
3. 4.
Enter information into the DHCP Configuration pages, as described in Table 83 on page 669. To apply the configuration, click Apply.
668
Function
Your Action
Specifies the subnet on which DHCP is configured. Specifies the lowest address in the IP address pool range. Specifies the highest address in the IP address pool range.
Type an IP address that is part of the subnet specified in DHCP Subnet. Type an IP address that is part of the subnet specified in DHCP Subnet. This address must be greater than the address specified in Address Range (Low).
Exclude Addresses
To add an excluded address, type the address next to the Add button, and click Add. To delete an excluded address, select the address in the Exclude Addresses box, and click Delete.
Lease Time
Specifies the maximum length of time a client can hold a lease. (Dynamic BOOTP lease lengths can exceed this maximum time.) Specifies the length of time a client can hold a lease for clients that do not request a specific lease length.
Type a number from 60 through 4,294,967,295 (seconds). You can also type infinite to specify a lease that never expires. Type a number from 60 through 2,147,483,647 (seconds). You can also type infinite to specify a lease that never expires.
Server Information
Server Identifier
Type the IP address of the server. If you do not specify a server identifier, the primary address of the interface on which the DHCP exchange occurs is used. Type the name of the domain.
Domain Name
Specifies the domain name that clients must use to resolve hostnames. Specifies the orderfrom top to bottomin which clients must append domain names when resolving hostnames using DNS.
Domain Search
To add a domain name, type the name next to the Add button, and click Add. To delete a domain name, select the name in the Domain Search box, and click Delete. To add a DNS server, type an IP address next to the Add button, and click Add. To remove a DNS server, select the IP address in the DNS Name Servers box, and click Delete.
Defines a list of DNS servers the client can use, in the specified orderfrom top to bottom.
669
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
To add a relay agent, type an IP address next to the Add button, and click Add. To remove a relay agent, select the IP address in the Gateway Routers box, and click Delete. To add a NetBIOS name server, type an IP address next to the Add button, and click Add. To remove a NetBIOS name server, select the IP address in the WINS Servers box, and click Delete.
WINS Servers
Defines a list of NetBIOS name servers, in the specified orderfrom top to bottom.
Boot Options
Boot File
Specifies the path and filename of the initial boot file to be used by the client. Specifies the TFTP server that provides the initial boot file to the client.
Boot Server
Specifies the MAC address of the client to be permanently assigned a static IP address. Defines a list of IP addresses permanently assigned to the client. A static binding must have at least one fixed address assigned to it, but multiple addresses are also allowed. Specifies the name of the client used in DHCP messages exchanged between the server and the client. The name must be unique to the client within the subnet on which the client resides. Specifies the name of the client used by the DHCP server to index its database of address bindings. The name must be unique to the client within the subnet on which the client resides. Specifies the name of the client, in hexadecimal form, used by the DHCP server to index its database of address bindings. The name must be unique to the client within the subnet on which the client resides.
To add an IP address, type it next to the Add button, and click Add. To remove an IP address, select it in the Fixed IP Addresses box, and click Delete.
Host Name
Client Identifier
Related Topics
DHCP Services for EX-series Switches Overview on page 657 Monitoring DHCP Services on page 683
670
2.
Configure the switch to immediately remove a multicast group membership from an interface when it receives a leave message from that interface and suppress the sending of any group-specific queries for the multicast group (IGMPv2 only):
[edit protocols] user@switch# set igmp-snooping vlan employee-vlan immediate-leave
3.
4.
Statically configure an interface as a switching interface toward a multicast router (the interface to receive multicast traffic):
[edit protocols] user@switch# set igmp-snooping vlan employee-vlan interface ge-0/0/2.0 multicast-router-interface
5.
6.
671
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
7.
8.
Change the number of timeout intervals the switch waits before timing out a multicast group to 4:
[edit protocols] user@switch# set igmp-snooping vlan employee-vlan robust-count 4
Related Topics
show igmp-snooping membership show igmp-snooping route show igmp-snooping statistics show igmp-snooping vlans Example: Configuring IGMP Snooping on EX-series Switches on page 663 IGMP Snooping on EX-series Switches Overview on page 659
In the J-Web user interface, select Configure> Routing>OSPF Routing. Enter information into the Configuration Routing page for OSPF, as described in Table 84 on page 672. To apply the configuration, click Apply.
Router Identification
Enable OSPF
To enable OSPF, select the check box. To disable OSPF, clear the check box.
OSPF Area ID
Type a 32-bit numeric identifier for the area, or type an integer. If you enter an integer, the value is converted to a 32-bit equivalent. For example, if you enter 3, the value assigned to the area is 0.0.0.3.
672
regularA regular OSPF area, including the backbone area stubA stub area nssaA not-so-stubby area (NSSA)
OSPF-Enabled Interfaces
The first time you configure OSPF, the Logical Interfaces box displays a list of all the logical interfaces configured on the switch. Do any of:
To enable OSPF on an interface, click the interface name to highlight it, and click the left arrow to add the interface to the OSPF interfaces list. To enable OSPF on multiple interfaces at once, press Ctrl while you click multiple interface names to highlight them. Then click the left arrow to add the interfaces to the OSPF interfaces list. To enable OSPF on all logical interfaces except the special me0 management interface, select All Interfaces in the Logical Interfaces list and click the left arrow. To enable OSPF on all the interfaces displayed in the Logical Interfaces list, click All to highlight every interface. Then click the left arrow to add the interfaces to the OSPF interfaces list. To disable OSPF on one or more interfaces, highlight the interface or interfaces in the OSPF interfaces box and click the right arrow to move them back to the Logical Interfaces list.
Related Topics
In the J-Web user interface, select Configure> Routing > RIP Routing. Enter information into the Configuration page for RIP, as described in Table 85 on page 673. To apply the configuration, click Apply.
Function
Your Action
Enable RIP
To enable RIP, select the check box. To disable RIP, clear the check box.
673
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
To advertise the default route using RIPv2, select the check box. To disable the default route advertisement, clear the check box.
RIP-Enabled Interfaces
The first time you configure RIP, the Logical Interfaces box displays a list of all the logical interfaces configured on the switch. Do any of the following:
To enable RIP on an interface, click the interface name to highlight it, and click the left arrow to add the interface to the RIP interfaces list. To enable RIP on multiple interfaces at once, press Ctrl while you click multiple interface names to highlight them. Then click the left arrow to add the interfaces to the RIP interfaces list. To disable RIP on one or more interfaces, highlight the interface or interfaces in the RIP interfaces box and click the right arrow to move them back to the Logical Interfaces list.
Related Topics
Select Configure>Services>SNMP. Enter information into the Configuration page for SNMP, as described in Table 86 on page 674. To apply the configuration click Apply.
674
To add a community, click Add Community Name Authorization Specifies the name of the SNMP community. . Type the name of the community being added.
Specifies the type of authorization (either read-only or read-write) for the SNMP community being configured.
Select the desired authorization (either read-only or read-write) from the list.
Traps To add a trap group, click Add. Trap Group Name Specifies the name of the SNMP trap group being configured. Type the name of the group being added.
675
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
To generate traps for authentication failures, select Authentication. To generate traps for chassis and environment notifications, select Chassis. To generate traps for configuration changes, select Configuration. To generate traps for link-related notifications (up-down transitions), select Link. To generate traps for remote operation notifications, select Remote operations. To generate traps for remote network monitoring (RMON), select RMON alarm. To generate traps for routing protocol notifications, select Routing. To generate traps on system warm and cold starts, select Startup. To generate traps on Virtual Router Redundancy Protocol (VRRP) events (such as new-master or authentication failures), select VRRP events. Enter the hostname or IP address, in dotted decimal notation, of the target system to receive the SNMP traps. Click Add.
Targets
Specifies one or more hostnames or IP addresses for the systems to receive SNMP traps generated by the trap group being configured.
1.
2.
Health Monitoring Enable Health Monitoring Enables the SNMP health monitor on the switch. The health monitor periodically (over the time you specify in the interval field) checks the following key indicators of switch health:
Select the check box to enable the health monitor and configure options. Clear the check box to disable the health monitor. NOTE: If you select the Enable Health Monitoring check box and do not specify options, then SNMP health monitoring is enabled with default values.
Percentage of file storage used Percentage of Routing Engine CPU used Percentage of Routing Engine memory used Percentage of memory used for each system process Percentage of CPU used by the forwarding process Percentage of memory used for temporary storage by the forwarding process
Interval
Specifies the sampling frequency, in seconds, over which the key health indicators are sampled and compared with the rising and falling thresholds. For example, if you configure the interval as 100 seconds, the values are checked every 100 seconds.
Enter an interval time, in seconds, from 1 through 2147483647. The default value is 300 seconds (5 minutes).
676
Related Topics
677
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
When the switch does not have a route to a destination that has a better (lower) preference value. The preference is an arbitrary value in the range from 0 through 255 that the software uses to rank routes received from different protocols, interfaces, or remote systems. The routing protocol process generally determines the active route by selecting the route with the lowest preference value. In the given range, 0 is the lowest and 255 is the highest. When the switch cannot determine the route to a destination. When the switch is forwarding unroutable packets.
To configure a static route and specify the next address to be used when routing traffic to the static route:
[edit] user@switch# set routing-options static route 20.0.0.0/24 next-hop 10.0.0.2.1
Related Topics
Configuring Static Routing (J-Web Procedure) on page 679 Monitoring Routing Information on page 688
678
In the J-Web user interface, select Configure>Routing. Enter information into the routing page, as described in Table 87 on page 679. To apply the configuration, click Apply.
Function
Your Action
Default Route
Type the 32-bit IP address of the switch's default route in dotted decimal notation.
Static Routes
1. 2.
On the main static routing Configuration page, click Add. In the Static Route Address box, type the 32-bit IP address of the static route in dotted decimal notation. In the Add box, type the 32-bit IP address of the next-hop host. Click Add. Add more next-hop addresses as necessary.
Next-Hop Addresses
Specifies the next-hop address or addresses to be used when routing traffic to the static route.
1. 2. 3.
NOTE: If a route has multiple next-hop addresses, traffic is routed across each address in round-robin fashion.
4.
Related Topics
Configuring Static Routing (CLI Procedure) on page 678 Monitoring Routing Information on page 688
679
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
680
Chapter 41
Monitoring BGP Routing Information on page 681 Monitoring DHCP Services on page 683 Monitoring OSPF Routing Information on page 684 Monitoring RIP Routing Information on page 686 Monitoring Routing Information on page 688
Use the monitoring functionality to monitor BGP routing information. To view BGP routing information in the J-Web interface, select Monitor>Routing>BGP Information. To view BGP routing information in the CLI, enter the following commands:
Meaning
Table 88 on page 681 summarizes key output fields in the BGP routing display.
BGP Summary
Address of each BGP peer. Number of packets received from the peer. Number of packets sent to the peer.
681
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Additional Information A high number of flaps might indicate a problem with the interface on which the BGP session is enabled. If the BGP session is unavailable, this time might be useful in determining when the problem occurred.
Last Up/Down
State
If a peer is not established, the field shows the state of the peer session: Active, Connect, or Idle. If a BGP session is established, the field shows the number of active, received, and damped routes that are received from a neighbor. For example, 2/4/0 indicates two active routes, four received routes, and no damped routes.
BGP Neighbors
attempt to connect to a peer. If the connection is successful, BGP sends an open message.
Generally, the most common states are Active, which indicates a problem establishing the BGP conenction, and Established, which indicates a successful session setup. The other states are transition states, and BGP sessions normally do not stay in those states for extended periods of time.
to become complete.
an open message from the peer and is waiting to receive a keepalive or notification message.
waiting to receive an open message from the peer. Export Import Number of flaps Names of any export policies configured on the peer. Names of any import policies configured on the peer. Number of times the BGP sessions has changed state from Down to Up. A high number of flaps might indicate a problem with the interface on which the session is established.
682
Related Topics
Configuring BGP Sessions (J-Web Procedure) on page 667 Layer 3 Protocols Supported on EX-series Switches on page 9
A switch can operate as a DHCP server. When it is a DHCP server, use the monitoring functionality to view information about dynamic and static DHCP leases, conflicts, pools, and statistics. To monitor the DHCP server in the J-Web interface, select Monitor>Services >DHCP. To monitor the DHCP server in the CLI, enter the following CLI commands:
Action
show system services dhcp binding show system services dhcp conflict show system services dhcp pool show system services dhcp statistics
Meaning
Values
Additional Information
List of IP addresses the DHCP server has assigned to clients. Corresponding media access control (MAC) address of the client. Type of binding assigned to the client: dynamic or static. DHCP servers can assign a dynamic binding from a pool of IP addresses or a static binding to one or more specific IP addresses.
Lease Expires
Date and time the lease expires, or never for leases that do not expire.
DHCP Conflicts
The addresses in the conflicts list remain excluded until you use the clear system services dhcp conflict command to manually clear the list.
DHCP Pools
Pool Name
683
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
DHCP Statistics
Default lease time Minimum lease time Maximum lease time Packets dropped Messages received
Lease time assigned to clients that do not request a specific lease time. Minimum time a client can retain an IP address lease on the server. Maximum time a client can retain an IP address lease on the server. Total number of packets dropped and the number of packets dropped due to a particular condition. Number of BOOTREQUEST, DHCPDECLINE, DHCPDISCOVER, DHCPINFORM, DHCPRELEASE, and DHCPREQUEST messages sent from DHCP clients and received by the DHCP server. Number of BOOTREPLY, DHCPACK, DHCPOFFER, and DHCPNAK messages sent from the DHCP server to DHCP clients.
Messages sent
Related Topics
DHCP Services for EX-series Switches Overview on page 657 Configuring DHCP Services (J-Web Procedure) on page 668
Use the monitoring functionality to monitor OSPF routing information. To view OSPF routing information in the J-Web interface, select Monitor>Routing>OSPF Information. To view OSPF routing information in the CLI, enter the following CLI commands:
684
Meaning
Table 90 on page 685 summarizes key output fields in the OSPF routing display.
OSPF Neighbors
State of the neighbor: Attempt, Down, Exchange, ExStart, Full, Init, Loading, or 2way.
Generally, only the Down state, indicating a failed OSPF adjacency, and the Full state, indicating a functional adjacency, are maintained for more than a few seconds. The other states are transitional states that a neighbor is in only briefly while an OSPF adjacency is being established.
ID Priority
OSPF Interfaces
Interface State
Name of the interface running OSPF. State of the interface: BDR, Down, DR, DRother, Loop, PtToPt, or Waiting. The Down state, indicating that the interface is not functioning, and PtToPt state, indicating that a point-to-point connection has been established, are the most common states.
Number of the area that the interface is in. Address of the area's designated device. Address of the area's backup designated device. Number of neighbors on this interface. Number of devices in the area using the same area identifier. The areas into which OSPF does not flood AS external advertisements In this mode the interface is present on the network but does not transmit or receive packets. The authentication scheme for the backbone or area.
685
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
OSPF Statistics
Packet Type Packets Sent Packets Received Depth of flood Queue Total Retransmits Total Database Summaries
Related Topics
Configuring an OSPF Network (J-Web Procedure) on page 672 Layer 3 Protocols Supported on EX-series Switches on page 9
Use the monitoring functionality to monitor RIP routing. To view RIP routing information in the J-Web interface, select Monitor>Routing>RIP Routing. To view RIP routing information in the CLI, enter the following CLI commands:
686
Meaning
Table 91 on page 687 summarizes key output fields in the RIP routing display.
RIP Statistics
The port on which RIP is enabled. The interval during which routes are neither advertised nor updated. Number of RIP routes learned on the logical interface.
Number of RIP routes that are not advertised or updated during hold-down. Number of requests dropped.
RIP Neighbors
Neighbor
This value is the name of the interface on which RIP is enabled. Click the name to see the details for this neighbor.
State Source Address Destination Address Send Mode Receive Mode In Metric
State of the RIP connection: Up or Dn (Down). Local source address. This value is the configured address of the interface on which RIP is enabled. This value is the configured address of the immediate RIP adjacency.
Destination address.
The mode of sending RIP messages. The mode in which messages are received.
Related Topics
Configuring a RIP Network (J-Web Procedure) on page 673 Layer 3 Protocols Supported on EX-series Switches on page 9
687
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Use the monitoring functionality to view inet.0 routing table. To view the routing tables in the J-Web interface, select Monitor>Routing>Static Routing To view the routings table in the CLI, enter the following commands in the CLI interface:
Meaning
Table 92 on page 688 summarizes key output fields in the routing information display.
Additional Information
activeNumber of routes that are active. hold downNumber of routes that are in
hold-down state (neither advertised nor updated) before being declared inactive.
routing policies configured on the switching platform. Destination Protocol/ Preference Destination address of the route. Protocol from which the route was learned: Static, Direct, Local, or the name of a particular protocol. The preference is the individual preference value for the route. Next-Hop Network layer address of the directly reachable neighboring system (if applicable) and the interface used to reach it. If a next hop is listed as Discard, all traffic with that destination address is discarded rather than routed. This value generally means that the route is a static route for which the discard attribute has been set. If a next hop is listed as Reject, all traffic with that destination address is rejected. This value generally means that the address is unreachable. For example, if the address is a configured interface address and the interface is unavailable, traffic bound for that address is rejected. If a next hop is listed as Local, the destination is an address on the host (either the loopback address or Ethernet management port 0 address, for example). The route preference is used as one of the route selection criteria.
688
Additional Information
Related Topics
Configuring Static Routing (J-Web Procedure) on page 679 Configuring Static Routing (CLI Procedure) on page 678
689
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
690
Chapter 42
691
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
leave-timer milliseconds; leaveall-timer milliseconds; } igmp-snooping { traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag (detail | disable | receive | send); } vlan (vlan-id | vlan-number { disable{ interface interface-name } immediate-leave; interface interface-name { multicast-router-interface; static { group ip-address; } } query-interval seconds; query-last-member-interval seconds; query-response-interval seconds; robust-count number; } } lldp { disable; advertisement-interval seconds; hold-multiplier number; interface (all | interface-name) { disable; } traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag (detail | disable | receive | send); } transmit-delay seconds; } lldp-med { disable; fast-start number; interface (all | interface-name) { disable; location { elin number; civic-based { what number; country-code code; ca-type { number { ca-value value; } }
692
} } } } mstp { disable; bpdu-block-on-edge; bridge-priority priority; configuration-name name; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds; max-hops hops; msti msti-id { vlan (vlan-id | vlan-name); interface interface-name { disable; cost cost; edge; mode mode; priority priority; } } revision-level revision-level; traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } } rstp { disable; bpdu-block-on-edge; bridge-priority priority; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost;
693
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
edge; mode mode; no-root-port; priority priority; } max-age seconds; } traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } stp { disable; bridge-priority priority; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds; } traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } } sflow { collector { ip-address; udp-port port-number; } disable; interfaces interface-name { disable; polling-interval seconds; sample-rate number; } polling-interval seconds; sample-rate number; }
Related Topics
802.1X for EX-series Switches Overview on page 718 Example: Configure Automatic VLAN Administration Using GVRP on page 432
694
Understanding 802.1X MAC RADIUS Authentication on EX-series Switches on page 723 Understanding Server Fail Fallback and 802.1X Authentication on EX-series Switches on page 725 IGMP Snooping on EX-series Switches Overview on page 659 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728 Understanding MSTP for EX-series Switches on page 487 Understanding RSTP for EX-series Switches on page 486 Understanding STP for EX-series Switches on page 485 Understanding Using sFlow Technology for Network Monitoring on an EX-series Switch on page 1307
disable
Syntax
Hierarchy Level Release Information Description Default Options Required Privilege Level Related Topics
Statement introduced in JUNOS Release 9.2 for EX-series switches. Disable IGMP snooping on all interfaces in a VLAN or on a specific VLAN interface. If you do not specify an interface, all interfaces in the given VLAN are disabled.
interface-name Name of the interface.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring IGMP Snooping on EX-series Switches on page 663 Configuring IGMP Snooping (CLI Procedure) on page 671
disable
695
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
group
Syntax Hierarchy Level Release Information Description Default Options Required Privilege Level Related Topics
group ip-address; [edit protocols igmp-snooping vlan vlan-id | vlan-name interface interface-name static]
Statement introduced in JUNOS Release 9.1 for EX-series switches. Configure a static multicast group using a valid IP multicast address. None.
ip-address IP address of the multicast group receiving data on an interface.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring IGMP Snooping on EX-series Switches on page 663 Configuring IGMP Snooping (CLI Procedure) on page 671
696
group
igmp-snooping
Syntax
igmp-snooping { traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag (detail | disable | receive | send); } vlan vlan-id | vlan-name { disable { interface interface-name; } immediate-leave; interface interface-name { multicast-router-interface; static { group ip-address; } } query-interval seconds; query-last-member-interval seconds; query-response-interval seconds; robust-count number; } } [edit protocols]
Statement introduced in JUNOS Release 9.1 for EX-series switches. Enable and configure IGMP snooping on EX-series switches. The remaining statements are explained separately.
IGMP snooping is disabled by default. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring IGMP Snooping on EX-series Switches on page 663 Configuring IGMP Snooping (CLI Procedure) on page 671
igmp-snooping
697
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
immediate-leave
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.1 for EX-series switches. (Applies only to switches running IGMPv2.) After the switch receives a leave group membership message from a host, immediately remove the group membership from the interface and suppress the sending of any group-specific queries for the multicast group.
NOTE: When configuring this statement, ensure that the IGMP interface has only one IGMP host connected. If more than one IGMPv2 host is connected to the switch through the same interface and one of the hosts sends a leave message, the switch removes all hosts on the interface from the multicast group. The switch loses contact with the hosts in the multicast group that did not send a leave message until they send join requests in response to the next general multicast listener query from the router.
The immediate-leave feature is disabled. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring IGMP Snooping on EX-series Switches on page 663 Configuring IGMP Snooping (CLI Procedure) on page 671
698
immediate-leave
interface
Syntax
interface interface-name { multicast-router-interface; static { group ip-address; } } [edit protocols igmp-snooping vlan vlan-id | vlan-name]
Statement introduced in JUNOS Release 9.1 for EX-series switches. Enable IGMP snooping on an interface and configure interface-specific properties. The remaining statements are explained separately.
None.
interface-name Name of the interface.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show igmp-snooping vlans Example: Configuring IGMP Snooping on EX-series Switches on page 663 Configuring IGMP Snooping (CLI Procedure) on page 671
multicast-router-interface
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.1 for EX-series switches. Statically configure an interface as a switching interface toward a multicast router (the interface to receive multicast traffic). Disabled. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring IGMP Snooping on EX-series Switches on page 663 Configuring IGMP Snooping (CLI Procedure) on page 671
interface
699
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
query-interval
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.1 for EX-series switches. Configure how frequently the switch sends host-query timeout messages to a multicast group. 125 seconds.
seconds Number of seconds between host-query timeout messages.
Range: 1 through 1024 seconds routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring IGMP Snooping on EX-series Switches on page 663 Configuring IGMP Snooping (CLI Procedure) on page 671
query-last-member-interval
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.1 for EX-series switches. Configure the interval between group-specific query timeout messages sent by the switch. 1 second.
seconds Amount of time between group-specific query timeout messages.
Range: 1 though 1024 seconds routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring IGMP Snooping on EX-series Switches on page 663 Configuring IGMP Snooping (CLI Procedure) on page 671
700
query-interval
query-response-interval
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.1 for EX-series switches. Configure the length of time the switch waits to receive a response to a specific query message from a host. 10 seconds.
seconds Number of seconds the switch waits to receive a response to a specific
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring IGMP Snooping on EX-series Switches on page 663 Configuring IGMP Snooping (CLI Procedure) on page 671
robust-count
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.1 for EX-series switches. Configure the number of intervals the switch waits before removing a multicast group from the multicast forwarding table. The length of each interval is configured using the query-interval statement. 2
number Number of intervals the switch waits before timing out a multicast group.
Range: 2 through 10 routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring IGMP Snooping on EX-series Switches on page 663 Configuring IGMP Snooping (CLI Procedure) on page 671
query-response-interval
701
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
traceoptions
Syntax
traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag (detail | disable | receive | send); } [edit protocols igmp-snooping]
Statement introduced in JUNOS Release 9.1 for EX-series switches. Define tracing operations for IGMP snooping. The traceoptions feature is disabled by default.
file filename Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log. files number (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached ( xk to specify KB, xm to specify MB, or xg to specify gigabytes), at which point the oldest trace
file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option. Range: 2 through 1000 Default: 3 files
flag flag Tracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. You can include the following flags:
allAll tracing operations. generalTrace general IGMP snooping protocol events. leaveTrace leave group messages (IGMPv2 only). normalTrace normal IGMP snooping protocol events. packetsTrace all IGMP packets. policyTrace policy processing. queryTrace IGMP membership query messages. reportTrace membership report messages. routeTrace routing information. stateTrace IGMP state transitions. taskTrace routing protocol task processing. timerTrace routing protocol timer processing.
702
traceoptions
match regex (Optional) Refine the output to include lines that contain the regular
expression.
no-world-readable(Optional) Restricted file access to the user who created the file. size size (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum
number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify gigabytes Range: 10 KB through 1 gigabytes Default: 128 KB
world-readable(Optional) Enable unrestricted file access.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring IGMP Snooping on EX-series Switches on page 663 Configuring IGMP Snooping (CLI Procedure) on page 671
traceoptions
703
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
vlan
Syntax
vlan vlan-id | vlan-name { disable { interface interface-name; } immediate-leave; interface interface-name { multicast-router-interface; static { group ip-address; } } query-interval seconds; query-last-member-interval seconds; query-response-interval seconds; robust-count number; } [edit protocols igmp-snooping]
Statement introduced in JUNOS Release 9.1 for EX-series switches. Configure IGMP snooping parameters for a VLAN. The remaining statements are explained separately.
Default Options
Range: 0 through 4095. Tags 0 and 4095 are reserved by JUNOS software, and you should not configure them.
vlan-name Name of a VLAN.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Configuring IGMP Snooping (CLI Procedure) on page 671 IGMP Snooping on EX-series Switches Overview on page 659
704
vlan
Chapter 43
705
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.1 for EX-series switches. Clear IGMP snooping membership information.
vlan vlan-id Numeric tag identifier of the VLAN. vlan vlan-name Name of the VLAN.
Required Privilege Level Related Topics List of Sample Output clear igmp-snooping membership
view
706
Command introduced in JUNOS Release 9.1 for EX-series switches. Clear IGMP snooping statistics. view
707
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
show igmp-snooping membership <brief | detail> <interface interface-name > <vlan vlan-id | vlan-number>
Command introduced in JUNOS Release 9.1 for EX-series switches. Display IGMP snooping membership information.
noneDisplay general parameters. brief | detail (Optional) Display the specified level of output. interface interface-name (Optional) Display IGMP snooping information for the
specified interface.
vlan vlan-id | vlan-number (Optional) Display IGMP snooping information for the
specified VLAN.
Required Privilege Level Related Topics List of Sample Output Output Fields
view
show igmp-snooping membership on page 709 show igmp-snooping membership detail on page 709 Table 42 on page 1306 lists the output fields for the show igmp-snooping membership command. Output fields are listed in the approximate order in which they appear.
Field Description Name of the VLAN. Interfaces assigned to the VLAN. Numerical identifier of the VLAN. Names of interfaces statically configured as multicast router interfaces. IP multicast address of the multicast group. Number of interfaces that have membership in a multicast group. IGMP version of the host sending a join message. The IGMP version can be V1-hosts, V2-hosts, or static. Length of time (in seconds) left until the entry is removed.
timeout
All
708
user@switch> show igmp-snooping membership VLAN: v1 224.1.1.1 * 258 secs Interfaces: ge-0/0/0.0 224.1.1.3 * 258 secs Interfaces: ge-0/0/0.0 224.1.1.5 * 258 secs Interfaces: ge-0/0/0.0 224.1.1.7 * 258 secs Interfaces: ge-0/0/0.0 224.1.1.9 * 258 secs Interfaces: ge-0/0/0.0 224.1.1.11 * 258 secs Interfaces: ge-0/0/0.0 user@switch> show igmp-snooping membership detail VLAN: default Tag: 0 (Index: 119) Router interfaces:ge-2/0/45.0, ge-2/0/47.0, ge-2/0/46.0 Group: 224.1.1.1 Receiver count: 0, Flags: <V1-hosts V2-hosts> ge-2/0/46.0 timeout: 203 Group: 224.1.1.2 Receiver count: 0, Flags: <V1-hosts V2-hosts> ge-2/0/46.0 timeout: 203 Group: 224.1.1.3 Receiver count: 0, Flags: <V1-hosts V2-hosts> ge-2/0/46.0 timeout: 203 Group: 224.1.1.4 Receiver count: 0, Flags: <V1-hosts V2-hosts> ge-2/0/46.0 timeout: 204 Group: 224.1.1.5 Receiver count: 0, Flags: <V1-hosts V2-hosts> ge-2/0/46.0 timeout: 204 Group: 224.1.1.6
709
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
show igmp-snooping route <brief | detail> <ethernet-switching <brief | detail | vlan ( vlan-id | vlan-name )>> <inet <brief | detail | vlan ( vlan-id | vlan-name )>> <vlan vlan-id | vlan-name >
Command introduced in JUNOS Release 9.1 for EX-series switches. Display IGMP snooping route information.
noneDisplay general parameters. brief | detail (Optional) Display the specified level of output. ethernet-switching (Optional) Display Ethernet switching information. inet (Optional) Display inet information. vlan vlan-id | vlan-name (Optional) Display route information for the specified
VLAN.
Required Privilege Level Related Topics
view
show igmp-snooping route on page 710 show igmp-snooping route vlan v1 on page 711 Table 42 on page 1306 lists the output fields for the show igmp-snooping route command. Output fields are listed in the approximate order in which they appear.
Field Description (For internal use only. Value is always 0.) Name of the VLAN. Multicast group address. ID associated with the next-hop device.
user@switch> show igmp-snooping route VLAN Group Next-hop V11 224.1.1.1, * 533 Interfaces: ge-0/0/13.0, ge-0/0/1.0
710
VLAN v12
user@switch> show igmp-snooping route vlan v1 Table: 0 VLAN Group Next-hop v1 224.1.1.1, * 1266 Interfaces: ge-0/0/0.0 v1 224.1.1.3, * 1266 Interfaces: ge-0/0/0.0 v1 224.1.1.5, * 1266 Interfaces: ge-0/0/0.0 v1 224.1.1.7, * 1266 Interfaces: ge-0/0/0.0 v1 224.1.1.9, * 1266 Interfaces: ge-0/0/0.0 v1 224.1.1.11, * 1266 Interfaces: ge-0/0/0.0
711
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.1 for EX-series switches. Display IGMP snooping statistics. view
show igmp-snooping statistics on page 712 Table 42 on page 1306 lists the output fields for the show igmp-snooping statistics command. Output fields are listed in the approximate order in which they appear.
Field Description IGMP packet has illegal or bad length. IGMP or IP checksum is incorrect. Packet was received through an invalid interface. Unknown IGMP type. Number of timeouts for all multicast groups. Type of IGMP message (Query, Report, Leave, or Other). Number of IGMP packets received. Number of IGMP packets transmitted. Number of general receive errors.
user@switch> show igmp-snooping statistics Bad length: 0 Bad checksum: 0 Invalid interface: 0 Not local: 0 Receive unknown: 0 Timed out: 58 IGMP Type Queries: Reports: Leaves: Other: Received 74295 18148423 0 0 Transmitted 0 0 0 0 Recv Errors 0 16333523 0 0
712
Command introduced in JUNOS Release 9.1 for EX-series switches. Display IGMP snooping VLAN information.
noneDisplay general parameters. brief | detail (Optional) Display the specified level of output. vlan vlan-id | vlan vlan-number (Optional) Display VLAN information for the specified
VLAN.
Required Privilege Level Related Topics
view
show igmp-snooping vlans on page 714 show igmp-snooping vlans vlan v10 on page 714 show igmp-snooping vlans vlan v10 detail on page 714 Table 42 on page 1306 lists the output fields for the show igmp-snooping vlans command. Output fields are listed in the approximate order in which they appear.
Output Fields
Field Description Name of the VLAN. Number of interfaces in the VLAN. Number of groups in the VLAN Number of multicast routers associated with the VLAN. Number of host receivers in the VLAN. Numerical identifier of the VLAN. Internal VLAN interface identifier. Membership timeout value.
Level of Output All levels All levels All levels All levels All levels Detail Detail Detail
713
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Field Description Timeout value for interfaces dynamically marked as router interfaces (interfaces that receive queries). When the querier timeout is reached, the switch marks the interface as a host interface. Name of the interface. Number of dynamic groups on an interface.
Interface Reporters
Detail Detail
user@switch> show igmp-snooping vlans VLAN default v1 v10 v11 v180 v181 v182
user@switch> show igmp-snooping vlans vlan v10 user@switch> show igmp-snooping vlans vlan v10 VLAN Interfaces Groups MRouters Receivers v10 1 0 0 0 user@switch> show igmp-snooping vlans vlan v10 detail VLAN: v10, Tag: 10, vlan-interface: vlan.10 Membership timeout: 260, Querier timeout: 255 Interface: ge-0/0/10.0, tagged, Groups: 0, Reporters: 0
714
Part 10
Understanding 802.1X, Port Security, and VoIP on page 717 Examples of Configuring 802.1X, Port Security, and VoIP on page 755 Configuring 802.1X, Port Security, and VoIP on page 865 Verifying 802.1X, Port Security, and VoIP on page 907 Configuration Statements for 802.1X, Port Security, and VoIP on page 919 Operational Mode Commands for 802.1X, Port Security, and VoIP on page 1005
715
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
716
Chapter 44
802.1X for EX-series Switches Overview on page 718 Understanding 802.1X Authentication on EX-series Switches on page 719 Understanding 802.1X MAC RADIUS Authentication on EX-series Switches on page 723 Understanding Server Fail Fallback and 802.1X Authentication on EX-series Switches on page 725 Understanding Dynamic VLANs for 802.1X on EX-series Switches on page 726 Understanding Guest VLANs for 802.1X on EX-series Switches on page 726 Understanding 802.1X and AAA Accounting on EX-series Switches on page 727 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728 Understanding 802.1X Static MAC on EX-series Switches on page 730 Understanding 802.1X and VoIP on EX-series Switches on page 732 Understanding 802.1X and VSAs on EX-series Switches on page 734 Port Security for EX-series Switches Overview on page 734 Understanding How to Protect Access Ports on EX-series Switches from Common Attacks on page 736 Understanding DHCP Snooping for Port Security on EX-series Switches on page 738 Understanding DAI for Port Security on EX-series Switches on page 744 Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches on page 746 Understanding Trusted DHCP Servers for Port Security on EX-series Switches on page 748 Understanding DHCP Option 82 for Port Security on EX-series Switches on page 748 Understanding IP Source Guard for Port Security on EX-series Switches on page 751
717
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
singleAuthenticates only the first supplicant. All other supplicants who connect
later to the port are allowed full access without any further authentication. They effectively piggyback on the first supplicants authentication.
be authenticated individually. Network access can be further defined using VLANs and firewall filters, which both act as filters to separate and match groups of supplicants to the areas of the LAN they require. 802.1X does not replace other security technologies. 802.1X works together with port security features, such as DHCP snooping, dynamic ARP inspection (DAI), and MAC limiting, to guard against DoS attacks and spoofing. 802.1X features on EX-series switches are:
Guest VLANProvides limited access to a LAN, typically just to the Internet, for supplicants that fail 802.1X authentication. Dynamic VLANEnables a supplicant, after authentication, to be a member of a VLAN dynamically. MAC-based authenticationProvides MAC-based authentication as a bypass mechanism to authenticate non-responsive hosts (such as printers) that are not 802.1X-enabled. MAC-based authentication connects the non-responsive hosts to 802.1X-enabled ports, bypassing 802.1X authentication. Dynamic changes to a user sessionLets the switch administrator terminate an already authenticated session. This feature is based on support of the RADIUS Disconnect Message defined in RFC 3576. Support for VoIPSupports IP telephones. If the phone is 8021X enabled, it is authenticated like any other supplicant. When it is authenticated, the RADIUS server returns the Voice VLAN ID and other parameters for managing VoIP traffic. If the phone is not 802.1X-enabled, but has another 802.1X-compatible device connected to its data port, that device is authenticated, and then VoIP traffic can flow to and from the phone. If the IP phone supports Link Layer Discovery Protocol (LLDP) or Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), the RADIUS server
718
can send VoIP parameters to the IP telephone through these protocols. The VoIP parameters ensure that voice traffic gets tagged and prioritized with the correct values at the source itself. If the phone does not support LLDP or LLDP-MED, then the packets will be put in the VoIP VLAN configured on the switch.
RADIUS accountingSends accounting information to the RADIUS accounting server. Accounting information is sent to the server whenever a subscriber logs in or logs out and whenever a subscriber activates or deactivates a subscription. This feature is based on RFC 2866, RADIUS Accounting. Vendor Specific Attributes (VSAs)Supports a new set of filtering attributes that are applied on the RADIUS authentication server. These filtering attributes further define a supplicant's access during the 802.1X authentication process. Centrally configuring VSAs on the authentication server does away with the need to configure these same attributes in the form of firewall filters on every switch in the LAN to which the supplicant may connect to the LAN. This feature is based on RLI 4583, AAA RADIUS BRAS VSA Support. Understanding 802.1X Static MAC on EX-series Switches on page 730 Understanding 802.1X Authentication on EX-series Switches on page 719 Understanding 802.1X and VoIP on EX-series Switches on page 732 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728 Understanding 802.1X and AAA Accounting on EX-series Switches on page 727 Understanding Guest VLANs for 802.1X on EX-series Switches on page 726 Understanding 802.1X and VSAs on EX-series Switches on page 734 Understanding Server Fail Fallback and 802.1X Authentication on EX-series Switches on page 725 Understanding 802.1X MAC RADIUS Authentication on EX-series Switches on page 723
Related Topics
719
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
A LAN network configured for 802.1X authentication contains three basic components:
SupplicantThe IEEE term for a host that requests to join the network. The host can be responsive or nonresponsive. A responsive host is one on which 802.1X is enabled and provides authentication credentials; specifically, a username and password for EAP MD5, or a username and client certificates for EAP-TLS, EAP-TTLS, and EAP-PEAP. A nonresponsive host is one on which 802.1X is not enabled, but can be authenticated using a MAC-based authentication method. Authenticator Port Access EntityThe IEEE term for the authenticator. The EX-series switch is the authenticator and it controls access by blocking all traffic to and from supplicants until they are authenticated. Authentication server The authentication server contains the backend database that makes authentication decisions. It contains credential information for each supplicant that can connect to the network. The authenticator forwards credentials supplied by the supplicant to the authentication server. If the credentials forwarded by the authenticator match the credentials in the authentication server database, access is granted. If the credentials forwarded do not match, access is denied. The EX-series switches support RADIUS authentication servers.
Figure 38 on page 721 illustrates the basic deployment topology for 802.1X on an EX-series switch:
720
721
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The communication protocol between the supplicant and the EX-series switch is Extensible Authentication Protocol Over LAN (EAPOL). EAPOL is a version of EAP designed to work with Ethernet networks. The communication protocol between the authentication server and the switch is RADIUS. The authentication process requires multiple message exchanges between the supplicant and the authentication server. The switch that is in between the supplicant and the authentication server is the authenticator. It acts as an intermediary, converting EAPOL messages to RADIUS messages and vice versa. Figure 39 on page 722 illustrates the authentication process:
Figure 39: Authentication Process
Authentication is initiated by the client or the switch. The client initiates authentication by sending an EAPOL-start message, or the switch initiates authentication when it receives the first data packet from the client. When the switch port (authenticator) detects a new supplicant connecting to the LAN network, the port on the authenticator is enabled and set to the initialized
2.
722
state. In this state, only 802.1X traffic is allowed. Other traffic, such as DHCP and HTTP, is blocked at the data link layer.
3. 4.
The authenticator sends a RADIUS access request message to the RADIUS server to allow the supplicant access to the LAN. The authentication server accepts or rejects the access request. If it accepts the request, the authentication server sends a RADIUS access challenge. If the challenge is met by the supplicant, the authenticator sets the port to the authorized state and normal traffic is then accepted to pass through the port. If the authentication server rejects the RADIUS access request, the authenticator sets the port to the unauthorized state, blocking all traffic. When the supplicant disconnects from the network, the supplicant sends an EAP-logoff message to the authenticator. The authenticator then sets the port to the unauthorized state, once again blocking all non-EAP traffic.
5.
The 802.1X authentication feature on an EX-series switch is based upon the IEEE 802.1D standard Port-Based Network Access Control.
Related Topics
802.1X for EX-series Switches Overview on page 718 Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Configuring 802.1X Authentication (CLI Procedure) on page 866
723
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Nonresponsive hosts can also gain access to the LAN using static MAC as a bypass mechanism for 802.1X authentication. See Understanding 802.1X Static MAC on EX-series Switches on page 730 for more information about a static MAC configuration.
Related Topics
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch and a RADIUS Server on page 775 Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 770 Configuring MAC RADIUS Authentication (CLI Procedure) on page 871 802.1X for EX-series Switches Overview on page 718
724
Permit authentication, allowing traffic to flow from the supplicant through the interface as if the supplicant were successfully authenticated by the RADIUS server. Deny authentication, preventing traffic from flowing from the supplicant through the interface. This is the default. Move the supplicant to a specified VLAN. (The VLAN must already exist on the switch.) Sustain authenticated supplicants that already have LAN access and deny unauthenticated supplicants. If the RADIUS servers time out during reauthentication, previously authenticated supplicants are reauthenticated and new users are denied LAN access.
Server fail fallback is triggered most often during reauthentication when the already configured and in-use RADIUS server becomes inaccessible. However, server fail fallback can also be triggered by a supplicants first attempt at authentication through the RADIUS server. Server fail fallback also allows you to specify that a supplicant be moved to a specified VLAN if the switch receives an EAPOL Accept-Reject message. The configured VLAN name overrides any attributes sent by the server.
Related Topics
802.1X for EX-series Switches Overview on page 718 Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX-series Switch on page 761 Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Configuring 802.1X Authentication (CLI Procedure) on page 866
725
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 766 Understanding Guest VLANs for 802.1X on EX-series Switches on page 726
The supplicant machine does not have supplicant software on it (for example, the supplicant is a non-responsive host, such as a printer). The supplicant provided invalid credentialsa username or password that were not authenticated by the authentication server.
For non-responsive hosts, the guest VLAN could allow limited access to a server from which the non-responsive host can download the supplicant software and attempt authentication again.
Related Topics
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 766 Understanding Dynamic VLANs for 802.1X on EX-series Switches on page 726
726
A RADIUS accounting server listens for User Datagram Protocol (UDP) packets on a specific port. For example, on FreeRADIUS, the default port is 1813. The switch forwards an accounting-request packet containing an event record to the accounting server. For example, a supplicant is authenticated through 802.1X authentication and connected to the LAN. The event record associated with this supplicant contains an Acct-Status-Type attribute whose value indicates the beginning of user service for this supplicant. When the supplicant's session ends, the accounting request will contain an Acct-Status-Type attribute value indicating the end of user service. The RADIUS accounting server records this as a stop-accounting record containing session information and the length of the session. The RADIUS accounting server logs these events as start-accounting or stop-accounting records. The records are in a file. On FreeRADIUS, the file name is the server's address; for example, 122.69.1.250. The accounting server sends an accounting-response packet back to the switch confirming it has received the accounting request. If the switch does not receive a response from the server, it continues to send accounting requests until an accounting response is returned from the accounting server.
3.
4. 5.
The statistics collected through this process can be displayed from the RADIUS server; to see those statistics, the user accesses the log file configured to receive them.
Related Topics
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 802.1X for EX-series Switches Overview on page 718 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874
727
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Chassis IdentifierThe MAC address associated with the local system. Port identifierThe port identification for the specified port in the local system. Port DescriptionThe user configured port description. The port description
System NameThe user configured name of the local system. The system name
software and current image running on the system. This information is not configurable, but taken from the software.
capabilities that system supports are defined; for example, bridge or router. This information is not configurable, but based on the model of the product.
Power via MDIA TLV that advertises MDI power support, PSE power pair, and
physical interface, such as autonegotiation status and support and MAU type. The information is not configurable, but based on the physical interface structure.
728
Link AggregationA TLV that advertises if the port is aggregated and its aggregated
port ID.
Maximum Frame SizeA TLV that advertises the Maximum Transmission Unit
Port VlanA TLV that advertises the VLAN name configured on the interface.
NOTE: If the IP address isn't configured on the Avaya IP phone, the phone sends an ARP request to the DHCP server and references the VLAN ID for the VLAN on which it is a member. If the VLAN ID is incorrect, the IP phones request for an IP address is denied. To bypass this issue, configure the voip statement on the interface. With the interface designated as a VoIP interface, the switch can forward the VLAN name and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses the voice VLAN (that is, it references the voice VLANs ID) to make an ARP request and receive an IP address.
LLDP MED CapabilitiesA TLV that advertises the primary function of the port.
0 Capabilities 1 Network Policy 2 Location Identification 3 Extended Power via MDI-PSE 4 Inventory 515 Reserved
0 Class not defined. 1 Class 1 Device. 2 Class 2 Device. 3 Class 3 Device. 4 Network Connectivity Device 5255 Reserved.
Network PolicyA TLV that advertises the port VLAN configuration and associated
Layer 2 and Layer 3 attributes. Attributes include the policy identifier, application types, such as voice or streaming video, 802.1Q VLAN tagging, and 802.1p priority bits and Diffserv code points.
729
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Endpoint Location A TLV that advertises the physical location of the endpoint. Extended Power via MDI A TLV that advertises the power type, power source,
power priority, and power value of the port. It is the responsibility of the PSE device (network connectivity device) to advertise the power priority on a port.
Related Topics
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Configuring LLDP-MED (CLI Procedure) on page 882 Configuring LLDP (CLI Procedure) on page 880
730
Related Topics
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 770 802.1X for EX-series Switches Overview on page 718
731
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
If an 802.1X-compatible IP telephone does not have an 802.1X host but has another 802.1X-compatible device connected to its data port, you can connect the phone to an interface in single-supplicant mode. In single-supplicant mode, the 802.1X process authenticates only the first supplicant. All other supplicants who connect later to the interface are allowed full access without any further authentication. They effectively
732
piggyback on the first supplicants authentication. For an example of a VoIP single supplicant topology, see Figure 43 on page 733 .
If an IP telephone does not support 802.1X, you can configure VoIP to bypass 802.1X and LLDP-MED and have the packets forwarded to a VoIP VLAN,.
Related Topics
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728 Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Example: Configuring VoIP on an EX-series Switch Without Including 802.1X Authentication on page 792 Example: Configuring VoIP on an EX-series Switch Without Including LLDP-MED Support on page 798
733
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Understanding 802.1X Authentication on EX-series Switches on page 719 Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on page 875 Configuring Firewall Filters (CLI Procedure) on page 1087 VSA Match Conditions and Actions for EX-series Switches on page 883
734
Port security features can be turned on to obtain the most robust port security level. Basic port security features are enabled in the switch's default configuration. You can configure additional features with minimal configuration steps. Port security features on EX-series switches are:
DHCP snoopingFilters and blocks ingress DHCP server messages on untrusted ports; builds and maintains an IP-address/MAC-address binding database (called the DHCP snooping database). You enable this feature on VLANs. Dynamic ARP inspection (DAI)Prevents ARP spoofing attacks. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. You enable this feature on VLANs. MAC limitingProtects against flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). You enable this feature on interfaces (ports). MAC move limitingDetects MAC movement and MAC spoofing on access ports. Prevents hosts whose MAC addresses have not been learned by the switch from accessing the network. You enable this feature on VLANs. Trusted DHCP serverWith a DHCP server on a trusted port, protects against rogue DHCP servers sending leases. You enable this feature on interfaces (ports). By default, access ports are untrusted and trunk ports are trusted. (Access ports are the switch ports that connect to Ethernet endpoints such as user PCs and laptops, servers, and printers. Trunk ports are the switch ports that connect to other Ethernet switches or to routers.) IP source guardMitigates the effects of IP address spoofing attacks on the Ethernet LAN. You enable this feature on VLANs. With IP source guard enabled, the source IP address in the packet sent from an untrusted access interface is validated against the source MAC address in the DHCP snooping database. The packet is allowed for further processing if the source IP address to source MAC address binding is valid; if the binding is not valid, the packet is discarded. DHCP option 82Also known as the DHCP relay agent information option. Helps protect the EX-series switch against attacks such as spoofing of IP addresses and MAC addresses and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client. Security Features for EX-series Switches Overview on page 12 Understanding DHCP Snooping for Port Security on EX-series Switches on page 738 Understanding DAI for Port Security on EX-series Switches on page 744 Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches on page 746 Understanding IP Source Guard for Port Security on EX-series Switches on page 751
Related Topics
735
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Understanding DHCP Option 82 for Port Security on EX-series Switches on page 748 Understanding How to Protect Access Ports on EX-series Switches from Common Attacks on page 736
Understanding How to Protect Access Ports on EX-series Switches from Common Attacks
Port security features can protect the EX-series switch against various types of attacks. Protection methods against some common attacks are:
Mitigation of Ethernet Switching Table Overflow Attacks on page 736 Mitigation of Rogue DHCP Server Attacks on page 736 Protection Against ARP Spoofing Attacks on page 737 Protection Against DHCP Snooping Database Alteration Attacks on page 737 Protection Against DHCP Starvation Attacks on page 737
736
Understanding How to Protect Access Ports on EX-series Switches from Common Attacks
Understanding How to Protect Access Ports on EX-series Switches from Common Attacks
737
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Understanding DHCP Snooping for Port Security on EX-series Switches on page 738 Understanding DAI for Port Security on EX-series Switches on page 744 Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches on page 746 Understanding Trusted DHCP Servers for Port Security on EX-series Switches on page 748 Configuring Port Security (CLI Procedure) on page 886 Configuring Port Security (J-Web Procedure) on page 887
DHCP Snooping Basics on page 738 DHCP Snooping Process on page 739 DHCP Server Access on page 740 DHCP Snooping Table on page 743 Static IP Address Additions to the DHCP Snooping Database on page 743
738
By default, all trunk ports on the switch are trusted and all access ports are untrusted for DHCP snooping. You can modify these defaults on each of the switch's interfaces. You configure DHCP snooping for each VLAN, not for each interface (port). By default, DHCP snooping is disabled for all VLANs. If you move a network device from one VLAN to another, typically the device has to acquire a new IP address, so its entry in the database, including the VLAN ID, is updated. The Ethernet switching process, ESWD, maintains the timeout (lease time) value for each IP-addressMAC-address binding in its database. The lease time is assigned by the DHCP server. The software reads the DHCP messages to obtain the lease time and deletes the associated entry from the database when the lease time expires. If the switch is rebooted, DHCP bindings are lost. The DHCP clients (the network devices, or hosts) must reacquire the bindings.
For general information about the messages that the DHCP client and DHCP server exchange during the assignment of an IP address for the client, see the JUNOS Software
739
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Switch, DHCP Clients, and DHCP Server Are All on the Same VLAN on page 740 Switch Acts as DHCP Server on page 741 Switch Acts as Relay Agent on page 742
Switch, DHCP Clients, and DHCP Server Are All on the Same VLAN
When the switch, DHCP clients, and DHCP server are all members of the same VLAN, the DHCP server can be connected to the switch in one of two ways:
The server is directly connected to the same switch as the one connected to the DHCP clients (the hosts, or network devices, that are requesting IP addresses from the server). You must configure the port that connects the server to the switch as a trusted port. See Figure 45 on page 740. The server is directly connected to a switch that is itself directly connected through a trunk port to the switch that the DHCP clients are connected to. The trunk port is configured by default as a trusted port. The switch that the DHCP server is connected to is not configured for DHCP snooping. See Figure 46 on page 741in the figure, ge-0/0/11 is a trusted trunk port.
740
Figure 46: DHCP Server Connected Directly to Switch 2, with Switch 2 Connected to Switch 1 Through a Trusted Trunk Port
741
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The DHCP server and clients are in different VLANs. The switch is connected to a router that is in turn connected to the DHCP server. See Figure 48 on page 743.
742
Figure 48: Switch Acting as Relay Agent Through Router to DHCP Server
Port Security for EX-series Switches Overview on page 734 Understanding Trusted DHCP Servers for Port Security on EX-series Switches on page 748
743
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Understanding DHCP Option 82 for Port Security on EX-series Switches on page 748 DHCP Services for EX-series Switches Overview on page 657 DHCP/BOOTP Relay for EX-series Switches Overview on page 658 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Enabling DHCP Snooping (CLI Procedure) on page 889 and Enabling DHCP Snooping (J-Web Procedure) on page 890
Address Resolution Protocol on page 744 ARP Spoofing on page 744 DAI on EX-series Switches on page 745
ARP Spoofing
ARP spoofing (also known as ARP poisoning or ARP cache poisoning) is one way to initiate man-in-the-middle attacks. The attacker sends an ARP packet that spoofs the MAC address of another device on the LAN. Instead of the switch sending traffic to the proper network device, it sends it to the device with the spoofed address that is
744
impersonating the proper device. If the impersonating device is the attacker's machine, the attacker receives all the traffic from the switch that should have gone to another device. The result is that trafic from the switch is misdirected and cannot reach its proper destination. One type of ARP spoofing is gratuitous ARP, which is when a network device sends an ARP request to resolve its own IP address. In normal LAN operation, gratuitous ARP messages indicate that two devices have the same MAC address. They are also broadcast when a network interface card (NIC) in a device is changed and the device is rebooted, so that other devices on the LAN update their ARP caches. In malicious situations, an attacker can poison the ARP cache of a network device by sending an ARP response to the device that directs all packets destined for a certain IP address to go to a different MAC address instead. To prevent MAC spoofing through gratuitous ARP and through other types of spoofing, EX-series switches examine ARP responses through DAI.
Port Security for EX-series Switches Overview on page 734 Understanding DHCP Snooping for Port Security on EX-series Switches on page 738 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 840
745
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 832 Enabling Dynamic ARP Inspection (CLI Procedure) on page 898 Enabling Dynamic ARP Inspection (J-Web Procedure) on page 898
Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches
MAC limiting protects against flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). You enable this feature on interfaces (ports). MAC move limiting detects MAC movement and MAC spoofing on access interfaces. It prevents hosts whose MAC addresses have not been learned by the switch from accessing the network. You enable this feature on VLANs.
MAC Limiting on page 746 MAC Move Limiting on page 746 Actions for MAC Limiting and MAC Move Limiting on page 747 MAC Addresses That Exceed the MAC Limit or MAC Move Limit on page 747
MAC Limiting
MAC limiting sets a limit on the number of MAC addresses that can be learned on a single Layer 2 access interface. JUNOS software provides two MAC limiting methods:
Maximum number of MAC addressesYou configure the maximum number of dynamic MAC addresses allowed per interface. As soon as the limit is reached, incoming packets with new MAC addresses are dropped. The MAC limit value in the EX-series switch default configuration is five MAC addresses. Allowed MACYou configure specific allowed MAC addresses for the access interface. Any MAC address that is not in the list of configured addresses is not learned. Allowed MAC binds MAC addresses to a VLAN so that the address does not get registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.
746
Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches
dropDrop the packet and generate an alarm, an SNMP trap, or a system log
entry.
logDo not drop the packet but generate an alarm, an SNMP trap, or a system
log entry.
noneTake no action. shutdownBlock data traffic on the interface and generate an alarm.
If you do not set an action, then the action is none. You can also explicitly set none as the action. See results of these various action settings in Verifying That MAC Limiting Is Working Correctly on page 913. If you set a MAC limit to apply to all interfaces on the switch, you can override that setting for a particular interface by specifying action none. See Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure) on page 904.
MAC Addresses That Exceed the MAC Limit or MAC Move Limit
If you view log messages that indicate the MAC limit or MAC move limit is exceeded, you can view the offending MAC addresses that have exceeded the limit. See Troubleshooting Port Security for details.
Related Topics
Port Security for EX-series Switches Overview on page 734 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 837 Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 815 Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 829 Configuring MAC Limiting (CLI Procedure) on page 899 Configuring MAC Limiting (J-Web Procedure) on page 901
Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches
747
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Understanding DHCP Snooping for Port Security on EX-series Switches on page 738 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 819 Enabling a Trusted DHCP Server (CLI Procedure) on page 891 Enabling a Trusted DHCP Server (J-Web Procedure) on page 891
DHCP Option 82 Processing on page 748 Suboption Components of Option 82 on page 749 Configurations of the EX-series Switch That Support Option 82 on page 750
748
You can enable DHCP option 82 on a single VLAN or on all VLANs on the switch. You can also configure it on Layer 3 interfaces (in routed VLAN interfaces, or RVIs) when the switch is functioning as a relay agent. When option 82 is enabled on the switch, then this sequence of events occurs when a DHCP client sends a DHCP request:
1. 2. 3. 4. 5.
The switch receives the request and inserts the option 82 information in the packet header. The switch forwards or relays the request to the DHCP server. The server uses the DHCP option 82 information to formulate its reply and sends a response back to the switch. It does not alter the option 82 information. The switch strips the option 82 information from the response packet. The switch forwards the response packet to the client.
NOTE: To use the DHCP option 82 feature, you must ensure that the DHCP server is configured to accept option 82. If it is not configured to accept option 82, then when it receives requests containing option 82 information, it does not use the information in setting parameters and it does not echo the information in its response message. For detailed information about configuring DHCP services, see the JUNOS Software System Basics Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos93/index.html. The configuration for DHCP service on the EX-series switch includes the dhcp statement at the [edit system services] hierarchy level.
circuit IDIdentifies the circuit (interface and/or VLAN) on the switch on which the request was received. The circuit ID contains the interface name and/or VLAN name, with the two elements separated by a colonfor example, ge-0/0/10:vlan1, where ge-0/0/10 is the interface name and vlan1 is the VLAN name. If the request packet is received on a Layer 3 interface, the circuit ID is just the interface namefor example, ge-0/0/10. Use the prefix option to add an optional prefix to the circuit ID. If you enable the prefix option, the hostname for the switch is used as the prefix; for example, switch1:ge-0/0/10:vlan1, where switch1 is the hostname. You can also specify that the interface description be used rather than the interface name and/or that the VLAN ID be used rather than the VLAN name.
remote IDIdentifies the host. By default, the remote ID is the MAC address of the switch. You can specify that the remote ID be the hostname of the switch, the interface description, or a character string of your choice. You can also add an optional prefix to the remote ID.
749
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
vendor IDIdentifies the vendor of the host. If you specify the vendor-id option but do not enter a value, the default value Juniper is used. To specify a value, you type a character string.
Switch and Clients Are on Same VLAN as DHCP Server on page 750 Switch Acts as Relay Agent on page 750
For the configuration shown in Figure 49 on page 750, you set DHCP option 82 at the [edit ethernet-switching-options secure-access-port vlan] hierarchy level.
750
a scenario for the switch-as-relay-agent; in this instance, the switch relays requests through a router to the server.
Figure 50: Switch Relays DHCP Requests to Server
For the configuration shown in Figure 50 on page 751, you set DHCP option 82 at the [edit forwarding-options helpers bootp] hierarchy level.
Related Topics
Port Security for EX-series Switches Overview on page 734 Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server on page 825 Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server on page 822 Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 892 Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 895
IP Address Spoofing on page 752 How IP Source Guard Works on page 752
751
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The IP Source Guard Database on page 752 Typical Uses of Other JUNOS Software Features with IP Source Guard on page 753
IP Address Spoofing
Hosts on access interfaces can spoof source IP addresses and/or source MAC addresses by flooding the switch with packets containing invalid addresses. Such attacks combined with other techniques such as TCP SYN flood attacks can result in denial-of-service (DoS) attacks. With source IP address or source MAC address spoofing, the system administrator cannot identify the source of the attack. The attacker can spoof addresses on the same subnet or on a different subnet.
752
ge0/0/13.0
100
voice
The IP source guard database table contains the VLANs enabled for IP source guard, the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there are any, and the IP addresses and MAC addresses that are bound to one another. If a switch interface is associated with multiple VLANs and some of those VLANs are enabled for IP source guard and others are not, the VLANs that are not enabled for IP source guard have a star (*) in the IP Address and MAC Address fields. See the entry for the voice VLAN in the preceding sample output.
VLAN tagging (used for voice VLANs) GRES (Graceful Routing Engine switchover) Virtual Chassis configurations (multiple EX 4200 switches that are managed through a single management interface) Link-aggregation groups (LAGs) 802.1X user authentication, in single supplicant mode
NOTE: The 802.1X user authentication is applied in one of three modes: single supplicant, single-secure supplicant, or multiple supplicant. Single supplicant mode works with IP source guard, but single-secure and multiple supplicant modes do not.
Related Topics
Understanding DHCP Snooping for Port Security on EX-series Switches on page 738 Example: Configuring IP Source Guard on a Data VLANThat Shares an Interface with a Voice VLAN on page 848 Example: Configuring IP Source Guard with Other EX-series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 855
753
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
754
Chapter 45
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX-series Switch on page 761 Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 766 Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 770 Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch and a RADIUS Server on page 775 Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch on page 785 Example: Configuring VoIP on an EX-series Switch Without Including 802.1X Authentication on page 792 Example: Configuring VoIP on an EX-series Switch Without Including LLDP-MED Support on page 798 Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using RADIUS Server Attributes on an EX-series Switch on page 802 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 815 Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 819 Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server on page 822 Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server on page 825
755
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 829 Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 832 Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 837 Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 840 Example: Configuring IP Source Guard on a Data VLANThat Shares an Interface with a Voice VLAN on page 848 Example: Configuring IP Source Guard with Other EX-series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 855
Requirements on page 756 Overview and Topology on page 757 Configuration on page 759 Verification on page 760
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.0 or later for EX-series switches One EX 4200 switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated. One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.
Before you connect the server to the switch, be sure you have:
Installed your EX-series switch. See Installing and Connecting an EX 3200 or EX 4200 Switch. Performed the initial switch configuration. See Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60.
756
Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407. Configured users on the authentication server.
757
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
758
Switch hardware
EX 4200 access switch, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
default
In this example, connect the RADIUS server to access port ge-0/0/10 on the EX 4200 switch. The switch acts as the authenticator and forwards credentials from the supplicant to the user database on the RADIUS server. You must configure connectivity between the EX 4200 and the RADIUS server by specifying the address of the server and configuring the secret password. This information is configured in an access profile on the switch.
NOTE: JUNOS Software System Basics Configuration Guide. For more information about authentication, authorization, and accounting (AAA) services, please see the JUNOS Software System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/
Configuration
CLI Quick Configuration
To quickly connect the RADIUS server to the switch, copy the following commands and paste them into the switch terminal window:
[edit] set access radius-server 10.0.0.100 secret juniper set access profile profile1 authentication-order radius set access profile profile1 radius authentication-server 10.0.0.100 10.2.14.200
Step-by-Step Procedure
Define the address of the server, and configure the secret password. The secret password on the switch must match the secret password on the server:
[edit access] user@switch# set radius-server 10.0.0.100 secret juniper
2.
Configure the authentication order, making radius the first method of authentication:
[edit access profile] user@switch# set profile1 authentication-order radius
Configuration
759
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
3.
Results
Verification
To confirm that the configuration is working properly, perform these tasks:
Verify That the Switch and RADIUS Server are Properly Connected on page 760
Verify That the Switch and RADIUS Server are Properly Connected
Purpose
Verify that the RADIUS server is connected to the switch on the specified port. Ping the RADIUS server to verify the connection between the switch and the server:
user@switch> ping 10.0.0.100 PING 10.0.0.100 (10.0.0.100): 56 data bytes 64 bytes from 10.93.15.218: icmp_seq=0 ttl=64 time=9.734 ms 64 bytes from 10.93.15.218: icmp_seq=1 ttl=64 time=0.228 ms
Action
Meaning
ICMP echo request packets are sent from the switch to the target server at 10.0.0.100 to test whether it is reachable across the IP network. ICMP echo responses are being returned from the server, verifying that the switch and the server are connected.
Related Topics
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 766 Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
760
Verification
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 770 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874 Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on page 875
Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX-series Switch
Server fail fallback allows you to specify how 802.1X supplicants connected to the switch are supported if the RADIUS authentication server becomes unavailable or sends an EAP Access-Reject message. 802.1X is the IEEE standard for Port-Based Network Access Control (PNAC). You use 802.1X to control network access. Only users and devices (supplicants) providing credentials that have been verified against a user database are allowed access to the network. You use a RADIUS server as the user database. This example describes how to configure an interface to move a supplicant to a VLAN in the event of a RADIUS server timeout:
Requirements on page 761 Overview and Topology on page 762 Configuration on page 763 Verification on page 764
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.3 or later for EX-series switches One EX 4200 switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated. One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.
Before you connect the server to the switch, be sure you have:
Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407. Set up a connection between the switch and the RADIUS server. See Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756. Disable firewall filters on the interface. Firewall filters interfere with server fail fallback operation. Configured users on the authentication server.
Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX-series Switch
761
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
762
Supplicant attempting access on interface ge-0/0/1 Backend database with an address of 10.0.0.100 connected to the switch at port
ge-0/0/10
In this example, configure interface ge-0/0/1 to move a supplicant attempting access to the LAN during a RADIUS timeout to another VLAN. A RADIUS timeout prevents the normal exchange of EAP messages that carry information from the RADIUS server to the switch and permit the authentication of a supplicant. The default VLAN is configured on interface ge-0/0/1. When a RADIUS timeout occurs, supplicants on the interface will be moved from the default VLAN to the VLAN named vlan-sf.
NOTE: For more information about authentication, authorization, and accounting (AAA) services, see the JUNOS Software System Basics Configuration Guide at http://www.juniper.net/techpubs/software/junos/.
Configuration
To configure server fail fallback on the switch:
CLI Quick Configuration
To quickly configure server fail fallback on the switch, copy the following commands and paste them into the switch terminal window:
[edit protocols dot1x authenticator] set interface ge-0/0/1 server-fail vlan-name vlan-sf
Step-by-Step Procedure
To configure an interface to divert supplicants to a specific VLAN when a RADIUS timeout occurs (here, the VLAN is vlan-sf):
1.
Results
Configuration
763
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
family ethernet-switching { vlan { members default; } } } } protocols { dot1x { authenticator { authentication-profile-name profile52; interface { ge-0/0/1.0 { server-fail vlan-name vlan-sf; } } } } } }
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That the Supplicants Are Moved to an Alternative VLAN During a RADIUS Timeout on page 764
Verifying That the Supplicants Are Moved to an Alternative VLAN During a RADIUS Timeout
Purpose
Verify that the interface moves supplicants to an alternative VLAN during a RADIUS timeout. Display the VLANs configured on the switch; the interface ge-0/0/1.0 is a member of the default VLAN:
user@switch> Name default show vlans Tag Interfaces ge-0/0/0.0, ge-0/0/1.0*, ge-0/0/5.0*, ge-0/0/10.0, ge-0/0/12.0*, ge-0/0/14.0*, ge-0/0/15.0, ge-0/0/20.0 v2 vlansf mgmt me0.0* 77 None 50 None
Action
Display 802.1X protocol information on the switch to view supplicants that are authenticated on interface ge-0/0/1.0:
user@switch> show dot1x interface brief
764
Verification
802.1X Information: Interface Role ge-0/0/1.0 Authenticator ge-0/0/10.0 Authenticator ge-0/0/14.0 Authenticator ge-0/0/15.0 Authenticator ge-0/0/20.0 Authenticator
User abc
A RADIUS server timeout occurs. Display the Ethernet switching table to show that the supplicant with the MAC address 00:00:00:00:00:01 previously accessing the LAN through the default VLAN is now being learned on the VLAN named vlan-sf:
user@switch> show ethernet-switching table Ethernet-switching table: 3 entries, 1 learned VLAN MAC address Type v1 * Flood vlansf 00:00:00:00:00:01 Learn default * Flood
Age 1:07 -
Display 802.1X protocol information to show that interface ge-0/0/1.0 is connecting and will open LAN access to supplicants:
user@switch> show dot1x interface brief
802.1X Information: Interface Role ge-0/0/1.0 Authenticator ge-0/0/10.0 Authenticator ge-0/0/14.0 Authenticator ge-0/0/15.0 Authenticator ge-0/0/20.0 Authenticator
MAC address
User
Meaning
The command show vlans displays interface ge-0/0/1.0 as a member of the default VLAN. The command show dot1x interface brief shows that a supplicant (abc) is authenticated on interface ge-0/0/1.0 and has the MAC address 00:00:00:00:00:01. A RADIUS server timeout occurs, and the authentication server cannot be reached by the switch. The command show-ethernet-switching table shows that MAC address 00:00:00:00:00:01 is learned on VLAN vlan-sf. The supplicant has been moved from the default VLAN to the vlan-sf VLAN. The supplicant is then connected to the LAN through the VLAN named vlan-sf.
Related Topics
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Configuring Server Fail Fallback (CLI Procedure) on page 872 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874 Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on page 875 Understanding Server Fail Fallback and 802.1X Authentication on EX-series Switches on page 725
Verifying That the Supplicants Are Moved to an Alternative VLAN During a RADIUS Timeout
765
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch
802.1X on EX-series switches provides LAN access to users who do not have credentials in the RADIUS database. These users, referred to as guests, are authenticated and typically provided with access to the Internet. This example describes how to create a guest VLAN and configure 802.1X authentication for it.
Requirements on page 766 Overview and Topology on page 766 Configuration of a Guest VLAN That Includes 802.1X Authentication on page 768 Verification on page 769
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.0 or later for EX-series switches One EX-series 4200 switch acting as an authenticator interface access entity (PAE). The interfaces on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated. One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.
Installed your EX-series switch. See Installing and Connecting an EX 3200 or EX 4200 Switch. Performed the initial switch configuration. See Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60. Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407.
766
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch
767
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Switch hardware
EX 4200 switch, 24 Gigabit Ethernet interfaces: 8 PoE interfaces (ge-0/0/0 through ge-0/0/7) and 16 non-PoE interfaces (ge-0/0/8 through ge-0/0/23)
sales, tag 100 support, tag 200 guest-vlan, tag 300
In this example, access interface ge-0/0/1 provides LAN connectivity in the conference room. Configure this access interface to provide LAN connectivity to visitors in the conference room who are not authenticated by the corporate VLAN.
To quickly configure a guest VLAN, with 802.1X authentication, copy the following commands and paste them into the switch terminal window:
[edit] set vlans guest-vlan vlan-id 300 set protocols dot1x authenticator interface all guest-vlan guest-vlan
Step-by-Step Procedure
2.
Results
768
Verification
To confirm that the configuration is working properly, perform these tasks:
Verify that the guest VLAN is created and that an interface has failed authentication and been moved to the guest VLAN. Use the operational mode commands:
user@switch> Name default dynamic guest guestvlan vlan_dyn None user@switch> show dot1x interface ge-0/0/1.0 detail ge-0/0/1.0 Role: Authenticator Administrative state: Auto Supplicant mode: Multiple Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Guest VLAN membership: guest-vlan Reauthentication: Enabled Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Supplicant: user1, 00:00:00:00:13:23 Operational state: Authenticated Reauthentication due in 3307 seconds show vlans Tag Interfaces ge-0/0/3.0* 40 None 30 None 300 ge-0/0/1.0*
Action
Meaning
The output from the show vlans command shows guest-vlan as the the name of the VLAN and the VLAN ID as 300.
Verification
769
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The output from the show dot1x interface ge-0/0/1.0 detail command displays the Guest VLAN membership field, indicating that a supplicant at this interface failed 802.1X authentication and was passed through to the guest-vlan.
Related Topics
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Configuring 802.1X Authentication (CLI Procedure) on page 866
Requirements on page 770 Overview and Topology on page 771 Configuration on page 773 Verification on page 774
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.0 or later for EX-series switches One EX 4200 switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated. One RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.
Configured basic access between the EX-series switch and the RADIUS server. See Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60. Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407.
770
771
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The interfaces shown in Table 100 on page 777 will be configured for static MAC authentication.
772
Switch hardware
EX 4200 24T, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
default ge-0/0/19, MAC address 00:04:0f:fd:ac:fe ge-0/0/20, MAC address 00:04:ae:cd:23:5f
The printer with the MAC address 00:04:0f:fd:ac:fe is connected to access interface ge-0/0/19. A second printer with the MAC address 00:04:ae:cd:23:5f is connected to access interface ge-0/0/20. Both printers will be added to the static list and bypass 802.1X authentication.
Configuration
To configure static MAC authentication, perform these tasks:
CLI Quick Configuration
To quickly configure static MAC authentication, copy the following commands and paste them into the switch terminal window:
[edit] set protocols dot1x authenticator authenticaton-profile-name profile1 set protocols dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f] set protocols dot1x interface all supplicant multiple
Step-by-Step Procedure
Configure the authentication profile name (access profile name) to use for authentication:
[edit protocols] user@switch# set dot1x authenticator authentication-profile-name profile1
2.
3.
Results
Configuration
773
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
interfaces { ge-0/0/19 { unit 0 { family ethernet-switching { vlan members default; } } } ge-0/0/20 { unit 0 { family ethernet-switching { vlan members default; } } } } protocols { dot1x { authenticator { authentication-profile-name profile1 static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]; interface { all { supplicant multiple; } } } } }
Verification
To confirm that the configuration is working properly, perform these tasks:
Verify that the MAC address for both printers is configured and associated with the correct interfaces. Use the operational mode command:
user@switch> show dot1x static-mac-address MAC address 00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f VLAN-Assignment default default Interface ge-0/0/19.0 ge-0/0/20.0
Action
Meaning
The output field MAC address shows the MAC addresses of the two printers. The output field Interface shows that the MAC address 00:04:0f:fd:ac:fe can connect to the LAN through interface ge-0/0/19.0 and that the MAC address 00:04:ae:cd:23:5f can connect to the LAN through interface ge-0/0/20.0.
774
Verification
Related Topics
Configuring 802.1X Authentication (CLI Procedure) on page 866 Configuring 802.1X Authentication (J-Web Procedure) on page 868
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch and a RADIUS Server
If a device is not 802.1X-enabled, it is known as a nonresponsive host. To permit nonresponsive hosts access to the LAN, you can configure MAC RADIUS authentication on the switch interfaces to which the nonresponsive hosts are connected. This example describes how to configure MAC RADIUS authentication for two nonresponsive hosts:
Requirements on page 775 Overview and Topology on page 775 Configuration on page 777 Verification on page 778
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.3 or later for EX-series switches. One EX 4200 switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated. One RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.
Configured basic access between the EX-series switch and the RADIUS server. See Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756. Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407. Performed basic 802.1X configuration. See Configuring 802.1X Authentication (CLI Procedure) on page 866.
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch and a RADIUS Server
775
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
hosts are connected. When the MAC address of the nonresponsive host appears on the interface, the switch consults the RADIUS server to check whether it is a permitted MAC address. If the MAC address of the nonresponsive host is configured as permitted on the RADIUS server, the switch opens LAN access to the nonresponsive host. MAC RADIUS authentication can be one of several 802.1X authentication methods used on a single interface configured for multiple supplicants. However, you can configure the switch to immediately identify that the interface is only connected to a nonresponsive host and eliminate other authentication possibilities when they are not necessary for LAN security. Figure 55 on page 776 shows the two printers connected to the switch.
Figure 55: Topology for MAC RADIUS Authentication Configuration
Table 100 on page 777 shows the components in the example for MAC RADIUS authentication.
776
Switch hardware
EX 4200 24T, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
default ge-0/0/19, MAC address 00040ffdacfe ge-0/0/20, MAC address 0004aecd235f
RADIUS server
The printer with the MAC address 00040ffdacfe is connected to access interface ge-0/0/19. A second printer with the MAC address 0004aecd235f is connected to access interface ge-0/0/20. In this example, both interfaces are configured for MAC RADIUS authentication on the switch, and the MAC addresses (without colons) of both printers are configured on the RADIUS server. Interface ge-0/0/20 is configured to eliminate the normal 90-second delay it takes the switch to determine whether the connected device is a nonresponsive host; MAC RADIUS authentication is the only 802.1X authentication needed on this interface.
Configuration
To configure MAC RADIUS authentication on the switch, perform these tasks:
CLI Quick Configuration
To quickly configure MAC RADIUS authentication, copy the following commands and paste them into the switch terminal window:
[edit] set protocols dot1x authenticator interface ge-0/0/19 mac-radius set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict
NOTE: You must also configure the two MAC addresses as usernames and passwords on the RADIUS server, as in done in step 2 of the Step-by-Step Procedure.
Step-by-Step Procedure
Configure MAC RADIUS authentication on the switch and on the RADIUS server:
1.
On the switch, configure the interfaces to which the printers are attached for MAC RADIUS authentication, and configure interface ge-0/0/20, so that only MAC RADIUS authentication is used:
[edit] user@switch# set protocols dot1x authenticator interface ge-0/0/19 mac-radius user@switch# set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict
2.
On the RADIUS server, configure the MAC addresses 00040ffdacfe and 0004aecd235f as usernames and passwords:
Configuration
777
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
[root@freeradius]# edit /etc/raddb vi users 00040ffdacfe Auth-type:=Local, User-Password = "00040ffdacfe" 0004aecd235f Auth-type:=Local, User-Password = "0004aecd235f"
Results
Verification
Verify that the supplicants are authenticated:
After supplicants are configured for MAC RADIUS authentication on the switch and on the RADIUS server, verify that they are authenticated and display the method of authentication: Display information about 802.1X-configured interfaces ge-0/0/19 and ge-0/0/20:
user@switch> show dot1x interface ge-0/0/19.0 detail ge-0/0/19.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Enabled Mac Radius Strict: Disabled Reauthentication: Enabled Reauthentication interval: 40 seconds
Action
778
Verification
Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 1 Guest VLAN member: <not configured> Number of connected supplicants: 1 Supplicant: 00040ffdacfe, 00:04:0f:fd:ac:fe Operational state: Authenticated Authentication method: MAC Radius Authenticated VLAN: v200 Reauthentication due in 17 seconds user@switch> show dot1x interface ge-0/0/20.0 detail ge-0/0/19.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Enabled Mac Radius Strict: Disabled Reauthentication: Enabled Reauthentication interval: 40 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 1 Guest VLAN member: <not configured> Number of connected supplicants: 1 Supplicant: 0004aecd235f, 00:04:ae:cd:23:5f Operational state: Authenticated Authentication method: MAC Radius Authenticated VLAN: v200 Reauthentication due in 23 seconds
Meaning
The sample output from the show dot1x interface detail command displays the MAC address of the connected supplicant in the Supplicant field. On interface ge-0/0/19, the MAC address is 00:04:0f:fd:ac:fe, which is the MAC address of the first printer configured for MAC RADIUS authentication. The Authentication method field displays the authentication method as MAC Radius. On interface ge-0/0/20, the MAC address is 00:04:ae:cd:23:5f, which is the MAC address of the second printer configured for MAC RADIUS authentication. The Authentication method field displays the authentication method as MAC Radius.
Related Topics
Configuring MAC RADIUS Authentication (CLI Procedure) on page 871 Configuring 802.1X Authentication (CLI Procedure) on page 866 Configuring 802.1X Authentication (J-Web Procedure) on page 868
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch
802.1x Port-Based Network Access Control (PNAC) authentication on EX-series switches provides three types of authentication to meet the access needs of your enterprise LAN:
Authenticate the first host (supplicant) on an authenticator port, and allow all others also connecting to have access.
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch
779
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Authenticate only one supplicant on an authenticator port at one time. Authenticate multiple supplicants on an authenticator port. Multiple supplicant mode is used in VoIP configurations.
This example configures an EX-series 4200 switch to use IEEE 802.1X to authenticate supplicants that use three different administrative modes:
Requirements on page 780 Overview and Topology on page 780 Configuration of 802.1X to Support Multiple Supplicant Modes on page 782 Verification on page 783
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.0 or later for EX-series switches One EX-series 4200 switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated. One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.
Before you configure the ports for 802.1X authentciation, be sure you have:
Installed your EX-series switch. See Installing and Connecting an EX 3200 or EX 4200 Switch. Performed the initial switch configuration. See Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60. Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407. Configured users on the authentication server.
780
Requirements
781
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Switch hardware
EX-series 4200 access switch, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
ge-0/0/8, ge-0/0/9, and ge-0/0/11
Connections to Avaya phoneswith integrated hub, to connect phone and desktop PC to a single port; (requires PoE)
To configure the administrative modes to support supplicants in different areas of the Enterprise network:
Configure access port ge-0/0/8 for single supplicant mode authentication. Configure access port ge-0/0/9 for single secure supplicant mode authentication. Configure access port ge-0/0/11 for multiple supplicant mode authentication.
Single supplicant mode authenticates only the first supplicant that connects to an authenticator port. All other supplicants connecting to the authenticator port after the first supplicant has connected successfully, whether they are 802.1X-enabled or not, are permitted free access to the port without further authentication. If the first authenticated supplicant logs out, all other supplicants are locked out until a supplicant authenticates. Single-secure supplicant mode authenticates only one supplicant to connect to an authenticator port. No other supplicant can connect to the authenticator port until the first supplicant logs out. Multiple supplicant mode authenticates multiple supplicants individually on one authenticator port. If you configure a maximum number of devices that can be connected to a port through port security, the lesser of the configured values is used to determine the maximum number of supplicants allowed per port.
To quickly configure the ports with different 802.1X authentication modes, copy the following commands and paste them into the switch terminal window:
[edit] set protocols dot1x authenticator interface ge-0/0/8 supplicant single set protocols dot1x authenticator interface ge-0/0/9 supplicant single-secure set protocols dot1x authenticator interface ge-0/0/11 supplicant multiple
Step-by-Step Procedure
782
[edit protocols] user@switch# set dot1x authenticator interface ge-0/0/8 supplicant single
2.
3.
Results
Verification
To confirm that the configuration is working properly, perform these tasks:
Verify the 802.1X configuration on interfaces ge-0/0/8, ge-0/0/9, and ge-0/0/5. Verify the 802.1X configuration with the operational mode command show dot1x interface:
Action
Verification
783
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@switch> show dot1x interface ge-0/0/8.0 detail ge-0/0/8.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Reauthentication: Enabled Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Supplicant: user100, 00:00:00:00:22:22 Operational state: Authenticated Reauthentication due in 506 seconds user@switch> show dot1x interface ge-0/0/9.0 detail ge-0/0/9.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Secure Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Reauthentication: Enabled Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Supplicant timeout: 30 seconds Supplicant: user101, 00:13:00:00:28:22 Operational state: Authenticated Reauthentication due in 917 seconds user@switch> show dot1x interface ge-0/0/11.0 detail ge-0/0/11.0 Role: Authenticator Administrative state: Auto Supplicant mode: Multiple Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Reauthentication: Enabled Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Supplicant: user102, 00:10:12:e0:28:22 Operational state: Authenticated Reauthentication due in 1788 seconds
Meaning
The Supplicant mode output field displays the configured administrative mode for each interface. Interface ge-0/0/8.0 displays Single supplicant mode. Interface ge-0/0/9.0 displays Single Secure supplicant mode. Interface ge-0/0/11.0 displays Multiple supplicant mode.
Related Topics
Understanding 802.1X Authentication on EX-series Switches on page 719 Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 766 Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874 Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on page 875
784
Requirements on page 785 Overview and Topology on page 786 Configuration on page 788 Verification on page 790
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.1 or later for EX-series switches One EX 4200 switch acting as an authenticator port access entity (PAE). The interfaces on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated. An Avaya 9620 IP telephone that supports LLDP-MED and 802.1X
Installed your EX-series switch. See Installing and Connecting an EX 3200 or EX 4200 Switch. Performed the initial switch configuration. See Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60. Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407. Configured the RADIUS server for 802.1X authentication and set up the access profile. See Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756. Configured interface ge-0/0/2 for Power over Ethernet (PoE). For information about configuring PoE, see Configuring PoE (CLI Procedure) on page 1241.
NOTE: The PoE configuration is not necessary if the VoIP supplicant is using a power adapter.
785
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
786
In this example, you configure VoIP parameters and specify the forwarding class assured-forward for voice traffic to provide the highest quality of service. Table 103 on page 787 describes the components used in this VoIP configuration example.
Table 103: Components of the VoIP Configuration Topology
Property Settings
787
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Connection to Avaya phonewith integrated hub, to connect phone and desktop PC to a single interface (requires PoE) One RADIUS server
802.1X authentication. Authentication is set to multiple supplicant to support more than one supplicant's access to the LAN through interface ge-0/0/2. LLDP-MED protocol information. The switch uses LLDP-MED to forward VoIP parameters to the phone. Using LLDP-MED ensures that voice traffic gets tagged and prioritized with the correct values at the source itself. For example, 802.1p class of service and 802.1Q tag information can be sent to the IP telephone.
Configuration
To configure VoIP, LLDP-MED, and 802.1X authentication:
CLI Quick Configuration
To quickly configure VoIP, LLDP-MED, and 802.1X, copy the following commands and paste them into the switch terminal window:
[edit] set vlans data-vlan vlan-id 77 set vlans voice-vlan vlan-id 99 set vlans data-vlan interface ge-0/0/2.0 set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access set ethernet-switching-options voip interface ge-0/0/2.0 vlan voice-vlan set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding set protocols lldp-med interface ge-0/0/2.0 set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple
788
Configuration
Step-by-Step Procedure
2.
3.
Configure the interface as an access interface, configure support for Ethernet switching, and add the data-vlan VLAN:
[edit interfaces] user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access
4.
Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable class of service:
[edit ethernetswitchingoptions] user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding
5.
6.
To authenticate an IP phone and a PC connected to the IP phone on the interface, configure 802.1X authentication support and specify multiple supplicant mode:
NOTE: If you do not want to authenticate any device, skip the 802.1X configuration on this interface.
[edit protocols] user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple
Results
Configuration
789
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
family ethernet-switching { port-mode access; vlan { members data-vlan; } } } } } protocols { lldp-med { interface ge-0/0/2.0; } dot1x { authenticator { interface { ge-0/0/2.0 { supplicant multiple; } } } } } vlans { data-vlan { vlan-id 77; interface { ge-0/0/2.0; } } voice-vlan { vlan-id 99; } } ethernet-switching options { voip { interface ge-0/0/2.0 { vlan voice-vlan; forwarding-class assured-forwarding; } } }
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying LLDP-MED Configuration on page 790 Verifying 802.1X Authentication for IP Phone and Desktop PC on page 791 Verifying the VLAN Association with the Interface on page 792
790
Verification
Action
user@switch> show lldp detail LLDP : Enabled Advertisement interval : 30 Second(s) Transmit delay : 2 Second(s) Hold timer : 2 Second(s) Config Trap Interval : 300 Second(s) Connection Hold timer : 60 Second(s) LLDP MED MED fast start count : Enabled : 3 Packet(s)
Interface all ge-0/0/2.0 Interface ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/8.0 ge-0/0/10.0 ge-0/0/11.0 ge-0/0/11.0 ge-0/0/23.0
LLDP-MED Enabled
Neighbor count 0 0
VLAN-name default employee-vlan data-vlan voice-vlan employee-vlan employee-vlan default employee-vlan __juniper-vlan_internal__ default
LLDP basic TLVs supported: Chassis identifier, Port identifier, Port description, System name, System description, System capabilities, Management address. LLDP 802 TLVs supported: Power via MDI, Link aggregation, Maximum frame size, Port VLAN tag, Port VLAN name. LLDP MED TLVs supported: LLDP MED capabilities, Network policy, Endpoint location, Extended power Via MDI.
Meaning
The show lldp detail output shows that both LLDP and LLDP-MED are configured on the ge-0/0/2.0 interface. The end of the output shows the list of supported LLDP basic TLVs, 802.3 TLVs, and LLDP-MED TLVs that are supported.
Display the 802.1X configuration to confirm that the VoIP interface has access to the LAN.
user@switch> show dot1x interface ge/0/0/2.0 detail ge-0/0/2.0 Role: Authenticator Administrative state: Auto Supplicant mode: Multiple Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds
Action
791
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Reauthentication: Enabled Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 2 Number of connected supplicants: 1 Supplicant: abc, 00:00:00:00:22:22 Operational state: Authenticated Reauthentication due in 3588 seconds
Meaning
The field Role shows that the ge-0/0/2.0 interface is in the authenticator state. The Supplicant field shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be authenticated on this interface. The MAC addresses of the supplicants currently connected are displayed at the bottom of the output.
Action
Meaning
The field VLAN members shows that the ge-0/0/2.0 interface supports both the data-vlan VLAN and voice-vlan VLAN. The State field shows that the interface is up.
Related Topics
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Defining CoS Forwarding Classes (CLI Procedure) on page 1178 Defining CoS Forwarding Classes (J-Web Procedure) on page 1179 Configuring LLDP-MED (CLI Procedure) on page 882
792
networks. VoIP transmits voice calls using a network connection instead of an analog phone line. To configure VoIP on an EX-series switch to support an IP phone that does not support 802.1X authentication, you must add the MAC address of the phone as a static entry in the authenticator database. This example describes how to configure VoIP on an EX-series switch without 802.1X authentication:
Requirements on page 793 Overview on page 793 Configuration on page 794 Verification on page 796
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.1 or later for EX-series switches An IP telephone without 802.1X authentication
Installed your EX-series switch. See Installing and Connecting an EX 3200 or EX 4200 Switch. Performed the initial switch configuration. See Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60. Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407. Configured the RADIUS server for 802.1X authentication and set up the access profile. See Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756. Configured interface ge-0/0/2 for Power over Ethernet (PoE). For information about configuring PoE, see Configuring PoE (CLI Procedure) on page 1241.
NOTE: The PoE configuration is not necessary if the VoIP supplicant is using a power adapter.
Overview
Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has all the hardware and software needed to handle VoIP. You also can power an IP telephone by connecting it to one of the Power over Ethernet (PoE) interfaces on the switch.
Requirements
793
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
In this example, the access interface ge-0/0/2 on the EX 4200 switch is connected to a non-802.1X IP phone. To configure VoIP on an EX-series switch to support an IP phone that does not support 802.1X authentication, add the MAC address of the phone as a static entry in the authenticator database and set the supplicant mode to multiple.
Configuration
To configure VoIP without 802.1X authentication:
CLI Quick Configuration
To quickly configure VoIP, copy the following commands and paste them into the switch terminal window:
[edit] set vlans data-vlan vlan-id 77 set vlans voice-vlan vlan-id 99 set vlans data-vlan interface ge-0/0/2.0 set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access set ethernetswitchingoptions voip interface ge-0/0/2.0 vlan voice-vlan set ethernetswitchingoptions voip interface ge-0/0/2.0 forwarding-class assured-forwarding set protocols lldpmed interface ge-0/0/2.0 set protocols dot1x authenticator authentication-profile-name auth-profile set protocols dot1x authenticator static 00:04:f2:11:aa:a7 set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple
Step-by-Step Procedure
2.
3.
Configure the interface as an access interface, configure support for Ethernet switching, and add the data-vlan VLAN:
[edit interfaces] user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access
4.
Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable class of service:
[edit ethernetswitchingoptions] user@switch# set voip interface ge-0/0/2.0
vlan
voice-vlan
794
Configuration
5.
6.
Set the authentication profile (see Configuring 802.1X Authentication (CLI Procedure) on page 866 and Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874):
[edit protocols] set dot1x authenticator authentication-profile-name auth-profile
7.
8.
Results
Configuration
795
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
ge-0/0/2.0 { supplicant multiple; } } } } vlans { data-vlan { vlan-id 77; interface { ge-0/0/2.0; } } voice-vlan { vlan-id 99; } } ethernet-switching options { voip { interface ge-0/0/2.0 { vlan voice-vlan; forwarding-class assured-forwarding; } } }
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying LLDP-MED Configuration on page 796 Verifying Authentication for the Desktop PC on page 797 Verifying the VLAN Association with the Interface on page 798
Action
LLDP Enabled -
LLDP-MED Enabled
Neighbor count 0 0
796
Verification
Interface ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/8.0 ge-0/0/10.0 ge-0/0/11.0 ge-0/0/11.0 ge-0/0/23.0
VLAN-id 0 0 0 99 0 0 0 20 0 0
VLAN-name default employee-vlan data-vlan voice-vlan employee-vlan employee-vlan default employee-vlan __juniper-vlan_internal__ default
LLDP basic TLVs supported: Chassis identifier, Port identifier, Port description, System name, System description, System capabilities, Management address. LLDP 802 TLVs supported: Power via MDI, Link aggregation, Maximum frame size, Port VLAN tag, Port VLAN name. LLDP MED TLVs supported: LLDP MED capabilities, Network policy, Endpoint location, Extended power Via MDI.
Meaning
The show lldp detail output shows that both LLDP and LLDP-MED are configured on the ge-0/0/2.0 interface. The end of the output shows the list of supported LLDP basic TLVs, 802.3 TLVs, and LLDP-MED TLVs that are supported.
Display the 802.1X configuration for the desktop PC connected to the VoIP interface through the IP phone.
user@switch> show dot1x interface ge/0/0/2.0 detail ge-0/0/2.0 Role: Authenticator Administrative state: Auto Supplicant mode: Multiple Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Reauthentication: Enabled Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 2 Number of connected supplicants: 1 Supplicant: abc, 00:00:00:00:22:22 Operational state: Authenticated Reauthentication due in 3588 seconds
Action
Meaning
The field Role shows that the ge-0/0/2.0 interface is in the authenticator state. The Supplicant field shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be authenticated on this interface. The MAC addresses of the supplicants currently connected are displayed at the bottom of the output.
797
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Action
Meaning
The field VLAN members shows that the ge-0/0/2.0 interface supports both the data-vlan VLAN and voice-vlan VLAN. The State field shows that the interface is up.
Related Topics
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Example: Configuring VoIP on an EX-series Switch Without Including LLDP-MED Support on page 798 Understanding 802.1X and VoIP on EX-series Switches on page 732 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
NOTE: Because this configuration without LLDP-MED requires you to set the port mode to trunk, 802.1X authentication cannot be enabled. This example describes how to configure VoIP on an EX-series switch without LLDP-MED and without 802.1X:
798
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.1 or later for EX-series switches. One EX 4200 switch acting as an authenticator port access entity (PAE). The interfaces on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated. A non-LLDP-MED IP phone.
Installed your EX-series switch. See Installing and Connecting an EX 3200 or EX 4200 Switch. Performed the initial switch configuration. See Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60. Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 407. Configured the IP phone as a member of the voice VLAN. Configured interface ge-0/0/2 for Power over Ethernet (PoE). See Configuring PoE (CLI Procedure) on page 1241.
NOTE: The PoE configuration is not necessary if the VoIP supplicant is using a power adapter.
Overview
Instead of using a regular telephone, you connect an IP telephone directly to the switch. An IP phone has all the hardware and software needed to handle VoIP. You also can power an IP telephone by connecting it to one of the Power over Ethernet (PoE) interfaces on the switch. To configure VoIP on an EX-series switch to support an IP phone that does not support LLDP-MED, set the mode of the port (to which you want to connect the IP phone) to trunk, add the port as a member of the voice VLAN, and configure the data VLAN as the native VLAN on the EX-series switch. This configuration ensures that the voice traffic and data traffic do not affect each other. In this example, the trunk interface ge-0/0/2 on the EX 4200 switch is connected to a non-LLDP-MED IP phone.
Requirements
799
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configuration
To configure VoIP without LLDP-MED or 802.1X authentication:
CLI Quick Configuration
To quickly configure VoIP, copy the following commands and paste them into the switch terminal window:
[edit] set vlans data-vlan vlan-id 77 set vlans voice-vlan vlan-id 99 set vlans data-vlan interface ge-0/0/2.0 set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members voice-vlan set interfaces ge-0/0/2 unit 0 family ethernet-switching native-vlan-id data-vlan
Step-by-Step Procedure
Configure VoIP:
1.
2.
3.
4.
5.
Results
800
Configuration
vlan { members voice-vlan; } native-vlan-id data-vlan; } } } } vlans { data-vlan { vlan-id 77; interface { ge-0/0/2.0; } } voice-vlan { vlan-id 99; } }
Verification
To confirm that the configuration is working properly, perform the following task:
Action
Meaning
The field VLAN members shows that the ge-0/0/2.0 interface supports both the data-vlan VLAN and voice-vlan VLAN. The State field shows that the interface is up.
Related Topics
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Example: Configuring VoIP on an EX-series Switch Without Including 802.1X Authentication on page 792
Verification
801
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Understanding 802.1X and VoIP on EX-series Switches on page 732 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using RADIUS Server Attributes on an EX-series Switch
You can use RADIUS server attributes and a port-based firewall filter to centrally apply terms to multiple supplicants connected to an EX-series switch in your enterprise. Terms are applied following a supplicants successful authentication through 802.1X. EX-series switches support port-based firewall filters. Port firewall filters are configured on a single EX-series switch, but in order for them to operate throughout an enterprise, they have to be configured on multiple switches. To reduce the need to configure the same port firewall filter on multiple switches, you can instead apply the filter centrally on the RADIUS server using RADIUS server attributes. The following example uses FreeRADIUS to apply a port firewall filter on a RADIUS server. For specifics on configuring your server, consult the AAA documentation that was included with your server. This example describes how to configure a port firewall filter with terms, create counters to count packets for the supplicants, apply the filter to user profiles on the RADIUS server, and display the counters to verify the configuration:
Requirements on page 802 Overview and Topology on page 803 Configuring the Port Firewall Filter and Counters on page 805 Applying the Port Firewall Filter to the Supplicant User Profiles on the RADIUS Server on page 806 Verification on page 807
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.3 or later for EX-series switches One EX 4200 switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated. One RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.
Before you connect the server to the switch, be sure you have:
Set up a connection between the switch and the RADIUS server. See Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756.
802
Switch
Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using RADIUS Server Attributes on an EX-series
Configured 802.1X authentication on the switch, with the authentication mode for interface ge-0/0/2 set to multiple. See Configuring 802.1X Authentication (CLI Procedure) on page 866 and Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779. Configured users on the RADIUS authentication server (in this example, the user profiles for Supplicant 1 and Supplicant 2 in the topology are modified on the RADIUS server).
803
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Figure 58: Topology for Firewall Filter and RADIUS Server Attributes Configuration
EX 4200 access switch, 24 Gigabit Ethernet ports, 8 PoE ports. Backend database with an address of 10.0.0.100 connected to the switch at port ge-0/0/10.
Supplicant 1 has MAC address 00:50:8b:6f:60:3a. Supplicant 2 has MAC address 00:50:8b:6f:60:3b.
804
Table 104: Components of the Firewall Filter and RADIUS Server Attributes Topology (continued)
Port firewall filter to be applied on the RADIUS server Counters
filter1
Supplicant 1 has the user profile supplicant1. Supplicant 2 has the user profile supplicant2.
In this example, you configure a port firewall filter named filter1. The filter contains terms that will be applied to the supplicants based on the MAC addresses of the supplicants. When you configure the filter, you also configure the counters called counter1 and counter2. Packets from each supplicant will be counted, helping you verify that the configuration is working. Then, you check to see that the RADIUS server attribute is available on the RADIUS server and apply the filter to the user profiles of each supplicant on the RADIUS server. Finally, you verify the configuration by displaying output for the two counters.
NOTE: For more information about authentication, authorization, and accounting (AAA) services, see the JUNOS Software System Basics Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos93/index.html.
To quickly configure a port firewall filter with terms for Supplicant 1 and Supplicant 2 and create parallel counters for each supplicant, copy the following commands and paste them into the switch terminal window:
[edit] set firewall family ethernet-switching filter filter1 term supplicant1 from source-mac-address 00:50:8b:6f:60:3a set firewall family ethernet-switching filter filter1 term supplicant2 from source-mac-address 00:50:8b:6f:60:3b set firewall family ethernet-switching filter filter1 term supplicant1 then count counter1 set firewall family ethernet-switching filter filter1 term supplicant2 then count counter2
Step-by-Step Procedure
Configure a port firewall filter (here, filter1) with terms for each supplicant based upon the MAC address of each supplicant:
[edit firewall family ethernet-switching] user@switch# set filter filter1 term supplicant1 from source-mac-address 00:50:8b:6f:60:3a
805
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
2.
Create two counters that will count packets for each supplicant:
[edit firewall family ethernet-switching] user@switch# set filter filter1 term supplicant1 then count counter1 user@switch# set filter filter1 term supplicant2 then count counter2
Results
Applying the Port Firewall Filter to the Supplicant User Profiles on the RADIUS Server
Verify that the RADIUS server attribute needed to apply a filter on the RADIUS server is on the server and apply the port firewall filter to each supplicants user profile on the RADIUS server:
Step-by-Step Procedure
To verify that the RADIUS server attribute Filter-ID is on the RADIUS server and to apply the filter to the user profiles:
1.
Display the dictionary dictionary.rfc2865 on the RADIUS server, and verify that the attribute Filter-ID is in the dictionary:
[root@freeradius]# cd usr/share/freeradius/dictionary.rfc2865
806
Applying the Port Firewall Filter to the Supplicant User Profiles on the RADIUS Server
2.
3.
Display the local user profiles of the supplicants to which you want to apply the filter (here, the user profiles are called supplicant1 and supplicant2):
[root@freeradius]# cd cat/usr/local/etc/raddb/users
4.
Apply the filter to both user profiles by adding the line Filter-Id = filter1 to each profile, and then close the file:
[root@freeradius]# cd cat/usr/local/etc/raddb/users
After you paste the line into the files, the files look like this:
supplicant1 Auth-Type := EAP, User-Password == "supplicant1" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "1005", Filter-Id = "filter1" supplicant2 Auth-Type := EAP, User-Password == "supplicant2" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "1005", Filter-Id = "filter1"
Verification
Verify that the filter has been applied to the supplicants:
Verifying That the Filter Has Been Applied to the Supplicants on page 807
After supplicants are authenticated, verify that the filter configured on the switch and added to each supplicants user profile on the RADIUS server has been applied:
Verification
807
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Action
Bytes 128 64
Packets 2 1
Meaning
The output of the command show firewall filter filter1 displays counter1 and counter2. Packets from Supplicant 1 are counted using counter1, and packets from Supplicant 2 are counted using counter2. The output from the command displays packets incrementing for both counters. The filter has been applied to both supplicants.
Related Topics
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874 Understanding 802.1X Authentication on EX-series Switches on page 719 Understanding 802.1X and VSAs on EX-series Switches on page 734
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch
You can configure DHCP snooping, dynamic ARP inspection (DAI), MAC limiting, and MAC move limiting on the access ports of EX-series switches to protect the switch and the Ethernet LAN against address spoofing and Layer 2 denial-of-service (DoS) attacks. You can also configure a trusted DHCP server and specific (allowed) MAC addresses for the switch interfaces. This example describes how to configure basic port security featuresDHCP snooping, DAI, MAC limiting, and MAC move limiting, as well as a trusted DHCP server and allowed MAC addresseson a switch. The DHCP server and its clients are all members of a single VLAN on the switch.
Requirements on page 808 Overview and Topology on page 809 Configuration on page 810 Verification on page 812
Requirements
This example uses the following hardware and software components:
808
Switch
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series
JUNOS Release 9.0 or later for EX-series switches A DHCP server to provide IP addresses to network devices on the switch
Before you configure DHCP snooping, DAI, and MAC limiting port security features, be sure you have:
Connected the DHCP server to the switch. Configured the VLAN employee-vlan on the switch. See Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414.
809
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The components of the topology for this example are shown in Table 105 on page 838.
Table 105: Components of the Port Security Topology
Properties Settings
In this example, the switch is initially configured with the default port security setup. In the default configuration on the switch:
Secure port access is activated on the switch. A dynamic limit on the maximum number of MAC addresses to be learned per port by the switch is already set in the default configuration. The default limit is 5. The switch does not drop any packets, which is the default setting. DHCP snooping and DAI are disabled on all VLANs. All access ports are untrusted and all trunk ports are trusted for DHCP snooping, which is the default setting.
In the configuration tasks for this example, you set the DHCP server first as untrusted and then as trusted; you enable DHCP snooping, DAI, and MAC move limiting on a VLAN; you modify the value for MAC limit; and you configure some specific (allowed) MAC addresses on an interface.
Configuration
To configure basic port security on a switch whose DHCP server and client ports are in a single VLAN:
CLI Quick Configuration
To quickly configure basic port security on the switch, copy the following commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port] set interface ge-0/0/1 mac-limit 4 action drop set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88 set interface ge-0/0/2 mac-limit 4 action drop set interface ge-0/0/8 dhcp-trusted
810
Configuration
set vlan employeevlan arp-inspection set vlan employee-vlan examine-dhcp set vlan employee-vlan mac-move-limit 5 action drop
Step-by-Step Procedure
2.
Specify the interface (port) from which DHCP responses are allowed:
[edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/8 dhcp-trusted
3.
4.
Configure the MAC limit of 4 and specify that packets with new addresses be dropped if the limit has been exceeded on the interfaces:
[edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/1 mac-limit 4 action drop user@switch# set interface ge-0/0/2 mac-limit 4 action drop
5.
Configure a MAC move limit of 5 and specify that packets with new addresses be dropped if the limit has been exceeded on the VLAN:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee-vlan mac-move-limit 5 action drop
6.
Results
Configuration
811
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 00:05:85:3a:82:83 00:05:85:3a:82:85 00:05:85:3a:82:88 ]; mac-limit 4 action drop; } interface ge-0/0/8.0 { dhcp-trusted; } vlan employee-vlan { arp-inspection examine-dhcp; mac-move-limit 5 action drop; }
Verification
To confirm that the configuration is working properly:
Verifying That DHCP Snooping Is Working Correctly on the Switch on page 812 Verifying That DAI Is Working Correctly on the Switch on page 813 Verifying That MAC Limiting and MAC Move Limiting Are Working Correctly on the Switch on page 813 Verifying That Allowed MAC Addresses Are Working Correctly on the Switch on page 814
Verify that DHCP snooping is working on the switch. Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Display the DHCP snooping information when the interface on which the DHCP server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IP addresses and leases:
user@switch> show dhcp snooping binding DHCP Snooping Information: MAC Address IP Address Lease -----------------------------00:05:85:3A:82:77 192.0.2.17 600 00:05:85:3A:82:79 192.0.2.18 653 00:05:85:3A:82:80 192.0.2.19 720 00:05:85:3A:82:81 192.0.2.20 932 00:05:85:3A:82:83 192.0.2.21 1230 00:05:85:27:32:88 192.0.2.22 3200
Action
Meaning
When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see preceding sample) shows, for each MAC address, the assigned IP address and lease timethat is, the time, in seconds, remaining before the lease expires.
812
Verification
If the DHCP server had been configured as untrusted, the output would look like this:
user@switch> show dhcp snooping binding DHCP Snooping Information: MAC Address IP Address Lease -------------------------- ----00:05:85:3A:82:77 0.0.0.0 00:05:85:3A:82:79 0.0.0.0 00:05:85:3A:82:80 0.0.0.0 00:05:85:3A:82:81 0.0.0.0 00:05:85:3A:82:83 0.0.0.0 00:05:85:27:32:88 0.0.0.0 -
In the preceding output sample, IP addresses and lease times are not assigned because the DHCP clients do not have a trusted server to which they can send requests. In the database, the clients' MAC addresses are shown with no assigned IP addresses (hence the 0.0.0.0 content in the IP Address column) and no leases (the lease time is shown as a dash in the Lease column).
Verify that DAI is working on the switch. Send some ARP requests from network devices connected to the switch. Display the DAI information:
user@switch> show arp inspection statistics ARP inspection statistics: Interface Packets received ARP inspection pass ARP inspection failed --------------- ---------------------------------- --------------------ge-0/0/1.0 7 5 2 ge-0/0/2.0 10 10 0 ge-0/0/3.0 12 12 0
Meaning
The sample output shows the number of ARP packets received and inspected per interface, with a listing of how many packets passed and how many failed the inspection on each interface. The switch compares the ARP requests and replies against the entries in the DHCP snooping database. If a MAC address or IP address in the ARP packet does not match a valid entry in the database, the packet is dropped.
Verifying That MAC Limiting and MAC Move Limiting Are Working Correctly on the Switch
Purpose
Verify that MAC limiting and MAC move limiting are working on the switch. Suppose that two DHCP requests have been sent from hosts on ge-0/0/1 and five DHCP requests from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 4 with the action drop. Display the MAC addresses learned:
user@switch> show ethernet-switching table
Action
813
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Ethernet-switching table: 7 entries, 6 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan * 00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:3A:82:85 Flood Learn Learn Learn Learn Learn Learn
Age 0 0 0 0 0 0
Note that one of the MAC addresses on ge-0/0/2 was not learned because the limit of 4 MAC addresses for that interface had been exceeded. Now suppose that DHCP requests have been sent from two of the hosts on ge-0/0/2 after they have been moved to other interfaces more than 5 times in 1 second, with employee-vlan set to a MAC move limit of 5 with the action drop. Display the MAC addresses in the table:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 4 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan * 00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81 * * Flood Learn Learn Learn Learn Flood Flood
Age 0 0 0 0 -
Meaning
The first sample output shows that with a MAC limit of 4 for each interface, the DHCP request for a fifth MAC address on ge-0/0/2 was dropped because it exceeded the MAC limit. The second sample output shows that DHCP requests for two of the hosts on ge-/0/0/2 were dropped when the hosts had been moved back and forth from various interfaces more than 5 times in one second.
Verifying That Allowed MAC Addresses Are Working Correctly on the Switch
Purpose
Verify that allowed MAC addresses are working on the switch. Display the MAC cache information after 5 allowed MAC addresses have been configured on interface ge/0/0/2:
user@switch> show ethernet-switching table Ethernet-switching table: 5 entries, 4 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan employee-vlan 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:3A:82:85 Learn Learn Learn Learn
Action
Age 0 0 0 0
814
Verifying That Allowed MAC Addresses Are Working Correctly on the Switch
employee-vlan
Flood
ge-0/0/2.0
Meaning
Because the MAC limit value for this interface has been set to 4, only 4 of the 5 configured allowed addresses are learned.
Related Topics
Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 840 Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 819 Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 837 Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 832 Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 815 Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 829 Configuring Port Security (CLI Procedure) on page 886 Configuring Port Security (J-Web Procedure) on page 887
Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks
In an Ethernet switching table overflow attack, an intruder sends so many requests from new MAC addresses that the Ethernet switching table fills up and then overflows, forcing the switch to broadcast all messages. This example describes how to configure MAC limiting and allowed MAC addresses, two port security features, to protect the switch from Ethernet switching table attacks:
Requirements on page 815 Overview and Topology on page 816 Configuration on page 817 Verification on page 818
Requirements
This example uses the following hardware and software components:
One EX 3200-24P switch JUNOS Release 9.0 or later for EX-series switches A DHCP server to provide IP addresses to network devices on the switch
Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks
815
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Before you configure specific port security features to mitigate common access-interface attacks, be sure you have:
Connected the DHCP server to the switch. Configured the VLAN employee-vlan on the switch. See Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414.
The components of the topology for this example are shown in Table 105 on page 838.
Table 106: Components of the Port Security Topology
Properties Settings
816
In this example, use the MAC limit feature to control the total number of MAC addresses that can be added to the Ethernet switching table for the specified interface. Use the allowed MAC addresses feature to ensure that the addresses of network devices whose network access is critical are guaranteed to be included in the Ethernet switching table. In this example, the switch has already been configured as follows:
Secure port access is activated on the switch. No MAC limit is set on any of the interfaces. All access interfaces are untrusted, which is the default setting.
Configuration
To configure MAC limiting and some allowed MAC addresses to protect the switch against Ethernet switching table overflow attacks:
CLI Quick Configuration
To quickly configure MAC limiting and some allowed MAC addresses, copy the following commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port] set interface ge-0/0/1 mac-limit 4 action drop set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
Step-by-Step Procedure
Configure a MAC limit of 4 on ge-0/0/1 and specify that incoming packets with different addresses be dropped once the limit is exceeded on the interface:
[edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/1 mac-limit 4 action drop
2.
Configuration
817
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
[edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83 user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
Results
Verification
To confirm that the configuration is working properly:
Verifying That MAC Limiting Is Working Correctly on the Switch on page 818
Verify that MAC limiting is working on the switch. Display the MAC cache information after DHCP requests have been sent from hosts on ge-0/0/1, with the interface set to a MAC limit of 4 with the action drop, and after four allowed MAC addresses have been configured on interface ge/0/0/2:
user@switch> show ethernet-switching table Ethernet-switching table: 5 entries, 4 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan 00:05:85:3A:82:71 00:05:85:3A:82:74 00:05:85:3A:82:77 00:05:85:3A:82:79 * 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:3A:82:85 * Learn Learn Learn Learn Flood Learn Learn Learn Learn Flood
Action
Age 0 0 0 0 0 0 0 0 0 -
Interfaces ge-0/0/1.0 ge-0/0/1.0 ge-0/0/1.0 ge-0/0/1.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0 ge-0/0/2.0
Meaning
The sample output shows that with a MAC limit of 4 for the interface, the DHCP request for a fifth MAC address on ge-0/0/1 was dropped because it exceeded the MAC limit and that only the specified allowed MAC addresses have been learned on the ge-0/0/2 interface.
818
Verification
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Configuring MAC Limiting (CLI Procedure) on page 899 Configuring MAC Limiting (J-Web Procedure) on page 901
Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks
In a rogue DHCP server attack, an attacker has introduced a rogue server into the network, allowing it to give IP address leases to the network's DHCP clients and to assign itself as the gateway device. This example describes how to configure a DHCP server interface as untrusted to protect the switch from a rogue DHCP server:
Requirements on page 819 Overview and Topology on page 819 Configuration on page 821 Verification on page 821
Requirements
This example uses the following hardware and software components:
One EX 3200-24P switch JUNOS Release 9.0 or later for EX-series switches A DHCP server to provide IP addresses to network devices on the switch
Before you configure an untrusted DHCP server interface to mitigate rogue DHCP server attacks, be sure you have:
Connected the DHCP server to the switch. Enabled DHCP snooping on the VLAN. Configured the VLAN employee-vlan on the switch. See Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414.
Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks
819
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The components of the topology for this example are shown in Table 105 on page 838.
Table 107: Components of the Port Security Topology
Properties Settings
Secure port access is activated on the switch. DHCP snooping is enabled on the VLAN employee-vlan. The interface (port) where the rogue DHCP server has connected to the switch is currently trusted.
820
Configuration
To configure the DHCP server interface as untrusted because the interface is being used by a rogue DHCP server:
CLI Quick Configuration
To quickly set the rogue DHCP server interface as untrusted, copy the following command and paste it into the switch terminal window:
[edit ethernet-switching-options secure-access-port] set interface ge-0/0/8 no-dhcp-trusted
Step-by-Step Procedure
To set the DHCP server interface as untrusted:Specify the interface (port) from which DHCP responses are not allowed:[edit ethernet-switching-options secure-access-port]user@switch# set interface ge-0/0/8 nodhcp-trusted
Results
Verification
To confirm that the configuration is working properly:
Verify that DHCP snooping is working on the switch. See what happens when the DHCP server is untrusted. Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Display the DHCP snooping information when the port on which the DHCP server connects to the switch is not trusted. The following output results when requests are sent from the MAC addresses but no server has provided IP addresses and leases:
user@switch> show dhcp snooping binding DHCP Snooping Information: MAC Address IP Address Lease -------------------------- ----00:05:85:3A:82:77 0.0.0.0 00:05:85:3A:82:79 0.0.0.0 00:05:85:3A:82:80 0.0.0.0 00:05:85:3A:82:81 0.0.0.0 00:05:85:3A:82:83 0.0.0.0 00:05:85:27:32:88 0.0.0.0 -
Action
VLAN Interface -----------employee-vlan ge-0/0/1.0 employee-vlan ge-0/0/1.0 employee-vlan ge-0/0/2.0 employee-vlan ge-0/0/2.0 employee-vlan ge-0/0/2.0 employee-vlan ge-0/0/2.0
Configuration
821
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Meaning
In the sample output from the database, the clients' MAC addresses are shown with no assigned IP addresses (hence the 0.0.0.0 content in the IP Address column) and no leases (the lease time is shown as a dash in the Lease column).
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Enabling a Trusted DHCP Server (CLI Procedure) on page 891 Enabling a Trusted DHCP Server (J-Web Procedure) on page 891
Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server
You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect the EX-series switch against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client. This example describes how to configure DHCP option 82 on a switch that is on the same VLAN with the DHCP clients but on a different VLAN from the DHCP server; the switch acts as a relay agent:
Requirements on page 822 Overview and Topology on page 823 Configuration on page 823
Requirements
This example uses the following hardware and software components:
One EX-series EX 4200-24P switch JUNOS Release 9.3 or later for EX-series switches A DHCP server to provide IP addresses to network devices on the switch
Before you configure DHCP option 82 on the switch, be sure you have:
NOTE: Your DHCP server must be configured to accept DHCP option 82. If it is not configured for DHCP option 82, it does not use the DHCP option 82 information in the requests sent to it when it formulates its reply messages. Configured the employee VLAN on the switch and associated the interfaces on which the clients connect to the switch with that VLAN. See Configuring VLANs for EX-series Switches (CLI Procedure) on page 467.
822
Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server
Configured the corporate VLAN for the DHCP server. Configured the switch as a BOOTP relay agent. See DHCP/BOOTP Relay for EX-series Switches Overview on page 658. Configured the routed VLAN interface (RVI) to allow the switch to relay packets to the server and receive packets from the server. See Configuring Routed VLAN Interfaces (CLI Procedure) on page 468.
The switch receives the request and inserts the option 82 information in the packet header. The switch relays the request to the DHCP server. The server uses the DHCP option 82 information to formulate its reply and sends a response back to the switch. It does not alter the option 82 information. The switch strips the option 82 information from the response packet. The switch forwards the response packet to the client.
In this example, you configure option 82 on the EX-series switch. The switch is configured as a BOOTP relay agent. The switch connects to the DHCP server through the routed VLAN interface (RVI) that you configured. The switch and clients are members of the employee VLAN. The DHCP server is a member of the corporate VLAN.
Configuration
To configure DHCP option 82:
CLI Quick Configuration
To quickly configure DHCP option 82, copy the following commands and paste them into the switch terminal window:
set forwarding-options set forwarding-options set forwarding-options set forwarding-options set forwarding-options set forwarding-options employee-switch1 set forwarding-options helpers helpers helpers helpers helpers helpers bootp bootp bootp bootp bootp bootp dhcp-option82 dhcp-option82 dhcp-option82 dhcp-option82 dhcp-option82 dhcp-option82
circuit-id prefix hostname circuit-id use-vlan-id remote-id remote-id prefix mac remote-id use-string
823
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Step-by-Step Procedure
2.
Configure a prefix for the circuit ID suboption (the prefix is always the hostname of the switch):
[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 circuit-id prefix hostname
3.
Specify that the circuit ID suboption value contains the VLAN ID rather than the VLAN name (the default):
[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 circuit-id use-vlan-id
4.
Specify that the remote ID suboption be included in the DHCP option 82 information:
[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 remote-id
5.
Configure a prefix for the remote ID suboption (here, the prefix is the MAC address of the switch):
[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 remote-id prefix mac
6.
Specify that the remote ID suboption value contains a character string (here, the string is employee-switch1):
[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 remote-id use-string employee-switch1
7.
Configure a vendor ID suboption value, and use the default value. To use the default value, do not type a character string after the vendor-id option keyword:
[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 vendor-id
Results
824
Configuration
Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server on page 825 Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 895 RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server
You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect the EX-series switch against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client. This example describes how to configure DHCP option 82 on a switch with DHCP clients, DHCP server, and switch all on the same VLAN:
Requirements on page 825 Overview and Topology on page 826 Configuration on page 827
Requirements
This example uses the following hardware and software components:
One EX-series EX 3200-24P switch JUNOS Release 9.3 or later for EX-series switches A DHCP server to provide IP addresses to network devices on the switch
Before you configure DHCP option 82 on the switch, be sure you have:
NOTE: Your DHCP server must be configured to accept DHCP option 82. If it is not configured for DHCP option 82, it does not use the DHCP option 82 information in the requests sent to it when it formulates its reply messages.
Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server
825
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configured the employee VLAN on the switch and associated the interfaces on which the clients and the server connect to the switch with that VLAN. See Configuring VLANs for EX-series Switches (CLI Procedure) on page 467.
The switch receives the request and inserts the option 82 information in the packet header. The switch forwards the request to the DHCP server. The server uses the DHCP option 82 information to formulate its reply and sends a response back to the switch. It does not alter the option 82 information. The switch strips the option 82 information from the response packet. The switch forwards the response packet to the client.
826
Figure 62: Network Topology for Configuring DHCP Option 82 on a Switch That Is on the Same VLAN as the DHCP Clients and the DHCP Server
In this example, you configure DHCP option 82 on the EX-series switch. The switch connects to the DHCP server on interface ge-0/0/8. The DHCP clients connect to the switch on interfaces ge-0/0/1, ge-0/0/2, and ge-0/0/3. The switch, server, and clients are all members of the employee VLAN.
Configuration
To configure DHCP option 82:
CLI Quick Configuration
To quickly configure DHCP option 82, copy the following commands and paste them into the switch terminal window:
set ethernet-switching-options secure-access-port set ethernet-switching-options secure-access-port circuit-id prefix hostname set ethernet-switching-options secure-access-port circuit-id use-vlan-id set ethernet-switching-options secure-access-port remote-id set ethernet-switching-options secure-access-port remote-id prefix mac set ethernet-switching-options secure-access-port remote-id use-string employee-switch1 set ethernet-switching-options secure-access-port vendor-id vlan employee dhcp-option82 vlan employee dhcp-option82 vlan employee dhcp-option82 vlan employee dhcp-option82 vlan employee dhcp-option82 vlan employee dhcp-option82 vlan employee dhcp-option82
Configuration
827
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Step-by-Step Procedure
2.
Configure a prefix for the circuit ID suboption (the prefix is always the hostname of the switch):
[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 circuit-id prefix hostname
3.
Specify that the circuit ID suboption value contains the VLAN ID rather than the VLAN name (the default):
[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 circuit-id use-vlan-id
4.
Specify that the remote ID suboption be included in the DHCP option 82 information:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id
5.
Configure a prefix for the remote ID suboption (here, the prefix is the MAC address of the switch):
[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id prefix mac
6.
Specify that the remote ID suboption value contains a character string (here, the string is employee-switch1):
[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id use-string employee-switch1
7.
Configure a vendor ID suboption value, and use the default value. To use the default value, do not type a character string after the vendor-id option keyword:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 vendor-id
Results
828
Configuration
circuit-id { prefix hostname; use-vlan-id; } remote-id { prefix mac; use-string employee-switch1; } vendor-id; } }
Related Topics
Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server on page 822 Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 892 RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks
In a DHCP starvation attack, an attacker floods an Ethernet LAN with DHCP requests from spoofed (counterfeit) MAC addresses. The switch's trusted DHCP server or servers cannot keep up with the requests and can no longer assign IP addresses and lease times to legitimate DHCP clients on the switch. Requests from those clients are either dropped or directed to a rogue DHCP server set up by the attacker. This example describes how to configure MAC limiting, a port security feature, to protect the switch against DHCP starvation attacks:
Requirements on page 829 Overview and Topology on page 830 Configuration on page 831 Verification on page 832
Requirements
This example uses the following hardware and software components:
One EX 3200-24P switch JUNOS Release 9.0 or later for EX-series switches A DHCP server to provide IP addresses to network devices on the switch
Before you configure MAC limiting, a port security feature, to mitigate DHCP starvation attacks, be sure you have:
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks
829
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configured the VLAN employee-vlan on the switch. See Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414.
The components of the topology for this example are shown in Table 105 on page 838.
Table 108: Components of the Port Security Topology
Properties Settings
830
Secure port access is activated on the switch. No MAC limit is set on any of the interfaces. DHCP snooping is disabled on the VLAN employee-vlan. All access interfaces are untrusted, which is the default setting.
Configuration
To configure the MAC limiting port security feature to protect the switch against DHCP starvation attacks:
CLI Quick Configuration
To quickly configure MAC limiting, copy the following commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port] set interface ge-0/0/1 mac-limit 3 action drop set interface ge-0/0/2 mac-limit 3 action drop
Step-by-Step Procedure
Configure a MAC limit of 3 on ge-0/0/1 and specify that packets with new addresses be dropped if the limit has been exceeded on the interface:
[edit ethernet-switching-options secure-access-port] user@switch# set interface ge0/0/1 mac-limit 3 action drop
2.
Configure a MAC limit of 3 on ge-0/0/2 and specify that packets with new addresses be dropped if the limit has been exceeded on the interface:
[edit ethernet-switching-options secure-access-port] user@switch# set interface ge-0/0/2 mac-limit 3 action drop
Results
Configuration
831
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Verification
To confirm that the configuration is working properly:
Verifying That MAC Limiting Is Working Correctly on the Switch on page 832
Verify that MAC limiting is working on the switch. Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Display the MAC addresses learned when DHCP requests are sent from hosts on ge-0/0/1 and from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 3 with the action drop:
user@switch> show ethernet-switching table Ethernet-switching table: 7 entries, 6 learned VLAN MAC address Type default default default default default default default * 00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:3A:82:85 Flood Learn Learn Learn Learn Learn Learn
Action
Age 0 0 0 0 0 0
Meaning
The sample output shows that with a MAC limit of 3 for each interface, the DHCP request for a fourth MAC address on ge-0/0/2 was dropped because it exceeded the MAC limit. Because only 3 MAC addresses can be learned on each of the two interfaces, attempted DHCP starvation attacks will fail.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Configuring MAC Limiting (CLI Procedure) on page 899 Configuring MAC Limiting (J-Web Procedure) on page 901
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks
In an ARP spoofing attack, the attacker associates its own MAC address with the IP address of a network device connected to the switch. Traffic intended for that IP address is now sent to the attacker instead of being sent to the intended destination. The attacker can send faked, or spoofed, ARP messages on the LAN.
832
Verification
This example describes how to configure DHCP snooping and dynamic ARP inspection (DAI), two port security features, to protect the switch against ARP spoofing attacks:
Requirements on page 833 Overview and Topology on page 833 Configuration on page 835 Verification on page 835
Requirements
This example uses the following hardware and software components:
One EX 3200-24P switch JUNOS Release 9.0 or later for EX-series switches A DHCP server to provide IP addresses to network devices on the switch
Before you configure DHCP snooping and DAI, two port security features, to mitigate ARP spoofing attacks, be sure you have:
Connected the DHCP server to the switch. Configured the VLAN employee-vlan on the switch.
Requirements
833
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The components of the topology for this example are shown in Table 105 on page 838.
Table 109: Components of the Port Security Topology
Properties Settings
Secure port access is activated on the switch. DHCP snooping is disabled on the VLAN employee-vlan. All access ports are untrusted, which is the default setting.
834
Configuration
To configure DHCP snooping and dynamic ARP inspection (DAI) to protect the switch against ARP attacks:
CLI Quick Configuration
To quickly configure DHCP snooping and dynamic ARP inspection (DAI), copy the following commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port] set interface ge-0/0/8 dhcp-trusted set vlan employee-vlan examine-dhcp set vlan employee-vlan arp-inspection
Step-by-Step Procedure
Configure DHCP snooping and dynamic ARP inspection (DAI) on the VLAN:
1.
2.
3.
Results
Verification
To confirm that the configuration is working properly:
Verifying That DHCP Snooping Is Working Correctly on the Switch on page 835 Verifying That DAI Is Working Correctly on the Switch on page 836
Configuration
835
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Action
Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Display the DHCP snooping information when the port on which the DHCP server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IP addresses and leases:
user@switch> show dhcp snooping binding DHCP Snooping Information: MAC Address IP Address Lease -----------------------------00:05:85:3A:82:77 192.0.2.17 600 00:05:85:3A:82:79 192.0.2.18 653 00:05:85:3A:82:80 192.0.2.19 720 00:05:85:3A:82:81 192.0.2.20 932 00:05:85:3A:82:83 192.0.2.21 1230 00:05:85:27:32:88 192.0.2.22 3200
Meaning
When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see preceding sample) shows, for each MAC address, the assigned IP address and lease timethat is, the time, in seconds, remaining before the lease expires.
Verify that DAI is working on the switch. Send some ARP requests from network devices connected to the switch. Display the DAI information:
user@switch> show arp inspection statistics ARP inspection statistics: Interface Packets received ARP inspection pass ARP inspection failed --------------- ---------------------------------- --------------------ge-0/0/1.0 7 5 2 ge-0/0/2.0 10 10 0 ge-0/0/3.0 12 12 0
Action
Meaning
The sample output shows the number of ARP packets received and inspected per interface, with a listing of how many packets passed and how many failed the inspection on each interface. The switch compares the ARP requests and replies against the entries in the DHCP snooping database. If a MAC address or IP address in the ARP packet does not match a valid entry in the database, the packet is dropped.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Enabling DHCP Snooping (CLI Procedure) on page 889 Enabling DHCP Snooping (J-Web Procedure) on page 890 Enabling Dynamic ARP Inspection (CLI Procedure) on page 898 Enabling Dynamic ARP Inspection (J-Web Procedure) on page 898
836
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks
In one type of attack on the DHCP snooping database, an intruder introduces a DHCP client on an untrusted access interface with a MAC address identical to that of a client on another untrusted interface. The intruder then acquires the DHCP lease of that other client, thus changing the entries in the DHCP snooping table. Subsequently, what would have been valid ARP requests from the legitimate client are blocked. This example describes how to configure allowed MAC addresses, a port security feature, to protect the switch from DHCP snooping database alteration attacks:
Requirements on page 837 Overview and Topology on page 837 Configuration on page 839 Verification on page 839
Requirements
This example uses the following hardware and software components:
One EX 3200-24P switch JUNOS Release 9.0 or later for EX-series switches A DHCP server to provide IP addresses to network devices on the switch
Before you configure specific port security features to mitigate common access-inteface attacks, be sure you have:
Connected the DHCP server to the switch. Configured the VLAN employee-vlan on the switch. See Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414.
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks
837
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The components of the topology for this example are shown in Table 105 on page 838.
Table 110: Components of the Port Security Topology
Properties Settings
Secure port access is activated on the switch. DHCP snooping is enabled on the VLAN employee-vlan. All access ports are untrusted, which is the default setting.
838
Configuration
To configure allowed MAC addresses to protect the switch against DHCP snooping database alteration attacks:
CLI Quick Configuration
To quickly configure some allowed MAC addresses on an interface, copy the following commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port] set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85 set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88
Step-by-Step Procedure
To configure some allowed MAC addresses on an interface:Configure the five allowed MAC addresses on an interface:[edit ethernet-switching-options secure-access-port]user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88
Results
Verification
To confirm that the configuration is working properly:
Verifying That Allowed MAC Addresses Are Working Correctly on the Switch on page 839
Verifying That Allowed MAC Addresses Are Working Correctly on the Switch
Purpose
Verify that allowed MAC addresses are working on the switch. Display the MAC cache information:
user@switch> show ethernet-switching table Ethernet-switching table: 6 entries, 5 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 Learn Learn Learn
Action
Age 0 0 0
Configuration
839
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
00:05:85:3A:82:85 00:05:85:3A:82:88 *
0 0 -
Meaning
The output shows that the five MAC addresses configured as allowed MAC addresses have been learned and are displayed in the MAC cache. The last MAC address in the list, one that had not been configured as allowed, has not been added to the list of learned addresses.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Configuring MAC Limiting (CLI Procedure) on page 899 Configuring MAC Limiting (J-Web Procedure) on page 901
Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch
You can configure DHCP snooping, dynamic ARP inspection (DAI), and MAC limiting on the access interfaces of EX-series switches to protect the switch and the Ethernet LAN against address spoofing and Layer 2 denial-of-service (DoS) attacks. To obtain those basic settings, you can use the switch's default configuration for port security, configure an action for the MAC limit, and enable DHCP snooping and DAI on a VLAN. You can configure those features when the DHCP server is connected to a different switch from the one to which the DHCP clients (network devices) are connected. This example describes how to configure port security features on an EX-series switch whose hosts obtain IP addresses and lease times from a DHCP server attached to a second switch:
Requirements on page 840 Overview and Topology on page 841 Configuring a VLAN, Interfaces, and Port Security Features on Switch 1 on page 843 Configuring a VLAN and Interfaces on Switch 2 on page 845 Verification on page 846
Requirements
This example uses the following hardware and software components:
One EX 3200-24P switchSwitch 1 in this example. An additional EX-series switchSwitch 2 in this example. You will not configure port security on this switch. JUNOS Release 9.0 or later for EX-series switches.
840
Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch
A DHCP server connected to Switch 2. You will use the server to provide IP addresses to network devices connected to Switch 1. At least two network devices (hosts) that you will connect to access interfaces on Switch 1. These devices will be DHCP clients.
Before you configure DHCP snooping, DAI, and MAC limiting port security features, be sure you have:
Connected the DHCP server to Switch 2. Configured the VLAN employee-vlan on the switch. See Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414.
DHCP snooping to validate DHCP server messages DAI to protect against ARP spoofing MAC limiting to constrain the number of MAC addresses the switch adds to its MAC address cache
This example shows how to configure these port security features on an EX 3200 switch, which is Switch 1 in this example. (You could also use an EX 4200 switch for this example.) Switch 1 is attached to a switch that is not configured with port security features. That second switch (Switch 2) is connected to a DHCP server. (See Figure 66 on page 842. ) Network devices (hosts) that are connected to Switch 1 will send requests for IP addresses (that is, the devices will be DHCP clients). Those requests will be transmitted from Switch 1 to Switch 2 and then to the DHCP server connected to Switch 2. Responses to the requests will be transmitted along the reverse path from the one followed by the requests. The setup for this example includes the VLAN employee-vlan on both switches. Figure 66 on page 842 shows the network topology for the example.
841
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Figure 66: Network Topology for Port Security Setup with Two Switches on Same VLAN
The components of the topology for this example are shown in Table 111 on page 842.
Table 111: Components of Port Security Setup on Switch 1 with a DHCP Server Connected to Switch 2
Properties Settings
Switch hardware
Trunk interface on both switches Access interfaces on Switch 1 Access interface on Switch 2 Interface for DHCP server
Switch 1 is initially configured with the default port security setup. In the default configuration on the switch:
Secure port access is activated on the switch. The switch does not drop any packets, which is the default setting.
842
A dynamic limit on the maximum number of MAC addresses to be learned per port by the switch is already set in the default configuration. The default limit is 5. DHCP snooping and dynamic ARP inspection (DAI) are disabled on all VLANs. All access interfaces are untrusted and trunk interfaces are trusted; these are the default settings.
In the configuration tasks for this example, you configure a VLAN on both switches. In addition to configuring the VLAN, you enable DHCP snooping on Switch 1. In this example, you'll also enable DAI and a MAC limit of 5 on Switch 1. Because the interface that connects Switch 2 to Switch 1 is a trunk interface, you do not have to configure this interface to be trusted. As noted above, trunk interfaces are automatically trusted, so DHCP messages coming from the DHCP server to Switch 2 and then on to Switch 1 are trusted.
To quickly configure a VLAN, interfaces, and port security features, copy the following commands and paste them into the switch terminal window:
[edit] set ethernet-switching-options secure-access-port interface ge-0/0/1 maclimit 5 action drop set ethernet-switching-options secure-access-port vlan employee-vlan arpinspection set ethernet-switching-options secure-access-port vlan employee-vlan examinedhcp set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 20 set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 20 set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members 20 set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members 20 set vlans employeevlan vlan-id 20
Step-by-Step Procedure
To configure MAC limiting, a VLAN, and interfaces on Switch 1 and enable DAI and DHCP on the VLAN :
1.
2.
3.
Associate the VLAN with interfaces ge-0/0/1, ge-0/0/2, ge-0/0/3, and ge-0/0/11:
[edit interfaces]
843
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
set ge-0/0/1 unit 0 family ethernet-switching vlan members set ge-0/0/2 unit 0 family ethernet-switching vlan members set ge-0/0/3 unit 0 family ethernet-switching vlan members set ge-0/0/11 unit 0 family ethernet-switching vlan members
4.
5.
6.
Configure a MAC limit of 5 on ge-0/0/1 and specify that the address be dropped if the limit has been exceeded:
[edit ethernet-switching-options secure-access-port] user@switch1# set interface ge-0/0/1 mac-limit 5 action drop
Results
844
vlan { members 20; } } } } ge-0/0/3 { unit 0 { family ethernet-switching { vlan { members 20; } } } } ge-0/0/11 { unit 0 { family ethernet-switching { port-mode trunk; vlan { members 20; } } } } } vlans { employee-vlan { vlan-id 20; } }
To quickly configure the VLAN and interfaces on Switch 2, copy the following commands and paste them into the switch terminal window:
[edit] set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk set vlans employee-vlan vlan-id 20
Step-by-Step Procedure
2.
845
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
[edit interfaces] user@switch2# set ge-0/0/1 unit 0 family ethernet-switching vlan members 20 user@switch2# set ge-0/0/11 unit 0 family ethernet-switching vlan members 20
Results
Verification
To confirm that the configuration is working properly:
Verifying That DHCP Snooping Is Working Correctly on Switch 1 on page 846 Verifying That DAI Is Working Correctly on Switch 1 on page 847 Verifying That MAC Limiting Is Working Correctly on Switch 1 on page 847
846
Verification
Action
Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Display the DHCP snooping information when the interface through which Switch 2 sends the DHCP server replies to clients connected to Switch 1 is trusted. The server has provided the IP addresses and leases:
user@switch1> show dhcp snooping binding DHCP Snooping Information: MAC Address IP Address Lease -----------------------------00:05:85:3A:82:77 192.0.2.17 600 00:05:85:3A:82:79 192.0.2.18 653 00:05:85:3A:82:80 192.0.2.19 720 00:05:85:3A:82:81 192.0.2.20 932 00:05:85:3A:82:83 192.0.2.21 1230 00:05:85:3A:82:90 192.0.2.20 932 00:05:85:3A:82:91 192.0.2.21 1230
Meaning
The output shows, for each MAC address, the assigned IP address and lease timethat is, the time, in seconds, remaining before the lease expires.
Verify that DAI is working on Switch 1. Send some ARP requests from network devices connected to the switch. Display the DAI information:
user@switch1> show arp inspection statistics ARP inspection statistics: Interface Packets received ARP inspection pass ARP inspection failed --------------- ---------------------------------- --------------------ge-0/0/1.0 7 5 2 ge-0/0/2.0 10 10 0 ge-0/0/3.0 18 15 3
Action
Meaning
The sample output shows the number of ARP packets received and inspected per interface, with a listing of how many packets passed and how many failed the inspection on each interface. The switch compares the ARP requests and replies against the entries in the DHCP snooping database. If a MAC address or IP address in the ARP packet does not match a valid entry in the database, the packet is dropped.
Verify that MAC limiting is working on Switch 1. Display the MAC addresses that are learned when DHCP requests are sent from hosts on ge-0/0/1:
user@switch1> show ethernet-switching table
Action
847
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Ethernet-switching table: 6 entries, 5 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan 00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 * Learn Learn Learn Learn Learn Flood
Age 0 0 0 0 0 -
Meaning
The sample output shows that five MAC addresses have been learned for interface ge-0/0/1, which corresponds to the MAC limit of 5 set in the configuration. The last line of the output shows that a sixth MAC address request was dropped, as indicated by the asterisk (*) in the MAC address column.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Configuring Port Security (CLI Procedure) on page 886 Configuring Port Security (J-Web Procedure) on page 887
Example: Configuring IP Source Guard on a Data VLANThat Shares an Interface with a Voice VLAN
Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of source IP addresses or source MAC addresses. These spoofed packets are sent from hosts connected to untrusted access interfaces on the switch. You can enable the IP source guard port security feature on EX-series switches to mitigate the effects of such attacks. If IP source guard determines that a source IP address and a source MAC address in a binding in an incoming packet are not valid, the switch does not forward the packet. If two VLANs share an interface, you can configure IP source guard on just one of the VLANs; in this example, you configure IP source guard on an untagged data VLAN but not on the tagged voice VLAN. You can use 802.1X user authentication to validate the device connections on the data VLAN. This example describes how to configure IP source guard with 802.1X user authentication on a data VLAN, with a voice VLAN on the same interface:
Requirements on page 849 Overview and Topology on page 849 Configuration on page 850 Verification on page 852
848
Example: Configuring IP Source Guard on a Data VLANThat Shares an Interface with a Voice VLAN
Requirements
This example uses the following hardware and software components:
One EX-series EX 3200-24P switch JUNOS Release 9.2 or later for EX-series switches A DHCP server to provide IP addresses to network devices on the switch A RADIUS server to provide 802.1X authentication
Before you configure IP source guard for the data VLANs, be sure you have:
Connected the DHCP server to the switch. Connected the RADIUS server to the switch and configured user authentication on the server. See Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756. Configured the VLANs. See Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 for detailed information about configuring VLANs.
NOTE: The 802.1X user authentication applied in this example is for single supplicants. Single-secure supplicant mode and multiple supplicant mode do not work with IP source guard. For more information about 802.1X authentication, see Understanding 802.1X Authentication on EX-series Switches on page 719.
Requirements
849
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
TIP: You can set the ip-source-guard flag in the traceoptions statement for debugging purposes. This example shows how to configure a static IP address to be added to the DHCP snooping database.
Configuration
CLI Quick Configuration
To quickly configure IP source guard on a data VLAN, copy the following commands and paste them into the switch terminal window:
set ethernet-switching-options voip interface ge-0/0/14.0 vlan voice set ethernet-switching-options secure-access-port interface ge-0/0/24.0 dhcp-trusted set ethernet-switching-options secure-access-port interface ge-0/0/14 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan data set ethernet-switching-options secure-access-port vlan data examine-dhcp set ethernet-switching-options secure-access-port vlan data ip-source-guard set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members data set vlans voice vlan-id 100 set protocols lldp-med interface ge-0/0/14.0 set protocols dot1x authenticator authentication-profile-name profile52 set protocols dot1x authenticator interface ge-0/0/14.0 supplicant single
Step-by-Step Procedure
2.
Configure the interface on which the DHCP server is connected to the switch as a trusted interface and add that interface to the data VLAN:
[edit ethernet-switching-options] user@switch# set secure-access-port interface ge-0/0/24.0 dhcp-trusted [edit interfaces] user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members data
3.
4.
850
Configuration
5.
Configure 802.1X user authentication and LLDP-MED on the interface that is shared by the data VLAN and the voice VLAN:
[edit protocols] user@switch# set lldp-med interface ge-0/0/14.0 user@switch# set dot1x authenticator authentication-profile-name profile52 user@switch# set dot1x authenticator interface ge-0/0/14.0 supplicant single
6.
Results
Configuration
851
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
lldp-med { interface ge-0/0/14.0; } dot1x { authenticator { authentication-profile-name profile52; interface { ge-0/0/14.0 { supplicant single; } } } }
TIP: If you wanted to configure IP source guard on the voice VLAN as well as on the data VLAN, you would configure DHCP snooping and IP source guard exactly as you did for the data VLAN. The configuration result for the voice VLAN under secure-access-port would look like this:
secure-access-port { vlan voice { examine-dhcp; ip-source-guard; } }
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That 802.1X User Authentication Is Working on the Interface on page 852 Verifying the VLAN Association with the Interface on page 853 Verifying That DHCP Snooping and IP Source Guard Are Working on the Data VLAN on page 853
Verify the 802.1X configuration on interface ge-0/0/14. Verify the 802.1X configuration with the operational mode command show dot1x interface:
user@switch> show dot1x interface e-0/0/14.0 detail ge-0/0/14.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 3 Quiet period: 60 seconds
Action
852
Verification
Transmit period: 30 seconds Reauthentication: Enabled Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Supplicant: user100, 00:00:00:00:22:22 Operational state: Authenticated Reauthentication due in 506 seconds
Meaning
The Supplicant mode output field displays the configured administrative mode for each interface. Interface ge-0/0/14.0 displays Single supplicant mode.
Action
Meaning
The field VLAN members shows that the ge-0/0/14.0 interface supports both the data VLAN and the voice VLAN. The State field shows that the interface is up.
Verifying That DHCP Snooping and IP Source Guard Are Working on the Data VLAN
Purpose
Verify that DHCP snooping and IP source guard are enabled and working on the data VLAN. Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Display the DHCP snooping information when the interface on which the DHCP server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IP addresses and leases:
user@switch> show dhcp snooping binding DHCP Snooping Information: MAC address IP address Lease (seconds) Type
Action
VLAN
Interface
853
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
dynamic dynamic dynamic dynamic 10.10.10.7 dynamic dynamic static static static static
employee employee employee employee 720 data voice data employee employee employee
ge-0/0/1.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/2.0 dynamic ge-0/0/14.0 ge-0/0/14.0 ge-0/0/14.0 ge-0/0/17.0 ge-0/0/17.0 ge-0/0/17.0
00:30:48:92:A5:9D vlan100 ge-0/0/13.0 00:30:48:8D:01:3D 10.10.10.9 720 00:30:48:8D:01:5D 10.10.10.8 1230 00:11:11:11:11:11 11.1.1.1 00:05:85:27:32:88 192.0.2.22 00:05:85:27:32:89 192.0.2.23 00:05:85:27:32:90 192.0.2.27
Meaning
When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see the preceding sample output for show dhcp snooping binding) shows, for each MAC address, the assigned IP address and lease timethat is, the time, in seconds, remaining before the lease expires. Static IP addresses have no assigned lease time. Statically configured entries never expire. The IP source guard database table contains the VLANs enabled for IP source guard, the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there are any, and the IP addresses and MAC addresses that are bound to one another. If a switch interface is associated with multiple VLANs and some of those VLANs are enabled for IP source guard and others are not, the VLANs that are not enabled for IP source guard have a star (*) in the IP Address and MAC Address fields. See the entry for the voice VLAN in the preceding sample output.
Related Topics
Example: Configuring IP Source Guard with Other EX-series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 855 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch on page 785 Configuring IP Source Guard (CLI Procedure) on page 904
854
Verifying That DHCP Snooping and IP Source Guard Are Working on the Data VLAN
Example: Configuring IP Source Guard with Other EX-series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces
Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of source IP addresses or source MAC addresses. These spoofed packets are sent from hosts connected to untrusted access interfaces on the switch. You can enable the IP source guard port security feature on EX-series switches to mitigate the effects of such attacks. If IP source guard determines that a source IP address and a source MAC address in a binding in an incoming packet are not valid, the switch does not forward the packet. You can use IP source guard in combination with other EX-series switch features to mitigate address-spoofing attacks on untrusted access interfaces. This example shows two configuration scenarios:
Requirements on page 855 Overview and Topology on page 855 Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic ARP Inspection on page 856 Configuring IP Source Guard on a Guest VLAN on page 859 Verification on page 861
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.2 or later for EX-series switches An EX 4200-24P switch A DHCP server to provide IP addresses to network devices on the switch A RADIUS server to provide 802.1X authentication
Before you configure IP source guard for these scenarios, be sure you have:
Connected the DHCP server to the switch. Connected the RADIUS server and configured user authentication on the RADIUS server . See Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756. Configured the VLANs on the switch. See Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 414 for detailed information about configuring VLANs.
Example: Configuring IP Source Guard with Other EX-series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces
855
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
When you configure IP source guard, you enable on it on one or more VLANs. IP source guard applies its checking rules to untrusted access interfaces on those VLANs. By default, on EX-series switches, access interfaces are untrusted and trunk interfaces are trusted. IP source guard does not check packets that have been sent to the switch by devices connected to either trunk interfaces or trusted access interfacesthat is, interfaces configured with dhcp-trusted so that a DHCP server can be connected to that interface to provide dynamic IP addresses. IP source guard obtains information about IP-address/MAC-address/VLAN bindings from the DHCP snooping database. It causes the switch to validate incoming IP packets against the entries in that database. The topology for this example includes an EX-4200-24P switch, a connection to a DHCP server, and a connection to a RADIUS server for user authentication.
NOTE: The 802.1X user authentication applied in this example is for single supplicants. Single-secure supplicant mode and multiple supplicant mode do not work with IP source guard. For more information about 802.1X authentication, see Understanding 802.1X Authentication on EX-series Switches on page 719. In the first example configuration, two clients (network devices) are connected to an access switch. You configure IP source guard and 802.1X user authentication, in combination with access port security features DHCP snooping and dynamic ARP inspection (DAI). This setup is designed to protect the switch from IP attacks such as ping of death attacks, DHCP starvation, and ARP spoofing. In the second example configuration, the switch is configured for 802.1X user authentication. If the client fails authentication, the switch redirects the client to a guest VLAN that allows this client to access a set of restricted network features. You configure IP source guard on the guest VLAN to mitigate effects of source IP spoofing.
NOTE: Control-plane rate limiting is achieved by restricting CPU control-plane protection. It can be used in conjunction with storm control (see Understanding Storm Control on EX-series Switches on page 403) to limit data-plane activity.
TIP: You can set the ip-source-guard flag in the traceoptions statement for debugging purposes.
Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic ARP Inspection
CLI Quick Configuration
To quickly configure IP source guard with 802.1X authentication and with other access port security features, copy the following commands and paste them into the switch terminal window:
set ethernet-switching-options secure-access-port interface ge-0/0/24 dhcp-trusted set ethernet-switching-options secure-access-port vlan data examine-dhcp
856
Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic ARP Inspection
set set set set set set set set set set
ethernet-switching-options secure-access-port vlan data arp-inspection ethernet-switching-options secure-access-port vlan data ip-source-guard interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members data interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members data interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members data protocols lldp-med interface ge-0/0/0.0 protocols dot1x authenticator authentication-profile-name profile52 protocols dot1x authenticator interface ge-0/0/0.0 supplicant single protocols lldp-med interface ge-0/0/1.0 protocols dot1x authenticator interface ge-0/0/1.0 supplicant single
Step-by-Step Procedure
To configure IP source guard with 802.1X authentication and various port security features:
1.
Configure the interface on which the DHCP server is connected to the switch as a trusted interface and add that interface to the data VLAN:
[edit ethernet-switching-options] user@switch# set secure-access-port interface ge-0/0/24 dhcp-trusted user@switch# set set ge-0/0/24 unit 0 family ethernet-switching vlan members data
2.
3.
Configure 802.1X user authentication and LLDP-MED on the two interfaces that you associated with the data VLAN:
[edit protocols] user@switch# set lldp-med interface ge-0/0/0.0 user@switch# set dot1x authenticator authentication-profile-name profile52 user@switch# set dot1x authenticator interface ge-0/0/0.0 supplicant single user@switch# set lldp-med interface ge-0/0/1.0 user@switch# set dot1x authenticator interface ge-0/0/1.0 supplicant single
4.
Configure access port security features DHCP snooping, dynamic ARP inspection (DAI), and IP source guard on the data VLAN:
[edit ethernet-switching-options] user@switch# set secure-access-port vlan data examine-dhcp user@switch# set secure-access-port vlan data arp-inspection user@switch# set secure-access-port vlan data ip-source-guard
Results
Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic ARP Inspection
857
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
dhcp-trusted; } vlan data { arp-inspection; examine-dhcp; ip-source-guard; } } [edit interfaces] ge-0/0/0 { unit 0 { family ethernet-switching { vlan { members data; } } } } ge-0/0/1 { unit 0 { family ethernet-switching { vlan { members data; } } } } ge-0/0/24 { unit 0 { family ethernet-switching { vlan { members data; } } } } [edit protocols] lldp-med { interface ge-0/0/14.0; interface ge-0/0/0.0; interface ge-0/0/1.0; } dot1x { authenticator { authentication-profile-name profile52; } interface { ge-0/0/0.0 { supplicant single; } ge-0/0/1.0 { supplicant single; } ge-0/0/14.0 {
858
Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic ARP Inspection
supplicant single; } } }
To quickly configure IP source guard on a guest VLAN, copy the following commands and paste them into the switch terminal window:
set ethernet-switching-options secure-access-port interface ge-0/0/24 dhcp-trusted set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members employee set ethernet-switching-options secure-access-port vlan employee examine-dhcp set ethernet-switching-options secure-access-port vlan employee ip-source-guard set ethernet-switching-options secure-access-port interface ge-0/0/0 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan employee set ethernet-switching-options secure-access-port interface ge-0/0/1 static-ip 11.1.1.2 mac 00:22:22:22:22:22 vlan employee set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access set protocols dot1x authenticator authentication-profile-name profile52 set protocols dot1x authenticator interface ge-0/0/0 supplicant single set protocols dot1x authenticator interface ge-0/0/0 guest-vlan employee set protocols dot1x authenticator interface ge-0/0/0 supplicant-timeout 2 set protocols dot1x authenticator interface ge-0/0/1 supplicant single set protocols dot1x authenticator interface ge-0/0/1 guest-vlan employee set protocols dot1x authenticator interface ge-0/0/1 supplicant-timeout 2 set vlans employee vlan-id 300
Step-by-Step Procedure
Configure the interface on which the DHCP server is connected to the switch as a trusted interface and add that interface to the employee VLAN:
[edit ethernet-switching-options] user@switch# set secure-access-port interface ge-0/0/24 dhcp-trusted user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members employee
2.
3.
4.
Configure a static IP address on each of two interfaces on the employee VLAN (optional):
859
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
[edit ethernet-switching-options] user@switch# set secure-access-port interface ge-0/0/0 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan employee
[edit ethernet-switching-options] user@switch# set secure-access-port interface ge-0/0/1 static-ip 11.1.1.2 mac 00:22:22:22:22:22 vlan employee
5.
dot1x authenticator authentication-profile-name profile52 dot1x authenticator interface ge-0/0/0 supplicant single dot1x authenticator interface ge-0/0/1 supplicant single dot1x authenticator interface ge-0/0/0 supplicant-timeout 2 dot1x authenticator interface ge-0/0/1 supplicant-timeout
6.
Results
860
[edit interfaces] ge-0/0/0 { unit 0 { family ethernet-switching { port-mode access; } } } ge-0/0/1 { unit 0 { family ethernet-switching { port-mode access; } } } ge-0/0/24 { unit 0 { family ethernet-switching { vlan { members employee; } } } } [edit ethernet-switching-options] secure-access-port { interface ge-0/0/0.0 { static-ip 11.1.1.1 vlan employee mac 00:11:11:11:11:11; } interface ge-0/0/1.0 { static-ip 11.1.1.2 vlan employee mac 00:22:22:22:22:22; } interface ge-0/0/24.0 { dhcp-trusted; } vlan employee { examine-dhcp; ip-source-guard; } }
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That 802.1X User Authentication Is Working on the Interface on page 861 Verifying the VLAN Association with the Interface on page 862 Verifying That DHCP Snooping and IP Source Guard Are Working on the VLAN on page 862
Verification
861
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Action Meaning
Use the show dot1x interface command to view the 802.1X details. The Supplicant mode output field displays the configured administrative mode for each interface.
Verity interface states and VLAN memberships. Use the show ethernet-switching interfaces command to view the Ethernet switching table entries. The field VLAN members shows the associations between VLANs and interfaces. The State field shows whether the interfaces are up or down. For the guest VLAN configuration, the interface is associated with the guest VLAN if and when the supplicant fails 802.1X user authentication.
Meaning
Verifying That DHCP Snooping and IP Source Guard Are Working on the VLAN
Purpose
Verify that DHCP snooping and IP source guard are enabled and working on the VLAN. Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Use the show dhcp snooping binding command to display the DHCP snooping information when the interface on which the DHCP server connects to the switch is trusted. View the MAC addresses from which requests were sent and the IP addresses and leases provided by the server. Use the show ip-source-guard command to view IP source guard information for the VLAN.
Action
Meaning
When the interface on which the DHCP server connects to the switch has been set to trusted, the output shows, for each MAC address, the assigned IP address and lease timethat is, the time, in seconds, remaining before the lease expires. Static IP addresses have no assigned lease time. Statically configured entries never expire. The IP source guard database table contains the VLANs enabled for IP source guard, the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there are any, and the IP addresses and MAC addresses that are bound to one another. If a switch interface is associated with multiple VLANs and some of those VLANs are enabled for IP source guard and others are not, the VLANs that are not enabled for IP source guard have a star (*) in the IP Address and MAC Address fields.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch on page 785
862
Example: Configuring IP Source Guard on a Data VLANThat Shares an Interface with a Voice VLAN on page 848 Configuring IP Source Guard (CLI Procedure) on page 904
Verifying That DHCP Snooping and IP Source Guard Are Working on the VLAN
863
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
864
Verifying That DHCP Snooping and IP Source Guard Are Working on the VLAN
Chapter 46
Configuring 802.1X Authentication (CLI Procedure) on page 866 Configuring 802.1X Authentication (J-Web Procedure) on page 868 Configuring MAC RADIUS Authentication (CLI Procedure) on page 871 Configuring Server Fail Fallback (CLI Procedure) on page 872 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874 Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on page 875 Configuring LLDP (CLI Procedure) on page 880 Configuring LLDP (J-Web Procedure) on page 881 Configuring LLDP-MED (CLI Procedure) on page 882 VSA Match Conditions and Actions for EX-series Switches on page 883 Configuring Port Security (CLI Procedure) on page 886 Configuring Port Security (J-Web Procedure) on page 887 Enabling DHCP Snooping (CLI Procedure) on page 889 Enabling DHCP Snooping (J-Web Procedure) on page 890 Enabling a Trusted DHCP Server (CLI Procedure) on page 891 Enabling a Trusted DHCP Server (J-Web Procedure) on page 891 Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 892 Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 895 Enabling Dynamic ARP Inspection (CLI Procedure) on page 898 Enabling Dynamic ARP Inspection (J-Web Procedure) on page 898 Configuring MAC Limiting (CLI Procedure) on page 899 Configuring MAC Limiting (J-Web Procedure) on page 901 Configuring MAC Move Limiting (CLI Procedure) on page 902 Configuring MAC Move Limiting (J-Web Procedure) on page 903
865
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure) on page 904 Configuring IP Source Guard (CLI Procedure) on page 904 Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 906
Specify the RADIUS server to be used as the authentication server. Specify the 802.1X exclusion list, used to specify which supplicants can bypass 802.1X authentication and be automatically connected to the LAN. Specify 802.1X interface settings on the switch.
1. Configuring the RADIUS Server on page 866 2. Configuring Static MAC Bypass on page 867 3. Configuring 802.1X Interface Settings on page 867
Define the address of the server, the RADIUS server authentication port number, and the secret password. The secret password on the switch must match the secret password on the server:
[edit access ] user@switch# set radius-server 10.0.0.100 port 1812 secret abc
2.
Configure the authentication order, making radius the first method of authentication:
[edit access] user@switch# set profile profile1 authentication-order radius
3.
866
[edit access profile] user@switch# set profile1 radius authentication-server 10.0.0.100 10.2.14.200
2.
3.
Configure the supplicant mode as single (authenticates the first supplicant), single-secure (authenticates only one supplicant), or multiple (authenticates multiple supplicants):
[edit protocols dot1x] user@switch# set authenticator interface ge-0/0/5 supplicant multiple
2.
Enable reauthentication:
[edit protocols dot1x] user@switch# set authenticator interface ge-0/0/5/0 reauthentication interval 5
3.
Configure the port timeout value for the response from the supplicant:
867
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
4.
Configure the timeout for the interface before it resends an authentication request to the RADIUS server:
[edit protocols dot1x] user@switch# set authenticator interface ge-0/0/5 server-timeout 5
5.
Configure how long the interface waits before retransmitting the initial EAPOL PDUs to the supplicant:
[edit protocols dot1x] user@switch# set authenticator interface ge-0/0/5 transmit-period 5
Related Topics
Configuring 802.1X Authentication (J-Web Procedure) on page 868 Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Monitoring 802.1X Authentication on page 908 Verifying 802.1X Authentication on page 907 Configuring LLDP (CLI Procedure) on page 880 Understanding 802.1X Authentication on EX-series Switches on page 719
From the Configure menu, select Security > 802.1X. The 802.1X screen displays a list of interfaces, whether 802.1X security has been enabled, and the assigned port role. When you select a particular interface, the Details section displays 802.1X details for the selected interface.
2.
Click one:
RADIUS ServersSpecifies the RADIUS server to be used for authentication. Select the check box to select the required server. Click Add or Edit to add or modify the RADIUS server settings. Enter information as specified in Table 112 on page 869. Exclusion List Excludes hosts from the 802.1X authentication list by specifying the MAC address. Click Add or Edit in the Exclusion list screen to include or modify the MAC addresses. Enter information as specified in Table 113 on page 869. Edit Specifies 802.1X settings for the selected interface
868
Apply 802.1X ProfileApplies a pre-defined 802.1X profile based on the port role. If a message appears asking if you want to configure a RADIUS server, click Yes. 802.1X ConfigurationConfigures custom 802.1X settings for the selected interface. If a message appears asking if you want to configure a RADIUS server, click Yes. Enter information as specified in Table 112 on page 869. To configure 802.1X settings enter information as specified in Table 114 on page 870.
Specifies the login password. Verifies the login password for the server. Specifies the port with which the server is associated. Specifies the source address of the server.
Retry Attempts
Specifies the number of login retries allowed after a login failure. Specifies the time interval to wait before the connection to the server is closed.
Timeout
Exclude if connected through the port Move the host to the VLAN
Select to enable the option. Select the port through which the host is connected. Select to enable the option. Select the VLAN from the list.
869
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Function
Your Action
Single allows only one host for authentication. Multiple allows multiple hosts for authentication. Each host is checked before being admitted to the network. Single authentication for multiple hosts Allows multiple hosts but only the first is authenticated.
1. 2.
Select one:
Move to the Guest VLAN Select the VLAN to move the interface to. Deny the host is not permitted access.
Timeouts
Port waiting time after an authentication failure EAPOL re-transmitting interval Max. EAPOL requests Maximum number of retries Port timeout value for the response from the supplicant Port timeout value for the response from the RADIUS server
Related Topics
Configuring 802.1X Authentication (CLI Procedure) on page 866 Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Understanding 802.1X Authentication on EX-series Switches on page 719 802.1X for EX-series Switches Overview on page 718
870
Configured basic access between the EX-series switch and the RADIUS server. See Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756. Configured 802.1X authentication on the switch. See Configuring 802.1X Authentication (CLI Procedure) on page 866 or Configuring 802.1X Authentication (J-Web Procedure) on page 868.
On the switch, configure the interfaces to which the nonresponsive hosts are attached for MAC RADIUS authentication, and add the restrict qualifier for interface ge-0/0/20 to have it use only MAC RADIUS authentication:
[edit] user@switch# set protocols dot1x authenticator interface ge-0/0/19 mac-radius user@switch# set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict
On a RADIUS authentication server, create user profiles for each nonresponsive host using the MAC address (without colons) of the nonresponsive host as the username and password (here, the MAC addresses are 00:04:0f:fd:ac:fe and 00:04:ae:cd:23:5f):
[root@freeradius]# edit /etc/raddb vi users 00040ffdacfe Auth-type:=Local, User-Password = "00040ffdacfe" 0004aecd235f Auth-type:=Local, User-Password = "0004aecd235f"
Related Topics
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch and a RADIUS Server on page 775 Verifying 802.1X Authentication on page 907 Understanding 802.1X MAC RADIUS Authentication on EX-series Switches on page 723
871
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
872
Configure an interface to allow traffic to flow from a supplicant to the LAN if a RADIUS server timeout occurs (as if the supplicant had been successfully authenticated by a RADIUS server):
[edit protocols dot1x authenticator] user@switch# set interface ge-0/0/1 server-fail permit
Configure an interface to prevent traffic flow from a supplicant to the LAN (as if the supplicant had failed authentication and had been rejected by the RADIUS server):
[edit protocols dot1x authenticator] user@switch# set interface ge-0/0/1 server-fail deny
Configure an interface to move a supplicant to a specified VLAN if a RADIUS server timeout occurs (in this case, the VLAN name is vlan1):
[edit protocols dot1x authenticator] user@switch# set interface ge-0/0/1 server-fail vlan-name vlan1
Configure an interface to recognize already connected supplicants as reauthenticated if there is a RADIUS timeout during reauthentication (new users will be denied access):
[edit protocols dot1x authenticator] user@switch# set interface ge-0/0/1 server-fail use-cache
Configure an interface that receives an EAPOL Access-Reject message from the authentication server to move supplicants attempting LAN access on the interface to a specified VLAN already configured on the switch (in this case, the VLAN name is vlan-sf):
[edit protocols dot1x authenticator] user@switch# set interface ge-0/0/1 server-reject-vlan vlan-sf
Related Topics
Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX-series Switch on page 761 Configuring 802.1X Authentication (J-Web Procedure) on page 868 Configuring 802.1X Authentication (CLI Procedure) on page 866 Monitoring 802.1X Authentication on page 908 Understanding Server Fail Fallback and 802.1X Authentication on EX-series Switches on page 725
873
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Specify the accounting servers to which the switch will forward accounting statistics:
[edit access] user@switch# set profile profile1 radius accounting-server [122.69.1.250 122.69.1.252]
2.
3.
4.
Configure the RADIUS servers to use while sending accounting messages and updates:
[edit access] user@switch# set profile profile1 accounting order radius none
5.
Configure the statistics to be collected on the switch and forwarded to the accounting server:
[edit access] user@switch# set profile profile1 accounting order stop-on-access-deny user@switch# set profile profile1 accounting order stop-on-failure
6.
7.
Open an accounting log on the RADIUS accounting server using the server's address, and view accounting statistics:
874
detail-20071214
User-Name = "000347e1bab9" NAS-Port = 67 Acct-Status-Type = Stop Acct-Session-Id = "8O2.1x811912" Acct-Input-Octets = 17454 Acct-Output-Octets = 4245 Acct-Session-Time = 1221041249 Acct-Input-Packets = 72 Acct-Output-Packets = 53 Acct-Terminate-Cause = Lost-Carrier Acct-Input-Gigawords = 0 Acct-Output-Gigawords = 0 Called-Station-Id = "00-19-e2-50-52-60" Calling-Station-Id = "00-03-47-e1-ba-b9" Event-Timestamp = "Sep 10 2008 16:52:39 PDT" NAS-Identifier = "esp48t-1b-01" NAS-Port-Type = Virtual User-Name = "000347e1bab9" NAS-Port = 67 Acct-Status-Type = Start Acct-Session-Id = "8O2.1x811219" Called-Station-Id = "00-19-e2-50-52-60" Calling-Station-Id = "00-03-47-e1-ba-b9" Event-Timestamp = "Sep 10 2008 18:58:52 PDT" NAS-Identifier = "esp48t-1b-01" NAS-Port-Type = Virtual
Related Topics
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Understanding 802.1X and AAA Accounting on EX-series Switches on page 727
875
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The following procedure uses FreeRADIUS to configure VSAs. For specifics on configuring your server, consult the AAA documentation that was included with your server. This topic includes the following tasks: 1. Load the Juniper Dictionary on page 876 2. Configure a Match Statement on page 878 3. Apply a Port Firewall Filter Directly to the RADIUS Server Configuration (Optional) on page 879
2.
If the attribute Juniper-Switching-Filter is not displayed in the dictionary, you can copy the string shown at the bottom of step 1, and paste the string at the end of the list in the dictionary file. The output shows where to paste the string:
# dictionary.juniper # # Version: $Id: dictionary.juniper,v 1.2.6.1 2005/11/30 22:17:25 aland Exp $ # VENDOR Juniper 2636 BEGIN-VENDOR Juniper ATTRIBUTE Juniper-Local-User-Name 1 string ATTRIBUTE Juniper-Allow-Commands 2 string ATTRIBUTE Juniper-Deny-Commands 3 string
876
ATTRIBUTE Juniper-Allow-Configuration ATTRIBUTE Juniper-Deny-Configuration ATTRIBUTE Juniper-Firewall-Filter copy and paste the entire string here <
4 5 44
3.
877
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
To deny authentication based on the 802.1Q tag (here, the 802.1Q tag is 10):
[root@freeradius]# cd /usr/local/pool/raddbvi users Juniper-Switching-Filter = "match source-dot1q-tag 10 action deny"
To set the packet loss priority (PLP) to high based on a destination MAC address and the IP protocol:
[root@freeradius]# cd /usr/local/pool/raddbvi users Juniper-Switching-Filter = "match destination-mac 00:04:0f:fd:ac:fe, ip-protocol 2, forwarding-class high, action loss-priority high"
NOTE: In order for the forwarding-class option to be applied, the forwarding class must be configured on the switch. If it is not configured on the switch, this option is ignored. You must specify both the forwarding class and the packet loss priority.
NOTE: After you configure a match statement, stop and restart the RADIUS process to activate the configuration.
878
Apply a Port Firewall Filter Directly to the RADIUS Server Configuration (Optional)
Port (Layer 2) firewall filters apply to Layer 2 switch ports. When the 802.1X configuration on an interface is set to multiple supplicant mode, you can specify a single port firewall filter configured on the EX-series switch through the JUNOS CLI to be applied to any number of supplicants (users) that are connected to the switch on one interface by adding the filter centrally to the RADIUS server. For more information about firewall filters, see Firewall Filters for EX-series Switches Overview on page 1041. To apply a port firewall filter centrally from the RADIUS server:
NOTE: Multiple filters are not supported on a single interface. However, you can support multiple filters for multiple users that are connected to the switch on the same interface by configuring a single filter with policies for each of those users.
NOTE: If port firewall filters are also configured locally for the interface, then VSAs take precedence if they conflict with the filters. If the VSAs and the local port firewall filters do not conflict, they are merged.
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring 802.1X Authentication (CLI Procedure) on page 866 Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Understanding 802.1X and VSAs on EX-series Switches on page 734
Apply a Port Firewall Filter Directly to the RADIUS Server Configuration (Optional)
879
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configure the advertisement interval in seconds to specify the frequency at which LLDP advertisements are sent:
[edit protocols lldp] user@switch# set advertisement-interval 45
2.
Configure the frequency in seconds at which LLDP advertisements are sent from the switch in the first second after it has detected an LLDP-capable device:
[edit protocols lldp] user@switch# set fast-start 8
3.
Specify the multiplier used in combination with the advertisement-interval value to determine the length of time LLDP information is held before it is discarded:
[edit protocols lldp] user@switch# set hold-multiplier 5
4.
5.
6.
Related Topics
Configuring LLDP-MED (CLI Procedure) on page 882 Configuring LLDP (J-Web Procedure) on page 881 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
880
From the Configure menu, select the option Switching > LLDP. The LLDP Configuration page displays LLDP Global Settings and Port Settings. The second half of the screen displays operational details for the selected port.
2.
To modify LLDP Global Settings, click Global Settings. Enter information as described in Table 115 on page 881.
3.
To modify Port Settings, click Edit in the Port Settings section. Enter information as described in Table 116 on page 881.
Transmit delay
Hold multiplier
Your Action Select one: Enabled, Disabled, or None. Select Enable from the list.
Related Topics
Configuring LLDP (CLI Procedure) on page 880 Configuring LLDP-MED (CLI Procedure) on page 882
881
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
Configure the frequency at which LLDP-MED advertisements are sent from the switch in the first second after it has detected an LLDP-MED device:
[edit protocols lldp-med] user@switch# set fast-start 6
2.
3.
Configure the location information that is advertised from the switch to the LLDP-MED device. You can specify a civic-based location (geographic location) or a location based on an elin (emergency location identification string):
882
[edit protocols lldp-med] user@switch# set interface ge-0/0/2.0 location elin 4085551212
You can display the configuration settings using the show lldp command:
[edit protocols lldp-med] user@switch> show lldp LLDP Advertisement interval Transmit delay Hold timer Config Trap Interval Connection Hold timer LLDP MED MED fast start count : : : : : : Enabled 30 seconds 2 seconds 2 seconds 60 seconds 300 seconds
: Enabled : 6 Packets
LLDP Enabled -
LLDP-MED Enabled
Related Topics
Configuring LLDP (J-Web Procedure) on page 881 Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Configuring LLDP (CLI Procedure) on page 880 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
883
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Both match and action statements are mandatory. Any or all options (separated by commas) may be included in each match and action statement. Fields separated by commas will be ANDed if they are of a different type. The same types cannot be repeated. For OR cases (for example, match 10.1.1.0/24 OR 11.1.1.0/24), apply multiple VSAs to the 802.1X supplicant. In order for the forwarding-class option to be applied, the forwarding class must be configured on the switch. If it is not configured on the switch, this option is ignored.
Table 117 on page 884 describes the match conditions you can specify when configuring a VSA using the match command on the RADIUS server. The string that defines a match condition is called a match statement.
Table 117: Match Conditions
Option
destination-mac mac-address source-vlan source-vlan source-dot1q-tag tag destination-ip ip-address ip-protocol protocol-id
Description Destination media access control (MAC) address of the packet. Name of the source VLAN. Tag value in the dot1q header, in the range 0 through 4095. Address of the final destination node. IPv4 protocol value. In place of the numeric value, you can specify one of the following text synonyms:
ah, egp (8), esp (50, gre (47), icmp (1), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), tcp (6), or udp (17)
source-port port
TCP or User Datagram Protocol (UDP) source port field. Normally, you specify this match statement in conjunction with the ip-protocol match statement to determine which protocol is being used on the port. In place of the numeric field, you can specify one of the text options listed under destination-port.
884
Description TCP or UDP destination port field. Normally, you specify this match in conjunction with the ip-protocol match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed):
afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cvspserver (2401), cmd (514), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), telnet (23), tacacs-ds (65), talk (517), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), zephyr-hm (2104)
When you define one or more terms that specify the filtering criteria, you also define the action to take if the packet matches all criteria. Table 118 on page 885 shows the actions that you can specify in a term.
Table 118: Actions for VSAs
Option (allow | deny) Description Accept a packet or discard a packet silently without sending an Internet Control Message Protocol (ICMP) message. (Optional) Classify the packet in one of the following forwarding classes:
forwarding-class class-of-service
(Optional) Set the packet loss priority (PLP) to low, medium, or high. Specify both the forwarding class and loss priority.
Related Topics
Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on page 875 Understanding 802.1X and VSAs on EX-series Switches on page 734
885
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
On a specific VLAN:
[edit ethernet-switching-options secure-access port] user@switch# set vlan default examine-dhcp
On all VLANs:
[edit ethernet-switching-options secure-access port] user@switch# set vlan all examine-dhcp
2.
Enable DAI:
On all VLANs:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan all arp-inspection
3.
Limit the number of dynamic MAC addresses and specify the action to take if the limit is exceededfor example, set a MAC limit of 5 with an action of drop:
On all interfaces:
[edit ethernet-switching-options secure-access-port] user@switch# set interface all maclimit 5 action drop
4.
886
user@switch# set interface ge0/0/2 allowed-mac 00:05:85:3A:82:80 user@switch# set interface ge0/0/2 allowed-mac 00:05:85:3A:82:81 user@switch# set interface ge0/0/2 allowed-mac 00:05:85:3A:82:83
On all interfaces:
[edit ethernet-switching-options secure-access-port] user@switch# set interface all allowed-mac 00:05:85:3A:82:80 user@switch# set interface all allowed-mac 00:05:85:3A:82:81 user@switch# set interface all allowed-mac 00:05:85:3A:82:83
5.
Limit the number of times a MAC address can move from its original interface in one secondfor example, set a MAC move limit of 5 with an action of drop if the limit is exceeded:
On all VLANs:
[edit ethernet-switching-options secure-access-port] set vlan all macmove-limit 5 action drop
6.
Related Topics
Configuring Port Security (J-Web Procedure) on page 887 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 840 Monitoring Port Security on page 909 Port Security for EX-series Switches Overview on page 734
From the Configure menu select the option Security > Port Security. The first part of the screen displays a VLAN list with the VLAN name, VLAN identifier, port members, and port security VLAN features.
887
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The second part of the screen displays a list of all ports and whether security features have been enabled on the ports.
2.
Click one:
Edit Click this option to modify the security features for the selected port
or VLAN. Enter information as specified in Table 119 on page 888 to modify Port Security settings on VLANs. Enter information as specified in Table 120 on page 888 to modify Port Security settings on interfaces.
switch.
ARP Inspection
Select to enable ARP inspection on a specified VLAN or all VLANs. (Configure any port on which you do not want ARP inspection to occur as a trusted DHCP server port.) Enter the required number.
MAC Movement
Prevents hosts whose MAC addresses have not been learned by the switch from accessing the network. Specifies the number of times per second that a MAC address can move to a new interface. Specifies the action to be taken if the MAC move limit is exceeded.
Select one:
LogGenerate a system log entry, an SNMP trap, or an alarm. DropDrop the packets and generate a system log entry, an SNMP trap, or an alarm. ShutdownBlock data traffic on the interface and generate an alarm. None No action to be taken.
888
Select one:
LogGenerate a system log entry, an SNMP trap, or an alarm. DropDrop the packets and generate a system log entry, an SNMP trap, or an alarm. ShutdownBlock data traffic on the interface and generate an alarm. None No action to be taken.
Specifies the MAC addresses that are allowed for the interface.
1. 2. 3.
Related Topics
Configuring Port Security (CLI Procedure) on page 886 Monitoring Port Security on page 909 Port Security for EX-series Switches Overview on page 734 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808
On all VLANs:
[edit ethernet-switching-options secure-access port] user@switch# set vlan all examine-dhcp
889
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Enabling DHCP Snooping (J-Web Procedure) on page 890 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 840 Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 832 Verifying That DHCP Snooping Is Working Correctly on page 910 Monitoring Port Security on page 909 Understanding DHCP Snooping for Port Security on EX-series Switches on page 738
Select Configure>Security>Port Security. Select one or more VLANs from the VLAN list. Click the Edit button. If a message appears asking if you want to enable port security, click Yes. Select the Enable DHCP Snooping on VLAN check box and then click OK. Click OK after the command has been successfully delivered.
NOTE: You can enable or disable port security on the switch at any time by clicking the Activate or Deactivate button on the Port Security Configuration page. If security status is shown as Disabled when you try to edit settings for any VLANs or interfaces (ports), the message asking if you want to enable port security appears.
Related Topics
Enabling DHCP Snooping (CLI Procedure) on page 889 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 840 Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 832
890
Verifying That DHCP Snooping Is Working Correctly on page 910 Monitoring Port Security on page 909 Understanding DHCP Snooping for Port Security on EX-series Switches on page 738
Related Topics
Enabling a Trusted DHCP Server (J-Web Procedure) on page 891 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 819 Verifying That a Trusted DHCP Server Is Working Correctly on page 911 Monitoring Port Security on page 909 Understanding Trusted DHCP Servers for Port Security on EX-series Switches on page 748
Select Configure>Security>Port Security. Select one or more interfaces from the Port list. Click the Edit button. If a message appears asking if you want to enable port security, click Yes.
891
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
4. 5.
Select the Trust DHCP check box and then click OK. Click OK after the command has been successfully delivered.
NOTE: You can enable or disable port security on the switch at any time by clicking the Activate or Deactivate button on the Port Security Configuration page. If security status is shown as Disabled when you try to edit settings for any VLANs or interfaces (ports), the message asking if you want to enable port security appears.
Related Topics
Enabling a Trusted DHCP Server (CLI Procedure) on page 891 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 819 Verifying That a Trusted DHCP Server Is Working Correctly on page 911 Monitoring Port Security on page 909 Understanding Trusted DHCP Servers for Port Security on EX-series Switches on page 748
Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure)
You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect the EX-series switch against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client. You can configure the DHCP option 82 feature in two topologies:
The switch, DHCP clients, and DHCP server are all on the same VLAN. The switch forwards the clients' requests to the server and forwards the server's replies to the clients. This topic describes this configuration. The switch functions as a relay agent when the DHCP clients or the DHCP server is connected to the switch through a Layer 3 interface. On the switch, these interfaces are configured as routed VLAN interfaces, or RVIs. The switch relays the clients' requests to the server and then forwards the server's replies to the clients. This configuration is described in Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 895.
Before you configure DHCP option 82 on the switch, perform these tasks:
892
Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure)
NOTE: Your DHCP server must be configured to accept DHCP option 82. If the server is not configured for DHCP option 82, the server does not use the DHCP option 82 information in the requests sent to it when it formulates its reply messages. Configure a VLAN on the switch and associate the interfaces on which the clients and the server connect to the switch with that VLAN.
NOTE: Replace values displayed in italics with values for your configuration. Specify DHCP option 82 for all VLANs associated with the switch or for a specified VLAN. (You can also configure the feature for a VLAN range.)
1.
On a specific VLAN:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82
On all VLANs:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan all dhcp-option82
To configure a prefix for the circuit ID suboption (the prefix is always the hostname of the switch):
[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 circuit-id prefix hostname
3.
To specify that the circuit ID suboption value contains the interface description rather than the interface name (the default):
[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 circuit-id use-interface-description
4.
To specify that the circuit ID suboption value contains the VLAN ID rather than the VLAN name (the default):
[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 circuit-id use-vlan-id
5.
To specify that the remote ID suboption is included in the DHCP option 82 information:
Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure)
893
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
6.
To configure a prefix for the remote ID suboption (here, the prefix is the MAC address of the switch):
[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id prefix mac
7.
To specify that the prefix for the remote ID suboption is the hostname of the switch rather than the MAC address of the switch (the default):
[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id prefix hostname
8.
To specify that the remote ID suboption value contains the interface description:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id use-interface-description
9.
10. To configure a vendor ID suboption and use the default value (the default value
is Juniper), do not type a character string after the vendor-id option keyword:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 vendor-id
11. To specify that the vendor ID suboption value contains a character string value
To view results of the configuration steps before committing the configuration, type the show command at the user prompt. To commit these changes to the active configuration, type the commit command at the user prompt.
Related Topics
Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server on page 825 Understanding DHCP Option 82 for Port Security on EX-series Switches on page 748 RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
894
Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure)
Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure)
You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect the EX-series switch against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client. You can configure the DHCP option 82 feature in two topologies:
The switch functions as a relay agent when the DHCP clients or the DHCP server is connected to the switch through a Layer 3 interface. On the switch, these interfaces are configured as routed VLAN interfaces, or RVIs. The switch relays the clients' requests to the server and then forwards the server's replies to the clients. This topic describes this configuration. The switch, DHCP clients, and DHCP server are all on the same VLAN. The switch forwards the clients' requests to the server and forwards the server's replies to the clients. This configuration is described in Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 892.
Before you configure DHCP option 82 on the switch, perform these tasks:
NOTE: Your DHCP server must be configured to accept DHCP option 82. If the server is not configured for DHCP option 82, the server does not use the DHCP option 82 information in the requests sent to it when it formulates its reply messages. Configure the VLAN on the switch and associate the interfaces on which the clients connect to the switch with that VLAN. Configure the routed VLAN interface (RVI) to allow the switch to relay packets to the server and receive packets from the server. See Configuring Routed VLAN Interfaces (CLI Procedure) on page 468. Configure the switch as a BOOTP relay agent. See DHCP/BOOTP Relay for EX-series Switches Overview on page 658.
Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure)
895
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: Replace values displayed in italics with values for your configuration. Specify DHCP option 82 for the BOOTP server:
1.
The remaining steps are optional. They show configurations for all interfaces; include the specific interface designation to configure any of the following options on a specific interface:
2.
To configure a prefix for the circuit ID suboption (the prefix is always the hostname of the switch):
[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 circuit-id prefix hostname
3.
To specify that the circuit ID suboption value contains the interface description rather than the interface name (the default):
[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 circuit-id use-interface-description
4.
To specify that the circuit ID suboption value contains the VLAN ID rather than the VLAN name (the default):
[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 circuit-id use-vlan-id
5.
To specify that the remote ID suboption is included in the DHCP option 82 information:
[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 remote-id
6.
To configure a prefix for the remote ID suboption (here, the prefix is the MAC address of the switch):
[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 remote-id prefix mac
896
Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure)
7.
To specify that the prefix for the remote ID suboption is the hostname of the switch rather than the MAC address of the switch (the default):
[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 remote-id prefix hostname
8.
To specify that the remote ID suboption value contains the interface description:
[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 remote-id use-interface-description
9.
10. To configure a vendor ID suboption and use the default value (the default value
is Juniper), do not type a character string after the vendor-id option keyword:
[edit forwarding-options helpers bootp] user@switch# set dhcp-option82 vendor-id
11. To specify that the vendor ID suboption value contains a character string value
To view results of the configuration steps before committing the configuration, type the show command at the user prompt. To commit these changes to the active configuration, type the commit command at the user prompt.
Related Topics
Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server on page 822 [edit forwarding options] Configuration Statement Hierarchy on page 921 Understanding DHCP Option 82 for Port Security on EX-series Switches on page 748 RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure)
897
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
On all VLANs:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan all arp-inspection
Related Topics
Enabling Dynamic ARP Inspection (J-Web Procedure) on page 898 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 840 Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 832 Verifying That DAI Is Working Correctly on page 912 Monitoring Port Security on page 909 Understanding DAI for Port Security on EX-series Switches on page 744
Select Configure>Security>Port Security. Select one or more VLANs from the VLAN list.
898
3. 4. 5.
Click the Edit button. If a message appears asking if you want to enable port security, click Yes. Select the Enable ARP Inspection on VLAN check box and then click OK. Click OK after the command has been successfully delivered.
NOTE: You can enable or disable port security on the switch at any time by clicking the Activate or Deactivate button on the Port Security Configuration page. If security status is shown as Disabled when you try to edit settings for any VLANs or interfaces (ports), the message asking if you want to enable port security appears.
Related Topics
Enabling Dynamic ARP Inspection (CLI Procedure) on page 898 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 840 Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 832 Verifying That DAI Is Working Correctly on page 912 Monitoring Port Security on page 909 Understanding DAI for Port Security on EX-series Switches on page 744
Maximum number of dynamic MAC addresses allowed per interfaceAs soon as the limit is reached, incoming packets with new MAC addresses are dropped. Specific allowed MAC addresses for the access interfaceAny MAC address that is not in the list of configured addresses is not learned.
You configure MAC limiting for each interface, not for each VLAN. In the default configuration, the limit for dynamically learned MAC addresses for each interface is 5 and the action that the switch will take if that limit is exceeded is none. To configure MAC limiting on a specific interface or on all interfaces, using the CLI:
1.
For limiting the number of dynamic MAC addresses, set a MAC limit of 5 with an action of drop if the limit is exceeded:
899
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
[edit ethernet-switching-options secure-access-port] user@switch# set interface ge0/0/1 mac-limit 5 action drop
On all interfaces:
[edit ethernet-switching-options secure-access-port] user@switch# set interface all maclimit 5 action drop
2.
On all interfaces:
[edit ethernet-switching-options secure-access-port] user@switch# set interface all allowed-mac 00:05:85:3A:82:80 user@switch# set interface all allowed-mac 00:05:85:3A:82:81 user@switch# set interface all allowed-mac 00:05:85:3A:82:83
Related Topics
Configuring MAC Limiting (J-Web Procedure) on page 901 Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 837 Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 815 Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 829 Verifying That MAC Limiting Is Working Correctly on page 913 Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure) on page 904 Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches on page 746
900
Maximum number of dynamic MAC addresses allowed per interfaceAs soon as the limit is reached, incoming packets with new MAC addresses are dropped. Specific allowed MAC addresses for the access interfaceAny MAC address that is not in the list of configured addresses is not learned.
You configure MAC limiting for each interface, not for each VLAN. In the default configuration, the limit for dynamically learned MAC addresses for each interface is 5 and the action that the switch will take if that limit is exceeded is none. To enable MAC limiting on one or more interfaces using the J-Web interface:
1. 2. 3. 4.
Select Configure>Security>Port Security. Select one or more interfaces from the Port list. Click the Edit button. If a message appears asking if you want to enable port security, click Yes. To set a dynamic MAC limit:
1. 2.
Type a limit value in the MAC Limit box. Select an action from the MAC Limit Action box. The switch takes this action when the limit is exceeded.
5.
Click Add. Type the allowed MAC address and click OK.
Click OK when you have finished setting MAC limits. Click OK after the command has been successfully delivered.
NOTE: You can enable or disable port security on the switch at any time by clicking the Activate or Deactivate button on the Port Security Configuration page. If security status is shown as Disabled when you try to edit settings for any VLANs or interfaces (ports), the message asking if you want to enable port security appears.
Related Topics
Configuring MAC Limiting (CLI Procedure) on page 899 Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 837
901
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 815 Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 829 Verifying That MAC Limiting Is Working Correctly on page 913 Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure) on page 904 Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches on page 746
On all VLANs:
[edit ethernet-switching-options secure-access-port] set vlan all macmove-limit 5 action drop
Related Topics
Configuring MAC Move Limiting (J-Web Procedure) on page 903 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Verifying That MAC Move Limiting Is Working Correctly on page 917 Monitoring Port Security on page 909 Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches on page 746
902
Select Configure>Security>Port Security. Select one or more VLANs from the VLAN list. Click the Edit button. If a message appears asking if you want to enable port security, click Yes. To set a MAC move limit:
1. 2.
Type a limit value in the MAC Movement box. Select an action from the MAC Movement Action box. The switch takes this action when the limit is exceeded. Click OK.
3. 5.
NOTE: You can enable or disable port security on the switch at any time by clicking the Activate or Deactivate button on the Port Security Configuration page. If security status is shown as Disabled when you try to edit settings for any VLANs or interfaces (ports), the message asking if you want to enable port security appears.
Related Topics
Configuring MAC Move Limiting (CLI Procedure) on page 902 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Verifying That MAC Move Limiting Is Working Correctly on page 917 Monitoring Port Security on page 909 Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches on page 746
903
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure)
If you set a MAC limit in your port security settings to apply to all interfaces on the EX-series switch, you can override that setting for a particular interface by specifying action none. To use the none action to override a MAC limit setting:
1.
2.
Then change the action for one interface (here, ge-0/0/2) with this command. You don't need to specify a limit value.
[edit ethernet-switching-options secure-access-port] user@switch# set interface ge0/0/2 mac-limit action none
Related Topics
Configuring MAC Limiting (CLI Procedure) on page 899 Configuring MAC Limiting (J-Web Procedure) on page 901 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Verifying That MAC Limiting Is Working Correctly on page 913
NOTE: IP source guard applies only to access interfaces and only to untrusted interfaces. If you enable IP source guard on a VLAN that includes trunk interfaces or an interface set to dhcp-trusted, the CLI shows an error when you try to commit the configuration. Before you configure IP source guard, be sure that you have: Enabled DHCP snooping on the VLAN or VLANs on which you will configure IP source guard. See Enabling DHCP Snooping (CLI Procedure) on page 889.
904
Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure)
To enable IP source guard on a VLAN, all VLANs, or a VLAN range (a series of tagged VLANs) by using the CLI:
NOTE: Replace values displayed in italics with values for your configuration. On a specific VLAN:
[edit ethernet-switching-options secure-access port] user@switch#set vlan default ip-source-guard
On all VLANs:
[edit ethernet-switching-options secure-access port] user@switch# set vlan all ip-source-guard
On a VLAN range:
a.
b.
Associate an interface with a VLAN-range number (100 in the following example) and set the port mode to access:
[edit interfaces] user@switch# set ge-0/0/6 unit 0 family ethernet-switching port-mode access vlan members 100
c.
NOTE: You can use the no-ip-source-guard statement to disable IP source guard for a specific VLAN after you have enabled the feature for all VLANs. To view results of the configuration steps before committing the configuration, type the show command at the user prompt. To commit these changes to the active configuration, type the commit command at the user prompt.
Related Topics
Verifying That IP Source Guard Is Working Correctly on page 918 Example: Configuring IP Source Guard on a Data VLANThat Shares an Interface with a Voice VLAN on page 848
905
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Example: Configuring IP Source Guard with Other EX-series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 855 Understanding IP Source Guard for Port Security on EX-series Switches on page 751
Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure)
You can add static (fixed) IP addresses and bind them to fixed MAC addresses in the DHCP snooping database. These bindings are labeled as static in the database, while those bindings that have been added through the process of DHCP snooping are labeled dynamic. To configure a static IP address/MAC address binding in the DHCP snooping database, by using the CLI:
NOTE: Replace values displayed in italics with values for your configuration.
[edit ethernet-switching-options secure-access port] user@switch#set interface ge-0/0/2 static-ip 10.0.10.12 vlan 00:05:85:3A:82:80
data-vlan
mac
To view results of the configuration steps before committing the configuration, type the show command at the user prompt. To commit these changes to the active configuration, type the commit command at the user prompt.
Related Topics
Verifying That DHCP Snooping Is Working Correctly on page 910 Understanding DHCP Snooping for Port Security on EX-series Switches on page 738
906
Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure)
Chapter 47
Verifying 802.1X Authentication on page 907 Monitoring 802.1X Authentication on page 908 Monitoring Port Security on page 909 Verifying That DHCP Snooping Is Working Correctly on page 910 Verifying That a Trusted DHCP Server Is Working Correctly on page 911 Verifying That DAI Is Working Correctly on page 912 Verifying That MAC Limiting Is Working Correctly on page 913 Verifying That MAC Move Limiting Is Working Correctly on page 917 Verifying That IP Source Guard Is Working Correctly on page 918
Verify that supplicants are being authenticated on an interface on an EX-series switch with the interface configured for 802.1X authentication, and display the method of authentication being used. Display detailed information about an interface configured for 802.1X (here, the interface is ge-0/0/16):
user@switch> show dot1x interface ge-0/0/16.0 detail ge-0/0/16.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Enabled Mac Radius Strict: Disabled Reauthentication: Enabled Reauthentication interval: 40 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 1 Guest VLAN member: <not configured> Number of connected supplicants: 1 Supplicant: user5, 00:30:48:8C:66:BD Operational state: Authenticated Authentication method: Radius Authenticated VLAN: v200 Reauthentication due in 17 seconds
Action
907
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Meaning
The sample output from the show dot1x interface detail command shows that the Number of connected supplicants is 1. The supplicant that was authenticated and is now connected to the LAN is known as user5 on the RADIUS server and has the MAC address 00:30:48:8C:66:BD. The supplicant was authenticated by means of the 802.1X authentication method called Radius authentication. When the Radius authentication method is used, the supplicant is configured on the RADIUS server, the RADIUS server communicates this to the switch, and the switch opens LAN access on the interface to which the supplicant is connected. The sample output also shows that the supplicant is connected to VLAN v200. Other 802.1X authentication methods supported on EX-series switches in addition to the RADIUS method are:
Guest VLANA nonresponsive host is granted Guest-VLAN access. MAC RadiusA nonresponsive host is authenticated based on its MAC address.
The MAC address is configured as permitted on the RADIUS server, the RADIUS server lets the switch know that the MAC address is a permitted address, and the switch opens LAN access to the nonresponsive host on the interface to which it is connected.
Server-fail denyIf the RADIUS servers time out, all supplicants are denied access
to the LAN, preventing traffic from flowing from the supplicant through the interface. This is the default.
permitted access to the LAN as if the supplicant had been successfully authenticated by the RADIUS server.
previously authenticated supplicants are granted access, but new supplicants are denied LAN access.
the RADIUS server is unavailable to reauthenticate the supplicant. (The VLAN must already exist on the switch.)
Related Topics
Configuring 802.1X Authentication (CLI Procedure) on page 866 Configuring 802.1X Authentication (J-Web Procedure) on page 868 Configuring MAC RADIUS Authentication (CLI Procedure) on page 871 Configuring Server Fail Fallback (CLI Procedure) on page 872
Use the monitoring feature to display details of authenticated users and users who have failed authentication. To display authentication details in the J-Web interface, select Monitoring > Security > 802.1X. To display authentication details in the CLI, enter the following commands:
Action
908
show dot1x interface detail | display xml show dot1x interface detail <interface> | display xml show dot1x auth-failed-users
Meaning
A list of authenticated users. The total number of users connected. A list of users who have failed authentication
You can also specify an interface for which the details must be displayed.
Related Topics
Configuring 802.1X Authentication (J-Web Procedure) on page 868 Configuring 802.1X Authentication (CLI Procedure) on page 866 Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779
DHCP snooping database for a VLAN or all VLANs ARP inspection details for all interfaces
Action
To monitor port security in the J-Web interface, select Monitor > Security > Port Security. To monitor and manipulate the DHCP snooping database and ARP inspection statistics in the CLI, enter the following commands:
show dhcp snooping binding clear dhcp snooping bindingIn addition to clearing the whole database, you can
Meaning
DHCP SnoopingDisplays the DHCP snooping database for all the VLANs for which DHCP snooping is enabled. To view the DHCP snooping database for a specific VLAN, select the specific VLAN from the list. ARP InspectionDisplays the ARP inspection details for all interfaces. The information includes details of the number of packets that passed ARP inspection and the number of packets that failed the inspection. The pie chart graphically represents these statistics when you select an interface. To view ARP inspection statistics for a specific interface, select the interface from the list.
909
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Clear ALLClears the DHCP snooping database, either for all VLANs if the option ALL has been selected in the Select VLANs list or for the specific VLAN that has been selected in that list. ClearDeletes a specific IP address from the DHCP snooping database.
To clear ARP statistics on the page, click Clear All in the ARP Statistics section. Use the CLI commands to show and clear DHCP snooping database and ARP inspection statistics details.
Related Topics
Configuring Port Security (CLI Procedure) on page 886 Configuring Port Security (J-Web Procedure) on page 887 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808
Verify that DHCP snooping is working on the switch and that the DHCP snooping database is correctly populated with both dynamic and static bindings. Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Display the DHCP snooping information when the interface on which the DHCP server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IP addresses and leases:
user@switch> show dhcp snooping binding DHCP Snooping Information: MAC address IP address Lease (seconds) Type 00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:27:32:88 192.0.2.17 192.0.2.18 192.0.2.19 192.0.2.20 192.0.2.21 192.0.2.22 600 653 720 932 1230 dynamic dynamic dynamic dynamic dynamic static
Action
Meaning
When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see preceding sample) shows, for each MAC address, the assigned IP address and lease timethat is, the time, in seconds, remaining before the lease expires. Static IP addresses have no assigned lease time. The statically configured entry never expires. If the DHCP server had been configured as untrusted, the output would look like this:
user@switch> show dhcp snooping binding
910
DHCP Snooping Information: MAC address IP address 00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:27:32:88 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 192.0.2.22
In the preceding output sample, IP addresses and lease times are not assigned to the dynamically learned bindings because the DHCP clients do not have a trusted server to which they can send requests. In the database, the clients' MAC addresses are shown with no assigned IP addresses (hence the 0.0.0.0 content in the IP Address column) and no leases (the lease time is shown as a dash in the Lease column).
Related Topics
Enabling DHCP Snooping (CLI Procedure) on page 889 Enabling DHCP Snooping (J-Web Procedure) on page 890 Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 906 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 840 Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 832 Monitoring Port Security on page 909 Troubleshooting Port Security
Verify that a DHCP trusted server is working on the switch. See what happens when the DHCP server is trusted and then untrusted. Send some DHCP requests from network devices (here they are DHCP clients) connected to the switch. Display the DHCP snooping information when the interface on which the DHCP server connects to the switch is trusted. The following output results when requests are sent from the MAC addresses and the server has provided the IP addresses and leases:
user@switch> show dhcp snooping binding DHCP Snooping Information: MAC Address IP Address Lease -----------------------------00:05:85:3A:82:77 192.0.2.17 600 00:05:85:3A:82:79 192.0.2.18 653
Action
911
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Meaning
When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see preceding sample) shows, for each MAC address, the assigned IP address and lease timethat is, the time, in seconds, remaining before the lease expires. If the DHCP server had been configured as untrusted, the output would look like this:
user@switch> show dhcp snooping binding DHCP Snooping Information: MAC Address IP Address Lease -------------------------- ----00:05:85:3A:82:77 0.0.0.0 00:05:85:3A:82:79 0.0.0.0 00:05:85:3A:82:80 0.0.0.0 00:05:85:3A:82:81 0.0.0.0 00:05:85:3A:82:83 0.0.0.0 00:05:85:27:32:88 0.0.0.0 -
In the preceding output sample, IP addresses and lease times are not assigned because the DHCP clients do not have a trusted server to which they can send requests. In the database, the clients' MAC addresses are shown with no assigned IP addresses (hence the 0.0.0.0 content in the IP Address column) and no leases (the lease time is shown as a dash in the Lease column).
Related Topics
Enabling a Trusted DHCP Server (CLI Procedure) on page 891 Enabling a Trusted DHCP Server (J-Web Procedure) on page 891 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 819 Monitoring Port Security on page 909 Troubleshooting Port Security
Verify that dynamic ARP inspection (DAI) is working on the switch. Send some ARP requests from network devices connected to the switch. Display the DAI information:
user@switch> show arp inspection statistics
912
ARP inspection statistics: Interface Packets received --------------- --------------ge-0/0/1.0 7 ge-0/0/2.0 10 ge-0/0/3.0 12
Meaning
The sample output shows the number of ARP packets received and inspected per interface, with a listing of how many packets passed and how many failed the inspection on each interface. The switch compares the ARP requests and replies against the entries in the DHCP snooping database. If a MAC address or IP address in the ARP packet does not match a valid entry in the database, the packet is dropped.
Related Topics
Enabling Dynamic ARP Inspection (CLI Procedure) on page 898 Enabling Dynamic ARP Inspection (J-Web Procedure) on page 898 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 840 Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 832 Monitoring Port Security on page 909
Maximum number of dynamic MAC addresses allowed per interfaceAs soon as the limit is reached, incoming packets with new MAC addresses are dropped. Specific allowed MAC addresses for the access interfaceAny MAC address that is not in the list of configured addresses is not learned.
To verify MAC limiting configurations: 1. Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly on page 913 2. Verifying That Allowed MAC Addresses Are Working Correctly on page 914 3. Verifying Results of Various Action Settings When the MAC Limit Is Exceeded on page 914 4. Customizing the Ethernet Switching Table Display to View Information for a Specific Interface on page 916
Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly
Purpose
Verify that MAC limiting for dynamic MAC addresses is working on the switch.
913
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Action
Display the MAC addresses that have been learned. The following sample output shows the results when two DHCP requests were sent from hosts on ge-0/0/1 and five DHCP requests were sent from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 4 with the action drop:
user@switch> show ethernet-switching table Ethernet-switching table: 7 entries, 6 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan * 00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:3A:82:85 Flood Learn Learn Learn Learn Learn Learn
Age 0 0 0 0 0 0
Meaning
The sample output shows that with a MAC limit of 4 for each interface, the DHCP request for a fifth MAC address on ge-0/0/2 was dropped because it exceeded the MAC limit. The address was not learned, and thus an asterisk (*) rather than an address appears in the MAC address column in the first line of the sample output.
Verify that allowed MAC addresses are working on the switch. Display the MAC cache information after allowed MAC addresses have been configured on an interface. The following sample shows the MAC cache after 5 allowed MAC addresses had been configured on interface ge/0/0/2. In this instance, the interface was also set to a dynamic MAC limit of 4 with action drop.
user@switch> show ethernet-switching table Ethernet-switching table: 5 entries, 4 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan 00:05:85:3A:82:80 00:05:85:3A:82:81 00:05:85:3A:82:83 00:05:85:3A:82:85 * Learn Learn Learn Learn Flood
Action
Age 0 0 0 0 -
Meaning
Because the MAC limit value for this interface had been set to 4, only four of the five configured allowed addresses were learned and thus added to the MAC cache. Because that fifth address was not learned, an asterisk (*) rather than an address appears in the MAC address column in the last line of the sample output.
Verifying Results of Various Action Settings When the MAC Limit Is Exceeded
Purpose
Verify the results provided by the various action settings for MAC limitsdrop, log, and shutdownwhen the limits are exceeded. Display the results of the various action settings.
Action
914
NOTE: You can view log messages by using the show log messages command. You can also have the log messages displayed by configuring the monitor start messages with the monitor start messages command.
drop actionFor MAC limiting configured with a drop action and with the MAC limit set to 5:
user@switch> show ethernet-switching table
Age
Interfaces
0 0 0 0 0
log actionFor MAC limiting configured with a log action and with MAC limit set to 5:
user@switch> show ethernet-switching table Ethernet-switching table: 74 entries, 73 learned VLAN MAC address Type
Age
Interfaces
0 0 0 0 0 0 0 0
Verifying Results of Various Action Settings When the MAC Limit Is Exceeded
915
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
shutdown actionFor MAC limiting configured with a shutdown action and with MAC limit set to 3:
user@switch> show ethernet-switching table Ethernet-switching table: 4 entries, 3 learned VLAN MAC address Type
Age
Interfaces
0 0 0
Meaning
For the drop action resultsThe sixth MAC address exceeded the MAC limit. The request packet for that address was dropped. Only five MAC addresses have been learned on ge-0/0/2. For the log action resultsThe sixth MAC address exceeded the MAC limit. No MAC addresses were blocked. For the shutdown action resultsThe fourth MAC address exceeded the MAC limit. The request packet for that address was dropped. Only three MAC addresses have been learned on ge-0/0/2. Data traffic on ge-0/0/2 is blocked.
NOTE: With action set to shutdown, the show ethernet-switching interfaces detail command shows the interface as blocked. If you set a MAC limit to apply to all interfaces on the switch, you can override that setting for a particular interface by specifying action none. See Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure) on page 904.
Customizing the Ethernet Switching Table Display to View Information for a Specific Interface
Purpose
You can use the show ethernet-switching table interface command to view information for a specific interface. For example, to view information for just the ge-0/0/2 interface, type:
user@switch> show ethernet-switching table interface ge-0/0/2.0
Action
Related Topics
Configuring MAC Limiting (CLI Procedure) on page 899 Configuring MAC Limiting (J-Web Procedure) on page 901 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808
916
Customizing the Ethernet Switching Table Display to View Information for a Specific Interface
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 837 Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 815 Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 829 Monitoring Port Security on page 909
Verify that MAC move limiting is working on the switch. Display the MAC addresses in the Ethernet switching table when MAC move limiting has been configured for a VLAN. The following sample shows results after two of the hosts on ge-0/0/2 sent DHCP requests after the MAC addresses for those hosts had moved to other interfaces more than five times in 1 second. The VLAN, employee-vlan, was set to a MAC move limit of 5 with the action drop:
user@switch> show ethernet-switching table
Action
Ethernet-switching table: 7 entries, 4 learned VLAN MAC address Type employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan employee-vlan 00:05:85:3A:82:77 00:05:85:3A:82:79 00:05:85:3A:82:80 00:05:85:3A:82:81 * * Learn Learn Learn Learn Flood Flood
Age 0 0 0 0 -
Meaning
The last two lines of the sample output show that DHCP requests for two hosts on ge-/0/0/2 were dropped when the hosts had been moved back and forth from the original interfaces more than five times in 1 second. The MAC addresses for those hosts were not learned.
NOTE: For descriptions of the results of the various action settingsdrop, log, and shutdownsee Verifying That MAC Limiting Is Working Correctly on page 913
Related Topics
Configuring MAC Move Limiting (CLI Procedure) on page 902 Configuring MAC Move Limiting (J-Web Procedure) on page 903 Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Monitoring Port Security on page 909
917
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Verify that IP source guard is enabled and is mitigating the effects of any source IP spoofing attacks on the EX-series switch. Display the IP source guard database.
user@switch> show ip-source-guard IP source guard information: Interface Tag IP Address MAC Address ge-0/0/12.0 ge-0/0/13.0 ge0/0/13.0 0 0 100 10.10.10.7 10.10.10.9 * 00:30:48:92:A5:9D 00:30:48:8D:01:3D *
Action
Meaning
The IP source guard database table contains the VLANs enabled for IP source guard, the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there are any, and the IP addresses and MAC addresses that are bound to one another. If a switch interface is associated with multiple VLANs and some of those VLANs are enabled for IP source guard and others are not, the VLANs that are not enabled for IP source guard have a star (*) in the IP Address and MAC Address fields. See the entry for the voice VLAN in the preceding sample output.
Related Topics
918
Chapter 48
[edit access] Configuration Statement Hierarchy on page 919 [edit ethernet-switching-options] Configuration Statement Hierarchy on page 919 [edit forwarding options] Configuration Statement Hierarchy on page 921 [edit protocols] Configuration Statement Hierarchy on page 922
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874
919
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
vlan (vlan-id | vlan-name); } egress { interface (all | interface-name); } output { interface interface-name; vlan (vlan-id | vlan-name); } } } bpdu-block { interface (all | [interface-name]); disable-timeout timeout; } dot1q-tunneling { ether-type (0x8100 | 0x88a8 | 0x9100]) } redundant-trunk-group { group-name name { interface interface-name <primary>; } } secure-access-port { interface (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted ); mac-limit limit action action; no-allowed-mac-log; static-ip ip-address { vlan vlan-name; mac mac-address; } } vlan (all | vlan-name) { (arp-inspection | no-arp-inspection ); dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix hostname | mac | none; use-interface-description; use-string string; } vendor-id [string]; } (examine-dhcp | no-examine-dhcp ); (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } }
920
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
storm-control { interface (all | interface-name) { level level; no-broadcast; no-unknown-unicast; } } traceoptions { file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>; flag flag <disable>; } unknown-unicast-forwarding { vlan (all | vlan-name) { interface interface-name; } } voip { interface (all | [interface-name | access-ports]) { vlan vlan-name ; forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>; } } }
Related Topics
Port Mirroring on EX-series Switches Overview on page 1269 Port Security for EX-series Switches Overview on page 734 Understanding 802.1X and VoIP on EX-series Switches on page 732 Understanding Redundant Trunk Links on EX-series Switches on page 401 Understanding Storm Control on EX-series Switches on page 403 Understanding 802.1X and VoIP on EX-series Switches on page 732 Understanding Q-in-Q Tunneling on EX-series Switches on page 404 Understanding Unknown Unicast Forwarding on EX-series Switches on page 405
921
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
vendor-id <string>; } interface { interface-name { dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix hostname | mac | none; use-interface-description; use-string string; } vendor-id <string>; } } } } }
Related Topics
Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server on page 822 Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 895 Understanding DHCP Option 82 for Port Security on EX-series Switches on page 748 For more information about the [edit forwarding-options] hierarchy and all its options, see the JUNOS Software Policy Framework Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos93/index.html.
922
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
interval seconds; } retries number; server-fail (deny | permit | use-cache | vlan-id | vlan-name); server-reject-vlan (vlan-id | vlan-name); server-timeout seconds; supplicant (single | single-secure | multiple); supplicant-timeout seconds; transmit-period seconds; } } gvrp { disable; interface (all | [interface-name]) { disable; } join-timer millseconds; leave-timer milliseconds; leaveall-timer milliseconds; } igmp-snooping { traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag (detail | disable | receive | send); } vlan (vlan-id | vlan-number { disable{ interface interface-name } immediate-leave; interface interface-name { multicast-router-interface; static { group ip-address; } } query-interval seconds; query-last-member-interval seconds; query-response-interval seconds; robust-count number; } } lldp { disable; advertisement-interval seconds; hold-multiplier number; interface (all | interface-name) { disable; } traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag (detail | disable | receive | send); }
923
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
transmit-delay seconds; } lldp-med { disable; fast-start number; interface (all | interface-name) { disable; location { elin number; civic-based { what number; country-code code; ca-type { number { ca-value value; } } } } } } mstp { disable; bpdu-block-on-edge; bridge-priority priority; configuration-name name; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds; max-hops hops; msti msti-id { vlan (vlan-id | vlan-name); interface interface-name { disable; cost cost; edge; mode mode; priority priority; } } revision-level revision-level; traceoptions {
924
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } } rstp { disable; bpdu-block-on-edge; bridge-priority priority; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds; } traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } stp { disable; bridge-priority priority; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds; } traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } } sflow {
925
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
collector { ip-address; udp-port port-number; } disable; interfaces interface-name { disable; polling-interval seconds; sample-rate number; } polling-interval seconds; sample-rate number; }
Related Topics
802.1X for EX-series Switches Overview on page 718 Example: Configure Automatic VLAN Administration Using GVRP on page 432 Understanding 802.1X MAC RADIUS Authentication on EX-series Switches on page 723 Understanding Server Fail Fallback and 802.1X Authentication on EX-series Switches on page 725 IGMP Snooping on EX-series Switches Overview on page 659 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728 Understanding MSTP for EX-series Switches on page 487 Understanding RSTP for EX-series Switches on page 486 Understanding STP for EX-series Switches on page 485 Understanding Using sFlow Technology for Network Monitoring on an EX-series Switch on page 1307
926
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
access
Syntax
access { profile profile-name { authentication-order [ldap radius | none]; accounting { order [radius | none]; stop-on-access-deny; stop-on-failure; } radius { accounting-server [server-addresses]; authentication-server [server-addresses]; } } } [edit]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure authentication, authorization, and accounting (AAA) services. The statements are explained separately.
Not enabled adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration.
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874
access
927
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
accounting
Syntax
accounting { order radius | none; stop-on-access-deny; stop-on-failure; } } [edit access profile profile-name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the authentication order for authentication, authorization, and accounting (AAA) services. Not enabled
noneUse no authentication for specified subscribers. radiusUse RADIUS authentication for specified subscribers.
Default Options
adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration.
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874 Understanding 802.1X and AAA Accounting on EX-series Switches on page 727
928
accounting
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
accounting-server
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the Remote Authentication Dial-In User Service (RADIUS) server for authentication. To configure multiple RADIUS servers, include multiple server addresses. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached. Not enabled
server-addresses One or more addresses of RADIUS authentication servers.
adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration.
show network-access aaa statistics authentication Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Understanding 802.1X and AAA Accounting on EX-series Switches on page 727
accounting-server
929
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
advertisement-interval
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. For switches configured for Link Layer Discovery Protocol, configure the frequency at which LLDP advertisements are sent. Disabled.
seconds(Optional) The number of seconds.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Configuring LLDP (CLI Procedure) on page 880 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
930
advertisement-interval
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
allowed-mac
Syntax
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify particular MAC addresses to be added to the MAC address cache. Allowed MAC addresses take precedence over dynamic MAC values that have been applied with the mac-limit statement.
mac-address-list One or more MAC addresses configured as allowed MAC addresses
Options
routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
mac-limit Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 837 Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 815 Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 829 Configuring MAC Limiting (CLI Procedure) on page 899 Configuring MAC Limiting (J-Web Procedure) on page 901
allowed-mac
931
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
arp-inspection
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Perform dynamic ARP inspection on all VLANs or on the specified VLAN.
Disabled. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 840 Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 832 Enabling Dynamic ARP Inspection (CLI Procedure) on page 898 Enabling Dynamic ARP Inspection (J-Web Procedure) on page 898
932
arp-inspection
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
authentication-order
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the order of authentication, authorization, and accounting (AAA) servers to use while sending authentication messages. Not enabled
ldapLightweight Directory Access Protocol. noneNo authentication for specified subscribers. radiusRemote Authentication Dial-In User Service authentication.
Default Options
adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration.
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874
authentication-order
933
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
authentication-profile-name
Syntax Hierarchy Level Release Information Description Default Options
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify the name of the access profile to be used for 802.1X authentication. No access profile is specified.
access-profile-name Name of the access profile. The access profile is configured at the [edit access profile] hierarchy level and contains the RADIUS server IP address
routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Configuring 802.1X Authentication (CLI Procedure) on page 866 Configuring 802.1X Authentication (J-Web Procedure) on page 868 Understanding 802.1X Authentication on EX-series Switches on page 719
934
authentication-profile-name
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
authentication-server
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the Remote Authentication Dial-In User Service (RADIUS) server for authentication. To configure multiple RADIUS servers, include multiple server addresses. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached. Not enabled
server-addresses Configure one or more RADIUS server addresses.
adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration.
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 show network-access aaa statistics authentication Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756
authentication-server
935
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
authenticator
Syntax
authenticator { authentication-profile-name access-profile-name; static { mac-address { vlan-assignment (vlan-id |vlan-name); interface interface-names; } } } [edit protocols dot1x]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure an authenticator for 802.1X authentication. The statements are explained separately.
No static MAC address or VLAN is configured. routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 770 Understanding 802.1X Static MAC on EX-series Switches on page 730
936
authenticator
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
ca-type
Syntax
ca-type { number { ca-value value; } } [edit protocols lldp-med interface (all | interface-name location civic-based)]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Link Layer Discovery Protocol Media Endpoint Device (LLDP-MED), configure the address elements. These elements are included in the location information to be advertised from the switch to the MED. This information is used during emergency calls to identify the location of the MED. For further information about the values that can be used to comprise the location,, refer to RFC 4776, Dynamic Host Configuration Protocol (DHCPv4 and DHCPv6) Option for Civic Addresses Configuration Information. A subset of those values is provided below. The ca-value statement is explained separately.
Default Options
Disabled.
valueCivic address elements that represent the civic or postal address. Values are:
0A code that specifies the language used to describe the location. 16The leading-street direction, such as N. 17A trailing street suffix, such as SW. 18A street suffix or type, such as Ave or Platz. 19A house number, such as 6450. 20A house-number suffix, such as A or 1/2. 21A landmark, such as Stanford University. 22Additional location information, such as South Wing. 23The name and occupant of a location, such as Carrillo's Holiday Market. 24A house-number suffix, such as 95684. 25A building structure, such as East Library.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
ca-type
937
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
ca-value
Syntax Hierarchy Level
ca-value value; [edit protocols lldp-med interface (all | interface-name ) location civic-based ca-type number]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Link Layer Discovery Protocol Media Endpoint Device (LLDP-MED), configure location information, such as street address and city, that is indexed by the ca-type code. This information is advertised from the switch to the MED and is used during emergency calls to identify the location of the MED. Disabled. valueSpecify a value that correlates to the ca-type. See ca-type for a list of codes and suggested values. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Default Options
show lldp Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Configuring LLDP-MED (CLI Procedure) on page 882
938
ca-value
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
circuit-id
Syntax
circuit-id { prefix hostname; use-interface-description; use-vlan-id; } [edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82] [edit forwarding-options helpers bootp dhcp-option82] [edit forwarding-options helpers bootp interface interface-name dhcp-option82]
Hierarchy Level
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure the circuit-id suboption (suboption 1) of DHCP option 82 (the DHCP relay agent information option) in DHCP packets destined for a DHCP server. This suboption identifies the circuit (interface and/or VLAN) on which the DHCP request arrived. The format of the circuit-id information for Gigabit Ethernet interfaces that use VLANs is interface-name:vlan-name . On a Layer 3 interface, the format is just interface-name. The remaining statements are explained separately.
Default
If DCHP option 82 is enabled on the switch, the circuit ID is supplied by default in the format interface-name:vlan-name or, on a Layer 3 interface, just interface-name . routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server on page 825 Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server on page 822 Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 892 Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 895 [edit forwarding options] Configuration Statement Hierarchy on page 921 RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
circuit-id
939
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
civic-based
Syntax
civic-based { what number; country-code code; ca-type { number { ca-value value; } } } [edit protocols lldp-med interface (all | interface-name) location]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), configure the geographic location to be advertised from the switch to the MED. This information is used during emergency calls to identify the location of the MED. The statements are explained separately.
Disabled. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Configuring LLDP-MED (CLI Procedure) on page 882
940
civic-based
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
country-code
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Link Layer Discovery Protocol Media Endpoint Device (LLDP-MED), configure the two-letter country code to include in the location information. Location information is advertised from the switch to the MED, and is used during emergency calls to identify the location of the MED. The country code is required when configuring LLDP-MED based on location. Disabled.
codeTwo-letter ISO 3166 country code in capital ASCII letters; for example, US or
Default Options
DE.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Configuring LLDP-MED (CLI Procedure) on page 882
country-code
941
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
dhcp-option82
Syntax
dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix hostname | mac | none; use-interface-description; use-string string; } vendor-id <string>; } [edit ethernet-switching-options secure-access-port vlan (all | vlan-name)] [edit forwarding-options helpers bootp] [edit forwarding-options helpers bootp interface interface-name]
Hierarchy Level
Statement introduced in JUNOS Release 9.3 for EX-series switches. When the switch receives a DHCP request from a DHCP client connected on one of the switch's interfaces, have the switch insert DHCP option 82 (also known as the DHCP relay agent information option) information in the DHCP request packet header before it forwards or relays the request to a DHCP server. The server uses the option 82 information, which provides details about the circuit and host the request came from, in formulating the reply; the server does not, however, make any changes to the option 82 information in the packet header. The switch receives the reply and then removes the DHCP option 82 information before forwarding the reply to the client. The remaining statements are explained separately.
Insertion of DHCP option 82 information is not enabled. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server on page 825 Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server on page 822 Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 892 Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 895 [edit forwarding options] Configuration Statement Hierarchy on page 921 RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
942
dhcp-option82
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
dhcp-trusted
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Allow DHCP responses from the specified interfaces (ports) or all interfaces.
Trusted for trunk ports, untrusted for access ports. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 819 Enabling a Trusted DHCP Server (CLI Procedure) on page 891 Enabling a Trusted DHCP Server (J-Web Procedure) on page 891
dhcp-trusted
943
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
disable
Syntax Hierarchy Level Release Information Description Default Required Privilege Level Related Topics
Statement introduced in JUNOS Release 9.0 for EX-series switches. Disable 802.1X authentication on a specified interface or all interfaces. 802.1X authentication is disabled on all interfaces. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show dot1x Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 766 Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 770 Configuring 802.1X Authentication (CLI Procedure) on page 866 Configuring 802.1X Authentication (J-Web Procedure) on page 868
944
disable
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
disable
Syntax Hierarchy Level
Statement introduced in JUNOS Release 9.0 for EX-series switches. Disable the LLDP configuration on the switch or on one or more interfaces. If you do not configure LLDP, it is disabled on the switch and on specific switch interfaces. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Configuring LLDP (CLI Procedure) on page 880 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
disable
Syntax Hierarchy Level
Statement introduced in JUNOS Release 9.0 for EX-series switches. Disable the LLDP-MED configuration on the switch or on one or more interfaces. If you do not configure LLDP-MED, it is disabled on the switch and on specific switch interfaces. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Configuring LLDP (CLI Procedure) on page 880 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
disable
945
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
dot1x
Syntax
dot1x { authenticator { authentication-profile-name access-profile-name; static { mac-address { vlan-assignment (vlan-id |vlan-name ); interface interface-names; } } interface (all | [ interface-names ]) { disable; guest-vlan (vlan-name | vlan-id); mac-radius <restrict>; maximum-requests number; no-reauthentication; quiet-period seconds; reauthentication { interval seconds; } retries number; server-fail (deny | permit | use-cache | vlan-id | vlan-name); server-reject-vlan (vlan-id | vlan-name); server-timeout seconds; supplicant (single | single-secure | multiple); supplicant-timeout seconds; transmit-period seconds; } } [edit protocols]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure 802.1X authentication for Port-Based Network Access Control. The remaining statements are explained separately.
802.1X is disabled. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show dot1x clear dot1x Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 766
946
dot1x
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 770 Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch and a RADIUS Server on page 775 Configuring MAC RADIUS Authentication (CLI Procedure) on page 871 Configuring Server Fail Fallback (CLI Procedure) on page 872
elin
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Link Layer Discovery Protocol Media Endpoint Device (LLDP-MED), configure the Emergency Line Identification Number (ELIN) as location information. Location information is advertised from the switch to the MED and is used during emergency calls to identify the location of the MED. Disabled.
numberConfigure a 10-digit number (area code and telephone number).
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Configuring LLDP-MED (CLI Procedure) on page 882
elin
947
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
ethernet-switching-options
Syntax
ethernet-switching-options { analyzer { name { loss-priority priority; ratio number; input { ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } egress { interface (all | interface-name); } output { interface interface-name; vlan (vlan-id | vlan-name); } } } bpdu-block { interface (all | [interface-name]); disable-timeout timeout; } dot1q-tunneling { ether-type (0x8100 | 0x88a8 | 0x9100) } redundant-trunk-group { group-name name { interface interface-name <primary>; interface interface-name; } } secure-access-port { interface (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted); mac-limit limit action action; no-allowed-mac-log; static-ip ip-address { vlan vlan-name; mac mac-address; } } vlan (all | vlan-name) { (arp-inspection | no-arp-inspection); dhcp-option82 { circuit-id { prefix hostname; use-interface-description;
948
ethernet-switching-options
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
use-vlan-id; } remote-id { prefix hostname | mac | none; use-interface-description; use-string string; } vendor-id [string]; } (examine-dhcp | no-examine-dhcp); (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } } storm-control { interface (all | interface-name) { level level; no-broadcast; no-unknown-unicast; } } traceoptions { file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>; flag flag <disable>; } unknown-unicast-forwarding { vlan (all | vlan-name) { interface interface-name; } } voip { interface (all | [interface-name | access-ports]) { vlan vlan-name ; forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>; } } }
Hierarchy Level Release Information
[edit]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Support for storm control and BPDU protection added in JUNOS Release 9.1 for EX-series switches. Options static-ip and ip-source-guard added in JUNOS Release 9.2 for EX-series switches. Options dhcp-option82, dot1q-tunneling, and no-allowed-mac-log added in JUNOS Release 9.3 for EX-series switches. Configure Ethernet switching options. The remaining statements are explained separately.
Description
ethernet-switching-options
949
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 487 Port Mirroring on EX-series Switches Overview on page 1269 Port Security for EX-series Switches Overview on page 734 Understanding Redundant Trunk Links on EX-series Switches on page 401 Understanding Storm Control on EX-series Switches on page 403 Understanding 802.1X and VoIP on EX-series Switches on page 732 Understanding Q-in-Q Tunneling on EX-series Switches on page 404 Understanding Unknown Unicast Forwarding on EX-series Switches on page 405
examine-dhcp
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Enable DHCP snooping on all VLANs or on the specified VLAN.
Disabled. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 840 Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 832 Enabling DHCP Snooping (CLI Procedure) on page 889 Enabling DHCP Snooping (J-Web Procedure) on page 890
950
examine-dhcp
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
fast-start
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the frequency at which Link Layer Discovery Protocol Media Endpoint (LLDP-MED) advertisements are sent from the switch in the first second after it has detected an LLDP-MED device (such as an IP telephone).
count secondsNumber of advertisements.
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Configuring LLDP-MED (CLI Procedure) on page 882 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
fast-start
951
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
forwarding-class
Syntax
forwarding-class < assured-forwarding | best-effort | expedited-forwarding |network-control >; [edit ethernet-switching-options voip interface <all | interface-name | access-ports]> vlan (vlan-id | vlan-name | untagged)]
Hierarchy Level
Statement introduced in JUNOS Release 9.0 for EX-series switches. For EX-series switches, configure the forwarding class used to handle packets on the VoIP interface. Disabled. classForwarding class:
Default Options
can define and includes four subclasses: AF1, AF2, AF3, and AF4, each with three drop probabilities: low, medium, and high.
best-effortProvides no service profile. For the best effort forwarding class, loss
priority is typically not carried in a class-of-service (CoS) value, and random early detection (RED) drop profiles are more aggressive.
control.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Example: Configuring VoIP on an EX-series Switch Without Including 802.1X Authentication on page 792 Example: Configuring VoIP on an EX-series Switch Without Including LLDP-MED Support on page 798
952
forwarding-class
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
guest-vlan
Syntax Hierarchy Level Release Information Description
guest-vlan (vlan-id | vlan-name); [edit protocols dot1x authenticator interface (all | [interface-names ])]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify the VLAN to which an interface is moved when no 802.1X supplicants are connected on the interface. The VLAN specified must already exist on the switch. None
vlan-id VLAN tag identifier of the guest VLAN. vlan-name Name of the guest VLAN.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 766 Understanding Guest VLANs for 802.1X on EX-series Switches on page 726
guest-vlan
953
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
hold-multiplier
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify the multiplier used in combination with the advertisement-interval value to determine the length of time LLDP information is held before it is discarded. The default value is 4 (or 120 seconds). Disabled.
numberA number used as a multiplier.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Configuring LLDP (CLI Procedure) on page 880 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
954
hold-multiplier
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
interface
Syntax
interface (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted); mac-limit limit action action; no-allowed-mac-log; static-ip ip-address { vlan vlan-name; mac mac-address; } } [edit ethernet-switching-options secure-access-port]
Statement introduced in JUNOS Release 9.0 for EX-series switches. static-ip introduced in JUNOS Release 9.2 for EX-series switches. no-allowed-mac-log introduced in JUNOS Release 9.3 for EX-series switches. Apply port security features to all interfaces or to the specified interface. The statements are explained separately.
Description
Options
allApply port security features to all interfaces. interface-name Apply port security features to the specified interface.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 837 Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 815 Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 829 Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 819 Configuring MAC Limiting (CLI Procedure) on page 899 Enabling a Trusted DHCP Server (CLI Procedure) on page 891 Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 906
interface
955
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
interface
Syntax
interface (all | interface-name) { disable; location { elin number; civic-based { what number; country-code code; ca-type { number { ca-value value; } } } } } [edit protocols lldp-med]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED) on all interfaces or on a specific interface. Not enabled
allAll interfaces on the switch. interface-nameName of a specific interface.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Configuring LLDP-MED (CLI Procedure) on page 882 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
956
interface
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
interface
Syntax
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure Link Layer Discovery Protocol (LLDP) on all interfaces or on a specific interface. None
allAll interfaces on the switch. interface-nameName of a specific interface.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Configuring LLDP (CLI Procedure) on page 880 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
interface
957
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
interface
Syntax
interface (all | [interface-name] | access-ports) { vlan vlan-name ); forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>; } [edit ethernet-switching-options voip]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Enable voice over IP (VoIP) for all interfaces or specific interfaces.
all | interface-name | access-portsEnable VoIP on all interfaces, on a specific
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Example: Configuring VoIP on an EX-series Switch Without Including 802.1X Authentication on page 792 Example: Configuring VoIP on an EX-series Switch Without Including LLDP-MED Support on page 798
958
interface
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
interface
Syntax
interface (all | [ interface-names ]) { disable; guest-vlan (vlan-name | vlan-id); mac-radius <restrict>; maximum-requests number; no-reauthentication; quiet-period seconds; reauthentication { interval seconds; } retries number; server-fail (deny | permit | use-cache | vlan-id | vlan-name); server-reject-vlan (vlan-id | vlan-name); server-timeout seconds; supplicant (single | single-secure | multiple); supplicant-timeout seconds; transmit-period seconds; } [edit protocols dot1x authenticator]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure 802.1X authentication for Port-Based Network Access Control for all interfaces or for specific interfaces.
allConfigure all interfaces for 802.1X authentication.
Options
[ interface-names ] List of names of interfaces to configure for 802.1X authentication. The remaining statements are explained separately.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show dot1x Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 766 Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 770 Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch and a RADIUS Server on page 775 Configuring 802.1X Authentication (CLI Procedure) on page 866
interface
959
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configuring 802.1X Authentication (J-Web Procedure) on page 868 Configuring MAC RADIUS Authentication (CLI Procedure) on page 871
interface
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. For MAC addresses that are on the static MAC list and excluded from 802.1X authentication, configure a list of interfaces from which this MAC address is allowed to connect to the LAN. If it is detected on any other interface, the authentication is not bypassed.
interface-names A list of interfaces from which this MAC address is allowed to
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show dot1x static-mac-address vlan-assignment show dot1x static-mac-address Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 770 Configuring 802.1X Authentication (CLI Procedure) on page 866 Configuring 802.1X Authentication (J-Web Procedure) on page 868 Understanding 802.1X Static MAC on EX-series Switches on page 730
960
interface
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
ip-source-guard
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.2 for EX-series switches. Perform IP source guard checking on packets sent from access interfaces. Validate source IP addresses and source MAC addresses on all VLANs or on the specified VLAN or VLAN range. Forward packets with valid addresses and drop those with invalid addresses.
Disabled. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring IP Source Guard on a Data VLANThat Shares an Interface with a Voice VLAN on page 848 Example: Configuring IP Source Guard with Other EX-series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 855 Configuring IP Source Guard (CLI Procedure) on page 904
ip-source-guard
961
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
lldp
Syntax
lldp { disable; advertisement-interval seconds; fast-start number; hold-multiplier number; interface (all | [interface-name]) { disable; } traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag (detail | disable | receive | send); } transmit-delay seconds; } [edit protocols]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure Link Layer Discovery Protocol (LLDP). The switch uses LLDP to advertise its identity and capabilities on a LAN, as well as receive information about other network devices. LLDP is defined in the IEEE standard 802.1AB-2005. The statements are explained separately.
LLDP is enabled. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Configuring LLDP-MED (CLI Procedure) on page 882 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
962
lldp
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
lldp-med
Syntax
lldp-med { disable;
fast-start number;
interface (all | interface-name) { disable; location { elin number; civic-based { what number; country-code code; ca-type { number { ca-value value; } } } } } }
Hierarchy Level Release Information Description
[edit protocols]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure Link Layer Discovery Protocol Media Endpoint Discovery. LLDP-MED is an extension of LLDP. The switch uses LLDP-MED to support device discovery of VoIP telephones and to create location databases for these telephone locations for emergency services. LLDP-MED is defined in the standard ANSI/TIA-1057 by the Telecommunications Industry Association (TIA). The statements are explained separately.
Disabled. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Configuring LLDP-MED (CLI Procedure) on page 882
lldp-med
963
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
location
Syntax
location { elin number; civic-based { what number; country-code code; ca-type{ number { ca-value value; } } } } [edit protocols lldp-med interface (all | interface-name)]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), configure the location information. Location information is advertised from the switch to the MED. This information is used during emergency calls to identify the location of the MED. The statements are explained separately.
Disabled. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Configuring LLDP-MED (CLI Procedure) on page 882
964
location
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
mac
Syntax Hierarchy Level
mac mac-address; [edit ethernet-switching-options secure-access-port interface (all | interface-name) static-ip ip-address vlan vlan-name]
Statement introduced in JUNOS Release 9.2 for EX-series switches. Media access control (MAC) address, or hardware address, for the device connected to the specified interface.
mac-address Value (in hexadecimal format) for address assigned to this device.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 906
mac
965
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
mac-limit
Syntax Hierarchy Level Release Information Description
mac-limit limit action action; [edit ethernet-switching-options secure-access-port interface (all | interface-name)]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Number of MAC addresses to dynamically add to the MAC address cache for this interface (port) and action to be taken by the switch if the MAC address learning limit is reached on the interface (port). The default limit is 5 MAC addresses for each interface (port). The default action is no action (none).
limitMaximum number of MAC addresses. action actionAction to take when the MAC address limit is reached:
Default
Options
noneNo action. This is the default. dropDrop the packet and generate an alarm, an SNMP trap, or a system log
entry .
logDo not drop the packet but generate an alarm, an SNMP trap, or a system
log entry.
routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
allowed-mac Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 837 Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 815 Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 829 Configuring MAC Limiting (CLI Procedure) on page 899 Configuring MAC Limiting (J-Web Procedure) on page 901
966
mac-limit
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
mac-move-limit
Syntax Hierarchy Level Release Information Description
mac-move-limit limit action action; [edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Number of times a MAC address can move to a new interface (port) in 1 second, and the action to be taken by the switch if the MAC address move limit is reached. The default move limit is unlimited. The default action is no action (none).
limitMaximum number of moves to a new interface per second. action actionAction to take when the MAC address move limit is reached:
Default Options
noneNo action. This is the default. dropDrop the packet and generate an alarm, an SNMP trap, or a system log
entry.
logDo not drop the packet but generate an alarm, an SNMP trap, or a system
log entry.
routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
mac-limit Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Configuring MAC Move Limiting (CLI Procedure) on page 902 Configuring MAC Move Limiting (J-Web Procedure) on page 903
mac-move-limit
967
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
mac-radius
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure 802.1X MAC RADIUS authentication for specific interfaces. MAC RADIUS authentication allows LAN access to permitted MAC addresses. When a new MAC address appears on an interface, the switch consults the RADIUS server to check whether the MAC address is a permitted address. If the MAC address is configured on the RADIUS server, the device is allowed access to the LAN. You can configure other 802.1X authentication methods on a single interface except when the optional keyword restrict is configured for MAC RADIUS. In restrictive mode, all 802.1X packets are eliminated, and the attached device on the interface is considered a nonresponsive host.
Options
determine if the device connected to an interface is a responsive host (802.1X-enabled) or a nonresponsive host.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show dot1x Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch and a RADIUS Server on page 775 Configuring MAC RADIUS Authentication (CLI Procedure) on page 871 Configuring 802.1X Authentication (CLI Procedure) on page 866 Configuring 802.1X Authentication (J-Web Procedure) on page 868 Understanding 802.1X MAC RADIUS Authentication on EX-series Switches on page 723
968
mac-radius
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
maximum-requests
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. For 802.1X authentication, configure the maximum number of times an EAPOL request packet is retransmitted to the supplicant before the authentication session times out. Two retransmission attempts
number Number of retransmission attempts.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Configuring 802.1X Authentication (CLI Procedure) on page 866 Configuring 802.1X Authentication (J-Web Procedure) on page 868
maximum-requests
969
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
no-allowed-mac-log
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.3 for EX-series switches. Specify that the switch is to create log messages when it receives packets from invalid MAC addresses on an interface that has been configured for particular (allowed) MAC addresses. Disabled. routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
allowed-mac Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 837 Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 829 Configuring MAC Limiting (CLI Procedure) on page 899 Configuring MAC Limiting (J-Web Procedure) on page 901
no-reauthentication
Syntax Hierarchy Level Release Information Description Default Required Privilege Level Related Topics
Statement introduced in JUNOS Release 9.0 for EX-series switches. For 802.1X authentication, disables reauthentication. Not disabled routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Configuring 802.1X Authentication (CLI Procedure) on page 866 Configuring 802.1X Authentication (J-Web Procedure) on page 868 Understanding 802.1X Authentication on EX-series Switches on page 719
970
no-allowed-mac-log
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
order
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the order of authentication, authorization, and accounting (AAA) servers to use while sending accounting messages and updates. Not enabled
noneNo accounting for specified subscribers. radiusRemote Authentication Dial-In User Service accounting for specified
Default Options
subscribers.
[ radius | none ] Use multiple types of accounting in the order specified. RADIUS
accounting is initially used. However, if RADIUS servers are not available, no accounting is done.
Required Privilege Level Related Topics
adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration.
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874
order
971
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
prefix
Syntax Hierarchy Level
prefix hostname; [edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82 circuit-id] [edit forwarding-options helpers bootp dhcp-option82 circuit-id] [edit forwarding-options helpers bootp interface interface-name dhcp-option82 circuit-id]
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure an optional prefix for the circuit ID suboption in the DHCP option 82 information that is inserted by the switch into the packet header of a DHCP request before it forwards or relays the request to a DHCP server. If prefix is not explicitly specified, no prefix is appended to the circuit ID. When prefix is specified, it is specified as prefix hostname (and the value is the hostname of the switch).
hostnameName of the host system (the switch) that is forwarding or relaying the
Default
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server on page 825 Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server on page 822 Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 892 Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 895 [edit forwarding options] Configuration Statement Hierarchy on page 921 RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
972
prefix
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
prefix
Syntax Hierarchy Level
prefix hostname | mac | none; [edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82 remote-id] [edit forwarding-options helpers bootp dhcp-option82 remote-id] [edit forwarding-options helpers bootp interface interface-name dhcp-option82 remote-id]
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure an optional prefix for the remote ID suboption in the DHCP option 82 information that is inserted by the switch into the packet header of a DHCP request before it forwards or relays the request to a DHCP server. If prefix is not explicitly specified, no prefix is appended to the remote ID.
hostnameName of the host system (the switch) that is forwarding or relaying the
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server on page 825 Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server on page 822 Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 892 Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 895 [edit forwarding options] Configuration Statement Hierarchy on page 921 RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
prefix
973
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
profile
Syntax
profile profile-name { accounting { order [radius | none]; stop-on-access-deny; stop-on-failure; } authentication-order [authentication-method]; radius { accounting-server [server-addresses]; authentication-server [server-addresses]; } } [edit access]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure an access profile. The access profile contains the entire authentication, authorization, and accounting (AAA) configuration that aids in handling AAA requests, including the authentication method and order, AAA server addresses, and AAA accounting. Not enabled
profile-name Profile name of up to 32 characters.
Default Options
adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration.
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874
974
profile
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
quiet-period
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. For 802.1X authentication, configure the number of seconds the interface remains in the wait state following a failed authentication attempt by a supplicant before reattempting authentication. 60 seconds
seconds Number of seconds the interface remains in the wait state.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show network-access aaa statistics authentication Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756
quiet-period
975
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
radius
Syntax
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the Remote Authentication Dial-In User Service (RADIUS) servers for authentication and for accounting. To configure multiple RADIUS servers, include multiple radiusstatements. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached. The statements are explained separately.
adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration.
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874 Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on page 875 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874
976
radius
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
reauthentication
Syntax
reauthentication { interval seconds; } [edit protocols dot1x authenticator interface (all | [interface-names])]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For 802.1X authentication, specify reauthentication parameters. 3600 seconds.
disableDisables the periodic reauthentication of the supplicant. interval seconds Sets the periodic reauthentication time interval. The range is 1
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Configuring 802.1X Authentication (CLI Procedure) on page 866 Configuring 802.1X Authentication (J-Web Procedure) on page 868 Understanding 802.1X Authentication on EX-series Switches on page 719
reauthentication
977
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
remote-id
Syntax
remote-id { prefix hostname | mac | none; use-interface-description; use-string string; } [edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82] [edit forwarding-options helpers bootp dhcp-option82] [edit forwarding-options helpers bootp interface interface-name dhcp-option82]
Hierarchy Level
Statement introduced in JUNOS Release 9.3 for EX-series switches. Insert the remote-id suboption of DHCP option 82 (also known as the DHCP relay agent information option) in DHCP request packet headers before forwarding or relaying requests to a DHCP server. This suboption provides a trusted identifier for the host system that has forwarded or relayed requests to the server. The remaining statements are explained separately.
Default
If remote-id is not explicitly set, no remote ID value is inserted in the DHCP request packet header. If the remote-id option is specified but is not qualified by a keyword, the MAC address of the host device (the switch) is used as the remote ID. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server on page 825 Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server on page 822 Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 892 Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 895 [edit forwarding options] Configuration Statement Hierarchy on page 921 RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
978
remote-id
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
retries
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. For 802.1X authentication, configure the number of times the switch attempts to authenticate the port after an initial failure. The port remains in a wait state during the quiet period after the authentication attempt. 3 retries
number Number of retries.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Configuring 802.1X Authentication (CLI Procedure) on page 866 Configuring 802.1X Authentication (J-Web Procedure) on page 868 Understanding 802.1X Authentication on EX-series Switches on page 719
retries
979
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
secure-access-port
Syntax
secure-access-port { interface (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted); mac-limit limit action action; no-allowed-mac-log; static-ip ip-address { vlan vlan-name; mac mac-address; } } vlan (all | vlan-name) { (arp-inspection | no-arp-inspection); dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix hostname | mac | none; use-interface-description; use-string string; } vendor-id <string>; } (examine-dhcp | no-examine-dhcp); (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } } [edit ethernet-switching-options]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Options static-ip and ip-source-guard introduced in JUNOS Release 9.2 for EX-series switches. Options dhcp-option82 and no-allowed-mac-log introduced in JUNOS Release 9.3 for EX-series switches. Configure port security features, including MAC limiting and whether interfaces can receive DHCP responses, and apply dynamic ARP inspection, DHCP snooping, IP source guard, DHCP option 82, and MAC move limiting to no VLANs, specific VLANs, or all VLANs. The remaining statements are explained separately.
Description
980
secure-access-port
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 840 Example: Configuring IP Source Guard on a Data VLANThat Shares an Interface with a Voice VLAN on page 848 Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server on page 825 Understanding How to Protect Access Ports on EX-series Switches from Common Attacks on page 736
secure-access-port
981
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
server-fail
Syntax Hierarchy Level Release Information Description
server-fail (deny | permit | use-cache | vlan-id | vlan-name); [edit protocols dot1x authenticator interface (all | [interface-names])]
Statement introduced in JUNOS Release 9.3 for EX-series switches. For EX-series switches configured for 802.1X authentication, specify the server fail fallback action the switch takes when all RADIUS authentication servers are unreachable. When you specify the action vlan-name or vlan-id, the VLAN must already be configured on the switch.
Default Options
Authentication is denied.
denyForce fail the supplicant authentication. No traffic will flow through the
interface.
permitForce succeed the supplicant authentication. Traffic will flow through the
authenticated successfully. This action ensures that already authenticated supplicants are not affected.
vlan-idMove supplicant on the interface to the VLAN specified by this numeric
identifier. This action is allowed only if it is the first supplicant connecting to the interface. If an authenticated supplicant is already connected, then the supplicant is not moved to the VLAN and is not authenticated.
vlan-nameMove supplicant on the interface to the VLAN specified by this name.
This action is allowed only if it is the first supplicant connecting to an interface. If an authenticated supplicant is already connected, then the supplicant is not moved to the VLAN and is not authenticated.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show dot1x Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX-series Switch on page 761 Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Configuring Server Fail Fallback (CLI Procedure) on page 872 Understanding Server Fail Fallback and 802.1X Authentication on EX-series Switches on page 725
982
server-fail
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
server-reject-vlan
Syntax Hierarchy Level Release Information Description
server-reject-vlan (vlan-id | vlan-name); [edit protocols dot1x authenticator interface (all | [interface-names])]
Statement introduced in JUNOS Release 9.3 for EX-series switches. For EX-series switches configured for 802.1X authentication, specify that when the switch receives an Extensible Authentication Protocol Over LAN (EAPOL) Access-Reject message during the authentication process between the switch and the RADIUS authentication server, supplicants attempting access to the LAN are granted access and moved to a specific VLAN. Any VLAN name or VLAN ID sent by a RADIUS server as part of the EAPOL Access-Reject message is ignored. When you specify the VLAN ID or VLAN name, the VLAN must already be configured on the switch.
Default Options
None
vlan-id Numeric identifier of the VLAN to which the supplicant is moved. vlan-nameName of the VLAN to which the supplicant is moved.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show dot1x Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Configuring Server Fail Fallback (CLI Procedure) on page 872 Understanding Server Fail Fallback and 802.1X Authentication on EX-series Switches on page 725
server-reject-vlan
983
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
server-timeout
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. For 802.1X authentication, configure the amount of time a port will wait for a reply when relaying a response from the supplicant to the authentication server before timing out and invoking the server-fail action. 30 seconds
seconds Number of seconds.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show dot1x clear dot1x Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 802.1X for EX-series Switches Overview on page 718
984
server-timeout
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
static
Syntax
static { mac-address { vlan-assignment (vlan-id |vlan-name ); interface interface-names; } } [edit protocols dot1x authenticator authentication-profile-name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure MAC addresses to exclude from 802.1X authentication. The static MAC list provides an authentication bypass mechanism for supplicants connecting to a port, permitting devices such as printers that are not 802.1X-enabled to be connected to the network on 802.1X-enabled ports. Using this 802.1X authentication-bypass mechanism, the supplicant connected to the MAC address is assumed to be successfully authenticated and the port is opened for it. No further authentication is done for the supplicant. You can optionally configure the VLAN that the supplicant is moved to or the interfaces on which the MAC address can gain access from.
Options
mac-address The MAC address of the device for which 802.1X authentication should
be bypassed and the device permitted access to the port. The remaining statements are explained separately.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show dot1x static-mac-address Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 770 Configuring 802.1X Authentication (CLI Procedure) on page 866 Configuring 802.1X Authentication (J-Web Procedure) on page 868 Understanding 802.1X Static MAC on EX-series Switches on page 730
static
985
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
static-ip
Syntax
static-ip ip-address { vlan vlan-name; mac mac-address; } [edit ethernet-switching-options secure-access-port interface (all|interface-name)]
Statement introduced in JUNOS Release 9.2 for EX-series switches. Static (fixed) IP address and static MAC address, with an associated VLAN, added to the DHCP snooping database.
ip-address IP address assigned to a device connected on the specified interface.
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 906
stop-on-access-deny
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configures the authentication order for authentication, authorization, and accounting (AAA) services to send an Acct-Stop message if the AAA server denies access to a supplicant. Not enabled adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration.
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874 show network-access aaa statistics authentication
986
static-ip
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
stop-on-failure
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure authentication order for authentication, authorization, and accounting (AAA) services to send an Acct-Stop message if a supplicant fails AAA authorization, but the RADIUS server grants access. For example, a supplicant might fail AAA authentication due to an internal error such as a timeout. Not enabled adminTo view this statement in the configuration. admin-controlTo add this statement to the configuration.
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874, Understanding 802.1X and AAA Accounting on EX-series Switches on page 727,
stop-on-failure
987
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
supplicant
Syntax Hierarchy Level Release Information Description Default Options
supplicant (single | single-secure | multiple); [edit protocols dot1x authenticator interface (all | [interface-name])
Statement introduced in JUNOS Release 9.0 for EX-series switches. For 802.1X authentication, configure the method used to authenticate supplicants. Single.
singleAuthenticates only the first supplicant that connects to an authenticator port.
All other supplicants connecting to the authenticator port after the first supplicant, regardless if they are 802.1X-enabled or not, are permitted free access to the port without further authentication. If the first authenticated supplicant logs out, all other supplicants are locked out until a supplicant authenticates again.
single-secureAuthenticates only one supplicant to connect to an authenticator port.
No other supplicants can connect to the authenticator port until the first supplicant logs out.
multipleAuthenticates multiple supplicants individually on one authenticator port.
You can configure the number of supplicants per port. If you configure a maximum number of devices that can be connected to a port through port security settings, the lower of the configured values is used to determine the maximum number of supplicants allowed per port.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
supplicant-timeout Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Understanding 802.1X Authentication on EX-series Switches on page 719
988
supplicant
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
supplicant-timeout
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. For 802.1X authentication, configure how long the port waits for a response when relaying a request from the authentication server to the supplicant before resending the request. 30 seconds
seconds Number of seconds.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
supplicant Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Understanding 802.1X Authentication on EX-series Switches on page 719
supplicant-timeout
989
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
traceoptions
Syntax
traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag ; } [edit protocols dot1x]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Define tracing operations for the 802.1X protocol. Tracing operations are disabled.
file filenameName of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log. file number(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum xk to specify KB, xm to specify MB, or xg to
specify gigabytes number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the sizeoption. Range: 2 through 1000 Default: 3 files
flag flagTracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. You can include the following flags:
allAll tracing operations. config-internalTrace internal configuration operations. generalTrace general operations. normalTrace normal operations. parseTrace reading of the configuration. regex-parseTrace regular-expression parsing operations. stateTrace protocol state changes. taskTrace protocol task operations. timerTrace protocol timer operations.
match regex(Optional) Refine the output to include lines that contain the regular
expression.
no-world-readable(Optional) Restricted file access to the user who created the file.
990
traceoptions
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
size size(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number
of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify gigabyte Range: 10 KB through 1gigabyte Default: 128 KB
world-readable(Optional) Enable unrestricted file access.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Configuring 802.1X Authentication (CLI Procedure) on page 866 802.1X for EX-series Switches Overview on page 718
traceoptions
991
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
traceoptions
Syntax
traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag (detail | disable | receive | send); } [edit protocols lldp]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Define tracing operations for the LLDP protocol. Tracing operations are disabled.
file filenameName of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log. files number(Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum xk to specify KB, xm to specify MB, or xg to specify
GB number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option. Range: 2 through 1000 Default: 3 files
flag flagTracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. You can include the following flags:
allAll tracing operations. configTrace configuration operations. packetTrace packet events. rtsockTrace routing socket operations.
match regex(Optional) Refine the output to include lines that contain the regular
expression.
no-world-readable(Optional) Restrict file access to the user who created the file. size size(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum
number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify GB Range: 10 KB through 1 GB
992
traceoptions
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
Default: 128 KB
world-readable(Optional) Enable unrestricted file access.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Configuring LLDP-MED (CLI Procedure) on page 882 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
traceoptions
993
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
traceoptions
Syntax
traceoptions { file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>; flag flag <disable>; } [edit ethernet-switching-options]
Statement introduced in JUNOS Release 9.2 for EX-series switches. Define global tracing operations for access security features on Ethernet switches. The traceoptions feature is disabled by default.
disable(Optional) Disable the tracing operation. You can use this option to disable
a single operation when you have defined a broad group of tracing operations, such as all.
file filename Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log. files number (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached ( xk to specify KB, xm to specify MB, or xg to specify gigabytes), at which point the oldest trace
file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option. Range: 2 through 1000 Default: 3 files
flag flag Tracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. You can include the following flags:
access-securityTrace access security events. allAll tracing operations. config-internalsTrace internal configuration operations. forwarding-databaseTrace forwarding database and next-hop events. generalTrace general events. interfaceTrace interface events. ip-source-guardTrace IP source guard events. krtTrace communications over routing sockets. libTrace library calls. normalTrace normal events. parseTrace reading of the configuration.
994
traceoptions
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
regex-parseTrace regular-expression parsing operations. rtgTrace redundant trunk group events. stateTrace state transitions. stpTrace spanning-tree events. taskTrace Ethernet-switching task processing. timerTrace Ethernet-switching timer processing. vlanTrace VLAN events.
Default: If you omit this option, timestamp information is placed at the beginning of each line of the tracing output.
no-world-readable(Optional) Restrict file access to the user who created the file. replace(Optional) Replace an existing trace file if there is one rather than appending
to it. Default: If you do not include this option, tracing output is appended to an existing trace file.
size size (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number
of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option. Syntax: xk to specify KB, xm to specify MB, or xg to specify gigabytes Range: 10 KB through 1 gigabyte Default: 128 KB
world-readable(Optional) Enable unrestricted file access.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Port Security for EX-series Switches Overview on page 734 EX-series Switches Interfaces Overview on page 279 Understanding IP Source Guard for Port Security on EX-series Switches on page 751 Understanding Redundant Trunk Links on EX-series Switches on page 401 Understanding STP for EX-series Switches on page 485 Understanding Bridging and VLANs on EX-series Switches on page 395
traceoptions
995
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
transmit-delay
Syntax Hierarchy Level Release Information Description Default Options
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the delay between 2 successive LLDP advertisements. Disabled.
secondsNumber of seconds between two successive LLDP advertisements.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Configuring LLDP (CLI Procedure) on page 880 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
transmit-period
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. For 802.1X authentication, how long the port waits before retransmitting the initial EAPOL PDUs to the supplicant. 30 seconds secondsNumber of seconds the port waits before retransmitting the initial EAPOL PDUs to the supplicant. Range: 1 through 65,535 seconds Default: 30 seconds routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Default Options
Configuring 802.1X Authentication (CLI Procedure) on page 866 802.1X for EX-series Switches Overview on page 718
996
transmit-delay
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
use-interface-description
Syntax Hierarchy Level
use-interface-description; [edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82 circuit-id] [edit forwarding-options helpers bootp dhcp-option82 circuit-id] [edit forwarding-options helpers bootp interface interface-name dhcp-option82 circuit-id] [edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82 remote-id] [edit forwarding-options helpers bootp dhcp-option82 remote-id] [edit forwarding-options helpers bootp interface interface-name dhcp-option82 remote-id]
Statement introduced in JUNOS Release 9.3 for EX-series switches. Use the interface description rather than the interface name (the default) in the circuit ID or remote ID value in the DHCP option 82 information. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server on page 825 Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server on page 822 Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 892 Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 895 [edit forwarding options] Configuration Statement Hierarchy on page 921 RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
use-interface-description
997
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
use-string
Syntax Hierarchy Level
use-string string; [edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82 remote-id] [edit forwarding-options helpers bootp dhcp-option82 remote-id] [edit forwarding-options helpers bootp interface interface-name dhcp-option82 remote-id]
Statement introduced in JUNOS Release 9.3 for EX-series switches. Use a string rather than the MAC address of the host system (the default) in the remote ID value in the DHCP option 82 information.
string Character string used as the remote ID value.
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server on page 825 Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server on page 822 Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 892 Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 895 [edit forwarding options] Configuration Statement Hierarchy on page 921 RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
998
use-string
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
use-vlan-id
Syntax Release Information Description
use-vlan-id;
Statement introduced in JUNOS Release 9.3 for EX-series switches. Use the VLAN ID rather than the VLAN name (the default) in the circuit ID value in the DHCP option 82 information. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server on page 825 Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server on page 822 Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 892 Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 895 [edit forwarding options] Configuration Statement Hierarchy on page 921 RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
use-vlan-id
999
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
vendor-id
Syntax Hierarchy Level
vendor-id <string>; [edit ethernet-switching-options secure-access-port vlan (all | vlan-name) dhcp-option82] [edit forwarding-options helpers bootp dhcp-option82] [edit forwarding-options helpers bootp interface interface-name dhcp-option82]
Statement introduced in JUNOS Release 9.3 for EX-series switches. Insert a vendor ID in the DHCP option 82 information in a DHCP request packet header before forwarding or relaying the request to a DHCP server. If vendor-id is not explicitly configured for DHCP option 82, no vendor ID is set.
string (Optional) A single string that designates the vendor ID.
Default Options
Range: 1255 characters Default: If you specify vendor-id with no string value, the default vendor ID Juniper is configured.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server on page 825 Example: Setting Up DHCP Option 82 with an EX-series Switch as Relay Agent Between Clients and a DHCP Server on page 822 Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 892 Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 895 [edit forwarding options] Configuration Statement Hierarchy on page 921
1000
vendor-id
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
vlan
Syntax
vlan (all | vlan-name) { (arp-inspection | no-arp-inspection); dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix hostname | mac | none; use-interface-description; use-string string; } vendor-id <string>; } (examine-dhcp | no-examine-dhcp); (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } [edit ethernet-switching-options secure-access-port]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Option ip-source-guard introduced in JUNOS Release 9.2 for EX-series switches. Option dhcp-option82 introduced in JUNOS Release 9.3 for EX-series switches. Apply DHCP snooping, dynamic ARP inspection (DAI), IP source guard, DHCP option 82, and MAC move limiting. The remaining statements are explained separately.
Description
Options
allApply DHCP snooping, DAI, IP source guard, DHCP option 82, and MAC move
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Example: Configuring IP Source Guard with Other EX-series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 855 Example: Setting Up DHCP Option 82 on an EX-series Switch with No Relay Agent Between Clients and DHCP Server on page 825 Enabling Dynamic ARP Inspection (CLI Procedure) on page 898 Enabling DHCP Snooping (CLI Procedure) on page 889
vlan
1001
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configuring IP Source Guard (CLI Procedure) on page 904 Configuring MAC Move Limiting (CLI Procedure) on page 902 Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure) on page 892
vlan
Syntax Hierarchy Level
vlan vlan-name; [edit ethernet-switching-options secure-access-port interface (all | interface-name) static-ip ip-address]
Statement introduced in JUNOS Release 9.2 for EX-series switches. Associate the static IP address with the specified VLAN associated with the specified interface.
vlan-name Name of a specific VLAN associated with the specified interface.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 906
vlan-assignment
Syntax Hierarchy Level Release Information Description
vlan-assignment (vlan-id | vlan-name); [edit protocols dot1x authenticator authentication-profile-name static mac-address]
Statement introduced in JUNOS Release 9.0 for EX-series switches. For MAC addresses that are on the static MAC list and excluded from 802.1X authentication, configure the VLAN that is associated with the device.
vlan-id | vlan-name The name of the VLAN or the VLAN tag identifier to associate
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show dot1x static-mac-address Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 770 Understanding 802.1X Static MAC on EX-series Switches on page 730
1002
vlan
Chapter 48: Configuration Statements for 802.1X, Port Security, and VoIP
voip
Syntax
voip { interface (all | [interface-name | access-ports]) { vlan vlan-name ); forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>; } } [edit ethernet-switching-options]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure voice over IP (VoIP) interfaces. The statements are explained separately.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Example: Configuring VoIP on an EX-series Switch Without Including 802.1X Authentication on page 792 Example: Configuring VoIP on an EX-series Switch Without Including LLDP-MED Support on page 798
voip
1003
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
what
Syntax Hierarchy Level Release Information Description
what number; [edit protocols lldp-med interface (all | interface-name) location civic-based]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Modified in JUNOS Release 9.2 for EX-series switches to display new default. For Link Layer Discovery Protocol Media Endpoint Device (LLDP-MED), configure the location to which the DHCP entry refers. This information is advertised, along with other location information, from the switch to the MED. It is used during emergency calls to identify the location of the MED. Options 0 and 1 should not be used unless it is known that the DHCP client is in close physical proximity to the server or network element.
Default Options
1
numberLocation:
0Location of the DHCP server. 1Location of a network element believed to be closest to the client. 2Location of the client.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
show lldp Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Configuring LLDP-MED (CLI Procedure) on page 882
1004
what
Chapter 49
1005
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.0 for EX-series switches. Clear ARP inspection statistics. clear
show arp inspection statistics Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Verifying That DAI Is Working Correctly on page 912
clear arp inspection statistics on page 1006 This command produces no output.
user@switch> clear arp inspection statistics
1006
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
clear dhcp snooping binding <mac (all | mac-address)> <vlan (all | vlan-name)> <vlan (all | vlan-name) mac (all | mac-address)>
Command introduced in JUNOS Release 9.0 for EX-series switches. Clear the DHCP snooping database information.
mac (all | mac-address )(Optional) Clear DHCP snooping information for the specified
clear
show dhcp snooping binding Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Verifying That DHCP Snooping Is Working Correctly on page 910
clear dhcp snooping binding on page 1007 This command produces no output.
user@switch> clear dhcp snooping binding
1007
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
clear dot1x
Syntax
Command introduced in JUNOS Release 9.0 for EX-series switches. Reset the authentication state of a port. When you reset a port, reauthentication on the port is also triggered. The switch sends out a multicast message on the port to restart the authentication of all connected supplicants. If a MAC address is reset, then the switch sends out a unicast message to that specific MAC address to restart authentication. If a supplicant is sending traffic when the clear dot1x interface command is issued, the authenticator immediately initiates reauthenticataion. This process happens very quickly, and it may seem that reauthentication did not occur. To verify that reauthentication has happened, issue the operational mode command show dot1x interface detail. The value for Reauthentication due and Reauthentication interval will be about the same.
Options
all(Optional) Clears all ports, or specific ports or specific MAC addresses. interface interface-names(Optional) Resets the authentication state of all supplicants
connected to the specified ports (when the port is an authenticator) or for itself (when the port is a supplicant).
mac-address mac-addressesResets the authentication state only for the specified
MAC addresses.
Required Privilege Level Related Topics
view
show dot1x Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on page 875
clear dot1x interface on page 1008 clear dot1x mac-address on page 1008
user@switch> clear dot1x interface ge-1/0/0 ge-2/0/0 ge-2/0/0 ge5/0/0] user@switch> clear dot1x macaddress 00:04:ae:cd:23:5f
1008
clear dot1x
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
Command introduced in JUNOS Release 9.0 for EX-series switches. Clear the learned remote neighbor information on all or selected interfaces.
noneClear the remote neighbor information on all interfaces. interface interface(Optional) Clear the remote neighbor information from one or
view
show lldp Configuring LLDP (CLI Procedure) on page 880 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
List of Sample Output clear lldp neighbors clear lldp neighbors interface ge-0/1/1.0
clear lldp neighbors on page 1009 clear lldp neighbors interface ge-0/1/1.0 on page 1009
user@switch> clear lldp neighbors user@switch> clear lldp neighbors interface ge-0/1/1.0
1009
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.0 for EX-series switches. Clear LLDP statistics on one or more interfaces.
noneClears LLDP statistics on all interfaces. interface interface-names(Optional) Clear LLDP statistics on one or more interfaces.
view
Configuring LLDP (CLI Procedure) on page 880 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
List of Sample Output clear lldp statistics clear lldp statistics interface ge-0/1/1.0
clear lldp statistics on page 1010 clear lldp statistics interface ge-0/1/1.0 on page 1010
user@switch> clear lldp statistics user@switch> clear lldp statistics interface ge-0/1/1.0
1010
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
Command introduced in JUNOS Release 9.0 for EX-series switches. Display ARP inspection statistics. view
clear arp inspection statistics Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Verifying That DAI Is Working Correctly on page 912
show arp inspection statistics on page 1011 Table 121 on page 1011 lists the output fields for the show arp inspection statistics command. Output fields are listed in the approximate order in which they appear.
Field Description Interface on which ARP inspection has been applied. Total number of packets total that underwent ARP inspection. Total number of packets that passed ARP inspection. Total number of packets that failed ARP inspection.
Level of Output All levels All levels All levels All levels
user@switch> show arp inspection statistics Interface --------ge-0/0/0 ge-0/0/1 ge-0/0/2 ge-0/0/3 ge-0/0/4 ge-0/0/5 ge-0/0/6 ge-0/0/7 Packets received ----------------0 0 0 0 0 0 0 703 ARP inspection pass ------------------0 0 0 0 0 0 0 701 ARP inspection failed --------------------0 0 0 0 0 0 0 2
1011
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.0 for EX-series switches. Display the DHCP snooping database information. view
clear dhcp snooping binding Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 808 Verifying That DHCP Snooping Is Working Correctly on page 910
show dhcp snooping binding on page 1012 Table 122 on page 1012 lists the output fields for the show dhcp snooping binding command. Output fields are listed in the approximate order in which they appear.
Field Description MAC address of the network device; bound to the IP address. IP address of the network device; bound to the MAC address. Lease granted to the IP address. How the MAC address was acquired. VLAN name of the network device whose MAC address is shown. Interface address (port).
Level of Output All levels All levels All levels All levels All levels All levels
user@switch> show dhcp snooping binding DHCP Snooping Information: MAC Address IP Address -------------------------00:00:01:00:00:03 192.0.2.0 00:00:01:00:00:04 192.0.2.1 00:00:01:00:00:05 192.0.2.5
1012
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
show dot1x
Syntax
Command introduced in JUNOS Release 9.0 for EX-series switches. Display the current operational state of all ports with the list of connected users.
noneDisplay information for all authenticator ports. brief | detail(Optional) Display the specified level of output. interface interface-names Display information for the specified port with a list of
connected supplicants.
Required Privilege Level Related Topics
view
clear dot1x Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 779 Example: Configuring 802.1X Authentication Options When the RADIUS Server is Unavailable to an EX-series Switch on page 761 Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756 Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch and a RADIUS Server on page 775 Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874 Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on page 875 Verifying 802.1X Authentication on page 907
show dot1x interface brief on page 1016 show dot1x interface detail on page 1016 Table 123 on page 1013 lists the output fields for the show dot1x command. Output fields are listed in the approximate order in which they appear.
Field Description Name of a port. The MAC address of the connected supplicant on the port.
show dot1x
1013
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Field Description The 802.1X authentication role of the interface. When 802.1X is enabled on an interface, the role is Authenticator. As Authenticator, the interface blocks LAN access until a supplicant is authenticated through 802.1X or bypassed using static MAC bypass or MAC RADIUS authentication. The state of the port:
Level of Output
brief, detail
State
brief
AuthenticatingThe supplicant is authenticating through the RADIUS server. HeldAn action has been triggered through server fail fallback during a
RADIUS server timeout. A supplicant is denied access, permitted access through a specified VLAN, or maintains the authenticated state granted to it before the RADIUS server timeout occurred.
Admin-state
detail
result. (Default)
authentication result. This state is not allowed on an interface whose VLAN membership has been set to dynamic.
authentication result. This state is not allowed on an interface whose VLAN membership has been set to dynamic.
Supplicant
detail
connect later to the port are allowed full access without any further authentication. They effectively piggyback on the first supplicants authentication.
The number of seconds the port remains in the wait state following a failed authentication exchange with the supplicant before reattempting the authentication. The default value is 60 seconds. The range is 0 through 65,535 seconds. The number of seconds the port waits before retransmitting the initial EAPOL PDUs to the supplicant. The default value is 30 seconds. The range is 1 through 65,535 seconds. The reauthentication state:
detail
Transmit period
detail
Reauthentication
detail
disablePeriodic reauthentication of the client is disabled. intervalSets the periodic reauthentication time interval. The default value
1014
show dot1x
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
Field Description The number of seconds the port waits for a response when relaying a request from the authentication server to the supplicant before resending the request. The default value is 30 seconds. The range is 1 through 60 seconds. The number of seconds the port waits for a reply when relaying a response from the supplicant to the authentication server before timing out. The default value is 30 seconds. The range is 1 through 60 seconds. The maximum number of retransmission times of an EAPOL request packet to the supplicant before the authentication session times out. The default value is 2. The range is 1 through 10. The number of non-802.1X clients granted access to the LAN by means of static MAC bypass. The following fields are displayed:
Level of Output
detail
Server timeout
detail
detail
detail
ClientMAC address of the client. vlan The name of the VLAN to which the client is connected. detail
The VLAN to which a supplicant is connected when the supplicant is authenticated using a guest VLAN. If a guest VLAN is not configured on the interface, this field displays <not configured>. The number of supplicants connected to a port.
detail
The user name and MAC address of the connected supplicant. The 802.1X authentication method used for a supplicant:
detail detail
Guest VLANA supplicant is connected to the LAN through the guest VLAN. MAC RadiusA nonresponsive host is authenticated based on its MAC
address. The MAC address is configured as permitted on the RADIUS server, the RADIUS server lets the switch know that the MAC address is a permitted address, and the switch opens LAN access to the nonresponsive host on the interface to which it is connected.
server communicates this to the switch, and the switch opens LAN access on the interface to which the supplicant is connected.
Server-fail denyIf the RADIUS servers time out, all supplicants are denied
access to the LAN, preventing traffic from flowing from the supplicant through the interface. This is the default.
is still permitted access to the LAN as if the supplicant had been successfully authenticated by the RADIUS server.
reauthentication, previously authenticated supplicants are reauthenticated, but new supplicants are denied LAN access.
VLAN if the RADIUS server is unavailable to reauthenticate the supplicant. (The VLAN must already exist on the switch.)
Authenticated VLAN
detail
show dot1x
1015
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Field Description The number of seconds in which reauthentication will occur again for the connected supplicant.
Level of Output
detail
user@switch> show dot1x interface [ge-0/0/1 ge-0/0/2 ge0/0/3] brief Interface Role State --------- -------ge-0/0/1 Authenticator Authenticated Authenticating ge-0/0/2 Authenticator Connecting ge-0/0/3 Supplicant Authenticated MAC address -----------------00:a0:d2:18:1a:c8 00:a0:e5:32:97:af 00:a6:55:f2:94:ae
user@switch> show dot1x interface ge-0/0/16.0 detail ge-0/0/16.0 Role: Authenticator Administrative state: Auto Supplicant mode: Single Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Enabled Mac Radius Strict: Disabled Reauthentication: Enabled Reauthentication interval: 40 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 1 Guest VLAN member: <not configured> Number of connected supplicants: 1 Supplicant: abc, 00:30:48:8C:66:BD Operational state: Authenticated Authentication method: Radius Authenticated VLAN: v200 Reauthentication due in 17 seconds
1016
show dot1x
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
Command introduced in JUNOS Release 9.0 for EX-series switches. Displays supplicants (users) that have failed 802.1X authentication. view
clear dot1x Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 770 Configuring 802.1X Authentication (CLI Procedure) on page 866
show dot1x authentication-failed-users on page 1017 Table 124 on page 1018 lists the output fields for the show dot1x authentication-failed-users command. Output fields are listed in the approximate order in which they appear.
Field Description The MAC address configured to bypass 802.1X authentication. The MAC address configured statically on the interface. The user that is configured on the RADIUS server and that has failed 802.1X authentication.
Level of Output
all all all
user@switch> show dot1x authentication-failed-users Interface ge-0/0/0.0 MAC address 00:00:00:10:00:02 User md5user02
1017
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.0 for EX-series switches. Displays all the static MAC addresses that are configured to bypass 802.1X authentication on the switch.
interface [ interface-name ](Optional) Display static MAC addresses for a specific
Options
interface.
Required Privilege Level Related Topics
view
clear dot1x Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 770 Configuring 802.1X Authentication (CLI Procedure) on page 866 Understanding 802.1X Static MAC on EX-series Switches on page 730
show dot1x static-mac-address on page 1018 show dot1x static-mac-address interface ge-0/0/0.1 on page 1018 Table 124 on page 1018 lists the output fields for the show dot1x static-mac-address command. Output fields are listed in the approximate order in which they appear.
Field Description The MAC address of the device that is configured to bypass 802.1X authentication. The name of the VLAN to which the device is assigned. The name of the interface on which authentication is bypassed for a given MAC address.
Level of Output
all
VLAN-Assignment Interface
all all
user@switch> show dot1x static-mac-address MAC address 00:00:00:11:22:33 00:00:00:00:12:12 00:00:00:02:34:56 VLAN-Assignment Interface ge-0/0/3.0 ge-0/0/1.0
facilities
user@switch> show dot1x static-mac-address interface ge-0/0/0.1 MAC address 00:00:00:12:24:12 00:00:00:72:30:58 VLAN-Assignment support support Interface ge-0/0/1.0 ge-0/0/1.0
1018
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
Command introduced in JUNOS Release 9.0 for EX-series switches. Display information about switched Ethernet interfaces.
none(Optional) Display brief information for Ethernet-switching interfaces. brief | detail | summary(Optional) Display the specified level of output. interface interface-name (Optional) Display Ethernet-switching information for a
specific interface.
Required Privilege Level List of Sample Output
view show show show show show ethernet-switching ethernet-switching ethernet-switching ethernet-switching ethernet-switching interfaces on page 1020 interfaces summary on page 1020 interfaces brief on page 1020 interfaces detail on page 1020 interfaces ge-0/0/0.0 on page 1021
Output Fields
Table 70 on page 1019 lists the output fields for the show ethernet-switching interfaces command. Output fields are listed in the approximate order in which they appear.
Field Description Name of a switching interface. Interface state. Values are up or down.
VLAN members
Name of a VLAN.
Blocking
blockedTraffic is not being forwarded on the interface. unblockedTraffic is forwarded on the interface.
The VLAN index internal to JUNOS software. Specifies whether the interface forwards 802.1Q-tagged or untagged traffic.
detail detail
1019
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@switch> show ethernet-switching interfaces Interface ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ge-0/0/6.0 ge-0/0/7.0 ge-0/0/8.0 ge-0/0/9.0 ge-0/0/10.0 ge-0/0/11.0 ge-0/0/12.0 ge-0/0/13.0 ge-0/0/14.0 ge-0/0/15.0 ge-0/0/16.0 ge-0/0/17.0 ge-0/0/18.0 ge-0/0/19.0 ge-0/1/0.0 ge-0/1/1.0 ge-0/1/2.0 ge-0/1/3.0 State up down down down down down down down down up down down down down down down down down down up down down down down VLAN members T1122 default default default default default default default default T111 default default default default default default default default default T111 default default default default Blocking unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked unblocked
user@switch> show ethernet-switching interfaces summary ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/8.0 ge-0/0/10.0 ge-0/0/11.0 user@switch> show ethernet-switching interfaces brief Interface State VLAN members Blocking ge-0/0/0.0 down default unblocked ge-0/0/1.0 down employee-vlan unblocked ge-0/0/2.0 down employee-vlan unblocked ge-0/0/3.0 down employee-vlan unblocked ge-0/0/8.0 down employee-vlan unblocked ge-0/0/10.0 down default unblocked ge-0/0/11.0 down employee-vlan unblocked user@switch> show ethernet-switching interfaces detail Interface: ge-0/0/0.0 Index: 65 State: down VLANs: default untagged unblocked Interface: ge-0/0/1.0 Index: 66 State: down VLANs: employee-vlan untagged Interface: ge-0/0/2.0 Index: 67 State: down VLANs:
unblocked
1020
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
employee-vlan
untagged
unblocked
Interface: ge-0/0/3.0 Index: 68 State: down VLANs: employee-vlan untagged Interface: ge-0/0/8.0 Index: 69 State: down VLANs: employee-vlan untagged Interface: ge-0/0/10.0 Index: 70 State: down VLANs: default untagged Interface: ge-0/0/11.0 Index: 71 State: down VLANs: employee-vlan tagged
unblocked
unblocked
unblocked
unblocked
user@switch> show ethernet-switching interfaces ge-0/0/0.0 Interface State VLAN members Blocking ge-0/0/0.0 down default unblocked
1021
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
show ip-source-guard
Syntax Release Information Description Required Privilege Level Related Topics
show ip-source-guard
Command introduced in JUNOS Release 9.2 for EX-series switches. Display IP source guard database information. view
Example: Configuring IP Source Guard on a Data VLANThat Shares an Interface with a Voice VLAN on page 848 Example: Configuring IP Source Guard with Other EX-series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 855 Verifying That IP Source Guard Is Working Correctly on page 918
show ip-source-guard on page 1022 Table 42 on page 1306 lists the output fields for the show ip-source-guard command. Output fields are listed in the approximate order in which they appear.
Field Description VLAN on which IP source guard is enabled. Access interface associated with the VLAN in column 1. VLAN ID for the VLAN in column 1. Possible values are:
IP Address
Source IP address for a device connected to the interface in column 2. A value of * (star, or asterisk) indicates that IP source guard is not enabled on this VLAN but the interface is shared with a VLAN that is enabled for IP source guard. Source MAC address for a device connected to the interface in column 2. A value of * (star, or asterisk) indicates that IP source guard is not enabled on this VLAN but the interface is shared with a VLAN that is enabled for IP source guard.
MAC Address
show ip-source-guard
user@switch> show ip-source-guard IP source guard information: Interface Tag IP Address MAC Address ge-0/0/12.0 ge-0/0/13.0 0 0 10.10.10.7 10.10.10.9 00:30:48:92:A5:9D 00:30:48:8D:01:3D
1022
show ip-source-guard
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
ge0/0/13.0
100
voice
show ip-source-guard
1023
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
show lldp
Syntax
Command introduced in JUNOS Release 9.0 for EX-series switches. Display information about Link Layer Discovery Protocol (LLDP). LLDP is used to learn and distribute device information on network links.
noneDisplay LLDP information for all interfaces. detail(Optional) Display detailed LLDP information for all interfaces.
Options
view
Configuring LLDP (CLI Procedure) on page 880 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
show lldp on page 1026 show lldp (detail) on page 1027 Table 128 on page 1024 lists the output fields for the show lldp command. Output fields are listed in the approximate order in which they appear.
Field Description The LLDP operating state. The state can be enabled or disabled. The frequency, in seconds, at which LLDP advertisements are sent. The default value is 30 seconds. The delay between two successive LLDP advertisements. The default value is 2 seconds. The multiplier used in combination with the advertisement-interval value to determine the length of time LLDP information is held before it is discarded. The default value is 4 (or 120 seconds). The Link Level Discovery Protocol Media Endpoint Discovery (LLDP-MED) operating state. The state can be enabled or disabled. The number of advertisements sent from a switch to a device, such as a VoIP telephone, when the device is first detected by the switch. These increased advertisements are temporary. After a device and a switch exchange information and can communicate, advertisements are reduced to one per second. The default value is 3. The range is from 1 through 10.
Transmit Delay
All levels
Hold Timer
All levels
LLDP-MED
All levels
All levels
1024
show lldp
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
PortThe port number. LLDPThe LLDP operating state. The state can be enabled or disabled. LLDP-MEDThe LLDPMED operating state. The state can be enabled or disabled. Neighbor Count(detail) The total number of new LLDP neighbors detected
detail
PortThe interface on which LLDP is configured. Vlan-idThe VLAN tag associated with the interface sending LLDP frames.
NotificationEnabled
Chassis IdentifierThe MAC address associated with the local system. Port identifierThe port identification for the specified port in the local
system.
System NameThe user configured name of the local system. The system
the software and current image running on the system. This information is not configurable, but taken from the software.
capabilities that system supports are defined; for example, bridge or router. This information is not configurable, but based on the model of the product.
show lldp
1025
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Level of Output
detail
Power via MDIA TLV that advertises MDI power support, PSE power pair,
the physical interface, such as autonegotiation status and support and MAU type. The information is not configurable, but based on the physical interface structure.
Port VlanA TLV that advertises the VLAN name configured on the
interface.
LLDP-MED TLVs Enabled
detail
LLDP MED CapabilitiesA TLV that advertises the primary function of the
0 Capabilities 1 Network Policy 2 Location Identification 3 Extended Power via MDI-PSE 4 Inventory 515 Reserved
0 Class not defined. 1 Class 1 Device. 2 Class 2 Device. 3 Class 3 Device. 4 Network Connectivity Device 5255 Reserved.
Network PolicyA TLV that advertises the port VLAN configuration and
associated Layer 2 and Layer 3 attributes. Attributes include the policy identifier, application types, such as voice or streaming video, 802.1q VLAN tagging, and 802.1p priority bits and Diffserv code points.
endpoint.
Extended Power via MDI A TLV that advertises the power type, power
source, power priority, and power value of the port. It is the responsibility of the PSE device (network connectivity device) to advertise the power priority on a port.
show lldp
user@host> show lldp LLDP Advertisement interval Transmit Delay : Enabled : 30 seconds : 2 seconds
1026
show lldp
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
Hold timer
: 120 seconds
LLDP-MED : Enabled LLDP-MED fast start count: 3 LLDP Port Configuration: Port LLDP LLDP-MED ----------------All Enabled Disabled ge-0/1/0.0 Enabled Enabled ge-0/1/1.0 Enabled Enabled ge-0/1/2.0 Enabled Disabled ge-0/1/3.0 Enabled Disabled ge-0/1/4.0 Enabled Disabled ge-0/1/5.0 Enabled Disabled ge-0/1/5.0 Enabled Disabled ge-0/1/7.0 Disabled Disabled
user@switch> show lldp detail LLDP Advertisement interval Transmit Delay Hold timer : : : : Enabled 30 seconds 2 seconds 120 seconds
LLDP-MED : Enabled LLDP-MED fast start count: 3 LLDP Port Configuration: Port LLDP LLDP-MED Neighbor count -----------------------------All Enabled Disabled 11 ge-0/1/0.0 Enabled Enabled 1 ge-0/1/1.0 Enabled Enabled 2 ge-0/1/2.0 Enabled Disabled 2 ge-0/1/3.0 Enabled Disabled 2 ge-0/1/4.0 Enabled Disabled 2 ge-0/1/5.0 Enabled Disabled 1 ge-0/1/6.0 Enabled Disabled 1 ge-0/1/7.0 Disabled Disabled 0
LLDP Vlan export details: Port Vlan-id Vlan-name -----------------ge-0/0/0.0 100 Voice ge-0/0/1.0 200 Voice NotificationEnabled: ------------------R(lldpRemTablesChange),T(lldpXMEDTopologyChangeDetected) LLDP Basic TLVs Supported: ------------------------Chassis identifier, Port identifier, Port Description , System Name , System Description, System Capabilities, Management Address. LLDP 802.3 TLVs Supported: ------------------------Power via MDI, MAC/PHY Configuration Status, Link Aggregation, Maximum Frame Size, Port Vlan, Port and Protocol Vlan ID,
show lldp
1027
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Protocol Identity. LLDP-MED TLVs Enabled: --------------------LLDP MED Capabilities, Network Policy, Endpoint Location, Extended Power Via MDI.
1028
show lldp
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
Command introduced in JUNOS Release 9.0 for EX-series switches. Displays learned information about Link Layer Discovery Protocol (LLDP) on local interfaces.
noneDisplay learned LLDP information on all local interfaces and devices.
view
Configuring LLDP (CLI Procedure) on page 880 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
show lldp local-info on page 1029 Table 129 on page 1029 lists the output fields for the show lldp local-info command. Output fields are listed in the approximate order in which they appear.
Chassis ID The MAC address associated with the local system. System name The user configured name of the local system. Sytem descr The system description containing information about the
software and current image running on the system. This information is not configurable, but taken from the software.
Interface NameThe name of the interface. Interface IDThe port component of the MAC Service Access Point (MSAP)
Interface DescrThe port description. The port description is the value entered at the [edit interfaces interface-name unit unit-number description ]
hierarchy level.
user@host> show lldp local-info LLDP Local MIB details ---------------------Chassis ID : 00:19:e2:50:4a:c0 System name : sw-java-u System descr : Juniper Networks, Inc. olive internet router, Version 8.5I0 [mgprasad] Build date: 2007-08-02 22:00:31 UTC Interface Name Interface ID Interface Descr
1029
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
-----------18 27 13
1030
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
Command introduced in JUNOS Release 9.0 for EX-series switches. Display learned information about Link Layer Discovery Protocol (LLDP) on all neighboring interfaces or on selected interfaces.
noneDisplay learned LLDP information on all neighboring interfaces and devices. interface interface-ids(Optional) Display learned LLDP information on the selected
Options
interface or device.
Required Privilege Level Related Topics
view
Configuring LLDP (CLI Procedure) on page 880 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728
show lldp neighbors on page 1032 show lldp neighbors interface ge-0/0/4.0 on page 1033 Table 130 on page 1031 lists the output fields for the show lldp neighbors command. Output fields are listed in the approximate order in which they appear.
LocalPortThe local port number. ChassisIdThe MAC address associated with the local system. PortInfoPort Info is either PortID or PortDescr, whichever is available.
LLDP agent.
Juniper Networks internal index. The age of the information propagated in LLDP frames. Time to live (TTL) value is between 0 and 65,535 seconds. Time filter for an entry.
Time mark
interface level
1031
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Field Description The value used to identify a chassis. For an EX-series switch, this is the MAC address. However, this value is vendor-specific. The value for chassis type is used by LLDP to identify a device. The neighbor's unique SNMP index for a port. The system description containing information about the software and current image running on the system. This information is not configurable, but taken from the software. The primary function performed by the system. The capabilities that the system supports are defined; for example, bridge. This information is not configurable, but based on the model of the product.
System capabilities
interface level
Supported The capabilities the system supports. Enabled The capabilities enabled on the system.
interface level
802 media.
interface level
classes:
Capabilities.
running on a port.
Media Policy Priority The media policy priority, defined in the VLAN tag,
advertised.
Media Policy Tagged Set based on the VLAN (tagged or untagged) used
by an application type.
user@switch> show lldp neighbors LLDP Remote Devices Information LocalPort --------ge-0/0/0.0 ge-0/0/1.0 ge-0/0/1.0 ChassisId --------10.209.192.12 10.209.192.12 10.209.192.13 PortInfo SysName --------------00 19 bb 20 de 80 AVA4C357D 00 19 bb 20 de 80 AVA4C357D 00 19 bb 20 de 81 AVA4C357E
1032
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
00 00 00 00 00 00
19 19 19 19 19 19
bb bb bb bb bb bb
20 20 20 20 20 20
de de de de de de
79 80 79 80 81 82
5 3 5 3 ge-0/0/3 ge-0/0/4
user@switch>show lldp neighbors interface ge-0/0/4.0 LLDP Remote Device Information Detail Index 6 Time Mark Wed Jun 20 07:34:11 2007 Time To Live 120 seconds Local Port : ge-0/0/4.0 ChassisType : mac-address ChassisId : 00 19 bb 20 de 80 PortType : local PortId : 3 SysName : apg-hp1 System Descr : ProCurve J9049A Switch 2900-24G, revision T.11.X1, ROM K.... PortDescr : 3 . . . System Capabilities Supported System Capabilities Enabled Remote Management Address Type : ipv4 Address : 10.204.34.35 : bridge, router : bridge
Index 7 Time Mark Wed Jun 20 07:34:11 2007 Time To Live 120 seconds Local Port : ge-0/0/4.0 ChassisType : mac-address ChassisId : 00 19 bb 20 de 79 PortType : local PortId : 5 SysName : apg-hp1 System Descr : ProCurve J9049A Switch 2900-24G, revision T.11.X1, ROM K.... PortDescr : 3 . . . System Capabilities Supported System Capabilities Enabled Remote Management Address Type : ipv4 Address : 10.204.34.35 : bridge, router : bridge
1033
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.0 for EX-series switches. Display LLDP statistics on all or selected interfaces.
noneDisplay LLDP statistics on all interfaces and devices. interface interface-ids(Optional) Display LLDP statistics on the selected devices.
view show lldp statistics on page 1034 show lldp statistics interface ge-0/1/1.0 on page 1034 Table 80 on page 1034 lists the output fields for the show lldp statistics command. Output fields are listed in the approximate order in which they appear.
Field Description Name of an interface. The total number of LLDP frames received on an interface. The total number of LLDP frames transmitted on an interface. The number of unrecognized LLDP TLVs received on an interface. The number of invalid LLDP TLVs received on an interface. The number of LLDP TLVs received and then discarded on an interface.
Level of Output All levels All levels All levels All levels All levels All levels
user@switch> show lldp statistics Interface --------ge-0/1/1.0 ge-0/1/2.0 ge-0/1/3.0 ge-0/1/4.0 ge-0/1/5.0 ge-0/1/6.0 ge-0/1/7.0 Received -------544 540 544 544 544 544 0 Transmitted ---------540 500 540 540 540 540 0 Unknown-TLVs -----------0 0 0 0 0 0 0 With-Errors ----------0 0 0 0 0 0 0 Discarded --------0 0 0 0 0 0 0
1034
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
Interface --------ge-0/1/1.0
Received -------544
Transmitted ---------540
Unknown-TLVs -----------0
With-Errors ----------0
Discarded --------0
1035
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Statement introduced in JUNOS Release 9.0 for EX-series switches. Display authentication, authorization, and accounting (AAA) accounting statistics. view
accounting-server stop-on-access-deny Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 874
show network-access aaa statistics accounting on page 1036 Table 132 on page 1036 lists the output fields for the show network-access aaa statistics accounting command. Output fields are listed in the approximate order in which they appear.
Field Description The number of accounting-request packets sent from a switch to a RADIUS accounting server. The number of accounting-response failure packets sent from the RADIUS accounting server to the switch. The number of accounting-response success packets sent from the RADIUS accounting server to the switch. The number of requests-timedout packets sent from the RADIUS accounting server to the switch.
user@switch> show network-access aaa statistics accounting Accounting module statistics Requests received: 1 Accounting Response failures: 0 Accounting Response Success: 1 Requests timedout: 0
1036
Chapter 49: Operational Mode Commands for 802.1X, Port Security, and VoIP
Statement introduced in JUNOS Release 9.0 for EX-series switches. Display authentication, authorization, and accounting (AAA) authentication statistics. view
authentication-server Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756
show network-access aaa statistics authentication on page 1037 Table 133 on page 1037 lists the output fields for the show network-access aaa statistics authentication command. Output fields are listed in the approximate order in which they appear.
Field Description The number of authentication requests received by the switch. The number of authentication accepts received by the RADIUS server. The number authentication rejects sent by the RADIUS server. The number of authentication challenges sent by the RADIUS server.
user@switch> show network-access aaa statistics authentication Authentication module statistics Requests received: 2 Accepts: 1 Rejects: 0 Challenges: 1
1037
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Statement introduced in JUNOS Release 9.0 for EX-series switches. Display authentication, authorization, and accounting (AAA) authentication statistics for disconnects. view
authentication-server Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 756
show network-access aaa statistics authentication on page 1038 Table 134 on page 1038 lists the output fields for the show network-access aaa statistics dynamic-requests command. Output fields are listed in the approximate order in which they appear.
Field Description The number of dynamic requests received by the RADIUS server. The number of dynamic requests successfully processed by the RADIUS server.
The number of errors that occurred while the RADIUS server was processing the dynamic request.
user@switch> show network-access aaa statistics dynamic-requests Dynamic-requests module statistics Requests received: 0 Processed successfully: 0 Errors during processing: 0 Silently dropped: 0
1038
Part 11
Understanding Firewall Filters on page 1041 Examples of Configuring Firewall Filters on page 1065 Configuring Firewall Filters on page 1087 Verifying Firewall Filters on page 1101 Troubleshooting Firewall Filters on page 1105 Configuration Statements for Firewall Filters on page 1109 Operational Mode Commands for Firewall Filters on page 1123
1039
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1040
Chapter 50
Firewall Filters for EX-series Switches Overview on page 1041 Understanding Planning of Firewall Filters on page 1043 Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX-series Switches on page 1045 Understanding How Firewall Filters Control Packet Flows on page 1047 Firewall Filter Match Conditions and Actions for EX-series Switches on page 1048 Understanding How Firewall Filters Are Evaluated on page 1057 Understanding Firewall Filter Match Conditions on page 1059 Understanding How Firewall Filters Test a Packet's Protocol on page 1063 Understanding the Use of Policers in Firewall Filters on page 1063
Firewall Filter Types on page 1041 Firewall Filter Components on page 1042 Firewall Filter Processing on page 1042
Port (Layer 2) firewall filterPort firewall filters apply to Layer 2 switch ports. You can apply port firewall filters in both ingress and egress directions on a physical port.
1041
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
VLAN firewall filterVLAN firewall filters provide access control for packets that enter a VLAN, are bridged within a VLAN, and leave a VLAN. You can apply VLAN firewall filters in both ingress and egress directions on a VLAN. VLAN firewall filters are applied to all packets that are forwarded to or forwarded from the VLAN. Router (Layer 3) firewall filterYou can apply a router firewall filter in both ingress and egress directions on Layer 3 (routed) interfaces and routed VLAN interfaces (RVI). You can also apply a router firewall filter in ingress direction on the loopback interface.
NOTE: Firewall filters are not supported on aggregated Ethernet interfaces. To apply a firewall filter, you must:
1. 2.
Configure the firewall filter. Apply the firewall filter to a port, VLAN, or router interface.
Match conditionsSpecifies the values or fields that the packet must contain. You can define various match conditions, including the IP source address field, IP destination address field, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port field, IP protocol field, Internet Control Message Protocol (ICMP) packet type, TCP flags, and interfaces. ActionSpecifies what to do if a packet matches the match conditions. Possible actions are to accept or discard a packet. In addition, packets can be counted to collect statistical information. If no action is specified for a term, the default action is to accept the packet.
1042
does not match any terms in a firewall filter, the default action is to discard the packet.
Related Topics
Understanding Planning of Firewall Filters on page 1043 Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX-series Switches on page 1045 Understanding How Firewall Filters Are Evaluated on page 1057 Understanding Firewall Filter Match Conditions on page 1059 Understanding the Use of Policers in Firewall Filters on page 1063 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065
What is the purpose of the firewall filter? For example, you can use a firewall filter to limit traffic to source and destination MAC addresses, specific protocols, or certain data rates or to prevent denial of service (DoS) attacks.
2.
Determine the packet header fields that the packet must contain for a match. Possible fields include:
Layer 2 header fieldsSource and destination MAC addresses, dot1q tag, Ethernet type, VLAN Layer 3 header fieldsSource and destination IP addresses, protocols, and IP options (IP precedence, IP fragmentation flags, TTL type) TCP header fieldsSource and destination ports and flags ICMP header fieldsPacket type and code
1043
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
b.
Determine the port, VLAN, or router interface on which the packet was received.
3.
What are the appropriate actions to take if a match occurs? Possible actions to take if a match occurs are accept and discard.
4.
What additional action modifiers might be required? Determine if additional actions are required if a packet matches a match condition; for example, you can specify an action modifier to count, analyze, or police packets.
5.
On what interface should the firewall filter be applied? Start with the following basic guidelines:
If all the packets entering a port need to be exposed to filtering, then use port firewall filters. If all the packets that are bridged need filtering, then use VLAN firewall filters. If all the packets that are routed need filtering, then use router firewall filters.
Before you choose the interface at which to apply a firewall filter, understand how that placement can impact traffic flow to other interfaces. In general, apply a firewall filter that filters on source and destination IP addresses, IP protocols, or protocol informationsuch as ICMP message types, and TCP and UDP port numbersnearest to the source devices. However, typically apply a firewall filter that filters only on a source IP address nearest to the destination devices. When applied too close to the source device, a firewall filter that filters only on a source IP address could potentially prevent that source device from accessing other services that are available on the network.
NOTE: Egress firewall filters do not affect the flow of locally generated control packets from the Routing Engine. In which direction should the firewall filter be applied? You can apply firewall filters to ports on the switch to filter packets that are entering a port. You can apply firewall filters to VLANs, and Layer 3 (routed) interfaces to filter packets that are entering or exiting a VLAN or routed interface. Typically, you configure different sets of actions for traffic entering an interface than you configure for traffic exiting an interface.
Related Topics
6.
Firewall Filters for EX-series Switches Overview on page 1041 Understanding the Use of Policers in Firewall Filters on page 1063
1044
Understanding How Firewall Filters Are Evaluated on page 1057 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065
Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX-series Switches
EX-series switches are multilayered switches that provide Layer 2 switching and Layer 3 routing. You apply firewall filters at multiple processing points in the packet forwarding path on EX-series switches. At each processing point, the action to be taken on a packet is determined based on the results of the lookup in the switch's forwarding table. A table lookup determines which exit port on the switch to use to forward the packet. For both bridged unicast packets and routed unicast packets, firewall filters are evaluated and applied hierarchically. First, a packet is checked against the port firewall filter, if present. If the packet is permitted, it is then checked against the VLAN firewall filter, if present. If the packet is permitted, it is then checked against the router firewall filter, if present. The packet must be permitted by the router firewall filter before it is processed. Figure 67 on page 1046 shows the various firewall filter processing points in the packet forwarding path in a multilayered switching platform.
Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX-series Switches
1045
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Figure 67: Firewall Filter Processing Points in the Packet Forwarding Path
For a multicast packet that results in replications, an egress firewall filter is applied to each copy of the packet based on its corresponding egress VLAN. For Layer 2 (bridged) unicast packets, the following firewall filter processing points apply:
Ingress port firewall filter Ingress VLAN firewall filter Egress port firewall filter Egress VLAN firewall filter
For Layer 3 (routed and multilayer-switched) unicast packets, the following firewall filter processing points apply:
Ingress port firewall filter Ingress VLAN firewall filter (Layer 2 CoS) Ingress router firewall filter (Layer 3 CoS) Egress router firewall filter Egress VLAN firewall filter
1046
Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX-series Switches
Related Topics
Firewall Filters for EX-series Switches Overview on page 1041 Understanding How Firewall Filters Control Packet Flows on page 1047 Understanding Bridging and VLANs on EX-series Switches on page 395 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065
Ingress firewall filters affect the flow of data packets that are received by the switch's interfaces. The Packet Forwarding Engine (PFE) handles this flow. When a switch receives a data packet on an interface, the switch determines where to forward the packet by looking in the forwarding table for the best route (Layer 2 switching, Layer 3 routing) to a destination. Data packets are forwarded to their destination through an outgoing interface. Locally destined packets are forwarded to the Routing Engine. Egress firewall filters affect the flow of data packets that are transmitted from the switch's interfaces but do not affect the flow of locally generated control packets from the Routing Engine. The Packet Forwarding Engine handles the flow of data packets that are transmitted from the switch, and egress firewall filters are applied here. The Packet Forwarding Engine also handles the flow of control packets from the Routing Engine.
Figure 68 on page 1048 illustrates the application of ingress and egress firewall filters to control the flow of packets through the switch.
1047
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1. 2. 3.
Ingress firewall filter applied to control locally destined packets that are received on the switch's interfaces and are destined for the Routing Engine. Ingress firewall filter applied to control incoming packets on the switch's interfaces. Egress firewall filter applied to control packets that are transiting the switch's interfaces. Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX-series Switches on page 1045 Understanding How Firewall Filters Are Evaluated on page 1057
Related Topics
1048
Table 135: Supported Match Conditions for Firewall Filters on EX-series Switches
Match Condition
destination-address ip-address
Description IP destination address field, which is the address of the final destination node.
Direction/Interface Ingress ports, VLANs, and router interfaces. Egress VLANs and router interfaces.
destination-mac-address mac-address
destination-port number
TCP or User Datagram Protocol (UDP) destination port field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is used on the port. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed):
afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20),
Ingress ports, VLANs, and router interfaces. Egress VLANs and router interfaces.
1049
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 135: Supported Match Conditions for Firewall Filters on EX-series Switches (continued)
Match Condition Description
http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813),radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), zephyr-hm (2104) dot1q-tag number
Direction/Interface
The tag field in the ethernet header. The tag values can be 14095.
1050
Table 135: Supported Match Conditions for Firewall Filters on EX-series Switches (continued)
Match Condition
dot1q-user-priority number
Description User-priority field of the tagged Ethernet packet. User-priority values can be 07. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
background (1)Background best-effort (0)Best effort controlled-load (4)Controlled load excellent-load (3)Excellent load network-control (7)Network control
reserved traffic
dscp number
Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP. You can specify DSCP in hexadecimal, binary, or decimal form. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
Ingress ports, VLANs, and router interfaces. Egress VLANs and router interfaces.
af11 (10), af12 (12), af13 (14); af21 (18), af22 (20), af23 (22); af31 (26), af32 (28), af33 (30); af41 (34), af42 (36), af43 (38)
These four classes, with three drop precedences in each class, for a total of 12 code points, are defined in RFC 2597, Assured Forwarding PHB.
1051
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 135: Supported Match Conditions for Firewall Filters on EX-series Switches (continued)
Match Condition
ether-type [ipv4 | arp | mpls | dot1q | value]
Description Ethernet type field of a packet. The EtherType value specifies what protocol is being transported in the Ethernet frame. In place of the numeric value, you can specify one of the following text synonyms:
(0x8100)
0x0800)
(0x8847)
fragment-flags [ is-fragment | more-fragment | dont-fragment]
IP fragmentation flags.
for: Ingress ports, VLANs, and router interfaces. Egress VLANs and router interfaces.
fragment-flags [more-fragment | dont-fragment] supported for: Ingress
1052
Table 135: Supported Match Conditions for Firewall Filters on EX-series Switches (continued)
Match Condition
icmp-code number
Description ICMP code field. This value or keyword provides more specific information than icmp-type. Because the values meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:
Direction/Interface Ingress ports, VLANs, and router interfaces. Egress VLANs and router interfaces.
parameter-problemip-header-bad (0), required-option-missing (1) redirectredirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2) time-exceededttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0) unreachablecommunication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)
icmp-type number
ICMP packet type field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), unreachable (3)
Ingress ports, VLANs, and router interfaces. Egress VLANs and router interfaces.
1053
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 135: Supported Match Conditions for Firewall Filters on EX-series Switches (continued)
Match Condition
interface interface-name
Description Interface on which the packet is received. You can specify the wildcard character * as part of an interface name. NOTE: An interface from which a packet is sent cannot be used as a match condition.
Direction/Interface Ingress ports, VLANs, and router interfaces. Egress VLANs and router interfaces.
ip-options
Presence of the options field in the IP header. Length of the received packet, in bytes. IP precedence. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
Ingress ports, VLANs, and router interfaces. Ingress router interfaces. Ingress ports, VLANs, and router interfaces. Egress VLANs and router interfaces.
critical-ecp (5) flash (3) flash-override (4) immediate (2) internet-control (6) net-control (7) priority (1) routine (0)
IPv4 protocol value. In place of the numeric value, you can specify one of the following text synonyms:
egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ospf (89), pim (103), rsvp (46), tcp (6), udp (17)
Ingress ports, VLANs, and router interfaces. Egress VLANs and router interfaces.
source-address ip-address
IP source address field, which is the address of the source node sending the packet.
Ingress ports, VLANs, and router interfaces. Egress VLANs and router interfaces.
source-mac-address mac-address
source-port number
TCP or UDP source-port field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. In place of the numeric field, you can specify one of the text synonyms listed under destination-port.
Ingress ports, VLANs, and router interfaces. Egress VLANs and router interfaces.
1054
Table 135: Supported Match Conditions for Firewall Filters on EX-series Switches (continued)
Match Condition
packet-length bytes
Direction/Interface Ingress ports, VLANs, and router interfaces. Ingress ports, VLANs, and router interfaces.
logical operators& (logical AND), ! (negation) numerical value 0x01 through 0x20 text synonymtcp-initial
To specify multiple flags, use logical operators. NOTE: tcp-flags is not supported on egress firewall filters.
tcp-initial
Matches the first TCP packet of a connection. tcp-initial is a synonym for the bit names ""(syn & !ack)".
tcp-initial does not implicitly check that
the protocol is TCP. To do so, specify the protocol tcp match condition.
ttl value
TTL type to match. The value range is 1 through 255. The VLAN that is associated with the packet.
Some of the numeric range and bit-field match conditions allow you to specify a text synonym. For a list of all the synonyms for a match condition, do any of the following:
If you are using the J-Web Configuration page, select the synonym from the appropriate list. If you are using the CLI, type a question mark (?) after the from statement.
To specify the bit-field value to match, you must enclose the values in quotations marks (" "). For example, a match occurs if the RST bit in the TCP flags field is set:
tcp-flags "rst;
For information about logical operators and how to use bit-field logical operations to create expressions that are evaluated for matches, see Understanding Firewall Filter Match Conditions on page 1059.
1055
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
When you define one or more terms that specify the filtering criteria, you also define the action to take if the packet matches all criteria. Table 136 on page 1056 shows the actions that you can specify in a term.
Table 136: Actions for Firewall Filters
Action
accept discard
Description Accept a packet. Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.
In addition to the actions, you can specify action modifiers. Table 137 on page 1056 shows the action modifers that you can specify in a term.
Table 137: Action Modifiers for Firewall Filters
Action Modifier
analyzer analyzer-name
Description Mirror port traffic to a specified destination port or VLAN that is connected to a protocol analyzer application. Mirroring copies all packets seen on one switch port to a network monitoring connection on another switch port. The analyzer-name must be configured under [edit ethernet-switching-actions analyzer]. You can specify mirroring for ingress port, VLAN and router firewall filters only.
Count the number of packets that pass this filter, term, or policer. Classify packet in one of the following forwarding classes:
Set the Packet Loss Priority (PLP). Apply rate limits to the traffic. You can specify a policer for ingress port, VLAN and router firewall filters only.
Related Topics
Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches on page 1110 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Understanding Firewall Filter Match Conditions on page 1059 Understanding How Firewall Filters Are Evaluated on page 1057
1056
Understanding How Firewall Filters Test a Packet's Protocol on page 1063 Understanding the Use of Policers in Firewall Filters on page 1063
If the packet matches all the conditions, the action in the then statement is taken. If the packet matches all the conditions, and no action is specified in the then statement, the default action accept is taken.
When a firewall filter consists of more than one term, the firewall filter is evaluated sequentially:
1. 2.
The packet is evaluated against the conditions in the from statement in the first term. If the packet matches all the conditions in the term, the action in the then statement is taken and the evaluation ends. Subsequent terms in the filter are not evaluated. If the packet does not match all the conditions in the term, the packet is evaluated against the conditions in the from statement in the second term. This process continues until either the packet matches the conditions in the from statement in one of the subsequent terms or there are no more terms in the filter.
3.
4.
If a packet passes through all the terms in the filter without a match, the packet is discarded.
Figure 69 on page 1058 shows how an EX-series switch evaluates the terms within a firewall filter.
1057
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
If a term does not contain a from statement, the packet is considered to match and the action in the then statement of the term is taken. If a term does not contain a then statement, or if an action has not been configured in the then statement, and the packet matches the conditions in the from statement of the term, the packet is accepted. Every firewall filter contains an implicit deny statement at the end of the filter, which is equivalent to the following explicit filter term:
term implicit-rule { then discard; }
Consequently, if a packet passes through all the terms in a filter without matching any conditions, the packet is discarded. If you configure a firewall filter that has no terms, all packets that pass through the filter are discarded.
NOTE: Firewall filtering is supported on packets that are at least 48 bytes long.
Related Topics
Firewall Filters for EX-series Switches Overview on page 1041 Understanding Firewall Filter Match Conditions on page 1059 Understanding the Use of Policers in Firewall Filters on page 1063 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065
1058
Filter Match Conditions on page 1059 Numeric Filter Match Conditions on page 1059 Interface Filter Match Conditions on page 1060 IP Address Filter Match Conditions on page 1060 MAC Address Filter Match Conditions on page 1061 Bit-Field Filter Match Conditions on page 1061
Single numberA match occurs if the value of the field matches the number. For example:
source-port 25;
Text synonym for a single number A match occurs if the value of the field matches the number that corresponds to the synonym. For example:
source-port http;
1059
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
To specify more than one value in a filter term, you enter each value in its own match statement. For example, a match occurs in the following term if the value of vlan field is 10 or 30.
[edit firewall family family-name filter filter-name term term-name from] vlan 10; vlan 30;
You cannot specify a range of values. You cannot specify a list of comma-separated values. You cannot exclude a specific value in a numeric filter match condition. For example, you cannot specify a condition that would match only if the match condition was not equal to a given value.
Port and VLAN interfaces do not use logical unit numbers. However, a firewall filter that is applied to a router interface can specify the logical unit number in the interface filter match condition, for example:
[edit firewall family family-name filter filter-name term term-name from] user@host# set interface ge-0/1/0.0
You can include the * wildcard as part of the interface name, for example:
[edit firewall user@host# set user@host# set user@host# set family family-name filter filter-name term term-name from] interface ge-0/*/1 interface ge-0/1/* interface ge-*
1060
Each prefix contains an implicit 0/0 except statement, which means that any prefix that does not match the prefix that is specified is explicitly considered not to match. To specify the address prefix, use the notation prefix/prefix-length. If you omit prefix-length, it defaults to /32. For example:
[edit firewall family family-name filter filter-name term term-name from] user@host# set destination-address 10 [edit firewall family family-name filter filter-name term term-name from] user@host# show destination-address { 10.0.0.0/32; }
To specify more than one IP address in a filter term, you enter each address in its own match statement. For example, a match occurs in the following term if the value of the source-address field matches either of the following source-address prefixes:
[edit firewall family family-name filter filter-name term term-name from] user@host# set source-address 10.0.0.0/8 user@host# set source-address 10.1.0.0/16
To specify more than one MAC address in a filter term, you enter each MAC address in its own match statement. For example, a match occurs in the following term if the value of the source-mac-address field matches either of the following addresses.
[edit firewall family family-name filter filter-name term term-name from] user@host# set source-mac-address 00:11:22:33:44:55 user@host# set source-mac-address 00:11:22:33:20:15
1061
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
To specify the bit-field value to match, enclose the value in double quotation marks. For example, a match occurs if the RST bit in the TCP flags field is set:
[edit firewall family family-name filter filter-name term term-name from] user@host# set tcp-flags "rst"
Typically, you specify the bits to be tested by using keywords. Bit-field match keywords always map to a single bit value. You also can specify bit fields as hexadecimal or decimal numbers. To match multiple bit-field values, use the logical operators, which are described in Table 138 on page 1062. The operators are listed in order from highest precedence to lowest precedence. Operations are left-associative.
Table 138: Actions for Firewall Filters
Logical Operators
! & or +
To negate a match, precede the value with an exclamation point. For example, a match occurs only if the RST bit in the TCP flags field is not set:
[edit firewall family family-name filter filter-name term term-name from] user@host# set tcp-flags "!rst"
In the following example of a logical AND operation, a match occurs if the packet is the initial packet on a TCP session:
[edit firewall family family-name filter filter-name term term-name from] user@host# set tcp-flags "syn" & "!ack"
You can use text synonyms to specify some common bit-field matches. You specify these matches as a single keyword. In the following example of a text synonym, a match occurs if the packet is the initial packet on a TCP session:
[edit firewall family family-name filter filter-name term term-name from] user@host# set tcp-flags tcp-initial
Logical OR operations are not supported; however you can specify the equivalent OR functionality by specifying two of the same match conditions in a single term or in two consecutive terms. For example, in the following term, a match occurs if the packet in a TCP session is urgent or has priority :
[edit firewall family family-name filter filter-name term term-name from] user@host# set tcp-flags "urgent" user@host# set tcp-flags "push"
1062
Related Topics
Firewall Filters for EX-series Switches Overview on page 1041 Understanding How Firewall Filters Test a Packet's Protocol on page 1063 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Firewall Filter Match Conditions and Actions for EX-series Switches on page 1048
destination-portSpecify the match protocol tcp or protocol udp. source-portSpecify the match protocol tcp or protocol udp.
If you do not specify the protocol when using the preceding fields, design your filters carefully to ensure that they perform the expected matches. For example, if you specify a match of destination-port ssh, the switch deterministically matches any packets that have a value of 22 in the two-byte field that is two bytes beyond the end of the IP header without ever checking the IP protocol field.
Related Topics
Firewall Filters for EX-series Switches Overview on page 1041 Understanding Firewall Filter Match Conditions on page 1059 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065
BandwidthThe number of bits per second permitted, on average. Maximum burst sizeThe maximum size permitted for bursts of data that exceed the given bandwidth limit.
1063
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Policing uses an algorithm to enforce a limit on average bandwidth while allowing bursts up to a specified maximum value. After you name and configure a policer, it is stored as a template. You can then use a policer in a firewall filter configuration. Each policer that you configure includes an implicit counter that counts the number of packets that exceed the rate limits that are specified for the policer. To get filter or term-specific packets counts, you must configure a new policer for each filter or term that requires policing.
Related Topics
Firewall Filters for EX-series Switches Overview on page 1041 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Firewall Filter Match Conditions and Actions for EX-series Switches on page 1048
1064
Chapter 51
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches
This example shows how to configure and apply firewall filters to control traffic that is entering or exiting a port on the switch, a VLAN on the network, and a Layer 3 interface on the switch. Firewall filters define the rules that determine whether to forward or deny packets at specific processing points in the packet flow.
Requirements on page 1065 Overview on page 1066 Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP and ICMP Traffic on page 1069 Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from Disrupting VoIP Traffic on page 1075 Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic on the Employee VLAN on page 1077 Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and Peer-to-Peer Applications on the Guest VLAN on page 1079 Configuring a Router Firewall Filter to Give Priority to Egress Traffic Destined for the Corporate Subnet on page 1081 Verification on page 1083
Requirements
This example uses the following software and hardware components:
JUNOS Release 9.0 or later for EX-series switches. Two Juniper Networks EX 3200-48T switches: one to be used as an access switch, the other to be used as a distribution switch One Juniper Networks EX-UM-4SFP uplink module One Juniper Networks J-series router
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches
1065
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Before you configure and apply the firewall filters in this example, be sure you have:
An understanding of firewall filter concepts, policers, and CoS Installed the uplink module in the distribution switch. See Installing an Uplink Module in an EX 3200 or EX 4200 Switch.
Overview
This configuration example show how to configure and apply firewall filters to provide rules to evaluate the contents of packets and determine when to discard, forward, classify, count, and analyze packets that are destined for or originating from the EX-series switches that handle all voice-vlan, employee-vlan, and guest-vlan traffic. Table 139 on page 1066 shows the firewall filters that are configured for the EX-series switches in this example.
Table 139: Configuration Components: Firewall Filters
Component Purpose/Description
Assigns priority queueing to packets with a source MAC address that matches the phone MAC addresses. The forwarding class expedited-forwarding provides low loss, low delay, low jitter, assured bandwidth, and end-to-end service for all voice-vlan traffic. Performs rate limiting on packets that enter the ports for employee-vlan. The traffic rate for TCP and ICMP packets is limited to 1 Mbps with a burst size up to 30,000 bytes.
This firewall filter is applied to port interfaces on the access switch. VLAN firewall filter,
ingress-vlan-rogue-block
Prevents rogue devices from using HTTP sessions to mimic the gatekeeper device that manages call registration, admission, and call status for VoIP calls. Only TCP or UDP ports should be used; and only the gatekeeper uses HTTP. That is, all voice-vlan traffic on TCP ports should be destined for the gatekeeper device. This firewall filter applies to all phones on voice-vlan, including communication between any two phones on the VLAN and all communication between the gatekeeper device and VLAN phones. This firewall filter is applied to VLAN interfaces on the access switch.
Accepts employee-vlan traffic destined for the corporate subnet, but does not monitor this traffic. Employee traffic destined for the Web is counted and analyzed. This firewall filter is applied to vlan interfaces on the access switch.
Prevents guests (non-employees) from talking with employees or employee hosts on employee-vlan. Also prevents guests from using peer-to-peer applications on guest-vlan, but allows guests to access the Web. This firewall filter is applied to VLAN interfaces on the access switch.
Prioritizes employee-vlan traffic, giving highest forwarding-class priority to employee traffic destined for the corporate subnet. This firewall filter is applied to a routed port (Layer 3 uplink module) on the distribution switch.
1066
Overview
Figure 70 on page 1067 shows the application of port, VLAN, and Layer 3 routed firewall filters on the switch.
Figure 70: Application of Port, VLAN, and Layer 3 Routed Firewall Filters
Network Topology
The topology for this configuration example consists of one EX-3200-48T switch at the access layer, and one EX-3200-48T switch at the distribution layer. The distribution switch's uplink module is configured to support a Layer 3 connection to a J-series router. The EX-series switches are configured to support VLAN membership. Table 140 on page 1067 shows the VLAN configuration components for the VLANs.
Table 140: Configuration Components: VLANs
VLAN Name VLAN ID VLAN Subnet and Available IP Addresses 192.0.2.0/28 192.0.2.1 through 192.0.2.14 192.0.2.15 is subnets broadcast address VLAN Description
voice-vlan
10
Network Topology
1067
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
VLAN Description
employee-vlan
20
broadcast address
VLAN standalone PCs, PCs connected to the network through the hub in VoIP telephones, wireless access points, and printers. This VLAN completely includes the voice VLAN. Two VLANs (voice-vlan and employee-vlan) must be configured on the ports that connect to the telephones. VLAN for guests data devices (PCs). The scenario assumes that the corporation has an area open to visitors, either in the lobby or in a conference room, that has a hub to which visitors can plug in their PCs to connect to the Web and to their companys VPN. VLAN for the corporate security cameras.
guest-vlan
30
broadcast address
camera-vlan
40
broadcast address
Ports on the EX-series switches support Power over Ethernet (PoE) to provide both network connectivity and power for VoIP telephones connecting to the ports. Table 141 on page 1068 shows the switch ports that are assigned to the VLANs and the IP and MAC addresses for devices connected to the switch ports:
Table 141: Configuration Components: Switch Ports on a 48-Port All-PoE Switch
Switch and Port Number ge-0/0/0, ge-0/0/1 VLAN Membership
voice-vlan, employee-vlan
ge-0/0/2, ge-0/0/3
employee-vlan
1068
Network Topology
Table 141: Configuration Components: Switch Ports on a 48-Port All-PoE Switch (continued)
Switch and Port Number ge-0/0/4, ge-0/0/5 VLAN Membership
guest-vlan
Port Devices Two hubs into which visitors can plug in their PCs. Hubs are located in an area open to visitors, such as a lobby or conference room Two security cameras
ge-0/0/6, ge-0/0/7
camera-vlan
ge-0/0/9
voice-vlan
Gatekeeper device. The gatekeeper manages call registration, admission, and call status for VoIP phones. Layer 3 connection to a router; note that this is a port on the switchs uplink module
ge-0/1/0
IP address: 192.0.2.65
Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP and ICMP Traffic
To configure and apply firewall filters for port, VLAN, and router interfaces, perform these tasks:
CLI Quick Configuration
To quickly configure and apply a port firewall filter to prioritize voice traffic and rate-limit packets that are destined for the employee-vlan subnet, copy the following commands and paste them into the switch terminal window:
[edit] set firewall policer tcp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m set firewall policer tcp-connection-policer then discard set firewall policer icmp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m set firewall policer icmp-connection-policer then discard set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from source-mac-address 00.05.85.00.00.01 set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from source-mac-address 00.05.85.00.00.02 set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from protocol udp set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high then forwarding-class expedited-forwarding set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high then loss-priority low set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term network-control from precedence net-control
Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP and ICMP Traffic
1069
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term network-control then forwarding-class network-control set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term network-control then loss-priority low set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection from destination-address 192.0.2.16/28 set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection from protocol tcp set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then policer tcp-connection-policer set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then count tcp-counter set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then forwarding-class best-effort set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then loss-priority high set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection from destination-address 192.0.2.16/28 set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection from protocol icmp set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then policer icmp-connection-policer set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then count icmp-counter set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then forwarding-class best-effort set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then loss-priority high set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term best-effort then forwarding-class best-effort set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term best-effort then loss-priority high set interfaces ge-0/0/0 description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port" set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp set interfaces ge-0/0/1 description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port" set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp set class-of-service schedulers voice-high buffer-size percent 15 set class-of-service schedulers voice-high priority high set class-of-service schedulers net-control buffer-size percent 10 set class-of-service schedulers net-control priority high set class-of-service schedulers best-effort buffer-size percent 75 set class-of-service schedulers best-effort priority low set class-of-service scheduler-maps ethernet-diffsrv-cos-map forwarding-class expedited-forwarding scheduler voice-high set class-of-service scheduler-maps ethernet-diffsrv-cos-map forwarding-class network-control scheduler net-control
1070
Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP and ICMP Traffic
Step-by-Step Procedure
To configure and apply a port firewall filter to prioritize voice traffic and rate-limit packets that are destined for the employee-vlan subnet:
1.
firewall policer tcp-connection-policer if-exceeding 30k bandwidth-limit 1m firewall policer tcp-connection-policer then discard firewall policer icmp-connection-policer if-exceeding 30k bandwidth-limit 1m firewall policer icmp-connection-policer then discard
2.
3.
4.
5.
Define the term tcp-connection to configure rate limits for TCP traffic:
[edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp] user@switch# set term tcp-connection from destination-address 192.0.2.16/28 user@switch# set term tcp-connection from protocol tcp user@switch# set term tcp-connection then policer tcp-connection-policer user@switch# set term tcp-connection then count tcp-counter user@switch# set term tcp-connection then forwarding-class best-effort user@switch# set term tcp-connection then loss-priority high
6.
Define the term icmp-connection to configure rate limits for ICMP traffic:
Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP and ICMP Traffic
1071
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
[edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp] user@switch# set term icmp-connection from destination-address 192.0.2.16/28 user@switch# set term icmp-connection from protocol icmp user@switch# set term icmp-connection then policer icmp-policer user@switch# set term icmp-connection then count icmp-counter user@switch# set term icmp-connection then forwarding-class best-effort user@switch# set term icmp-connection then loss-priority high
7.
Define the term best-effort with no match conditions for an implicit match on all packets that did not match any other term in the firewall filter:
[edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp] user@switch# set term best-effort then forwarding-class best-effort user@switch# set term best-effort then loss-priority high
8.
Apply the firewall filter ingress-port-voip-class-limit-tcp-icmp as an input filter to the port interfaces for employee-vlan :
[edit interfaces] user@switch# set ge-0/0/0 description "voice priority and tcp and traffic rate-limiting filter at ingress port" user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp user@switch# set ge-0/0/1 description "voice priority and tcp and traffic rate-limiting filter at ingress port" user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp
9.
Configure the parameters that are desired for the different schedulers.
NOTE: When you configure parameters for the schedulers, define the numbers to match your network traffic patterns.
[edit class-of-service] user@switch# set schedulers voice-high buffer-size percent 15 user@switch# set schedulers voice-high priority high user@switch# set schedulers networkcontrol buffer-size percent 10 user@switch# set schedulers networkcontrol priority high user@switch# set schedulers best-effort buffer-size percent 75 user@switch# set schedulers best-effort priority low
10.
1072
Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP and ICMP Traffic
11.
Results
Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP and ICMP Traffic
1073
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
from { destination-address 192.0.2.16/28; protocol tcp; } then { policer tcp-connection-policer; count tcp-counter; forwarding-class best-effort; loss-priority high; } } term icmp-connection from { protocol icmp; } then { policer icmp-connection-policer; count icmp-counter; forwarding-class best-effort; loss-priority high; } } term best-effort { then { forwarding-class best-effort; loss-priority high; } } } } } interfaces { ge-0/0/0 { description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port"; unit 0 { family ethernet-switching { filter { input ingress-port-voip-class-limit-tcp-icmp; } } } } ge-0/0/1 { description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port"; unit 0 { family ethernet-switching { filter { input ingress-port-voip-class-limit-tcp-icmp; } } } } } scheduler-maps {
1074
Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP and ICMP Traffic
ethernet-diffsrv-cos-map { forwarding-class expedited-forwarding scheduler voice-high; forwarding-class network-control scheduler net-control; forwarding-class best-effort scheduler best-effort; } } interfaces { ge/0/1/0 { scheduler-map ethernet-diffsrv-cos-map; } }
Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from Disrupting VoIP Traffic
To configure and apply firewall filters for port, VLAN, and router interfaces, perform these tasks:
CLI Quick Configuration
To quickly configure a VLAN firewall filter on voice-vlan to prevent rogue devices from using HTTP sessions to mimic the gatekeeper device that manages VoIP traffic, copy the following commands and paste them into the switch terminal window:
[edit] set firewall family ethernet-switching filter ingress-vlan-rogue-block to-gatekeeper from destination-address 192.0.2.14 set firewall family ethernet-switching filter ingress-vlan-rogue-block to-gatekeeper from destination-port 80 set firewall family ethernet-switching filter ingress-vlan-rogue-block to-gatekeeper then accept set firewall family ethernet-switching filter ingress-vlan-rogue-block from-gatekeeper from source-address 192.0.2.14 set firewall family ethernet-switching filter ingress-vlan-rogue-block from-gatekeeper from source-port 80 set firewall family ethernet-switching filter ingress-vlan-rogue-block from-gatekeeper then accept set firewall family ethernet-switching filter ingress-vlan-rogue-block not-gatekeeper from destination-port 80 set firewall family ethernet-switching filter ingress-vlan-rogue-block not-gatekeeper then count rogue-counter set firewall family ethernet-switching filter ingress-vlan-rogue-block not-gatekeeper then discard set vlans voice-vlan description "block rogue devices on voice-vlan" set vlans voice-vlan filter input ingress-vlan-rogue-block
Step-by-Step Procedure
To configure and apply a VLAN firewall filter on voice-vlan to prevent rogue devices from using HTTP to mimic the gatekeeper device that manages VoIP traffic:
1.
Define the firewall filter ingress-vlan-rogue-block to specify filter matching on the traffic you want to permit and restrict:
[edit firewall] user@switch# set family ethernet-switching filter ingress-vlan-rogue-block
2.
Define the term to-gatekeeper to accept packets that match the destination IP address of the gatekeeper:
Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from Disrupting VoIP Traffic
1075
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
[edit firewall family user@switch# set term user@switch# set term user@switch# set term
ethernet-switching filter ingress-vlan-rogue-block] to-gatekeeper from destination-address 192.0.2.14 to-gatekeeper from destination-port 80 to-gatekeeper then accept
3.
Define the term from-gatekeeper to accept packets that match the source IP address of the gatekeeper:
[edit firewall family user@switch# set term user@switch# set term user@switch# set term ethernet-switching filter ingress-vlan-rogue-block] from-gatekeeper from source-address 192.0.2.14 from-gatekeeper from source-port 80 from-gatekeeper then accept
4.
Define the term not-gatekeeper to ensure all voice-vlan traffic on TCP ports is destined for the gatekeeper device:
[edit firewall family user@switch# set term user@switch# set term user@switch# set term ethernet-switching filter ingress-vlan-rogue-block] not-gatekeeper from destination-port 80 not-gatekeeper then count rogue-counter not-gatekeeper then discard
5.
Apply the firewall filter ingress-vlan-rogue-block as an input filter to the VLAN interface for the VoIP telephones:
[edit interfaces] user@switch# set vlans voicevlan description "block rogue devices on voice-vlan" user@switch# set vlans voicevlan filter input ingress-vlan-rogue-block
Results
1076
Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from Disrupting VoIP Traffic
} term not-gatekeeper { from { destination-port 80; } then { count rogue-counter; discard; } } } vlans { voice-vlan { description "block rogue devices on voice-vlan"; filter { input ingress-vlan-rogue-block; } } }
Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic on the Employee VLAN
To configure and apply firewall filters for port, VLAN, and router interfaces, perform these tasks:
CLI Quick Configuration
A firewall filter is configured and applied to VLAN interfaces to filter employee-vlan egress traffic. Employee traffic destined for the corporate subnet is accepted but not monitored. Employee traffic destined for the Web is counted and analyzed. To quickly configure and apply a VLAN firewall filter, copy the following commands and paste them into the switch terminal window:
[edit] set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-corp from destination-address 192.0.2.16/28 set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-corp then accept set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-web from destination-port 80 set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-web then count employee-web-counter set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-web then analyzer employee-monitor set vlans employee-vlan description "filter at egress VLAN to count and analyze employee to Web traffic" set vlans employee-vlan filter output egress-vlan-watch-employee
Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic on the Employee VLAN
1077
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Step-by-Step Procedure
To configure and apply an egress port firewall filter to count and analyze employee-vlan traffic that is destined for the Web:
1.
2.
Define the term employee-to-corp to accept but not monitor all employee-vlan traffic destined for the corporate subnet:
[edit firewall family ethernet-switching filter egress-vlan-watch-employee] user@switch# set term employee-to-corp from destination-address 192.0.2.16/28 user@switch# set term employee-to-corp then accept
3.
Define the term employee-to-web to count and monitor all employee-vlan traffic destined for the Web:
[edit firewall family ethernet-switching filter egress-vlan-watch-employee] user@switch# set term employee-to-web from destination-port 80 user@switch# set term employee-to-web then count employee-web-counter user@switch# set term employee-to-web then analyzer employee-monitor
NOTE: See Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1273 for information about configuring the employee-monitor analyzer. Apply the firewall filter egress-vlan-watch-employee as an output filter to the port interfaces for the VoIP telephones:
[edit] user@switch# set vlans employee-vlan description "filter at egress VLAN to count and analyze employee to Web traffic" user@switch# set vlans employee-vlan filter output egress-vlan-watch-employee
4.
Results
1078
Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic on the Employee VLAN
} } term employee-to-web { from { destination-port 80; } then { count employee-web-counter: analyzer employee-monitor; } } } } } vlans { employee-vlan { description "filter at egress VLAN to count and analyze employee to Web traffic"; filter { output egress-vlan-watch-employee; } } }
Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and Peer-to-Peer Applications on the Guest VLAN
To configure and apply firewall filters for port, VLAN, and router interfaces, perform these tasks:
CLI Quick Configuration
In the following example, the first filter term permits guests to talk with other guests but not employees on employee-vlan. The second filter term allows guests Web access but prevents them from using peer-to-peer applications on guest-vlan. To quickly configure a VLAN firewall filter to restrict guest-to-employee traffic, blocking guests from talking with employees or employee hosts on employee-vlan or attempting to use peer-to-peer applications on guest-vlan, copy the following commands and paste them into the switch terminal window:
[edit] set firewall family ethernet-switching filter ingress-vlan-limit-guest term guest-to-guest from destination-address 192.0.2.33/28 set firewall family ethernet-switching filter ingress-vlan-limit-guest term guest-to-guest then accept set firewall family ethernet-switching filter ingress-vlan-limit-guest term no-guest-employee-no-peer-to-peer from destination-mac-address 00.05.85.00.00.DF set firewall family ethernet-switching filter ingress-vlan-limit-guest term no-guest-employee-no-peer-to-peer then accept set vlans guest-vlan description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN" set vlans guest-vlan filter input ingress-vlan-limit-guest
Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and Peer-to-Peer Applications on the Guest VLAN
1079
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Step-by-Step Procedure
To configure and apply a VLAN firewall filter to restrict guest-to-employee traffic and peer-to-peer applications on guest-vlan:
1.
2.
Define the term guest-to-guest to permit guests on the guest-vlan to talk with other guests but not employees on the employee-vlan:
[edit firewall family ethernet-switching filter ingress-vlan-limit-guest] user@switch# set term guest-to-guest from destination-address 192.0.2.33/28 user@switch# set term guest-to-guest then accept
3.
Define the term no-guest-employee-no-peer-to-peer to allow guests on guest-vlan Web access but prevent them from using peer-to-peer applications on the guest-vlan.
NOTE: The destination-mac-address is the default gateway, which for any host in a VLAN is the next-hop router.
[edit firewall family ethernet-switching filter ingress-vlan-limit-guest] user@switch# set term no-guest-employee-no-peer-to-peer from destination-mac-address 00.05.85.00.00.DF user@switch# set term no-guest-employee-no-peer-to-peer then accept
4.
Apply the firewall filter ingress-vlan-limit-guest as an input filter to the interface for guest-vlan :
[edit] user@switch# set vlans guest-vlan description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN" user@switch# set vlans guest-vlan filter input ingress-vlan-limit-guest
Results
1080
Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and Peer-to-Peer Applications on the Guest VLAN
from { destination-mac-address 00.05.85.00.00.DF; } then { accept; } } } } } vlans { guest-vlan { description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN"; filter { input ingress-vlan-limit-guest; } } }
Configuring a Router Firewall Filter to Give Priority to Egress Traffic Destined for the Corporate Subnet
To configure and apply firewall filters for port, VLAN, and router interfaces, perform these tasks:
CLI Quick Configuration
To quickly configure a firewall filter for a routed port (Layer 3 uplink module) to filter employee-vlan traffic, giving highest forwarding-class priority to traffic destined for the corporate subnet, copy the following commands and paste them into the switch terminal window:
[edit] set firewall family inet filter egress-router-corp-class term corp-expedite from destination-address 192.0.2.16/28 set firewall family inet filter egress-router-corp-class term corp-expedite then forwarding-class expedited-forwarding set firewall family inet filter egress-router-corp-class term corp-expedite then loss-priority low set firewall family inet filter egress-router-corp-class term not-to-corp then accept set interfaces ge-0/1/0 description "filter at egress router to expedite destined for corporate network" set ge-0/1/0 unit 0 family inet source-address 103.104.105.1 set interfaces ge-0/1/0 unit 0 family inet filter output egress-router-corp-class
Step-by-Step Procedure
To configure and apply a firewall filter to a routed port (Layer 3 uplink module) to give highest priority to employee-vlan traffic destined for the corporate subnet:
1.
2.
Configuring a Router Firewall Filter to Give Priority to Egress Traffic Destined for the Corporate Subnet
1081
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
[edit firewall] user@switch# set family inet filter egress-router-corp-class term corp-expedite from destination-address 192.0.2.16/28 user@switch# set family inet filter egress-router-corp-class term corp-expedite then forwarding-class expedited-forwarding user@switch# set family inet filter egress-router-corp-class term corp-expedite then loss-priority low
3.
4.
Apply the firewall filter egress-router-corp-class as an output filter for the port on the switch's uplink module, which provides a Layer 3 connection to a router:
[edit interfaces] user@switch# set ge-0/1/0 description "filter at egress router to expedite employee traffic destined for corporate network" user@switch# set ge-0/1/0 unit 0 family inet source-address 103.104.105.1 user@switch# set ge-0/1/0 unit 0 family inet filter output egress-router-corp-class
Results
1082
Configuring a Router Firewall Filter to Give Priority to Egress Traffic Destined for the Corporate Subnet
Verification
To confirm that the firewall filters are working properly, perform the following tasks:
Verifying that Firewall Filters and Policers are Operational on page 1083 Verifying that Schedulers and Scheduler-Maps are Operational on page 1083
Verify the operational state of the firewall filters and policers that are configured on the switch. Use the operational mode command:
user@switch> show firewall Filter: ingress-port-voip-class-limit-tcp-icmp Counters: Name icmp-counter tcp-counter Policers: Name icmp-connection-policer tcp-connection-policer Filter: ingress-vlan-rogue-block Filter: egress-vlan-watch-employee Counters: Name employee-webcounter
Action
Packets 0 0 Packets 0 0
Packets 0
Meaning
The show firewall command displays the names of the firewall filters, policers, and counters that are configured on the switch. The output fields show byte and packet counts for all configured counters and the packet count for all policers.
Verify that schedulers and scheduler-maps are operational on the switch. Use the operational mode command:
user@switch> show class-of-service scheduler-map
Verification
1083
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Scheduler: default-be, Forwarding class: Transmit rate: 95 percent, Rate Limit: Priority: low Drop profiles: Loss priority Protocol Index Low non-TCP 1 Low TCP 1 High non-TCP 1 High TCP 1
Scheduler: default-nc, Forwarding class: network-control, Index: 22 Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent, Priority: low Drop profiles: Loss priority Protocol Index Name Low non-TCP 1 default-drop-profile Low TCP 1 default-drop-profile High non-TCP 1 default-drop-profile High TCP 1 default-drop-profileScheduler map: ethernet-diffsrv-cos-map, Index: 21657 Scheduler: best-effort, Forwarding class: best-effort, Index: 61257 Transmit rate: remainder, Rate Limit: none, Buffer size: 75 percent, Priority: low Drop profiles: Loss priority Protocol Index Name Low non-TCP 1 <default-drop-profile> Low TCP 1 <default-drop-profile> High non-TCP 1 <default-drop-profile> High TCP 1 <default-drop-profile> Scheduler: voice-high, Forwarding class: expedited-forwarding, Index: 3123 Transmit rate: remainder, Rate Limit: none, Buffer size: 15 percent, Priority: high Drop profiles: Loss priority Protocol Index Name Low non-TCP 1 <default-drop-profile> Low TCP 1 <default-drop-profile> High non-TCP 1 <default-drop-profile> High TCP 1 <default-drop-profile> Scheduler: net-control, Forwarding class: network-control, Index: 2451 Transmit rate: remainder, Rate Limit: none, Buffer size: 10 percent, Priority: high Drop profiles: Loss priority Protocol Index Name Low non-TCP 1 <default-drop-profile> Low TCP 1 <default-drop-profile> High non-TCP 1 <default-drop-profile> High TCP 1 <default-drop-profile>
Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1279 Example: Configuring CoS on EX-series Switches on page 1153 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092
1084
Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1096 Firewall Filter Match Conditions and Actions for EX-series Switches on page 1048 [edit firewall] Configuration Statement Hierarchy on page 31
1085
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1086
Chapter 52
Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092 Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1096 Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure) on page 1099
Configuring a Firewall Filter on page 1087 Applying a Firewall Filter to a Port on a Switch on page 1090 Applying a Firewall Filter to a VLAN on a Network on page 1091 Applying a Firewall Filter to a Layer 3 (Routed) Interface on page 1091
1087
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1.
For a firewall filter that is applied to a port or VLAN, specify the family address type ethernet-switching (or bridge) to filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets, for example:
[edit firewall] user@switch# set family ethernet-switching
For a firewall filter that is applied to a Layer 3 (routed) interface, specify the family address type inet to filter IPv4 packets, for example:
[edit firewall] user@switch# set family inet
2.
The filter name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. Each filter name must be unique.
3.
The term name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. A firewall filter can contain one or more terms. Each term name must be unique within a filter.
NOTE: For EX-series switches, the number of terms allowed per firewall filter cannot exceed 2048. If you attempt to configure a firewall filter that exceeds this limit, the switch returns the following message after the commit operation:
Number of filter terms 2048 exceeded: Only 2048 terms can be defined.
4.
In each firewall filter term, specify the match conditions to use to match components of a packet. To specify match conditions to match on packets that contain a specific source-address and source-portfor example:
[edit firewall family ethernet-switching filter ingress-port-filter term term-one]
1088
You can specify one or more match conditions in a single from statement. For a match to occur, the packet must match all the conditions in the term. The from statement is optional, but if included in a term, the from statement cannot be empty. If you omit the from statement, all packets are considered to match.
5.
In each firewall filter term, specify the actions to take if the packet matches all the conditions in that term. You can specify an action and/or action modifiers:
To specify a filter action, for example, to discard packets that match the conditions of the filter term:
[edit firewall family ethernet-switching filter ingress-port-filter term term-one] user@switch# set then discard
You can specify no more than one action (accept or discard) per filter term.
To specify action modifiers, for example, to count and classify packets in a forwarding class:
[edit firewall family ethernet-switching filter ingress-port-filter term term-one] user@switch# set then count counter-one user@switch# set then forwarding-class expedited-forwarding
You can specify any of the following action modifiers in a then statement:
analyzer analyzer-nameMirror port traffic to a specified destination port or VLAN that is connected to a protocol analyzer application. An analyzer must be configured under the ethernet-switching family address type.
For information, see Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1285.
term.
NOTE: We recommend that you configure a counter for each term in a firewall filter, so that you can monitor the number of packets that match the conditions specified in each filter term.
1089
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
loss-priority prioritySet the priority of dropping a packet. policer policer-nameApply rate-limiting to the traffic.
If you omit the then statement or do not specify an action, packets that match all the conditions in the from statement are accepted. However, you should always explicitly configure an action and/or action modifier in the then statement. You can include no more than one action statement, but any combination of action modifiers. For an action or action modifier to take effect, all conditions in the from statement must match.
NOTE: Implicit discard is also applicable to a firewall filter applied to the loopback interface, lo0.
Specify the interface name and provide a meaningful description of the firewall filter and the interface to which the filter is applied:
[edit interfaces] user@switch# set ge-0/0/1 description "filter to limit tcp traffic filter at trunk port for employee-vlan and voice-vlan"
2.
Specify the unit number and family address type for the interface:
[edit interfaces] user@switch# set ge-0/0/1 unit 0 family ethernet-switching
For firewall filters that are applied to ports, the family address type must be ethernet-switching (or bridge).
3.
You cannot apply a firewall filter to filter packets that are exiting ports.
NOTE: You can apply no more than one firewall filter per ingress port.
1090
Specify the VLAN name and VLAN ID and provide a meaningful description of the firewall filter and the VLAN to which the filter is applied:
[edit vlans] user@switch# set employeevlan vlan 20 vlan-description "filter to rate limit traffic on employee-vlan"
2.
Apply firewall filters to filter packets that are entering or exiting a VLAN:
To apply a firewall filter to filter packets that are entering the VLAN:
[edit vlans] user@switch# set employee-vlan vlan 20 filter input ingress-vlan-filter
To apply a firewall filter to filter packets that are exiting the VLAN:
[edit vlans] user@switch# set employee-vlan vlan 20 filter output egress-vlan-filter
NOTE: You can apply no more than one firewall filter per VLAN, per direction.
Specify the interface name and provide a meaningful description of the firewall filter and the interface to which the filter is applied:
[edit interfaces] user@switch# set ge-0/1/0 description "filter to count and monitor employeevlan traffic on layer 3 interface"
2.
Specify the unit number, family address type, and address for the interface:
[edit interfaces] user@switch# set ge-0/1/0 unit 0 family inet source-address 10.10.10.1/24
For firewall filters applied to Layer 3 routed interfaces, the family address type must be inet.
3.
You can apply firewall filters to filter packets that are entering or exiting a Layer 3 routed interface:
To apply a firewall filter to filter packets that are entering a Layer 3 interface:
1091
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
[edit interfaces] user@switch# set ge-0/1/0 unit 0 family inet source-address 10.10.10.1/24 filter input ingress-router-filter
To apply a firewall filter to filter packets that are exiting a Layer 3 interface, include the filter input statement, for example:
[edit interfaces] user@switch# set ge-0/1/0 unit 0 family inet source-address 10.10.10.1/24 filter output egress-router-filter
NOTE: You can apply no more than one firewall filter per Layer 3 interface, per direction.
NOTE: Ingress firewall filters applied to the loopback interface, lo0, affect all inbound traffic destined for the CPU.
Related Topics
Configuring Firewall Filters (J-Web Procedure) on page 1092 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Verifying That Firewall Filters Are Operational on page 1101 Monitoring Firewall Filter Traffic on page 1102 Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1096 Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure) on page 1099 Firewall Filter Match Conditions and Actions for EX-series Switches on page 1048 Firewall Filters for EX-series Switches Overview on page 1041
Select Configure > Security > Filters. The Firewall Filter Configuration screen displays a list of all configured VLAN or router filters and the ports or VLANs associated with a particular filter.
2.
Click one:
1092
AddSelect this option to create a new filter. Enter information as specified in Table 142 on page 1093. EditSelect this option to edit an existing filter settings. Enter information as specified in Table 142 on page 1093. DeleteSelect this option to delete a filter. Term UpSelect this option to move a term up in the filter term list. Term DownSelect this option to move a term down in the filter term list.
Enter a name. Click Add to add new terms. Enter information as specified in Table 143 on page 1093.
Association tab Port Associations Specifies the ports with which the filter is associated. NOTE: For a Port/VLAN filter type only Ingress direction is supported for port association.
1. 2. 3. 4.
Click Add. Select the direction: Ingress or Egress. Select the ports. Click OK. Click Add. Select the direction: Ingress or Egress. Select the VLANs. Click OK.
VLAN Associations
Specifies the VLANs with which the filter is associated. NOTE: Because Router firewall filters can be associated with ports only, this section is not displayed for a Router firewall filter.
1. 2. 3. 4.
1. 2. 3.
1093
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Your Action Click Edit to enter the IP address and select the ports for the source and destination.
Accept Discard
More
Select the Match conditions as specified in Table 144 on page 1094. Select the packet actions for the term as specified in Table 144 on page 1094.
ICMP Code
Select one:
Fragment Flags
Specifies the IP fragmentation flags. NOTE: Fragment flags is supported on ingress ports, VLANs, and router interfaces.
TCP Flags
Specifies one or more TCP flags. NOTE: TCP flags is supported on ingress ports, VLANs, and router interfaces.
IP Precedence
Specifies IP precedence. The options are: assured forwarding, best-effort, expedited-forwarding, network-control. NOTE: IP precedence and DSCP number cannot be specified together for the same term.
Interface
1094
Arp Dot 1q
dot1q-tag
Specifies the tag field in the Ethernet header. Values can be from 1 through 4095. NOTE: This option is not applicable for a Routing filter.
Specifies the user-priority field of the tagged Ethernet packet. User-priority values can be 07. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed)
background (1)Background best-effort (0)Best effort controlled-load (4)Controlled load excellent-load (3)Excellent load network-control (7)Network control reserved traffic standard (2)Standard or Spare video (5)Video voice (6)Voice
NOTE: This option is not applicable for a Routing filter. DSCP Number Specifies the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP. Specifies the VLAN to be associated. NOTE: This option is not applicable for a Routing filter. TTL Value Specifies the time-to-live value. NOTE: This option is applicable for a Routing filter. Packet Length Specifies the length of the packet. NOTE: This option is applicable for a Routing filter. Action Counter Name Specifies the count of the number of packets that pass this filter, term, or policer. Enter a value. Enter a value. Enter a value. Select the DSCP number from the list.
Select VLAN
1095
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Loss Priority
Specifies the Packet Loss Priority. NOTE: Forwarding Class and Loss Priority should be specified together for the same term.
Analyzer
Specifies whether to perform port-mirroring on packets. Port-mirroring copies all packets seen on one switch port to a network monitoring connection on another switch port.
Related Topics
Configuring Firewall Filters (CLI Procedure) on page 1087 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Verifying That Firewall Filters Are Operational on page 1101 Firewall Filters for EX-series Switches Overview on page 1041
A maximum of 512 policers can be configured for port firewall filters. A maximum of 512 policers can be configured for VLAN and Layer 3 firewall filters.
If the policer configuration exceeds these limits, the switch returns the following message after the commit operation:
Cannot assign policers: Max policer limit reached
1096
1. Configuring Policers on page 1097 2. Specifying Policers in a Firewall Filter Configuration on page 1098 3. Applying a Firewall Filter That Is Configured with a Policer on page 1098
Configuring Policers
To configure a policer:
1.
The policer name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long.
2.
Specify the bandwidth limit in bits per second (bps) to control the traffic rate on an interface:
[edit firewall policer policer-one] user@switch# set if-exceeding bandwidth-limit 300k
Specify the maximum allowed burst size to control the amount of traffic bursting:
[edit firewall policer policer-one] user@switch# set if-exceeding burst-size-limit 500k
To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur: burst size = bandwidth * allowable time for burst traffic The range for the burst-size limit is 1 through 2,147,450,880 bytes.
3.
Specify the policer action discard to discard packets that exceed the rate limits:
[edit firewall policer] user@switch# set policer-one then discard
Configuring Policers
1097
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: You can include policer actions on ingress firewall filters only.
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092 Verifying That Policers Are Operational on page 1102 Understanding the Use of Policers in Firewall Filters on page 1063
1098
Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure)
You can configure firewall filters with multifield classifiers to classify packets transiting a port, VLAN, or Layer 3 interface on an EX-series switch. You specify multifield classifiers in a firewall filter configuration to set the forwarding class and packet loss priority (PLP) for incoming or outgoing packets. By default, the data traffic that is not classified is assigned to the best-effort class associated with queue 0. You can specify any of the following default forwarding classes:
Queue 0 1 5 7
Configure the family name and filter name for the filter at the [edit firewall] hierarchy level, for example:
[edit firewall] user@switch# set family ethernet-switching user@switch# set family ethernet-switching filter ingress-filter
2.
Configure the terms of the filter, including the forwarding-class and loss-priority action modifiers as appropriate. When you specify a forwarding class you must also specify the packet loss priority. For example, each of the following terms examines different packet header fields and assigns an appropriate classifier and the packet loss priority:
The term voice-traffic matches packets on the voice-vlan and assigns the forwarding class expedited-forwarding and packet loss priority low:
[edit firewall family ethernet-switching filter ingress-filter] user@switch# set term voice-traffic from vlan-id voice-vlan user@switch# set term voice-traffic then forwarding-class expedited-forwarding user@switch# set term voice-traffic then loss-priority low
The term data-traffic matches packets on employee-vlan and assigns the forwarding class assured-forwarding and packet loss priority low:
[edit firewall family ethernet-switching filter ingress-filter] user@switch# set term data-traffic from vlan-id employee-vlan
Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure)
1099
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@switch# set term data-traffic then forwarding-class assured-forwarding user@switch# set term data-traffic then loss-priority low
Because loss of network-generated packets can jeopardize proper network operation, delay is preferable to discard of packets. The following term, network-traffic, assigns the forwarding class network-control and packet loss priority low:
[edit firewall family user@switch# set term user@switch# set term user@switch# set term ethernet-switching filter ingress-filter] network-traffic from precedence net-control network-traffic then forwarding-class network network-traffic then loss-priority low
The last term accept-traffic matches any packets that did not match on any of the preceding terms and assigns the forwarding class best-effort and packet loss priority low:
[edit firewall family user@switch# set term user@switch# set term user@switch# set term ethernet-switching filter ingress-filter] accept-traffic from precedence net-control accept-traffic then forwarding-class best-effort accept-traffic then loss-priority low
3.
Apply the filter ingress-filter to a port, VLAN or Layer 3 interface. For information about applying the filter, see Configuring Firewall Filters (CLI Procedure) on page 1087. Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Verifying That Firewall Filters Are Operational on page 1101 Monitoring Firewall Filter Traffic on page 1102 Defining CoS Classifiers (CLI Procedure) on page 1175 Defining CoS Classifiers (J-Web Procedure) on page 1176 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092
Related Topics
1100
Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure)
Chapter 53
Verifying That Firewall Filters Are Operational on page 1101 Verifying That Policers Are Operational on page 1102 Monitoring Firewall Filter Traffic on page 1102
After you configure and apply firewall filters to ports, VLANs, or Layer 3 interfaces, you can perform the following task to verify that the firewall filters configured on EX-series switches are working properly. Use the operational mode command to verify that the firewall filters on the switch are working properly:
user@switch> show firewall Filter: egress-vlan-watch-employee Counters: Name counter-employee-web Filter: ingress-port-voip-class-limit-tcp-icmp Counters: Name icmp-counter Policers: Name icmp-connection-policer tcp-connection-policer Filter: ingress-vlan-rogue-block Filter: ingress-vlan-limit-guest
Action
Bytes 0
Packets 0
Bytes 0 Packets 0 0
Packets 0
Meaning
The show firewall command displays the names of all firewall filters, policers, and counters that are configured on the switch. For each counter that is specified in a filter configuration, the output field shows the byte count and packet count for the term in which the counter is specified. For each policer that is specified in a filter configuration, the output field shows the packet count for packets that exceed the specified rate limits.
Related Topics
Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092 Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1096
1101
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Monitoring Firewall Filter Traffic on page 1102
After you configure policers and include them in firewall filter configurations, you can perform the following tasks to verify that the policers configured on EX-series switches are working properly. Use the operational mode command to verify that the policers on the switch are working properly:
user@switch> show policer Filter: egress-vlan-watch-employee Filter: ingress-port-filter Filter: ingress-port-voip-class-limit-tcp-icmp Policers: Name icmp-connection-policer tcp-connection-policer Filter: ingress-vlan-rogue-block Filter: ingress-vlan-limit-guest
Action
Packets 0 0
Meaning
The show policer command displays the names of all firewall filters and policers that are configured on the switch. For each policer that is specified in a filter configuration, the output field shows the current packet count for all packets that exceed the specified rate limits.
Related Topics
Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1096 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Monitoring Firewall Filter Traffic on page 1102
Monitoring Traffic for All Firewall Filters and Policers That Are Configured on the Switch on page 1103 Monitoring Traffic for a Specific Firewall Filter on page 1103 Monitoring Traffic for a Specific Policer on page 1103
1102
Monitoring Traffic for All Firewall Filters and Policers That Are Configured on the Switch
Purpose
Perform the following task to monitor the number of packets and bytes that matched the firewall filters and monitor the number of packets that exceeded policer rate limits: Use the operational mode command:
user@switch> show firewall Filter: egress-vlan-watch-employee Counters: Name counter-employee-web Filter: ingress-port-voip-class-limit-tcp-icmp Counters: Name icmp-counter Policers: Name icmp-connection-policer tcp-connection-policer Filter: ingress-vlan-rogue-block Filter: ingress-vlan-limit-guest
Action
Bytes 3348
Packets 27
Packets 49
Meaning
The show firewall command displays the names of all firewall filters, policers, and counters that are configured on the switch. The output fields show byte and packet counts for counters and packet count for policers.
Perform the following task to monitor the number of packets and bytes that matched a firewall filter and monitor the number of packets that exceeded the policer rate limits. Use the operational mode command:
user@switch> show firewall filter ingress-vlan-rogue-block Filter: ingress-vlan-rogue-block Counters: Name Bytes rogue-counter 2308
Action
Packets 20
Meaning
The show firewall filter filter-name command displays the name of the firewall filter, the packet and byte count for all counters configured with the filter, and the packet count for all policers configured with the filter.
Perform the following task to monitor the number of packets that exceeded policer rate limits: Use the operational mode command:
user@switch> show policer tcp-connection-policer
Action
Monitoring Traffic for All Firewall Filters and Policers That Are Configured on the Switch
1103
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Packets 0
Meaning
The show policer policer-name command displays the name of the firewall filter that specifies the policer-action and displays the number of packets that exceeded rate limits for the specified filter.
Related Topics
Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092 Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1096 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Verifying That Firewall Filters Are Operational on page 1101
1104
Chapter 54
When a firewall filter configuration exceeds the amount of available TCAM space, the switch returns the following syslogd message:
No space available in tcam. Rules for filter filter-name will not be installed.
The switch returns this message during the commit operation if the firewall filter that has been applied to a port, VLAN, or Layer 3 interface exceeds the amount of available TCAM space. However, the commit operation for the firewall filter configuration is completed in the CLI module.
Solution
When a firewall filter configuration exceeds the amount of available TCAM table space, you must configure a new firewall filter with fewer filter terms so that the space requirements for the filter do not exceed the available space in the TCAM table. You can perform either of the following procedures to correct the problem: To delete the firewall filter and its bind points and apply the new smaller firewall filter to the same bind points:
1.
Delete the firewall filter configuration and the bind points to ports, VLANs, or Layer 3 interfacesfor example:
[edit] user@switch# delete firewall family ethernet-switching filter filter-ingress-vlan user@switch# delete vlans voice-vlan description "filter to block rogue devices on voice-vlan" user@switch# delete vlans voice-vlan filter input mini-filteringress-vlan
2.
1105
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
3.
Configure a smaller filter with fewer terms that does not exceed the amount of available TCAM space on the switchfor example:
[edit] user@switch# set firewall family ethernet-switching filter newfilter-ingress-vlan ...
4.
Apply (bind) the new firewall filter to a port, VLAN , or Layer 3 interfacefor example:
[edit] user@switch# set vlans voice-vlan description "filter to block rogue devices on voice-vlan" user@switch# set vlans voice-vlan filter input new-filteringress-vlan
5.
To apply a new firewall filter and overwrite the existing bind points:
1.
Configure a firewall filter with fewer terms than the original filter:
[edit] user@switch# set firewall family ethernet-switching filter new-filter-ingress-vlan...
2.
Apply the firewall filter to the port, VLAN, or Layer 3 interfaces to overwrite the bind points of the original filterfor example:
[edit] user@switch# set vlans voice-vlan description "smaller filter to block rogue devices on voice-vlan" user@switch# set vlans voice-vlan filter input new-filter-ingress-vlan
3.
Only the original bind points, and not the original firewall filter itself, are deleted.
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Verifying That Firewall Filters Are Operational on page 1101
1106
Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092
1107
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1108
Chapter 55
[edit firewall] Configuration Statement Hierarchy on page 1109 Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches on page 1110
Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches on page 1110 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Firewall Filters (CLI Procedure) on page 1087
1109
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1096 Firewall Filters for EX-series Switches Overview on page 1041
Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches
You configure firewall filters to filter packets based on their components and to perform an action on packets that match the filter. Table 145 on page 1110 lists the options that are supported for the firewall statement in JUNOS Software for EX-series switches.
Table 145: Supported Options for Firewall Filter Statements
Statement and Option family family-name { } Description The family-name option specifies the version or type of addressing protocol:
filter filter-name { }
The filter-name option identifies the filter. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the name in quotation marks (" " ). The term-name option identifies the term. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (" " ). Each term name must be unique within a filter. The from statement is optional. If you omit it, all packets are considered to match.
term term-name { }
For information about the action and action-modifiers options, see Firewall Filter Match Conditions and Actions for EX-series Switches on page 1048.
The policer-name option identifies the policer. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the name in quotation marks (" " ).
1110
Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches
Range: 1000 (1k) through 102,300,000,000 (102.3g) bps The burst-size-limit bytes option specifies the maximum allowed burst size to control the amount of traffic bursting. To determine the value for the burst-size limit, you can multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur: burst size = bandwidth * allowable time for burst traffic You can specify a decimal value or a decimal number followed by k (thousand) or m (million). Range: 1 through 2,147,450,880 bytes then { policer-action } Use the policer-action option to specify discard to discard traffic that exceeds the rate limits.
JUNOS software for EX-series switches does not support some of the firewall filter statements that are supported by other JUNOS software packages. Table 146 on page 1112 shows the firewall filter statements that are not supported by JUNOS Software for EX-series switches.
Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches
1111
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 146: Firewall Filter Statements That Are Not Supported byJUNOS Software for EX-series switches
Statements not supported
bandwidth-percent number;
Related Topics
Firewall Filter Match Conditions and Actions for EX-series Switches on page 1048 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1096 Firewall Filters for EX-series Switches Overview on page 1041
1112
Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches
bandwidth-limit
Syntax Hierarchy Level Release Information Description Options
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify the traffic rate in bits per second.
bps Traffic rate to be specified in bits per second. Specify bps as a decimal value
k (thousand) m (million) g (billion, which is also called a thousand million) Range: 1000 (1k) through 102,300,000,000 (102.3g) bps
firewallTo view this statement in the configuration. firewall-controlTo add this statement to the configuration.
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1096 Understanding the Use of Policers in Firewall Filters on page 1063
burst-size-limit
Syntax Hierarchy Level Release Information Description Options Required Privilege Level Related Topics
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify the maximum allowed burst size to control the amount of traffic bursting.
bytes Decimal value or a decimal number followed by k (thousand) or m (million).
Range: 1 through 2,147,450,880 bytes firewallTo view this statement in the configuration. firewall-controlTo add this statement to the configuration.
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1096 Understanding the Use of Policers in Firewall Filters on page 1063
bandwidth-limit
1113
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
family
Syntax
family family-name { filter filter-name { term term-name { from { match-conditions; } then { action; action-modifiers; } } } } [edit firewall]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure a firewall filter for IP version 4.
family-name Version or type of addressing protocol:
bridgeFilter Layer 2 (Ethernet) packets and Layer 3 (IP) packets. ethernet-switchingFilter Layer 2 (Ethernet) packets and Layer 3 (IP) packets. inetFilter IPv4 packets.
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Firewall Filter Match Conditions and Actions for EX-series Switches on page 1048 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092 Firewall Filters for EX-series Switches Overview on page 1041
1114
family
filter
Syntax
filter filter-name { term term-name { from { match-conditions; } then { action; action-modifiers; } } } [edit firewall family family-name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure firewall filters.
filter-name Name that identifies the filter. The name can contain letters, numbers,
and hyphens (-), and can be up to 64 characters long. To include spaces in the name, enclose it in quotation marks. The remaining statements are explained separately.
Required Privilege Level Related Topics
firewallTo view this statement in the configuration. firewall-controlTo add this statement to the configuration.
Firewall Filter Match Conditions and Actions for EX-series Switches on page 1048 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092 Firewall Filters for EX-series Switches Overview on page 1041
filter
1115
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
filter
Syntax Hierarchy Level Release Information Description
filter (input | output) filter-name; [edit interfaces ge-chassis/slot/port unit logical-unit-number family family-name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Apply a firewall filter to traffic entering the port or Layer 3 interface or exiting the Layer 3 interface. All incoming traffic is accepted unmodified on the port or Layer 3 interface, and all outgoing traffic is sent unmodified from the port or Layer 3 interface.
filter-name Name of a firewall filter defined in the filter statement.
Default
Options
inputApply a firewall filter to traffic entering the port or Layer 3 interface. outputApply a firewall filter to traffic exiting the Layer 3 interface.
interfaceTo view this statement in the configuration. interface-controlTo add this statement to the configuration.
Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 321 Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 317 JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092 Firewall Filters for EX-series Switches Overview on page 1041 JUNOS Software Network Interfaces Configuration Guide at www.juniper.net/techpubs/software/junos/
1116
filter
from
Syntax
from { match-conditions; } [edit firewall family family-name filter filter-name term term-name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Match packet fields to values specified in a match condition. If the from statement is not included in a firewall filter configuration, all packets are considered to match and the actions and action modifiers in the then statement are taken.
match-conditions Conditions that define the values or fields that the incoming or
Options
outgoing packets must contain for a match. You can specify one or more match conditions. If you specify more than one, they all must match for a match to occur and for the action in the then statement to be taken.
Required Privilege Level Related Topics
firewallTo view this statement in the configuration. firewall-controlTo add this statement to the configuration.
Firewall Filter Match Conditions and Actions for EX-series Switches on page 1048 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092 Understanding Firewall Filter Match Conditions on page 1059
from
1117
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
if-exceeding
Syntax
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure policer rate limits. The remaining statements are explained separately.
firewallTo view this statement in the configuration. firewall-controlTo add this statement to the configuration.
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1096 Understanding the Use of Policers in Firewall Filters on page 1063
1118
if-exceeding
policer
Syntax
policer policer-name { if-exceeding { bandwidth-limit bps; burst-size-limit bytes; } then { policer-action; } } [edit firewall]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure policer rate limits and actions. To activate a policer, you must include the policer action modifier in the then statement in a firewall filter term. Each policer that you configure includes an implicit counter. To ensure term-specific packet counts, you configure a policer for each term in the filter that requires policing.
policer-name Name that identifies the policer. The name can contain letters,
Options
numbers, hyphens (-), and can be up to 64 characters long. The remaining statements are explained separately.
Required Privilege Level Related Topics
firewallTo view this statement in the configuration. firewall-controlTo add this statement to the configuration.
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1096 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092 Understanding the Use of Policers in Firewall Filters on page 1063
policer
1119
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
term
Syntax
term term-name { from { match-conditions; } then { action; action-modifiers; } } [edit firewall family family-name filter filter-name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Define a firewall filter term.
term-name Name that identifies the term. The name can contain letters, numbers,
and hyphens (-), and can be up to 64 characters long. To include spaces in the name, enclose it in quotation marks. The remaining statements are explained separately.
Required Privilege Level Related Topics
firewallTo view this statement in the configuration. firewall-controlTo add this statement to the configuration.
Firewall Filter Match Conditions and Actions for EX-series Switches on page 1048 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092 Firewall Filters for EX-series Switches Overview on page 1041
1120
term
then
Syntax
then { action; action-modifiers; } [edit firewall family family-name filter filter-name term term-name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure a filter action.
action Actions to accept or discard packets that match all match conditions specified
in a filter term.
action-modifiers Additional actions to analyze, classify, count, or police packets that
firewallTo view this statement in the configuration. firewall-controlTo add this statement to the configuration.
Firewall Filter Match Conditions and Actions for EX-series Switches on page 1048 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092 Understanding Firewall Filter Match Conditions on page 1059
then
1121
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
then
Syntax
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure a policer action.
policer-action Allowed policer action is discard, which discards traffic that exceeds
firewallTo view this statement in the configuration. firewall -controlTo add this statement to the configuration.
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1096 Configuring Firewall Filters (CLI Procedure) on page 1087 Configuring Firewall Filters (J-Web Procedure) on page 1092 Understanding the Use of Policers in Firewall Filters on page 1063
1122
then
Chapter 56
1123
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
clear firewall
Syntax
Command introduced in JUNOS Release 9.0 for EX-series switches. Clear statistics about configured firewall filters.
noneClear the packet and byte counts for all firewall filter counters and clear the
filter.
Required Privilege Level Related Topics
clear
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Verifying That Firewall Filters Are Operational on page 1101 Verifying That Policers Are Operational on page 1102 Firewall Filters for EX-series Switches Overview on page 1041 Understanding the Use of Policers in Firewall Filters on page 1063
clear firewall (all) clear firewall (counter counter-name) clear firewall (filter filter-name)
1124
clear firewall
show firewall
Syntax
Command introduced in JUNOS Release 9.0 for EX-series switches. Display statistics about configured firewall filters.
noneDisplay statistics about all configured firewall filters, counters, and policers. counter counter-name (Optional) Display statistics about a particular firewall filter
counter.
filter filter-name (Optional) Display statistics about a particular firewall filter.
Required Privilege Level Related Topics
view
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Verifying That Firewall Filters Are Operational on page 1101 Verifying That Policers Are Operational on page 1102 Firewall Filters for EX-series Switches Overview on page 1041 Understanding the Use of Policers in Firewall Filters on page 1063
show firewall on page 1126 show firewall (filter filter-name) on page 1126 show firewall (counter counter-name) on page 1126 Table 42 on page 1306 lists the output fields for the show firewall command. Output fields are listed in the approximate order in which they appear.
Output Fields
Field Description Name of the filter that is configured with the filter statement at the [edit firewall] hierarchy level. Display filter counter information:
Counters
All levels
NameName of a filter counter that has been configured with the counter firewall filter action BytesNumber of bytes that match the filter term where the counter action was specified. PacketsNumber of packets that matched the filter term where the counter action was specified.
show firewall
1125
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NameName of policer. PacketsNumber of packets that matched the filter term where the policer action was specified. This is the number of packets that exceed the rate limits that the policer specifies.
show firewall
user@host> show firewall Filter: egress-vlan-filter Counters: Name employee-web-counter Filter: ingress-port-filter Counters: Name ingress-port-counter Filter: ingress-port-voip-class-filter Counters: Name icmp-counter Policers: Name icmp-connection-policer tcp-connection-policer
Bytes 0
Packets 0
Bytes 0
Packets 0
Bytes 0 Packets 0 0
Packets 0
user@host> show firewall filter egress-vlan-filter Filter: egress-vlan-filter Counters: Name employee-web-counter user@host> show firewall counter icmp-counter Filter: ingress-port-voip-class-filter Counters: Name icmp-counter
Bytes 0
Packets 0
Bytes 0
Packets 0
1126
show firewall
Command introduced in JUNOS Release 9.0 for EX-series switches. Display firewall filters that are configured on each interface in a system.
noneDisplay firewall filter information about all interfaces. interface-name(Optional) Display firewall filter information about a particular interface: ge-fpc/pic/port.
view
show interfaces filters on page 1127 show interfaces filters <interface-name> on page 1128 Table 42 on page 1306 lists the output fields for the show interfaces filters command. Output fields are listed in the approximate order in which they appear.
Field Description Name of the physical interface. Interface state: up or down. Link state: up or down. Protocol that is configured on the interface. Name of the firewall filter to be evaluated when packers are received on the interface. Name of the firewall filter to be evaluated when packets are transmitted on the interface.
Level of Output All levels All levels All levels All levels All levels
Output Filter
All levels
user@host> show interfaces filters Interface Admin Link Proto Input Filter ge-0/0/0 up down ge-0/0/0.0 up down eth-switch unknown ge-0/0/1 up down ge-0/0/1.0 up down eth-switch unknown ge-0/0/2 up down ge-0/0/3 up down
Output Filter
1127
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
up up up up up up up up
user@host> show interfaces filters ge-0/0/0 Interface Admin Link Proto Input Filter ge-0/0/0 up down ge-0/0/0.0 up down eth-switch unknown
Output Filter
1128
Command introduced before JUNOS Release 9.0 for EX-series switches. Display all policers that are configured on each interface in a system.
noneDisplay policer information about all interfaces. interface-name(Optional) display firewall filters information about a particular
interface.
Required Privilege Level Related Topics
view
show interfaces policers on page 1129 show interfaces policers on page 1130 show interfaces policers ( interface-name) on page 1130 Table 42 on page 1306 lists the output fields for the show interfaces policers command. Output fields are listed in the approximate order in which they appear.
Output Fields
Field Description Name of the interface. Interface state: up or down. Link state: up or down. Protocol configured on the interface. Policer to be evaluated when packets are received on the interface. It has the format interface-name-in-policer. Policer to be evaluated when packets are transmitted on the interface. It has the format interface-name-out-policer.
Level of Output All levels All levels All levels All levels All levels
Output Policer
All levels
user@host> show interfaces policers Interface Admin Link Proto Input Policer ge-0/0/0 up down ge-0/0/0.0 up down eth-switch Interface Admin Link Proto Input Policer
Output Policer
Output Policer
1129
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
ge-0/0/1 ge-0/0/1.0 Interface ge-0/0/2 ge-0/0/3 ge-0/0/4 ge-0/0/5 ge-0/0/6 ge-0/0/7 ge-0/0/8 ge-0/0/9 ge-0/0/10 ge-0/0/10.0
up up Admin up up up up up up up up up up
down down eth-switch Link Proto Input Policer down down down down down down down down down down eth-switch Output Policer
user@host> show interfaces policers Interface Admin Link Proto Input Policer ge-0/0/0 up down ge-0/0/0.0 up down eth-switch Interface ge-0/0/1 ge-0/0/1.0 Interface ge-0/0/2 ge-0/0/3 ge-0/0/4 ge-0/0/5 ge-0/0/6 ge-0/0/7 ge-0/0/8 ge-0/0/9 ge-0/0/10 ge-0/0/10.0 Admin Link Proto Input Policer up down up down eth-switch Admin Link Proto Input Policer up down up down up down up down up down up down up down up down up down up down eth-switch
Output Policer
Output Policer
Output Policer
user@host> show interfaces policers ge-0/0/1 Interface Admin Link Proto Input Policer ge-0/0/0 up down ge-0/0/0.0 up down eth-switch
Output Policer
1130
show policer
Syntax
Command introduced in JUNOS Release 9.0 for EX-series switches. Display statistics about configured policers.
noneDisplay the count of policed packets for all configured policers in the system. policer-name (Optional) Display the count of policed packets for the specified policer.
view
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Verifying That Firewall Filters Are Operational on page 1101 Verifying That Policers Are Operational on page 1102 Firewall Filters for EX-series Switches Overview on page 1041 Understanding the Use of Policers in Firewall Filters on page 1063
show policer on page 1131 show policer (policer-name) on page 1132 Table 42 on page 1306 lists the output fields for the show policer command. Output fields are listed in the approximate order in which they appear.
Field Description Name of filter that is configured with the filter statement at the [edit firewall] hierarchy level. Display policer information:
Policers
All levels
FilterName of filter that specifies the policer action. NameName of policer. PacketsNumber of packets that matched the filter term where the policer action is specified. This is the number of packets that exceed the rate limits that the policer specifies.
show policer
user@host> show policer Filter: egress-vlan-filter Filter: ingress-port-filter Policers: Name icmp-connection-policer
Packets 0
show policer
1131
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Packets 0
1132
show policer
Part 12
CoS
Understanding CoS on page 1135 Examples of Configuring CoS on page 1153 Configuring CoS on page 1171 Verifying CoS on page 1189 Configuration Statements for CoS on page 1197 Operational Mode Commands for CoS on page 1221
CoS
1133
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1134
CoS
Chapter 57
Understanding CoS
JUNOS CoS for EX-series Switches Overview on page 1135 Understanding JUNOS CoS Components for EX-series Switches on page 1137 Understanding CoS Code-Point Aliases on page 1139 Understanding CoS Classifiers on page 1142 Understanding CoS Forwarding Classes on page 1144 Understanding CoS Tail Drop Profiles on page 1146 Understanding CoS Schedulers on page 1146 Understanding CoS Two-Color Marking on page 1149 Understanding CoS Rewrite Rules on page 1150 Understanding Port Shaping and Queue Shaping for CoS on EX-series Switches on page 1151 Understanding JUNOS EZQoS for CoS Configurations on EX-series Switches on page 1151
How JUNOS CoS Works on page 1136 Default CoS Behavior on EX-series Switches on page 1136
1135
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1136
mappings, such as explicit default classifiers and rewrite rules, are in operation only if you explicitly associate them with an interface.
Related Topics
Understanding JUNOS CoS Components for EX-series Switches on page 1137 Understanding JUNOS EZQoS for CoS Configurations on EX-series Switches on page 1151 Example: Configuring CoS on EX-series Switches on page 1153
Code-Point Aliases on page 1137 Policers on page 1137 Classifiers on page 1137 Forwarding Classes on page 1138 Tail Drop Profiles on page 1138 Schedulers on page 1138 Rewrite Rules on page 1138
Code-Point Aliases
A code-point alias assigns a name to a pattern of code-point bits. You can use this name instead of the bit pattern when you configure other CoS components such as classifiers, drop-profile maps, and rewrite rules.
Policers
Policers limit traffic of a certain class to a specified bandwidth and burst size. Packets exceeding the policer limits can be discarded. You define policers with filters that can be associated with input interfaces. For more information about policers, see Understanding the Use of Policers in Firewall Filters on page 1063.
NOTE: You can configure policers to discard packets that exceed the rate limits. If you want to configure CoS parameters such as loss-priority and forwarding-class, you must use firewall filters.
Classifiers
Packet classification associates incoming packets with a particular CoS servicing level. In JUNOS software, classifiers associate packets with a forwarding class and loss priority and, based on the associated forwarding class, assign packets to output queues. JUNOS software supports two general types of classifiers:
1137
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Behavior aggregate or CoS value traffic classifiersExamines the CoS value in the packet header. The value in this single field determines the CoS settings applied to the packet. BA classifiers allow you to set the forwarding class and loss priority of a packet based on the Differentiated Services code point (DSCP) value, IP precedence value, and IEEE 802.1p value. Multifield traffic classifiersExamines multiple fields in the packet such as source and destination addresses and source and destination port numbers of the packet. With multifield classifiers, you set the forwarding class and loss priority of a packet based on firewall filter rules.
Forwarding Classes
Forwarding classes group the packets for transmission. Based on forwarding classes, you assign packets to output queues. Forwarding classes affect the forwarding, scheduling, and marking policies applied to packets as they transit a switching platform. By default, four categories of forwarding classes are defined: best effort, assured forwarding, expedited forwarding, and network control. For EX-series switches, 16 forwarding classes are supported, providing granular classification capability.
Schedulers
Each switch interface has multiple queues assigned to store packets. The switch determines which queue to service based on a particular method of scheduling. This process often involves determining which type of packet should be transmitted before another. You can define the priority, bandwidth, delay buffer size, and tail drop profiles to be applied to a particular queue for packet transmission. Scheduler map associates a specified forwarding class with a scheduler configuration. You can associate up to four user-defined scheduler maps with the interfaces.
Rewrite Rules
A rewrite rule sets the appropriate CoS bits in the outgoing packet thus allowing the next downstream device to classify the packet into the appropriate service group. Rewriting, or marking, outbound packets is useful when the switch is at the border of a network and must alter the CoS values to meet the policies of the targeted peer.
1138
NOTE: Rewrite rules are applied when the packets are routed. Rewrite rules are not applied when the packets are forwarded. Egress firewall filters can also assign forwarding class and loss priority so that the packets are rewritten based on forwarding class and loss priority. Understanding CoS Code-Point Aliases on page 1139 Understanding CoS Classifiers on page 1142 Understanding CoS Forwarding Classes on page 1144 Understanding CoS Tail Drop Profiles on page 1146 Understanding CoS Schedulers on page 1146 Understanding CoS Two-Color Marking on page 1149 Understanding CoS Rewrite Rules on page 1150 Example: Configuring CoS on EX-series Switches on page 1153
Related Topics
dscpHandles incoming IPv4 packets. ieee-802.1Handles Layer 2 CoS. inet-precedenceHandles incoming IPv4 packets. IP precedence mapping requires only the upper three bits of the DSCP field.
1139
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1140
Related Topics
Understanding JUNOS CoS Components for EX-series Switches on page 1137 Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Code-Point Aliases (CLI Procedure) on page 1174 Defining CoS Code-Point Aliases (J-Web Procedure) on page 1172
1141
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
For a specified interface, you can configure both an MF classifier and a BA classifier without conflicts. In such cases, BA classification is performed first, followed by MF classification. In case of conflict, the MF classification result overrides the BA classification result.
NOTE: When a source MAC address is learned, the frame that contains the source MAC address is always sent out on queue 0 while egressing from the network interface, irrespective of the classifier applied to the ingress interface. Behavior Aggregate Classifiers on page 1142 Multifield Classifiers on page 1143
Differentiated Services code point (DSCP) for IP DiffServ IP precedence bits IEEE 802.1p CoS bits
BA classifiers are based on fixed-length fields, which makes them computationally more efficient than MF classifiers. Therefore core devices, which handle high traffic volumes, are normally configured to perform BA classification. In most cases, you need to rewrite a given marker (IP precedence, DSCP, or IEEE 802.1p) at the ingress node to accommodate BA classification by core and egress devices.
NOTE: When you want to replace an existing classifier of a certain type with a new classifier of a different type, you must explicitly remove the existing classifier before you apply the new classifier.
1142
Untrusted
When you explicitly associate a classifier with a logical interface, you are in effect overriding the implicit default classifier with an explicit classifier.
NOTE: By default, all BA classifiers classify traffic into either the best-effort forwarding class or the network-control forwarding class.
Multifield Classifiers
Multifield classifiers examine multiple fields in a packet such as source and destination addresses and source and destination port numbers of the packet. With MF classifiers, you set the forwarding class and loss priority of a packet based on firewall filter rules. MF classification is normally performed at the network edge because of the general lack of DiffServ code point (DSCP) or IP precedence support in end-user applications. On an edge switch, an MF classifier provides the filtering functionality that scans through a variety of packet fields to determine the forwarding class for a packet. Typically, a classifier performs matching operations on the selected fields against a configured value.
Related Topics
Understanding JUNOS CoS Components for EX-series Switches on page 1137 Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Classifiers (CLI Procedure) on page 1175 Defining CoS Classifiers (J-Web Procedure) on page 1176
1143
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Expedited forwarding (EF)Provides a low loss, low latency, low jitter, assured bandwidth, end-to-end service. Assured forwarding (AF)Provides a group of values you can define and includes four subclasses: AF1, AF2, AF3, and AF4, each with two drop probabilities: low and high. Best effort (BE)Provides no service profile. Loss priority is typically not carried in a class-of-service (CoS) value. Network control (NC)This class is typically high priority because it supports protocol control.
EX-series switches support up to 16 forwarding classes, thus allowing granular packet classification. For example, you can configure multiple classes of EF traffic such as EF, EF1, and EF2. EX-series switches support up to eight output queues. Therefore, if you configure more than eight forwarding classes, you must map multiple forwarding classes to single output queues.
expedited-forwarding (ef)
1144
CoS configurations that specify more queues than the switch can support are not accepted. The commit fails with a detailed message that states the total number of queues available. All default CoS configurations are based on queue number. The name of the forwarding class that shows up when the default configuration is displayed is the forwarding class currently associated with that queue. Understanding JUNOS CoS Components for EX-series Switches on page 1137 Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Forwarding Classes (CLI Procedure) on page 1178 Defining CoS Forwarding Classes (J-Web Procedure) on page 1179
Related Topics
1145
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: The default drop profile associated with the packets whose loss priority is low cannot be modified. You can configure custom drop profile only for those packets whose loss priority is high.
Related Topics
Understanding JUNOS CoS Components for EX-series Switches on page 1137 Example: Configuring CoS on EX-series Switches on page 1153 Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1183
Default Schedulers on page 1147 Transmission Rate on page 1147 Scheduler Buffer Size on page 1147
1146
Priority Scheduling on page 1148 Scheduler Drop-Profile Maps on page 1148 Scheduler Maps on page 1149
Default Schedulers
Each forwarding class has an associated scheduler priority. Only two forwarding classes, best-effort and network-control (queue 0 and queue 7), are used in the default scheduler configuration. By default, the best-effort forwarding class (queue 0) receives 95 percent of the bandwidth and buffer space for the output link, and the network-control forwarding class (queue 7) receives 5 percent. The default drop profile causes the buffer to fill completely and then to discard all incoming packets until it has space. The expedited-forwarding and assured-forwarding classes have no schedulers because, by default, no resources are assigned to queue 5 and queue 1. However, you can manually configure resources for the expedited-forwarding and assured-forwarding classes. Also by default, each queue can exceed the assigned bandwidth if additional bandwidth is available from other queues. When a forwarding class does not fully use the allocated transmission bandwidth, the remaining bandwidth can be used by other forwarding classes if they receive a larger amount of offered load than their allocated bandwidth allows.
Transmission Rate
The transmission-rate control determines the actual traffic bandwidth from each forwarding class you configure. The rate is specified in bits per second. Each queue is allocated some portion of the bandwidth of the outgoing interface. This bandwidth amount can be a fixed value, such as 1 megabit per second (Mbps), a percentage of the total available bandwidth, or the rest of the available bandwidth. You can allow transmission bandwidth to exceed the configured rate if additional bandwidth is available from other queues. In case of congestion, configured amount of transmission rate is guaranteed for the queue. This property allows you to ensure that each queue receives the amount of bandwidth appropriate to its level of service.
1147
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
For each scheduler, you can configure the buffer size as one of the following:
A percentage of the total buffer. The remaining buffer available. The remainder is the buffer percentage that is not assigned to other queues. For example, if you assign 40 percent of the delay buffer to queue 0, allow queue 7 to keep the default allotment of 5 percent, and assign the remainder to queue 3, then queue 3 uses approximately 55 percent of the delay buffer.
Priority Scheduling
Priority scheduling determines the order in which an output interface transmits traffic from the queues, thus ensuring that queues containing important traffic are provided better access to the outgoing interface. Priority scheduling is accomplished through a procedure in which the scheduler examines the priority of the queue. JUNOS software supports two levels of transmission priority:
LowThe scheduler determines if the individual queue is within its defined bandwidth profile. This binary decision, which is reevaluated on a regular time cycle, compares the amount of data transmitted by the queue against the amount of bandwidth allocated to it by the scheduler. When the transmitted amount is less than the allocated amount, the queue is considered to be in profile. A queue is out of profile when its transmitted amount is larger than its allocated amount. Out of profile queue will be transmitted only if bandwidth is available. Otherwise, it will be buffered. A queue from the set is selected based on the shaped deficit weighted round robin (SDWRR) algorithm, which operates within the set.
Strict-highStrict-high priority queue receives preferential treatment over low priority queue. Unlimited bandwidth is assigned to strict-high priority queue. Queues are scheduled according to the queue number, starting with the highest queue 7, with decreasing priority down through queue 0. Traffic in higher queue numbers is always scheduled prior to traffic in lower queue numbers. In other words, in case of two high priority queues, the queue with higher queue number is processed first.
Packets in low priority queues are transmitted only when strict-high priority queues are empty.
1148
Scheduler Maps
A scheduler map associates a specified forwarding class with a scheduler configuration. After configuring a scheduler, you must include it in a scheduler map and then associate the scheduler map with an output interface. EX-series switches allow you to associate up to four user-defined scheduler maps with interfaces.
Related Topics
Understanding JUNOS CoS Components for EX-series Switches on page 1137 Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Schedulers (CLI Procedure) on page 1180 Defining CoS Schedulers (J-Web Procedure) on page 1180
Understanding JUNOS CoS Components for EX-series Switches on page 1137 Understanding the Use of Policers in Firewall Filters on page 1063 Configuring Policers to Control Traffic Rates (CLI Procedure) on page 1096
1149
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: When an IP precedence rewrite rule is active, bits 3,4, and 5 of the ToS byte are always reset to zero when code-points are rewritten. Default Rewrite Rule on page 1150
1150
Related Topics
Understanding JUNOS CoS Components for EX-series Switches on page 1137 Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Rewrite Rules (CLI Procedure) on page 1184 Defining CoS Rewrite Rules (J-Web Procedure) on page 1184
Understanding Port Shaping and Queue Shaping for CoS on EX-series Switches
If the amount of traffic on a switch's network interface is more than the maximum bandwidth allowed on the interface, it leads to congestion. Port shaping and queue shaping can be used to manage the excess traffic and avoid congestion. Port shaping defines the maximum bandwidth allocated to a port, while queue shaping defines a limit on excess-bandwidth usage per queue. This topic covers:
Port Shaping
Port shaping enables you to shape the aggregate traffic through a port or channel to a rate that is less than the line or port rate.
Queue Shaping
Queue shaping throttles the rate at which queues transmit packets. For example, using queue shaping, you can rate-limit a strict-priority queue so that the strict-priority queue does not lock out (or starve) low-priority queues. Similarly, for any queue, you can configure queue shaping.
Related Topics
Understanding CoS Schedulers on page 1146 Defining CoS Schedulers (CLI Procedure) on page 1180
Understanding Port Shaping and Queue Shaping for CoS on EX-series Switches
1151
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
JUNOS CoS allows you to divide traffic into classes and offer various levels of throughput and packet loss when congestion occurs. You can use CoS to ensure that different types of traffic (voice, video, and data) get the bandwidth and consideration they need to meet user expectations and business objectives. Configuring CoS requires careful consideration of your service needs and thorough planning and design to ensure consistency across all switches in a CoS domain. To configure CoS manually, you must define and fine-tune all CoS components such as classifiers, rewrite rules, forwarding classes, schedulers, and scheduler-maps and then apply these components to the interfaces. Therefore, configuring CoS can be a fairly complex and time-consuming task. EZQoS works by automatically assigning preconfigured values to all CoS parameters based on the typical application requirements. These preconfigured values are stored in a template with a unique name. You can change the preconfigured values of these parameters to suit your particular application needs. For using EZQoS, you must identify which switch ports are being used for a specific application (such as VoIP, video, and data) and manually apply the corresponding application-specific EZQoS template to these switch ports.
NOTE: Currently, we provide an EZQoS template for configuring CoS for VoIP.
NOTE: We recommend that you do not use the term EZQoS for defining a classifier.
Related Topics
JUNOS CoS for EX-series Switches Overview on page 1135 Configuring JUNOS EZQoS for CoS (CLI Procedure) on page 1188
1152
Chapter 58
Requirements on page 1153 Overview and Topology on page 1153 Configuration on page 1156 Verification on page 1167
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.0 or later for EX-series switches One Juniper Networks EX-series 3200 switch
1153
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The topology for this configuration example consists of one EX-series switch at the access layer. The EX-series access switch is configured to support VLAN membership. Switch ports ge-0/0/0and ge-0/0/1 are assigned to the voice-vlan for two VoIP phones. Switch port ge-0/0/2 is assigned to the camera-vlan for the surveillance camera. Switch ports ge-0/0/3, ge-0/0/4, ge-0/0/5, and ge-0/0/6 are assigned to the server-vlan for the servers hosting various applications such as those provided by Citrix, Microsoft, Oracle, and SAP. Table 155 on page 1155 shows the VLAN configuration components.
1154
VLAN Description
voice-vlan
10
broadcast address.
camera-vlan 20 192.168.1.13/32 192.168.1.14 through 192.168.1.20 192.168.1.21 is the subnets
broadcast address.
server-vlan 30 192.168.1.22/32 192.168.1.23 through 192.168.1.35 192.168.1.36 is the subnets
broadcast address.
Ports on the EX-series switches support Power over Ethernet (PoE) to provide both network connectivity and power for VoIP telephones connecting to the ports. Table 156 on page 1155 shows the switch interfaces that are assigned to the VLANs and the IP addresses for devices connected to the switch ports:
Table 156: Configuration Components: Switch Ports on a 48-Port All-PoE Switch
Interfaces
ge-0/0/0, ge-0/0/1
VLAN Membership
voice-vlan
IP Addresses
192.168.1.1 through 192.168.1.2 192.168.1.14 192.168.1.23 through 192.168.1.26
camera-vlan sevrer-vlan
Surveillance camera. Four servers hosting applications such as those provided by Citrix, Microsoft, Oracle, and SAP.
1155
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: This example shows how to configure CoS on a single EX-series switch. This example does not consider across-the-network applications of CoS in which you might implement different configurations on ingress and egress switches to provide differentiated treatment to different classes across a set of nodes in a network.
Configuration
CLI Quick Configuration
To quickly configure CoS, copy the following commands and paste them into the switch terminal window:
[edit] set class-of-service forwarding-classes class app queue-num 5 set class-of-service forwarding-classes class mail queue-num 1 set class-of-service forwarding-classes class db queue-num 2 set class-of-service forwarding-classes class erp queue-num 3 set class-of-service forwarding-classes class video queue-num 4 set class-of-service forwarding-classes class best-effort queue-num 0 set class-of-service forwarding-classes class voice queue-num 6 set class-of-service forwarding-classes class network-control queue-num 7 set firewall family ethernet-switching filter voip_class term voip from source-address 192.168.1.1/32 set firewall family ethernet-switching filter voip_class term voip from source-address 192.168.1.2/32 set firewall family ethernet-switching filter voip_class term voip from protocol udp set firewall family ethernet-switching filter voip_class term voip from source-port 2698 set firewall family ethernet-switching filter voip_class term voip then forwarding-class voice loss-priority low set firewall family ethernet-switching filter voip_class term network_control from precedence [net-control internet-control] set firewall family ethernet-switching filter voip_class term network_control then forwarding-class network-control loss-priority low set firewall family ethernet-switching filter voip_class term best_effort_traffic then forwarding-class best-effort loss-priority low set interfaces ge-0/0/0 description phone1voip-ingress-port set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input voip_class set interfaces ge-0/0/1 description phone2voip-ingress-port set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input voip_class set firewall family ethernet-switching filter video_class term video from source-address 192.168.1.14/32 set firewall family ethernet-switching filter video_class term video from protocol udp set firewall family ethernet-switching filter video_class term video from source-port 2979 set firewall family ethernet-switching filter video_class term video then forwarding-class video loss-priority low set firewall family ethernet-switching filter video_class term network_control from precedence [net-control internet-control] set firewall family ethernet-switching filter video_class term network_control then forwarding-class network-control loss-priority low set firewall family ethernet-switching filter video_class term best_effort_traffic then forwarding-class best-effort loss-priority low set interfaces ge-0/0/2 description video-ingress-port set interfaces ge-0/0/2 unit 0 family ethernet-switching filter input video_class
1156
set firewall family ethernet-switching filter app_class term app from source-address 192.168.1.23/32 set firewall family ethernet-switching filter app_class term app from protocol tcp set firewall family ethernet-switching filter app_class term app from source-port [1494 2512 2513 2598 2897] set firewall family ethernet-switching filter app_class term app then forwarding-class app loss-priority low set firewall family ethernet-switching filter app_class term mail from source-address 192.168.1.24/32 set firewall family ethernet-switching filter app_class term mail from protocol tcp set firewall family ethernet-switching filter app_class term mail from source-port [25 143 389 691 993 3268 3269] set firewall family ethernet-switching filter app_class term mail then forwarding-class mail loss-priority low set firewall family ethernet-switching filter app_class term db from source-address 192.168.1.25/32 set firewall family ethernet-switching filter app_class term db from protocol tcp set firewall family ethernet-switching filter app_class term db from source-port [1521 1525 1527 1571 1810 2481] set firewall family ethernet-switching filter app_class term db then forwarding-class db loss-priority low set firewall family ethernet-switching filter app_class term erp from source-address 192.168.1.26/32 set firewall family ethernet-switching filter app_class term erp from protocol tcp set firewall family ethernet-switching filter app_class term erp from source-port [3200 3300 3301 3600] set firewall family ethernet-switching filter app_class term erp then forwarding-class erp loss-priority low set firewall family ethernet-switching filter app_class term network_control from precedence [net-control internet-control] set firewall family ethernet-switching filter app_class term network_control then forwarding-class network-control loss-priority low set firewall family ethernet-switching filter app_class term best_effort_traffic then forwarding-class best-effort loss-priority low set interfaces ge-0/0/3 unit 0 family ethernet-switching filter input app_class set interfaces ge-0/0/4 unit 0 family ethernet-switching filter input app_class set interfaces ge-0/0/5 unit 0 family ethernet-switching filter input app_class set interfaces ge-0/0/6 unit 0 family ethernet-switching filter input app_class set class-of-service schedulers voice-sched buffer-size percent 10 set class-of-service schedulers voice-sched priority strict-high set class-of-service schedulers voice-sched transmit-rate percent 10 set class-of-service schedulers video-sched buffer-size percent 15 set class-of-service schedulers video-sched priority low set class-of-service schedulers video-sched transmit-rate percent 15 set class-of-service schedulers app-sched buffer-size percent 10 set class-of-service schedulers app-sched priority low set class-of-service schedulers app-sched transmit-rate percent 10 set class-of-service schedulers mail-sched buffer-size percent 5 set class-of-service schedulers mail-sched priority low set class-of-service schedulers mail-sched transmit-rate percent 5 set class-of-service schedulers db-sched buffer-size percent 10 set class-of-service schedulers db-sched priority low set class-of-service schedulers db-sched transmit-rate percent 10 set class-of-service schedulers erp-sched buffer-size percent 10 set class-of-service schedulers erp-sched priority low set class-of-service schedulers erp-sched transmit-rate percent 10 set class-of-service schedulers nc-sched buffer-size percent 5 set class-of-service schedulers nc-sched priority strict-high
Configuration
1157
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
set class-of-service schedulers nc-sched transmit-rate percent 5 set class-of-service schedulers be-sched buffer-size percent 35 set class-of-service schedulers be-sched priority low set class-of-service schedulers be-sched transmit-rate percent 35 set class-of-service scheduler-maps ethernet-cos-map forwarding-class voice scheduler voice-sched set class-of-service scheduler-maps ethernet-cos-map forwarding-class video scheduler video-sched set class-of-service scheduler-maps ethernet-cos-map forwarding-class app scheduler app-sched set class-of-service scheduler-maps ethernet-cos-map forwarding-class mail scheduler mail-sched set class-of-service scheduler-maps ethernet-cos-map forwarding-class db scheduler db-sched set class-of-service scheduler-maps ethernet-cos-map forwarding-class erp scheduler erp-sched set class-of-service scheduler-maps ethernet-cos-map forwarding-class network-control scheduler nc-sched set class-of-service scheduler-maps ethernet-cos-map forwarding-class best-effort scheduler be-sched set class-of-service interfaces ge-0/0/20 scheduler-map ethernet-cos-map
Step-by-Step Procedure
Configure one-to-one mapping between eight forwarding classes and eight queues:
[edit class-of-service] user@switch# set forwarding-classes class app queue-num 5 user@switch# set forwarding-classes class mail queue-num 1 user@switch# set forwarding-classes class db queue-num 2 user@switch# set forwarding-classes class erp queue-num 3 user@switch# set forwarding-classes class video queue-num 4 user@switch# set forwarding-classes class best-effort queue-num 0 user@switch# set forwarding-classes class voice queue-num 6 user@switch# set forwarding-classes class network-control queue-num 7
2.
3.
voip_class term voip voip_class term voip voip_class term voip voip_class term voip voip_class term voip
4.
1158
Configuration
[edit firewall] user@switch# set family ethernet-switching filter voip_class term network_control from precedence [net-control internet-control] user@switch# set family ethernet-switching filter voip_class term network_control then forwarding-class network-control loss-priority low
5.
6.
Apply the firewall filter voip_class as an input filter to the interfaces for the VoIP phones:
[edit interfaces] user@switch# set ge-0/0/0 user@switch# set ge-0/0/0 voip_class user@switch# set ge-0/0/1 user@switch# set ge-0/0/1 voip_class
description phone1voip-ingress-port unit 0 family ethernet-switching filter input description phone2voip-ingress-port unit 0 family ethernet-switching filter input
7.
8.
video_class term video video_class term video video_class term video video_class term video
9.
10.
Configuration
1159
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
11.
Apply the firewall filter video_class as an input filter to the interface for the surveillance camera:
[edit interfaces] user@switch# set ge-0/0/2 description video-ingress-port user@switch# set ge-0/0/2 unit 0 family ethernet-switching filter input video_class
12.
Define the firewall filter app_class to classify the application server traffic:
[edit firewall] user@switch# set family ethernet-switching filter app_class
13.
filter app_class term app from filter app_class term app filter app_class term app filter app_class term app then
14.
15.
app_class term db from app_class term db app_class term db app_class term db then
16.
1160
Configuration
user@switch# set family ethernet-switching filter app_class term erp protocol tcp user@switch# set family ethernet-switching filter app_class term erp source-port [3200 3300 3301 3600] user@switch# set family ethernet-switching filter app_class term erp then forwarding-class erp loss-priority low
17.
18.
19.
Apply the firewall filter app_class as an input filter to the interfaces for the servers hosting applications:
[edit interfaces] user@switch# set ge-0/0/3 app_class user@switch# set ge-0/0/4 app_class user@switch# set ge-0/0/5 app_class user@switch# set ge-0/0/6 app_class
unit 0 family ethernet-switching filter input unit 0 family ethernet-switching filter input unit 0 family ethernet-switching filter input unit 0 family ethernet-switching filter input
20.
Configure schedulers:
[edit class-of-service] user@switch# set schedulers voice-sched buffer-size percent 10 user@switch# set schedulers voice-sched priority strict-high user@switch# set schedulers voice-sched transmit-rate percent 10 user@switch# set schedulers video-sched buffer-size percent 15 user@switch# set schedulers video-sched priority low user@switch# set schedulers video-sched transmit-rate percent 15 user@switch# set schedulers app-sched buffer-size percent 10 user@switch# set schedulers app-sched priority low user@switch# set schedulers app-sched transmit-rate percent 10 user@switch# set schedulers mail-sched buffer-size percent 5 user@switch# set schedulers mail-sched priority low user@switch# set schedulers mail-sched transmit-rate percent 5 user@switch# set schedulers db-sched buffer-size percent 10 user@switch# set schedulers db-sched priority low user@switch# set schedulers db-sched transmit-rate percent 10 user@switch# set schedulers erp-sched buffer-size percent 10 user@switch# set schedulers erp-sched priority low user@switch# set schedulers erp-sched transmit-rate percent 10 user@switch# set schedulers nc-sched buffer-size percent 5
Configuration
1161
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
priority strict-high transmit-rate percent 5 buffer-size percent 35 priority low transmit-rate percent 35
21.
Assign the forwarding classes to schedulers with the scheduler map ethernet-cos-map:
[edit class-of-service] user@switch# set scheduler-maps ethernet-cos-map forwarding-class voice scheduler voice-sched user@switch# set scheduler-maps ethernet-cos-map forwarding-class video scheduler video-sched user@switch# set scheduler-maps ethernet-cos-map forwarding-class app scheduler app-sched user@switch# set scheduler-maps ethernet-cos-map forwarding-class mail scheduler mail-sched user@switch# set scheduler-maps ethernet-cos-map forwarding-class db scheduler db-sched user@switch# set scheduler-maps ethernet-cos-map forwarding-class erp scheduler erp-sched user@switch# set scheduler-maps ethernet-cos-map forwarding-class network-control scheduler nc-sched user@switch# set scheduler-maps ethernet-cos-map forwarding-class best-effort scheduler be-sched
22.
Results
1162
Configuration
precedence [net-control internet-control]; } then { forwarding-class network-control; loss-priority low; } } term best_effort_traffic { then { forwarding-class best-effort; loss-priority low; } } } filter video_class { term video { from { source-address { 192.168.1.14/32; } protocol udp; source-port 2979; } then { forwarding-class video; loss-priority low; } } term network control { from { precedence [net-control internet-control]; } then { forwarding-class network-control; loss-priority low; } } term best_effort_traffic { then { forwarding-class best-effort; loss-priority low; } } } filter app_class { term app { from { source-address { 192.168.1.23/32; } protocol tcp; source-port [1491 2512 2513 2598 2897]; } then { forwarding-class app; loss-priority low;
Configuration
1163
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
} } term mail { from { source-address { 192.168.1.24/32; } protocol tcp; source-port [25 143 389 691 993 3268 3269]; } then { forwarding-class mail; loss-priority low; } } term db { from { source-address { 192.168.1.25/32; } protocol tcp; source-port [1521 1525 1527 1571 1810 2481]; } then { forwarding-class db; loss-priority low; } } term erp { from { source-address { 192.168.1.26/32; } protocol tcp; source-port [3200 3300 3301 3600]; } then { forwarding-class erp; loss-priority low; } } term network control { from { precedence [net-control internet-control]; } then { forwarding-class network-control; loss-priority low; } } term best_effort_traffic { then { forwarding-class best-effort; loss-priority low; } }
1164
Configuration
} } user@switch# show class-of-service forwarding-classes { class app queue-num 5; class mail queue-num 1; class db queue-num 2; class erp queue-num 3; class video queue-num 4; class best-effort queue-num 0; class voice queue-num 6; class network-control queue-num 7; } schedulers { voice-sched { buffer-size percent 10; priority strict-high; transmit-rate percent 10; } video-sched { buffer-size percent 15; priority low; transmit-rate percent 15; } app-sched { buffer-size percent 10; priority low; transmit-rate percent 10; } mail-sched { buffer-size percent 5; priority low; transmit-rate percent 5; } db-sched { buffer-size percent 10; priority low; transmit-rate percent 10; } erp-sched { buffer-size percent 10; priority low; transmit-rate percent 10; } nc-sched { buffer-size percent 5; priority strict-high; transmit-rate percent 5; } be-sched { buffer-size percent 35; priority low; transmit-rate percent 35; }
Configuration
1165
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
} scheduler-maps { ethernet-cos-map { forwarding-class voice scheduler voice-sched; forwarding-class video scheduler video-sched; forwarding-class app scheduler app-sched; forwarding-class mail scheduler mail-sched; forwarding-class db scheduler db-sched; forwarding-class erp scheduler erp-sched; forwarding-class network-control scheduler nc-sched; forwarding-class best-effort scheduler be-sched; } } user@switch# show interfaces ge-0/0/0 { unit 0 { family ethernet { filter { input voip_class; } } } } ge-0/0/1 { unit 0 { family ethernet { filter { input voip_class; } } } } ge-0/0/2 { unit 0 { family ethernet { filter { input video_class; } } } } ge-0/0/3 { unit 0 { family ethernet { filter { input app_class; } } } } ge-0/0/4 { unit 0 { family ethernet { filter {
1166
Configuration
input app_class; } } } } ge-0/0/5 { unit 0 { family ethernet { filter { input app_class; } } } } ge-0/0/6 { unit 0 { family ethernet { filter { input app_class; } } } }
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That the Defined Forwarding Classes Exist and Are Mapped to Queues on page 1167 Verifying That the Forwarding Classes Have Been Assigned to Schedulers on page 1168 Verifying That the Scheduler Map Has Been Applied to the Interface on page 1169
Verifying That the Defined Forwarding Classes Exist and Are Mapped to Queues
Purpose
Verify that the following forwarding classes app, db, erp, mail, video, and voice have been defined and mapped to queues.
user@switch> show class-of-service forwarding-class Forwarding class ID Queue app 0 5 db 1 2 erp 2 3 best-effort 3 0 mail 4 1 voice 5 6 video 6 4 network-control 7 7
Action
Meaning
This output shows that the forwarding classes have been defined and mapped to appropriate queues.
Verification
1167
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Action
1168
High
TCP
<default-drop-profile>
Scheduler: nc-sched, Forwarding class: network-control, Index: 22 Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent, Priority: Strict-high Drop profiles: Loss priority Protocol Index Name High non-TCP 1 <default-drop-profile> High TCP 1 <default-drop-profile>
Meaning
This output shows that the forwarding classes have been assigned to schedulers.
Verifying That the Scheduler Map Has Been Applied to the Interface
Purpose
Verify that the scheduler map has been applied to the interface.
user@switch> show class-of-service interface ... Physical interface: ge-0/0/20, Index: 149 Queues supported: 8, Queues in use: 8 Scheduler map: ethernet-cos-map, Index: 43366 Input scheduler map: <default>, Index: 3 ...
Action
Meaning
This output shows that the scheduler map (ethernet-cos-map) has been applied to the interface (ge-0/0/20).
Related Topics
Defining CoS Code-Point Aliases (CLI Procedure) on page 1174 Defining CoS Classifiers (CLI Procedure) on page 1175 Defining CoS Forwarding Classes (CLI Procedure) on page 1178 Defining CoS Schedulers (CLI Procedure) on page 1180 Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1183 Assigning CoS Components to Interfaces (CLI Procedure) on page 1186 Configuring Firewall Filters (CLI Procedure) on page 1087
Verifying That the Scheduler Map Has Been Applied to the Interface
1169
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1170
Verifying That the Scheduler Map Has Been Applied to the Interface
Chapter 59
Configuring CoS
Configuring CoS (J-Web Procedure) on page 1171 Defining CoS Code-Point Aliases (J-Web Procedure) on page 1172 Defining CoS Code-Point Aliases (CLI Procedure) on page 1174 Defining CoS Classifiers (CLI Procedure) on page 1175 Defining CoS Classifiers (J-Web Procedure) on page 1176 Defining CoS Forwarding Classes (CLI Procedure) on page 1178 Defining CoS Forwarding Classes (J-Web Procedure) on page 1179 Defining CoS Schedulers (CLI Procedure) on page 1180 Defining CoS Schedulers (J-Web Procedure) on page 1180 Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1183 Defining CoS Rewrite Rules (CLI Procedure) on page 1184 Defining CoS Rewrite Rules (J-Web Procedure) on page 1184 Assigning CoS Components to Interfaces (CLI Procedure) on page 1186 Assigning CoS Components to Interfaces (J-Web Procedure) on page 1186 Configuring JUNOS EZQoS for CoS (CLI Procedure) on page 1188
In the J-Web interface, select Configure>Class of Service. On the Class of Service Configuration page, select one of the following options depending on the CoS component that you want to define. Enter information into the pages as described in the respective table:
1171
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
To define or edit CoS value aliases, select CoS Value Aliases . To define or edit forwarding classes and assign queues, select Forwarding Classes. To define or edit classifiers, select Classifiers . To define or edit rewrite rules, select Rewrite Rules. To define or edit schedulers, select Schedulers. To define or edit virtual channel groups, select Interface Associations.
3. Related Topics
Click Apply after completing configuration on any Configuration page. Defining CoS Classifiers (J-Web Procedure) on page 1176 Defining CoS Code-Point Aliases (J-Web Procedure) on page 1172 Defining CoS Forwarding Classes (J-Web Procedure) on page 1179 Defining CoS Rewrite Rules (J-Web Procedure) on page 1184 Defining CoS Schedulers (J-Web Procedure) on page 1180 Assigning CoS Components to Interfaces (J-Web Procedure) on page 1186
Function
Your Action
DSCP
Allows you to define aliases for DiffServ code point (DSCP) IPv4 values. You can refer to these aliases when you configure classes and define classifiers.
Click DSCP.
IPv4 Precedence
Allows you to define aliases for IPv4 precedence values. Precedence values are modified in the IPv4 type-of-service (TOS) field and mapped to values that correspond to levels of service.
Alias Name
None.
1172
None.
Click Add.
Delete
Select the check box next to the CoS value alias and click Delete.
Assigns a name to a CoS value. A CoS value can be of different typesDSCP or IP precedence. Specifies the CoS value for which an alias is defined. Changing this value alters the behavior of all classifiers that refer to this alias.
For DSCP CoS values, use the format xxxxxx, where x is 1 or 0for example, 101110. For IP precedence CoS values, use the format xxx, where x is 1 or 0for example, 111.
Related Topics
Defining CoS Code-Point Aliases (CLI Procedure) on page 1174 Monitoring CoS Value Aliases on page 1195 Example: Configuring CoS on EX-series Switches on page 1153
1173
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
DSCPHandles incoming IPv4 packets. IEEE 802.1pHandles Layer 2 CoS. Inet precedenceHandles incoming IPv4 packets. IP precedence mapping requires only the higher order three bits of the DSCP field.
To configure a code-point alias for a specified CoS marker type (dscp), assign an alias (my1) to the code-point (110001):
[edit class-of-service code-point-aliases] user@switch# set dscp my1 110001
Related Topics
Defining CoS Code-Point Aliases (J-Web Procedure) on page 1172 Example: Configuring CoS on EX-series Switches on page 1153 Monitoring CoS Value Aliases on page 1195 Understanding CoS Code-Point Aliases on page 1139
1174
Behavior aggregate or CoS value traffic classifiersExamines the CoS value in the packet header. The value in this single field determines the CoS settings applied to the packet. BA classifiers allow you to set the forwarding class and loss priority of a packet based on the Differentiated Services code point (DSCP) value, IP precedence value, and IEEE 802.1p value. Multifield traffic classifiersExamines multiple fields in the packet such as source and destination addresses and source and destination port numbers of the packet. With multifield classifiers, you set the forwarding class and loss priority of a packet based on firewall filter rules.
This procedure describes how to configure the DSCP BA classifier ba-classifier as the default DSCP map and apply it to the Gigabit Ethernet interface ge-0/0/0 of the EX-series switch. The BA classifier assigns loss priorities, as shown in Table 158 on page 1175, to incoming packets in the four forwarding classes.
Table 158: BA-classifier Loss Priority Assignments
Forwarding Class be ef af nc For CoS Traffic Type ba-classifier Assignment
High-priority code point: 000001 High-priority code point: 101110 High-priority code point: 001100 High-priority code point: 110001
Associate code point 000001 with forwarding class be and loss priority high:
[edit class-of-service classifiers] user@switch# set dscp ba-classifier import default forwarding-class be loss-priority high code-points 000001
2.
Associate code point 101110 with forwarding class ef and loss priority high:
[edit class-of-service classifiers] user@switch# set dscp ba-classifier forwarding-class ef loss-priority high code-points 101110
3.
Associate code point 001100 with forwarding class af and loss priority high:
[edit class-of-service classifiers]
1175
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
4.
Associate code point 110001 with forwarding class nc and loss priority high:
[edit class-of-service classifiers] user@switch# set dscp ba-classifier forwarding-class nc loss-priority high code-points 110001
5.
Related Topics
Defining CoS Classifiers (J-Web Procedure) on page 1176 Example: Configuring CoS on EX-series Switches on page 1153 Assigning CoS Components to Interfaces (CLI Procedure) on page 1186 Monitoring CoS Classifiers on page 1189 Understanding CoS Classifiers on page 1142
Function
Your Action
Defines classifiers for DSCP code point values. Defines classifiers for IPv4 precedence values. Displays the names of classifiers. Allows you to edit a specific classifier.
Click DSCP. Click IPv4 Precedence. To edit a classifier, click its name.
Incoming Code Point (Alias) Classify to Forwarding Class Classify to Loss Priority
Displays CoS values and aliases to which forwarding class and loss priority are mapped. Displays forwarding classes that are assigned to specific CoS values and aliases of a classifier. Displays loss priorities that are assigned to specific CoS values and aliases of a classifier.
None.
None.
None.
1176
Delete
To delete a classifier, locate the classifier, select the check box next to it, and click Delete.
Classifier Name
Sets the forwarding classes and the packet loss priorities (PLPs) for specific CoS values and aliases. Specifies the CoS value in bits and the alias of a classifier for incoming packets.
To specify a CoS value and alias, either select preconfigured ones from the list or type new ones. For information about forwarding classes and aliases assigned to well-known DSCPs, see the JUNOS Class of Service Configuration Guide.
Forwarding Class
Assigns the forwarding class to the specified CoS value and alias.
To assign a forwarding class, select either one of the following default forwarding classes or one that you have configured:
expedited-forwardingProvides low loss, low delay, low jitter, assured bandwidth, and end-to-end service. Packets can be forwarded out of sequence or dropped. best-effortProvides no special CoS handling of packets. Typically, RED drop profile is aggressive and no loss priority is defined. assured-forwardingProvides high assurance for packets within the specified service profile. Excess packets are dropped. network-controlPackets can be delayed but not dropped.
Loss Priority
highPacket has a high loss priority. lowPacket has a low loss priority.
Add
Assigns a forwarding class and loss priority to the specified CoS value and alias. A classifier examines the incoming packet's header for the specified CoS value and alias and assigns it the forwarding class and loss priority that you have defined.
To assign a forwarding class and loss priority to a specific CoS value and alias, click Add.
1177
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Defining CoS Classifiers (CLI Procedure) on page 1175 Example: Configuring CoS on EX-series Switches on page 1153 Monitoring CoS Classifiers on page 1189 Understanding CoS Classifiers on page 1142
Using class statementYou can configure up to 16 forwarding classes and you can map multiple forwarding classes to single queue. Using queue statementYou can configure up to 8 forwarding classes and you can map one forwarding class to one queue. This example uses the class statement to configure forwarding classes.
Related Topics
Defining CoS Forwarding Classes (J-Web Procedure) on page 1179 Example: Configuring CoS on EX-series Switches on page 1153 Assigning CoS Components to Interfaces (CLI Procedure) on page 1186 Monitoring CoS Forwarding Classes on page 1190 Understanding CoS Forwarding Classes on page 1144
1178
Function
Your Action
Queue #
Displays internal queue numbers to which forwarding classes are assigned. By default, if a packet is not classified, it is assigned to the class associated with queue 0. You can have more than one forwarding class to a queue number. Allows you to edit an assigned forwarding class.
To edit an assigned forwarding class, click the queue number to which the class is assigned.
Displays the forwarding class names assigned to specific internal queue numbers. By default, four forwarding classes are assigned to queue numbers 0 (best-effort), 1 (assured-forwarding), 5 (expedited-forwarding), and 7 (network-connect).
None.
Add
Opens a page that allows you to assign forwarding classes to internal queue numbers.
Queue #
To specify an internal queue number, type an integer from 0 through 7, as supported by your platform. To assign a forwarding class name to a queue, type the namefor example, be-class.
Specifies the forwarding class name assigned to the internal queue number.
Related Topics
Defining CoS Forwarding Classes (CLI Procedure) on page 1178 Example: Configuring CoS on EX-series Switches on page 1153 Monitoring CoS Forwarding Classes on page 1190 Assigning CoS Components to Interfaces (J-Web Procedure) on page 1186 Understanding CoS Forwarding Classes on page 1144
1179
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
2.
Configure a scheduler map (be-map) that associates the scheduler (be-sched) with the forwarding class (best-effort):
[edit class-of-service scheduler-maps] user@switch# set be-map forwarding-class best-effort scheduler be-sched
3.
Related Topics
Defining CoS Schedulers (J-Web Procedure) on page 1180 Example: Configuring CoS on EX-series Switches on page 1153 Assigning CoS Components to Interfaces (CLI Procedure) on page 1186 Monitoring CoS Scheduler Maps on page 1193 Understanding CoS Schedulers on page 1146
Create a scheduler and specify attributes for it. For a description of scheduler-related fields, see Table 161 on page 1181.
1180
2.
Associate the scheduler to a forwarding class. Because the forwarding class is assigned to a queue number, the queue inherits this scheduler's attributes. For a description of scheduler map-related fields, see Table 161 on page 1181.
Function
Your Action
Scheduler Name
Displays the names of defined schedulers. Allows you to edit a specific scheduler.
Scheduler Information
Displays a summary of defined settings for a scheduler, such as bandwidth, delay buffer size, and transmit rates. Opens a page that allows you to add a scheduler. Removes a scheduler.
None.
Add
Click Add.
Delete
Click Delete.
Scheduler Name
To name a scheduler, type the namefor example, be-scheduler. To define a delay buffer size for a scheduler, select the appropriate option:
Buffer Size
Defines the size of the delay buffer. By default, queues 0 through 7 have the following percentage of the total available buffer space:
To specify no buffer size, select Unconfigured. To specify buffer size as a percentage of the total buffer, select Percent and type an integer from 1 through 100. To specify buffer size as the remaining available buffer, select Remainder.
Queue 095 percent Queue 10 percent Queue 20 percent Queue 30 percent Queue 40 percent Queue 50 percent Queue 60 percent Queue 75 percent
NOTE: A large buffer size value correlates with a greater possibility of packet delays. This might not be practical for sensitive traffic such as voice or video.
1181
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
lowPackets in this queue are transmitted last. stricthighPackets in this queue are transmitted first.
To not specify transmit rate, select Unconfigured. To specify the remaining transmission capacity, select Remainder Available. To specify a percentage of transmission capacity, select Percent and type an integer from 1 through 100.
Queue 095 percent Queue 10 percent Queue 20 percent Queue 35 percent Queue 40 percent Queue 60 percent Queue 75 percent
To enforce the exact transmission rate or percentage you configured, select the Exact Transmit Rate check box.
Function
Your Action
Displays the names of defined scheduler maps. Scheduler maps link schedulers to forwarding classes. Allows you to edit a scheduler map.
For each map, displays the schedulers and the forwarding classes that they are assigned to. Opens a page that allows you to add a scheduler map. Removes a scheduler map.
None.
Add
Click Add.
Delete
1182
Related Topics
Defining CoS Schedulers (CLI Procedure) on page 1180 Example: Configuring CoS on EX-series Switches on page 1153 Monitoring CoS Scheduler Maps on page 1193
Related Topics
Example: Configuring CoS on EX-series Switches on page 1153 Understanding CoS Tail Drop Profiles on page 1146
1183
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Defining CoS Rewrite Rules (J-Web Procedure) on page 1184 Example: Configuring CoS on EX-series Switches on page 1153 Monitoring CoS Rewrite Rules on page 1192 Understanding CoS Rewrite Rules on page 1150
1184
Function
Your Action
DSCP
Redefines DSCP code point values of outgoing packets. Redefines IPv4 precedence code point values. Displays names of defined rewrite rules. Allows you to edit a specific rule.
Click DSCP.
Forwarding Class
Displays forwarding classes associated with a specific rewrite rule. Displays loss priority values associated with a specific rewrite rule. Displays the CoS values and aliases that a specific rewrite rule has set for a specific forwarding class and loss priority. Opens a page that allows you to define a new rewrite rule. Removes specified rewrite rules.
None.
Loss Priority
None.
None.
Add
Delete
To remove a rule, select the check box next to it and click Delete.
To name a rule, type the namefor example, rewrite-dscps. To configure the CoS value assignment, follow these steps:
Rewrites outgoing CoS values of a packet based on the forwarding class and loss priority. Allows you to remove a code point mapping entry.
1. 2.
From the Forwarding Class list, select a class. Select a priority from the following:
lowRewrite rule applies to packets with a low loss priority. highRewrite rule applies to packets with a high loss priority.
3.
For Rewritten Code Point, either select a predefined CoS value and alias or type a new CoS value and alias. For information about predefined CoS values and aliases, see the JUNOS Class of Service Configuration Guide.
4.
Click Add.
1185
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Defining CoS Rewrite Rules (CLI Procedure) on page 1184 Understanding CoS Rewrite Rules on page 1150 Monitoring CoS Rewrite Rules on page 1192 Example: Configuring CoS on EX-series Switches on page 1153
Forwarding classesAssign only to logical interfaces. ClassifiersAssign only to logical interfaces. Scheduler mapsAssign to either physical or logical interfaces.
To assign CoS components to interfaces, associate a CoS component (scheduler map named ethernet-cos-map) with an interface (ge-0/0/20):
[edit class-of-service interfaces] user@switch# set ge-0/0/20 scheduler-map ethernet-cos-map
Related Topics
Assigning CoS Components to Interfaces (J-Web Procedure) on page 1186 Example: Configuring CoS on EX-series Switches on page 1153 Monitoring Interfaces That Have CoS Components on page 1191 Understanding JUNOS CoS Components for EX-series Switches on page 1137
In the J-Web interface, select Configure>Class of Service>Interface Association. Enter information into these pages, as described in Table 164 on page 1187. Click one:
To apply the configuration click OK. To cancel your entries click Cancel.
1186
Add CoS Service to a Physical Interface/Edit CoS Physical Interface Physical Interface Name Specifies the name of a physical interface. Allows you to assign CoS components to a set of interfaces at the same time. To specify an interface for CoS assignment, type its name in the Physical Interface Name box. To specify a set of interfaces for CoS assignment, use the wildcard character (*)for example, ge-0/*/0. Scheduler Map Specifies a predefined scheduler map for the physical interface. A scheduler map enables the physical interface to have more than one set of output queues. Add Allows you to add a CoS service to a logical interface on a specified physical interface. To add a CoS Service to a logical interface, click Add. To specify a map for an interface, select it from the Scheduler Map list.
Add CoS Service to a Logical Interface Unit/Edit CoS Logical Interface Unit Logical Interface Unit Name Specifies the name of a logical interface. Allows you to assign CoS components to a logical interface configured on a physical interface at the same time. To specify an interface for CoS assignment, type its name in the Logical Interface Unit Name box. To assign CoS services to all logical interfaces configured on this physical interface, type the wildcard character (*). Forwarding Class Assigns a predefined forwarding class to incoming packets on a logical interface. Allows you to apply classification maps to a logical interface. Classifiers assign a forwarding class and loss priority to an incoming packet based on its CoS value.
To assign a forwarding class to the interface, select it. To assign a classification map to the interface, select an appropriate classifier for each CoS value type used on the interface.
Classifiers
Related Topics
Assigning CoS Components to Interfaces (CLI Procedure) on page 1186 Example: Configuring CoS on EX-series Switches on page 1153 Monitoring Interfaces That Have CoS Components on page 1191
1187
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: Currently, we provide an EZQoS template for configuring CoS for VoIP applications. The EZQoS VoIP template is stored in /etc/config/ezqos-voip.conf. To configure EZQoS using the CLI:
1.
2.
3.
4.
Related Topics
Example: Configuring CoS on EX-series Switches on page 1153 Understanding JUNOS EZQoS for CoS Configurations on EX-series Switches on page 1151
1188
Chapter 60
Verifying CoS
Monitoring CoS Classifiers on page 1189 Monitoring CoS Forwarding Classes on page 1190 Monitoring Interfaces That Have CoS Components on page 1191 Monitoring CoS Rewrite Rules on page 1192 Monitoring CoS Scheduler Maps on page 1193 Monitoring CoS Value Aliases on page 1195
Use the monitoring functionality to display the mapping of incoming CoS values to forwarding class and loss priority for each classifier. To monitor CoS classifiers in the J-Web interface, select Monitor>Class of Service>Classifiers To monitor CoS classifiers in the CLI, enter the following CLI command:
show class-of-service classifier
Action
Meaning
Table 165 on page 1189 summarizes key output fields for CoS classifiers.
802.1 type.
1189
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Defining CoS Classifiers (CLI Procedure) on page 1175 Defining CoS Classifiers (J-Web Procedure) on page 1176 Example: Configuring CoS on EX-series Switches on page 1153
Use the monitoring functionality to view the current assignment of CoS forwarding classes to queue numbers on the system. To monitor CoS forwarding classes in the J-Web interface, select Monitor>Class of Service>Forwarding Classes. To monitor CoS forwarding classes in the CLI, enter the following CLI command:
show class-of-service forwarding-class
Action
Meaning
Table 166 on page 1191 summarizes key output fields for CoS forwarding classes.
1190
Additional Information
assured-forwardingProvides high
assurance for packets within specified service profile. Excess packets are dropped.
network-controlPackets can be
delayed but not dropped. Queue Queue number corresponding to the forwarding class name. By default, four queues, 0, 1, 5 or 7, are assigned to forwarding classes.
Related Topics
Defining CoS Forwarding Classes (CLI Procedure) on page 1178 Defining CoS Forwarding Classes (J-Web Procedure) on page 1179 Example: Configuring CoS on EX-series Switches on page 1153
Use the monitoring functionality to display details about the physical and logical interfaces and the CoS components assigned to them. To monitor interfaces that have CoS components in the J-Web interface, select Monitor>Class of Service>Interface Association. To monitor interfaces that have CoS components in the CLI, enter the following command:
show class-of-service interface interface
Action
Meaning
Table 167 on page 1191 summarizes key output fields for CoS interfaces.
1191
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Queues Supported
Object
Name
Type
Index
Related Topics
Assigning CoS Components to Interfaces (CLI Procedure) on page 1186 Assigning CoS Components to Interfaces (J-Web Procedure) on page 1186 Example: Configuring CoS on EX-series Switches on page 1153
Use the monitoring functionality to display information about CoS value rewrite rules, which are based on the forwarding class and loss priority. To monitor CoS rewrite rules in the J-Web interface, select Monitor>Class of Service>Rewrite Rules. To monitor CoS rewrite rules in the CLI, enter the following command:
show class-of-service rewrite-rules
Action
Meaning
Table 168 on page 1192 summarizes key output fields for CoS rewrite rules.
1192
Table 168: Summary of Key CoS Rewrite Rules Output Fields (continued)
Field CoS Value Type Values Rewrite rule type:
Additional Information To display forwarding classes, loss priorities, and rewritten CoS values, click the plus sign (+).
dscpFor IPv4 DiffServ traffic. ieee-802.1For Layer 2 traffic. inet-precedenceFor IPv4 traffic.
Internal index for this particular rewrite rule. Forwarding class that is used to determine CoS values for rewriting in combination with loss priority. Loss priority that is used to determine CoS values for rewriting in combination with forwarding class. Value that the CoS value is rewritten to. Rewrite rules are applied to CoS values in outgoing packets based on forwarding class and loss priority setting.
Loss Priority
Related Topics
Defining CoS Rewrite Rules (CLI Procedure) on page 1184 Defining CoS Rewrite Rules (J-Web Procedure) on page 1184 Example: Configuring CoS on EX-series Switches on page 1153
Use the monitoring functionality to display assignments of CoS forwarding classes to schedulers. To monitor CoS scheduler maps in the J-Web interface, select Monitor>Class of Service>Scheduler Maps. To monitor CoS scheduler maps in the CLI, enter the following CLI command:
show class-of-service scheduler-map
Action
Meaning
Table 169 on page 1193 summarizes key output fields for CoS scheduler maps.
Scheduler Name
1193
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Table 169: Summary of Key CoS Scheduler Maps Output Fields (continued)
Field Forwarding Class Values Forwarding classes this scheduler is assigned to. Configured transmit rate of the scheduler in bits per second (bps). The rate value can be either of the following:
Additional Information
Transmit Rate
A percentageThe scheduler receives the specified percentage of the total interface bandwidth.
remainder The scheduler receives the
remaining bandwidth of the interface after bandwidth allocation to other schedulers. Buffer Size Delay buffer size in the queue or the amount of transmit delay (in milliseconds). The buffer size can be either of the following:
according to what remains after other scheduler buffer allocations. Priority Scheduling priority of a queue:
transmitted first.
transmitted last. Drop Profiles Name and index of a drop profile that is assigned to a specific loss priority and protocol pair. Packet loss priority corresponding to a drop profile. Transport protocol corresponding to a drop profile. Name of the drop profile. Index of a specific objectscheduler maps, schedulers, or drop profiles.
Loss Priority
Protocol
Related Topics
Defining CoS Schedulers (CLI Procedure) on page 1180 Defining CoS Schedulers (J-Web Procedure) on page 1180 Example: Configuring CoS on EX-series Switches on page 1153
1194
Use the monitoring functionality to display information about the CoS value aliases that the system is currently using to represent DSCP, IEEE 802.1p, and IPv4 precedence bits. To monitor CoS value aliases in the J-Web interface, select Monitor>Class of Service>CoS Value Aliases. To monitor CoS value aliases in the CLI, enter the following command:
show class-of-service code-point-aliases
Action
Meaning
Table 170 on page 1195 summarizes key output fields for CoS value aliases.
Additional Information To display aliases and bit patterns, click the plus sign (+).
inet-precedenceExamines Layer 3
packet headers for IP packet classification. CoS Value Alias Name given to a set of bitsfor example, af11 is a name for 001010 bits. Set of bits associated with an alias.
CoS Value
Related Topics
Defining CoS Code-Point Aliases (CLI Procedure) on page 1174 Defining CoS Code-Point Aliases (J-Web Procedure) on page 1172 Example: Configuring CoS on EX-series Switches on page 1153
1195
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1196
Chapter 61
1197
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
scheduler-maps { map-name { forwarding-class class-name scheduler scheduler-name; } } schedulers { scheduler-name { buffer-size (percent percentage | remainder); drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name; priority priority; shaping-rate (rate | percent percentage); transmit-rate (rate | percent percentage | remainder); } } }
Related Topics
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Code-Point Aliases (CLI Procedure) on page 1174 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 1172 Defining CoS Classifiers (CLI Procedure) on page 1175 or Defining CoS Classifiers (J-Web Procedure) on page 1176 Defining CoS Forwarding Classes (CLI Procedure) on page 1178 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1179 Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1183 Defining CoS Schedulers (CLI Procedure) on page 1180 or Defining CoS Schedulers (J-Web Procedure) on page 1180 Defining CoS Rewrite Rules (CLI Procedure) on page 1184 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1184 Assigning CoS Components to Interfaces (CLI Procedure) on page 1186 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 1186
1198
buffer-size
Syntax Hierarchy Level Release Information Description Default
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify buffer size. If you do not include this statement, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent.
percent percentage Buffer size as a percentage of total buffer. remainderRemaining buffer available.
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Schedulers (CLI Procedure) on page 1180 or Defining CoS Schedulers (J-Web Procedure) on page 1180 Understanding CoS Schedulers on page 1146
buffer-size
1199
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
class
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure up to 16 forwarding classes with multiple forwarding classes mapped to single queues. If you want to configure up to eight forwarding classes with one-to-one mapping to output queues, use the queue statement instead of the class statement at the [edit class-of-service forwarding-classes] hierarchy level.
class-name Name of forwarding class.. queue-num queue-number Output queue number.
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Forwarding Classes (CLI Procedure) on page 1178 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1179 Understanding CoS Forwarding Classes on page 1144
1200
class
class-of-service
Syntax
class-of-service { classifiers { (dscp | ieee-802.1 | inet-precedence) classifier-name { import (classifier-name | default); forwarding-class class-name { loss-priority level { code-points [ aliases ] [ 6 bit-patterns ]; } } } } code-point-aliases { (dscp | ieee-802.1 | inet-precedence) { alias-name bits; } } forwarding-classes { class class-name queue-num queue-number; } interfaces { interface-name { scheduler-map map-name; unit logical-unit-number { forwarding-class class-name; classifiers { (dscp | ieee-802.1 | inet-precedence) (classifier-name | default); } } } } rewrite-rules { (dscp | ieee-802.1 | inet-precedence) rewrite-name { import (rewrite-name | default); forwarding-class class-name { loss-priority priority code-point (alias | bits); } } } scheduler-maps { map-name { forwarding-class class-name scheduler scheduler-name; } } schedulers { scheduler-name { buffer-size (percent percentage | remainder); drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name; priority priority; shaping-rate (rate | percent percentage); transmit-rate (rate | percent percentage | remainder); }
class-of-service
1201
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
} }
Hierarchy Level Release Information Description
[edit]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure class-of-service parameters on EX-series switches. The statements are explained separately.
If you do not configure any CoS features, the default CoS settings are used. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Code-Point Aliases (CLI Procedure) on page 1174 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 1172 Defining CoS Classifiers (CLI Procedure) on page 1175 or Defining CoS Classifiers (J-Web Procedure) on page 1176 Defining CoS Forwarding Classes (CLI Procedure) on page 1178 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1179 Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1183 Defining CoS Schedulers (CLI Procedure) on page 1180 or Defining CoS Schedulers (J-Web Procedure) on page 1180 Defining CoS Rewrite Rules (CLI Procedure) on page 1184 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1184 Assigning CoS Components to Interfaces (CLI Procedure) on page 1186 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 1186 JUNOS CoS for EX-series Switches Overview on page 1135
1202
class-of-service
classifiers
Syntax
classifiers { (dscp | ieee-802.1 | inet-precedence) classifier-name { import (classifier-name | default); forwarding-class class-name { loss-priority level { code-points [ aliases ] [ 6bit-patterns ]; } } } } [edit class-of-service], [edit class-of-service interfaces interface-name unit logical-unit-number]
Hierarchy Level
Statement introduced in JUNOS Release 9.0 for EX-series switches. Apply a CoS aggregate behavior classifier to a logical interface. You can apply a default classifier or one that has been previously defined. The statements are explained separately.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Classifiers (CLI Procedure) on page 1175 or Defining CoS Classifiers (J-Web Procedure) on page 1176 Assigning CoS Components to Interfaces (CLI Procedure) on page 1186 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 1186 Understanding CoS Classifiers on page 1142
classifiers
1203
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
code-point-aliases
Syntax
Statement introduced in JUNOS Release 9.0 for EX-series switches. Define an alias for a CoS marker. The statements are explained separately.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Code-Point Aliases (CLI Procedure) on page 1174 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 1172 Understanding CoS Code-Point Aliases on page 1139
code-points
Syntax Hierarchy Level
code-points [ aliases ] [ 6 bit-patterns ]; [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) forwarding-class class-name loss-priority level]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify one or more DSCP code-point aliases or bit sets for association with a forwarding class.
aliases Name of the DSCP alias. 6 bit-patterns Value of the code-point bits, in decimal form.
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Classifiers (CLI Procedure) on page 1175 or Defining CoS Classifiers (J-Web Procedure) on page 1176 Understanding CoS Classifiers on page 1142
1204
code-point-aliases
drop-profile-map
Syntax Hierarchy Level Release Information Description Options
drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name; [edit class-of-service schedulers scheduler-name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Define the loss priority value for the specified drop profile.
drop-profile profile-name Name of the drop profile.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Schedulers (CLI Procedure) on page 1180 or Defining CoS Schedulers (J-Web Procedure) on page 1180 Understanding CoS Schedulers on page 1146
drop-profile-map
1205
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
dscp
Syntax
dscp classifier-name { import (classifier-name | default); forwarding-class class-name { loss-priority level { code-points [ aliases ] [ 6bit-patterns ]; } } } [edit class-of-service classifiers], [edit class-of-service code-point-aliases], [editclass-of-service interfaces interface-name unit logical-unit-number classifiers], [edit class-of-service rewrite-rules]
Hierarchy Level
Statement introduced in JUNOS Release 9.0 for EX-series switches. Define the Differentiated Services code point (DSCP) mapping that is applied to the packets.
classifier-name Name of the classifier.
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Code-Point Aliases (CLI Procedure) on page 1174 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 1172 Defining CoS Classifiers (CLI Procedure) on page 1175 or Defining CoS Classifiers (J-Web Procedure) on page 1176 Defining CoS Rewrite Rules (CLI Procedure) on page 1184 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1184 Assigning CoS Components to Interfaces (CLI Procedure) on page 1186 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 1186 Understanding CoS Classifiers on page 1142
1206
dscp
forwarding-class
Syntax
forwarding-class class-name { loss-priority level { code-points [ aliases ] [ 6bit-patterns ]; } } [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name], [editclass-of-service interfaces interface-name unit logical-unit-number], [edit class-of-service rewrite-rules] (dscp | ieee-802.1 | inet-precedence) rewrite-name], [edit class-of-service scheduler-maps map-name]
Hierarchy Level
Statement introduced in JUNOS Release 9.0 for EX-series switches. Define forwarding class name and option values.
class-name Name of the forwarding class.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Forwarding Classes (CLI Procedure) on page 1178 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1179 Understanding CoS Forwarding Classes on page 1144
forwarding-class
1207
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
forwarding-class
Syntax
forwarding-class class-name { loss-priority level { code-points [ aliases ] [ 6bit-patterns ]; } } [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name], [editclass-of-service interfaces interface-name unit logical-unit-number], [edit class-of-service rewrite-rules] (dscp | ieee-802.1 | inet-precedence) rewrite-name], [edit class-of-service scheduler-maps map-name]
Hierarchy Level
Statement introduced in JUNOS Release 9.0 for EX-series switches. Define forwarding class name and option values.
class-name Name of the forwarding class.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Forwarding Classes (CLI Procedure) on page 1178 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1179 Understanding CoS Forwarding Classes on page 1144
1208
forwarding-class
ieee-802.1
Syntax
ieee-802.1 classifier-name { import (classifier-name | default); forwarding-class class-name { loss-priority level { code-points [ aliases ] [ 6 bit-patterns ]; } } } [edit class-of-service classifiers], [edit class-of-service code-point-aliases], [editclass-of-service interfaces interface-name unit logical-unit-number classifiers], [edit class-of-service rewrite-rules]
Hierarchy Level
Statement introduced in JUNOS Release 9.0 for EX-series switches. Apply an IEEE-802.1 rewrite rule.
classifier-name Name of the classifier.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Classifiers (CLI Procedure) on page 1175 or Defining CoS Classifiers (J-Web Procedure) on page 1176 Defining CoS Code-Point Aliases (CLI Procedure) on page 1174 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 1172 Defining CoS Rewrite Rules (CLI Procedure) on page 1184 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1184 Understanding CoS Classifiers on page 1142 Understanding CoS Rewrite Rules on page 1150
ieee-802.1
1209
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
import
Syntax Hierarchy Level
import (classifier-name | default); [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name], [edit class-of-service rewrite-rules (dscp | ieee-802.1 | inet-precedence) rewrite-name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify a default or previously defined classifier.
classifier-name Name of the classifier mapping configured at the [edit class-of-service classifiers] hierarchy level. defaultDefault classifier mapping.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Classifiers (CLI Procedure) on page 1175 or Defining CoS Classifiers (J-Web Procedure) on page 1176 Defining CoS Rewrite Rules (CLI Procedure) on page 1184 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1184 Understanding CoS Classifiers on page 1142 Understanding CoS Rewrite Rules on page 1150
1210
import
inet-precedence
Syntax
inet-precedence classifier-name { import (classifier-name | default); forwarding-class class-name { loss-priority level { code-points [ aliases ] [ 6bit-patterns ]; } } } [edit class-of-service classifiers], [edit class-of-service code-point-aliases], [editclass-of-service interfaces interface-name unit logical-unit-number classifiers], [edit class-of-service rewrite-rules]
Hierarchy Level
Statement introduced in JUNOS Release 9.0 for EX-series switches. Apply an IPv4 precedence rewrite rule. classifier-nameName of the classifier. The remaining statements are explained separately.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Classifiers (CLI Procedure) on page 1175 or Defining CoS Classifiers (J-Web Procedure) on page 1176 Defining CoS Code-Point Aliases (CLI Procedure) on page 1174 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 1172 Defining CoS Rewrite Rules (CLI Procedure) on page 1184 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1184 Understanding CoS Classifiers on page 1142 Understanding CoS Rewrite Rules on page 1150
inet-precedence
1211
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
interfaces
Syntax
interfaces { interface-name { scheduler-map map-name; unit logical-unit-number { forwarding-class class-name; classifiers { (dscp | ieee-802.1 | inet-precedence) (classifier-name | default); } } } } [edit class-of-service]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure interface-specific CoS properties for incoming packets.
interface-name Name of the interface.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Classifiers (CLI Procedure) on page 1175 or Defining CoS Classifiers (J-Web Procedure) on page 1176 Defining CoS Forwarding Classes (CLI Procedure) on page 1178 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1179 Defining CoS Schedulers (CLI Procedure) on page 1180 or Defining CoS Schedulers (J-Web Procedure) on page 1180 EX-series Switches Interfaces Overview on page 279
1212
interfaces
loss-priority
Syntax
loss-priority level { code-points [ aliases ] [ 6bit-patterns ]; } [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name forwarding-class class-name], [edit class-of-service rewrite-rules (dscp | ieee-802.1 | inet-precedence) rewrite-name forwarding-class class-name]
Hierarchy Level
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify packet loss priority value for a specific set of code-point aliases and bit patterns.
level Can be one of the following:
Options
highPacket has high loss priority. lowPacket has low loss priority.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Classifiers (CLI Procedure) on page 1175 or Defining CoS Classifiers (J-Web Procedure) on page 1176 Defining CoS Rewrite Rules (CLI Procedure) on page 1184 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1184 Understanding CoS Classifiers on page 1142 Understanding CoS Rewrite Rules on page 1150
loss-priority
1213
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
priority
Syntax Hierarchy Level Release Information Description Options
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify packet-scheduling priority value.
priority It can be one of the following:
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Schedulers (CLI Procedure) on page 1180 or Defining CoS Schedulers (J-Web Procedure) on page 1180 Understanding CoS Schedulers on page 1146
protocol
Syntax Hierarchy Level Release Information Description Options
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify the protocol type for the specified drop profile.
drop-profile profile-name Name of the drop profile. protocol Type of protocol. It can be:
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1183 Understanding CoS Tail Drop Profiles on page 1146
1214
priority
rewrite-rules
Syntax
rewrite-rules { (dscp | ieee-802.1 | inet-precedence) rewrite-name { import (rewrite-name | default); forwarding-class class-name { loss-priority level code-point (alias | bits); } } } [edit class-of-service]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify a rewrite-rules mapping for the traffic that passes through all queues on the interface. The remaining statements are explained separately.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Rewrite Rules (CLI Procedure) on page 1184 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1184 Understanding CoS Rewrite Rules on page 1150
scheduler-map
Syntax Hierarchy Level Release Information Description Options Required Privilege Level Related Topics
Statement introduced in JUNOS Release 9.0 for EX-series switches. Associate a scheduler map name with an interface.
map-name Name of the scheduler map.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Assigning CoS Components to Interfaces (CLI Procedure) on page 1186 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 1186 Understanding CoS Schedulers on page 1146
rewrite-rules
1215
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
scheduler-maps
Syntax
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify a scheduler map name and associate it with the scheduler configuration and forwarding class.
map-name Name of the scheduler map.
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Forwarding Classes (CLI Procedure) on page 1178 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1179 Understanding CoS Schedulers on page 1146 Understanding CoS Forwarding Classes on page 1144
1216
scheduler-maps
schedulers
Syntax
schedulers { scheduler-name { buffer-size (percent percentage | remainder); drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name; priority priority; shaping-rate (rate | percent percentage); transmit-rate (rate | percent percentage | remainder); } } [edit class-of-service]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify scheduler name and parameter values.
scheduler-nameName of the scheduler.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Schedulers (CLI Procedure) on page 1180 or Defining CoS Schedulers (J-Web Procedure) on page 1180 Understanding CoS Schedulers on page 1146
schedulers
1217
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
shaping-rate
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure shaping rate to throttle the rate at which queues transmit packets. We recommend that you configure the shaping rate as an absolute maximum usage and not as additional usage beyond the configured transmit rate.
Default
If you do not include this statement, the default shaping rate is 100 percent, which is the same as no shaping at all.
percentpercentageShaping rate as a percentage of the available interface bandwidth.
Options
either as a complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000). Range: 3200 through 32,000,000,000 bps
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Understanding JUNOS CoS Components for EX-series Switches on page 1137
1218
shaping-rate
transmit-rate
Syntax Hierarchy Level Release Information Description Default
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify the transmit rate or percentage for a scheduler. If you do not include this statement, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent.
rate Transmission rate, in bps. You can specify a value in bits per second either
Options
as a complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000). Range: 3200 through 160,000,000,000 bps
percent percentage Percentage of transmission capacity. A percentage of zero
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Defining CoS Schedulers (CLI Procedure) on page 1180 or Defining CoS Schedulers (J-Web Procedure) on page 1180 Understanding CoS Schedulers on page 1146
transmit-rate
1219
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
unit
Syntax
unit logical-unit-number { forwarding-class class-name; classifiers { (dscp | ieee-802.1 | inet-precedence) (classifier-name | default); } } [edit class-of-service interfaces interface-name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure a logical interface on the physical device. You must configure a logical interface to be able to use the physical device.
logical-unit-number Number of the logical unit.
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring CoS on EX-series Switches on page 1153 Assigning CoS Components to Interfaces (CLI Procedure) on page 1186 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 1186
1220
unit
Chapter 62
1221
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
show class-of-service
Syntax Release Information Description Options Required Privilege Level Related Topics
show class-of-service
Command introduced in JUNOS Release 9.0 for EX-series switches. Display the class of service (CoS) information. This command has no options. view
Example: Configuring CoS on EX-series Switches on page 1153 Monitoring CoS Value Aliases on page 1195 Monitoring CoS Classifiers on page 1189 Monitoring CoS Forwarding Classes on page 1190 Monitoring CoS Scheduler Maps on page 1193 Monitoring CoS Rewrite Rules on page 1192
show class-of- service on page 1223 Table 171 on page 1222 lists the output fields for the show class-of-service command. Output fields are listed in the approximate order in which they appear.
Forwarding className of the forwarding class. IDForwarding class ID. QueueQueue number.
All levels
dscpAliases for DiffServ code point (DSCP) values. ieee802.1Aliases for IEEE 802.1p values. inet-precedenceAliases for IP precedence values.
Names given to CoS values. Set of bits associated with an alias. Name of the classifier. Code-point values. Loss priority assigned to specific CoS values and aliases of the classifier.
All levels All levels All levels All levels All levels
1222
show class-of-service
Field Description Name of the rewrite-rule. Name of the drop profile. Type of drop profile. EX-series switches support only the discrete type of drop-profile. Percentage of queue buffer fullness of high packets after which high packets are dropped. Name of the scheduler. Transmission rate of the scheduler. Delay buffer size in the queue. Drop profiles configured for the specified scheduler. Transport protocol corresponding to the drop profile. Name of the drop profile. Number of queues that can be configured on the interface. Number of queues currently configured. Name of the physical interface. Name of the scheduler map. Internal index of a specific object.
Fill level
All levels
Scheduler Transmit rate Buffer size Drop profiles Protocol Name Queues supported Queues in use Physical interface Scheduler map Index
All levels All levels All levels All levels All levels All levels All levels All levels All levels All levels All levels
user@switch> show class-of-service Forwarding class best-effort expedited-forwarding assured-forwarding network-control Code point type: dscp Alias Bit pattern af11 001010 af12 001100 ... ... Code point type: ieee-802.1 Alias Bit pattern af11 010 ... ... Code point type: inet-precedence Alias Bit pattern af11 001
ID 0 1 2 3
Queue 0 5 1 7
show class-of-service
1223
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
...
...
Classifier: dscp-default, Code point type: dscp, Index: 7 Code point Forwarding class Loss priority 000000 best-effort low 000001 best-effort low ... ... ... Classifier: ieee8021p-default, Code point type: ieee-802.1, Index: 11 Code point Forwarding class Loss priority 000 best-effort low 001 best-effort low 010 best-effort low 011 best-effort low 100 best-effort low 101 best-effort low 110 network-control low 111 network-control low Classifier: ipprec-default, Code point type: inet-precedence, Index: 12 Code point Forwarding class Loss priority 000 best-effort low 001 best-effort low 010 best-effort low 011 best-effort low 100 best-effort low 101 best-effort low 110 network-control low 111 network-control low Classifier: ieee8021p-untrust, Code point type: ieee-802.1, Index: 16 Code point Forwarding class Loss priority 000 best-effort low 001 best-effort low 010 best-effort low 011 best-effort low 100 best-effort low 101 best-effort low 110 best-effort low 111 best-effort low Rewrite rule: dscp-default, Code point type: dscp, Index: Forwarding class Loss priority best-effort low best-effort high expedited-forwarding low expedited-forwarding high assured-forwarding low assured-forwarding high network-control low network-control high 27 Code point 000000 000000 101110 101110 001010 001100 110000 111000
Rewrite rule: ieee8021p-default, Code point type: ieee-802.1, Index: 30 Forwarding class Loss priority Code point best-effort low 000 best-effort high 001 expedited-forwarding low 100 expedited-forwarding high 101 assured-forwarding low 010 assured-forwarding high 011 network-control low 110
1224
show class-of-service
network-control
high
111
Rewrite rule: ipprec-default, Code point type: inet-precedence, Index: 31 Forwarding class Loss priority Code point best-effort low 000 best-effort high 000 expedited-forwarding low 101 expedited-forwarding high 101 assured-forwarding low 001 assured-forwarding high 001 network-control low 110 network-control high 111 Drop profile:<default-drop-profile>, Type: discrete, Index: 1 Fill level 100 Scheduler map: <default>, Index: 2 Scheduler: <default-be>, Forwarding class: best-effort, Index: 20 Transmit rate: 95 percent, Rate Limit: none, Buffer size: 95 percent, Priority: low Drop profiles: Loss priority Protocol Index Name High non-TCP 1 <default-drop-profile> High TCP 1 <default-drop-profile> Scheduler: <default-nc>, Forwarding class: network-control, Index: 22 Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent, Priority: low Drop profiles: Loss priority Protocol Index Name High non-TCP 1 <default-drop-profile> High TCP 1 <default-drop-profile> Physical interface: ge-0/0/0, Index: 129 Queues supported: 8, Queues in use: 4 Scheduler map: <default>, Index: 2 Physical interface: ge-0/0/1, Index: 130 Queues supported: 8, Queues in use: 4 Scheduler map: <default>, Index: 2 ... ... ...
Fabric priority: low Scheduler: <default-fabric>, Index: 23 Drop profiles: Loss priority Protocol Index High non-TCP 1 High TCP 1 Fabric priority: high Scheduler: <default-fabric>, Index: 23 Drop profiles: Loss priority Protocol Index High non-TCP 1 High TCP 1
show class-of-service
1225
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1226
show class-of-service
Part 13
PoE
Understanding PoE on page 1229 Examples of Configuring PoE on page 1233 Configuring PoE on page 1241 Verifying PoE on page 1245 Configuration Statements for PoE on page 1247 Operational Mode Commands for PoE on page 1257
PoE
1227
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1228
PoE
Chapter 63
Understanding PoE
PoE and Power Supply Units in EX-series Switches on page 1229 Power Management Mode on page 1230 Classes of Powered Devices on page 1230 Global and Specific PoE Parameters on page 1231
320-W power supply unit: Supports 8 ports of PoE power at 15.4 W per port, plus system power. 600-W power supply unit: Supports 24 ports of PoE power at 15.4 W per port, plus system power. 930-W power supply unit: Supports 48 ports of PoE power at 15.4 W per port, plus system power.
NOTE: PoE is not supported on a switch using DC power. All 802.3af-compliant powered devices require no more than 12.95 watts. Thus, if you follow the recommended guidelines for selecting power supply units to support
1229
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
the number of PoE ports, the switch should be able to supply power to all connected powered devices. If you install a higher capacity power supply unit on a switch model that has only 8 PoE ports, it does not extend PoE capabilities to the non-PoE ports.
Per port limit (PPL)The factor that decides the maximum power consumption permitted on a particular interface. If the power consumption by the powered device exceeds the specified value, PoE is shut down over that interface. Power allocated for each interfaceThe factor that ensures that a certain amount of power is reserved for an individual interface from the total power budget for all interfaces. If at any point the total of the allocated power for all interfaces exceeds the total budget, the lower priority interfaces are turned off and the power allocated for those interfaces drops to 0.
StaticIn this mode the power allocated for each interface can be configured. The PPL value is the maximum value configured per interface. ClassIn this mode the power allocation for interfaces is determined based on the class of powered device connected. PPL is the maximum power value of the class of the powered device connected to the interface. The power allocated per interface is the maximum power of the powered device class, except for classes 0 and 3. For class 0 and class 3 powered devices, the momentary power consumption is considered as the power allocated for that interface. Therefore, PPL and power allocated per interface values change based on the powered device connected to the interface.
0 1 2
1230
Optional
15.4 W
maximum-powerThis setting defaults to 15.4 W. If you follow the recommended guidelines for the installed power supply unit (see Table 172 on page 1230), the switch should be able to provide sufficient power for all PoE ports using the default power setting. priorityThis setting defaults to low. If a port is set as high priority and a situation arises where there is not sufficient power for all the PoE ports, the available power is directed to the higher priority port(s). If the switch needs to shut down powered devices because a power supply fails and there is insufficient power, low priority devices are shut before high priority powered devices. Thus, security cameras, emergency phones, and other high priority phones should be set to high priority. telemetriesThis setting allows you to monitor per port PoE power consumption. It is not included in the default PoE configuration. EX-series Switches Interfaces Overview on page 279 Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236
Related Topics
1231
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1232
Chapter 64
Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236
Requirements on page 1233 Overview and Topology on page 1234 Configuration on page 1234 Verification on page 1235 Troubleshooting on page 1235
Requirements
This example uses the following software and hardware components:
JUNOS Release 9.0 or later for EX-series switches One EX-series 4200 switch
1233
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Performed the initial switch configuration. See Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 or Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60 for details.
Switch hardware
EX-series 4200-E-24T switch, with 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
default ge-0/0/0 ge-0/0/1 through ge-0/0/7
VLAN name Connection to a wireless access point (requires PoE) Connections to Avaya IP telephonewith integrated hub, to connect phone and desktop PC to a single port (requires PoE) Direct connections to desktop PCs, file servers, integrated printer/fax/copier machines (no PoE required) Unused ports (for future expansion)
Configuration
To enable the default PoE configuration on the switch:
CLI Quick Configuration
By default, PoE interfaces are created for all PoE ports and PoE is enabled. You can simply connect powered devices to the PoE ports. To use the PoE interfaces with default values:
1. 2. 3.
Step-by-Step Procedure
Make sure the switch is powered on. Connect the wireless access point to switch port ge-0/0/0. Connect the eight Avaya phones to switch ports ge-0/0/1 through ge-0/0/7.
1234
Verification
To verify that PoE interfaces have been created and are operational, perform this task:
Verifying That the PoE Interfaces Have Been Created on page 1235
Verify that the PoE interfaces have been created on the switch. List all the PoE interfaces configured on the switch:
user@switch> show poe interface Interface ge-0/0/0 ge-0/0/1 ge-0/0/2 ge-0/0/3 ge-0/0/4 ge-0/0/5 ge-0/0/6 ge-0/0/7 Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled status ON ON ON ON ON ON ON ON max-power 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W 15.4W priority Low Low Low Low Low Low Low Low power-consumption Class 12.95W 0 12.95W 0 12.95W 0 12.95W 0 12.95W 0 12.95W 0 12.95W 0 12.95W 0
Meaning
The show poe interface command lists PoE interfaces configured on the switch, with their status, priority, power consumption, and class. This output shows that eight interfaces have been created with default values and are consuming power at the expected rates.
Troubleshooting
Troubleshooting PoE Interfaces
Problem Solution
The PoE port is not supplying power to the port. Check for the following:
Items to Check
Explanation
If you are using a partial PoE model, only interfaces ge-0/0/0 through ge-0/0/7 can function as PoE ports. Use the show poe interface command to check PoE interface status. Check the hardware. Check the history of power consumption on the interface by using the show poe telemetries interface command.
Is the cable properly seated in the port socket? Enable telemetries for the interface.
Verification
1235
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243
Requirements on page 1236 Overview and Topology on page 1236 Configuration on page 1237 Verification on page 1238 Troubleshooting on page 1239
Requirements
This example uses the following software and hardware components:
JUNOS Release 9.0 or later for EX-series switches One EX-series 4200 switch
Performed the initial switch configuration. See Connecting and Configuring an EX 3200 or EX 4200 Switch (CLI Procedure) on page 59 or Connecting and Configuring an EX 3200 or EX 4200 Switch (J-Web Procedure) on page 60 for details.
1236
network connectivity and electric power for devices such as VoIP telephones, wireless access points, and some IP security cameras. The remaining 16 ports provide only network connectivity. You use the standard ports to connect devices that have their own power sources, such as desktop and laptop computers, printers, and servers. Table 174 on page 1237 details the topology used in this configuration example.
Table 174: Components of the PoE Configuration Topology
Property Settings
Switch hardware
EX-series 4200E-24T switch, with 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
default ge-0/0/0 ge-0/0/1 and ge-0/0/2 high ge-0/0/3 high ge-0/0/4 high ge-0/0/5 through ge-0/0/7 ge-0/0/8 through ge-0/0/20
VLAN name Connection to a wireless access point (requires PoE) Security IP Cameras (require PoE) Emergency VoIP phone (requires PoE) VoIP phone in Executive Office (requires PoE) Other VoIP phones (require PoE) Direct connections to desktop PCs, file servers, integrated printer/fax/copier machines (no PoE required) Unused ports (for future expansion)
Configuration
Configure Power over Ethernet Interfaces:
CLI Quick Configuration
By default, PoE interfaces are created for all PoE ports and PoE is enabled. The default priority for PoE interfaces is low. To quickly configure PoE with some interfaces set to high priority and others to the default low priority, and to include a description of the interfaces, copy the following commands and paste them into the switch terminal window:
[edit] set poe interface ge-0/0/1 priority set poe interface ge-0/0/2 priority set poe interface ge-0/0/3 priority set poe interface ge-0/0/4 priority set poe interface all set interfaces ge-0/0/0 description set interfaces ge-0/0/1 description set interfaces ge-0/0/2 description set interfaces ge-0/0/3 description set interfaces ge-0/0/4 description set interfaces ge-0/0/5 description set interfaces ge-0/0/6 description
"wireless access point" "security camera front door" "security camera back door" "emergency phone" "Executive Office VoIP phone" "staff VoIP phone" "staff VoIP phone"
Configuration
1237
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Step-by-Step Procedure
Configure the PoE interfaces at the [edit poe] hierarchy level with some interfaces set to high priority and others to the default low priority, thus enabling the logging of per-port power consumption for the high priority ports.
[edit poe] user@switch# user@switch# user@switch# user@switch# user@switch#
2.
"wireless access point" "security camera front door" "security camera back door" "emergency phone" "Executive Office VoIP phone" "staff VoIP phone" "staff VoIP phone" "staff VoIP phone"
3.
Connect the wireless access point to switch interface ge-0/0/0. This interface is PoE-enabled for the default settings based on the factory configuration. Telemetries are not enabled. Connect the two security cameras to switch interfaces ge-0/0/1 and ge-0/0/2. These interfaces are set to high priority with telemetries enabled. Connect the emergency VoIP phone to switch interface ge-0/0/3. This interface is set to high priority with telemetries enabled. Connect the Executive Office VoIP phone to switch interface ge-0/0/4. This interface is set to high priority with telemetries enabled.
4. 5. 6.
Results
Connect the staff VoIP phones to switch interfaces ge-0/0/5 through ge-0/0/7. These interfaces are set to the default values. Telemetries are not enabled.
Verification
To verify that PoE interfaces have been created and are operational, perform the following tasks:
Verifying That the PoE Interfaces Have Been Created with Desired Priorities on page 1238
Verifying That the PoE Interfaces Have Been Created with Desired Priorities
Purpose
Verify that the PoE interfaces on the switch are now set to the desired priority settings.
1238
Verification
Action
Meaning
The show poe interface command lists PoE interfaces configured on the switch, with their status, priority, power consumption, and class. This output shows that eight PoE interfaces are enabled. Interfaces ge-0/0/1 through ge-0/0/3 are configured as priority high. The remaining interfaces are configured with the default values.
Troubleshooting
Troubleshooting PoE Interfaces
Problem Solution
The PoE port is not supplying power to the port. Check for the following:
Items to Check
Explanation
If you are using a partial PoE model, only interfaces ge-0/0/0 through ge-0/0/7 can function as PoE ports. Use the show poe interface command to check PoE interface status. Check the hardware. Check the history of power consumption on the interface by using the show poe telemetries interface command.
Is the cable properly seated in the port socket? Enable telemetries for the interface.
Related Topics
Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243
Troubleshooting
1239
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1240
Chapter 65
Configuring PoE
Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243
Enable PoE:
poe
interface all
2.
By default the power management mode is static. To change the power management mode to class:
[edit] user@switch# set poe management class
NOTE: When the power management mode is set to class, the maximum power value is overridden by the maximum power value of the class of power device connected.
1241
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
3.
4.
5.
Enable logging of PoE power consumption with the default telemetries settings:
6.
Reserve a specified wattage of power for the switch in case of a spike in PoE consumption (the default is 0):
[edit] user@switch# set poe guard-band 15
Related Topics
Configuring PoE (J-Web Procedure) on page 1243 Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Monitoring PoE on page 1245 PoE and EX-series Switches Overview on page 1229
1242
In the Configure menu, select Power over Ethernet. The page displays a list of all interfaces except uplink ports. Specific operational details about an interface are displayed in the Details section of the page. The details include the PoE Operational Status and Port class.
2.
Click one:
Priority
Lists the power priority (Low or High) configured on ports enabled for PoE. Specifies the maximum PoE wattage available to provision active PoE ports on the switch.
Maximum Power
1243
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Configuring PoE (CLI Procedure) on page 1241 Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Monitoring PoE on page 1245 PoE and EX-series Switches Overview on page 1229
1244
Chapter 66
Verifying PoE
Monitoring PoE on page 1245 Verifying Status of PoE Interfaces on an EX-series Switch on page 1246
Monitoring PoE
Purpose
Use the monitoring functionality to view real-time data of the power consumed by each PoE interface, and to enable and configure Telemetries values. When Telemetries is enabled, the software measures the power consumed by each interface and stores the data for future reference. To monitor PoE using the J-Web interface, select Monitor > Power over Ethernet. To monitor PoE using the CLI:
Action
To display the real-time PoE status for all PoE interfaces, enter show poe interface . To display the real-time PoE status for a specific PoE interface, enter show poe interface interface-name .
The show poe interface command displays the power consumption of the interface at the moment that the command is issued. To monitor the PoE interface's power consumption over a period of time, you can enable telemetries for the interface with the telemetries configuration statement. When Telemetries is enabled, you can display the log of the interface's power consumption by using the CLI command:
show poe telemetries interface interface-name all| x
Meaning
In the J-Web interface the PoE Monitoring screen is divided into two parts. The top half of the screen displays real-time data of the power consumed by each interface and a list of ports that utilize maximum power. Select a particular interface to view a graph of the power consumed by the selected interface. The bottom half of the screen displays telemetries values for interfaces. The telemetry status displays whether telemetry has been enabled on the interface. Click the Show Graph button to view a graph of the telemetries. The graph can be based on power or voltage. To modify telemetries values, click Edit. Specify Interval in minutes,
Monitoring PoE
1245
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Duration in hours, and select Log Telemetries to enable telemetries on the selected interface.
Related Topics
Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243 Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Verifying Status of PoE Interfaces on an EX-series Switch on page 1246
Verify that the PoE interfaces on the switch are enabled and set to the desired priority settings. List all the PoE interfaces configured on the switch:
user@switch> show poe interface Interface Enabled Status Max-Power ge-0/0/0 Enabled ON 15.4W ge-0/0/1 Enabled ON 15.4W ge-0/0/2 Enabled ON 15.4W ge-0/0/3 Enabled ON 15.4W ge-0/0/4 Enabled ON 15.4W ge-0/0/5 Enabled ON 15.4W ge-0/0/6 Enabled ON 15.4W ge-0/0/7 Enabled OFF 15.4W
Action
Meaning
The show poe interface command lists PoE interfaces configured on the switch, with their status, priority, power consumption, and class. This command has been executed on a switch with partial PoE (8 PoE ports). The output shows that all eight PoE interfaces are enabled. Interfaces ge-0/0/1 through ge-0/0/3 are configured as priority high. The remaining interfaces were configured with the default values.
Related Topics
Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243 Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Monitoring PoE on page 1245
1246
Chapter 67
Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243 PoE and EX-series Switches Overview on page 1229
1247
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
disable
Syntax Hierarchy Level
disable; [edit poe interface (all | interface-name)], [edit poe interface (all | interface-name) telemetries]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Disables the PoE capabilities of this port. The port operates as a standard network access port. If the disable statement is specified after the telemetries statement, it disables the logging of PoE power consumption for this port. To disable the monitoring and retain the stored configuration values for interval and duration for possible future use, you can specify the disable substatement in the substanza for telemetries.
Default
The PoE capabilities are automatically enabled when a PoE interface is set. If the telemetries statement is specified, monitoring of PoE per-port power consumption is enabled. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243 PoE and EX-series Switches Overview on page 1229
1248
disable
duration
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Modify the duration for logging telemetries if you are monitoring the per-port power consumption for PoE interfaces.
hours Hours the logging continues.
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243 PoE and EX-series Switches Overview on page 1229
duration
1249
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
guard-band
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Reserve the specified amount of power for the switch in case of a spike in PoE consumption. 0W
watts Amount of power to be reserved for the switch in case of a spike in PoE
Default Options
routerTo view this statement in the configuration. router-controlTo add this statement to the configuration.
Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243 PoE and EX-series Switches Overview on page 1229
1250
guard-band
interface
Syntax
interface (all | interface-name) { disable; maximum-power watts; priority value; telemetries { disable; interval minutes; duration hours; } } [edit poe]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Enable a PoE interface for a PoE port. An interface must be enabled in order for the port to provide power to a connected powered device. The PoE interface is enabled by default.
allAll interfaces on the switch. interface-name Name of the specific interface.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243 PoE and EX-series Switches Overview on page 1229
interface
1251
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
interval
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Modify the interval for logging telemetries if you are monitoring the per-port power consumption for PoE interfaces.
minutes Frequency of logging.
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243 PoE and EX-series Switches Overview on page 1229
1252
interval
management
Syntax Hierarchy Level Release Information Description Default Options
Statement introduced in JUNOS Release 9.0 for EX-series switches. class option introduced in JUNOS Release 9.3 for EX-series switches. Designate the way that the switch's PoE controller allocates power to the PoE ports. static
type Management type:
classThe power available for the interface is determined based class of powered
device connected. See section Classes of Powered Devices in PoE and EX-series Switches Overview on page 1229 for more information.
staticThe switch reserves a certain amount of power for the PoE port even
when a powered device is not connected to the port. This setting ensures that power is available when needed.
Required Privilege Level Related Topics
routerTo view this statement in the configuration. router-controlTo add this statement to the configuration.
Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243 PoE and EX-series Switches Overview on page 1229
management
1253
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
maximum-power
Syntax Hierarchy Level Release Information Description Default Options
Statement introduced in JUNOS Release 9.0 for EX-series switches. Maximum amount of power that can be supplied to the port. 15.4 W
watts
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243 PoE and EX-series Switches Overview on page 1229
1254
maximum-power
priority
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Set the priority for shutdown of individual ports when there is insufficient power for all PoE ports. If a port is set as high priority and a situation arises where there is not sufficient power for all the PoE ports, the available power is directed to the higher priority port(s). If the switch needs to shut down powered devices because a power supply fails and there is insufficient power, low priority devices are shut down before high priority devices.
low value high or low:
Default Options
allocation. If there is insufficient power for all the PoE ports, the available power is directed to this port. If the switch needs to shut down powered devices because a power supply fails and there is insufficient power, the power is not shut down on this port until after it has been shut down on all the low priority ports.
allocation. If there is insufficient power for all the PoE ports, power is not supplied to this port. If the switch needs to shut down powered devices because a power supply fails and there is insufficient power, the power is shut down on this port before it is shut down on high priority ports.
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243 PoE and EX-series Switches Overview on page 1229
priority
1255
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
telemetries
Syntax
telemetries { disable; duration hours; interval minutes; } [edit poe interface (all | interface-name)]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Allows you to log per port PoE power consumption. If you want to log per-port power consumption, you must explicitly specify the telemetriesstatement. You can enable telemetries for all the PoE interfaces by setting poe interface all. However, if you modify the configuration of any individual PoE interface (for example, to change the priority, you must also specify the telemetries for that interface in order to maintain the logging. If you do not specify telemetries for a PoE interface, logging is disabled. The statements are explained separately.
Default
If the telemetries statement is specified, logging is enabled with the default values for interval and duration, routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Configuring PoE (CLI Procedure) on page 1241 Configuring PoE (J-Web Procedure) on page 1243 PoE and EX-series Switches Overview on page 1229
1256
telemetries
Chapter 68
1257
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.0 for EX-series switches. Display the status of the Power over Ethernet (PoE) software module controller.
noneDisplay general parameters of the PoE software module controller. detail | summary(Optional) Display the specified level of output.
view
show poe interface Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Monitoring PoE on page 1245
show poe controller on page 1258 Table 177 on page 1258 lists the output fields for the show poe controller command. Output fields are listed in the approximate order in which they appear.
Field Description Identifies the controller. Specifies the maximum power that can be provided by the switch to PoE ports. Specifies the total amount of power being used by the PoE ports, as measured by the specified telemetries settings. Specifies the amount of power that has been placed in reserve. Specifies the management mode. Static is the only management mode supported.
Guard-band Management
user@host> show poe controller Ctrl-index 0 Max-power power-consumption 305 W 0W Guard-band 15W Management Static
1258
Command introduced in JUNOS Release 9.0 for EX-series switches. Display the status of Power over Ethernet (PoE) ports.
noneDisplay status of all PoE ports on the switch. ge-fpc/pic/port(Optional) Display the status of a specific PoE port on the switch.
view
Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Monitoring PoE on page 1245
show status for all poe interfaces on the switch on page 1259 show status for a specific PoE interface on the switch on page 1260 Table 178 on page 1259 lists the output fields for the show poe interface command. Output fields are listed in the approximate order in which they appear.
Field Description Specifies the interface address. Specifies whether PoE capabilities are enabled or disabled. Specifies whether PoE is currently being provided to the port. Specifies the maximum power that can be provided to the port. Specifies whether the port is high or low priority. Specifies how much power is being used by the port, as measured by the specified telemetries settings. Indicates the IEEE 802.af classification that defines the maximum power requirements for a powered device.
user@host> show poe interface Interface Enabled status max-power ge-0/0/1 Enabled OFF 15.4W ge-0/0/3 Enabled OFF 12.0W ge-0/0/5 Enabled OFF 15.4W
1259
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
user@host> show poe interface ge-0/0/3 PoE interface status: PoE interface : PoE capability of the interface : Current status of power supply on interface : Power limit on the interface : Priority : Power consumed : Class of power device :
1260
Command introduced in JUNOS Release 9.0 for EX-series switches. Display a history of power consumption on the specified interface.
ge-fpc/pic/port Display telemetries for the specified PoE interface. allDisplay all telemetries records for the specified PoE interface. x Display the specified number of telemetries records for the specified PoE
interface.
Required Privilege Level Related Topics
view
show poe interface Example: Configuring PoE Interfaces on an EX-series Switch on page 1233 Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1236 Monitoring PoE on page 1245
show poe telemetries interface ( Last 10 Records) on page 1261 show poe telemetries interface (All Records) on page 1262 Table 179 on page 1261 lists the output fields for the show poe telemetries interface command. Output fields are listed in the approximate order in which they appear.
Field Description Number of the record for the specified port. Record number 1 is the most recent. Time that the power-consumption data was gathered. Amount of power provided by the specified port at the time the data was gathered. Maximum voltage provided by the specified port at the time the data was gathered.
Timestamp Power
Voltage
user@switch> show poe telemetries Sl No Timestamp 1 01-27-2008 18:19:58 UTC 2 01-27-2008 18:18:58 UTC 3 01-27-2008 18:17:58 UTC 4 01-27-2008 18:16:58 UTC
interface ge-0/0/0 10 Power Voltage 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V
1261
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
5 6 7 8 9 10
user@switch> show poe telemetries Sl No Timestamp 1 01-27-2008 18:19:58 UTC 2 01-27-2008 18:18:58 UTC 3 01-27-2008 18:17:58 UTC 4 01-27-2008 18:16:58 UTC 5 01-27-2008 18:15:58 UTC 6 01-27-2008 18:14:58 UTC 7 01-27-2008 18:13:58 UTC 8 01-27-2008 18:12:57 UTC 9 01-27-2008 18:11:57 UTC 10 01-27-2008 18:10:57 UTC 11 01-27-2008 18:09:57 UTC 12 01-27-2008 18:08:57 UTC 13 01-27-2008 18:07:57 UTC 14 01-27-2008 18:06:57 UTC 15 01-27-2008 18:05:57 UTC 16 01-27-2008 18:04:56 UTC 17 01-27-2008 18:03:56 UTC 18 01-27-2008 18:02:56 UTC 19 01-27-2008 18:01:56 UTC 20 01-27-2008 18:00:56 UTC 21 01-27-2008 17:59:56 UTC 22 01-27-2008 17:58:56 UTC 23 01-27-2008 17:57:56 UTC 24 01-27-2008 17:56:55 UTC 25 01-27-2008 17:55:55 UTC 26 01-27-2008 17:54:55 UTC 27 01-27-2008 17:53:55 UTC 28 01-27-2008 17:52:55 UTC 29 01-27-2008 17:51:55 UTC 30 01-27-2008 17:50:55 UTC 31 01-27-2008 17:49:55 UTC 32 01-27-2008 17:48:55 UTC 33 01-27-2008 17:47:54 UTC 34 01-27-2008 17:46:54 UTC 35 01-27-2008 17:45:54 UTC 36 01-27-2008 17:44:54 UTC 37 01-27-2008 17:43:54 UTC 38 01-27-2008 17:42:54 UTC 39 01-27-2008 17:41:54 UTC 40 01-27-2008 17:40:54 UTC 41 01-27-2008 17:39:53 UTC 42 01-27-2008 17:38:53 UTC 43 01-27-2008 17:37:53 UTC 44 01-27-2008 17:36:53 UTC
interface ge-0/0/0 all Power Voltage 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V 15.4W 51.6V
1262
Part 14
Understanding Network Monitoring on page 1265 Understanding Port Mirroring on page 1269 Examples of Configuring Port Mirroring on page 1273 Configuring Port Mirroring on page 1285 Configuration Statements for Port Mirroring on page 1291 Operational Mode Commands for Port Mirroring on page 1305 Understanding sFlow Technology on page 1307 Example of sFlow Technology Configuration on page 1309 Configuring sFlow Technology on page 1315 Configuration Statements for sFlow Technology on page 1317 Operational Mode Commands for sFlow Technology on page 1327 Configuration Statements for Network Management on page 1331
1263
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1264
Chapter 69
Monitor time delays between devices. Monitor time delays at the protocol level. Set thresholds to trigger SNMP traps when values are exceeded. You can configure thresholds for round-trip time, ingress or egress delay, standard deviation, jitter, successive lost probes, and total lost probes per test. (SNMP trap results are stored in pingResultsTable, jnxPingResultsTable, jnxPingProbeHistoryTable, and pingProbeHistoryTable.)
Determine automatically whether a path exists between a host router or switch and its configured Border Gateway Protocol (BGP) neighbors. You can view the results of the discovery using an SNMP client. Use the history of the most recent 50 probes to analyze trends in your network and predict future needs.
RPM provides MIB support with extensions for RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations. This topic includes:
RPM Packet Collection on page 1266 Tests and Probe Types on page 1266 Hardware Timestamps on page 1266 Limitations of RPM on page 1268
1265
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Ping tests:
HTTP tests:
HTTP get probe (not available for BGP RPM services) HTTP get metadata probe
Hardware Timestamps
To account for latency in the communication of probe messages, you can enable timestamping of the probe packets (hardware timestamps). If hardware timestamps are not configured, then timers are generated at the software level and are less accurate than they would have been with hardware timestamps.
NOTE: EX-series switches support hardware timestamps for UDP and ICMP probes. EX-series switches do not support hardware timestamps for HTTP or TCP probes. You should configure both the requester and the responder (see Figure 73 on page 1267) to timestamp the RPM packets in order to get more meaningful results. If you do not configure timestamps on the responder, for example, if the responder does not support hardware timestamps, RPM can only report round-trip measurements that include the processing time on the responder.
1266
NOTE: Hardware timestamps are supported on all EX-series switches and on the Adaptive Services and MultiServices PICs for M-series and T-series routing platforms. Figure 73 on page 1267 shows the timestamps:
Figure 73: RPM Timestamps
T1 is the time the packet leaves the requester port. T2 is the time the responder receives the packet. T3 is the time the responder sends the response. T4 is the time the requester receives the response.
The round-trip time is (T2 T1) + (T4 T3). If the responder does not support hardware timestamps, then the round-trip time is (T4 T1) / 2, and thus includes the processing time of the responder. You can use RPM probes to find the following time measurements:
Minimum round-trip time Maximum round-trip time Average round-trip time Standard deviation of the round-trip time Jitter of the round-trip timeDifference between the minimum and maximum round-trip time
NOTE: Configure timestamps by specifying the destination interface using the destination-interface statement at the [edit services rpm probe probe-owner test test-name] hierarchy level on the requester. (For configuration details, see the JUNOS Software Services Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos93.) Also, on the responder, specify the RPM client (the requester) using the rpm client statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level.
1267
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
The RPM feature provides an additional configuration option to set one-way hardware timestamps. Use one-way timestamps when you want information about one-way time, rather than round-trip times, for packets to traverse the network between the requester and the responder. As shown in Figure 73 on page 1267, one-way timestamps represent the time T2 T1 and the time from T4 T3. Use one-way timestamps when you want to gather information about delay in each direction and to find egress and ingress jitter values.
NOTE: For correct one-way measurement, the clocks of the requester and responder must be synchronized. If the clocks are not synchronized, one-way jitter measurements and calculations can include significant variations, in some cases orders of magnitude greater than the round-trip times. When you enable one-way timestamps in a probe, the following one-way measurements are reported:
Minimum, maximum, standard deviation, and jitter measurements for egress and ingress times Number of probes sent Number of probe responses received Percentage of lost probes
Limitations of RPM
Two-way Active Measurement Protocol (TWAMP) is not supported on EX-series switches. EX-series switches do not support user-configured class-of-service (CoS) classifiers or prioritization of RPM packets over regular data packets received on an input interface. Timestamps:
If the responder does not support hardware timestamps, RPM can only report the round-trip measurements and cannot calculate round-trip jitter. EX-series switches do not support hardware timestamps for HTTP and TCP probes. Timestamps apply only to IPv4 traffic.
Related Topics
Understanding Using sFlow Technology for Network Monitoring on an EX-series Switch on page 1307 Configuring SNMP (J-Web Procedure) on page 674 Monitoring Hosts Using the J-Web Ping Host Tool on page 101 Monitoring Network Traffic Using Traceroute on page 105
1268
Chapter 70
Port Mirroring Overview on page 1269 Port Mirroring Terminology on page 1271
1269
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
You can use port mirroring on an EX-series switch to mirror any of the following:
Packets entering or exiting a portIn any combination. For example, you can send copies of the packets entering some ports and the packets exiting other ports to the same local analyzer port or analyzer VLAN. Packets entering a VLANYou can mirror the packets entering a VLAN to either a local analyzer port or to an analyzer VLAN. Statistical sampleSample of the packets entering or exiting a port or entering a VLAN. Specify the sample number of packets by setting the ratio. You can send the sample of packets to either a local analyzer port or to an analyzer VLAN. Policy-based sampleSample of packets entering a port or VLAN. You can configure a firewall filter to establish a policy to select certain packets. You can send the sampled packets to a local analyzer interface or to an analyzer VLAN.
NOTE: Firewall filters are not supported on egress ports; therefore, you cannot specify policy-based sampling of packets exiting an interface.
NOTE: JUNOS software for EX-series switches implements port mirroring differently than other JUNOS software packages. JUNOS software for EX-series switches does not include the port-mirroring statement found in the edit forwarding-options level of the hierarchy of other JUNOS software packages, nor the port-mirror action in firewall filter terms.
Only one analyzer (port mirroring instance) can be configured on an EX-series switch. Packets with physical layer errors are filtered out and thus are not sent to the analyzer port or VLAN. Only one VLAN can be configured as input to an analyzer. The following interfaces cannot be configured as input to an analyzer:
1270
Analyzer
The name of the analyzer Source (input) ports or VLAN (optional) A destination for mirrored packets (either a monitor port or an analyzer VLAN) Ratio field for specifying statistical sampling of packets (optional) Loss-priority setting
Interface to which mirrored traffic is sent and to which a protocol analyzer application is connected. The following limitations apply to analyzer output interfaces:
Cannot also be a source port. Cannot be used for switching. Does not participate in Layer 2 protocols, such as Spanning Tree Protocol (STP), when it is part of a port mirroring configuration. When configured as an analyzer output interface, it loses any existing VLAN associations.
If the bandwidth of the analyzer output interface is not sufficient to handle the traffic from the source ports, overflow packets are dropped. Analyzer VLAN Also known as monitor VLAN Input interface Also known as mirrored ports or monitored interfaces Mirror ratio Monitoring station Remote port mirroring See statistical sampling. A computer running a protocol analyzer application. Functions the same as local port mirroring, except that the mirrored traffic is not copied to a local analyzer port but is instead flooded into an analyzer VLAN that you create specifically for the purpose of receiving mirrored traffic. Mirroring of packets that match the match items in the defined firewall filter term. The action item analyzer analyzer-name is used in the firewall filter to send the packets to the port mirror analyzer. An application used to examine packets transmitted across a network segment. Also commonly called network analyzer, packet sniffer, or probe. You can configure the system to mirror a sampling of the packets, by setting a ratio of 1:x, where x is a value from 1 through 2047. For example, when the ratio is set to 1, all packets are copied to the analyzer. When the ratio is set to 200, 1 of every 200 packets is copied. An interface on the switch that is being mirrored, either on traffic entering or exiting the interface. An input interface cannot also be an output interface for an analyzer. VLAN to which mirrored traffic is sent and to which a protocol analyzer application. The analyzer VLAN is spread across the switches in your network.
Policy-based mirroring
Statistical sampling
1271
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Related Topics
Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1273 Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1279 Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 1289 or Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1285 Firewall Filter Match Conditions and Actions for EX-series Switches on page 1048
1272
Chapter 71
Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1273 Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1279
Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches
EX-series switches allow you to configure port mirroring to send copies of packets entering or exiting an interface, or entering a VLAN, to an analyzer interface or VLAN. You can analyze the mirrored traffic using a protocol analyzer application installed on a system connected to the local destination interface (or a running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN). This example describes how to configure an EX-series switch to mirror traffic entering interfaces connected to employee computers to an analyzer output interface on the same switch. This example describes how to configure local port mirroring:
Requirements on page 1273 Overview and Topology on page 1274 Mirroring All Employee Traffic for Local Analysis on page 1274 Mirroring Employee-to-Web Traffic for Local Analysis on page 1275 Verification on page 1278
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.0 or later for EX-series switches One EX 3200 or EX 4200 switch
Before you configure port mirroring, be sure you have an understanding of port mirroring concepts.
Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches
1273
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Network Topology
In this example, ge-0/0/0 and ge-0/0/1 serve as connections for employee computers. In this example, one interface, ge-0/0/10, is reserved for analysis of mirrored traffic. Connect a PC running a protocol analyzer application to the analyzer output interface to analyze the mirrored traffic.
NOTE: Multiple ports mirrored to one interface can cause buffer overflow and dropped packets. Figure 74 on page 1274 shows the network topology for this example.
Figure 74: Network Topology for Local Port Mirroring Example
To quickly configure local port mirroring for ingress traffic to the two ports connected to employee computers, copy the following commands and paste them into the switch terminal window:
[edit ethernet-switching-options]
1274
set analyzer employeemonitor input ingress interface ge-0/0/0.0 set analyzer employeemonitor input ingress interface ge-0/0/1.0 set analyzer employeemonitor output interface ge-0/0/10.0
Step-by-Step Procedure
To configure an analyzer called employee-monitor and specify the input (source) interfaces and the analyzer output interface.
1.
Configure each interface connected to employee computers as an input interface for the port-mirror analyzer that we are calling employee-monitor:
[edit ethernet-switching-options] user@switch# set analyzer employee-monitor input ingress interface ge0/0/0.0 user@switch# set analyzer employee-monitor input ingress interface ge0/0/1.0
2.
Configure the output analyzer interface for the employee-monitor analyzer. This will be the destination interface for the mirrored packets:
[edit ethernet-switching-options] user@switch# set analyzer employee-monitor output interface ge-0/0/10.0
3. Results
commit
To quickly configure local port mirroring of traffic from the two ports connected to employee computers, filtering so that only traffic to the external Web is mirrored, copy the following commands and paste them into the switch terminal window:
[edit]
1275
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
set ethernet-switching-options analyzer employeewebmonitor output interface ge-0/0/10.0 set firewall family ethernet-switching filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28 set firewall family ethernet-switching filter watch-employee term employee-to-corp from source-address 192.0.2.16/28 set firewall family ethernet-switching filter watch-employee term employee-to-corp then accept set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80 set firewall family ethernet-switching filter watch-employee term employee_to_internet then analyzer employee-web-monitor set firewall family ethernet-switching filter watch-employee set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee
Step-by-Step Procedure
To configure local port mirroring of employee-to-Web traffic from the two ports connected to employee computers:
1.
2.
Configure the employee-web-monitor analyzer output (the input to the analyzer comes from the action of the filter):
[edit ethernet-switching-options] user@switch# set analyzer employee-web-monitor output interface ge-0/0/10.0
3.
Configure a firewall filter called watch-employee to send mirrored copies of employee requests to the Web to the employee-web-monitor analyzer. Accept all traffic to and from the corporate subnet (destination or source address of 192.0.2.16/28). Send mirrored copies of all packets destined for the Internet (destination port 80) to the employee-web-monitor analyzer.
[edit firewall family ethernet-switching] user@switch# set filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28 user@switch# set filter watch-employee term employee-to-corp from source-address 192.0.2.16/28 user@switch# set filter watch-employee term employee-to-corp then accept user@switch# set filter watch-employee term employee-to-web from destination-port 80 user@switch# set filter watch-employee term employee-to-web then analyzer employee-web-monitor
4.
1276
5. Results
commit
1277
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Verification
To confirm that the configuration is correct, perform these tasks:
Verifying That the Analyzer Has Been Correctly Created on page 1278
Verify that the analyzer named employee-monitor or employee-web-monitor has been created on the switch with the appropriate input interfaces, and appropriate output interface. You can verify the port mirror analyzer is configured as expected using the show analyzer command.
user@switch> show analyzer Analyzer name Output interface Mirror ratio Loss priority Ingress monitored interfaces Ingress monitored interfaces Egress monitored interfaces : : : : : : : employee-monitor ge-0/0/10.0 1 Low ge-0/0/0.0 ge-0/0/1.0 None
Action
Meaning
This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring every packet, the default setting), a loss priority of low (set this option to high only when the analyzer output is to a VLAN), is mirroring the traffic entering the ge-0/0/0 and ge-0/0/1 interfaces, and sending the mirrored traffic to the ge-0/0/10 interface.
Related Topics
Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1279 Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1285 Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 1289 Port Mirroring on EX-series Switches Overview on page 1269
1278
Verification
Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches
EX-series switches allow you to configure port mirroring to send copies of packets entering or exiting an interface, or entering a VLAN, to an analyzer interface or a VLAN. You can analyze the mirrored traffic using a protocol analyzer application running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN. This topic includes two related examples that describe how to mirror traffic entering ports on the switch to the remote-analyzer VLAN so that you can perform analysis from a remote monitoring station. The first example shows how to mirror all traffic entering the ports connected to employee computers. The second example shows the same scenario, but includes a filter to mirror only the employee traffic going to the Web. This example describes how to configure remote port mirroring:
Requirements on page 1279 Overview and Topology on page 1279 Mirroring All Employee Traffic for Remote Analysis on page 1280 Mirroring Employee-to-Web Traffic for Remote Analysis on page 1281 Verification on page 1284
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.0 or later for EX-series switches One EX 3200 or EX 4200 switch connected to a distribution layer switch One uplink module to connect to the distribution layer switch
Before you configure port mirroring, be sure you have an understanding of port mirroring concepts.
Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches
1279
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
In this example:
Ports ge-0/0/0 and ge-0/0/1 serve as connections for employee computers. Interface ge-0/1/1 is a Layer 2 interface on the uplink module that connects to a distribution switch. VLAN remote-analyzer is configured on all switches in the topology to carry the mirrored traffic.
NOTE: The interface connected to the remote monitoring station must be a member of VLAN remote-analyzer, and this VLAN must be configured on all switches between the monitored switch and the monitoring station.
To quickly configure remote port mirroring of all traffic from the two ports connected to employee computers, copy the following commands and paste them into the terminal window:
[edit] set vlans remote-analyzer vlan-id 999 set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/1/1 unit 0 family ethernet-switching vlan members 999 set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0 set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/1.0 set ethernet-switching-options analyzer employeemonitor loss-priority high output vlan remote-analyzer
1280
Step-by-Step Procedure
2.
Configure the interface on the uplink module connected to the distribution switch for trunk mode and associate it with the remote-analyzer VLAN:
[edit interfaces] user@switch# set ge-0/1/1 unit 0 family ethernet-switching port-mode trunk user@switch# set ge-0/1/1 unit 0 family ethernet-switching vlan members 999
3.
4. Results
commit
To quickly configure port mirroring mirror employee traffic to the external Web, copy the following commands and paste them into the terminal window:
1281
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
[edit] set ethernet-switching-options analyzer employee-web-monitor loss-priority high output vlan 999 set vlans remote-analyzer vlan-id 999 set interfaces ge-0/1/1 unit 0 family ethernet-switching port mode trunk set interfaces ge-0/1/1 unit 0 family ethernet-switching vlan members 999 set firewall family ethernet-switching filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28 set firewall family ethernet-switching filter watch-employee term employee-to-corp from source-address 192.0.2.16/28 set firewall family ethernet-switching filter watch-employee term employee-to-corp then accept set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80 set firewall family ethernet-switching filter watch-employee term employee-to-web then analyzer employeeweb-monitor set interfaces ge-0/1/1.0 unit 0 family ethernet-switching filter input watch-employee
Step-by-Step Procedure
To configure port mirroring of all traffic from the two ports connected to employee computers to the remote-analyzer VLAN for use from a remote monitoring station:
1.
2.
3.
4.
5.
1282
user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input employee-to-web user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input employee-to-web
6. Results
commit
1283
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
999; } } }
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That the Analyzer Has Been Correctly Created on page 1284
Verify that the analyzer named employee-monitor or employee-web-monitor has been created on the switch with the appropriate input interfaces, and appropriate output interface. You can verify the port mirror analyzer is configured as expected using the show analyzer command. To view previously created analyzers that are disabled, go to the J-Web interface.
user@switch> show analyzer Analyzer name Output VLAN Mirror ratio Loss priority Ingress monitored interfaces Ingress monitored interfaces : : : : : : employee-monitor remote-analyzer 1 High ge-0/0/0.0 ge-0/0/1.0
Action
Meaning
This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring every packet, the default), a loss priority of high (set this option to high whenever the analyzer output is to a VLAN), is mirroring the traffic entering ge-0/0/0 and ge-0/0/1, and sending the mirrored traffic to the analyzer called remote-analyzer.
Related Topics
Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1273 Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1285 Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 1289 Port Mirroring on EX-series Switches Overview on page 1269
1284
Verification
Chapter 72
Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1285 Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 1289
NOTE: If you want to create additional analyzers without deleting the existing analyzer, first disable the existing analyzer using the disable analyzer analyzer-name command or the J-Web configuration page for port mirroring.
NOTE: Interfaces used as input or output for a port mirror analyzer must be configured as family ethernet-switching. Configuring Port Mirroring for Local Traffic Analysis on page 1286 Configuring Port Mirroring for Remote Traffic Analysis on page 1286 Filtering the Traffic Entering a Port Mirroring Analyzer on page 1287
1285
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Choose a name for the port mirroring configurationin this case, employee-monitorand specify the inputin this case, packets entering ge-0/0/0 and ge-0/0/1:
[edit ethernet-switching-options] user@switch# set analyzer employee-monitor input ingress interface ge0/0/0.0 user@switch# set analyzer employee-monitor input ingress interface ge0/0/1.0
2.
Optionally, you can specify a statistical sampling of the packets by setting a ratio:
[edit ethernet-switching-options] user@switch# set analyzer employee-monitor ratio 200
When the ratio is set to 200, 1 of every 200 packets is mirrored to the analyzer. You can use statistical sampling to reduce the volume of mirrored traffic, as a high volume of mirrored traffic can be performance intensive for the switch.
3.
4.
commit
Configure a VLAN to carry the mirrored traffic. This VLAN is called remote-analyzer and given the ID of 999 by convention in this documentation:
[edit] user@switch# set vlans remote-analyzer vlan-id 999
2.
Set the uplink module interface that is connected to the distribution switch to trunk mode and associate it with the remote-analyzer VLAN:
[edit] user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk vlan members 999
3.
Choose a name and set the loss priority to high. Loss priority should always be set to high when configuring for remote port mirroring:
1286
b.
Specify the traffic to be mirroredin this example the packets entering ports ge-0/0/0 and ge-0/0/1:
[edit ethernet-switching-options] user@switch# set analyzer employeemonitor input ingress interface ge-0/0/0.0 user@switch# set analyzer employeemonitor input ingress interface ge-0/0/1.0
c.
4.
Optionally, you can specify a statistical sampling of the packets by setting a ratio:
[edit ethernet-switching-options] user@switch# set analyzer employee-monitor ratio 200
When the ratio is set to 200, 1 out of every 200 packets is mirrored to the analyzer. You can use this to reduce the volume of mirrored traffic as a very high volume of mirrored traffic can be performance intensive for the switch.
5.
commit
For local analysis, set the output to the local interface to which you will connect the computer running the protocol analyzer application:
[edit ethernet-switching-options] user@switch# set analyzer employee-monitor output interface ge-0/0/10.0
1287
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
b.
For remote analysis, set the loss priority to high and set the output to the remote-analyzer VLAN:
[edit ethernet-switching-options] user@switch#set analyzer employeemonitor loss-priority high output vlan 999
2.
Create a firewall filter using any of the available match conditions and specify the action as analyzer employee-monitor: This example shows a firewall filter called example-filter, with two terms:
a.
Create the first term to define the traffic that should not pass through to the analyzer:
[edit firewall family ethernet-switching] user@switch# set filter example-filter term term-1 from match-condition1 user@switch# set filter example-filter term term-1 from match-condition2 user@switch# set filter example-filter term term-1 then accept
b.
Create the second term to define the traffic that should pass through to the analyzer:
[edit firewall family ethernet-switching] user@switch# set filter example-filter term term-2 from match-condition3 user@switch# set filter example-filter term term-2 then analyzer employeemonitor
3.
Apply the firewall filter to the interfaces or VLAN that are input to the analyzer:
[edit] user@switch# set interfaces interface-name unit 0 family ethernet-switching filter input example-filter user@switch# set vlan vlan-name unit 0 family ethernet-switching filter input example-filter
4. Related Topics
commit
Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 1289 Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1273 Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1279 Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 1065 Port Mirroring on EX-series Switches Overview on page 1269 Firewall Filters for EX-series Switches Overview on page 1041
1288
From the Configure menu, select Security > Port Mirroring. The first part of the screen displays analyzer details such as the name, status, analyzer port, ratio, and loss priority. The second part of the screen lists ingress and egress ports of the selected analyzer.
2.
Click one:
AddAdd an analyzer. Enter information as specified in Table 180 on page 1289. EditModify details of the selected analyzer. Enter information as specified in Table 180 on page 1289. DeleteDeletes the selected analyzer. Enable/DisableEnable or disable the selected analyzer (toggle).
NOTE: Only one analyzer can be enabled at a time. You can have multiple disabled analyzer configurations.
A ratio of 1 sends copies of all packets. A ratio of 2047 sends copies of 1 out of every 2047 packets. Keep the default of low, unless the output is to a VLAN.
Loss Priority
Specifies the loss priority of the mirrored packets. By default, the switch applies a lower priority to mirrored data than to regular port-to-port datamirrored traffic is dropped in preference for regular traffic when capacity is exceeded. For port mirroring configurations with output to an analyzer VLAN, set the loss priority to high.
1289
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Click Add and select Port or VLAN. Next, select the interfaces or VLANs. Click Remove to delete an ingress interface or VLAN.
Egress
Click Add to add egress interfaces. Click Remove to delete an egress interface.
Related Topics
Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1285 Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1273 Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1279 Port Mirroring on EX-series Switches Overview on page 1269
1290
Chapter 73
1291
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
(dhcp-trusted | no-dhcp-trusted ); mac-limit limit action action; no-allowed-mac-log; static-ip ip-address { vlan vlan-name; mac mac-address; } } vlan (all | vlan-name) { (arp-inspection | no-arp-inspection ); dhcp-option82 { circuit-id { prefix hostname; use-interface-description; use-vlan-id; } remote-id { prefix hostname | mac | none; use-interface-description; use-string string; } vendor-id [string]; } (examine-dhcp | no-examine-dhcp ); (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } } storm-control { interface (all | interface-name) { level level; no-broadcast; no-unknown-unicast; } } traceoptions { file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>; flag flag <disable>; } unknown-unicast-forwarding { vlan (all | vlan-name) { interface interface-name; } } voip { interface (all | [interface-name | access-ports]) { vlan vlan-name ; forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>; } } }
1292
Related Topics
Port Mirroring on EX-series Switches Overview on page 1269 Port Security for EX-series Switches Overview on page 734 Understanding 802.1X and VoIP on EX-series Switches on page 732 Understanding Redundant Trunk Links on EX-series Switches on page 401 Understanding Storm Control on EX-series Switches on page 403 Understanding 802.1X and VoIP on EX-series Switches on page 732 Understanding Q-in-Q Tunneling on EX-series Switches on page 404 Understanding Unknown Unicast Forwarding on EX-series Switches on page 405
1293
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
analyzer
Syntax
analyzer { name { ratio number; loss-priority priority; input { ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } egress { interface (all | interface-name); } output { interface interface-name; vlan (vlan-id | vlan-name); } } } [editethernet-switching-options ]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure port mirroring. One analyzer (port mirroring configuration) can be enabled on the switch at a time, other analyzers can be present and disabled. Port mirroring is disabled and JUNOS software creates no default analyzers. nameName that identifies the analyzer. The name can be up to 125 characters long, must begin with a letter, and can include uppercase letters, lowercase letters, numbers, dashes, and underscores. No other special characters are allowed. The remaining statements are explained separately.
Default Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1273 Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1279 Port Mirroring on EX-series Switches Overview on page 1269
1294
analyzer
egress
Syntax
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify ports for which traffic exiting the interface is mirrored in an port mirroring configuration. The statement is explained separately.
No default. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
egress
1295
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
ethernet-switching-options
Syntax
ethernet-switching-options { analyzer { name { loss-priority priority; ratio number; input { ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } egress { interface (all | interface-name); } output { interface interface-name; vlan (vlan-id | vlan-name); } } } bpdu-block { interface (all | [interface-name]); disable-timeout timeout; } dot1q-tunneling { ether-type (0x8100 | 0x88a8 | 0x9100) } redundant-trunk-group { group-name name { interface interface-name <primary>; interface interface-name; } } secure-access-port { interface (all | interface-name) { allowed-mac { mac-address-list; } (dhcp-trusted | no-dhcp-trusted); mac-limit limit action action; no-allowed-mac-log; static-ip ip-address { vlan vlan-name; mac mac-address; } } vlan (all | vlan-name) { (arp-inspection | no-arp-inspection); dhcp-option82 { circuit-id { prefix hostname; use-interface-description;
1296
ethernet-switching-options
use-vlan-id; } remote-id { prefix hostname | mac | none; use-interface-description; use-string string; } vendor-id [string]; } (examine-dhcp | no-examine-dhcp); (ip-source-guard | no-ip-source-guard); mac-move-limit limit action action; } } storm-control { interface (all | interface-name) { level level; no-broadcast; no-unknown-unicast; } } traceoptions { file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>; flag flag <disable>; } unknown-unicast-forwarding { vlan (all | vlan-name) { interface interface-name; } } voip { interface (all | [interface-name | access-ports]) { vlan vlan-name ; forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>; } } }
Hierarchy Level Release Information
[edit]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Support for storm control and BPDU protection added in JUNOS Release 9.1 for EX-series switches. Options static-ip and ip-source-guard added in JUNOS Release 9.2 for EX-series switches. Options dhcp-option82, dot1q-tunneling, and no-allowed-mac-log added in JUNOS Release 9.3 for EX-series switches. Configure Ethernet switching options. The remaining statements are explained separately.
Description
ethernet-switching-options
1297
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
routingTo view this statement in the configuration. routingcontrolTo add this statement to the configuration.
Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 487 Port Mirroring on EX-series Switches Overview on page 1269 Port Security for EX-series Switches Overview on page 734 Understanding Redundant Trunk Links on EX-series Switches on page 401 Understanding Storm Control on EX-series Switches on page 403 Understanding 802.1X and VoIP on EX-series Switches on page 732 Understanding Q-in-Q Tunneling on EX-series Switches on page 404 Understanding Unknown Unicast Forwarding on EX-series Switches on page 405
ingress
Syntax
ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } [edit ethernet-switching-options analyzer name input]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure ports or VLANs for which the entering traffic is mirrored as part of an port mirroring configuration. The statements are explained separately.
No default. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1273 Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1279 Port Mirroring on EX-series Switches Overview on page 1269
1298
ingress
input
Syntax
input { ingress { interface (all | interface-name); vlan (vlan-id | vlan-name); } egress { interface (all | interface-name); } } [edit ethernet-switching-options analyzer name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. The definition of traffic to be mirrored in a port mirroring configurationcan be a combination of traffic entering or exiting specific ports, and traffic entering a VLAN. The statements are explained separately.
No default. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1273 Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1279 Port Mirroring on EX-series Switches Overview on page 1269
input
1299
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
interface
Syntax Hierarchy Level
interface (all | interface-name); [edit ethernet-switching-options analyzer name input egress], [edit ethernet-switching-options analyzer name input ingress], [edit ethernet-switching-options analyzer name output]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the interfaces for which traffic is mirrored. allApply port mirroring to all interfaces on the switch. Mirroring a high volume of traffic can be performance intensive for the switch. Therefore, you should generally select specific input interfaces in preference to using the all keyword, or use the all keyword in combination with setting a ratio for statistical sampling. interface-nameApply port mirroring to the specified interface only.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1273 Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1279 Port Mirroring on EX-series Switches Overview on page 1269
1300
interface
loss-priority
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure a loss priority for mirrored packets. By default, the switch applies a lower priority to mirrored data than to regular port-to-port datamirrored traffic is dropped in preference for regular traffic when capacity is exceeded. For port mirroring configurations with output to an analyzer VLAN, set the loss priority to high. Low priorityThe value for priority can be low or high. Default: low routingTo view this statement in the configuration.routing-controlTo add this statement to the configuration.
Port Mirroring on EX-series Switches Overview on page 1269 Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1279
loss-priority
1301
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
output
Syntax
output { interface interface-name; vlan (vlan-id | vlan-name); } [edit ethernet-switching-options analyzer name]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the destination for mirrored traffic, either an interface on the switch, for local monitoring, or a VLAN, for remote monitoring. The statements are explained separately.
No default. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1273 Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1279 Port Mirroring on EX-series Switches Overview on page 1269
1302
output
ratio
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure port mirroring to copy a sampling of packets, by setting a ratio of 1:x, A ratio of 1 mirrors all packets, and 2047 mirrors 1 out of every 2047 packets. 1 numberThe number of packets in the sample, out of which 1 packet is mirrored. Range: 1 through 2047 Default: 1 routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Default Options
vlan
Syntax Hierarchy Level
vlan (vlan-id | vlan-name); [edit ethernet-switching-options analyzer name input ingress], [edit ethernet-switching-options analyzer name output]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure mirrored traffic to be sent to a VLAN for remote monitoring. vlan-idNumeric VLAN identifer. vlan-nameName of the VLAN.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1279 Port Mirroring on EX-series Switches Overview on page 1269
ratio
1303
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1304
vlan
Chapter 74
1305
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
show analyzer
Syntax Release Information Description Options Required Privilege Level List of Sample Output Output Fields
Command introduced in JUNOS Release 9.0 for EX-series switches. Display information about analyzers configured for port mirroring.
analyzer-name (Optional) Displays the status of a specific analyzer on the switch.
view show analyzer on page 1306 Table 42 on page 1306 lists the output fields for the command-name command. Output fields are listed in the approximate order in which they appear.
Field Description Displays the name of the analyzer. Specifies a local interface to which mirrored packets are sent. An analyzer can have output to either an interface or a VLAN, not both. Specifies a VLAN to which mirrored packets are sent. An analyzer can have output to either an interface or a VLAN, not both. Displays the ratio of packets to be mirrored, between 1 and 2047 where 1 sends copies of all packets and 2047 sends copies of 1 out of every 2047 packets. Displays the loss priority of mirrored packets. By default, loss priority is set to low, with mirrored traffic dropped in preference for regular traffic when capacity is exceeded. For analyzers with output to a VLAN, set the loss priority to high. Displays interfaces for which traffic exiting the interfaces is mirrored. Displays interfaces for which traffic entering the interfaces is mirrored. Displays VLANs for which traffic entering the VLAN is mirrored.
Output VLAN
Mirror ratio
Loss priority
show analyzer
user@host> show analyzer Analyzer name Output interface Output VLAN Mirror ratio Loss priority Egress monitored interfaces Ingress monitored interfaces Ingress monitored interfaces
: : : : : : : :
1306
show analyzer
Chapter 75
Understanding Using sFlow Technology for Network Monitoring on an EX-series Switch on page 1307
Packet-based sampling: Samples one packet out of a specified number of packets from an interface enabled for sFlow technology. Time-based sampling: Samples interface statistics at a specified interval from an interface enabled for sFlow technology.
The sampling information is used to create a network traffic visibility picture. JUNOS software fully supports the sFlow standard described in RFC 3176, InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks (see RFC 3176).
NOTE: sFlow technology on EX-series switches samples only raw packet headers. A raw Ethernet packet is the complete Layer 2 network frame. An sFlow monitoring system consists of an sFlow agent embedded in the switch and a centralized collector. The sFlow agents two main activities are random sampling and statistics gathering. It combines interface counters and flow samples and sends them across the network to the sFlow collector. EX-series switches adopts the distributed sFlow architecture. The sFlow agent has two separate sampling entities that are associated with each packet forwarding engine. These sampling entities are known as subagents. Each subagent has a unique ID that is used by the collector to identify the data source. A subagent has its own independent state and forwards its own sample messages to the sFlow agent. The sFlow agent is responsible for packaging the samples into datagrams and sending them to the sFlow collector. Since sampling is distributed across subagents, the
1307
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
protocol overheads associated with sFlow are significantly reduced at the collector. If the mastership assignment changes in a Virtual Chassis setup, sFlow technology continues to function.
NOTE: JUNOS software on EX-series switches supports sFlow version 5. The sFlow collector uses the sFlow agents IP address to determine the source of the sFlow data. The IP address assigned to the agent is based on the following order of priority of interfaces configured on the switch: 1. Loopback interface 2. Virtual Management Ethernet (VME) interface 3. Management Ethernet interface 4. Any other Layer 3 interface If a particular interface has not been configured, the IP address of the next interface in the priority list is used as the IP address for the agent. For example, if the loopback interface has not been configured, then the IP address of the VME interface is assigned as the agents IP address. Once an IP address is assigned to the agent and an interface with a higher priority is configured, the agents IP address is not modified till the sFlow service is restarted. At least one interface has to be configured for an IP address to be assigned to the agent.
NOTE: If a loopback interface has the IP address 127.x.x.x, the agent is not assigned the IP address of that interface. The next interface on the priority list is used as the agents IP address. sFlow data can be used to provide network traffic visibility information. Infrequent sampling flows are not reported in the sFlow information, but over time the majority of flows are reported. Based on a defined sampling rate, 1 out of N packets is captured and sent to the collector. This type of sampling does not provide a 100 percent accurate result in the analysis, but it does provide a result with quantifiable accuracy. A polling interval defines how often the sFlow data for a specific interface are sent to the collector, but an sFlow agent is free to schedule polling.
Related Topics
Example: Monitoring Network Traffic Using sFlow Technology on EX-series Switches on page 1309 Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1315 Monitoring Interface Status and Traffic on page 329
1308
Chapter 76
Example: Monitoring Network Traffic Using sFlow Technology on EX-series Switches on page 1309
Requirements on page 1309 Overview and Topology on page 1309 Configuration on page 1310 Verification on page 1312
Requirements
This example uses the following hardware and software components:
JUNOS Release 9.3 or later for EX-series switches One EX 3200 or EX 4200 switch
1309
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
counters and flow samples and sends them across the network to the sFlow collector. Figure 76 on page 1310 depicts the basic elements of the sFlow system.
Figure 76: sFlow Technology Monitoring System
Configuration
To configure sFlow technology, perform the following tasks:
CLI Quick Configuration
To quickly configure sFlow technology, copy the following commands and paste them into the switch terminal window:
[edit protocols sflow] set collector 10.204.32.46 set collector udp-port 5600 set interfaces ge-0/0/0.0 set polling-interval 20 set sample-rate 1000
1310
Configuration
Step-by-Step Procedure
NOTE: You can configure a maximum of 4 collectors. Configure the UDP port of the collector. The default UDP port assigned is 6343.
[edit protocols sflow] user@switch# set collector udp-port 5600
2.
3.
NOTE: You cannot enable sFlow technology on a Layer 3 VLAN-tagged interface. You cannot enable sFlow technology on a LAG interface. sFlow technology can be enabled on the member interfaces of the LAG.
4.
NOTE: The polling interval can be specified as a global parameter also. Specify 0 if you do not want to poll the interface. Specify the rate at which packets must be sampled:
[edit protocols sflow] user@switch# set sample-rate 1000
5.
Results
Configuration
1311
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Verification
To confirm that the configuration is correct, perform these tasks:
Verifying That sFlow Technology Has Been Configured Properly on page 1312 Verifying That sFlow Technology Is Enabled on the Intended Interface on page 1312 Verifying the sFlow Collector Configuration on page 1313
Verify that sFlow technology has been configured properly. Use the show sflow command:
user@switch> show sflow sFlow : Enabled Sample rate : 1:1000 Sample limit : 300 packets/second Polling interval : 20 seconds
NOTE: The sample limit cannot be configured and is set to 300 packets/second.
Meaning
The output shows that sFlow technology is enabled and specifies the values for the sampling rate, sampling limit, and polling interval.
Verify that sFlow technology is enabled on interfaces and display the sampling parameters. Use the show sflow interface command:
user@switch> show sflow interface Interface Status Sample rate ge-0/0/0.0 Enabled 1000
Action
NOTE: The sample limit cannot be configured and is set to 300 packets/second.
1312
Verification
Meaning
The output indicates that sFlow technology is enabled on the ge-0/0/0.0 interface with a sampling rate of 1000, sampling limit of 300 packets per second and a polling interval of 20 seconds.
Verify the sFlow collector's configuration. Use the show sflow collector command:
user@switch> show sflow collector Collector address UDP-port No of samples 10.204.32.46 5600 1000 100.204.32.76 3400 1000
Meaning
The output displays the IP address of the collector and the UDP port. It also displays the packet sampling rate.
Related Topics
Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1315 Understanding Using sFlow Technology for Network Monitoring on an EX-series Switch on page 1307
1313
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1314
Chapter 77
Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1315
2.
Configure the UDP port of the collector. The default UDP port assigned is 6343.
[edit protocols sflow] user@switch# set collector udp-port <port-number>
3.
NOTE: You cannot enable sFlow technology on a Layer 3 VLAN-tagged interface. You cannot enable sFlow technology on a LAG interface. sFlow technology can be enabled on the member interfaces of the LAG.
4.
1315
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
NOTE: Specify 0 if you do not want to poll the interface. Specify the rate at which packets must be sampled:
[edit protocols sflow] user@switch# set sample-rate number
5.
6.
You can also configure the polling interval and sample rate at the interface level.
[edit protocols sflow interfaces] user@switch# set polling-interval seconds
Related Topics
Example: Monitoring Network Traffic Using sFlow Technology on EX-series Switches on page 1309 Understanding Using sFlow Technology for Network Monitoring on an EX-series Switch on page 1307
1316
Chapter 78
1317
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
leave-timer milliseconds; leaveall-timer milliseconds; } igmp-snooping { traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag (detail | disable | receive | send); } vlan (vlan-id | vlan-number { disable{ interface interface-name } immediate-leave; interface interface-name { multicast-router-interface; static { group ip-address; } } query-interval seconds; query-last-member-interval seconds; query-response-interval seconds; robust-count number; } } lldp { disable; advertisement-interval seconds; hold-multiplier number; interface (all | interface-name) { disable; } traceoptions { file filename <files number> <size size> <world-readable | no-world-readable> <match regex>; flag flag (detail | disable | receive | send); } transmit-delay seconds; } lldp-med { disable; fast-start number; interface (all | interface-name) { disable; location { elin number; civic-based { what number; country-code code; ca-type { number { ca-value value; } }
1318
} } } } mstp { disable; bpdu-block-on-edge; bridge-priority priority; configuration-name name; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds; max-hops hops; msti msti-id { vlan (vlan-id | vlan-name); interface interface-name { disable; cost cost; edge; mode mode; priority priority; } } revision-level revision-level; traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } } rstp { disable; bpdu-block-on-edge; bridge-priority priority; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost;
1319
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
edge; mode mode; no-root-port; priority priority; } max-age seconds; } traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } stp { disable; bridge-priority priority; forward-delay seconds; hello-time seconds; interface (all | interface-name) { disable; bpdu-timeout-action { block; alarm; } cost cost; edge; mode mode; no-root-port; priority priority; } max-age seconds; } traceoptions { file filename <files number > <size size> <no-stamp | world-readable | no-world-readable>; flag flag; } } sflow { collector { ip-address; udp-port port-number; } disable; interfaces interface-name { disable; polling-interval seconds; sample-rate number; } polling-interval seconds; sample-rate number; }
Related Topics
802.1X for EX-series Switches Overview on page 718 Example: Configure Automatic VLAN Administration Using GVRP on page 432
1320
Understanding 802.1X MAC RADIUS Authentication on EX-series Switches on page 723 Understanding Server Fail Fallback and 802.1X Authentication on EX-series Switches on page 725 IGMP Snooping on EX-series Switches Overview on page 659 Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 728 Understanding MSTP for EX-series Switches on page 487 Understanding RSTP for EX-series Switches on page 486 Understanding STP for EX-series Switches on page 485 Understanding Using sFlow Technology for Network Monitoring on an EX-series Switch on page 1307
collector
Syntax
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure a remote collector for sFlow network traffic monitoring. The switch sends sFlow UDP datagrams to this collector for analysis. You can configure up to four collectors on the switch. You configure a collector by specifying its IP address and a UDP port. The remaining statements are explained separately.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
[edit protocols] Configuration Statement Hierarchy on page 33 Example: Monitoring Network Traffic Using sFlow Technology on EX-series Switches on page 1309 Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1315
collector
1321
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
disable
Syntax Hierarchy Level
Statement introduced in JUNOS Release 9.3 for EX-series switches. Disable the sFlow monitoring protocol on all interfaces on the switch or on the specified interface. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
[edit protocols] Configuration Statement Hierarchy on page 33 Example: Monitoring Network Traffic Using sFlow Technology on EX-series Switches on page 1309 Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1315
interfaces
Syntax
interfaces interface-name { disable; polling-interval seconds; sample-rate number; } [edit protocols sflow]
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure sFlow network traffic monitoring on the specified interface on the switch. You can configure sFlow parameters such as polling interval and sample rate with different values on different interfaces, and you can also disable sFlow monitoring on individual interfaces. The remaining statements are explained separately.
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
[edit protocols] Configuration Statement Hierarchy on page 33 Example: Monitoring Network Traffic Using sFlow Technology on EX-series Switches on page 1309 Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1315
1322
disable
polling-interval
Syntax Hierarchy Level
polling-interval seconds; [edit protocols sflow], [edit protocols sflow interfaces interface-name]
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure the interval (in seconds) that the switch waits between port statistics update messages. Polling refers to the switchs gathering various statistics for the network interfaces configured for sFlow monitoring and exporting the statistics to the configured sFlow collector. If no polling interval is configured for a particular interface, the switch waits the number of seconds that is configured for the global sFlow configuration. If no global interval is configured, the switch waits 20 seconds between messages.
secondsNumber of seconds between port statistics update messages. A 0 (zero)
Default
Options
value specifies that polling is disabled. Range: 03600 seconds Default: 20 seconds
Required Privilege Level Related Topics
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
[edit protocols] Configuration Statement Hierarchy on page 33 Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1315 Example: Monitoring Network Traffic Using sFlow Technology on EX-series Switches on page 1309
polling-interval
1323
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
sample-rate
Syntax Hierarchy Level
sample-rate number; [edit protocols sflow], [edit protocols sflow interfaces interface-name]
Statement introduced in JUNOS Release 9.3 for EX-series switches. Set the ratio of the number of packets to be sampled in sFlow network traffic monitoring. For example, if you specify a rate of 1000, every thousandth packet (1 packet out of 1000) is sampled. If no sample rate is configured for a particular interface, the switch samples at the rate configured for the global sFlow configuration. If no global rate is configured, the switch samples 1 in 2000 packets.
numberDenominator of the ratio that composes the sample rate.
Default
Options
routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
[edit protocols] Configuration Statement Hierarchy on page 33 Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1315 Example: Monitoring Network Traffic Using sFlow Technology on EX-series Switches on page 1309
1324
sample-rate
sflow
Syntax
sflow { collector { ip-address; udp-port port-number; } disable; interfaces interface-name { disable; polling-interval seconds; sample-rate number; } polling-interval seconds; sample-rate number; } [edit protocols]
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure sFlow technology, designed for monitoring high-speed switched or routed networks, to continuously monitor traffic at wire speed on specified interfaces simultaneously. sFlow data can be used to provide network traffic visibility information. The remaining statements are explained separately.
The sFlow protocol is disabled by default. routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
[edit protocols] Configuration Statement Hierarchy on page 33 Example: Monitoring Network Traffic Using sFlow Technology on EX-series Switches on page 1309 Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1315
sflow
1325
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
udp-port
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.3 for EX-series switches. Configure the UDP port for a remote collector for sFlow network traffic monitoring. The switch sends sFlow UDP datagrams to the collector for analysis.
port-numberUDP port number for this collector.
Default: 6343 routingTo view this statement in the configuration. routing-controlTo add this statement to the configuration.
[edit protocols] Configuration Statement Hierarchy on page 33 Example: Monitoring Network Traffic Using sFlow Technology on EX-series Switches on page 1309 Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1315
1326
udp-port
Chapter 79
1327
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
show sflow
Syntax
Command introduced in JUNOS Release 9.3 for EX-series switches. Displays default sflow configuration information.
collector(Optional) Display standard status information about the specified sflow
collector.
interface(Optional) Display standard status information about the specified sflow
interface.
Required Privilege Level Related Topics
view
show sflow interface show sflow collector Example: Monitoring Network Traffic Using sFlow Technology on EX-series Switches on page 1309 Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1315
Output Fields
Table 182 on page 1328 lists the output fields for the show sflow command. Output fields are listed in the approximate order in which they appear.
Field Description Status of the feature: enabled or disabled. Rate at which packets are sampled. Number of packets sampled per second. The sample limit cannot be configured and is set to 300 packets/second. Interval at which the sFlow agent polls the interface.
Polling interval
All levels
show sflow
sFlow : Enabled Sample rate : 1:1000 Sample limit : 300 packets/second Polling interval : 20 seconds
1328
show sflow
Command introduced in JUNOS Release 9.3 for EX-series switches. Displays a list of configured sFlow collectors and their properties. view
show sflow show sflow interface Example: Monitoring Network Traffic Using sFlow Technology on EX-series Switches on page 1309 Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1315
Output Fields
Table 183 on page 1329 lists the output fields for the show sflow collector command. Output fields are listed in the approximate order in which they appear.
Field Description IP address of the collector. UDP port number. Packet sampling rate.
1329
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
Command introduced in JUNOS Release 9.3 for EX-series switches. Displays the interfaces on which sFlow technology is enabled and the sampling parameters. view
show sflow show sflow collector Example: Monitoring Network Traffic Using sFlow Technology on EX-series Switches on page 1309 Configuring sFlow Technology for Network Monitoring (CLI Procedure) on page 1315
Output Fields
Table 184 on page 1330 lists the output fields for the show sflow interface command. Output fields are listed in the approximate order in which they appear.
Field Description Interface on which sFlow technology is enabled. Rate at which packets are sampled. Number of packets sampled per second. Sample limit cannot be configured and is set to 300 packets/second.
Polling-interval
All levels
Interfaces ge-0/0/0.0
1330
Chapter 80
Configuring SNMP (J-Web Procedure) on page 674 JUNOS Software Network Management Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
1331
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
bucket-size
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure the sampling of Ethernet statistics for network fault diagnosis, planning, and performance tuning.
50 numberNumber of discrete samples of Ethernet statistics requested.
snmpTo view this statement in the configuration. snmpcontrolTo add this statement to the configuration.
Configuring SNMP (J-Web Procedure) on page 674 JUNOS Software Network Management Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
1332
bucket-size
history
Syntax
history history-index { bucket-size number; interface interface-name; interval seconds; owner owner-name; } [edit snmp rmon]
Statement introduced in JUNOS Release 9.0 for EX-series switches. Configure RMON history group entries. This RMON feature can be used with the Simple Network Management Protocol (SNMP) agent in the switch to monitor all the traffic flowing among switches on all connected LAN segments. It collects statistics in accordance with user-configurable parameters. The history group controls the periodic statistical sampling of data from various types of networks. This group contains configuration entries that specify an interface, polling period, and other parameters. The interface interface-name statement is mandatory. Other statements in the history group are optional.
Not configured.
history-indexIdentifies this history entry as an integer.
Range: 1 through 655535 snmpTo view this statement in the configuration. snmpcontrolTo add this statement to the configuration.
Configuring SNMP (J-Web Procedure) on page 674 JUNOS Software Network Management Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
history
1333
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
interface
Syntax Hierarchy Level Release Information Description
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify the interface to be monitored in the specified RMON history entry. Only one interface can be specified for a particular RMON history index. There is a one-to-one relationship between the interface and the history index. The interface must be specified in order for the RMON history to be created.
Options
snmpTo view this statement in the configuration. snmpcontrolTo add this statement to the configuration.
Configuring SNMP (J-Web Procedure) on page 674 JUNOS Software Network Management Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
owner
Syntax Hierarchy Level Release Information Description Options Required Privilege Level Related Topics
Statement introduced in JUNOS Release 9.0 for EX-series switches. Specify the user or group responsible for this configuration.
owner-nameThe user or group responsible for this configuration.
Range: 0 through 32 alphanumeric characters snmpTo view this statement in the configuration. snmpcontrolTo add this statement to the configuration.
Configuring SNMP (J-Web Procedure) on page 674 JUNOS Software Network Management Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
1334
interface
rmon
Syntax
rmon { history history-index { interface interface-name; bucket-size number; interval seconds; owner owner-name; } } [edit snmp]
Statement introduced in JUNOS Release 9.0 for EX-series switches. RMON is an existing feature of JUNOS software. The RMON specification provides network administrators with comprehensive network fault diagnosis, planning, and performance tuning information. It delivers this information in nine groups of monitoring elements, each providing specific sets of data to meet common network monitoring requirements. Each group is optional, so that vendors do not need to support all the groups within the MIB. JUNOS software supports RMON Statistics, History, Alarm, and Event groups. The EX-series documentation describes only the rmon history statement, which was added with this release. The statements are explained separately.
Disabled. snmpTo view this statement in the configuration. snmpcontrolTo add this statement to the configuration.
Configuring SNMP (J-Web Procedure) on page 674 JUNOS Software Network Management Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
rmon
1335
Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.3
1336
rmon