www.juniper.net
Part Number: , Revision R1
This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue
Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public
domain.
This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software
included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988,
1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by
Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol.
Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the
University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.
Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and
other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks
are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed
to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347,
6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
JUNOS for EX-series Software
Complete Software Guide for JUNOS for EX-series Software, Release 9.2
Copyright 2008, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Writing: Appumon Joseph, Aviva Garrett, Bhargava Y.P, Brian Deutscher, Hareesh Kumar K N, Janet Bein, Keldyn West, Regina Roman, Tim Harrington,
Vinita Kurup
Editing: Cindy Martin
Illustration: Faith Bradford Brown
Cover Design: Christine Nay
Revision History
12 August 2008    Revision R1
The information in this document is current as of the date listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS software has no known time-related limitations through the year
2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the
extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you
indicate that you understand and agree to be bound by those terms and conditions.
Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain
uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details.
For complete product documentation, please see the Juniper Networks Web site at www.juniper.net/techpubs.
7. Ownership. Juniper and Juniper's licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software,
associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in
the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that
accompanies the Software (the Warranty Statement). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services
may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED
BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,
OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR
JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY
JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW,
JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING
ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER
WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION,
OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper's or its suppliers' or licensors' liability to Customer, whether
in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or
if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper
has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same
reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss),
and that the same form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license
granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer's
possession or control.
10. Taxes. All license fees for the Software are exclusive of taxes, withholdings, duties, or levies (collectively Taxes). Customer shall be responsible for
paying Taxes arising from the purchase of the license, or importation or use of the Software.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign
agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or
without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption
or other capabilities restricting Customer's ability to export the Software without an export license.
12. Commercial Computer Software. The Software is commercial computer software and is provided with restricted rights. Use, duplication, or disclosure
by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212,
FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface
information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any.
Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable
terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology
are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor
shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the
Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and
subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License
(GPL) or the GNU Library General Public License (LGPL)), Juniper will make such source code portions (including Juniper modifications, as appropriate)
available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194
N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of
the LGPL at http://www.gnu.org/licenses/lgpl.html.
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions
of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties
hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement
constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous
agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a
separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict
with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in
writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the
remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English
version will govern. (For Canada: Les parties aux présentes confirment leur volonté que cette convention de même que tous les documents y compris tout
avis qui s'y rattache, soient rédigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be
in the English language)).
Table of Contents
About This Topic Collection ...................................................................xxxix
Part 1
Chapter 1
Product Overview
Part 2
Chapter 2
Part 3
Chapter 3
Part 4
Chapter 5
Initial Configuration
Software Installation
Chapter 8
Licenses
Part 5
System Basics
Chapter 9
radius-options .............................................................................................123
Chapter 14
Part 6
Virtual Chassis
Chapter 15
Chapter 17
Chapter 19
Part 7
Interfaces
Chapter 22
Understanding Interfaces
Configuring Interfaces
Verifying Interfaces
Chapter 26
Troubleshooting Interfaces
Part 8
Chapter 29
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch ....369
Example: Setting Up Bridging with Multiple VLANs for EX-series
Switches ...............................................................................................376
Example: Connecting an Access Switch to a Distribution Switch .................384
Example: Configure Automatic VLAN Administration Using GVRP ..............393
Example: Configuring Redundant Trunk Links for Faster Recovery .............400
Example: Configuring Storm Control to Prevent Network Outages on EX-series
Switches ...............................................................................................404
Chapter 31
interface ......................................................................................................509
interface ......................................................................................................510
interface ......................................................................................................511
join-timer ....................................................................................................512
l3-interface ................................................................................................1167
leaveall-timer ...............................................................................................513
leave-timer ..................................................................................................514
level ............................................................................................................515
mac-limit .....................................................................................................516
mac-table-aging-time .................................................................................1167
max-age ......................................................................................................518
max-hops ....................................................................................................519
members ...................................................................................................1167
mode ...........................................................................................................521
msti .............................................................................................................522
mstp ............................................................................................................523
native-vlan-id .............................................................................................1167
no-broadcast ...............................................................................................525
no-root-port .................................................................................................526
no-unknown-unicast ....................................................................................527
port-mode .................................................................................................1167
priority ........................................................................................................529
redundant-trunk-group ................................................................................530
rstp ..............................................................................................................531
storm-control ..............................................................................................532
stp ...............................................................................................................533
traceoptions ................................................................................................534
translate ....................................................................................................1167
vlan ...........................................................................................................1167
vlan ...........................................................................................................1167
vlan-id .......................................................................................................1167
vlan-range ...................................................................................................539
vlans ...........................................................................................................540
Chapter 36
Part 9
Layer 3 Protocols
Chapter 37
Chapter 41
multicast-router-interface ..........................................................................1167
query-interval ............................................................................................1167
query-last-member-interval .......................................................................1167
query-response-interval .............................................................................1167
robust-count ..............................................................................................1167
traceoptions ..............................................................................................1167
vlan ...........................................................................................................1167
Chapter 42
Part 10
Chapter 43
Understanding MAC Limiting and MAC Move Limiting for Port Security on
EX-series Switches ................................................................................664
MAC Limiting ........................................................................................664
MAC Move Limiting ..............................................................................664
Actions for MAC Limiting and MAC Move Limiting ...............................665
MAC Addresses That Exceed the MAC Limit or MAC Move Limit ..........665
Understanding Trusted DHCP Servers for Port Security on EX-series
Switches ...............................................................................................666
Understanding IP Source Guard for Port Security on EX-series Switches .....666
IP Address Spoofing ..............................................................................666
How IP Source Guard Works .................................................................666
The IP Source Guard Database ..............................................................667
Typical Uses of Other JUNOS Software Features with IP Source
Guard .............................................................................................667
Chapter 44
maximum-requests .....................................................................................839
no-reauthentication .....................................................................................839
order ...........................................................................................................840
profile ..........................................................................................................841
quiet-period .................................................................................................842
radius ..........................................................................................................843
reauthentication ..........................................................................................844
retries ..........................................................................................................845
secure-access-port .....................................................................................1167
server-timeout .............................................................................................847
static ...........................................................................................................848
static-ip .....................................................................................................1167
stop-on-access-deny ....................................................................................849
stop-on-failure .............................................................................................850
supplicant ....................................................................................................851
supplicant-timeout .......................................................................................852
traceoptions ..............................................................................................1167
traceoptions ..............................................................................................1167
traceoptions ..............................................................................................1167
transmit-delay ...........................................................................................1167
transmit-period ...........................................................................................859
vlan ...........................................................................................................1167
vlan ...........................................................................................................1167
vlan-assignment ..........................................................................................861
voip .............................................................................................................862
what ............................................................................................................863
Chapter 48
Part 11
Packet Filtering
Chapter 49
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches ................................................................................923
Chapter 51
Chapter 52
Part 12
CoS
Chapter 56
Understanding CoS
Configuring CoS
Verifying CoS
Chapter 60
Part 13
PoE
Chapter 62
Understanding PoE
Configuring PoE
Verifying PoE
Part 14
Port Mirroring
Chapter 68
Part 15
Network Management
Chapter 73
Part 16
Index
Index .........................................................................................................1171
List of Figures
Figure 1: Basic VRRP on EX-series Switches ..................................................14
Figure 2: VRRP on EX 4200 Virtual Chassis Switches ....................................14
Figure 3: LCD Panel .......................................................................................59
Figure 4: Connecting PC to Port 0 .................................................................60
Figure 5: Connecting to the Console Port on the EX-series Switch ...............119
Figure 6: Console Session Redirection .........................................................141
Figure 7: Management Ethernet Port Redirection to VME ............................142
Figure 8: Basic Virtual Chassis with Master and Backup ..............................149
Figure 9: Expanded Virtual Chassis in Single Wiring Closet .........................154
Figure 10: Default Configuration of Multimember Virtual Chassis in a Single
Wiring Closet ........................................................................................159
Figure 11: A Virtual Chassis Interconnected Across Wiring Closets ..............167
Figure 12: Topology for LAGs Connecting a Virtual Chassis Access Switch to
a Virtual Chassis Distribution Switch .....................................................174
Figure 13: Maximum Size Virtual Chassis Interconnected Across Wiring
Closets ..................................................................................................188
Figure 14: Network Ports on the 24-Port EX-series Switch ...........................262
Figure 15: Network Ports on the 48-Port EX-series Switch ...........................262
Figure 16: Topology for LAGs Connecting a Virtual Chassis Access Switch to
a Virtual Chassis Distribution Switch .....................................................269
Figure 17: Redundant Trunk Group, Link 1 Active .......................................366
Figure 18: Redundant Trunk Group, Link 2 Active .......................................366
Figure 19: Topology for Configuring the Redundant Trunk Links .................402
Figure 20: Network Topology for RSTP ........................................................428
Figure 21: Network Topology for MSTP .......................................................443
Figure 22: BPDU Protection Topology .........................................................464
Figure 23: BPDU Protection Topology .........................................................469
Figure 24: Network Topology for Loop Protection .......................................473
Figure 25: Network Topology for Root Protection ........................................478
Figure 26: IGMP Traffic Flow with IGMP Snooping Enabled .........................582
Figure 27: IGMP Traffic Flow with Routed VLAN Interfaces .........................583
Figure 28: Example 802.1X Topology .........................................................643
Figure 29: Authentication Process ...............................................................644
Figure 30: Process Flowchart for Non-Responsive Host Requests ................651
Figure 31: VoIP Multiple Supplicant Topology .............................................652
Figure 32: VoIP Single Supplicant Topology .................................................653
Figure 33: DHCP Snooping ..........................................................................659
Figure 34: DHCP Server Connected to Switch ..............................................660
Figure 35: Topology for Configuration .........................................................672
Figure 36: Topology for Guest VLAN Example .............................................677
Figure 37: Topology for Static MAC Authentication Configuration ...............682
Figure 38: Topology for Configuring Supplicant Modes ................................687
List of Tables
Table 1: Summary of Software Features Available on EX-series Switches ........4
Table 2: JUNOS Layer 3 Protocol Statements and Features That Are Not
Supported .................................................................................................8
Table 3: JUNOS Software Processes ...............................................................18
Table 4: EX 3200 Switch Models ...................................................................21
Table 5: EX 4200 Switch Models ...................................................................22
Table 6: J-Web Interface ................................................................................46
Table 7: J-Web Interface ................................................................................46
Table 8: J-Web Edit Point & Click Configuration Links ...................................48
Table 9: J-Web Edit Point & Click Configuration Icons ...................................49
Table 10: J-Web Edit Point & Click Configuration Buttons .............................49
Table 11: Switching Platform Configuration Interfaces ..................................51
Table 12: Install Remote Summary ...............................................................67
Table 13: Upload Package Summary .............................................................68
Table 14: Configuration File Terms ...............................................................72
Table 15: J-Web Configuration History Summary ..........................................73
Table 16: J-Web Configuration Database Information Summary ...................74
Table 17: Options for the load command ......................................................75
Table 18: Alarm Terms ..................................................................................91
Table 19: Secure Management Access Configuration Summary ....................94
Table 20: Date and Time Settings ..................................................................95
Table 21: J-Web Ping Host Field Summary ..................................................100
Table 22: Packet Capture Field Summary ....................................................101
Table 23: Traceroute Field Summary ...........................................................104
Table 24: Summary of Key System Properties Output Fields .......................105
Table 25: Summary of System Process Information Output Fields ..............106
Table 26: User Management > Add a User Configuration Page
Summary ..............................................................................................109
Table 27: Add an Authentication Server ......................................................109
Table 28: Summary of Key Alarm Output Fields .........................................114
Table 29: Filtering System Log Messages .....................................................114
Table 30: Viewing System Log Messages .....................................................116
Table 31: show snmp rmon history Output Fields .......................................127
Table 32: Components of the Basic Virtual Chassis Access Switch
Topology ...............................................................................................149
Table 33: Components of the Expanded Virtual Chassis Access Switch .......154
Table 34: Components of a Virtual Chassis Interconnected Across Multiple
Wiring Closets .......................................................................................166
Table 35: Components of the Topology for Connecting Virtual Chassis Access
Switches to a Virtual Chassis Distribution Switch ..................................269
Table 36: Components of a Preprovisioned Virtual Chassis Interconnected
Across Multiple Wiring Closets ..............................................................187
List of Tables
Complete Software Guide for JUNOS for EX-series Software, Release 9.2
Description: How to use the J-Web graphical user interface (GUI) with JUNOS for EX-series software
Downloading Software
You can download the JUNOS for EX-series software from the Download Software
area at http://www.juniper.net/customers/support/. To download the software, you must
have a Juniper Networks user account. For information about obtaining an account,
see http://www.juniper.net/entitlement/setupAccountInfo.do.
Notice icons: Informational note, Caution, Warning, Laser warning.
Text conventions and examples:
To enter configuration mode, type the configure command:
user@host> configure
| (pipe symbol): broadcast | multicast
[edit]
root@# set system domain-name domain-name
# (pound sign), [ ] (square brackets), ; (semicolon):
[edit]
routing-options {
    static {
        route default {
            nexthop address;
            retain;
        }
    }
}
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. Send email to techpubs-comments@juniper.net with the
following:
Software version
Getting Support
For technical support, open a support case with the Case Manager link at
http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States, Canada,
or Mexico) or 1-408-745-9500 (from elsewhere).
Part 1
Chapter 1
Product Overview
Software Overview
EX-series Feature / Introduced in Release (JUNOS 9.0R2, JUNOS 9.1R1, or JUNOS 9.2R1):
Security
Storm control
Port security: DHCP snooping, MAC limiting, IP source guard
802.1X authentication
MAC-based VLAN
Internet Protocols
IPv4
IP Address Management
Static addresses
Intermediate System-to-Intermediate System (IS-IS)
Encapsulation
Traffic Management
IGMP snooping
Single-source multicast
Static routes
Ethernet: 802.1p tagging, Transparent bridging
Redundant interfaces
Link aggregation
J-Web licensing
Traceroute
Autoinstallation
Configuration rollback
Software upgrades
System Management
Administration: Commit scripts, Operation scripts, Event policies
Related Topics
Protocol: Notes
BGP
BFD: Fully supported.
DVMRP
GRE: Fully supported.
ICMP: Fully supported.
IGMP: Fully supported.
IS-IS
OSPF
PIM
RIP: Fully supported.
RIPng: Fully supported.
SNMP: Fully supported.
VRRP: Fully supported.
Related Topics
Table 2: JUNOS Layer 3 Protocol Statements and Features That Are Not Supported
BGP: Multiprotocol BGP (MBGP); vpn-apply-export statement
DVMRP
IPSec
IPv6
IS-IS: clns-routing statement; ES-IS; ipv6multicast statement; IPv6; ipv6unicast statement; Traffic engineering; lsp-interval statement; label-switched-path statement; lsp-lifetime statement; no-ipv6-routing statement; te-metric statement
Logical routers
MLD
MPLS: MSTP; All of MPLS; Label Distribution Protocol (LDP); Layer 3 VPNs; Multiprotocol BGP (MP-BGP) for VPN-IPv4 family; Pseudowire emulation (PWE3); Resource Reservation Protocol (RSVP); Routing policy statements related to Layer 3 VPNs and MPLS
OSPF: demand-circuit statement; IPv6; Traffic engineering; poll-interval statement; sham-link statement; te-metric statement
OSPFv3
PIM: inet6 family
RIPng
Routing instances: no-vrf-advertise statement; route-distinguisher statement; vrf-export statement; vrf-import statement; vrf-table-label statement; vrf-target statement; MPLS and label-switched-paths; IPv6; route-distinguisher-id statement
IPv6
Routing instance forwarding
cflowd statement; export-format-cflowd-version-5 statement; flow-active-timeout statement; flow-export-destination statement; flow-inactive-timeout statement; interface statement; port-mirroring statement
NOTE: Implement port mirroring on EX-series switches using the analyzer and subordinate statements.
Related Topics
Access privilege levels configurable for login classes and user templates.
MAC move limiting: Detects MAC movement and MAC spoofing on access ports. Prevents hosts whose MAC addresses have not been learned by the switch from accessing the network.
Related Topics
VRRP on page 13
VRRP
For Gigabit Ethernet interfaces, 10-Gigabit Ethernet interfaces, and logical interfaces
on EX-series switches, you can configure the Virtual Router Redundancy Protocol
(VRRP). The switches act as virtual routing platforms. VRRP enables hosts on a LAN
to make use of redundant routing platforms on that LAN without requiring more than
the static configuration of a single default route on the hosts. The VRRP routing
platforms share the IP address corresponding to the default route configured on the
hosts. At any time, one of the VRRP routing platforms is the master (active) and the
others are backups. If the master routing platform fails, one of the backup routing
platforms becomes the new master, providing a virtual default routing platform and
enabling traffic on the LAN to be routed without relying on a single routing platform.
Using VRRP, a backup EX-series switch can take over a failed default switch within
a few seconds. This is done with minimum VRRP traffic and without any interaction
with the hosts.
NOTE: The VRRP master and backup routing platforms should not be confused with
the master and backup member switches of a Virtual Chassis configuration. The
master and backup members of a Virtual Chassis configuration compose a single
host. In a VRRP topology, one host operates as a master routing platform and another
host operates as a backup routing platform, as shown in Figure 2 on page 14.
Switches running VRRP dynamically elect master and backup routing platforms. You
can also force assignment of master and backup routing platforms using priorities
from 1 through 255, with 255 being the highest priority. In VRRP operation, the
default master routing platform sends advertisements to backup routing platforms
at regular intervals. The default interval is 1 second. If a backup routing platform
does not receive an advertisement for a set period, the backup routing platform with
the next highest priority takes over as master and begins forwarding packets.
Figure 1 on page 14 illustrates a basic VRRP topology with EX-series switches. In
this example, Switches A, B, and C are running VRRP and together they make up a
virtual routing platform. The IP address of this virtual routing platform is 10.10.0.1
(the same address as the physical interface of Switch A).
Because the virtual routing platform uses the IP address of the physical interface of
Switch A, Switch A is the master VRRP routing platform, while switches B and C
function as backup VRRP routing platforms. Clients 1 through 3 are configured with
the default gateway IP address of 10.10.0.1. As the master router, Switch A forwards
packets sent to its IP address. If the master virtual routing platform fails, the switch
configured with the higher priority becomes the master virtual routing platform and
provides uninterrupted service for the LAN hosts. When Switch A recovers, it becomes
the master virtual routing platform again.
VRRP is defined in RFC 3768, Virtual Router Redundancy Protocol.
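The election and failover timing described above, as an added simulation that is not Juniper's code: three constructed switches A, B and C with priorities 255, 200 and 100, where A (the address owner) fails at 5 s and returns at 20 s. The master-down interval (3 × advertisement interval + skew time) is taken from RFC 3768; the switch names, priorities and event times are constructed for the example.

```python
from dataclasses import dataclass

TICKS_PER_SEC = 256               # 1/256 s steps make every RFC 3768 skew time exact
ADVERT_TICKS = 1 * TICKS_PER_SEC  # default advertisement interval of 1 second
OWNER_PRIORITY = 255              # the switch that owns the virtual IP (Switch A above)


@dataclass
class VrrpRouter:
    name: str
    priority: int                 # 1 through 255, 255 being the highest
    up: bool = False
    state: str = "backup"
    last_advert_tick: int = 0     # when this router last heard a master advertisement

    def master_down_ticks(self) -> int:
        """RFC 3768: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time,
        with Skew_Time = (256 - priority) / 256 s, so the highest priority expires first."""
        return 3 * ADVERT_TICKS + (256 - self.priority)


def simulate(routers, events, duration_s):
    """Run the election for duration_s seconds and return (seconds, master) transitions.

    events maps a tick to [(router_name, is_up), ...] power/link changes (constructed).
    """
    by_name = {r.name: r for r in routers}
    transitions = []
    master = None

    def make_master(r, tick):
        nonlocal master
        if master is not None:
            master.state = "backup"   # the old master steps down
        r.state = "master"
        master = r
        transitions.append((tick / TICKS_PER_SEC, r.name))

    for tick in range(duration_s * TICKS_PER_SEC + 1):
        # 1. Apply failures and recoveries scheduled for this tick.
        for name, up in events.get(tick, []):
            r = by_name[name]
            r.up = up
            r.last_advert_tick = tick
            if not up and r is master:
                master = None             # advertisements stop from here on
                r.state = "backup"
            elif up and r.priority == OWNER_PRIORITY:
                make_master(r, tick)      # the address owner becomes master at once

        # 2. The master advertises every ADVERT_TICKS; backups that hear it reset
        #    their timers. A higher-priority backup preempts a lower-priority master.
        if master is not None and tick % ADVERT_TICKS == 0:
            backups = [r for r in routers if r.up and r is not master]
            for r in backups:
                r.last_advert_tick = tick
            best = max(backups, key=lambda r: r.priority, default=None)
            if best is not None and best.priority > master.priority:
                make_master(best, tick)

        # 3. With no master advertising, the backup whose Master_Down timer
        #    expires first (the next-highest priority) takes over.
        if master is None:
            expired = [r for r in routers if r.up
                       and tick - r.last_advert_tick >= r.master_down_ticks()]
            if expired:
                make_master(max(expired, key=lambda r: r.priority), tick)
    return transitions


def demo():
    """Switch A (address owner) fails at 5 s and returns at 20 s."""
    routers = [VrrpRouter("A", 255), VrrpRouter("B", 200), VrrpRouter("C", 100)]
    events = {
        0: [("A", True), ("B", True), ("C", True)],   # all switches boot
        5 * TICKS_PER_SEC: [("A", False)],            # master A fails
        20 * TICKS_PER_SEC: [("A", True)],            # A recovers and preempts
    }
    return simulate(routers, events, duration_s=25)


if __name__ == "__main__":
    for seconds, name in demo():
        print(f"t={seconds:8.5f}s  master = Switch {name}")
```

Switch B takes over 3.21875 s after the last advertisement it heard (sent at 4 s), ahead of C, whose lower priority gives it a longer skew time.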
Provides the forwarding table to the Packet Forwarding Engines (PFEs) in all the
member switches of the Virtual Chassis configuration
Runs other management and control processes for the entire Virtual Chassis
configuration
The master Routing Engine, which is in the master of the Virtual Chassis configuration,
runs JUNOS software in the master role. It receives and transmits routing information,
builds and maintains routing tables, communicates with interfaces and Packet
Forwarding Engine components of the member switches, and has full control over
the Virtual Chassis configuration.
The backup Routing Engine, which is in the backup of the Virtual Chassis
configuration, runs JUNOS software in a backup role. It stays in sync with the master
Routing Engine in terms of protocol states, forwarding tables, and so forth. If the
master becomes unavailable, the backup Routing Engine takes over the functions
that the master Routing Engine performs.
Link Aggregation
You can combine multiple physical Ethernet ports to form a logical point-to-point
link, known as a link aggregation group (LAG) or bundle. A LAG provides more
bandwidth than a single Ethernet link can provide. Additionally, link aggregation
provides network redundancy by load-balancing traffic across all available links. If
one of the links should fail, the system automatically load-balances traffic across all
remaining links.
You can select up to eight Ethernet interfaces and include them within a link
aggregation group. In an EX 4200 Virtual Chassis configuration composed of multiple
members, the interfaces that compose a LAG can be on different members of the
Virtual Chassis. See Understanding Virtual Chassis Configurations and Link
Aggregation on page 144.
For more information on high availability features, see the JUNOS Software High
Availability Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html.
Creates the packet forwarding switch fabric for the switch, providing route
lookup, filtering, and switching on incoming data packets, then directing
outbound packets to the appropriate interface for transmission to the network
Maintains the routing tables used by the switch and controls the routing
protocols that run on the switch.
Provides control and monitoring functions for the switch, including controlling
power and monitoring system status.
Name: Description
Chassis process (chassisd)
Ethernet switching process (eswd): Handles Layer 2 switching functionality such as MAC address learning, Spanning Tree protocol, and access port security. The process is also responsible for managing Ethernet switching interfaces, VLANs, and VLAN interfaces.
Manages Ethernet switching interfaces, VLANs, and VLAN interfaces.
Forwarding process (pfem): Defines how routing protocols operate on the switch. The overall performance of the switch is largely determined by the effectiveness of the forwarding process.
Interface process (dcd)
Management process (mgd)
Routing protocol process (rpd): Defines how routing protocols such as RIP, OSPF, and BGP operate on the device, including selecting routes and maintaining forwarding tables.
Related Topics
For more information about processes, see the JUNOS Network Operations Guide
at http://www.juniper.net/techpubs/software/junos/junos90/index.html.
For more information about basic system parameters, supported protocols, and
software processes, see JUNOS System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html.
Supported Hardware
Have options of full (all ports) or partial (8 ports) Power over Ethernet (PoE)
capability
EX 3200 Switches
EX 3200 switches provide connectivity for low-density environments. Typically, you
deploy these switches in branch environments or wiring closets where only one
switch is required.
EX 3200 switches are available in models with either 24 or 48 ports and with either
all ports equipped for Power over Ethernet (PoE) or only 8 ports equipped for PoE.
All ports have 10/100/1000Base-T Gigabit Ethernet connectors.
EX 3200 switches include:
JUNOS software with its modular design that enables failed system processes to
gracefully restart.
EX 4200 Switches
EX 4200 switches provide connectivity for medium- and high-density environments
and scalability for growing networks. These switches can be deployed wherever you
need a high density of Gigabit Ethernet ports (24 to 480 ports) or redundancy.
Typically, EX 4200 switches are used in large branch offices, campus wiring closets,
and data centers where they can be positioned as the top device in a rack to provide
connectivity for all the devices in the rack.
You can connect individual EX 4200 switches together to form one unit and manage
the unit as a single chassis, called a virtual chassis. You can add more member
switches to the virtual chassis as needed, up to a total of 10 members.
EX 4200 switches are available in models with 24 or 48 ports and with either all
ports equipped for Power over Ethernet (PoE) or only 8 ports equipped for PoE. All
models provide ports that have 10/100/1000Base-T Gigabit Ethernet connectors and
optional small form-factor pluggable (SFP) transceivers or 10-gigabit small form-factor
pluggable (XFP) transceivers for use with fiber connections.
Additionally, a 24-port model provides 100Base-FX/1000Base-X SFP transceivers.
This model is typically used as a small distribution switch.
All EX 4200 switches have dedicated 64-Gbps virtual chassis ports that allow you to
connect the switches to each other. You can also use optional 10-Gbps uplink ports
to connect members of a virtual chassis across multiple wiring closets.
To provide carrier-class reliability, EX 4200 switches include:
A field-replaceable fan tray with three fans. The switch remains operational if a
single fan fails.
JUNOS software with its modular design that enables failed system processes to
gracefully restart.
Uplink Modules
Optional uplink modules are available for all EX 3200 and EX 4200 models. Uplink
modules provide either two 10-gigabit small form-factor pluggable (XFP) transceivers
or four 1-gigabit small form-factor pluggable (SFP) transceivers. You can use SFP or
XFP ports to connect an access switch to a distribution switch or to interconnect
member switches of a virtual chassis across multiple wiring closets.
EX 3200 switches:
Model         Typical Deployment             Access Ports         Number of PoE-enabled Ports   Power Supply (Minimum)
EX 3200-24T   Access or Distribution switch  24 Gigabit Ethernet  First 8 ports                 320 W
EX 3200-24P   Access switch                  24 Gigabit Ethernet  All 24 ports                  600 W
EX 3200-48T   Access or Distribution switch  48 Gigabit Ethernet  First 8 ports                 320 W
EX 3200-48P   Access switch                  48 Gigabit Ethernet  All 48 ports                  930 W

EX 4200 switches:
Model         Ports                Number of PoE-enabled Ports   Power Supply (Minimum)
EX 4200-24T   24 Gigabit Ethernet  First 8 ports                 320 W
EX 4200-24P   24 Gigabit Ethernet  All 24 ports                  600 W
EX 4200-48T   48 Gigabit Ethernet  First 8 ports                 320 W
EX 4200-48P   48 Gigabit Ethernet  All 48 ports                  930 W
EX 4200-24F                        Not applicable                320 W
Related Topics
Part 2
Chapter 2
scheduler-maps {
map-name {
forwarding-class class-name scheduler scheduler-name;
}
}
schedulers {
scheduler-name {
buffer-size (percent percentage | remainder);
drop-profile-map loss-priority loss-priority protocol protocol drop-profile
profile-name;
priority priority;
transmit-rate (rate | percent percentage | remainder);
}
}
}
Related Topics
Defining CoS Code-Point Aliases (CLI Procedure) on page 1032 or Defining CoS
Code-Point Aliases (J-Web Procedure) on page 1030
Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034
Defining CoS Forwarding Classes (CLI Procedure) on page 1036 or Defining CoS
Forwarding Classes (J-Web Procedure) on page 1037
Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers
(J-Web Procedure) on page 1038
Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite
Rules (J-Web Procedure) on page 1042
}
}
bpdu-block {
interface (all | [interface-name]);
disable-timeout timeout;
}
redundant-trunk-group {
group-name name {
interface interface-name <primary>;
}
}
secure-access-port {
interface (all | interface-name) {
allowed-mac {
mac-address-list;
}
(dhcp-trusted | no-dhcp-trusted );
mac-limit limit action action;
static-ip ip-address {
vlan vlan-name;
mac mac-address;
}
}
vlan (all | vlan-name) {
(arp-inspection | no-arp-inspection );
(examine-dhcp | no-examine-dhcp );
(ip-source-guard | no-ip-source-guard);
mac-move-limit limit action action;
}
}
storm-control {
interface (all | interface-name) {
level level;
no-broadcast;
no-unknown-unicast;
}
}
traceoptions {
file filename <files number> <no-stamp> <replace> <size size> <world-readable
| no-world-readable>;
flag flag <disable>;
}
voip {
interface (all | [interface-name | access-ports]) {
vlan vlan-name ;
forwarding-class <assured-forwarding | best-effort | expedited-forwarding |
network-control>;
}
}
}
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
aggregated-ether-options {
lacp mode {
periodic interval;
}
}
}
ge-chassis/pic/port {
description text;
ether-options {
802.3ad aex;
auto-negotiation;
flow-control;
link-mode mode;
speed (speed | auto-negotiation | no-autonegotiation);
}
mtu bytes;
unit logical-unit-number {
family ethernet-switching {
filter input filter-name;
filter output filter-name;
l3-interface interface-name-logical-unit-number;
native-vlan-id vlan-id
port-mode mode;
vlan {
members [ (names | vlan-ids) ];
translate vlan-id1 vlan-id2;
}
}
vlan-id vlan-id-number;
}
vlan-tagging;
}
}
Related Topics
interface interface-name {
multicast-router-interface;
static {
group ip-address;
}
}
query-interval seconds;
query-last-member-interval seconds;
query-response-interval seconds;
robust-count number;
}
}
lldp {
disable;
advertisement-interval seconds;
hold-multiplier number;
interface (all | interface-name) {
disable;
}
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable>
<match regex>;
flag flag (detail | disable | receive | send);
}
transmit-delay seconds;
}
lldp-med {
disable;
fast-start number;
interface (all | interface-name) {
disable;
location {
elin number;
civic-based {
what number;
country-code code;
ca-type {
number {
ca-value value;
}
}
}
}
}
}
mstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
configuration-name name;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
max-hops hops;
msti msti-id {
vlan (vlan-id | vlan-name);
interface interface-name {
disable;
cost cost;
edge;
mode mode;
priority priority;
}
}
revision-level revision-level;
traceoptions {
file filename <files number > <size size> <no-stamp | world-readable |
no-world-readable>;
flag flag;
}
}
rstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
}
traceoptions {
file filename <files number > <size size> <no-stamp | world-readable |
no-world-readable>;
flag flag;
}
stp {
disable;
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
}
traceoptions {
file filename <files number > <size size> <no-stamp | world-readable |
no-world-readable>;
flag flag;
}
}
Related Topics
Part 3
Chapter 3
JUNOS CLI
CLI Overview
The JUNOS CLI is a Juniper Networks-specific command shell that runs on top of a
UNIX-based operating system kernel. The CLI provides command help and command
completion.
The CLI also provides a variety of UNIX utilities: Emacs-style keyboard sequences
that let you move around on a command line and scroll through recently executed
commands; regular expression matching to locate and replace values and identifiers
in a configuration, and to filter command output or log file entries; the ability to
store and archive router files on a UNIX-based file system; and the ability to exit
the CLI environment and start a UNIX C shell or Bourne shell to navigate the file
system, manage switch processes, and so on.
To complete a command, statement, or option that you have partially typed, press
the Tab key or the Spacebar. If the partially typed letters uniquely identify a command,
the complete command name appears. Otherwise, a beep indicates that you have
entered an ambiguous command and the possible completions are displayed. This
completion feature also applies to other strings, such as filenames, interface names,
usernames, and configuration statements.
Configuration mode is indicated by the # prompt, and includes the current location
in the configuration hierarchy, for example:
[edit interfaces ge-0/0/12]
user@switch#
In configuration mode, you are actually viewing and changing the candidate
configuration file. The candidate configuration allows you to make configuration
changes without causing operational changes to the current operating configuration,
called the active configuration. When you commit the changes you added to the
candidate configuration, the system updates the active configuration. Candidate
configurations enable you to alter your configuration without causing potential damage
to your current network operations.
To activate your configuration changes, enter the commit command.
To return to operational mode, go to the top of the configuration hierarchy and then
quit, for example:
[edit interfaces ge-0/0/12]
user@switch# top
[edit]
user@switch# exit
You can also activate your configuration changes and exit configuration mode with
a single command, commit and-quit. This command succeeds only if there are no
mistakes or syntax errors in the configuration.
Tip
When you commit the candidate configuration, you can require an explicit
confirmation for the commit to become permanent by using the commit confirmed
command. This is useful for verifying that a configuration change works correctly
and does not prevent management access to the switch. After you issue the commit
confirmed command, you must issue another commit command within the defined
period of time (10 minutes by default) or the system reverts to the previous
configuration.
Related Topics
Chapter 4
Using the CLI Viewer in the J-Web Interface to View Configuration Text on page 47
Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration
Text on page 48
Using the CLI Editor in the J-Web Interface to Edit Configuration Text on page 49
J-Web Interface
NOTE: The browser and the network must support receiving and processing HTTP
1.1 GZIP compressed data.
Each page of the J-Web interface is divided into panes.
The layout of the panes allows you to quickly navigate through the interface.
Table 6 on page 46 summarizes the elements of the J-Web interface.
The J-Web interface provides CLI tools that allow you to perform all of the tasks that
you can perform from the JUNOS command-line interface (CLI), including a CLI
Viewer to view the current configuration, a CLI Editor for viewing and modifying the
configuration, and a Point & Click CLI editor that allows you to click through all of
the available CLI statements.
Table 6: J-Web Interface
J-Web Interface Element: Description
Top Pane
hostname
Help
About: Displays information about the J-Web interface, such as the version number.
Logout: Ends your current login session with the switch and returns you to the login page.
Taskbar: Menu of J-Web main options. Click the tab to access the option.
Maintain: Manage files and licenses, upgrade software, and reboot the switch.
Main Pane
Icon legend: (Applies to the Point & Click CLI editor only) Explains icons that appear in the user interface to provide information about configuration statements:
C: Comment. Move your cursor over the icon to view a comment about the configuration statement.
Task Pane
Configuration hierarchy: (Applies to the JUNOS CLI configuration editor only) Displays the hierarchy of committed statements in the switch configuration. Click Hide all to display only the statements at the top level.
Related Topics
Using the CLI Viewer in the J-Web Interface to View Configuration Text
To view the entire configuration file contents in text format, select Configure > CLI
Tools > CLI Viewer. The main pane displays the configuration in text format.
Each level in the hierarchy is indented to indicate each statement's relative position
in the hierarchy. Each level is generally set off with braces, with an open brace ({)
at the beginning of each hierarchy level and a closing brace (}) at the end. If the
statement at a hierarchy level is empty, the braces are not displayed. Each leaf
statement ends with a semicolon (;), as does the last statement in the hierarchy.
This indented representation is used when the configuration is displayed or saved
as an ASCII file. However, when you load an ASCII configuration file, the format of
the file is not so strict. The braces and semicolons are required, but the indention
and use of new lines are not required in ASCII configuration files.
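A parser for the configuration text format described above, added here as an example and not Juniper's code: it accepts the loose load form (braces and semicolons required, indentation and newlines optional), rejects input that violates that rule, re-emits the strict indented form the CLI Viewer shows, and then checks a setting from the secure-access-port hierarchy listed earlier in this guide. The sample configuration is constructed; ethernet-switching-options is the JUNOS hierarchy that holds secure-access-port and storm-control.

```python
import re

# Tokens are braces, semicolons, and runs of anything else; whitespace is ignored,
# which is what lets a single-line ASCII file load as well as the indented form.
TOKEN = re.compile(r"[{};]|[^\s{};]+")


def parse(text):
    """Parse JUNOS curly-brace configuration text into nested dicts.

    Each statement's words are joined into one key. A container statement maps
    to a dict of its children; a leaf statement maps to an empty dict, matching
    the display rule above that an empty hierarchy level shows no braces.
    """
    root, stack, words = {}, [], []
    node = root
    for tok in TOKEN.findall(text):
        if tok == "{":
            if not words:
                raise ValueError("'{' without a statement name")
            child = node.setdefault(" ".join(words), {})
            stack.append(node)
            node, words = child, []
        elif tok == ";":
            if not words:
                raise ValueError("';' without a statement")
            node.setdefault(" ".join(words), {})
            words = []
        elif tok == "}":
            if words:
                raise ValueError("missing ';' before '}' after: " + " ".join(words))
            if not stack:
                raise ValueError("unbalanced '}'")
            node = stack.pop()
        else:
            words.append(tok)
    if stack or words:
        raise ValueError("unterminated configuration: missing '}' or ';'")
    return root


def to_text(cfg, depth=0):
    """Re-emit the strict indented form the CLI Viewer displays (4 spaces per level)."""
    pad = "    " * depth
    lines = []
    for key, children in cfg.items():
        if children:
            lines.append(pad + key + " {")
            lines.append(to_text(children, depth + 1))
            lines.append(pad + "}")
        else:
            lines.append(pad + key + ";")
    return "\n".join(lines)


def dhcp_snooping_vlans(cfg):
    """VLANs under secure-access-port that have examine-dhcp (DHCP snooping) enabled."""
    port = cfg.get("ethernet-switching-options", {}).get("secure-access-port", {})
    return [key.split(" ", 1)[1] for key, children in port.items()
            if key.startswith("vlan ") and "examine-dhcp" in children]


# Constructed sample in the loosely formatted load form: no indentation or
# newlines, only the braces and semicolons the loader requires.
LOOSE_CONFIG = (
    "ethernet-switching-options { secure-access-port { "
    "interface ge-0/0/1.0 { mac-limit 4 action drop; } "
    "vlan employee { examine-dhcp; arp-inspection; ip-source-guard; } "
    "vlan guest { no-examine-dhcp; } } "
    "storm-control { interface all { level 80; } } }"
)


if __name__ == "__main__":
    cfg = parse(LOOSE_CONFIG)
    print(to_text(cfg))
    print("DHCP snooping on:", dhcp_snooping_vlans(cfg))
```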
Related Topics
Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration Text
To edit the configuration on a series of pages of clickable options that steps you
through the hierarchy, select Configure > CLI Tools > Point & Click CLI. The side pane
displays the top level of the configured hierarchy, and the main pane displays
configured hierarchy options and the Icon Legend.
To expand or hide the hierarchy of all the statements in the side pane, click Expand
all or Hide all. To expand or hide an individual statement in the hierarchy, click the
expand (+) or collapse (-) icon to the left of the statement.
Tip
Only those statements included in the committed configuration are displayed in the
hierarchy.
The configuration information in the main pane consists of configuration options
that correspond to configuration statements. Configuration options that contain
subordinate statements are identified by the term Nested.
To include, edit, or delete statements in the candidate configuration, click one of the
links described in Table 8 on page 48. Then specify configuration information by
typing in a field, selecting a value from a list, or clicking a check box (toggle).
Link: Function
Displays fields and lists for a statement identifier, allowing you to add a new identifier to a statement.
Configure: Displays information for a configuration option that has not been configured, allowing you to include a statement.
Delete: Deletes the corresponding statement or identifier from the configuration. All subordinate statements and identifiers contained within a deleted statement are also discarded.
Edit: Displays information for a configuration option that has already been configured, allowing you to edit a statement.
Identifier: Displays fields and lists for an existing statement identifier, allowing you to edit the identifier.
As you navigate through the configuration, the hierarchy level is displayed at the top
of the main pane. You can click a statement or identifier in the hierarchy to display
the corresponding configuration options in the main pane.
The main pane includes icons that display information about statements and
identifiers when you place your cursor over them. Table 9 on page 49 describes
these icons.
Function
Indicates that a statement has been added or modified but has not been committed.
After typing or selecting your configuration edits, click a button in the main pane
(described in Table 10 on page 49) to apply your changes or cancel them, refresh
the display, or discard parts of the candidate configuration. An updated configuration
does not take effect until you commit it.
Table 10: J-Web Edit Point & Click Configuration Buttons (button: function)
Refresh: Updates the display with any changes to the configuration made by other users.
Commit: Verifies edits and applies them to the current configuration file running on the switch.
Discard: Removes edits applied to or deletes existing statements or identifiers from the candidate configuration.
Using the CLI Editor in the J-Web Interface to Edit Configuration Text
Use the CLI Editor to edit configuration if you know the JUNOS CLI or prefer a
command interface.
To edit the entire configuration in text format:
CAUTION: We recommend that you use this method to edit and commit the
configuration only if you have experience editing configurations through the CLI.
1. Select Configure>CLI Tools>CLI Editor. The main pane displays the configuration in a text editor.
Complete Software Guide for JUNOS for EX-series Software, Release 9.2
2. You can edit the candidate configuration using standard text editor operations: insert lines (by using the Enter key), delete lines, and modify, copy, and paste text.
3.
Before you can use the CLI terminal, you must configure the domain name and hostname of the switch. See Configuring System Identity for the EX-Series Switch (J-Web Procedure) for more information.
To access the CLI through the J-Web interface, your management device requires
the following features:
Java applet support: Make sure that your Web browser supports Java applets.
NOTE: The CLI terminal is supported on JRE version 1.4 and later only.
To access the CLI terminal, select Troubleshoot >CLI Terminal.
J-Web configuration tools (Configure menu, CLI Editor, Point & Click CLI editor) and what each is used for:
Configure menu: Interfaces, Switching, Virtual Chassis, Security, Services, System Properties, Routing
Point & Click CLI editor: System parameters, Interfaces, VLAN properties, Secure Access, Services, Routing protocols
2. After http:// or https:// in your Web browser, type the hostname or IP address of the switch and press Enter.
The J-Web login page appears.
3. On the login page, type your username and password, and click Log In.
To correct or change the username or password you typed, click Reset, type the new entry or entries, and click Log In.
NOTE: The default username is root with no password. You must change this during
initial configuration or the system does not accept the configuration.
The Chassis Dashboard information page appears.
To explicitly terminate a J-Web session at any time, click Logout in the top pane.
Part 4
Licenses on page 83
Chapter 5
Initial Configuration
Connect the console port to a laptop or PC using the RJ-45 to DB-9 serial port
adapter. The RJ-45 cable and RJ-45 to DB-9 serial port adapter are supplied with
the switch.
2.
3.
4. Enter the root password. You are prompted to re-enter the root password.
5. Enter yes to enable services like Telnet and SSH. By default, Telnet is not enabled and SSH is enabled.
6. Configure in-band management. In this scenario you have the following two options:
Create a new VLAN: If you select this option, you are prompted to specify the VLAN name, VLAN ID, management IP address, and default gateway. Select the ports that must be part of this VLAN.
7. Specify the SNMP Read Community, Location, and Contact to configure SNMP parameters. These parameters are optional.
8. Specify the system date and time. Select the time zone from the list. These options are optional.
9. The configured parameters are displayed. Enter yes to commit the configuration.
The configuration is committed as the active configuration for the switch. You
can now log in with the CLI or the J-Web interface to continue configuring the
switch. If you use the J-Web interface to continue configuring the switch, the
Web session is redirected to the new management IP address. If the connection
cannot be made, the J-Web interface displays instructions for starting a J-Web
session.
Related Topics
EX-series Switch LCD
NOTE: To obtain an IP address dynamically, you must enable a DHCP client on the
management PC you connect to the switch. If you have configured a static IP on
your PC, you will not be able to connect to the switch.
1. To transition the switch into initial setup mode, use the Menu and Enter buttons to the right of the LCD panel on the front panel of the switch (see Figure 3 on page 59):
[Figure 3: front-panel LCD with Menu and Enter buttons; labels shown: ALM, SYS, MST LEDs]
Press Menu until you see MAINTENANCE MENU. Then press Enter.
Press Menu until you see ENTER EZSetup. Then press Enter.
NOTE: If EZSetup does not appear as an option in the Maintenance menu, select
Factory Default to return the switch to the factory default configuration. EZSetup is
displayed in the menu only when the switch is set to the factory default configuration.
The ge-0/0/0 interface on the front panel of the switch is configured as the DHCP
server with the default IP address, 192.168.1.1. The switch can assign an IP
address to the management PC in the IP address range 192.168.1.2 through
192.168.1.253.
NOTE: You must complete the initial configuration using the J-Web interface within
10 minutes. The LCD displays a count-down timer once you connect the switch to
the management PC. The switch exits the EZSetup mode after 10 minutes and reverts
to factory configuration, and the PC loses connectivity to the switch.
2. Insert one end of the Ethernet cable into the Ethernet port on the PC and connect the other end to port 0 (ge-0/0/0) on the front panel of the switch (see Figure 4 on page 60).
3. From the PC, open a Web browser, type http://192.168.1.1 in the address field, and press Enter.
4. On the Login page, type root as the username, leave the password field blank, and click Login.
5.
6. On the Basic Settings page, modify the hostname, the root password, and date and time settings.
Synchronize the date and time settings of the switch with the management PC or set them manually by selecting the appropriate option button. This is optional.
Click Next.
7.
8. Click Next.
9. On the Manage Access page, you may select options to enable Telnet, SSH, and SNMP services. For SNMP, you can configure the read community, location, and contact.
The configuration is committed as the active configuration for the switch. You can
now log in with the CLI or the J-Web interface to continue configuring the switch. If
you use the J-Web interface to continue configuring the switch, the Web session is
redirected to the new management IP address. If the connection cannot be made,
the J-Web interface displays instructions for starting a J-Web session.
NOTE: After the configuration takes effect, you might lose connectivity between the
PC and the switch. To renew the connection, release and renew the IP address by
executing the appropriate commands on the management PC or by removing and
re-inserting the Ethernet cable.
Related Topics
EX-series Switch LCD
Chapter 6
Software Installation
During a successful upgrade, the upgrade package removes all files from /var/tmp and completely reinstalls the existing software. It retains configuration files and similar information, such as secure shell and host keys, from the previous version.
The previous software package is preserved in a separate disk partition, and you can
manually revert back to it if necessary. If the software installation fails for any reason,
such as loss of power during the installation process, the system returns to the
originally active installation when you reboot.
After a successful upgrade, remember to back up the new current configuration to
the secondary device.
NOTE: You can also use this procedure to load two versions of JUNOS software in
separate partitions on the switch.
m.n is the software release, with m representing the major release number and n representing the minor release number; for example, 9.1.
distribution indicates the area for which the software package is provided. For most JUNOS packages, domestic is used for the United States and Canada and export for worldwide distribution. However, for EX-series software, the domestic
1. Using a Web browser, follow the links to the download URL on the Juniper Networks Web page. For EX-series, there are not separate software packages for Canada, the U.S., and other locations. Therefore, select Canada and U.S. Version regardless of your location:
https://www.juniper.net/support/csc/swdist-domestic/
2.
3. Using the J-Web interface or the CLI, select the appropriate software package for your application. See JUNOS Software Package Names on page 65.
4.
2. Copy the software package to the switch. We recommend that you use FTP to copy the file to the /var/tmp directory.
3. To install the new package on the switch, enter the following command:
user@switch> request system software add source [member member_id] reboot
Include the member option to install the software package on only one member
of a virtual chassis. Other members of the virtual chassis are not affected. To
install the software on all members of the virtual chassis, do not include the
member option.
Replace source with one of the following paths:
For software packages that are downloaded and installed from a remote
location:
ftp://hostname/pathname/package-name
http://hostname/pathname/package-name
See the JUNOS Software System Basics and Services Command Reference for details
about the request system software add command.
2.
3.
4. On the Install Remote page, enter information into the fields described in Table 12 on page 67.
5. Click Fetch and Install Package. The software is activated after the switch has rebooted.
Table 12 fields (function, your action): Package Location (required), User, Password, Reboot If Required.
2.
3. On the Upload Package page, enter information into the fields described in Table 13 on page 68.
4. Click Upload Package. The software is activated after the switching platform has rebooted.
Table 13 fields (function, your action): Reboot If Required.
If the JUNOS software loads but the CLI is not working for any reason, or if the switch
has no software installed, you can use this recovery installation procedure to install
the JUNOS software.
Solution
If there is already a JUNOS image on the system, you can either install the new JUNOS
package in a separate partition and both JUNOS images will remain on the system,
or you can wipe the disk clean before the new installation proceeds.
To perform a recovery installation:
1.
2. Press the space bar to enter the manual loader. The loader> prompt displays.
3.
Where:
format: Use this option to wipe the installation media (internal disk or USB drive) before installing the software package. If you do not include this option, the system installs the new JUNOS software package in a different partition from that of the most recently installed JUNOS software package.
Network address of the server and the path on the server; for example,
tftp://192.17.1.28/junos/jinstall-ex-9.2R1-domestic.tgz
An EX-series switch ships with the JUNOS software loaded on the system disk in partition 1. The first time you upgrade, the new software package is installed in partition 2. When you finish the installation and reboot, partition 2 becomes the active partition. Similarly, each subsequent software package is installed in the non-active partition, which becomes the active partition when you reboot at the end of the installation process.
If you performed an upgrade and rebooted, the system resets the active partition.
You can use this procedure to manually boot from the non-active partition.
NOTE: If you have completed the installation of the software image but have not yet
rebooted, you can issue a request system software rollback to return to the original
software installation package.
Solution
NOTE: If you cannot access the CLI, you can reboot from the non-active partition
using the following procedure from the loader script prompt:
1. Unload and clear the interrupted boot from the active partition:
loader> unload
loader> unset vfs.root.mountfrom
2.
Chapter 7
To make changes to the configuration file, you must work in configuration mode in the CLI or use the configuration tools in the J-Web interface. When you make changes to a configuration file, you are viewing and changing the candidate configuration file. The candidate configuration lets you make configuration changes without causing operational changes to the active configuration or potential damage to your current network operations. Once you commit the changes made to the candidate configuration, the system updates the active configuration.
Term: Definition
active configuration
candidate configuration: A working copy of the configuration that allows users to make configurational changes without causing any operational changes until this copy is committed.
configuration group: Group of configuration statements that can be inherited by the rest of the configuration.
commit a configuration: Have the candidate configuration checked for proper syntax, activated, and marked as the current configuration file running on the switching platform.
configuration hierarchy: The JUNOS software configuration consists of a hierarchy of statements. There are two types of statements: container statements, which contain other statements, and leaf statements, which do not contain other statements. All the container and leaf statements together form the configuration hierarchy.
default configuration: The default configuration contains the initial values set for each configuration parameter when a switch is shipped.
View a configuration.
Roll back the configuration to any of the previous versions stored on the switch.
Configuration History fields (field: description):
Number
Date/Time
User
Client: junoscript: A JUNOScript client performed the operation. Commit operations performed by users
Comment: Comment.
Log Message:
Imported via paste: Configuration was edited and loaded with the Configure>CLI Tools>Edit Configuration Text option.
Imported upload [filename]: Configuration was uploaded with the Configure>CLI Tools>Point Click Editor option.
Modified via JWeb Configure: Configuration was modified with the J-Web Configure menu.
Rolled back via user-interface: Configuration was rolled back to a previous version through the user interface specified by user-interface, which can be Web Interface or CLI.
Action: Action to perform with the configuration file. The action can be Download or Rollback.
Configuration session fields (field: description):
User Name
Start Time
Idle Time: Elapsed time since the user issued a configuration command from the CLI.
Terminal
PID
Edit Flags
Edit Path
1. Select Config Management>History. A list of the current and the previous 49 configurations is displayed as Configuration History in the main pane.
2. Select the check boxes to the left of the two configuration versions you want to compare.
3. Click Compare.
The main pane displays the differences between the two configuration files at each hierarchy level as follows:
Lines that exist only in the more recent configuration file are displayed in red on the left.
Lines that exist only in the older configuration file are displayed in blue on the right.
2. In the Action column, click Download for the version of the configuration you want to download.
3. Select the options your Web browser provides that allow you to save the configuration file to a target directory on your local system.
The file is saved as an ASCII file.
2. In the Action column, click Rollback for the version of the configuration you want to load.
The main pane displays the results of the rollback operation.
NOTE: When you click Rollback, the switch loads and commits the selected
configuration. This behavior is different from the switch's behavior that occurs after
you enter the rollback configuration mode command from the CLI. In the latter case,
the configuration is loaded but not committed.
1. Create the configuration file using a text editor such as Notepad, making sure that the syntax of the configuration file is correct. For more information about testing the syntax of a configuration file, see JUNOS Software System Basics and Services Command Reference at http://www.juniper.net/techpubs/software/junos/.
2. In the configuration text file, use an option to perform the required action when the file is loaded. Table 17 on page 75 lists and describes some options for the load command.
Table 17 options for the load command (option: description): merge, override, replace.
3.
4. Press Ctrl+C to copy the contents of the configuration text file to the Clipboard.
5.
6. You will see this output, with the hash or pound mark indicating configuration mode.
Entering configuration mode
[edit]
user@switch#
7.
8. At the cursor, paste the contents of the Clipboard using the mouse and the Paste icon:
[edit]
user@switch# load merge terminal
[Type ^D at a new line to end input]
>Cursor is here. Paste the contents of the clipboard here<
9. Press Enter.
To view results of the configuration steps before committing the configuration, type
the show command at the user prompt.
To commit these changes to the active configuration, type the commit command at the user prompt. You can also edit the configuration interactively using the CLI and commit it at a later time.
2.
3.
Specify the name of the file to upload using one of the following methods:
Type the absolute path and filename in the File to Upload box.
Default: 0
2.
NOTE: In this example, ge-0/0/0 through ge-0/0/23 are the network interface ports.
Optional uplink modules provide either two 10-gigabit small form-factor pluggable
(XFP) transceivers (xe-0/1/0 and xe-0/1/1) or four 1-gigabit small form-factor
pluggable (SFP) transceivers (ge-0/1/0 through ge-0/1/3). Although you can install
only one uplink module, the interfaces for both are shown below.
When you commit changes to the configuration, a new configuration file is created
which becomes the active configuration. You can always revert to the factory default
configuration.
This topic shows the factory default configuration file of a 24-port EX 3200 or EX
4200 switch:
system {
syslog {
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
commit {
factory-settings {
reset-chassis-lcd-menu;
reset-virtual-chassis-configuration;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/16 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/17 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/18 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/19 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/20 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/21 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/22 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/23 {
unit 0 {
family ethernet-switching;
}
}
xe-0/1/0 {
unit 0 {
family ethernet-switching;
}
}
xe-0/1/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/3 {
unit 0 {
family ethernet-switching;
}
}
}
protocols {
lldp {
interface all;
}
rstp;
}
poe {
interface all;
}
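The factory default shown above is plain JUNOS curly-brace text, and the History page's Compare function described earlier (lines only in the newer file versus only in the older file) is a set difference over that text. The following Python is an added example, not code from the guide or from Juniper: it parses such a configuration into flattened statement paths, compares two versions, and flags management services that send credentials in clear text. Both sample configurations are constructed here: the default is shortened to one interface, and the candidate adds a host name and the Telnet and SSH services that the EZSetup procedure can enable.

```python
"""Parse JUNOS curly-brace configuration text into flattened statement
paths, compare two versions, and flag clear-text management services.
Added example; not code from the guide or from Juniper."""

import re
from typing import List, Set, Tuple

# Constructed excerpt of the factory-default configuration shown above
# (one interface instead of all 24 keeps the sample short).
FACTORY_DEFAULT = """
system {
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
}
protocols {
    lldp {
        interface all;
    }
    rstp;
}
"""

# Constructed candidate configuration: the same base plus a host name and
# the Telnet and SSH services that EZSetup can enable.
CANDIDATE = FACTORY_DEFAULT + """
system {
    host-name ex-lab;   /* constructed value */
    services {
        telnet;
        ssh;
    }
}
"""


def strip_comments(text: str) -> str:
    """Remove /* ... */ and # ... comments, both legal in JUNOS config files."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"#.*", "", text)


def flatten(text: str) -> Set[str]:
    """Return one full path per leaf statement, e.g. 'protocols lldp interface all',
    in the spirit of the CLI's 'show configuration | display set'."""
    tokens = re.findall(r"\{|\}|;|[^\s{};]+", strip_comments(text))
    stack: List[str] = []      # enclosing container statements
    current: List[str] = []    # words of the statement being read
    paths: Set[str] = set()
    for tok in tokens:
        if tok == "{":
            stack.append(" ".join(current))
            current = []
        elif tok == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            current = []
        elif tok == ";":
            paths.add(" ".join(stack + [" ".join(current)]))
            current = []
        else:
            current.append(tok)
    if stack or current:
        raise ValueError("unterminated block or statement")
    return paths


def compare(older: str, newer: str) -> Tuple[Set[str], Set[str]]:
    """Return (only_in_newer, only_in_older): the two sets that the J-Web
    Compare display colours red and blue."""
    old_paths, new_paths = flatten(older), flatten(newer)
    return new_paths - old_paths, old_paths - new_paths


# Management services whose credentials cross the network unencrypted.
CLEARTEXT_SERVICES = ("telnet", "ftp", "web-management http")


def cleartext_management_services(text: str) -> List[str]:
    """List enabled clear-text management services, in CLEARTEXT_SERVICES order."""
    paths = flatten(text)
    found = []
    for svc in CLEARTEXT_SERVICES:
        prefix = f"system services {svc}"
        if any(p == prefix or p.startswith(prefix + " ") for p in paths):
            found.append(svc)
    return found


if __name__ == "__main__":
    added, removed = compare(FACTORY_DEFAULT, CANDIDATE)
    print("only in candidate:", sorted(added))
    print("only in factory default:", sorted(removed))
    print("clear-text services:", cleartext_management_services(CANDIDATE))
```

Because JUNOS merges repeated container statements (the candidate declares `system` twice), flattening to a set of paths gives the same result the switch would, and the path form makes a review of a candidate before commit a plain text comparison.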
Chapter 8
Licenses
Obtained the needed licenses. For information about how to purchase software
licenses, contact your Juniper Networks sales representative.
License ID: Alphanumeric string that uniquely identifies the license key. When a license is generated, it is given a license ID.
License data: Block of binary data that defines and stores all license key objects.
For example, in the following typical license key, the string li29183743 is the license
ID, and the trailing block of data is the license data:
li29183743 4ky27y acasck 82fsj6 jzsn4q ix8i8d adj7kr
8uq38t ix8i8d jzsn4q ix8i8d 4ky27y acasck
82fsj6 ii8i7e adj7kr 8uq38t ks2923 a9382e
The license data defines the device ID for which the license is valid and the version
of the license.
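The following Python is an added example, not code from the guide or from Juniper. It splits license-key text in the format just shown (the license ID first, followed by the data words, with keys separated by a blank line as the terminal entry procedure in this chapter requires) into ID and data, and rejects malformed or duplicated records before they are pasted into the switch. The first key is the sample from the guide; the second is constructed, and the rule that every token is a lowercase alphanumeric word is an assumption drawn from that sample.

```python
"""Parse license-key text: each key is its license ID followed by data
words, with keys separated by a blank line.
Added example; not code from the guide or from Juniper."""

import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# First key: the sample from the guide. Second key: constructed.
SAMPLE_KEY_TEXT = """\
li29183743 4ky27y acasck 82fsj6 jzsn4q ix8i8d adj7kr
8uq38t ix8i8d jzsn4q ix8i8d 4ky27y acasck
82fsj6 ii8i7e adj7kr 8uq38t ks2923 a9382e

li00000002 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff
"""

# Every field in the sample is a lowercase alphanumeric word; the parser
# assumes that is the general rule (an assumption, not stated by the guide).
WORD_RE = re.compile(r"^[a-z0-9]+$")


@dataclass(frozen=True)
class LicenseKey:
    license_id: str
    data_words: Tuple[str, ...]

    def as_text(self) -> str:
        """Re-emit the key as one line, ready to paste into the terminal."""
        return " ".join((self.license_id,) + self.data_words)


def parse_license_keys(text: str) -> List[LicenseKey]:
    """Split blank-line-separated key text into LicenseKey records,
    rejecting records without data or with unexpected tokens."""
    keys: List[LicenseKey] = []
    for record in re.split(r"\n\s*\n", text.strip()):
        tokens = record.split()
        if len(tokens) < 2:
            raise ValueError(f"license record needs an ID and data: {record!r}")
        bad = [t for t in tokens if not WORD_RE.match(t)]
        if bad:
            raise ValueError(f"unexpected token(s) {bad} in license {tokens[0]}")
        keys.append(LicenseKey(tokens[0], tuple(tokens[1:])))
    return keys


def duplicate_ids(keys: List[LicenseKey]) -> List[str]:
    """License IDs that occur more than once in a batch; the ID is unique
    per key, so a repeat means the same key was pasted twice."""
    seen: Dict[str, int] = {}
    for k in keys:
        seen[k.license_id] = seen.get(k.license_id, 0) + 1
    return [lid for lid, n in seen.items() if n > 1]


def format_batch(keys: List[LicenseKey]) -> str:
    """Join keys with a blank line, the separator the CLI and J-Web expect."""
    return "\n\n".join(k.as_text() for k in keys) + "\n"


if __name__ == "__main__":
    for key in parse_license_keys(SAMPLE_KEY_TEXT):
        print(key.license_id, len(key.data_words), "data words")
```

Validating the text locally does not replace the switch's own check (an invalid key is reported when you press Ctrl+d), but it catches the common paste errors, a missing blank line between keys or a truncated record, before they reach the device.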
Obtained the needed licenses. For information about how to purchase software
licenses, contact your Juniper Networks sales representative.
To add a license key from a file or URL, enter the following command,
specifying the filename of the file or the URL where the key is located:
user@switch> request system license add filename | url
To add a license key from the terminal, enter the following command:
user@switch> request system license add terminal
2. When prompted, enter the license key, separating multiple license keys with a blank line.
If the license key you enter is invalid, an error appears in the CLI output when
you press Ctrl+d to exit license entry mode.
Deleting Licenses
To delete one or more license keys from the switch with the CLI, enter the following
operational mode CLI command for each license, specifying the license ID.
user@switch> request system license delete license-id
For example, the following command saves the installed license keys to a file named
license.conf:
user@switch> request system license save ftp://user@switch/license.conf
licensed feature. The licenses are on an honor system, meaning that after you have
configured the features, you have a 30-day grace period to install the license. You
will see a warning message if the switch does not have a license for the feature after
those 30 days.
Before you begin managing licenses, be sure that you have:
Obtained the needed licenses. For information about how to purchase software
licenses, contact your Juniper Networks sales representative.
2.
3. Do one of the following, using a blank line to separate multiple license keys:
In the License File URL box, type the full URL to the destination file containing the license key to be added.
In the License Key Text box, paste the license key text, in plain-text format, for the license to be added.
4.
A list of features that use the license key is displayed. The table also lists the ID, state,
and version of the license key.
Deleting Licenses
To delete one or more license keys from a switch with the J-Web license manager:
1.
2.
Select the check box of the license or licenses you want to delete.
3.
Click Delete.
1.
2.
Under Installed Licenses, click Display Keys to display all the license keys installed
on the switch.
A screen displaying the license keys in text format appears. Multiple licenses are
separated by a blank line.
Downloading Licenses
To download the license keys installed on the switch with the J-Web license manager:
1.
2. Under Installed Licenses, click Download Keys to download all the license keys installed on the switch to a single file.
3. Select Save it to disk and specify the file to which the license keys are to be written. You can also download the license file to your system.
Verify that the expected licenses are installed and active on the switch.
From the CLI, enter the show system license command.
The output shows a list of the license usage and a list of the licenses installed on the
switch. Verify the following information:
A state of invalid indicates that the license key is not a valid license key. Either it was
entered incorrectly or it is not valid for the specific device.
The feature for each license is the expected feature. The features enabled are
listed by license. An all-inclusive license has All features listed.
All configured features have the required licenses installed. The Licenses needed
column must show that no licenses are required.
Verify that the licenses fully cover the feature configuration on the switch.
From the CLI, enter the show system license usage command.
The output shows a list of the licenses installed on the switch and how they are used.
Verify the following information:
Each licensed feature and port is present. Features and ports are listed in
ascending alphabetical order by license name. The number of licenses is shown
in the fourth column. Verify that the appropriate number of licenses is installed.
The number of used licenses matches the number of configured features and
ports. If a licensed feature or port is configured, the feature or port is considered
used.
A license is installed on the switch for each configured feature and port. For
every feature or port configured that does not have a license, one license is
needed.
Verify that the expected license keys are installed on the switch.
From the CLI, enter the show system license keys command.
The output shows a list of the license keys installed on the switch. Verify that each
expected license key is present.
Part 5
System Basics
Chapter 9
Term: Definition
alarm: Signal alerting you to conditions that might prevent normal operation. On a switch, the alarm signal is the yellow ALARM LED lit on the front of the chassis.
alarm condition
alarm severity: Seriousness of the alarm. The level of severity can be either major (red) or minor (yellow).
chassis alarm: Predefined alarm triggered by a physical condition on the switch such as a power supply failure, excessive component temperature, or media failure.
system alarm: Predefined alarm triggered by a missing rescue configuration or failure to install a license for a licensed software feature.
Alarm Types
The switch supports these alarms:
Chassis alarms indicate a failure on the switch or one of its components. Chassis
alarms are preset and cannot be modified.
System alarms indicate a missing rescue configuration. System alarms are preset
and cannot be modified, although you can configure them to appear automatically
in the J-Web interface display or CLI display.
Major (red): Indicates a critical situation on the switch that has resulted from one of the following conditions. A red alarm condition requires immediate action.
Chapter 10
Configuring Date and Time for the EX-series Switch (J-Web Procedure) on page 95
Click Edit to modify the configuration. Enter information into the Management
Access Configuration page, as described in Table 19 on page 94.
2. To verify that Web access is enabled correctly, connect to the switch using the appropriate method:
For HTTP access: In your Web browser, type http://URL or http://IP address.
For SSL JUNOScript access: To use this option, you must have a JUNOScript client such as JUNOScope. For information about how to log into JUNOScope, see the JUNOScope Software User Guide.
Table 19 fields (function, your action): Management Port IP, Subnet Mask, Default Gateway, Services (Enable JUNOScript over Clear Text, Enable JUNOScript over SSL, JUNOScript Certificate).
To add a certificate:
1.
2.
3.
4.
5.
Configuring Date and Time for the EX-series Switch (J-Web Procedure)
To configure date and time:
1.
2. To modify the information, click Edit. Enter information into the Edit Date & Time page, as described in Table 20 on page 95.
3. Click one:
To cancel your entries and return to the System Properties page, click Cancel.
Table 20 fields: Time Zone.
Replace filename with the name of a file in which you want the SSL certificate to be written; for example, new.pem.
2.
3.
NOTE: When you are ready to install the SSL certificate, open this file and copy its
contents so you can paste it into the Certificate box on the Secure Access
Configuration page.
You can use either J-Web Configuration or a configuration editor to install the SSL
certificate and enable HTTPS.
Set the first tried option in the authentication order to RADIUS server.
Chapter 11
Action
Use the J-Web ping host tool to verify that the host can be reached over the network.
The output is useful for diagnosing host and network connectivity problems. The
switch sends a series of ICMP echo (ping) requests to a specified host and receives
ICMP echo responses.
To use the J-Web ping host tool:
1.
2.
3. Enter information into the Ping Host page, as described in Table 21 on page 100. The Remote Host field is the only required field.
4. Click Start.
The results of the ping operation are displayed in the main pane. If no options are specified, each ping response is in the following format:
5.
Table 21 Ping Host fields (function, your action): Remote Host; Advanced Options: Don't Resolve Addresses, Interface, Count, Don't Fragment, Type-of-Service, Routing Instance, Interval, Packet Size, Source Address, Time-to-Live, Record Route, Bypass Routing.
Use the packet capture feature when you need to quickly capture and analyze switch
control traffic on a switch. The packet capture feature allows you to capture traffic
destined for or originating from the Routing Engine.
Action
To use the packet capture feature in the J-Web interface, select Troubleshoot>Packet
Capture.
To use the packet capture feature in the CLI, enter the following CLI command:
monitor traffic
Meaning
You can use the packet capture feature to compose expressions with various matching
criteria to specify the packets that you want to capture. You can decode and view
the captured packets in the J-Web interface as they are captured. The packet capture
feature does not capture transient traffic.
Packet capture field summary (only the field names survived extraction; the Function and Your Action columns are not preserved)
Interface
Detail level
Packets
Addresses (entered in a four-step sequence that ends with Click Add; steps 1 to 3 are not preserved)
Ports
Advanced Options: Absolute TCP Sequence, Layer 2 Headers, Non-Promiscuous, Display Hex Header, Expression, Packet Size, Don't Resolve Addresses, No Timestamp, Write Packet Capture File
Action
Use the Traceroute page in the J-Web interface to trace a route between the switch
and a remote host. You can use a traceroute task to display a list of waypoints
between the switch and a specified destination host. The output is useful for
diagnosing a point of failure in the path from the switch platform to the destination
host and addressing network traffic latency and throughput problems.
To use the traceroute tool:
1. Select Troubleshoot>Traceroute.
2.
3.
4. Click Start.
5. To stop the traceroute operation before it is complete, click OK while the results of the traceroute operation are being displayed.
Meaning
The switch generates the list of waypoints by sending a series of ICMP traceroute
packets in which the time-to-live (TTL) value in the messages sent to each successive
waypoint is incremented by 1. (The TTL value of the first traceroute packet is set to
1.) In this manner, each waypoint along the path to the destination host replies with
a Time Exceeded packet from which the source IP address can be obtained.
The results of the traceroute operation are displayed in the main pane. If no options
are specified, each line of the traceroute display is in the following format:
hop-number host (ip-address) [as-number] time1 time2 time3
The switch sends a total of three traceroute packets to each waypoint along the path
and displays the round-trip time for each traceroute operation. If the switch times
out before receiving a Time Exceeded message, an asterisk (*) is displayed for that
round-trip time.
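The line format and the asterisk convention just described can be parsed mechanically, which helps when traceroute results are saved and compared over time while chasing a point of failure. The following Python is an added example and is not code from the switch or from this guide: the sample lines are constructed, and the bracketed AS column is assumed to be printed as [AS n] when Resolve AS Numbers is selected.

```python
"""Parse traceroute result lines of the form
    hop-number host (ip-address) [as-number] time1 time2 time3
where an asterisk (*) stands for a probe whose Time Exceeded reply never came.
Added example; constructed sample lines, not output captured from a switch."""
import re
from typing import Dict, List, Optional

# Constructed sample output. Hop 3 timed out on all three probes; hop 2 lost
# one probe. The "[AS n]" column is an assumption about how the AS number is
# printed when Resolve AS Numbers is selected.
SAMPLE_OUTPUT = """\
 1  gw.example.net (192.0.2.1)  0.512 ms  0.401 ms  0.388 ms
 2  core1.example.net (198.51.100.9) [AS 64496]  1.204 ms  *  1.110 ms
 3  * * *
 4  edge.example.org (203.0.113.7) [AS 64497]  12.5 ms  12.8 ms  12.4 ms
"""

_LINE_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+"
    r"(?:(?P<host>\S+)\s+\((?P<ip>[^)]+)\)\s*)?"   # absent when every probe timed out
    r"(?:\[(?:AS\s*)?(?P<asn>\d+)\]\s*)?"          # optional AS column (assumed form)
    r"(?P<rtts>.*)$"
)


def _parse_rtts(text: str) -> List[Optional[float]]:
    """Turn '1.204 ms  *  1.110 ms' into [1.204, None, 1.110]."""
    rtts: List[Optional[float]] = []
    for tok in text.split():
        if tok == "*":
            rtts.append(None)          # switch timed out on this probe
        elif tok == "ms":
            continue                   # unit printed as a separate token
        else:
            rtts.append(float(tok.rstrip("ms")))
    return rtts


def parse_traceroute_line(line: str) -> Optional[Dict]:
    """Return one hop record, or None if the line is not a hop line."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    return {
        "hop": int(m.group("hop")),
        "host": m.group("host"),
        "ip": m.group("ip"),
        "asn": int(m.group("asn")) if m.group("asn") else None,
        "rtts": _parse_rtts(m.group("rtts")),
    }


def parse_traceroute(text: str) -> List[Dict]:
    """Parse a whole display, skipping lines that are not hop lines."""
    return [h for h in (parse_traceroute_line(ln) for ln in text.splitlines()) if h]


def first_unresponsive_hop(hops: List[Dict]) -> Optional[int]:
    """Hop number of the first waypoint that answered none of its probes;
    that is usually where to start looking for the point of failure."""
    for hop in hops:
        if hop["rtts"] and all(rtt is None for rtt in hop["rtts"]):
            return hop["hop"]
    return None


def worst_rtt_ms(hops: List[Dict]) -> Optional[float]:
    """Largest round-trip time seen on any answered probe (latency check)."""
    seen = [rtt for hop in hops for rtt in hop["rtts"] if rtt is not None]
    return max(seen) if seen else None
```

A hop whose three probes are all asterisks does not by itself prove a failure at that waypoint (some devices simply do not send Time Exceeded), so first_unresponsive_hop is a starting point for investigation, not a verdict.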
Table 23: Traceroute field summary (only the field names survived extraction; the Function and Your Action columns are not preserved)
Remote Host
Don't Resolve Addresses
Gateway
Source Address
Bypass Routing
Interface
Time-to-live
Type-of-Service
Resolve AS Numbers
Advanced Options
Use the monitoring functionality to view system properties such as the name and IP
address of the switch and resource usage.
Action
To monitor system properties in the J-Web interface, select Monitor > System View >
System Information.
To monitor system properties in the CLI, enter the following commands:
Meaning
Table 24 on page 105 summarizes key output fields in the system properties display.
Table 24: System properties output fields (the Values and Additional Information columns are only partly preserved)
General Information: Serial Number; JUNOS Software Version
Time Information: Current Time; System Booted Time (date and time when the switch was last booted and how long it has been running); Protocol Started Time; Last Configured Time
Load Average
Used Memory
User, Terminal, From, Login Time, Idle Time
Use the monitoring functionality to view the processes running on the switch.
To view the software processes running on the switch in the J-Web interface, select
Monitor>System View>Process Details.
To view the software processes running on the switch in the CLI, enter the following
command:
show system processes
Meaning
Table 25 on page 106 summarizes the output fields in the system process information
display.
The display includes the total CPU load and total memory utilization.
Table 25: System process output fields (descriptions not preserved): PID, Name, State, CPU Load, Memory Utilization, Start Time
For more information about the show system properties command, see show system uptime on page 246.
2. Select one:
3.
4. Click Schedule. The J-Web interface requests confirmation to perform the reboot or halt.
5.
If the reboot is scheduled to occur in the future, the Reboot page displays the time until reboot. You have the option to cancel the request by clicking Cancel Reboot on the J-Web interface Reboot page.
If the switch is halted, all software processes stop and you can access the switching platform through the console port only. Reboot the switch by pressing any key on the keyboard.
2. Click Edit.
3.
4. Click any desired option on the Authentication Methods and Order tab:
Table 26: User Management > Add a User Configuration Page Summary (only part of the table survived extraction)
Username (required)
Full Name: Type the user's full name. If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas.
User Information: operator, read-only, super-user/superuser, unauthorized
Confirm Password (required): Type the login password for this user. The login password must meet these criteria: (the criteria are not preserved)
Fields of a second configuration page summary whose descriptions are not preserved: IP Address, Password, Confirm Password, Source Address, Retry Attempts, Timeout
Managing Log, Temporary, and Crash Files on the Switch (J-Web Procedure)
You can use the J-Web interface to rotate log files and delete unnecessary log,
temporary, and crash files on the switching platform.
1. Cleaning Up Files on page 110
2. Downloading Files on page 111
3. Deleting Files on page 111
Cleaning Up Files
If you are running low on storage space, use the file cleanup procedure to quickly
identify files to delete.
The file cleanup procedure performs the following tasks:
Rotates log files: archives the current log files and creates fresh log files.
Deletes log files in /var/log: deletes files that are not currently being written to.
Deletes temporary files in /var/tmp: deletes files that have not been accessed within two days.
Deletes all crash files in /var/crash: deletes core files that the switch has written during an error.
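The selection rules above (rotated logs, temporary files untouched for two days, every core file) are simple enough to check before anything is deleted. The following Python is an added example, not the switch's own cleanup code: it builds a throwaway directory tree with constructed files, reports what the rules would select and how many bytes that frees, and deletes nothing. The test for "not currently being written to" is approximated by a rotation suffix such as messages.0.gz, which is an assumption of this example.

```python
"""Dry run of the file cleanup selection described above: rotated log files
in log/, files in tmp/ not accessed within two days, and every file in crash/.
Added example; it reports candidates and bytes freed but deletes nothing.
Assumption: a log file is no longer being written to when it carries a
rotation suffix (for example messages.0.gz)."""
import os
import re
import tempfile
import time
from typing import Dict, List, Optional

TWO_DAYS = 2 * 24 * 60 * 60
# Rotated logs carry a numeric suffix, optionally compressed (messages.0.gz).
_ROTATED_RE = re.compile(r"\.\d+(\.gz)?$")


def _regular_files(directory: str) -> List[str]:
    """Sorted regular files directly inside directory (empty if it is missing)."""
    if not os.path.isdir(directory):
        return []
    return sorted(
        os.path.join(directory, name)
        for name in os.listdir(directory)
        if os.path.isfile(os.path.join(directory, name))
    )


def rotated_log_files(log_dir: str) -> List[str]:
    """Log files no longer being written to (assumption: rotation suffix)."""
    return [p for p in _regular_files(log_dir) if _ROTATED_RE.search(p)]


def stale_tmp_files(tmp_dir: str, now: float) -> List[str]:
    """Temporary files whose last access is more than two days old."""
    return [p for p in _regular_files(tmp_dir) if now - os.stat(p).st_atime > TWO_DAYS]


def crash_files(crash_dir: str) -> List[str]:
    """Every core file the switch wrote during an error."""
    return _regular_files(crash_dir)


def cleanup_candidates(var_dir: str, now: Optional[float] = None) -> Dict:
    """Mirror the Clean Up Files report: what would go, and how much space it frees."""
    now = time.time() if now is None else now
    report: Dict = {
        "log": rotated_log_files(os.path.join(var_dir, "log")),
        "tmp": stale_tmp_files(os.path.join(var_dir, "tmp"), now),
        "crash": crash_files(os.path.join(var_dir, "crash")),
    }
    report["bytes_freed"] = sum(
        os.path.getsize(p) for group in ("log", "tmp", "crash") for p in report[group]
    )
    return report


def candidate_names(report: Dict) -> Dict[str, List[str]]:
    """Base names per group, convenient for display and for checking the result."""
    return {g: [os.path.basename(p) for p in report[g]] for g in ("log", "tmp", "crash")}


def build_sample_tree() -> str:
    """Construct a throwaway /var look-alike so the selection can be exercised
    offline; the file names, sizes and access times are invented for this example."""
    root = tempfile.mkdtemp(prefix="var-")
    now = time.time()
    layout = {  # relative path -> (size in bytes, seconds since last access)
        "log/messages": (200, 10),           # active log: keep
        "log/messages.0.gz": (512, 3600),    # rotated: candidate
        "tmp/fresh.bin": (100, 3600),        # accessed an hour ago: keep
        "tmp/old.bin": (1024, 3 * 86400),    # untouched for three days: candidate
        "crash/core.example": (2048, 60),    # core file: candidate
    }
    for rel, (size, age) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        os.utime(path, (now - age, now - age))  # set atime (and mtime) explicitly
    return root
```

Run cleanup_candidates on build_sample_tree() to see the report; the active log and the recently used temporary file are left alone, and the three candidates together account for 3584 bytes.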
To rotate log files and delete unnecessary files with the J-Web interface:
1. Select Maintain>Files.
2. In the Clean Up Files section, click Clean Up Files. The switching platform rotates log files and identifies files that can be safely deleted.
The J-Web interface displays the files that you can delete and the amount of space that will be freed on the file system.
3. Click one:
To delete the files and return to the Files page, click OK.
To cancel your entries and return to the list of files in the directory, click Cancel.
Downloading Files
You can use the J-Web interface to download a copy of an individual log, temporary,
or crash file from the switching platform. When you download a file, it is not deleted
from the file system.
To download files with the J-Web interface:
1.
2. Crash (Core) Files: Lists the core files in the /var/crash directory on the switching platform.
The J-Web interface displays the files located in the directory.
3. Select the files that you want to download and click Download.
4.
Deleting Files
You can use the J-Web interface to delete an individual log, temporary, and crash
file from the switching platform. When you delete the file, it is permanently removed
from the file system.
CAUTION: If you are unsure whether to delete a file from the switching platform,
we recommend using the Clean Up Files tool described in Cleaning Up Files. This
tool determines which files can be safely deleted from the file system.
To delete files with the J-Web interface:
1. Select Maintain>Files.
2. Log Files: Lists the log files in the /var/log directory on the switching platform.
Crash (Core) Files: Lists the core files in the /var/crash directory on the switching platform.
The J-Web interface displays the files in the directory.
3.
4. Click Delete. The J-Web interface displays the files you can delete and the amount of space that will be freed on the file system.
5. To delete the files and return to the Files page, click OK.
To cancel your entries and return to the list of files in the directory, click Cancel.
NOTE: If the rescue configuration does not exist, or if the rescue configuration is not
a complete, viable configuration, the rollback command fails, an error message appears,
and the current configuration remains active.
Action
Use the monitoring functionality to view alarm information for the EX-series switches
including alarm type, alarm severity, and a brief description for each active alarm
on the switching platform.
To view the active alarms:
1. Select Monitor > Events and Alarms > View Alarms in the J-Web interface.
2. Select an alarm filter based on alarm type, severity, description, and date range.
3. Click Go.
All the alarms matching the filter are displayed.
NOTE: When the switch is reset, the active alarms are displayed.
Meaning
The alarm display output fields are Type, Severity, Description, and Time; their descriptions are not preserved.
Use the monitoring functionality to filter and view system log messages.
To view events in the J-Web interface, select Monitor > Events and Alarms > View
Events.
Apply a filter or a combination of filters to view messages. You can use filters to
display relevant events. Table 29 on page 114 describes the different filters, their
functions, and the associated actions.
To view events in the CLI, enter the following command:
show log
Table 29: View Events filters (only partly preserved)
System Log File: Specifies the name of a system log file for which you want to display the recorded events. Lists the names of all the system log files that you configure. By default, a log file, messages, is included in the /var/log/ directory.
Event ID, Process, End Time: filter descriptions not preserved.
Meaning
NOTE: By default, the View Events page in the J-Web interface displays the most
recent 25 events, with severity levels highlighted in different colors. After you specify
the filters, Event Summary displays the events matching the specified filters. Click
First, Next, Prev, and Last links to navigate through messages.
The Event Summary output fields are Time, Process, Event ID, Event Description, and Severity (level of severity); the remaining field descriptions are not preserved.
Chapter 12
If you forget the root password for the switch, you can use the password recovery
procedure to reset the root password.
NOTE: You need physical access to the switch to recover the root password.
Solution
1. Power off your switch by unplugging the power cord or turning off the power at the wall switch.
2. Insert one end of the Ethernet cable into the serial port on the management device and connect the other end to the console port on the back of the switch. See Figure 5 on page 119.
3.
4.
Data bits: 8
Parity: None
Stop bits: 1
5. Power on your switch by plugging in the power cord or turning on the power at the wall switch.
6. When the following prompt appears, press the Spacebar to access the switch's bootstrap loader command prompt:
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 1 second...
7. At the following prompt, type boot -s to start up the system in single-user mode:
loader> boot -s
8. At the following prompt, type recovery to start the root password recovery procedure:
Enter full path name of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
root@switch# commit
commit complete
root@switch# exit
15. Exit operational mode in the CLI.
root@switch> exit
16. At the prompt, enter y to reboot the switch.
Chapter 13
radius-options
radius-options {
    attributes {
        nas-ip-address ip-address;
    }
    password-protocol mschap-v2;
}
Hierarchy Level
[edit system]
Release Information
Description
Configure RADIUS options: the NAS-IP address for outgoing RADIUS packets and the password protocol used in RADIUS packets.
Options
nas-ip-address ip-address: IP address of the network access server (NAS) that requests user authentication.
mschap-v2: Use the MS-CHAPv2 password protocol in RADIUS packets.
Required Privilege Level
Chapter 14
Options
clear
Release Information
Description
Options
history group.
sample-index: (Optional) Display the statistics collected for the specified sample.
view
Field Description
History Index: Identifies this RMON history entry within the RMON history group.
Owner
Status
Interface or Data Source: The ifIndex object that identifies the interface that is being monitored.
Interval: The interval (in seconds) configured for this RMON history entry.
Buckets Requested: The requested number of buckets (intervals) configured for this RMON history entry.
Buckets Granted
Sample Index
CRC Errors: packets that were between 64 and 1518 octets long, inclusive (excluding framing bits, but including FCS octets), and had either a bad FCS with an integral number of octets (FCS error) or a bad FCS with a nonintegral number of octets (alignment error).
Undersize Pkts: packets that were less than 64 octets long (excluding framing bits but including FCS octets) and were otherwise well formed.
Oversize Pkts: packets that were longer than 1518 octets (excluding framing bits, but including FCS octets) but were otherwise well formed.
Fragments: packets that were less than 64 octets long (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. Fragment frames normally increment because both runts (which are normal occurrences caused by collisions) and noise hits are counted.
Jabbers: packets that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. This definition of jabber is different from the definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2). These documents define jabber as the condition in which any packet exceeds 20 ms. The allowed range to detect jabber is from 20 ms to 150 ms.
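The five error counters above are defined by two attributes of a received frame, its octet length and whether its FCS checked out, so the classification can be written down exactly. The following Python is an added example and not JUNOS code; the frame records are constructed. It generalizes the table into a single decision for any length and FCS result, and treats a nonintegral octet count as an alignment error that counts the same way as an FCS error, as the definitions do.

```python
"""Classify a received Ethernet frame into the RMON history counters defined
above, from its length (excluding framing bits, including FCS octets) and
whether the FCS checked out. Added example, not switch code; the sample frame
records are constructed."""
from collections import Counter
from typing import Iterable, Tuple

MIN_LEN = 64     # smallest well-formed frame, octets
MAX_LEN = 1518   # largest well-formed frame, octets

COUNTERS = ("Good", "CRC Errors", "Undersize Pkts", "Oversize Pkts",
            "Fragments", "Jabbers")

# frame = (length_in_octets, fcs_ok, integral_octets)
Frame = Tuple[int, bool, bool]


def classify_frame(length: int, fcs_ok: bool, integral_octets: bool = True) -> str:
    """Return the counter name the frame increments ("Good" for a normal frame)."""
    bad = (not fcs_ok) or (not integral_octets)   # FCS error or alignment error
    if length < MIN_LEN:
        return "Fragments" if bad else "Undersize Pkts"
    if length > MAX_LEN:
        return "Jabbers" if bad else "Oversize Pkts"
    return "CRC Errors" if bad else "Good"


def tally(frames: Iterable[Frame]) -> Counter:
    """Count frames per RMON counter, the way one history sample does."""
    counts = Counter({name: 0 for name in COUNTERS})
    for length, fcs_ok, integral in frames:
        counts[classify_frame(length, fcs_ok, integral)] += 1
    return counts


# Constructed sample: the two boundary-length good frames plus one of each error kind.
SAMPLE_FRAMES = [
    (64, True, True),       # smallest good frame
    (1518, True, True),     # largest good frame
    (1000, False, True),    # bad FCS, integral octets -> CRC Errors (FCS error)
    (1000, False, False),   # bad FCS, nonintegral octets -> CRC Errors (alignment error)
    (60, True, True),       # Undersize Pkts
    (60, False, True),      # Fragments
    (1600, True, True),     # Oversize Pkts
    (1600, False, True),    # Jabbers
]
```

A rising Fragments count with a flat CRC Errors count points at collisions or noise on the segment rather than at a faulty FCS path, which is why the table keeps the short and long bad frames in separate counters.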
Sample output (the columns did not survive extraction): the counters CRC errors, Undersize Pkts, Oversize Pkts, Fragments, Jabbers, Collisions, and Utilization(%) all read 0 in the sample, which carries the timestamp 1 00:08:35 1970.
Part 6
Virtual Chassis
Chapter 15
The serial console port and dedicated out-of-band management port that are on the
rear panel of the individual switches have global virtual counterparts when the
switches are interconnected in a Virtual Chassis configuration. A virtual console
allows you to connect to the master by connecting a terminal directly to the console
port of any member switch. A virtual management Ethernet (VME) interface allows
you to remotely manage the Virtual Chassis configuration by connecting to the
out-of-band management port of any member switch through a single IP address.
See Understanding Global Management of a Virtual Chassis
Configuration on page 141.
Master Role
The member that functions in the master role:
Represents all the member switches interconnected within the Virtual Chassis
configuration. (The hostname and other properties that you assign to this switch
during setup apply to all members of the Virtual Chassis configuration.)
Backup Role
The member that functions in the backup role:
Maintains a state of readiness to take over the master role if the master fails.
Synchronizes with the master in terms of protocol states, forwarding tables, and
so forth, so that it is prepared to preserve routing information and maintain
network connectivity without disruption in case the master is unavailable.
You must have at least two member switches in a Virtual Chassis configuration in
order to have a backup member.
Linecard Role
A member that functions in the linecard role:
Can detect certain error conditions (such as an unplugged cable) on any interfaces
that have been configured on it through the master.
A Virtual Chassis configuration must have at least three members in order to include
a linecard member.
In a configuration that is not preprovisioned, the members that are not selected
as master or backup function as linecard members of the Virtual Chassis
Mastership Priority
In a configuration that is not preprovisioned, you can designate the role (master,
backup, or linecard) that a member switch performs within the Virtual Chassis
configuration by configuring its mastership priority (from 1 to 255). The mastership
priority value is the factor with the highest precedence for selecting the master of
the Virtual Chassis configuration.
The default value for mastership priority is 128. When an EX 4200 switch is powered
on, it receives the default mastership priority value. Because it is the only member
of the Virtual Chassis configuration, it is also the master. When you interconnect a
standalone switch to an existing Virtual Chassis configuration (which implicitly
includes its own master), we recommend that you explicitly configure the mastership
priority of the members that you want to function as the master and backup.
We recommend that you specify the same mastership priority value for both the
master and backup members.
NOTE: Configuring the same mastership priority value for both the master and backup
helps to ensure a smooth transition from master to backup in case the master
becomes unavailable. It prevents the old master from preempting control from the
backup in situations where the backup has taken control of the Virtual Chassis
configuration due to the original master being unavailable.
We also recommend that you configure the highest possible mastership priority value
(255) for those two members, because that guarantees that these two members
continue to function as the master and backup when other members are added to
the Virtual Chassis configuration. Any other members of the Virtual Chassis
configuration (members with lower mastership priority) are considered linecard
members.
In a preprovisioned configuration, the mastership priority value is assigned by the
software, based on the specified role.
Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 206
1. Choose the member with the highest user-configured mastership priority (255 is the highest possible value).
2. Choose the member that was master the last time the Virtual Chassis configuration booted.
3. Choose the member that has been included in the Virtual Chassis configuration for the longest period of time. (For this to be a deciding factor, there has to be a minimum time lapse of one minute between the power-ons of the individual interconnected member switches.)
4.
The variations among switch models, such as whether the switch has 48 or 24 ports, do not impact the master election algorithm. To ensure that a specific member is elected as the master:
1. Power on only the switch that you want to configure as master of the Virtual Chassis configuration.
2. Configure the mastership priority of that member to have the highest possible value (255).
3.
4.
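The election criteria above are applied strictly in order, so the outcome for a given set of members can be predicted before any switch is powered on, which is how you confirm that the member you intend to be master (and no stray member with a stale priority) will win. The following Python is an added example and not the switch's election code; the members and their attributes are constructed. The fourth criterion is not preserved on this page, so a tie that survives the first three is reported as unresolved rather than guessed.

```python
"""Master election for a Virtual Chassis that is not preprovisioned, following
the ordered criteria listed above. Added example in Python; not the switch's
election code. Members are constructed. The fourth criterion is not preserved
on this page, so a tie that survives criteria 1 to 3 is reported as unresolved."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_PRIORITY = 128          # value every switch receives at power-on
MAX_PRIORITY = 255
SENIORITY_MIN_GAP_SECONDS = 60  # criterion 3 decides only with >= 1 minute between power-ons


@dataclass
class Member:
    member_id: int
    mastership_priority: int = DEFAULT_PRIORITY
    was_master_at_last_boot: bool = False
    seconds_in_chassis: float = 0.0   # how long it has been part of the configuration


def elect_master(members: List[Member]) -> Tuple[Optional[Member], str]:
    """Return (winner, deciding criterion) or (None, 'unresolved')."""
    if not members:
        return None, "unresolved"
    for m in members:
        if not 1 <= m.mastership_priority <= MAX_PRIORITY:
            raise ValueError(f"member {m.member_id}: mastership priority must be 1..255")

    # 1. Highest user-configured mastership priority.
    top = max(m.mastership_priority for m in members)
    cands = [m for m in members if m.mastership_priority == top]
    if len(cands) == 1:
        return cands[0], "1: highest mastership priority"

    # 2. The member that was master the last time the configuration booted.
    prev = [m for m in cands if m.was_master_at_last_boot]
    if len(prev) == 1:
        return prev[0], "2: master at last boot"
    if prev:
        cands = prev

    # 3. Longest time in the configuration, provided the gap is at least one minute.
    cands = sorted(cands, key=lambda m: m.seconds_in_chassis, reverse=True)
    if (len(cands) > 1
            and cands[0].seconds_in_chassis - cands[1].seconds_in_chassis
            >= SENIORITY_MIN_GAP_SECONDS):
        return cands[0], "3: longest membership"

    # 4. Not preserved on this page; do not guess.
    return None, "unresolved"


def recommended_setup(intended_master: Member, others: List[Member]) -> List[Member]:
    """Apply the page's advice: the intended master is powered on first (so it has
    the most seniority) and given priority 255; the others keep their own values."""
    intended_master.mastership_priority = MAX_PRIORITY
    intended_master.seconds_in_chassis = max(
        [o.seconds_in_chassis for o in others] + [0.0]) + SENIORITY_MIN_GAP_SECONDS
    return [intended_master] + others
```

The last function only mirrors the two recommendations the page gives (power the intended master on first, and set its priority to 255); whether a second member at 255 then becomes backup depends on the same ordering applied to the remaining members.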
If the master becomes unavailable, the console session is disconnected from the old
master and a new session is established with the newly elected master.
An out-of-band management Ethernet port is often referred to simply as a
management Ethernet port. It uses a dedicated management channel for device
maintenance and allows a system administrator to monitor and manage the switch
by remote control.
The Virtual Chassis configuration can be managed remotely through SSH or Telnet
using a global management interface called the virtual management Ethernet (VME)
interface. VME is a logical interface representing any and all of the out-of-band
management ports on the member switches. When you connect to the Virtual Chassis
configuration using the VME IP address, the connection is redirected to the master
member as shown in Figure 7 on page 142.
Figure 7: Management Ethernet Port Redirection to VME
If the master is not available, the backup switch takes on the role of the master
and its internal flash memory takes over as the alternate location for maintaining
nonvolatile configuration memory.
If a member switch is taken offline for repair, the master stores the configuration
of the member switch.
NOTE: The interfaces that are included within a LAG are sometimes referred to as
member interfaces. Do not confuse member interfaces and member switches. The
member switches are individual EX 4200 switches that have been interconnected
with their Virtual Chassis ports (VCPs) to operate as a single network entity. In a
Virtual Chassis configuration, you can create a LAG formed of member interfaces
that represent ports belonging to different member switches.
the Virtual Chassis configuration. When a switch is located too far away to be
interconnected with the dedicated Virtual Chassis ports, you can specify an uplink
as a Virtual Chassis port using the request virtual-chassis vc-port command (page 1160).
The request virtual-chassis vc-port command must be executed on the standalone
switch, because it is not yet part of the Virtual Chassis configuration. Without an
uplink VCP, the standalone switch cannot be recognized by the master as belonging
to the Virtual Chassis configuration.
While an uplink port is set as a VCP interface, it cannot be used for any additional
purpose. If you want to use the uplink port for another purpose, you can delete the
VCP setting by using the request virtual-chassis vc-port command (page 1160). You
can execute this command directly on the member whose uplink VCP setting you
want to delete or through the master of the Virtual Chassis configuration.
In addition, you may choose to create a preprovisioned configuration. This type of
configuration allows you to deterministically control the member ID and role assigned
to a member switch by associating the switch to its serial number. For an example
of a preprovisioned configuration, see Example: Configuring a Virtual Chassis with
a Preprovisioned Configuration File on page 184.
Chapter 16
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet
A Virtual Chassis configuration is a scalable switch. You can provide secure, redundant
network accessibility with a basic two-member Virtual Chassis configuration and
later expand the Virtual Chassis configuration to provide additional access ports as
your office grows.
This example describes how to configure a Virtual Chassis with a master and backup
in a single wiring closet:
Requirements
This example uses the following hardware and software components:
2.
3.
NOTE: We recommend that you use the commit synchronize command to save any
configuration changes that you make to a multimember Virtual Chassis.
The Virtual Chassis configuration provides networking access for 50 onsite workers,
who are sitting within range of a single wiring closet. The workers all use personal
computers and VoIP phones. As the office grows, you can add more EX 4200 switches
to meet increased needs for access ports.
The topology for this example consists of two switches, one of which contains an
uplink module:
One EX 4200-24T switch (SWA-0) with 24 access ports, including eight ports
that support PoE
One EX 4200-48P switch (SWA-1) with 48 access ports, all of which support PoE
One EX-UM-2XFP uplink module, with two 10Gigabit Ethernet ports, is installed
in the EX 4200-48P switch
Table 32 on page 149 shows the default configuration settings for the two-member
Virtual Chassis.
Table 32: Components of the Basic Virtual Chassis Access Switch Topology
Member Switch   Hardware
SWA-0           EX 4200-48P switch
SWA-1           EX 4200-24T switch
(The Member ID column did not survive extraction.)
Figure 8 on page 149 shows that SWA-0 and SWA-1 are interconnected with their
dedicated VCPs on the rear panel. The LCD on the front displays the Member ID and
Role. SWA-0 also includes an uplink module. Its uplink ports can be used to connect
to a distribution switch.
Figure 8: Basic Virtual Chassis with Master and Backup
Configuration
Configure a Virtual Chassis with a default master and backup in a single wiring closet:
Step-by-Step Procedure
1. Make sure the VCPs on the rear panel of the member switches are properly cabled. See Virtual Chassis Cabling Configuration Examples.
2. Power on SWA-0 (the member switch that you want to function as the master).
3. Check the front-panel LCD to confirm that the switch has powered on correctly.
4.
5. Configure SWA-0 with the virtual management Ethernet (VME) interface for out-of-band management of the Virtual Chassis configuration, if desired.
[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask
6. Power on SWA-1.
Verification
To confirm that the Virtual Chassis configuration is operational, perform these tasks:
Verify that the master, which has been selected by default, is the member switch
that you want to function in that role.
Action
1. Check the front-panel LCD to confirm that the switch has powered on correctly and that a member ID has been assigned.
2.
Only fragments of the show virtual-chassis status output survived extraction: member 0 has the Master* role and the neighbors 1 vcp-0 and 1 vcp-1; member 1 (FPC 1) is Prsnt, serial number AK0207360281, model ex4200-24t, with the Backup role and the neighbors 0 vcp-0 and 0 vcp-1; a mastership priority of 128 appears in the output.
Meaning
The show virtual-chassis status command (page 250) lists the member switches
interconnected in a Virtual Chassis configuration with the member IDs that have
been assigned by the master, the mastership priority values, and the roles. It also
displays the neighbor members with which each member is interconnected. The
output shows that SWA-0, member 0, has been assigned default mastership priority
128. Because SWA-0 is the first member to be powered on, it has the most seniority
and is therefore assigned the role of master. SWA-1 is powered on after member 0,
so it is assigned the role of backup. The member IDs are displayed on the front panel
of the switches. Check and confirm whether the default assignment is satisfactory.
Verifying That the VCPs Are Operational
Purpose
Action
Verify that the dedicated Virtual Chassis ports interconnecting the switches are
operational.
Display the Virtual Chassis ports of all the members:
user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface    Type        Status
or
PIC / Port
vcp-0        Dedicated   Up
vcp-1        Dedicated   Up
fpc1:
--------------------------------------------------------------------------
Interface    Type        Status
or
PIC / Port
vcp-0        Dedicated   Up
vcp-1        Dedicated   Up
Meaning
The show virtual-chassis vc-port command (page 252) lists the interfaces that are
enabled for the member switches of the Virtual Chassis configuration and shows the
status of the interfaces. The output in this example shows that two of the VCPs are
operational and two VCPs are not. A single cable has been used to interconnect vcp-0
of member ID 0 and vcp-0 of member ID 1. That interconnection is sufficient for the
switch to be operational. However, we recommend that you connect the second set
of VCPs for redundancy.
The master and backup roles are not assigned to the member switches that you want
to function in these roles.
Solution
1. Check to make sure that you have cabled the appropriate ports.
2. You should generally cable and interconnect both of the VCPs on the member switches, for redundancy and high availability.
Requirements
This example uses the following hardware and software components:
One EX 4200-24T switch (SWA-0) with 24 access ports, including eight ports
that support PoE
One EX 4200-48P switch (SWA-1) with 48 access ports, all of which support
Power over Ethernet (PoE)
One EX 4200-24P switch (SWA-2) with 24 access ports, all of which support PoE
One uplink module with two 10-gigabit ports is installed in the EX 4200-48P
switch. These ports can be configured as trunk ports to connect to a distribution
switch or customer edge (CE) router or as Virtual Chassis ports (VCPs) to
interconnect with a member switch that is located too far for dedicated VCP
cabling. For information on configuring the uplink ports as trunk ports to a
distribution switch, see Configuring Gigabit Ethernet Interfaces (CLI
Procedure) on page 293 or Configuring Gigabit Ethernet Interfaces (J-Web
Procedure) on page 289. For information on configuring uplink ports as Virtual
Chassis ports, see Setting an Uplink Port as a Virtual Chassis Port (CLI
Procedure) on page 206.
Table 33 on page 154 shows the configuration settings for the expanded Virtual
Chassis.
Table 33: Components of the Expanded Virtual Chassis Access Switch
Member Switch   Hardware
SWA-0           EX 4200-48P switch
SWA-1           EX 4200-24T switch
SWA-2           EX 4200-24P switch
(The Member ID column did not survive extraction.)
Figure 9 on page 154 shows that the three member switches (SWA-0, SWA-1, and
SWA-2) are interconnected with their dedicated VCPs on the rear panel. The LCD on
the front displays the member ID and role. SWA-0 also includes an uplink module.
Its uplink ports can be used to connect to a distribution switch.
Figure 9: Expanded Virtual Chassis in Single Wiring Closet
Configuration
To expand a Virtual Chassis configuration to include additional member switches
within a single wiring closet, perform these tasks:
NOTE: We recommend that you use the commit synchronize command to save any
configuration changes that you make to a multimember Virtual Chassis configuration.
CLI Quick Configuration
To maintain the master and backup roles of the existing members and ensure that
the new member switch functions in a linecard role, copy the following commands
and paste them into the terminal window:
[edit]
user@SWA-0# set virtual-chassis member 0 mastership-priority 255
user@SWA-1# set virtual-chassis member 1 mastership-priority 255
Step-by-Step Procedure
To ensure that the existing member switches retain their current roles and to add
another member switch in a linecard role:
1.
2.
3. Interconnect the unpowered SWA-2 with SWA-0 and SWA-1 using the dedicated VCPs on the rear panel. See Virtual Chassis Cabling Configuration Examples for additional information.
4. Power on SWA-2.
You do not need to configure or run EZ Setup on SWA-2. The identification
parameters that were set up for the master apply implicitly to all members of
the Virtual Chassis configuration. SWA-2 functions in a linecard role, since SWA-0
and SWA-1 have been configured to the highest mastership priority values.
Verification
To verify that the new switch has been added as a linecard and that its VCPs are
operational, perform these tasks:
Verifying That the New Switch Has Been Added as a Linecard on page 155
Purpose
Verify that SWA-2 has been added in a linecard role to the Virtual Chassis
configuration.
Complete Software Guide for JUNOS for EX-series Software, Release 9.2
Action
Use the show virtual-chassis status command (see page 250) to list the member switches
with their member IDs, mastership priority values, and assigned roles.
user@SWA-0> show virtual-chassis status
Virtual Chassis ID: 0000.e255.00e0
                                          Mastership           Neighbor List
Member ID  Status  Serial No  Model       Priority   Role      ID  Interface
0 (FPC 0)  Prsnt   abc123     ex4200-48p  255        Master*   1   vcp-0
                                                               2   vcp-1
1 (FPC 1)  Prsnt   def456     ex4200-24t  255        Backup    2   vcp-0
                                                               0   vcp-1
2 (FPC 2)  Prsnt   abd231     ex4200-24p  128        Linecard  0   vcp-0
                                                               1   vcp-1
Meaning
The show virtual-chassis status command lists the member switches of the Virtual
Chassis configuration with the member IDs and mastership priority values. It also
displays the neighbor members with which each member is interconnected. This
output shows that SWA-2 has been assigned member ID 2 and has the default
mastership priority value 128. Because the mastership priority is lower than the
mastership priority of the other members, SWA-2 functions in the linecard role. You
can continue to add more member switches, following the same procedure. It is
possible to have multiple members in linecard roles with the same mastership priority
value.
Verifying That the VCPs Are Operational
Purpose
Verify that the dedicated VCPs interconnecting the member switches are operational.
Action
List the VCP interfaces on the Virtual Chassis configuration.
user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc1:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc2:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
Meaning
The show virtual-chassis vc-port all-members command lists all the interfaces for the
Virtual Chassis configuration. In this case, no VCP uplinks have been configured.
However, the VCP interfaces are automatically configured and enabled when you
interconnect member switches using the dedicated Virtual Chassis ports. There are
two dedicated VCPs on the rear panel of each EX 4200 switch. It is recommended
that you interconnect the member switches using both VCPs for redundancy. The
VCP interfaces are identified simply as vcp-0 and vcp-1. The fpc number is the same
as the member ID.
Troubleshooting
To troubleshoot the configuration of an expanded Virtual Chassis, perform these
tasks:
Troubleshooting Mastership Priority
Problem
Solution
Change the mastership priority value or values of the switches, designating the highest
mastership priority value for the switch that you want to be master.
2. Set the mastership priority of the member that you want to be the master to the
highest possible value (255):
[edit virtual-chassis]
user@SWA-2# set member 2 mastership-priority 255
Solution
Check the cable to make sure that it is properly and securely connected to the VCPs.
Related Topics
Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration
We recommend that you explicitly configure the mastership priority of the switches
to ensure that the switches continue to perform the desired roles when additional
switches are added or other changes occur. However, it is possible to use the default
configuration described in this example.
This example describes how to configure a multimember Virtual Chassis in a single
wiring closet, using the default role assignments:
Requirements
This example uses the following hardware and software components:
Two EX 4200-48P switches (SWA-0 and SWA-1) with 48 access ports, all of which
support Power over Ethernet (PoE)
Four EX 4200-24P switches (SWA-2, SWA-3, SWA-4, and SWA-5) with 24 access
ports, all of which support PoE
Figure 10 on page 159 shows that all the member switches are interconnected with
the dedicated VCPs on the rear panel. The LCD on the front displays the member ID
and role.
Figure 10: Default Configuration of Multimember Virtual Chassis in a Single Wiring
Closet
Configuration
Configure a multimember Virtual Chassis access switch in a single wiring closet using
the factory defaults:
CLI Quick Configuration
By default, after you interconnect the switches with the dedicated VCPs and power
on the switches, the VCPs are operational. The mastership priorities and member
IDs are assigned by the software. To determine which switch has been selected as
the master, check the LCD on the front panel. It should be the first switch that you
power on. The backup should be the second switch that you power on. The other
switches are all linecards. Wait at least one minute after powering on the master,
before continuing to power on the other switches.
Step-by-Step Procedure
1. Make sure the dedicated VCPs on the rear panel are properly cabled. See Virtual
Chassis Cabling Configuration Examples for additional information.
2. Power on the switch that you want to function as the master (SWA-0). This
example uses one of the larger switches (EX 4200-48P) as the master.
3. Check the front panel LCD to confirm that the switch has powered on correctly
and that a member ID has been assigned.
4. Run the EZ Setup program on SWA-0, the master, specifying the identification
parameters. See Connecting and Configuring the EX-series Switch (CLI
Procedure) on page 57 or Connecting and Configuring the EX-series Switch
(J-Web Procedure) on page 58 for details.
5. Configure SWA-0 with the virtual management Ethernet (VME) interface for
out-of-band management of the Virtual Chassis configuration, if desired.
[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask
6. After a lapse of at least one minute, power on SWA-1. This example uses the
second EX 4200-48P switch as the backup.
7. Check the front panel LCD to confirm that the switch has powered on correctly
and that a member ID has been assigned.
8. Power on SWA-2, and check the front panels to make sure that the switch is
operating correctly.
9. Continue to power on the member switches one by one, checking the front
panels as you proceed.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the Member IDs and Roles of the Member Switches on page 160
Purpose
Verify that all the interconnected member switches are included within the Virtual
Chassis configuration and that their roles are assigned appropriately.
Action
Display the members of the Virtual Chassis configuration:
user@SWA-0> show virtual-chassis status
Virtual Chassis ID: 0000.e255.00e0
                                          Mastership           Neighbor List
Member ID  Status  Serial No  Model       Priority   Role      ID  Interface
0 (FPC 0)  Prsnt   abc123     ex4200-48p  128        Master*   1   vcp-0
                                                               5   vcp-1
1 (FPC 1)  Prsnt   def123     ex4200-48p  128        Backup    2   vcp-0
                                                               0   vcp-1
2 (FPC 2)  Prsnt   abd231     ex4200-24p  128        Linecard  3   vcp-0
                                                               1   vcp-1
3 (FPC 3)  Prsnt   cab123     ex4200-24p  128        Linecard  4   vcp-0
                                                               2   vcp-1
4 (FPC 4)  Prsnt   fed456     ex4200-24p  128        Linecard  5   vcp-0
                                                               3   vcp-1
5 (FPC 5)  Prsnt   jkl231     ex4200-24p  128        Linecard  0   vcp-0
                                                               4   vcp-1
Meaning
The show virtual-chassis status command lists the member switches of the Virtual
Chassis configuration with the member IDs and mastership priority values. It also
displays the neighbor members with which each member is interconnected. The fpc
number is the same as the member ID.
Verifying That the VCPs Are Operational
Purpose
Verify that the dedicated VCPs interconnecting the member switches are operational.
Action
Display the Virtual Chassis interfaces.
user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc1:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc2:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc3:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc4:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc5:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
Meaning
The show virtual-chassis vc-port all-members command lists the Virtual Chassis
interfaces that are enabled for the member switches of the Virtual Chassis
configuration and shows the status of the interfaces. In this case, no VCP uplinks
have been configured. However, the VCP interfaces are automatically configured
and enabled when you interconnect member switches using the dedicated VCPs.
There are two dedicated VCPs on the rear panel of each EX 4200 switch. The
dedicated VCP interfaces are identified simply as vcp-0 and vcp-1. They do not use
the standard interface address (in which the member ID is represented by the first
digit). The output in this example shows that all interfaces are operational. The fpc
number is the same as the member ID.
Troubleshooting
To troubleshoot the configuration of a multimember Virtual Chassis in a single wiring
closet, perform these tasks:
Troubleshooting Mastership Priority
Problem
You want to explicitly designate one member as the master and another as backup.
Solution
Change the mastership priority value of the member that you want to function as
master, designating the highest mastership priority value for that member.
NOTE: These configuration changes are made through the current master, SWA-0.
2. Set the mastership priority of another member that you want to function as the
backup member to the same value:
[edit virtual-chassis]
user@SWA-0# set member 2 mastership-priority 255
Solution
Check the cable to make sure that it is properly and securely connected to the VCPs.
Related Topics
Requirements
This example uses the following hardware and software components:
Before you interconnect the members of the Virtual Chassis configuration across
wiring closets, be sure you have:
2. Powered on, connected, and run the EZ Setup program on SWA-0. Follow the
prompts to specify the host name and other identification, time zone, and
network properties. See Connecting and Configuring the EX-series Switch (CLI
Procedure) on page 57 or Connecting and Configuring the EX-series Switch
(J-Web Procedure) on page 58 for details. SWA-0 is going to be configured in
the example to function as the master of the Virtual Chassis. Thus, the properties
that you specified for SWA-0 apply to the entire Virtual Chassis configuration,
including all the member switches that you later interconnect with the master.
3. Configured SWA-0 with the virtual management Ethernet (VME) for remote,
out-of-band management of the Virtual Chassis configuration, if desired.
[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask
4. Interconnected SWA-0 and SWA-1 (the two member switches in wiring closet
A) using the dedicated VCPs on the rear panel. SWA-1 should not be powered
on at this time.
5. Interconnected SWA-2 and SWA-3 (the two member switches in wiring closet
B) using the dedicated VCPs on the rear panel. SWA-2 and SWA-3 should not be
powered on at this time.
NOTE: Beginning with JUNOS Release 9.2 for EX-series switches, you can use either
a 10-Gbps Ethernet uplink port (EX-UM-2XFP) or a 1-Gbps Ethernet uplink port
(EX-UM-4SFP) as a VCP interface. When an uplink port is set as a VCP interface, it
cannot be used for any other purpose. The EX-UM-2XFP uplink module has two 10-Gbps
ports; the EX-UM-4SFP has four 1-Gbps ports. You can set one port as a VCP interface
and configure the other port in trunk mode as an uplink to a distribution switch.
VCPs on the rear panel. The redundancy of uplink VCPs provided in this example is
sufficient.
First, we will complete the Virtual Chassis configuration of the member switches in
wiring closet A.
We have decided that SWA-0 will function as the master, so we set its mastership
priority value to the highest possible value (255).
The switches (SWA-0 and SWA-1) in wiring closet A have been interconnected using
the dedicated Virtual Chassis ports (VCPs). The interfaces for the rear-panel dedicated
VCPs are operational by default. They do not need to be configured.
However, the rear-panel Virtual Chassis cables that interconnect the VCPs of member
switches within a single wiring closet are not long enough to connect member switches
across wiring closets. Instead, you can use the fiber cable connections in the uplink
modules to interconnect the member switches in wiring closet A to the member
switch in wiring closet B. For redundancy, this example connects uplink ports from
the two member switches in wiring closet A to the two member switches in wiring
closet B.
After specifying the highest mastership priority value (255) for SWA-0, we power on
SWA-1. Because SWA-0 and SWA-1 are interconnected with the dedicated VCPs, the
master detects that SWA-1 is a member of its Virtual Chassis configuration and
assigns a member ID. We can now set the VCP uplinks for both SWA-0 and SWA-1
through the master in preparation for interconnecting them with the member switches
in wiring closet B.
However, in order for the master to recognize the existence of SWA-2, you must first
set one of the SWA-2 uplinks as a VCP. You cannot set the SWA-2 uplink through the
master of the Virtual Chassis configuration, because SWA-2 is not yet interconnected
as a member switch.
We will power on and configure SWA-2 prior to powering on SWA-3.
When you power on SWA-2, its member ID is 0, its default mastership priority is
128, and it is functioning in the master role.
You can configure SWA-2 without running EZ Setup by directly connecting to the
console port. If you wish, you can run EZ Setup and specify identification parameters.
Later, when you interconnect SWA-2 with the master of the Virtual Chassis
configuration, the master overwrites any conflicting parameters.
We want to use SWA-2 as the backup of the Virtual Chassis configuration. If a problem
occurs in wiring closet A, SWA-2 would take control of the Virtual Chassis configuration
and maintain the network connections. We configure the same mastership priority
value for SWA-2 (255) that we configured for the master. Because SWA-0 has already
been powered on prior to SWA-2, it has additional prioritization properties that allow
it to retain mastership of the Virtual Chassis configuration. See Understanding How
the Master in a Virtual Chassis Configuration Is Elected on page 140. We recommend
setting identical mastership priority values for the master and backup members for
high availability and smooth transition of mastership in case the original master
becomes unavailable. (Setting identical mastership priority values for the master and
backup members prevents the previous master from pre-empting the master role
from the new master when the previous master comes back online.)
After SWA-2 has been configured and its uplink port has been set as a VCP interface,
interconnect its VCP uplink port with the VCP uplink of SWA-0 in wiring closet A.
SWA-2 reboots and joins the Virtual Chassis configuration as member 2 and as backup
of the expanded Virtual Chassis configuration.
Now, power on SWA-3. Because SWA-3 is interconnected with SWA-2 using the
dedicated VCPs on the rear panel, the master detects that SWA-3 is part of the
expanded Virtual Chassis configuration and assigns it member ID 3. For redundancy,
configure a VCP uplink on member 3 through the master and interconnect this uplink
with the VCP uplink of SWA-1 in wiring closet A.
The topology for this example consists of:
Table 34 on page 166 shows the Virtual Chassis configuration settings for a Virtual
Chassis composed of member switches in different wiring closets.
Table 34: Components of a Virtual Chassis Interconnected Across Multiple Wiring Closets
Switch  Member ID                          Uplinks Connecting Member Switches  Hardware                                  Location
SWA-0   master; mastership priority 255    xe-0/1/0                            EX 4200-48P and EX-UM-2XFP uplink module  Wiring closet A
SWA-1   linecard; mastership priority 128  xe-1/1/0                            EX 4200-24T and EX-UM-2XFP uplink module  Wiring closet A
SWA-2   backup; mastership priority 255    xe-0/1/0                            EX 4200-48P and EX-UM-2XFP uplink module  Wiring closet B
SWA-3   linecard; mastership priority 128  xe-3/1/0                            EX 4200-24T and EX-UM-2XFP uplink module  Wiring closet B
Figure 11 on page 167 shows the different types of interconnections used for this
Virtual Chassis configuration. The rear view shows that the member switches within
each wiring closet are interconnected to each other using the dedicated VCPs. The
front view shows the uplink ports that have been set as VCP interfaces and
interconnected across the wiring closets. The uplink ports that are not used as VCPs
can be configured as trunk ports to connect to a distribution switch.
Configuration
To configure the Virtual Chassis across multiple wiring closets, perform these tasks:
NOTE: We recommend that you use the commit synchronize command to save any
configuration changes that you make to a multimember Virtual Chassis.
CLI Quick Configuration
Step-by-Step Procedure
2. Prepare the members in wiring closet A for interconnecting with the member
switches in wiring closet B by setting uplink VCPs for member 0 and member
1:
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 1
NOTE: For redundancy, this example configures an uplink VCP in both SWA-0 and
SWA-1.
3.
NOTE: SWA-2 is configured with the same mastership priority value that we
configured for SWA-0. However, the longer uptime of SWA-0 ensures that it functions
as the master and that SWA-2 functions as the backup.
4. Specify one uplink port in SWA-2 as a VCP interface. Its member ID is 0, because
it is not yet interconnected with the other members of the Virtual Chassis
configuration. Its member ID will change when it is interconnected with the
Virtual Chassis configuration.
NOTE: The setting of the VCP interface remains intact when SWA-2 reboots and joins
the Virtual Chassis configuration as member 2.
This example omits the specification of the member member-id option. The
command applies by default to the switch where it is executed.
5. After you have set the uplink VCP in SWA-2, you should physically interconnect
SWA-0 and SWA-2 across wiring closets using their uplink VCPs. Although SWA-0
and SWA-2 have the same mastership priority value (255), SWA-0 was powered
on first and thus has longer uptime. This results in SWA-0 retaining mastership
while SWA-2 reboots and joins the now expanded Virtual Chassis configuration
as a backup with member ID 2.
6. Power on SWA-3, which is interconnected with SWA-2 using the dedicated VCPs
on the rear panel. It joins the expanded Virtual Chassis configuration as member
3.
8. After you have configured the uplink VCP of SWA-3, you should physically
interconnect SWA-3 and SWA-1 across wiring closets using their uplink VCPs.
Both SWA-1 and SWA-3 have the default mastership priority value (128) and
function in a linecard role.
Results
}
member 3 {
mastership-priority 128;
}
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the Member IDs and Roles of the Member Switches on page 170
Verifying That the Dedicated VCPs and Uplink VCPs Are Operational on page 171
Purpose
Verify that all the interconnected member switches are included within the Virtual
Chassis configuration and that their roles are assigned appropriately.
Action
Display the members of the Virtual Chassis configuration:
user@SWA-0> show virtual-chassis status
Virtual Chassis ID: 0000.e255.00e0
                                          Mastership           Neighbor List
Member ID  Status  Serial No  Model       Priority   Role      ID  Interface
0 (FPC 0)  Prsnt   abc123     ex4200-48p  255        Master*   1   vcp-0
                                                               1   vcp-1
                                                               2   1/0
1 (FPC 1)  Prsnt   def456     ex4200-24t  128        Linecard  0   vcp-0
                                                               0   vcp-1
                                                               3   1/0
2 (FPC 2)  Prsnt   ghi789     ex4200-48p  255        Backup    3   vcp-0
                                                               3   vcp-1
                                                               0   1/0
3 (FPC 3)  Prsnt   jkl012     ex4200-24t  128        Linecard  2   vcp-0
                                                               2   vcp-1
                                                               1   1/0
Meaning
The show virtual-chassis status command (see page 250) lists the member switches
interconnected as a Virtual Chassis configuration with the member IDs that have
been assigned by the master, the mastership priority values, and the roles. It also
displays the neighbor members with which each member is interconnected.
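As an added example (not part of the guide), the Python below parses the show virtual-chassis status output used in the Verification sections of the single-closet examples above and of this cross-closet example, then audits it against the rules the text states: one master, at most one backup, master and backup at the highest mastership priority, lower-priority members as linecards, every neighbor link visible from both ends, and an optional list of expected serial numbers so a switch that was never meant to join stands out. The sample input is constructed from the output shown above; the expected-serial inventory is an assumed input.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the "show virtual-chassis status" output of the
# cross-closet example, typed in the column layout the Junos CLI prints.
SAMPLE_STATUS = """\
Virtual Chassis ID: 0000.e255.00e0
                                          Mastership           Neighbor List
Member ID  Status  Serial No  Model       Priority   Role      ID  Interface
0 (FPC 0)  Prsnt   abc123     ex4200-48p  255        Master*   1   vcp-0
                                                               1   vcp-1
                                                               2   1/0
1 (FPC 1)  Prsnt   def456     ex4200-24t  128        Linecard  0   vcp-0
                                                               0   vcp-1
                                                               3   1/0
2 (FPC 2)  Prsnt   ghi789     ex4200-48p  255        Backup    3   vcp-0
                                                               3   vcp-1
                                                               0   1/0
3 (FPC 3)  Prsnt   jkl012     ex4200-24t  128        Linecard  2   vcp-0
                                                               2   vcp-1
                                                               1   1/0
"""

# First line of a member entry: id, status, serial, model, priority, role and
# (optionally) the first neighbor; further neighbors follow on indented lines.
MEMBER_RE = re.compile(
    r"^(?P<id>\d+)\s+\(FPC\s+\d+\)\s+(?P<status>\S+)\s+(?P<serial>\S+)\s+"
    r"(?P<model>\S+)\s+(?P<prio>\d+)\s+(?P<role>\S+)"
    r"(?:\s+(?P<nid>\d+)\s+(?P<nif>\S+))?\s*$"
)
NEIGHBOR_RE = re.compile(r"^\s+(?P<nid>\d+)\s+(?P<nif>\S+)\s*$")


@dataclass
class Member:
    member_id: int
    status: str
    serial: str
    model: str
    priority: int
    role: str  # Master, Backup or Linecard; the CLI's '*' (session member) is stripped
    neighbors: list = field(default_factory=list)  # (neighbor member id, interface)


def parse_status(text):
    """Turn the CLI output into Member records, attaching continuation neighbor lines."""
    members = []
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            member = Member(int(m["id"]), m["status"], m["serial"], m["model"],
                            int(m["prio"]), m["role"].rstrip("*"))
            if m["nid"] is not None:
                member.neighbors.append((int(m["nid"]), m["nif"]))
            members.append(member)
            continue
        n = NEIGHBOR_RE.match(line)
        if n and members:
            members[-1].neighbors.append((int(n["nid"]), n["nif"]))
    return members


def audit(members, expected_serials=None):
    """Return findings as strings; an empty list means the chassis matches the rules in the text."""
    findings = []
    by_id = {m.member_id: m for m in members}
    masters = [m for m in members if m.role == "Master"]
    backups = [m for m in members if m.role == "Backup"]
    if len(masters) != 1:
        findings.append(f"expected exactly one master, found {len(masters)}")
    if len(backups) > 1:
        findings.append(f"expected at most one backup, found {len(backups)}")
    top = max(m.priority for m in members)
    for m in members:
        # Master and backup hold the highest priority; anything below it is a linecard.
        if m.role in ("Master", "Backup") and m.priority < top:
            findings.append(f"member {m.member_id} is {m.role} with priority "
                            f"{m.priority} below the highest ({top})")
        # Every link (dedicated VCP or uplink VCP) should be reported from both ends.
        for nid, nif in m.neighbors:
            peer = by_id.get(nid)
            if peer is None or all(back != m.member_id for back, _ in peer.neighbors):
                findings.append(f"member {m.member_id} lists neighbor {nid} on {nif}, "
                                f"but {nid} does not list {m.member_id}")
        # The text recommends cabling both dedicated VCPs for redundancy.
        if len(m.neighbors) < 2:
            findings.append(f"member {m.member_id} has a single neighbor link (no redundancy)")
        if m.status != "Prsnt":
            findings.append(f"member {m.member_id} status is {m.status}")
    if expected_serials is not None:
        # Inventory check: a member whose serial was never on the list should stand out.
        seen = {m.serial for m in members}
        for m in members:
            if m.serial not in expected_serials:
                findings.append(f"member {m.member_id} serial {m.serial} is not in the expected inventory")
        for serial in sorted(set(expected_serials) - seen):
            findings.append(f"expected switch with serial {serial} has not joined")
    return findings


if __name__ == "__main__":
    vc = parse_status(SAMPLE_STATUS)
    for finding in audit(vc, {"abc123", "def456", "ghi789", "jkl012"}) or ["no findings"]:
        print(finding)
```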
Verifying That the Dedicated VCPs and Uplink VCPs Are Operational
Purpose
Verify that the dedicated VCPs interconnecting the member switches in wiring closet
A and the uplink VCPs interconnecting the member switches between wiring closets
are operational.
Action
Display the Virtual Chassis interfaces:
user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up
fpc1:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up
fpc2:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up
fpc3:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up
Meaning
The dedicated VCPs are displayed as vcp-0 and vcp-1. The uplinks configured as
VCPs are displayed as 1/0. The fpc number is the same as the member ID.
Troubleshooting
To troubleshoot a Virtual Chassis configuration that is interconnected across wiring
closets, perform these tasks:
Troubleshooting Nonoperational VCPs
Problem
Solution
Check the cable to make sure that it is properly and securely connected to the
ports.
If the VCP is an uplink port, make sure that the uplink port has been explicitly
set as a VCP.
If the VCP is an uplink port, make sure that you have specified the options
(pic-slot, port-number, member-id) correctly.
Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 206
Related Topics
Requirements
This example uses the following software and hardware components:
Configured the uplink ports on the switches as trunk ports. See Configuring
Gigabit Ethernet Interfaces (CLI Procedure) on page 293.
If one physical port is lost for any reason (a cable is unplugged or a switch port
fails, or one member switch is unavailable), the logical port transparently
continues to function over the remaining physical port.
The topology used in this example consists of one virtual chassis access switch and
one virtual chassis distribution switch. The access switch is composed of two
EX 4200-48P switches (SWA-0 and SWA-1), interconnected to each other with their
virtual chassis ports (VCPs) as member switches of Host-A. The distribution switch
is composed of two EX 4200-24F switches (SWD-0 and SWD-1), interconnected with
their VCPs as member switches of Host-D.
Each member of the access switch has an uplink module installed. Each uplink module
has two ports. The uplinks are configured to act as trunk ports, connecting the access
switch with the distribution switch. One uplink port from SWA-0 and one uplink port
from SWA-1 are combined as a LAG ae0 to SWD-0. This link is used for one VLAN.
The remaining uplink ports from SWA-0 and from SWA-1 are combined as a second
LAG connection (ae1) to SWD-1. LAG ae1 is used for another VLAN.
Figure 12: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual
Chassis Distribution Switch
Table 35: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis
Distribution Switch
Member ID  Hostname and VCID                   Base Hardware                Uplink Module                 Trunk Port
SWA-0      Host-A Access switch, VCID 1        EX 4200-48P switch           One EX-UM-2XFP uplink module  xe-0/1/0 to SWD-0; xe-0/1/1 to SWD-1
SWA-1      Host-A Access switch, VCID 1        EX 4200-48P switch           One EX-UM-2XFP uplink module  xe-1/1/0 to SWD-0; xe-1/1/1 to SWD-1
SWD-0      Host-D Distribution switch, VCID 4  EX-series EX 4200-24F switch  One EX-UM-2XFP uplink module  xe-0/1/0 to SWA-0; xe-0/1/1 to SWA-1
SWD-1      Host-D Distribution switch, VCID 4  EX-series EX 4200-24F switch  One EX-UM-2XFP uplink module  xe-1/1/0 to SWA-0; xe-1/1/1 to SWA-1
Configuration
To configure two uplink LAGs from the virtual chassis access switch to the virtual
chassis distribution switch:
CLI Quick Configuration
Step-by-Step Procedure
2. Specify the number of links that need to be present for the ae0 LAG interface
to be up:
[edit interfaces]
user@Host-A# set ae0 aggregated-ether-options minimum-links 2
3. Specify the number of links that need to be present for the ae1 LAG interface
to be up:
[edit interfaces]
user@Host-A# set ae1 aggregated-ether-options minimum-links 2
8. Specify that LAG ae0 belongs to the subnet for the employee broadcast domain:
[edit interfaces]
user@Host-A# set ae0 unit 0 family inet address 192.0.2.0/25
9. Specify that LAG ae1 belongs to the subnet for the guest broadcast domain:
[edit interfaces]
user@Host-A# set ae1 unit 1 family inet address 192.0.2.128/25
Results
}
}
}
ae1 {
aggregated-ether-options {
link-speed 10g;
minimum-links 2;
}
unit 0 {
family inet {
address 192.0.2.128/25;
}
}
xe-0/1/0 {
ether-options {
802.3ad ae0;
}
}
xe-1/1/0 {
ether-options {
802.3ad ae0;
}
}
xe-0/1/1 {
ether-options {
802.3ad ae1;
}
}
xe-1/1/1 {
ether-options {
802.3ad ae1;
}
}
}
Verification
To verify that switching is operational and two LAGs have been created, perform
these tasks:
Admin  Link  Proto  Local          Remote
up     up
up     up    inet   10.10.10.2/24
Meaning
The output confirms that the ae0 link is up and shows the family and IP address
assigned to this link.
Verifying That LAG ae1 Has Been Created
Purpose
Action
Meaning
Troubleshooting
Troubleshooting a LAG That Is Down
Problem
The show interfaces terse command shows that the LAG is down:
Solution
Verify that a LAG is part of family ethernet switching (Layer 2 LAG) or family inet
(Layer 3 LAG).
Verify that the LAG member is connected to the correct LAG at the other end.
Verify that the LAG members belong to the same switch (or the same virtual
chassis).
Related Topics
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch
EX-series switches allow you to combine one to eight Ethernet links into one logical
interface for higher bandwidth and redundancy. The ports that are combined in this
manner are referred to as a link aggregation group (LAG) or bundle. EX-series switches
allow you to further enhance these links by configuring Link Aggregation Control
Protocol (LACP).
This example describes how to overlay LACP on the LAG configurations that were
created in Example: Configuring Aggregated Ethernet High-Speed Uplinks Between
a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 172:
Configuring LACP for the LAGs on the Virtual Chassis Access Switch on page 180
Requirements
This example uses the following software and hardware components:
Set up the virtual chassis switches. See Example: Configuring a Virtual Chassis
with a Master and Backup in a Single Wiring Closet on page 147.
Configured the uplink ports on the switches as trunk ports. See Configuring
Gigabit Ethernet Interfaces (CLI Procedure) on page 293.
NOTE: If the actor and partner are both in passive mode, they do not exchange LACP
packets, which results in the aggregated Ethernet links not coming up. By default,
LACP is in passive mode. To initiate transmission of LACP packets and responses to
LACP packets, you must enable LACP in active mode.
By default, the actor and partner send LACP packets every second. You can configure
the interval at which the interfaces send LACP packets by including the periodic
statement at the [edit interfaces interface-name aggregated-ether-options lacp] hierarchy
level.
The interval can be fast (every second) or slow (every 30 seconds).
Configuring LACP for the LAGs on the Virtual Chassis Access Switch
To configure LACP for the access switch LAGs, perform these tasks:
CLI Quick Configuration
To quickly configure LACP for the access switch LAGs, copy the following commands
and paste them into the switch terminal window:
set interfaces ae0 aggregated-ether-options lacp active periodic fast
set interfaces ae1 aggregated-ether-options lacp active periodic fast
Step-by-Step Procedure
Results
Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch
To configure LACP for the two uplink LAGs from the virtual chassis access switch to
the virtual chassis distribution switch, perform these tasks:
CLI Quick Configuration
To quickly configure LACP for the distribution switch LAGs, copy the following
commands and paste them into the switch terminal window:
[edit interfaces]
set ae0 aggregated-ether-options lacp passive periodic fast
set ae1 aggregated-ether-options lacp passive periodic fast
Step-by-Step Procedure
Results
Verification
To verify that LACP packets are being exchanged, perform these tasks:
Verifying That the LACP Packets Are Being Exchanged on page 182
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No   Yes    No   No   No   Yes     Fast    Active
      xe-0/1/0     Partner    No   Yes    No   No   No   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/0                Defaulted   Fast periodic           Detached
Meaning
The output indicates that the LACP has been set up correctly and is active at one
end.
Meaning
The output here shows that the link is down and that no PDUs are being exchanged.
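An added example, not part of the guide: this Python parses show lacp interfaces output in the layout shown above and flags the two conditions this section describes, both ends left in the passive default (no LACP packets are ever sent) and a Defaulted receive state (no partner PDU has been received, so the Partner row shows local defaults). The "Aggregated interface:" lines and the second, both-passive member xe-0/1/1 on ae1 are constructed for the sample.

```python
import re

# Constructed sample in the layout of "show lacp interfaces": the ae0 member
# xe-0/1/0 reproduces the page's output (active actor, passive partner, no PDUs
# received yet); the ae1 member xe-0/1/1 is a hypothetical bundle member left in
# the passive default on both ends. The "Aggregated interface:" lines are assumed.
SAMPLE_LACP = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No   Yes    No   No   No   Yes     Fast    Active
      xe-0/1/0     Partner    No   Yes    No   No   No   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/0                Defaulted   Fast periodic           Detached
Aggregated interface: ae1
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/1       Actor    No   Yes    No   No   No   Yes     Fast   Passive
      xe-0/1/1     Partner    No   Yes    No   No   No   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/1                Defaulted   Fast periodic           Detached
"""

# Column order of the "LACP state" rows: Exp, Def, Dist, Col, Syn, Aggr.
FLAGS = ("exp", "defaulted", "dist", "col", "syn", "aggr")
STATE_RE = re.compile(
    r"^\s+(?P<iface>\S+)\s+(?P<role>Actor|Partner)"
    + "".join(rf"\s+(?P<{f}>Yes|No)" for f in FLAGS)
    + r"\s+(?P<timeout>Fast|Slow)\s+(?P<activity>Active|Passive)\s*$"
)
PROTO_RE = re.compile(
    r"^\s+(?P<iface>\S+)\s+(?P<rx>Current|Expired|Defaulted|Initialize|"
    r"LACP disabled|Port disabled)\s+(?P<tx>Fast periodic|Slow periodic|"
    r"No periodic|Periodic timer)\s+(?P<mux>\S.*?)\s*$"
)


def parse_lacp(text):
    """Group actor/partner state and protocol state per member interface."""
    records = {}
    bundle = None
    for line in text.splitlines():
        if line.startswith("Aggregated interface:"):
            bundle = line.split(":", 1)[1].strip()
            continue
        s = STATE_RE.match(line)
        if s:
            rec = records.setdefault(s["iface"], {"bundle": bundle})
            rec[s["role"]] = {k: s[k] for k in FLAGS + ("timeout", "activity")}
            continue
        p = PROTO_RE.match(line)
        if p and p["iface"] in records:
            records[p["iface"]].update(rx=p["rx"], tx=p["tx"], mux=p["mux"])
    return records


def diagnose(text):
    """Map each member interface to findings; an empty list means it is collecting and distributing."""
    findings = {}
    for iface, rec in parse_lacp(text).items():
        notes = []
        actor, partner = rec.get("Actor"), rec.get("Partner")
        if actor is None or partner is None:
            findings[iface] = ["incomplete LACP state block"]
            continue
        # The NOTE in this section: passive on both ends means nobody ever sends a PDU.
        if actor["activity"] == "Passive" and partner["activity"] == "Passive":
            notes.append("both ends passive: no LACP PDUs are sent; enable lacp active on one end")
        # Defaulted receive state means no partner PDU has arrived, so the Partner row
        # shows local default values rather than what the far end actually runs.
        if rec.get("rx") == "Defaulted":
            notes.append("receive state Defaulted: no LACP PDU received from the partner")
        if actor["timeout"] != partner["timeout"]:
            notes.append(f"timeout mismatch: actor {actor['timeout']}, partner {partner['timeout']}")
        if actor["dist"] != "Yes" or actor["col"] != "Yes":
            notes.append(f"actor not collecting/distributing (mux state {rec.get('mux', '?')})")
        findings[iface] = notes
    return findings


if __name__ == "__main__":
    for iface, notes in diagnose(SAMPLE_LACP).items():
        print(iface, notes or ["ok"])
```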
Troubleshooting
These are some tips for troubleshooting:
Troubleshooting Nonworking LACP Link
Problem
Solution
Remove the LACP configuration and verify whether the static LAG is up.
Verify whether LACP protocol data units are being exchanged by running the
monitor traffic interface lag-member detail command.
Related Topics
NOTE: When you use a preprovisioned configuration, you cannot modify the
mastership priority or member ID of member switches through the user interfaces.
This example describes how to configure a Virtual Chassis across multiple wiring
closets using a preprovisioned configuration file:
Requirements
This example uses the following hardware and software components:
Before you create the preprovisioned configuration of the Virtual Chassis and
interconnect the members across the wiring closets, be sure you have:
1. Made a list of the serial numbers of all the switches to be connected as a Virtual
Chassis configuration.
2. Noted the desired role (routing-engine or linecard) of each switch. If you configure
the member with a routing-engine role, it is eligible to function as a master or
backup. If you configure the member with a linecard role, it is not eligible to
become a master or backup.
3.
4. Interconnected the member switches within each wiring closet using the
dedicated VCPs on the rear panel of switches. See Connecting a Virtual Chassis
Cable to an EX-series Switch.
5. Powered on the switch that you plan to use as the master switch (SWA-0).
6.
7. Configured SWA-0 with the virtual management Ethernet (VME) interface for
out-of-band management of the Virtual Chassis configuration, if desired:
[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask
configuration file. The master detects the connection of the members through the
dedicated VCPs and applies the parameters specified in the preprovisioned
configuration file.
However, the Virtual Chassis cables that interconnect the VCPs of member switches
within a single wiring closet are not long enough to connect member switches across
wiring closets. Instead, you can use the fiber cable connections in the EX-UM-2XFP
or EX-UM-4SFP uplink modules to interconnect the member switches in wiring closet
A to the member switch in wiring closet B. For redundancy, this example connects
uplink ports from two member switches in wiring closet A (SWA-0 and SWA-2) to
two member switches (SWA-5 and SWA-7) in wiring closet B.
NOTE: You can use either a 10-Gbps Ethernet uplink port (EX-UM-2XFP) or a 1-Gbps
Ethernet uplink port (EX-UM-4SFP) as a VCP interface. When an uplink port is set
as a VCP interface, it cannot be used for any other purpose. The EX-UM-2XFP uplink
module has two 10-Gbps ports; the EX-UM-4SFP has four 1-Gbps ports. You can set
one port as a VCP interface and configure the other port in trunk mode as an uplink
to a distribution switch.
Because this particular preprovisioned configuration is for a Virtual Chassis that is
interconnected across wiring closets, we will bring up the Virtual Chassis configuration
in stages. First, we power on SWA-0 (without powering on any other switches) and
create the preprovisioned configuration file. Then we power on the remaining switches
in wiring closet A. If we check the status of the Virtual Chassis configuration at this
point by using the show virtual-chassis status command, it will display only member
0 through member 4. The members that have not yet been interconnected will not
be listed.
Next power on SWA-5 without powering on the remaining switches (SWA-6 through
SWA-9) in wiring closet B. Bring up SWA-5 as a standalone switch and set one of its
uplinks as a VCP interface prior to interconnecting it with the Virtual Chassis
configuration in wiring closet A. Without this setting, SWA-5 cannot be detected as
a member switch by the master of the Virtual Chassis configuration.
You can set the uplink VCP of SWA-5 without running the EZ Setup program by
directly connecting to the console port. If you wish, you can run the EZ Setup program
and specify identification parameters. When you interconnect SWA-5 with the master
of the Virtual Chassis configuration, the master overwrites any conflicting parameters.
After setting the VCP uplink in SWA-5, connect this VCP uplink with the VCP uplink
of SWA-0 in wiring closet A. SWA-5 (serial number pqr678) is specified as a
routing-engine in the preprovisioned configuration file.
This example uses SWA-5 as the backup of the Virtual Chassis configuration. If a
problem occurs in wiring closet A, SWA-5 would take control of the Virtual Chassis
configuration and maintain the network connections. Specify both SWA-0 and SWA-5
as routing-engine. Because SWA-0 is powered on prior to SWA-5, it has additional
prioritization properties that cause it to be elected as master of the Virtual Chassis
configuration.
After being physically interconnected with SWA-0, SWA-5 reboots and comes up as
member 5 and as the backup of the Virtual Chassis configuration.
Power on the remaining switches (SWA-6 through SWA-9) in wiring closet B. The
master can now detect that all members are present. Finally, for redundancy,
configure an additional VCP uplink on SWA-7 through the master.
The topology for this example consists of:
Four EX-UM-2XFP uplink modules. Two are installed in wiring closet A and two
are installed in wiring closet B.
Table 36 on page 187 shows the Virtual Chassis configuration settings for a
preprovisioned Virtual Chassis composed of member switches in different wiring
closets.
Table 36: Components of a Preprovisioned Virtual Chassis Interconnected Across Multiple Wiring Closets

Switch  Serial number  Member ID  Role            Uplink Ports  Hardware                                   Location
SWA-0   abc123         0          routing-engine  xe-0/1/0      EX 4200-48P and EX-UM-2XFP uplink module   Wiring closet A
SWA-1   def456         1          linecard        -             EX 4200-24T                                Wiring closet A
SWA-2   ghi789         2          linecard        xe-2/1/0      EX 4200-48P and EX-UM-2XFP uplink module   Wiring closet A
SWA-3   jkl012         3          linecard        -             EX 4200-24T                                Wiring closet A
SWA-4   mno345         4          linecard        -             EX 4200-48P                                Wiring closet A
SWA-5   pqr678         5          routing-engine  xe-0/1/0      EX 4200-48P and EX-UM-2XFP uplink module   Wiring closet B
SWA-6   stu901         6          linecard        -             EX 4200-24T                                Wiring closet B
SWA-7   vwx234         7          linecard        xe-7/1/0      EX 4200-24T and EX-UM-2XFP uplink module   Wiring closet B
SWA-8   yza567         8          linecard        -             EX 4200-24T                                Wiring closet B
SWA-9   bcd890         9          linecard        -             EX 4200-48P                                Wiring closet B

NOTE: The member ID of SWA-5 is 0 at the time that its uplink port is configured
as a VCP, which is why its uplink port is listed as xe-0/1/0.
Figure 13 on page 188 shows the different types of interconnections used for this
Virtual Chassis configuration. The rear view shows that the member switches within
each wiring closet are interconnected to each other using the dedicated VCPs. The
front view shows the uplink ports that have been set as VCPs and interconnected
across the wiring closets. The uplink ports that are not set as VCPs can be configured
as trunk ports to connect to a distribution switch.
NOTE: The interconnections shown in this figure are the same as they would be for
a configuration that was not preprovisioned across wiring closets.
Figure 13: Maximum Size Virtual Chassis Interconnected Across Wiring Closets
Configuration
To configure the Virtual Chassis across multiple wiring closets using a preprovisioned
configuration, perform these tasks:
NOTE: We recommend that you use the commit synchronize command to save any
configuration changes that you make to a multimember Virtual Chassis configuration.
CLI Quick Configuration
To quickly configure the preprovisioned Virtual Chassis, copy the following commands
and paste them into the terminal window of SWA-0:
[edit virtual-chassis]
set preprovisioned
set member 0 serial-number abc123 role routing-engine
set member 1 serial-number def456 role linecard
set member 2 serial-number ghi789 role linecard
set member 3 serial-number jkl012 role linecard
set member 4 serial-number mno345 role linecard
set member 5 serial-number pqr678 role routing-engine
set member 6 serial-number stu901 role linecard
set member 7 serial-number vwx234 role linecard
set member 8 serial-number yza567 role linecard
set member 9 serial-number bcd890 role linecard
Step-by-Step Procedure
2. Specify all the members that will be included in the Virtual Chassis configuration,
listing each switch's serial number with the desired member ID and the desired
role:
[edit virtual-chassis]
user@SWA-0# set member 0 serial-number abc123 role routing-engine
user@SWA-0# set member 1 serial-number def456 role linecard
user@SWA-0# set member 2 serial-number ghi789 role linecard
user@SWA-0# set member 3 serial-number jkl012 role linecard
user@SWA-0# set member 4 serial-number mno345 role linecard
user@SWA-0# set member 5 serial-number pqr678 role routing-engine
user@SWA-0# set member 6 serial-number stu901 role linecard
user@SWA-0# set member 7 serial-number vwx234 role linecard
user@SWA-0# set member 8 serial-number yza567 role linecard
user@SWA-0# set member 9 serial-number bcd890 role linecard
3.
4. Prepare the members in wiring closet A for interconnecting with the member
switches in wiring closet B by setting uplink VCPs for member 0 and member 2:
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0
NOTE:
For redundancy, this example sets an uplink VCP interface in both SWA-0 and
SWA-2.
This example omits the member 0 option when setting the uplink VCP for SWA-0.
The command applies by default to the switch where it is executed.
5.
6. Set the first uplink of SWA-5 to function as a VCP interface. Because SWA-5 has
been powered on as a separate switch and is still operating independently at
this point, its member ID is 0.
user@SWA-5> request virtual-chassis vc-port set pic-slot 1 port 0
NOTE: This example omits the member 0 option when configuring the uplink VCP
for SWA-5 (at this point the member ID of SWA-5 is still 0). The command applies
by default to the switch where it is executed.
7. Power off SWA-5 and connect the fiber cable from SWA-5 uplink port xe-0/1/0
to the uplink port xe-0/1/0 on SWA-0.
8. Power on SWA-5.
9. Now that SWA-5 has been brought up as member 5 of the Virtual Chassis
configuration, power on the remaining switches (SWA-6 through SWA-9) in
wiring closet B. They are interconnected with SWA-5 using the dedicated VCPs
on the rear panel and are therefore detected by the master as interconnected
members. If you check the status of the Virtual Chassis configuration at this
point, all the members that were specified in the preprovisioned configuration
file should be displayed as present. Additional configuration for member switches
can now be done through the master switch.
10.
Results
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the Member IDs and Roles of the Member Switches on page 192
Verifying That the Dedicated VCPs and Uplink VCPs Are Operational on page 193
Verifying the Member IDs and Roles of the Member Switches
Purpose
Verify that the member IDs and roles are all set as expected.
Action
Display the members of the Virtual Chassis configuration:
user@SWA-0> show virtual-chassis status

Preprovisioned Virtual Chassis
Virtual Chassis ID: 0000.e255.0000
                                              Mastership              Neighbor List
Member ID  Status   Serial No   Model         Priority   Role         ID  Interface
0 (FPC 0)  Prsnt    abc123      ex4200-48p    129        Master*       1  vcp-0
                                                                       4  vcp-1
                                                                       5  1/0
1 (FPC 1)  Prsnt    def456      ex4200-24t    0          Linecard      2  vcp-0
                                                                       0  vcp-1
2 (FPC 2)  Prsnt    ghi789      ex4200-48p    0          Linecard      3  vcp-0
                                                                       1  vcp-1
                                                                       7  1/0
3 (FPC 3)  Prsnt    jkl012      ex4200-24t    0          Linecard      4  vcp-0
                                                                       2  vcp-1
4 (FPC 4)  Prsnt    mno345      ex4200-48p    0          Linecard      0  vcp-0
                                                                       3  vcp-1
5 (FPC 5)  Prsnt    pqr678      ex4200-48p    129        Backup        6  vcp-0
                                                                       9  vcp-1
                                                                       0  1/0
6 (FPC 6)  Prsnt    stu901      ex4200-24t    0          Linecard      7  vcp-0
                                                                       5  vcp-1
7 (FPC 7)  Prsnt    vwx234      ex4200-24t    0          Linecard      8  vcp-0
                                                                       6  vcp-1
                                                                       2  1/0
8 (FPC 8)  Prsnt    yza567      ex4200-24t    0          Linecard      9  vcp-0
                                                                       7  vcp-1
9 (FPC 9)  Prsnt    bcd890      ex4200-48p    0          Linecard      5  vcp-0
                                                                       8  vcp-1
Meaning
The output shows that all members listed in the preprovisioned configuration file are
connected to the Virtual Chassis configuration. It confirms that SWA-0 (member 0)
is functioning as the master of the Virtual Chassis configuration, which was the
intention of the configuration procedure. The other configured routing-engine (SWA-5)
is functioning as the backup. The Neighbor List displays the interconnections of the
member VCPs.
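Preprovisioning binds each member ID to a serial number, which is what keeps a switch that is not in the file from joining when it is cabled into a VCP. That protection only holds while the file on the master still matches the inventory you intended, so the verification above is worth automating. The following Python script is an added example, not code from the JUNOS guide: it generates the set member statements for the inventory of Table 36 (rejecting an inventory that does not have exactly two routing-engine members, since only two may be specified) and audits show virtual-chassis status output against that inventory, flagging serials that are present but not in the inventory, members whose ID or role differs from what was provisioned, and provisioned members that are absent. The INVENTORY dictionary and both status samples are constructed; the sample rows omit the neighbor-list continuation lines.

```python
"""Generate the preprovisioned Virtual Chassis member statements from an
inventory and audit `show virtual-chassis status` against that inventory.

Added example, not code from the JUNOS guide. INVENTORY repeats the serial
numbers and roles of Table 36; the status samples are constructed in the
column layout shown on this page (neighbor-list continuation lines omitted)."""
import re

# Constructed inventory kept outside the switch (for example in version
# control): member ID -> (serial number, role).
INVENTORY = {
    0: ("abc123", "routing-engine"), 1: ("def456", "linecard"),
    2: ("ghi789", "linecard"),       3: ("jkl012", "linecard"),
    4: ("mno345", "linecard"),       5: ("pqr678", "routing-engine"),
    6: ("stu901", "linecard"),       7: ("vwx234", "linecard"),
    8: ("yza567", "linecard"),       9: ("bcd890", "linecard"),
}


def preprovision_config(inventory):
    """Return the statements to paste under [edit virtual-chassis].

    Exactly two members may hold the routing-engine role, so that is
    checked here before anything reaches the switch."""
    res = [m for m, (_, role) in inventory.items() if role == "routing-engine"]
    if len(res) != 2:
        raise ValueError(f"need exactly two routing-engine members, got {res}")
    lines = ["set preprovisioned"]
    for member in sorted(inventory):
        serial, role = inventory[member]
        lines.append(f"set member {member} serial-number {serial} role {role}")
    return lines


# Member rows look like: "0 (FPC 0)  Prsnt  abc123  ex4200-48p  129  Master* ..."
MEMBER_RE = re.compile(
    r"^(\d+)\s+\(FPC\s+\d+\)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(Master\*?|Backup|Linecard)"
)


def parse_status(text):
    """Map member ID -> (status, serial, role) from show virtual-chassis status."""
    members = {}
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            member, status, serial, _model, _prio, role = m.groups()
            members[int(member)] = (status, serial, role.rstrip("*"))
    return members


def audit(inventory, status):
    """Compare live membership with the authoritative inventory.

    A preprovisioned master admits only serials in its own file, so a serial
    that is present but not in the inventory means the file on the switch
    has drifted from the inventory (or was edited to admit another switch).
    Wrong member IDs, wrong roles and absent members are flagged as well."""
    findings = []
    expected = {serial: (mid, role) for mid, (serial, role) in inventory.items()}
    for mid, (_status, serial, role) in sorted(status.items()):
        if serial not in expected:
            findings.append(f"member {mid}: serial {serial} is not in the inventory")
            continue
        want_id, want_role = expected[serial]
        if want_id != mid:
            findings.append(f"serial {serial}: member ID {mid}, inventory says {want_id}")
        is_re = role in ("Master", "Backup")
        if is_re != (want_role == "routing-engine"):
            findings.append(f"member {mid}: role {role}, inventory says {want_role}")
    present = {serial for _, serial, _ in status.values()}
    for serial, (mid, _) in sorted(expected.items(), key=lambda kv: kv[1][0]):
        if serial not in present:
            findings.append(f"member {mid}: serial {serial} provisioned but not present")
    return findings


# Constructed status output for the chassis of Table 36.
STATUS_OK = """\
Preprovisioned Virtual Chassis
Virtual Chassis ID: 0000.e255.0000
                                            Mastership           Neighbor List
Member ID  Status   Serial No  Model        Priority  Role        ID  Interface
0 (FPC 0)  Prsnt    abc123     ex4200-48p   129       Master*      1  vcp-0
1 (FPC 1)  Prsnt    def456     ex4200-24t   0         Linecard     2  vcp-0
2 (FPC 2)  Prsnt    ghi789     ex4200-48p   0         Linecard     3  vcp-0
3 (FPC 3)  Prsnt    jkl012     ex4200-24t   0         Linecard     4  vcp-0
4 (FPC 4)  Prsnt    mno345     ex4200-48p   0         Linecard     0  vcp-0
5 (FPC 5)  Prsnt    pqr678     ex4200-48p   129       Backup       6  vcp-0
6 (FPC 6)  Prsnt    stu901     ex4200-24t   0         Linecard     7  vcp-0
7 (FPC 7)  Prsnt    vwx234     ex4200-24t   0         Linecard     8  vcp-0
8 (FPC 8)  Prsnt    yza567     ex4200-24t   0         Linecard     9  vcp-0
9 (FPC 9)  Prsnt    bcd890     ex4200-48p   0         Linecard     5  vcp-0
"""

# Same chassis, but member 9 is now a switch whose serial is not in the inventory.
STATUS_DRIFT = STATUS_OK.replace("bcd890", "zzz999")

if __name__ == "__main__":
    print("\n".join(preprovision_config(INVENTORY)))
    print(audit(INVENTORY, parse_status(STATUS_OK)))
    print(audit(INVENTORY, parse_status(STATUS_DRIFT)))
```

Run the audit after every change to the chassis and from a scheduled job; an empty list is the expected result, and any finding about a serial that is not in the inventory should be treated as a change to the chassis membership that nobody approved.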
Verifying That the Dedicated VCPs and Uplink VCPs Are Operational
Purpose
Verify that the dedicated VCPs interconnecting the member switches within each
wiring closet and the uplink VCPs interconnecting the member switches across wiring
closets are operational.
Action
Display the Virtual Chassis interfaces:
user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up
1/0         Configured   Up

fpc1:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up

fpc2:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up
1/0         Configured   Up

fpc3:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up

fpc4:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up

fpc5:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up
1/0         Configured   Up

fpc6:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up

fpc7:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up
1/0         Configured   Up

fpc8:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up

fpc9:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up
Meaning
The dedicated VCPs interconnecting the member switches within wiring closets are
displayed as vcp-0 and vcp-1. The uplink VCP ports interconnecting member switches
(members 0, 2, 5 and 7) across wiring closets are displayed as 1/0 (PIC 1, port 0)
and identified as Configured. A Dedicated port that is not Up, or a member that
should carry an uplink VCP but shows no Configured entry, should be investigated;
see Troubleshooting Nonoperational VCPs.
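An uplink port that has been set as a VCP stops being a network-facing port and becomes part of the chassis fabric, so the set of Configured entries in this output is a statement of where the Virtual Chassis trust boundary lies. The following Python script is an added example, not code from the JUNOS guide: it parses show virtual-chassis vc-port all-members output in the layout shown above and compares it with a design dictionary of which members are meant to carry uplink VCPs, flagging a dedicated VCP that is not Up, an uplink VCP on a member where none was planned, a planned uplink VCP that is missing, and a planned one that is Down. The sample output is constructed for a four-member chassis, and the DESIGN dictionary is an assumption.

```python
"""Audit `show virtual-chassis vc-port all-members` output: every dedicated
VCP must be Up, and uplink ports converted to VCPs must appear only where
the design says they should.

Added example, not code from the JUNOS guide. The sample is constructed in
the layout shown on this page for a smaller, four-member chassis."""
import re

FPC_RE = re.compile(r"^fpc(\d+):\s*$")
# Data rows: "vcp-0  Dedicated  Up" or "1/0  Configured  Up".
PORT_RE = re.compile(r"^\s*(\S+)\s+(Dedicated|Configured)\s+(Up|Down)\s*$")


def parse_vc_ports(text):
    """Map member (fpc) number -> list of (port, type, status) tuples."""
    ports, fpc = {}, None
    for line in text.splitlines():
        m = FPC_RE.match(line)
        if m:
            fpc = int(m.group(1))
            ports[fpc] = []
            continue
        m = PORT_RE.match(line)
        if m and fpc is not None:
            ports[fpc].append(m.groups())
    return ports


def check_vc_ports(ports, expected_uplinks):
    """expected_uplinks: {member: {"pic/port", ...}} set as VCPs by design.

    An uplink VCP on a member the design does not list is flagged: once a
    port is a VCP it carries chassis membership traffic instead of user
    data, so an unexpected one widens the trust boundary. Dedicated ports
    that are not Up break the ring within a wiring closet and are flagged too."""
    findings = []
    for fpc in sorted(set(ports) | set(expected_uplinks)):
        entries = ports.get(fpc, [])
        dedicated = {p: st for p, kind, st in entries if kind == "Dedicated"}
        for name in ("vcp-0", "vcp-1"):
            if dedicated.get(name) != "Up":
                findings.append(f"fpc{fpc}: dedicated {name} is {dedicated.get(name, 'missing')}")
        configured = {p: st for p, kind, st in entries if kind == "Configured"}
        want = set(expected_uplinks.get(fpc, ()))
        for name in sorted(set(configured) - want):
            findings.append(f"fpc{fpc}: uplink {name} is a VCP but not in the design")
        for name in sorted(want - set(configured)):
            findings.append(f"fpc{fpc}: designed uplink VCP {name} is not configured")
        for name in sorted(want & set(configured)):
            if configured[name] != "Up":
                findings.append(f"fpc{fpc}: uplink VCP {name} is {configured[name]}")
    return findings


# Constructed sample: members 0 and 2 carry the planned uplink VCPs, member 1
# has an uplink VCP nobody planned, and member 3 has a dedicated VCP down.
SAMPLE = """\
fpc0:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up
1/0         Configured   Up

fpc1:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up
1/1         Configured   Up

fpc2:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up
1/0         Configured   Up

fpc3:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Down
"""

# Assumed design: only members 0 and 2 are meant to have uplink VCPs.
DESIGN = {0: {"1/0"}, 2: {"1/0"}}

if __name__ == "__main__":
    print(check_vc_ports(parse_vc_ports(SAMPLE), DESIGN))
```

For the ten-member chassis of this example the design dictionary would list 1/0 on members 0, 2, 5 and 7, and a clean run returns an empty list.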
Troubleshooting
To troubleshoot a preprovisioned Virtual Chassis configuration that is interconnected
across wiring closets, perform these tasks:
Troubleshooting Nonoperational VCPs
Problem
Solution
Check the cable to make sure that it is properly and securely connected to the ports.
Related Topics
Chapter 17
Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 206
Configuring the Timer for the Backup Member to Start Using Its Own MAC
Address, as Master of Virtual Chassis (CLI Procedure) on page 210
NOTE: The Virtual Chassis option is not available for EX 3200 switches.
2.
The second section displays the operational status of the Virtual Chassis
configuration, member details, and the dedicated and configured Virtual Chassis
ports (VCPs).
3.
4. Click one:
5.
6. To delete an uplink VCP from a member, select the member in the Virtual Chassis
members list and select Action > Delete Uplink Port as VCP.
Table of J-Web Virtual Chassis fields (columns: Function, Your Action); rows: Member ID, Priority, Disable, Management VLAN, Refresh, Member Details.
Related Topics
NOTE: A multimember Virtual Chassis configuration has two Routing Engines, one
in the master and the other in the backup. Therefore, we recommend that you always
use commit synchronize rather than simply commit to save configuration changes
made for a Virtual Chassis. This ensures that the configuration changes are saved in
both Routing Engines.
A Virtual Chassis can be configured with either:
1. Make a list of the serial numbers of all the switches to be connected in a Virtual
Chassis configuration.
2. Note the desired role (routing-engine or linecard) of each switch. If you configure
the member with a routing-engine role, it is eligible to function as a master or
backup. If you configure the member with a linecard role, it is not eligible to
become a master or backup.
3. Interconnect the member switches using the dedicated VCPs on the rear panel
of switches. See Connecting a Virtual Chassis Cable to an EX-series Switch.
NOTE: Arrange the switches in sequence, either from top to bottom or from bottom
to top (0 through 9).
4. Power on only the switch that you plan to use as the master switch (SWA-0). Do
not power on the other switches at this time.
5.
NOTE: The properties that you specify for SWA-0 apply to the entire Virtual Chassis
configuration, including all the members listed in the preprovisioned configuration
file.
6. Configure SWA-0 with the virtual management Ethernet (VME) interface for
out-of-band management of the Virtual Chassis configuration, if desired:
[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask
7.
8. Specify all the members that you want to include in the Virtual Chassis
configuration, listing each switch's serial number with the desired member ID
and the desired role:
[edit virtual-chassis]
user@SWA-0# set member 0 serial-number abc123 role routing-engine
user@SWA-0# set member 1 serial-number def456 role linecard
user@SWA-0# set member 2 serial-number ghi789 role linecard
user@SWA-0# set member 3 serial-number jkl012 role linecard
user@SWA-0# set member 4 serial-number mno345 role linecard
user@SWA-0# set member 5 serial-number pqr678 role routing-engine
user@SWA-0# set member 6 serial-number stu901 role linecard
user@SWA-0# set member 7 serial-number vwx234 role linecard
user@SWA-0# set member 8 serial-number yza567 role linecard
user@SWA-0# set member 9 serial-number bcd890 role linecard
9.
NOTE: You cannot modify the mastership-priority when you are using a preprovisioned
configuration. The mastership priority values are generated automatically and
controlled by the role that is assigned to the member switch in the configuration file.
The two routing engines are assigned the same mastership priority value. However,
the member that was powered on first has higher prioritization according to the
master election algorithm. See Understanding How the Master in a Virtual Chassis
Configuration Is Elected on page 140.
1. Interconnect the member switches using the dedicated VCPs on the rear panel
of switches. See Connecting a Virtual Chassis Cable to an EX-series Switch.
NOTE: Arrange the switches in sequence, either from top to bottom or from bottom
to top (0 through 9).
2. Power on only the switch that you plan to use as the master switch (SWA-0). Do
not power on the other switches at this time.
3.
NOTE: The properties that you specify for SWA-0 apply to the entire Virtual Chassis
configuration, including all the members interconnected through VCPs.
4. Configure SWA-0 with the virtual management Ethernet (VME) interface for
out-of-band management of the Virtual Chassis configuration, if desired:
[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask
5. Configure mastership priority for the master, backup, and other members, if
desired:
[edit virtual-chassis]
user@SWA-0# set member 0 mastership-priority 255
user@SWA-0# set member 5 mastership-priority 255
6.
NOTE: If you do not edit the Virtual Chassis configuration file, a nonprovisioned
configuration is generated by default. The mastership priority value for each member
switch is 128. The master role is selected by default. You can change the role that
is performed by the members by modifying the mastership-priority. See Configuring
Mastership of the Virtual Chassis (CLI Procedure) on page 204. We recommend that
you specify the same mastership priority value for the desired master and backup
members. We have assigned the highest possible mastership priority to two members.
However, the member that was powered on first has higher prioritization according
to the master election algorithm. See Understanding How the Master in a Virtual
Chassis Configuration Is Elected on page 140. We have allowed the other members
to use the default mastership priority, which qualifies them to function in the role of
linecard.
NOTE: If you want to change the member ID that the master has assigned to a
member switch, use the request virtual-chassis renumber on page 245 command.
Related Topics
Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 206
Adding a New Switch from a Different Wiring Closet to an Existing Virtual Chassis
Configuration on page 203
To add a new member switch to an existing Virtual Chassis configuration within the
same wiring closet:
1. If the new member switch has been previously configured, revert that switch's
configuration to the factory defaults. See Reverting to the Default Factory
Configuration for the EX-series Switch.
2. Interconnect the unpowered new switch to at least one member of the existing
Virtual Chassis configuration, using the dedicated Virtual Chassis ports (VCPs).
3.
4. Confirm that the new member switch is now included within the Virtual Chassis
configuration by checking the front-panel display for the member ID. It should
display a member ID that is higher than 0 (1 through 9), because there is already
at least one member of the Virtual Chassis configuration.
Reverted the new member switch to the factory defaults if it has been previously
configured. See Reverting to the Default Factory Configuration for the EX-series
Switch.
Prepared an existing member for interconnecting with the new switch through
an uplink port by configuring an uplink port as a VCP on the existing member.
To add a new member switch that is going to be interconnected with the existing
Virtual Chassis configuration across wiring closets:
1.
2. Connect a laptop or terminal to the console port of the switch, or use EZ Setup
on the standalone switch to specify temporary identification parameters. (When
you interconnect the new member switch with the existing Virtual Chassis
configuration, the master will overwrite and disable any specified parameters
that conflict with the Virtual Chassis parameters or assigned member
configuration.)
3. Use the CLI or the J-Web interface to set the uplink ports as VCP interfaces.
NOTE: If you are using a nonprovisioned configuration, you may wish to configure
the new member switch with a mastership priority value that is less than that of the
existing member switches. Doing so ensures that the new member switch will function
in a linecard role when it is included within the Virtual Chassis configuration.
4.
5. Interconnect the new member switch to at least one member of the existing
Virtual Chassis configuration, using the uplink ports that have been configured
as VCPs.
6.
7. Confirm that the new member switch is now included within the Virtual Chassis
configuration by checking the front-panel display for the member ID. It should
display a member ID that is higher than 0 (1 through 9), because there is already
at least one member of the Virtual Chassis configuration.
Related Topics
NOTE: A multimember Virtual Chassis configuration has two Routing Engines, one
in the master and the other in the backup. Therefore, we recommend that you always
use commit synchronize rather than simply commit to save configuration changes
made for a Virtual Chassis. This ensures that the configuration changes are saved in
both Routing Engines.
This topic describes:
1. Note the serial numbers of the switches that you want to function in the master
role and backup role.
2. Power on only the switch (SWA-0) that you want to function in the master role.
3.
4. List the serial numbers of the member switches that you want to function as
master and backup, specifying their role as routing-engine:
[edit]
user@SWA-0# set virtual-chassis member 0 serial-number abc123 role routing-engine
user@SWA-0# set virtual-chassis member 2 serial-number def456 role routing-engine
NOTE: You cannot directly modify the mastership priority value when you are using
a preprovisioned configuration. The mastership priority values are generated
automatically and controlled by the role that is assigned to the member switch in
the configuration file. The two members assigned the routing-engine role are assigned
the same mastership priority value (129, as shown in the show virtual-chassis status
output). However, the member that was powered on first has higher prioritization
according to the master election algorithm. See Understanding How the Master in a
Virtual Chassis Configuration Is Elected on page 140. Only two members can be
specified with the routing-engine role.
5. List the serial numbers of any other member switches that you want to include
in the Virtual Chassis configuration. You may also specify their role as linecard,
if desired.
1. Power on only the switch that you want to function in the master role (SWA-0).
2. Configure the highest possible mastership priority value (255) for the member
that you want to function in the master role:
[edit virtual-chassis]
user@SWA-0# set member 0 mastership-priority 255
3. Configure the same mastership priority value (continue to edit the Virtual Chassis
configuration on the master) for the member that you want to be the backup
(SWA-1):
[edit virtual-chassis]
user@SWA-0# set member 1 mastership-priority 255
NOTE: We recommend that the master and backup have the same mastership
priority value to prevent the master and backup status from switching back and forth
between master and backup members in failover conditions.
4. Use the default mastership priority value (128) for the remaining member
switches or configure the mastership priority to a value that is lower than the
value specified for members functioning in the master and backup roles.
Related Topics
Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual
Chassis Member on page 216
connecting the uplink ports. To use the uplink ports for interconnecting member
switches, you must explicitly set the uplink ports as VCPs.
NOTE: You can use either a 10-Gbps Ethernet uplink port (EX-UM-2XFP) or a 1-Gbps
Ethernet uplink port (EX-UM-4SFP) as a VCP interface. When an uplink port is set
as a VCP interface, it cannot be used for any other purpose. The EX-UM-2XFP uplink
module has two 10-Gbps ports; the EX-UM-4SFP has four 1-Gbps ports. You can set
one port as a VCP interface and configure the other port in trunk mode as an uplink
to a distribution switch.
Before you set an uplink as a VCP:
1.
2. Power on and connect to the switch that you plan to designate as the master of
the Virtual Chassis configuration.
3. Run EZ Setup on the switch that you are configuring to be the master. Follow
the prompts to specify the host name and other identification, time zone, and
network properties. See Connecting and Configuring the EX-series Switch (CLI
Procedure) on page 57 or Connecting and Configuring the EX-series Switch
(J-Web Procedure) on page 58 for details. The properties that you specify for
the master apply to the entire Virtual Chassis configuration, including all the
member switches that you later interconnect with the master.
4. If you want to configure and manage the Virtual Chassis configuration remotely,
specify the VME global management interface. You can configure the VME global
management interface when you are setting up the master or you can do it after
completing the other configuration steps for the Virtual Chassis. See Configuring
the Virtual Management Ethernet Interface for Global Management of a Virtual
Chassis (CLI Procedure) on page 210.
5.
NOTE: A multimember Virtual Chassis configuration has two Routing Engines, one
in the master and the other in the backup. Therefore, we recommend that you always
use commit synchronize rather than simply commit to save configuration changes
made for a Virtual Chassis configuration. This ensures that the configuration changes
are saved in both Routing Engines.
To interconnect a Virtual Chassis configuration across longer distances, such as wiring
closets, you need to:
Prepare the potential member switch for interconnecting with the existing Virtual
Chassis configuration by setting at least one uplink VCP on the standalone switch.
NOTE: We recommend that you set two uplink VCPs within each wiring closet for
redundancy.
This topic describes:
1. Setting an Uplink VCP on the Master or on an Existing Member on page 208
2. Setting an Uplink VCP on a Standalone Switch on page 208
1. Set one uplink port of member 0 (the master) as a VCP interface. You do not
need to specify the member member-id option, because the command applies by
default on the member where it is executed.
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0
2.
To set one uplink VCP on the potential member (SWA-2), which is currently operating
as a standalone switch:
1.
2. Set one uplink port as a VCP interface. You do not need to specify the member
member-id option, because the command applies by default on the member
where it is executed.
user@SWA-2> request virtual-chassis vc-port set pic-slot 1 port 0
NOTE: If you do specify the member member-id option, use member ID 0. Because
the switch is not yet interconnected with the other members of the Virtual Chassis
configuration, its current member ID is 0. Its member ID will change when it is
interconnected with the Virtual Chassis configuration. It does not impact the
functioning of the uplink VCP that its VCP interface is set with 0 as the member ID.
The VCP interface has significance only on the local switch.
3. After you have set the uplink VCP on the standalone switch, physically
interconnect its uplink port with the VCP uplink ports of the members in the
existing Virtual Chassis configuration.
4. The new member switch reboots and joins the now expanded Virtual Chassis
configuration with a different member ID.
NOTE: Its setting for the uplink VCP remains intact and is not affected by the change
of member ID.
5. If you have additional members in the second wiring closet, set a redundant VCP
uplink on another member switch by issuing the command through the master
of the Virtual Chassis configuration.
Related Topics
Configuring the Virtual Management Ethernet Interface for Global Management of a Virtual
Chassis (CLI Procedure)
If you want to configure and manage a Virtual Chassis remotely through SSH or
Telnet, configure the virtual management Ethernet (VME) interface on the master of
the Virtual Chassis. You can configure and manage all members of the Virtual Chassis
through this single global interface.
1.
2. Check the front-panel LCD to confirm that the switch has powered on correctly.
3. Run the EZ Setup program on the switch, specifying the identification parameters.
See Connecting and Configuring the EX-series Switch (CLI Procedure) on page
57 or Connecting and Configuring the EX-series Switch (J-Web
Procedure) on page 58 for details.
Related Topics
Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as
Master of Virtual Chassis (CLI Procedure)
When a backup member takes control of a Virtual Chassis configuration because of
a reset or other temporary failure, the backup uses the MAC address of the old master.
This helps to ensure a smooth transition of mastership with no disruption to network
connectivity.
The MAC persistence timer is used in situations when the master is no longer a
member of the Virtual Chassis configuration, because it has been physically
disconnected or removed. If the old master does not rejoin the Virtual Chassis
configuration before the timer elapses, the new master starts using its own MAC
address.
The default timer value is 10 minutes. There are no minimum or maximum limits.
Before you begin configuring the timer, ensure that you have at least two member
switches in the Virtual Chassis configuration. To configure or modify the MAC
persistence timer, use the following command:
[edit virtual-chassis]
user@switch# set mac-persistence-timer 30
This command modifies the MAC persistence timer value to specify a timer value of
30 minutes rather than the default timer value of 10 minutes.
Chapter 18
Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member on page 216
Verifying That the Virtual Chassis Ports Are Operational on page 217
Table 38: Commands That Can be Run on All or Specific Members of the Virtual Chassis Configuration
Command (available for command forwarding with the all-members and member member-id options) | Purpose
show version |
show chassis environment |
show configuration (excluding any SECRET-DATA) |
show system virtual-memory |
| Display systemwide protocol-related statistics.
Table 39 on page 216 shows a list of commands that are relevant only to the master.
Do not use the options all-members or member member-id with these commands.
Table 39: Commands Relevant Only to the Master
Command | Purpose
set date |
| Display information about the buffer pool that the Routing Engine uses for local traffic. Local traffic is the routing and management traffic that is exchanged between the Routing Engine and the Packet Forwarding Engine within the switch, as well as the routing and management traffic from IP (that is, from OSPF, BGP, SNMP, ping operations, and so on).
| Display information about the active IP sockets on the Routing Engine. Use this command to verify which servers are active on a system and which connections are currently in progress.
| Display information about software processes that are running on the switch and that have controlling terminals.
Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member
Purpose
You can designate the role that a member performs within a Virtual Chassis
configuration or you can allow the role to be assigned by default. You can designate
the member ID that is assigned to a specific switch by creating a permanent
association between the switch's serial number and a member ID, using a
preprovisioned configuration. Or you can let the member ID be assigned by the
master, based on the sequence in which the member switch is powered on and on
which member IDs are currently available.
The role and member ID of the member switch are displayed on the front-panel LCD.
Each member switch can be cabled to one or two other member switches, using
either the dedicated Virtual Chassis ports (VCPs) on the rear panel or an uplink port
that has been set as a VCP. The members that are cabled together are considered
neighbor members.
Action
To display the role and member ID assignments using the CLI, use the show
virtual-chassis status command (see page 250):
user@SWA-0> show virtual-chassis status
Virtual Chassis ID: 0000.e255.00e0
                                                 Mastership           Neighbor List
Member ID   Status   Serial No   Model        priority     Role       ID  Interface
0 (FPC 0)   Prsnt    abc123      ex4200-48p   255          Master*    1   vcp-0
                                                                      2   vcp-1
1 (FPC 1)   Prsnt    def456      ex4200-24t   255          Backup     2   vcp-0
                                                                      0   vcp-1
2 (FPC 2)   Prsnt    abd231      ex4200-24p   128          Linecard   0   vcp-0
                                                                      1   vcp-1
Meaning
This output verifies that three EX 4200 switches have been interconnected as a Virtual
Chassis configuration using their dedicated VCPs. The display shows which of the
VCPs is connected to which neighbor. The first port (vcp-0) of member 0 is connected
to member 1 and the second port of member 0 (vcp-1) is connected to member 2.
The FPC slots for EX-series switches are the same as the member IDs.
The Mastership Priority values indicate that the master and backup members have
been explicitly configured, because they are not using the default value (128).
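The status display above can be audited mechanically rather than read by eye. The following Python is an added example, not Juniper's code: it parses output in this layout (a constructed sample, including a NotPrsnt member) and flags an unexpected master or backup count, a master or backup left at the default priority, VCP links not reported by both neighbors, serial numbers outside an assumed preprovisioned set, and stale NotPrsnt member IDs.

```python
"""Audit 'show virtual-chassis status' output. Added example, not Juniper's
code: it parses output laid out like the display above and applies the checks
an operator reviewing a Virtual Chassis would want."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_PRIORITY = 128  # mastership priority when none is configured

# Constructed sample in the same layout as the CLI output on this page, with a
# fourth member ID that is assigned but no longer connected (NotPrsnt).
SAMPLE = """\
Virtual Chassis ID: 0000.e255.00e0
                                                 Mastership           Neighbor List
Member ID   Status   Serial No   Model        priority     Role       ID  Interface
0 (FPC 0)   Prsnt    abc123      ex4200-48p   255          Master*    1   vcp-0
                                                                      2   vcp-1
1 (FPC 1)   Prsnt    def456      ex4200-24t   255          Backup     2   vcp-0
                                                                      0   vcp-1
2 (FPC 2)   Prsnt    abd231      ex4200-24p   128          Linecard   0   vcp-0
                                                                      1   vcp-1
3 (FPC 3)   NotPrsnt
"""
# Assumed serial numbers from the preprovisioned configuration (constructed).
EXPECTED_SERIALS = {"abc123", "def456", "abd231"}

MEMBER_RE = re.compile(
    r"^(?P<id>\d+) \(FPC \d+\)\s+(?P<status>Prsnt|NotPrsnt)"
    r"(?:\s+(?P<serial>\S+)\s+(?P<model>\S+)\s+(?P<prio>\d+)\s+"
    r"(?P<role>[A-Za-z]+)(?P<star>\*?))?"
    r"(?:\s+(?P<nid>\d+)\s+(?P<nif>\S+))?\s*$"
)
# Second neighbor of a member is printed on its own indented continuation row.
NEIGHBOR_RE = re.compile(r"^\s+(?P<nid>\d+)\s+(?P<nif>\S+)\s*$")


@dataclass
class Member:
    member_id: int
    status: str
    serial: Optional[str] = None
    model: Optional[str] = None
    priority: Optional[int] = None
    role: Optional[str] = None
    neighbors: List[Tuple[int, str]] = field(default_factory=list)


def parse_status(text: str) -> Tuple[Optional[str], Dict[int, Member]]:
    """Return (Virtual Chassis ID, members keyed by member ID)."""
    vc_id = None
    members: Dict[int, Member] = {}
    current: Optional[Member] = None
    for line in text.splitlines():
        if line.startswith("Virtual Chassis ID:"):
            vc_id = line.split(":", 1)[1].strip()
            continue
        m = MEMBER_RE.match(line)
        if m:
            current = Member(int(m["id"]), m["status"], m["serial"], m["model"],
                             int(m["prio"]) if m["prio"] else None, m["role"])
            members[current.member_id] = current
            if m["nid"]:
                current.neighbors.append((int(m["nid"]), m["nif"]))
            continue
        n = NEIGHBOR_RE.match(line)
        if n and current is not None:
            current.neighbors.append((int(n["nid"]), n["nif"]))
    return vc_id, members


def audit(text: str, expected_serials: Set[str]) -> List[str]:
    """Findings that warrant a look; an empty list means the status is as expected."""
    _, members = parse_status(text)
    findings: List[str] = []
    present = [m for m in members.values() if m.status == "Prsnt"]
    for role in ("Master", "Backup"):
        holders = [m.member_id for m in present if m.role == role]
        if len(holders) != 1:
            findings.append(f"expected exactly one {role}, found members {holders}")
    for m in present:
        if m.role in ("Master", "Backup") and m.priority == DEFAULT_PRIORITY:
            findings.append(f"member {m.member_id} is {m.role} at the default "
                            "priority; mastership was not explicitly configured")
        if m.serial not in expected_serials:
            findings.append(f"member {m.member_id} serial {m.serial} is not an expected switch")
        for nid, nif in m.neighbors:
            peer = members.get(nid)
            if peer is None or peer.status != "Prsnt":
                findings.append(f"member {m.member_id} {nif} points at absent member {nid}")
            elif all(back != m.member_id for back, _ in peer.neighbors):
                findings.append(f"link {m.member_id} -> {nid} via {nif} is not reported back by {nid}")
    for m in members.values():
        if m.status == "NotPrsnt":
            findings.append(f"member ID {m.member_id} is NotPrsnt (stale; recycle it "
                            "if the switch was removed permanently)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, EXPECTED_SERIALS):
        print(finding)
```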
Purpose
Use the show virtual-chassis vc-port command (see page 252) to display the status of
Virtual Chassis ports (VCPs).
NOTE: The interfaces for VCPs are not displayed when you issue the show
interfaces command (see page 332).
Action
fpc1:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up
fpc2:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up
fpc3:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up
Meaning
The dedicated VCPs are displayed as vcp-0 and vcp-1. The uplinks set as VCPs are
displayed as 1/0. The FPC slots for EX-series switches are the same as the member
IDs.
Action
Use the monitoring functionality to view the following information about Virtual
Chassis members and ports:
Member details and how members are connected with each other.
To view Virtual Chassis monitoring details in the J-Web interface, select Monitor >
Virtual Chassis.
To view member details for all members in the CLI, enter the following command:
show virtual-chassis status
To view Virtual Chassis port traffic statistics for a specific member in the CLI, enter
the following command:
show virtual-chassis vc-port statistics member member-id
Meaning
In the J-Web interface the top half of the screen displays details of the Virtual Chassis
configuration, such as:
Member ID
Priority
Role
Interface
In the bottom half of the screen, select a member ID to view input and output rates.
Select the interval at which the charts must be refreshed. Click the Stop button to
stop fetching values from the switch, and click the Start button to start plotting data
again from the point where it was stopped.
For details about the output from CLI commands, refer to show virtual-chassis
status on page 250 and show virtual-chassis vc-port statistics on page 255.
Related Topics
Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual
Chassis Member on page 216
the member switch and apply it to a new member switch, or you can free up the
member ID and make it available for assignment to a new member switch.
To replace a member switch, use the procedure that matches what you need to
accomplish:
Remove a Member Switch, Replace with a Different Switch, and Reapply the
Old Configuration on page 220
Remove a Member Switch and Make Its Member ID Available for Reassignment
to a Different Switch on page 221
2. Repair, as necessary.
3.
NOTE: If you have used a preprovisioned configuration, use the replace command
to change the serial number in the Virtual Chassis configuration file. Substitute the
serial number of the replacement member switch (on the back of the switch) for the
serial number of the member switch that was removed.
1.
2. If the replacement member switch has been previously configured, revert that
switch's configuration to the factory defaults. See Reverting to the Default Factory
Configuration for the EX-series Switch.
3.
4.
5. Use the request virtual-chassis renumber command (see page 245) to change the
member switch's current member ID to the member ID that belonged to the
member switch that was removed from the Virtual Chassis configuration.
NOTE: When you add or delete members in a Virtual Chassis configuration, internal
routing changes might cause temporary traffic loss for a few seconds.
Chapter 19
Clear Virtual Chassis NotPrsnt Status and Make Member ID Available for Reassignment on page 223
Clear Virtual Chassis NotPrsnt Status and Make Member ID Available for Reassignment
Problem
You disconnected an EX 4200 from the Virtual Chassis configuration, but the
disconnected switch's member ID is still displayed in the status output. You cannot
reassign that member ID to another switch.
Solution
When you disconnect a member of a Virtual Chassis configuration, the master retains
the member ID and member configuration in its configuration database. The show
virtual-chassis status command (see page 250) continues to display the member ID of
the disconnected member with a status of NotPrsnt.
If you want to permanently disconnect the member switch, you can free up the member
ID by using the request virtual-chassis recycle command (see page 1160). This also
clears the status of that member.
Solution
The load factory-default command is not supported on a multimember Virtual Chassis
configuration. For information on how to revert to factory default settings, see
Reverting to the Default Factory Configuration for the EX-series Switch.
Gigabit Ethernet interfaces retain their previous slot numbers when a member switch
is disconnected from the Virtual Chassis configuration.
For more information about the replace command, see JUNOS Software CLI User
Guide at http://www.juniper.net/techpubs/software/junos/junos90/
Chapter 20
mac-persistence-timer
Syntax
mac-persistence-timer minutes;
Hierarchy Level
[edit virtual-chassis]
Default
10 minutes
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as Master of Virtual Chassis (CLI Procedure) on page 210
mastership-priority
Syntax
mastership-priority number;
Hierarchy Level
[edit virtual-chassis member member-id]
Default
128
member
Syntax
member member-id {
    mastership-priority number;
    no-management-vlan;
    serial-number;
    role;
}
Hierarchy Level
[edit virtual-chassis]
Options
member-id: Range: 0 through 9
The remaining statements are explained separately.
no-management-vlan
Syntax
no-management-vlan;
Hierarchy Level
[edit virtual-chassis member member-id]
Description
You cannot configure the IP address for a local management Ethernet port using the
CLI or the J-Web interface. To do this, you need to use the shell ifconfig command.
preprovisioned
Syntax
preprovisioned;
Hierarchy Level
[edit virtual-chassis]
role
Options
the Virtual Chassis configuration. The master manages all the members of the
Virtual Chassis configuration and runs the chassis management processes and
control protocols. The backup synchronizes with the master in terms of protocol
states, forwarding tables, and so forth, so that it is prepared to preserve routing
information and maintain network connectivity without disruption in case the
master is unavailable.
Specify two and only two members as routing-engine. The software determines
which of the two members assigned the routing-engine role functions as master,
based on the master election algorithm. See Understanding How the Master in
a Virtual Chassis Configuration Is Elected on page 140.
line-card: Enables the member to be eligible to function only in the linecard role.
Any member of the Virtual Chassis configuration other than the master or backup
functions in the linecard role and runs only a subset of JUNOS software for
EX-series switches. A member functioning in the linecard role does not run the
chassis control protocols. A Virtual Chassis configuration must have at least three
members in order to include a member that functions in the linecard role.
When you use a preprovisioned configuration, you cannot modify the mastership
priority or member ID of member switches through the user interfaces. The
mastership priority value is generated by the software, based on the assigned
role:
serial-number
Syntax
serial-number serial-number;
Hierarchy Level
[edit virtual-chassis preprovisioned member member-id]
Options
of the switch.
traceoptions
Syntax
traceoptions {
    file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
    flag flag;
}
Hierarchy Level
[edit virtual-chassis]
Options
file filename: Name of the file to receive the output of the tracing operation. Enclose
the name within quotation marks. All files are placed in the directory /var/log.
files number: (Optional) Maximum number of trace files. When a trace file named
include multiple flag statements. You can include the following flags:
match regex: (Optional) Refine the output to include lines that contain the regular
expression.
no-world-readable: (Optional) Restrict file access to the user who created the file.
size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes
(MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum
size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum
number of trace files is reached. Then the oldest trace file is overwritten. If you
specify a maximum number of files, you also must specify a maximum file size
with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB
world-readable: (Optional) Enable unrestricted file access.
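The size, files and world-readable rules above can be checked before a traceoptions stanza is committed. The following Python is an added example, not Juniper's code, run over two constructed file statements (a weak one and its corrected form); the grammar it parses is the file statement syntax summarized on this page and nothing more.

```python
"""Lint the file statement of [edit virtual-chassis traceoptions]. Added
example, not Juniper's code: it applies the option rules listed above (size is
xk/xm/xg and must lie within 10 KB through 1 GB, default 128 KB; a files count
needs a size) and flags world-readable, since the trace file lands in /var/log
where any local account could read it."""
import re
from dataclasses import dataclass
from typing import List, Optional

KB, MB, GB = 1024, 1024 ** 2, 1024 ** 3
SIZE_MIN, SIZE_MAX, SIZE_DEFAULT = 10 * KB, GB, 128 * KB
SIZE_RE = re.compile(r"^(\d+)([kmg])$")
# file <name> <options...>;  the name may be quoted, as the page recommends
FILE_RE = re.compile(r'file\s+"?([^\s";]+)"?([^;]*);')

# Constructed stanzas: the weak setting beside its corrected form.
WEAK_STANZA = 'file "vc-trace" files 5 world-readable;'
HARDENED_STANZA = 'file "vc-trace" files 5 size 1m no-world-readable match "vcp-.*";'


def parse_size(text: str) -> int:
    """Convert the size syntax on this page (xk, xm, xg) to bytes."""
    m = SIZE_RE.match(text.strip().lower())
    if m is None:
        raise ValueError(f"bad size {text!r}: use xk, xm or xg")
    return int(m.group(1)) * {"k": KB, "m": MB, "g": GB}[m.group(2)]


@dataclass
class TraceFile:
    filename: str
    files: Optional[int] = None
    size: int = SIZE_DEFAULT   # bytes; 128 KB when size is not given
    size_given: bool = False
    world_readable: bool = False
    match: Optional[str] = None


def parse_file_stanza(stanza: str) -> TraceFile:
    """Parse 'file name <files n> <size s> <world-readable | no-world-readable> <match re>;'."""
    m = FILE_RE.search(stanza)
    if m is None:
        raise ValueError("no file statement found")
    tf = TraceFile(filename=m.group(1))
    tokens = m.group(2).split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "files":
            tf.files = int(tokens[i + 1])
            i += 2
        elif tok == "size":
            tf.size = parse_size(tokens[i + 1])
            tf.size_given = True
            i += 2
        elif tok == "match":
            tf.match = tokens[i + 1].strip('"')
            i += 2
        elif tok in ("world-readable", "no-world-readable"):
            tf.world_readable = tok == "world-readable"
            i += 1
        else:
            raise ValueError(f"unknown file option {tok!r}")
    return tf


def lint(stanza: str) -> List[str]:
    """Return the problems found; an empty list means the stanza passes."""
    tf = parse_file_stanza(stanza)
    findings: List[str] = []
    if not SIZE_MIN <= tf.size <= SIZE_MAX:
        findings.append(f"size {tf.size} bytes is outside the 10 KB through 1 GB range")
    if tf.files is not None and not tf.size_given:
        findings.append("files is set without size; a file count requires an explicit size")
    if tf.world_readable:
        findings.append(f"/var/log/{tf.filename} would be world-readable; use no-world-readable")
    return findings


if __name__ == "__main__":
    print("weak:", lint(WEAK_STANZA))
    print("hardened:", lint(HARDENED_STANZA))
```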
Related Topics
Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual
Chassis Member on page 216
Verifying That the Virtual Chassis Ports Are Operational on page 217
virtual-chassis
Syntax
virtual-chassis {
    mac-persistence-timer minutes;
    preprovisioned;
    member member-id {
        mastership-priority number;
        no-management-vlan;
        serial-number;
        role;
    }
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag;
    }
}
Hierarchy Level
[edit]
Chapter 21
Options
member-id member-id: Specify the member ID that you want to make available for
Required Privilege Level
maintenance
request virtual-chassis recycle member-id 3
request virtual-chassis vc-port
request virtual-chassis vc-port set pic-slot 1 port 0
To check the results of this command, use the show virtual-chassis vc-port command
(see page 252).
request virtual-chassis vc-port set pic-slot 1 port 0 all-members
To check the results of this command, use the show virtual-chassis vc-port command
(see page 252).
request virtual-chassis vc-port set pic-slot 1 port 1 member 3
To check the results of this command, use the show virtual-chassis vc-port command
(see page 252).
request virtual-chassis vc-port delete pic-slot 1 port 1 member 3
user@host> request virtual-chassis vc-port delete pic-slot 1 port 1 member 3
To check the results of this command, use the show virtual-chassis vc-port command
(see page 252).
request virtual-chassis vc-port set interface vcp-0 disable
To check the results of this command, use the show virtual-chassis vc-port command
(see page 252).
request virtual-chassis vc-port set interface vcp-0 all-members disable
To check the results of this command, use the show virtual-chassis vc-port command
(see page 252).
request virtual-chassis vc-port set interface vcp-0 member 3 disable
To check the results of this command, use the show virtual-chassis vc-port command
(see page 252).
request virtual-chassis vc-port set interface vcp-1 all-members
user@host> request virtual-chassis vc-port set interface vcp-1 all-members
Required Privilege Level
maintenance
Options
Chassis, Virtual Chassis software, and routing protocols have been running for
all the member switches of the Virtual Chassis configuration.
member member-id: Display the current time and information about how long the
Virtual Chassis, Virtual Chassis software, and routing protocols have been running
for the specific member of the Virtual Chassis configuration.
Required Privilege Level
view
Related Topics
virtual-chassis
For more information about show system uptime, see the JUNOS Software System
Basics Services and Command Reference at
http://www.juniper.net/techpubs/software/junos/junos91/index.html.
Field | Description | Level of Output
Current time | |
System booted | Date and time when the switch was last booted and how long it has been running. |
Protocols started | Date and time when the routing protocols were last started and how long they have been running. |
Last configured | |
Time and up | Current time, in the local time zone, and how long the switch has been operational. |
Users | |
Load averages | |
show virtual-chassis active-topology
Description
Display the active topology of the Virtual Chassis configuration with reachability
information.
Options
none: Display the active topology of the member switch where the command is
issued.
all-members: Display the active topology of all members of the Virtual Chassis
configuration.
member member-id: Display the active topology of a specified member of the Virtual
Chassis configuration.
Required Privilege Level
view
Output Fields
Field | Description
Destination ID |
Next-hop | Specifies the member ID and VCP of the next-hop to which packets for the destination ID are forwarded.
configuration.
Required Privilege Level
view
Output Fields
Table 42 on page 1160 lists the output fields for the show virtual-chassis command.
Output fields are listed in the approximate order in which they appear.
Field | Description
Virtual Chassis ID |
Member ID |
Status | configuration
| NotPrsnt for a member ID that has been assigned but is not currently connected
| For a preprovisioned configuration:
Model |
Mastership Priority |
Role |
Neighbor List |
show virtual-chassis status
                                                     Mastership           Neighbor List
Member ID   Status   Serial No      Model        priority     Role       ID  Interface
0 (FPC 0)   Prsnt    AK0207360276   ex4200-24t   249          Master*    8   vcp-0
                                                                         1   vcp-1
1 (FPC 1)   Prsnt    AK0207360281   ex4200-24t   248          Backup     0   vcp-0
                                                                         2   vcp-1
2 (FPC 2)   Prsnt    AJ0207391130   ex4200-48p   247          Linecard   1   vcp-0
                                                                         3   vcp-1
3 (FPC 3)   Prsnt    AK0207360280   ex4200-24t   246          Linecard   2   vcp-0
                                                                         4   vcp-1
4 (FPC 4)   Prsnt    AJ0207391113   ex4200-48p   245          Linecard   3   vcp-0
                                                                         5   vcp-1
5 (FPC 5)   Prsnt    BP0207452204   ex4200-48t   244          Linecard   4   vcp-0
                                                                         6   vcp-1
6 (FPC 6)   Prsnt    BP0207452222   ex4200-48t   243          Linecard   5   vcp-0
                                                                         7   vcp-1
7 (FPC 7)   Prsnt    BR0207432028   ex4200-24f   242          Linecard   6   vcp-0
                                                                         8   vcp-1
8 (FPC 8)   Prsnt    BR0207431996   ex4200-24f   241          Linecard   7   vcp-0
                                                                         0   vcp-1
show virtual-chassis vc-port
Description
Display the status of the Virtual Chassis ports (VCPs), including both the dedicated
VCPs and the uplinks set as VCPs.
Options
none: Display the operational status of all the Virtual Chassis ports of the member
Required Privilege Level
view
Output Fields
Field | Description
fpcnumber |
Interface or PIC/Port | VCP interface name. Unlike network interfaces, a VCP interface name does not include a slot number (member ID). The dedicated VCP interfaces are vcp-0 and vcp-1. The uplink ports set as VCP interfaces are named 1/0 and 1/1, representing the PIC number and port number.
Type | Type of VCP:
Status |
show virtual-chassis vc-port
show virtual-chassis vc-port all-members
Type        Status
Dedicated   Up
Dedicated   Up
Configured  Down
Configured  Up
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc6:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc7:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc8:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
Required Privilege Level
view
Output Fields
Field | Description
Member ID |
Port |
show virtual-chassis vc-port statistics member 0
Member ID: 0
Port: internal-0/27
                        RX              TX
Total octets:           0               0
Total packets:          0               0
Member ID: 0
Port: internal-1/25
                        RX              TX
Total octets:           0               0
Total packets:          0               0
Member ID: 0
Port: internal-1/26
                        RX              TX
Total octets:           0               0
Total packets:          0               0
Member ID: 0
Port: vcp-0
                        RX              TX
Total octets:           586511032       210691704
Total packets:          2927355         1987210
Member ID: 0
Port: vcp-1
                        RX              TX
Total octets:           0               0
Total packets:          0               0
Part 7
Interfaces
Chapter 22
Understanding Interfaces
Network Interfaces
Network interfaces connect to the network and carry network traffic. EX-series
switches support the following types of network interfaces:
Power over Ethernet (PoE) interfaces: EX-series switches provide PoE network
ports, with the various switch models providing either 8, 24, or 48 PoE ports.
These ports can be used to connect VoIP telephones, wireless access points,
video cameras, and point-of-sale devices so that they safely receive power from the
same access ports that are used to connect personal computers to the network. PoE
interfaces are enabled by default in the factory configuration.
Special Interfaces
Special interfaces include:
Virtual chassis port (VCP) interfaces: Each EX 4200 switch has two dedicated
virtual chassis ports (VCPs) on its rear panel. These ports can be used to
interconnect two to ten EX 4200 switches as a virtual chassis, which functions
as a single network entity. See Understanding the High-Speed Interconnection
of the Virtual Chassis Members on page 143. When you power on EX-series
switches that are interconnected in this manner, the software automatically
configures the VCP interfaces for the dedicated ports that have been
interconnected. These VCP interfaces, which are called vcp-0 and vcp-1, are not
configurable or modifiable. It is also possible to interconnect EX 4200 switches
across wider distances (up to 40 km) by using the EX-UM-2XFP uplink module
ports. To use an EX-UM-2XFP uplink module port as a virtual chassis port, you
must explicitly set the uplink VCP interface using the request virtual-chassis
vc-port command (see page 1160).
Console port: Each EX-series switch has a serial port, labeled console, for
connecting tty-type terminals to the switch using standard PC-type tty cables.
The console port does not have a physical address or IP address associated with
it. However, it is an interface in the sense that it provides access to the switch.
On EX 4200 switches that are configured as a virtual chassis, you can access the
master and configure all members of the virtual chassis through any member's
console port. For more information on the console port in a virtual chassis, see
Understanding Global Management of a Virtual Chassis Configuration on page 141.
xe: 10-Gigabit Ethernet interface (These are the ports on the EX-UM-2XFP
uplink module.)
EX 3200 switches have only one FPC slot for the network ports. It is slot
number 0.
An individual, standalone EX 4200 switch has only one FPC slot number. It
is slot number 0.
Use the number 0 to specify the PIC for any network port on the switch
itself.
If you are configuring a port on an uplink module, use the number 1 as the
PIC.
The network ports are on the front panel of the switch and are labeled from left
to right starting with 0 followed by the remaining even-numbered ports in the
top row and 1 followed by the remaining odd-numbered ports in the bottom
row. (On the partial PoE switches, port numbers 0 through 7 have a label that
is a different color from the labels on the remaining ports to indicate that these
first eight ports are PoE ports.)
Figure 14 on page 262 shows the network ports on a 24-port EX-series switch.
Figure 14: Network Ports on the 24-Port EX-series Switch
[Figure: EX 3200 front panel. Labels: LCD panel, Menu button, Enter button, LEDs (ALM, SYS, MST), network ports 0 through 23, uplink module.]
Figure 15 on page 262 shows the network ports on a 48-port EX-series switch.
Figure 15: Network Ports on the 48-Port EX-series Switch
with a default VLAN, the resulting display shows the logical interfaces associated
with the VLAN:
Interface     State   VLAN members      Blocking
ge-0/0/0.0    down    remote-analyzer   unblocked
ge-0/0/1.0    down    default           unblocked
ge-0/0/10.0   down    default           unblocked
When you configure aggregated Ethernet interfaces, you configure a logical interface
that is called a bundle or a LAG. Each LAG can include up to eight Ethernet interfaces.
The ports on either side of the link must be set to the same speed.
NOTE: The interfaces that are included within a bundle or LAG are sometimes referred
to as member interfaces. Do not confuse this term with member switches, which
refers to EX 4200 switches that are interconnected as a virtual chassis. It is possible
to create a LAG that is composed of member interfaces that are located in different
member switches of a virtual chassis.
A typical deployment for LAG would be to aggregate trunk links between an access
switch and a distribution switch or customer edge (CE) router. LAG is not supported
on virtual chassis port links. LAG can only be used for a point-to-point connection.
When LACP is not enabled, a local LAG might attempt to transmit packets to a
remote single interface, which causes the communication to fail.
When LACP is enabled, a local LAG cannot transmit packets unless a LAG with
LACP is also configured on the remote end of the link.
By default, Ethernet links do not exchange protocol data units (PDUs), which contain
information about the state of the link. You can configure Ethernet links to actively
transmit PDUs, or you can configure the links to passively transmit them, sending
out LACP PDUs only when they receive them from another link. The transmitting
link is known as the actor and the receiving link is known as the partner.
Chapter 23
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
Requirements
This example uses the following software and hardware components:
Configured the uplink ports on the switches as trunk ports. See Configuring
Gigabit Ethernet Interfaces (CLI Procedure) on page 293.
If one physical port is lost for any reason (a cable is unplugged or a switch port
fails, or one member switch is unavailable), the logical port transparently
continues to function over the remaining physical port.
The topology used in this example consists of one virtual chassis access switch and
one virtual chassis distribution switch. The access switch is composed of two
EX 4200-48P switches (SWA-0 and SWA-1), interconnected to each other with their
virtual chassis ports (VCPs) as member switches of Host-A. The distribution switch
is composed of two EX 4200-24F switches (SWD-0 and SWD-1), interconnected with
their VCPs as member switches of Host-D.
Each member of the access switch has an uplink module installed. Each uplink module
has two ports. The uplinks are configured to act as trunk ports, connecting the access
switch with the distribution switch. One uplink port from SWA-0 and one uplink port
from SWA-1 are combined as a LAG ae0 to SWD-0. This link is used for one VLAN.
The remaining uplink ports from SWA-0 and from SWA-1 are combined as a second
LAG connection (ae1) to SWD-1. LAG ae1 is used for another VLAN.
Figure 16: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual Chassis Distribution Switch
Table 45: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis Distribution Switch
Switch | Hostname and VCID | Base Hardware | Uplink Module | Member ID | Trunk Port
SWA-0 | Host-A, VCID 1 (access switch) | EX 4200-48P switch | One EX-UM-2XFP uplink module | 0 | xe-0/1/0 to SWD-0; xe-0/1/1 to SWD-1
SWA-1 | Host-A, VCID 1 (access switch) | EX 4200-48P switch | One EX-UM-2XFP uplink module | 1 | xe-1/1/0 to SWD-0; xe-1/1/1 to SWD-1
SWD-0 | Host-D, VCID 4 (distribution switch) | EX-series EX 4200-24F switch | One EX-UM-2XFP uplink module | 0 | xe-0/1/0 to SWA-0; xe-0/1/1 to SWA-1
SWD-1 | Host-D, VCID 4 (distribution switch) | EX-series EX 4200-24F switch | One EX-UM-2XFP uplink module | 1 | xe-1/1/0 to SWA-0; xe-1/1/1 to SWA-1
Configuration
To configure two uplink LAGs from the virtual chassis access switch to the virtual
chassis distribution switch:
CLI Quick Configuration
Step-by-Step Procedure
2. Specify the number of links that need to be present for the ae0 LAG interface
to be up:
[edit interfaces]
user@Host-A# set ae0 aggregated-ether-options minimum-links 2
3. Specify the number of links that need to be present for the ae1 LAG interface
to be up:
[edit interfaces]
user@Host-A# set ae1 aggregated-ether-options minimum-links 2
270
Configuration
4.
5.
6.
7.
8.
Specify that LAG ae0 belongs to the subnet for the employee broadcast domain:
[edit interfaces]
user@Host-A# set ae0 unit 0 family inet address 192.0.2.0/25
9.
Specify that LAG ae1 belongs to the subnet for the guest broadcast domain:
[edit interfaces]
user@Host-A# set ae1 unit 1 family inet address 192.0.2.128/25
Results
            }
        }
    }
    ae1 {
        aggregated-ether-options {
            link-speed 10g;
            minimum-links 2;
        }
        unit 0 {
            family inet {
                address 192.0.2.128/25;
            }
        }
    }
    xe-0/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-1/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/1/1 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-1/1/1 {
        ether-options {
            802.3ad ae1;
        }
    }
}
Verification
To verify that switching is operational and two LAGs have been created, perform
these tasks:
Interface   Admin  Link  Proto  Local          Remote
ae0         up     up
ae0.0       up     up    inet   10.10.10.2/24
Meaning
The output confirms that the ae0 link is up and shows the family and IP address
assigned to this link.
Troubleshooting
Troubleshooting a LAG That Is Down
Problem
The show interfaces terse command shows that the LAG is down.
Solution
Verify that the LAG is part of family ethernet-switching (Layer 2 LAG) or family inet
(Layer 3 LAG).
Verify that the LAG member is connected to the correct LAG at the other end.
Verify that the LAG members belong to the same switch (or the same virtual
chassis).
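The troubleshooting points above can be checked statically against the candidate configuration before it is committed. The following Python is an added example, not code from this guide or from Juniper: it parses a Junos-style brace configuration (constructed here in the style of the Results block, with two planted faults) and reports LAGs without a family, members pointing at a LAG that does not exist, members on an FPC outside the virtual chassis (the set of member IDs is an assumption passed in by the caller), and a minimum-links value that the configured member count can never satisfy. Whether a member lands on the correct LAG at the far end needs the other switch's configuration and is not checked here.

```python
"""Static checks for the LAG troubleshooting points above, run over a
Junos-style brace configuration: every ae interface needs a family
(ethernet-switching for Layer 2, inet for Layer 3), every member must point
at a LAG that exists, members must sit on FPCs of this virtual chassis, and
minimum-links must be satisfiable.  Sample config and checks are this
example's own, not Junos tooling."""
import re

# Constructed sample with two planted faults: ae1 has no unit/family, and
# xe-2/1/1 sits on FPC 2, outside the two-member virtual chassis (0 and 1)
# assumed for this example.
SAMPLE_CONFIG = """\
interfaces {
    ae0 {
        aggregated-ether-options {
            link-speed 10g;
            minimum-links 2;
        }
        unit 0 {
            family inet {
                address 192.0.2.0/25;
            }
        }
    }
    ae1 {
        aggregated-ether-options {
            minimum-links 2;
        }
    }
    xe-0/1/0 { ether-options { 802.3ad ae0; } }
    xe-1/1/0 { ether-options { 802.3ad ae0; } }
    xe-0/1/1 { ether-options { 802.3ad ae1; } }
    xe-2/1/1 { ether-options { 802.3ad ae1; } }
}
"""

def parse_braces(text):
    """Parse brace-format configuration into nested dicts: a leaf statement
    maps to None, a container maps to the dict of its children."""
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                node[" ".join(words)] = block()
                words = []
            elif tok == ";":
                node[" ".join(words)] = None
                words = []
            elif tok == "}":
                break
            else:
                words.append(tok)
        return node
    return block()

LAG_RE = re.compile(r"^ae\d+$")
PORT_RE = re.compile(r"^(?:ge|xe)-(\d+)/\d+/\d+$")

def check_lags(config, vc_members):
    """Return findings for [edit interfaces]; vc_members is the set of FPC
    (virtual chassis member) IDs that may contribute ports to a LAG."""
    ifs = config.get("interfaces") or {}
    lags = {n for n in ifs if LAG_RE.match(n)}
    members, findings = {}, []
    for name, body in ifs.items():
        port = PORT_RE.match(name)
        if not port or body is None:
            continue
        for stmt in body.get("ether-options") or {}:
            if not stmt.startswith("802.3ad "):
                continue
            target = stmt.split()[1]
            members.setdefault(target, []).append(name)
            if target not in lags:
                findings.append(f"{name}: bundled into {target}, which is not configured")
            if int(port.group(1)) not in vc_members:
                findings.append(f"{name}: FPC {port.group(1)} is not a member of this virtual chassis")
    for lag in sorted(lags):
        body = ifs[lag] or {}
        families = [f for u, ub in body.items() if u.startswith("unit ")
                    for f in (ub or {}) if f.startswith("family ")]
        if not families:
            findings.append(f"{lag}: no family ethernet-switching (Layer 2) or family inet (Layer 3) configured")
        min_links = 1  # Junos default: one link up is enough for the bundle
        for stmt in body.get("aggregated-ether-options") or {}:
            if stmt.startswith("minimum-links "):
                min_links = int(stmt.split()[1])
        count = len(members.get(lag, []))
        if count < min_links:
            findings.append(f"{lag}: minimum-links {min_links} but only {count} member(s) configured")
    return findings

if __name__ == "__main__":
    for finding in check_lags(parse_braces(SAMPLE_CONFIG), {0, 1}):
        print(finding)
```

Run against the sample with virtual chassis members {0, 1} it reports the FPC 2 member and the family-less ae1; add a unit with family inet to ae1 and move the member to xe-1/1/1 and the findings list is empty.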
allow you to further enhance these links by configuring Link Aggregation Control
Protocol (LACP).
This example describes how to overlay LACP on the LAG configurations that were
created in Example: Configuring Aggregated Ethernet High-Speed Uplinks Between
a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 172:
Configuring LACP for the LAGs on the Virtual Chassis Access Switch on page 275
Requirements
This example uses the following software and hardware components:
Set up the virtual chassis switches. See Example: Configuring a Virtual Chassis
with a Master and Backup in a Single Wiring Closet on page 147.
Configured the uplink ports on the switches as trunk ports. See Configuring
Gigabit Ethernet Interfaces (CLI Procedure) on page 293.
NOTE: If the actor and partner are both in passive mode, they do not exchange LACP
packets, which results in the aggregated Ethernet links not coming up. By default,
LACP is in passive mode. To initiate transmission of LACP packets and responses to
LACP packets, you must enable LACP in active mode.
By default, the actor and partner send LACP packets every second. You can configure
the interval at which the interfaces send LACP packets by including the periodic
statement at the [edit interfaces interface-name aggregated-ether-options lacp] hierarchy
level.
The interval can be fast (every second) or slow (every 30 seconds).
Configuring LACP for the LAGs on the Virtual Chassis Access Switch
To configure LACP for the access switch LAGs, perform these tasks:
CLI Quick Configuration
To quickly configure LACP for the access switch LAGs, copy the following commands
and paste them into the switch terminal window:
set interfaces ae0 aggregated-ether-options lacp active periodic fast
set interfaces ae1 aggregated-ether-options lacp active periodic fast
Step-by-Step Procedure
Results
Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch
To configure LACP for the two uplink LAGs from the virtual chassis access switch to
the virtual chassis distribution switch, perform these tasks:
CLI Quick Configuration
To quickly configure LACP for the distribution switch LAGs, copy the following
commands and paste them into the switch terminal window:
[edit interfaces]
set ae0 aggregated-ether-options lacp passive periodic fast
set ae1 aggregated-ether-options lacp passive periodic fast
Step-by-Step Procedure
Results
Verification
To verify that LACP packets are being exchanged, perform these tasks:
Verifying That the LACP Packets Are Being Exchanged on page 277
LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
  xe-0/1/0       Actor    No   Yes    No   No   No   Yes     Fast    Active
  xe-0/1/0     Partner    No   Yes    No   No   No   Yes     Fast   Passive
Meaning
The output indicates that LACP has been set up correctly and is active at one
end.
LACP protocol:   Receive State  Transmit State  Mux State
  xe-0/1/0       Defaulted      Fast periodic   Detached
Meaning
The output here shows that the link is down and that no PDUs are being exchanged.
Troubleshooting
These are some tips for troubleshooting:
Solution
Remove the LACP configuration and verify whether the static LAG is up.
Verify whether LACP protocol data units are being exchanged by running the
monitor traffic interface lag-member detail command.
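The LACP state table above is what an operator reads by hand; the following Python is an added example (not code from this guide or from Juniper) that applies the same rules mechanically to that table format: at least one end must be active, a Defaulted partner means no LACP PDUs are arriving, and the bundle counts as up only when at least minimum-links members are collecting and distributing. On Junos the table comes from show lacp interfaces, a command not named on this page; the two outputs below are constructed for the example, and the second one shows the both-ends-passive misconfiguration described in the NOTE above.

```python
"""Triage of the 'LACP state' table against the rules in this chapter: one
end must be LACP active, a Defaulted partner means no PDUs are arriving, and
a LAG is up only when at least minimum-links members are collecting and
distributing.  The sample output is constructed, not captured from a switch."""
import re

# Constructed sample for ae0 with two members.  xe-0/1/0 is healthy; xe-1/1/0
# shows the Defaulted/Detached pattern the chapter describes for a down link.
SAMPLE_AE0 = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      xe-0/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Passive
      xe-1/1/0       Actor    No   Yes    No   No   No   Yes     Fast    Active
      xe-1/1/0     Partner    No   Yes    No   No   No   Yes     Fast   Passive
"""

# Constructed sample of the misconfiguration in the NOTE: both ends left in
# the default passive mode, so neither side ever sends a PDU.
SAMPLE_BOTH_PASSIVE = """\
Aggregated interface: ae1
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/1       Actor    No   Yes    No   No   No   Yes     Fast   Passive
      xe-0/1/1     Partner    No   Yes    No   No   No   Yes     Fast   Passive
"""

YN = r"(Yes|No)"
ROW_RE = re.compile(
    r"^\s*(?P<member>\S+)\s+(?P<role>Actor|Partner)\s+"
    rf"(?P<exp>{YN})\s+(?P<def>{YN})\s+(?P<dist>{YN})\s+(?P<col>{YN})\s+"
    rf"(?P<syn>{YN})\s+(?P<aggr>{YN})\s+(?P<timeout>Fast|Slow)\s+"
    r"(?P<activity>Active|Passive)\s*$")

def parse_lacp_state(text):
    """Return one dict per (member, role) row of the 'LACP state' table."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]

def diagnose(rows, minimum_links=1):
    """Apply the chapter's rules; return (lag_up, list of issue strings)."""
    by_member = {}
    for r in rows:
        by_member.setdefault(r["member"], {})[r["role"]] = r
    issues, healthy = [], 0
    for member, ends in sorted(by_member.items()):
        actor, partner = ends.get("Actor"), ends.get("Partner")
        if actor is None or partner is None:
            issues.append(f"{member}: incomplete LACP state table")
            continue
        # Nobody initiates when both ends are passive.
        if actor["activity"] == "Passive" and partner["activity"] == "Passive":
            issues.append(f"{member}: both ends passive, no LACP PDUs will be sent")
        # Defaulted partner: the partner columns are defaults, not received values.
        if partner["def"] == "Yes":
            issues.append(f"{member}: partner Defaulted, no LACP PDUs received")
        if actor["col"] == "Yes" and actor["dist"] == "Yes":
            healthy += 1
        else:
            issues.append(f"{member}: not collecting/distributing")
    # minimum-links from the LAG configuration: the bundle is up only when at
    # least that many members are passing traffic.
    return (healthy > 0 and healthy >= minimum_links), issues

if __name__ == "__main__":
    for text, min_links in ((SAMPLE_AE0, 2), (SAMPLE_BOTH_PASSIVE, 1)):
        up, issues = diagnose(parse_lacp_state(text), min_links)
        print("LAG up:", up)
        for issue in issues:
            print("  -", issue)
```

With minimum-links 2, as configured for ae0 earlier in this example, the first sample is reported down even though one member is healthy; with the default of 1 it would be up.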
Requirements
This example uses the following hardware and software components:
For the distribution switch, one EX 4200-24F switch. This model is designed to
be used as a distribution switch for aggregation or collapsed core network
topologies and in space-constrained data centers. It has twenty-four 1-Gigabit
Ethernet fiber SFP ports and an EX-UM-2XFP uplink module with two 10-Gigabit
Ethernet XFP ports.
For the access switch, any Layer 2 switch that supports 802.1Q VLAN tags.
Configured the necessary VLANs. See Configuring VLANs for EX-series Switches
(CLI Procedure) on page 409 or Configuring VLANs for EX-series Switches (J-Web
Procedure) on page 407.
Table 46 on page 280 lists the settings for the example topology.
Table 46: Components of the Topology for Creating Layer 3 Subinterfaces on an Access Switch and a Distribution
Switch
Property | Settings
Access switch hardware | Any Layer 2 switch with multiple 1-Gigabit Ethernet ports and at least one 1-Gigabit Ethernet uplink module
Distribution switch hardware | EX 4200-24F, 24 1-Gigabit Ethernet fiber SFP ports (ge-0/0/0 through ge-0/0/23); one 2-port 10-Gigabit Ethernet XFP uplink module (EX-UM-4SFP)
VLAN subnets |
Port interfaces |
To quickly create and configure subinterfaces on the access switch, copy the following
commands and paste them into the switch terminal window:
[edit]
set interfaces ge-0/1/0 vlan-tagging
set interfaces ge-0/1/0 unit 0 vlan-id 101 family inet address 1.1.1.1/24
set interfaces ge-0/1/0 unit 1 vlan-id 102 family inet address 2.1.1.1/24
set interfaces ge-0/1/0 unit 2 vlan-id 103 family inet address 3.1.1.1/24
set interfaces ge-0/1/0 unit 3 vlan-id 104 family inet address 4.1.1.1/24
set interfaces ge-0/1/0 unit 4 vlan-id 105 family inet address 5.1.1.1/24
Step-by-Step Procedure
Results
To quickly create and configure subinterfaces on the distribution switch, copy the
following commands and paste them into the switch terminal window:
[edit]
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 0 vlan-id 101 family inet address 1.1.1.2/24
set interfaces ge-0/0/0 unit 1 vlan-id 102 family inet address 2.1.1.2/24
set interfaces ge-0/0/0 unit 2 vlan-id 103 family inet address 3.1.1.2/24
set interfaces ge-0/0/0 unit 3 vlan-id 104 family inet address 4.1.1.2/24
set interfaces ge-0/0/0 unit 4 vlan-id 105 family inet address 5.1.1.2/24
Step-by-Step Procedure
Results
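The two quick configurations above must agree with each other, unit by unit, or the ping verification that follows fails for that VLAN. The following Python is an added example, not code from this guide or from Juniper: it keeps one VLAN plan for both ends (constructed to mirror the example: units 0 through 4, VLANs 101 through 105, the access switch at .1 and the distribution switch at .2 of each /24), checks the plan for the mistakes that break a subinterface pair (duplicate units or VLAN IDs, out-of-range IDs, the two ends in different subnets, both ends on the same host address), and then emits the set statements for either end, one statement per leaf. The plan, interface names and check names are this example's assumptions.

```python
"""Consistency checks and set-statement generation for Layer 3 subinterface
pairs.  The plan is constructed for this example; it mirrors the page's
units, VLAN IDs and addresses but is not the page's own configuration."""
import ipaddress

# Constructed plan: one entry per subinterface unit, shared by both ends.
PLAN = [
    {"unit": 0, "vlan_id": 101, "access": "1.1.1.1/24", "dist": "1.1.1.2/24"},
    {"unit": 1, "vlan_id": 102, "access": "2.1.1.1/24", "dist": "2.1.1.2/24"},
    {"unit": 2, "vlan_id": 103, "access": "3.1.1.1/24", "dist": "3.1.1.2/24"},
    {"unit": 3, "vlan_id": 104, "access": "4.1.1.1/24", "dist": "4.1.1.2/24"},
    {"unit": 4, "vlan_id": 105, "access": "5.1.1.1/24", "dist": "5.1.1.2/24"},
]

def check_plan(plan):
    """Return findings that would leave a subinterface pair unable to talk."""
    findings = []
    seen_units, seen_vlans = set(), set()
    for e in plan:
        unit, vid = e["unit"], e["vlan_id"]
        if unit in seen_units:
            findings.append(f"unit {unit}: duplicate unit number")
        if vid in seen_vlans:
            findings.append(f"unit {unit}: VLAN {vid} already used by another unit")
        seen_units.add(unit)
        seen_vlans.add(vid)
        if not 1 <= vid <= 4094:
            findings.append(f"unit {unit}: VLAN ID {vid} out of range")
        # Both ends must share the subnet and must not share the host address.
        a = ipaddress.ip_interface(e["access"])
        d = ipaddress.ip_interface(e["dist"])
        if a.network != d.network:
            findings.append(f"unit {unit}: {a} and {d} are in different subnets")
        elif a.ip == d.ip:
            findings.append(f"unit {unit}: both ends use host address {a.ip}")
    return findings

def subinterface_commands(ifname, plan, end):
    """Set statements for one end ('access' or 'dist'), one per leaf."""
    cmds = [f"set interfaces {ifname} vlan-tagging"]
    for e in plan:
        cmds.append(f"set interfaces {ifname} unit {e['unit']} vlan-id {e['vlan_id']}")
        cmds.append(f"set interfaces {ifname} unit {e['unit']} family inet address {e[end]}")
    return cmds

def ping_targets(plan, end):
    """Host addresses the opposite end should reach, one per VLAN."""
    return [str(ipaddress.ip_interface(e[end]).ip) for e in plan]

if __name__ == "__main__":
    problems = check_plan(PLAN)
    if problems:
        raise SystemExit("\n".join(problems))
    print("\n".join(subinterface_commands("ge-0/1/0", PLAN, "access")))
    print("\n".join(subinterface_commands("ge-0/0/0", PLAN, "dist")))
    print("ping from access switch:", ", ".join(ping_targets(PLAN, "dist")))
```

The generated ping list is exactly the set of addresses the verification section below walks through by hand.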
Verification
To confirm that the configuration is working properly, perform these tasks:
Action
Verify that the subinterfaces were properly created on the access switch and
distribution switch.
1. On the access switch:
   Interface       Admin  Link  Proto  Local       Remote
   ge-0/1/0        up     up
   ge-0/1/0.0      up     up    inet   1.1.1.1/24
   ge-0/1/0.1      up     up    inet   2.1.1.1/24
   ge-0/1/0.2      up     up    inet   3.1.1.1/24
   ge-0/1/0.3      up     up    inet   4.1.1.1/24
   ge-0/1/0.4      up     up    inet   5.1.1.1/24
   ge-0/1/0.32767  up     up
2. On the distribution switch:
   Interface       Admin  Link  Proto  Local       Remote
   ge-0/0/0        up     up
   ge-0/0/0.0      up     up    inet   1.1.1.2/24
   ge-0/0/0.1      up     up    inet   2.1.1.2/24
   ge-0/0/0.2      up     up    inet   3.1.1.2/24
   ge-0/0/0.3      up     up    inet   4.1.1.2/24
   ge-0/0/0.4      up     up    inet   5.1.1.2/24
   ge-0/0/0.32767  up     up
Meaning
Verify that the distribution switch is correctly routing traffic from one VLAN to another.
Action
Ping from the access switch to the distribution switch on each subinterface.
1. From the access switch, ping the address of the vlan1 subinterface on the
   distribution switch:
   user@access-switch> ping 1.1.1.2 count 4
   PING 1.1.1.2 (1.1.1.2): 56 data bytes
   64 bytes from 1.1.1.2: icmp_seq=0 ttl=64 time=0.333 ms
   64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.113 ms
   64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.112 ms
   64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.158 ms
   --- 1.1.1.2 ping statistics ---
   4 packets transmitted, 4 packets received, 0% packet loss
   round-trip min/avg/max/stddev = 0.112/0.179/0.333/0.091 ms
2. From the access switch, ping the address of the vlan2 subinterface on the
   distribution switch:
   user@access-switch> ping 2.1.1.2 count 4
   PING 2.1.1.2 (2.1.1.2): 56 data bytes
   64 bytes from 2.1.1.2: icmp_seq=0 ttl=64 time=0.241 ms
   64 bytes from 2.1.1.2: icmp_seq=1 ttl=64 time=0.113 ms
   64 bytes from 2.1.1.2: icmp_seq=2 ttl=64 time=0.162 ms
   64 bytes from 2.1.1.2: icmp_seq=3 ttl=64 time=0.167 ms
   --- 2.1.1.2 ping statistics ---
   4 packets transmitted, 4 packets received, 0% packet loss
   round-trip min/avg/max/stddev = 0.113/0.171/0.241/0.046 ms
3. From the access switch, ping the address of the vlan3 subinterface on the
   distribution switch:
   user@access-switch> ping 3.1.1.2 count 4
   PING 3.1.1.2 (3.1.1.2): 56 data bytes
   64 bytes from 3.1.1.2: icmp_seq=0 ttl=64 time=0.341 ms
   64 bytes from 3.1.1.2: icmp_seq=1 ttl=64 time=0.162 ms
   64 bytes from 3.1.1.2: icmp_seq=2 ttl=64 time=0.112 ms
   64 bytes from 3.1.1.2: icmp_seq=3 ttl=64 time=0.208 ms
   --- 3.1.1.2 ping statistics ---
   4 packets transmitted, 4 packets received, 0% packet loss
   round-trip min/avg/max/stddev = 0.112/0.206/0.341/0.085 ms
4. From the access switch, ping the address of the vlan4 subinterface on the
   distribution switch:
   user@access-switch> ping 4.1.1.2 count 4
   PING 4.1.1.2 (4.1.1.2): 56 data bytes
   64 bytes from 4.1.1.2: icmp_seq=0 ttl=64 time=0.226 ms
   64 bytes from 4.1.1.2: icmp_seq=1 ttl=64 time=0.166 ms
   64 bytes from 4.1.1.2: icmp_seq=2 ttl=64 time=0.107 ms
   64 bytes from 4.1.1.2: icmp_seq=3 ttl=64 time=0.221 ms
   --- 4.1.1.2 ping statistics ---
   4 packets transmitted, 4 packets received, 0% packet loss
   round-trip min/avg/max/stddev = 0.107/0.180/0.226/0.048 ms
5. From the access switch, ping the address of the vlan5 subinterface on the
   distribution switch:
   user@access-switch> ping 5.1.1.2 count 4
   PING 5.1.1.2 (5.1.1.2): 56 data bytes
   64 bytes from 5.1.1.2: icmp_seq=0 ttl=64 time=0.224 ms
   64 bytes from 5.1.1.2: icmp_seq=1 ttl=64 time=0.104 ms
   64 bytes from 5.1.1.2: icmp_seq=2 ttl=64 time=0.102 ms
   64 bytes from 5.1.1.2: icmp_seq=3 ttl=64 time=0.170 ms
   --- 5.1.1.2 ping statistics ---
   4 packets transmitted, 4 packets received, 0% packet loss
   round-trip min/avg/max/stddev = 0.102/0.150/0.224/0.051 ms
Meaning
If all the ping packets are transmitted and are received by the destination address,
the subinterfaces are up and working.
Chapter 24
Configuring Interfaces
2. Select the option Ports. The page lists all the Gigabit Ethernet and 10-Gigabit
   Ethernet interfaces and their link status. When you select a particular interface,
   the interface details are displayed.
   The properties you can configure on the interface are displayed.
3.
NOTE: When you select multiple interfaces at the same time, you cannot modify the
IP address and enable or disable the administrative status of the selected interfaces.
4.
Function | Your Action
Port Role
Desktop |
Routed Uplink | Specify the IP address and the subnet mask.
Layer 2 Uplink | For this port role you can associate a native VLAN. To create a redundant trunk group, specify the group name and select the secondary interface.
VLAN Options
Port Mode |
Click OK.
Link Options
MTU (bytes) |
Speed |
Duplex |
Description |
IP Options
Enable IP Address |
Click OK.
Recommended Settings
Forwarding Classes |
Schedulers |
Scheduler maps | When desktop and phone, routed uplink, or Layer 2 uplink roles are applied on interfaces, the forwarding classes and schedulers are mapped using the scheduler map.
ieee-802.1 classifier | Imports the default ieee-802.1 classifier configuration, and sets loss-priority to low for the code point 101 for the voice forwarding class.
dscp classifier | Imports the default dscp classifier configuration, and sets loss-priority to low for the code point 101110 for the voice forwarding class.
Specifies Spanning Tree Protocol (STP) and Link Layer Discovery Protocol (LLDP)
The speed for Gigabit Ethernet interfaces is set to auto, allowing the interface to
operate at 10m, 100m, or 1g. The link operates at the highest possible speed,
depending on the capabilities of the remote end.
The flow control for Gigabit Ethernet interfaces and 10-Gigabit Ethernet interfaces
is set to enabled.
The link mode is set to auto, allowing the interface to operate as either full duplex
or half duplex. The link operates as full duplex unless this mode is not supported
at the remote end.
The 10-Gigabit Ethernet interfaces (for the EX-UM-2XFP uplink module) default
to no auto-negotiation. The default speed is 10g and the default link mode is full
duplex.
NOTE: An interface with an already configured IP address cannot form part of the
aggregation group.
To configure aggregated Ethernet interfaces, using the CLI:
1.
2. device-count
3. Specify the minimum number of links for the aggregated Ethernet interface (aex),
   that is, the defined bundle, to be labeled up:
   NOTE: By default only one link must be up for the bundle to be labeled up.
   [edit interfaces]
   user@switch# set ae0 aggregated-ether-options minimum-links 2
4.
5.
For information about adding LACP to a LAG, see Configuring Aggregated Ethernet
LACP (CLI Procedure) on page 297.
NOTE: Interfaces that are already configured with MTU, speed, duplex,
auto-negotiation, flow-control, and logical interfaces are not available for aggregation.
To configure link aggregation:
1.
2. Click one:
   Add a description for the aggregation. Click >> or << to move interfaces
   between the Available Interfaces and Member Interfaces columns. Click
   Activate Aggregated Link to activate the link.
   Edit > VLAN Options: Specifies VLAN options for the aggregation. See
   Delete: Deletes an aggregation.
Function | Your Action
Port Mode |
Click OK.
When LACP is enabled, the local and remote sides of the aggregated Ethernet links
exchange protocol data units (PDUs), containing information about the state of the
link. You can configure Ethernet links to actively transmit PDUs, or you can configure
the links to passively transmit them, sending out LACP PDUs only when they receive
them from another link. One side of the link must be configured as active in order
for the link to be up.
To configure LACP:
1.
Chapter 25
Verifying Interfaces
Verifying That LACP Is Configured Correctly and Bundle Members Are Exchanging
LACP Protocol Packets on page 300
Action
To view interface status for all the interfaces, enter show interfaces on page 342.
To view status and statistics for a specific interface, enter show interfaces on page
342 interface-name.
To view status and traffic statistics for all interfaces, enter either show
interfaces on page 342 detail or show interfaces on page 342 extensive.
To clear the statistics in the J-Web Interface monitoring page, click Clear Statistics.
Meaning
For details about output from the CLI commands, see show interfaces on page 332
(Gigabit Ethernet) or show interfaces on page 342 (10-Gigabit Ethernet).
Interface   Admin  Link  Proto  Local          Remote
ae0         up     up
ae0.0       up     up    inet   10.10.10.2/24
Meaning
The output confirms that the ae0 link is up and shows the family and IP address
assigned to this link.
Verifying That LACP Is Configured Correctly and Bundle Members Are Exchanging
LACP Protocol Packets
To verify that LACP has been set up correctly and that the bundle members are
transmitting LACP protocol packets:
1. Verifying the LACP Setup on page 300
2. Verifying That the LACP Packets Are Being Exchanged on page 301
LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
  xe-0/1/0       Actor    No   Yes    No   No   No   Yes     Fast    Active
  xe-0/1/0     Partner    No   Yes    No   No   No   Yes     Fast   Passive
Meaning
This example shows that LACP has been configured with one side as active and the
other as passive. When LACP is enabled, one side must be set as active in order for
the bundled link to be up.
LACP protocol:   Receive State  Transmit State  Mux State
  xe-0/1/0       Defaulted      Fast periodic   Detached
Meaning
The output here shows that the link is down and that no PDUs are being exchanged
(when there is no other traffic flowing on the link).
Action
After configuring Layer 3 subinterfaces, verify they are set up properly and
transmitting data.
1. Use the show interfaces command to determine if you successfully created the
   subinterfaces and the links are up:
   user@switch> show interfaces ge-chassis/slot/port terse
   Interface       Admin  Link  Proto  Local       Remote
   ge-0/0/0        up     up
   ge-0/0/0.0      up     up    inet   1.1.1.1/24
   ge-0/0/0.1      up     up    inet   2.1.1.1/24
   ge-0/0/0.2      up     up    inet   3.1.1.1/24
   ge-0/0/0.3      up     up    inet   4.1.1.1/24
   ge-0/0/0.4      up     up    inet   5.1.1.1/24
   ge-0/0/0.32767  up     up
2. Use the ping command from a device on one subnet to an address on another
   subnet to determine if packets were transmitted correctly on the subinterface
   VLANs:
   user@switch> ping ip-address
   PING 1.1.1.1 (1.1.1.1): 56 data bytes
   64 bytes from 1.1.1.1: icmp_seq=0 ttl=64 time=0.157 ms
   64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.238 ms
   64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.255 ms
   64 bytes from 1.1.1.1: icmp_seq=3 ttl=64 time=0.128 ms
   --- 1.1.1.1 ping statistics ---
   4 packets transmitted, 4 packets received, 0% packet loss
Meaning
The output confirms that the subinterfaces are created and the links are up.
Chapter 26
Troubleshooting Interfaces
Port Role Configuration with the J-Web Interface: CLI Reference on page 304
Problem
The show interfaces terse command shows that the LAG is down.
Solution
Verify that the LAG member is connected to the correct LAG at the other end.
Verify that the LAG members belong to the same switch (or the same virtual
chassis).
Disabled port on EX 3200 switch with a 4-port Gigabit Ethernet uplink module
(EX-UM-4SFP) installed on page 304
Disabled port on EX 3200 switch with a 4-port Gigabit Ethernet uplink module (EX-UM-4SFP)
installed
Problem
One of the last four base ports (ge-0/0/20 through ge-0/0/23 on 24-port models or
ge-0/0/44 through ge-0/0/47 on 48-port models) of an EX 3200 switch is disabled.
The 4-port Gigabit Ethernet uplink module (EX-UM-4SFP) is installed.
When you check status with the show interfaces on page 332 command or with the
J-Web user interface, the disabled port is not listed.
Cause
The last four base ports use the same ASIC as the 4-port Gigabit Ethernet uplink
module. Therefore, if you insert a transceiver in a 4-port Gigabit Ethernet uplink
module installed in an EX 3200 switch, a corresponding base port from the last four
base ports is disabled.
Solution
If you need to use the disabled base port, you should remove the transceiver from
the 4-port Gigabit Ethernet uplink module. You can install the 2-port 10-Gigabit
Ethernet uplink module (EX-UM-2XFP) instead. There is no ASIC conflict with the
EX-UM-2XFP uplink module.
NOTE: If there is an existing port role configuration, it is cleared before the new port
role configuration is applied.
CLI Commands
SCHEDULER_MAP=juniper-port-profile-map
IEEE_CLASSIFIER=juniper-ieee-classifier
DSCP_CLASSIFIER=juniper-dscp-classifier
CLI Commands
SCHEDULER_MAP=juniper-port-profile-map
IEEE_CLASSIFIER=juniper_ieee_classifier
DSCP_CLASSIFIER=juniper_dscp_classifier
Table 51 on page 307 lists the CLI commands for the recommended CoS settings that
are committed when the CoS configuration is set.
Table 51: Recommended CoS Settings for Port Roles
CoS Parameter | CLI Command
Forwarding Classes: voice, expedited-forwarding, assured-forwarding, best-effort |
Schedulers: strict-priority-scheduler, expedited-scheduler, assured-scheduler, best-effort-scheduler |
Classifiers |
Problem
You encounter errors when you attempt to configure an interface on the switch, or
the interface is exhibiting connectivity problems.
Solution
Use the port troubleshooter feature in the J-Web interface to identify and rectify port
configuration and connectivity related problems.
To use the J-Web interface port troubleshooter:
1.
2. Click Troubleshoot Port. The Port Troubleshooting wizard is displayed. Click Next.
3.
4. Select the test cases to be executed on the selected port. Click Next.
When the selected test cases are executed, the final result and the recommended
action are displayed.
If there is a cable fault, the port troubleshooter displays details and the recommended
action. For example, the cable must be replaced.
If the port configuration needs to be modified, the port troubleshooter displays details
and the recommended action.
Chapter 27
        aggregated-ether-options {
            lacp mode {
                periodic interval;
            }
        }
    }
    ge-chassis/pic/port {
        description text;
        ether-options {
            802.3ad aex;
            auto-negotiation;
            flow-control;
            link-mode mode;
            speed (speed | auto-negotiation | no-autonegotiation);
        }
        mtu bytes;
        unit logical-unit-number {
            family ethernet-switching {
                filter input filter-name;
                filter output filter-name;
                l3-interface interface-name-logical-unit-number;
                native-vlan-id vlan-id;
                port-mode mode;
                vlan {
                    members [ (names | vlan-ids) ];
                    translate vlan-id1 vlan-id2;
                }
            }
            vlan-id vlan-id-number;
        }
        vlan-tagging;
    }
}
802.3ad
Syntax: 802.3ad aex;
Hierarchy Level: [edit interfaces interface-name ether-options]
auto-negotiation
Syntax: (auto-negotiation | no-auto-negotiation);
Hierarchy Level: [edit interfaces interface-name ether-options]
Options:
auto-negotiation: Enable autonegotiation.
Complete Software Guide for JUNOS for EX-series Software, Release 9.2
description
Syntax
Hierarchy Level
Release Information
Description
description text;
[edit interfaces ge-chassis/slot/port]
Default
Options
textText to describe the interface. If the text includes spaces, enclose the entire
text in straight quotation marks.
314
description
ether-options
Syntax:
ether-options {
    802.3ad aex;
    auto-negotiation;
    flow-control;
    link-mode mode;
    speed (speed | auto-negotiation | no-autonegotiation);
}
Hierarchy Level: [edit interfaces interface-name]
Default: Enabled.
Required Privilege Level:
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.
family
Syntax:
family ethernet-switching {
    filter input filter-name;
    filter output filter-name;
    l3-interface interface-name-logical-unit-number;
    native-vlan-id vlan-id;
    port-mode mode;
    vlan {
        members [ (names | vlan-ids) ];
        translate vlan-id1 vlan-id2;
    }
}
Hierarchy Level: [edit interfaces ge-chassis/slot/port unit logical-unit-number]
Default: You must configure a logical interface to be able to use the physical device.
Options:
filter
Syntax:
filter input filter-name;
filter output filter-name;
Hierarchy Level: [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]
Default: All incoming traffic is accepted unmodified on the port or Layer 3 interface, and all
outgoing traffic is sent unmodified from the port or Layer 3 interface.
Options:
Related Topics: Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
flow-control
Syntax: (flow-control | no-flow-control);
Hierarchy Level: [edit interfaces interface-name ether-options]
Description:
Ethernet switch.
l3-interface
Syntax: l3-interface interface-name-logical-unit-number;
Hierarchy Level: [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]
lacp
Syntax:
lacp mode {
    periodic interval;
}
Hierarchy Level: [edit interfaces ae-chassis/slot/port aggregated-ether-options]
Options:
mode: LACP mode:
link-mode
Syntax: link-mode mode;
Hierarchy Level: [edit interfaces interface-name ether-options]
Options:
mode: Link characteristic:
members
Syntax: members [ (names | vlan-ids) ];
Hierarchy Level: [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching vlan]
Options:
mtu
Syntax: mtu bytes;
Hierarchy Level: [edit interfaces interface-name]
Default: 1514 bytes
Options:
bytes: MTU size.
native-vlan-id
Syntax: native-vlan-id vlan-id;
Hierarchy Level: [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]
Options:
periodic
Syntax: periodic interval;
Hierarchy Level: [edit interfaces ae-chassis/slot/port aggregated-ether-options lacp]
Default: fast
Options:
port-mode
Syntax: port-mode mode;
Hierarchy Level: [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]
Options:
access: Have the interface operate in access mode. In this mode, the interface can
in multiple VLANs and can multiplex traffic between different VLANs. Trunk
interfaces typically connect to other switches and to routers on the LAN.
speed
Syntax: speed (speed | auto-negotiation | no-autonegotiation);
Hierarchy Level: [edit interfaces interface-name ether-options]
Options:
specify a specific value. This value sets the speed that is used on the link. If the
auto-negotiation statement is enabled, you might want to configure a specific
speed value to advertise the desired speed to the remote end.
10m: 10 Mbps
100m: 100 Mbps
1g: 1 Gbps
other end of the link. This option is available only when the auto-negotiation
statement at the [edit interfaces interface-name ether-options] hierarchy level is
enabled.
translate
Syntax: translate vlan-id1 vlan-id2;
Hierarchy Level: [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching vlan]
Options:
unit
Syntax:
unit logical-unit-number {
    family ethernet-switching {
        l3-interface interface-name-logical-unit-number;
        native-vlan-id vlan-id;
        port-mode mode;
        vlan {
            members [ (names | vlan-ids) ];
            translate vlan-id1 vlan-id2;
        }
    }
    vlan-id vlan-id-number;
}
Hierarchy Level: [edit interfaces ge-chassis/slot/port]
Default: You must configure a logical interface to be able to use the physical device.
Options:
vlan
Syntax:
vlan {
    members [ (names | vlan-ids) ];
    translate vlan-id1 vlan-id2;
}
Hierarchy Level: [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]
vlan-id
Syntax: vlan-id vlan-id-number;
Hierarchy Level: [edit interfaces ge-chassis/slot/port unit logical-unit-number]
Options:
vlan-tagging
Syntax: vlan-tagging;
Hierarchy Level: [edit interfaces ge-chassis/pic/port]
Chapter 28
show interfaces
Syntax: show interfaces
Options:
interface.
brief | detail | extensive | terse: (Optional) Display the specified level of output.
descriptions: (Optional) Display interface description strings.
media: (Optional) Display media-specific information about network interfaces.
snmp-index snmp-index: (Optional) Display information for the specified SNMP index
of the interface.
statistics: (Optional) Display static interface statistics.
Required Privilege Level: view
Output Fields
Table 52 on page 332 lists the output fields for the show interfaces command. Output
fields are listed in the approximate order in which they appear.
Field | Field Description | Level of Output
Physical interface | | All levels
Enabled | | All levels
show interfaces
Field Description
Level of Output
Interface index
Index number of the physical interface, which reflects its initialization sequence.
SNMP ifIndex
Generation
detail extensive
Description
Link-level type
All levels
MTU
All levels
Speed
All levels
Loopback
All levels
Source filtering
All levels
Flow control
All levels
Auto-negotiation
All levels
Remote-fault
All levels
Device flags
All levels
Interface flags
All levels
Link flags
All levels
CoS queues
Hold-times
detail extensive
Current address
Hardware address
Last flapped
Date, time, and how long ago the interface went from down to up. The format
is Last flapped: year-month-day hour:minute:second timezone (hour:minute:second
ago). For example, Last flapped: 20080116 10:52:40 UTC (3d 22:58 ago).
Statistics last
cleared
Time when the statistics for the interface were last set to zero.
detail extensive
show interfaces
333
Complete Software Guide for JUNOS for EX-series Software, Release 9.2
Field Description
Level of Output
Traffic statistics
Number and rate of bytes and packets received and transmitted on the physical
interface.
detail extensive
Input errors: Input errors on the interface. The following paragraphs explain the counters whose meaning might not be obvious: (extensive)
  Drops: Number of packets dropped by the output queue of the ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism.
  Framing errors: Number of packets received with an invalid frame checksum (FCS).
  Runts: Number of frames received that are smaller than the runt threshold.
  L3 incompletes: Number of incoming packets discarded because they failed Layer 3 sanity checks of the headers. For example, a frame with less than 20 bytes of available IP header is discarded.
  L2 channel errors: Number of times the software did not find a valid logical interface for an incoming frame.
  FIFO errors: Number of FIFO errors in the receive direction that are reported by the ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
Output errors: Output errors on the interface. The following paragraphs explain the counters whose meaning might not be obvious: (extensive)
  Carrier transitions: Number of times the interface has gone from down to up. This number does not normally increment quickly, increasing only when the cable is unplugged, the far-end system is powered down and then up, or another problem occurs. If the number of carrier transitions increments quickly (perhaps once every 10 seconds), the cable, the far-end system, or the PIC or PIM is malfunctioning.
  Aged packets: Number of packets that were held so long that the system automatically purged them. The value in this field should never increment. If it does, it is most likely a software bug or possibly malfunctioning hardware.
  FIFO errors: Number of FIFO errors in the send direction as reported by the ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
  MTU errors: Number of packets whose size exceeded the MTU of the interface.
Egress queues (detail extensive)
Queue counters (Egress): CoS queue number and its associated user-configured forwarding class name. (detail extensive)
  Queued packets: Number of queued packets.
  Transmitted packets: Number of transmitted packets.
  Dropped packets: Number of packets dropped by the ASIC's RED mechanism.
Active alarms and Active defects: Ethernet-specific defects that can prevent the interface from passing packets. When a defect persists for a certain amount of time, it is promoted to an alarm. Based on the switch configuration, an alarm can ring the red or yellow alarm bell on the switch, or turn on the red or yellow alarm LED on the craft interface. These fields can contain the value None or Link.
  None: There are no active defects or alarms.
  Link: Interface has lost its link state, which usually means that the cable is unplugged, the far-end system has been turned off, or the PIC is malfunctioning.
MAC statistics (extensive)
  Total octets and total packets: Total number of octets and packets.
  CRC/Align errors: Total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
  FIFO error: Number of FIFO errors that are reported by the ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
  MAC pause frames: Number of MAC control frames with pause operational code.
  Jabber frames: Number of frames that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. This definition of jabber is different from the definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2). These documents define jabber as the condition in which any packet exceeds 20 ms. The allowed range to detect jabber is from 20 ms to 150 ms.
  Fragment frames: Total number of packets that were less than 64 octets in length (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. Fragment frames normally increment because both runts (which are normal occurrences caused by collisions) and noise hits are counted.
  VLAN tagged frames: Number of frames that are VLAN tagged. The system uses the TPID of 0x8100 in the frame to determine whether a frame is tagged.
Filter statistics: Receive and Transmit statistics reported by the PIC's MAC address filter subsystem. (extensive)
Autonegotiation information (extensive)
  Negotiation status:
  Link partner:
Logical Interface
Logical interface (All levels)
Index: Index number of the logical interface, which reflects its initialization sequence.
SNMP ifIndex
Generation (detail extensive)
Flags (All levels)
Encapsulation (All levels)
Protocol: Protocol family.
MTU
Generation (detail extensive)
Route Table: Route table in which the logical interface address is located. For example, 0 refers to the routing table inet.0.
Flags (detail extensive)
protocol-family: Protocol family configured on the logical interface. If the protocol is inet, the IP address of the interface is also displayed. (brief)
Flags
Destination
Local
Broadcast
Generation (detail extensive)
show interfaces extensive (Gigabit Ethernet), partial sample output

  Flags: SNMP-Traps
  Encapsulation: ENET2
  Input packets : 0
  Output packets: 0
  Protocol eth-switch, MTU: 0
    Flags: None
  Queue counters (partial):
    5760782572
    1 assured-forw
    5 expedited-fo
    7 network-cont
  Active alarms  : None
  Active defects : None
  Logical interface ge-0/0/0.0 (Index 66) (SNMP ifIndex 22) (Generation 132)
    Flags: SNMP-Traps Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                   60
     Output bytes  :                    0
     Input  packets:                    1
     Output packets:                    0
    Local statistics:
     Input  bytes  :                   60
     Output bytes  :                    0
     Input  packets:                    1
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Protocol eth-switch, MTU: 0, Generation: 143, Route table: 0
      Flags: Is-Primary
show interfaces
Syntax
Release Information
Description
Options
interface-type: (Optional) Display standard information about the specified interface.
brief | detail | extensive | terse: (Optional) Display the specified level of output.
descriptions: (Optional) Display interface description strings.
media: (Optional) Display media-specific information about network interfaces.
snmp-index snmp-index: (Optional) Display information for the specified SNMP index of the interface.
statistics: (Optional) Display static interface statistics.
Required Privilege Level
view
Related Topics
show interfaces
Output Fields
Table 53 on page 342 lists the output fields for the show interfaces command. Output
fields are listed in the approximate order in which they appear.
Table 53: show interfaces Output Fields (field: description; level of output in parentheses)
Physical interface (All levels)
Enabled (All levels)
Interface index: Index number of the physical interface, which reflects its initialization sequence.
SNMP ifIndex
Generation (detail extensive)
Link-level type (All levels)
MTU (All levels)
Speed (All levels)
Loopback (All levels)
Source filtering (All levels)
LAN-PHY mode (All levels)
Unidirectional (All levels)
Flow control (All levels)
Auto-negotiation (All levels)
Remote-fault (All levels)
Device flags (All levels)
Interface flags (All levels)
Link flags (All levels)
Wavelength (All levels)
Frequency (All levels)
CoS queues
Schedulers (extensive)
Hold-times (detail extensive)
Current address
Hardware address
Last flapped: Date, time, and how long ago the interface went from down to up. The format is Last flapped: year-month-day hour:minute:second timezone (hour:minute:second ago). For example, Last flapped: 20080116 10:52:40 UTC (3d 22:58 ago).
Input Rate: Input rate in bits per second (bps) and packets per second (pps). (None specified)
Output Rate: Output rate in bits per second (bps) and packets per second (pps). (None specified)
Statistics last cleared: Time when the statistics for the interface were last set to zero. (detail extensive)
Traffic statistics: Number and rate of bytes and packets received and transmitted on the physical interface. (detail extensive)
Input errors: Input errors on the interface. The following paragraphs explain the counters whose meaning might not be obvious: (extensive)
  Drops: Number of packets dropped by the output queue of the ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism.
  Framing errors: Number of packets received with an invalid frame checksum (FCS).
  Runts: Number of frames received that are smaller than the runt threshold.
  L3 incompletes: Number of incoming packets discarded because they failed Layer 3 sanity checks of the header. For example, a frame with less than 20 bytes of available IP header is discarded. L3 incomplete errors can be ignored if you configure the ignore-l3-incompletes statement.
  L2 channel errors: Number of times the software did not find a valid logical interface for an incoming frame.
  FIFO errors: Number of FIFO errors in the receive direction that are reported by the ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
Output errors: Output errors on the interface. The following paragraphs explain the counters whose meaning might not be obvious: (extensive)
  Carrier transitions: Number of times the interface has gone from down to up. This number does not normally increment quickly, increasing only when the cable is unplugged, the far-end system is powered down and then up, or another problem occurs. If the number of carrier transitions increments quickly (perhaps once every 10 seconds), the cable, the far-end system, or the PIC or PIM is malfunctioning.
  Aged packets: Number of packets that were held so long that the system automatically purged them. The value in this field should never increment. If it does, it is most likely a software bug or possibly malfunctioning hardware.
  FIFO errors: Number of FIFO errors in the send direction as reported by the ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
  MTU errors: Number of packets whose size exceeded the MTU of the interface.
Egress queues (detail extensive)
Queue counters (Egress): CoS queue number and its associated user-configured forwarding class name. (detail extensive)
  Queued packets: Number of queued packets.
  Transmitted packets: Number of transmitted packets.
  Dropped packets: Number of packets dropped by the ASIC's RED mechanism.
Ingress queues (extensive)
Queue counters (Ingress): CoS queue number and its associated user-configured forwarding class name. (extensive)
  Queued packets: Number of queued packets.
  Transmitted packets: Number of transmitted packets.
  Dropped packets: Number of packets dropped by the ASIC's RED mechanism.
Active alarms and Active defects: Ethernet-specific defects that can prevent the interface from passing packets. When a defect persists for a certain amount of time, it is promoted to an alarm. Based on the router configuration, an alarm can ring the red or yellow alarm bell on the router, or turn on the red or yellow alarm LED on the craft interface. These fields can contain the value None or Link.
  None: There are no active defects or alarms.
  Link: Interface has lost its link state, which usually means that the cable is unplugged, the far-end system has been turned off, or the PIC is malfunctioning.
PCS statistics: Physical Coding Sublayer (PCS) fault conditions from the LAN PHY device. (detail extensive)
MAC statistics (extensive)
  Total octets and total packets: Total number of octets and packets.
  CRC/Align errors: Total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
  FIFO error: Number of FIFO errors that are reported by the ASIC on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
  MAC pause frames: Number of MAC control frames with pause operational code.
  Jabber frames: Number of frames that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. This definition of jabber is different from the definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2). These documents define jabber as the condition in which any packet exceeds 20 ms. The allowed range to detect jabber is from 20 ms to 150 ms.
  Fragment frames: Total number of packets that were less than 64 octets in length (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. Fragment frames normally increment because both runts (which are normal occurrences caused by collisions) and noise hits are counted.
  VLAN tagged frames: Number of frames that are VLAN tagged. The system uses the TPID of 0x8100 in the frame to determine whether a frame is tagged.
Filter statistics: Receive and Transmit statistics reported by the PIC's MAC address filter subsystem. (extensive)
Autonegotiation information (extensive)
  Negotiation status:
  Link partner:
Packet Forwarding Engine configuration (extensive)
Logical Interface
Logical interface (All levels)
Index: Index number of the logical interface, which reflects its initialization sequence.
SNMP ifIndex
Generation (detail extensive)
Flags (All levels)
Encapsulation (All levels)
Protocol: Protocol family.
MTU
Generation (detail extensive)
Route Table: Route table in which the logical interface address is located. For example, 0 refers to the routing table inet.0.
Flags (detail extensive)
protocol-family: Protocol family configured on the logical interface. If the protocol is inet, the IP address of the interface is also displayed. (brief)
Flags
Destination
Local
Broadcast
Generation (detail extensive)
show interfaces (10-Gigabit Ethernet), partial sample output

  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:19:e2:50:c8:99, Hardware address: 00:19:e2:50:c8:99
  Last flapped   : 2008-02-25 05:28:08 UTC (00:16:29 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                    0                    0 bps
   Output bytes  :                    0                    0 bps
   Input  packets:                    0                    0 pps
   Output packets:                    0                    0 pps
  Egress queues: 8 supported, 0 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort
    1 assured-forw
    5 expedited-fo
    7 network-cont
show interfaces extensive (10-Gigabit Ethernet), partial sample output

  Traffic statistics:
   Input  bytes  :                    0                    0 bps
   Output bytes  :                    0                    0 bps
   Input  packets:                    0                    0 pps
   Output packets:                    0                    0 pps
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
    FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 0 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                    0                    0                    0
    1 assured-forw                   0                    0                    0
    5 expedited-fo                   0                    0                    0
    7 network-cont                   0                    0                    0
  (Scheduler table: only the column headings Transmit, Buffer, Priority and the values usec, 0, low, low, none survived extraction.)
  Logical interface xe-0/1/0.0 (Index 88) (SNMP ifIndex 70) (Generation 154)
    Flags: SNMP-Traps Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Protocol eth-switch, MTU: 0, Generation: 166, Route table: 0
      Flags: None
show interfaces diagnostics optics
Options
Required Privilege Level
view
Related Topics
Table 54: 10-Gigabit Ethernet XFP Optics show interfaces diagnostics optics Output Fields (field name: field description)
Physical interface
Laser bias current: Magnitude of the laser bias power setting current, in milliamperes. The laser bias provides direct modulation of laser diodes and modulates currents.
Laser output power: Laser output power, in milliwatts (mW) and decibels, referenced to 1.0 mW (dBm). This is a software equivalent to the LsPOWMON pin in hardware.
Module temperature
Laser rx power
Module temperature high alarm
Module temperature high warning
Module not ready alarm: When on, indicates the module has an operational fault. Displays on or off.
Module power down alarm: When on, module is in a limited power mode, low for normal operation. Displays on or off.
Transmit path alarms (two fields): Any condition leading to invalid data on the transmit path. Displays on or off.
Transmit CDR loss of lock alarm: Transmit clock and data recovery (CDR) loss of lock. Loss of lock on the transmit side of the CDR. Displays on or off.
Receive path alarm: Any condition leading to invalid data on the receive path. Displays on or off.
Receive loss of signal alarm: When on, indicates insufficient optical input power to the module. Displays on or off.
Receive CDR loss of lock alarm: Loss of lock on the receive side of the CDR. Displays on or off.
Laser bias current high alarm threshold: Vendor-specified threshold for the laser bias current high alarm: 130.000 mA.
Laser bias current low alarm threshold: Vendor-specified threshold for the laser bias current low alarm: 10.000 mA.
Laser bias current high warning threshold: Vendor-specified threshold for the laser bias current high warning: 120.000 mA.
Laser bias current low warning threshold: Vendor-specified threshold for the laser bias current low warning: 12.000 mA.
Laser output power high alarm threshold: Vendor-specified threshold for the laser output power high alarm: 0.8910 mW or -0.50 dBm.
Laser output power low alarm threshold: Vendor-specified threshold for the laser output power low alarm: 0.2230 mW or -6.52 dBm.
Laser output power high warning threshold: Vendor-specified threshold for the laser output power high warning: 0.7940 mW or -1.00 dBm.
Laser output power low warning threshold: Vendor-specified threshold for the laser output power low warning: 0.2510 mW or -6.00 dBm.
Module temperature high alarm threshold
Module temperature high warning threshold
Laser rx power high alarm threshold: Vendor-specified threshold for the laser Rx power high alarm: 1.2589 mW or 1.00 dBm.
Laser rx power low alarm threshold: Vendor-specified threshold for the laser Rx power low alarm: 0.0323 mW or -14.91 dBm.
Laser rx power high warning threshold: Vendor-specified threshold for the laser Rx power high warning: 1.1220 mW or 0.50 dBm.
Laser rx power low warning threshold: Vendor-specified threshold for the laser Rx power low warning: 0.0363 mW or -14.40 dBm.
show interfaces diagnostics optics (XFP Optics)

user@switch> show interfaces diagnostics optics xe-2/1/0
Physical interface: xe-2/1/0
    Laser bias current                        :  52.060 mA
    Laser output power                        :  0.5640 mW / -2.49 dBm
    Module temperature                        :  31 degrees C / 88 degrees F
    Laser rx power                            :  0.0844 mW / -10.74 dBm
    (25 alarm and warning flags: the high and low alarms and warnings for laser bias current, laser output power, module temperature and laser rx power, plus module not ready, module power down, the transmit and receive path alarms and the transmit and receive CDR loss of lock alarms; all Off in this output)
    Laser bias current high alarm threshold   :  130.000 mA
    Laser bias current low alarm threshold    :  10.000 mA
    Laser bias current high warning threshold :  120.000 mA
    Laser bias current low warning threshold  :  12.000 mA
    Laser output power high alarm threshold   :  0.8910 mW / -0.50 dBm
    Laser output power low alarm threshold    :  0.2230 mW / -6.52 dBm
    Laser output power high warning threshold :  0.7940 mW / -1.00 dBm
    Laser output power low warning threshold  :  0.2510 mW / -6.00 dBm
    Module temperature high alarm threshold   :  90 degrees C / 194 degrees F
    Module temperature low alarm threshold    :  -5 degrees C / 23 degrees F
    Module temperature high warning threshold :  85 degrees C / 185 degrees F
    Module temperature low warning threshold  :  0 degrees C / 32 degrees F
    Laser rx power high alarm threshold       :  1.2589 mW / 1.00 dBm
    Laser rx power low alarm threshold        :  0.0323 mW / -14.91 dBm
    Laser rx power high warning threshold     :  1.1220 mW / 0.50 dBm
    Laser rx power low warning threshold      :  0.0363 mW / -14.40 dBm
Part 8
Configuration Statements for Bridging, VLANs, and Spanning Trees on page 483
Chapter 29
A characteristic of Ethernet is that nodes on a LAN can transmit data frames at any
time. However, the physical connecting cable between the nodes, whether coaxial,
copper-based (Category 5), or optical cable, can carry only a single stream of data
at a time. One result of this design is that when two nodes transmit at the same time,
their frames can collide on the cable and generate an error. Ethernet uses a protocol
called carrier-sense multiple access with collision detection (CSMA/CD) to detect
frame collisions. If a node receives a collision error message, it stops transmitting
immediately and waits for a period of time before trying to send the frame again. If
the node continues to detect collisions, it progressively increases the time between
retransmissions in an attempt to find a time when no other data is being transmitted
on the LAN. The node uses a backoff algorithm to calculate the increasing
retransmission time intervals.
Ethernet LANs were originally implemented for small, simple networks that carried
primarily text. Over time, LANs have become larger and more complex; the type of
data they carry has grown to include voice, graphics, and video; and the increased
speed of Ethernet interfaces on LANs has resulted in exponential increases in traffic
on the network.
The IEEE 802.1D-2004 standard addresses some of the problems caused by the
increase in LAN size and complexity. This standard defines transparent bridging (generally
called simply bridging). Bridging divides a single physical LAN (a single broadcast
domain) into two or more virtual LANs, or VLANs. Each VLAN is a collection of network
nodes that are grouped together to form separate broadcast domains. On an Ethernet
network that is a single LAN, all traffic is forwarded to all nodes on the LAN. On
VLANs, frames whose origin and destination are in the same VLAN are forwarded
only within the local VLAN. Frames that are not destined for the local VLAN are the
only ones forwarded to other broadcast domains. VLANs thus limit the amount of
traffic flowing across the entire LAN, reducing the possible number of collisions and
packet retransmissions within a VLAN and on the LAN as a whole.
On an Ethernet LAN, all network nodes must be physically connected to the same
network. On VLANs, the physical location of the nodes is not important, so you can
group network devices in any way that makes sense for your organization, such as
by department or business function, types of network nodes, or even physical location.
Each VLAN is identified by a single IP subnetwork and by standardized IEEE 802.1Q
encapsulation (discussed below).
Learning
Forwarding
Flooding
Filtering
Aging
By interface (port) on the switch. You specify that all traffic received on a
particular interface on the switch is assigned to a specific VLAN. If you use the
default factory switch settings, all traffic received on an access interface is
untagged. This traffic is part of a default VLAN, but it is not tagged with an 802.1Q
tag. When configuring the switch, you specify which VLAN to assign the traffic
to. You configure the VLAN either by using a VLAN number (called a VLAN ID)
or by using a name, which the switch translates into a numeric VLAN ID.
By MAC address. You can specify that all traffic received from a specific MAC
address be forwarded to a specific egress interface (next hop) on the switch. This
method is administratively cumbersome to configure manually, but it can be
useful when you are using automated databases to manage the switches on your
network.
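To make the bridge operations listed above (learning, forwarding, flooding, filtering, aging) and port-based VLAN assignment concrete, here is an added Python model written for this edit; it is an illustration, not JUNOS code, and the port names, MAC addresses and the 300-second aging limit are constructed assumptions.

```python
from collections import namedtuple

# A minimal Ethernet frame: source MAC, destination MAC, ingress port.
Frame = namedtuple("Frame", "src dst in_port")
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Port-based VLANs with one MAC table per VLAN (hypothetical model, not JUNOS code)."""

    def __init__(self, port_vlan, age_limit=300):
        # Port-based assignment: every frame received on a port belongs to that port's VLAN.
        self.port_vlan = dict(port_vlan)
        self.age_limit = age_limit          # seconds an idle entry survives (aging)
        self.table = {}                     # (vlan, mac) -> (port, last_seen)

    def age(self, now):
        """Aging: forget stations that have been silent longer than age_limit."""
        stale = [key for key, (_, seen) in self.table.items() if now - seen > self.age_limit]
        for key in stale:
            del self.table[key]
        return len(stale)

    def receive(self, frame, now):
        """Return the list of egress ports for the frame (an empty list means it is dropped)."""
        vlan = self.port_vlan[frame.in_port]
        # Learning: the source is reachable through the ingress port, within this VLAN only.
        self.table[(vlan, frame.src)] = (frame.in_port, now)
        self.age(now)
        entry = None if frame.dst == BROADCAST else self.table.get((vlan, frame.dst))
        if entry is None:
            # Flooding: unknown unicast and broadcast go to every other port of the same
            # VLAN. Ports in other VLANs are separate broadcast domains and never see it.
            return [p for p, v in self.port_vlan.items() if v == vlan and p != frame.in_port]
        out_port, _ = entry
        if out_port == frame.in_port:
            # Filtering: the destination sits on the segment the frame came from, so the
            # bridge does not repeat it onto any other port.
            return []
        # Forwarding: known destination, a single egress port.
        return [out_port]


def run_demo():
    """Constructed walk-through using the sales (100) and support (200) VLAN layout."""
    sw = VlanSwitch({"ge-0/0/0": 100, "ge-0/0/3": 100, "ge-0/0/20": 100,
                     "ge-0/0/24": 200, "ge-0/0/26": 200})
    a, b, c, d = ("00:00:5e:00:53:0a", "00:00:5e:00:53:0b",
                  "00:00:5e:00:53:0c", "00:00:5e:00:53:0d")
    out = {}
    # t=0: a (sales) sends to b before b is learned: flooded inside sales only.
    out["unknown_dst"] = sw.receive(Frame(a, b, "ge-0/0/0"), 0)
    # t=1: b replies from ge-0/0/3; a is known, so exactly one egress port.
    out["known_dst"] = sw.receive(Frame(b, a, "ge-0/0/3"), 1)
    # t=2: c in support sends to a; a was learned in VLAN 100 only, so support is flooded.
    out["cross_vlan"] = sw.receive(Frame(c, a, "ge-0/0/24"), 2)
    # t=3: a sends to b again; now forwarded directly.
    out["forward"] = sw.receive(Frame(a, b, "ge-0/0/0"), 3)
    # t=3: d, on the same segment as b, sends to b; the bridge filters the frame.
    out["filtered"] = sw.receive(Frame(d, b, "ge-0/0/3"), 3)
    # t=400: b, c and d have been idle longer than 300 s and are aged out; a->b floods again.
    out["aged"] = sw.receive(Frame(a, b, "ge-0/0/0"), 400)
    out["table_size"] = len(sw.table)
    return out


if __name__ == "__main__":
    for step, ports in run_demo().items():
        print(f"{step:12s} -> {ports}")
```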
GVRP
The GARP VLAN Registration Protocol (GVRP) is an application protocol of the Generic
Attribute Registration Protocol (GARP) and is defined in the IEEE 802.1Q standard.
GVRP learns VLANs on a particular 802.1Q trunk port and adds the corresponding
trunk port to the VLAN if the advertised VLAN is preconfigured on the switch.
The VLAN registration information sent by GVRP includes the current VLAN
membership, that is, which switches are members of which VLANs and which
switch ports are in which VLAN. GVRP shares all VLAN information configured
manually on a local switch.
As part of ensuring that VLAN membership information is current, GVRP removes
switches and ports from the VLAN information when they become unavailable.
Pruning VLAN information:
Targets the scope of broadcast, unknown unicast, and multicast (BUM) traffic to
interested devices only.
Figure 18 on page 366 illustrates how the redundant trunk link topology works when
the primary link goes down.
Figure 18: Redundant Trunk Group, Link 2 Active
366
Link 1 is down between Switch 3 and Switch 1. Link 2 takes over as the active link.
Traffic between the access layer and the distribution layer is automatically switched
to Link 2 between Switch 1 and Switch 2.
Related Topics
Example: Configuring Redundant Trunk Links for Faster Recovery on page 400
redundant-trunk-group
Chapter 30
Example: Configuring Redundant Trunk Links for Faster Recovery on page 400
Requirements
This example uses the following software and hardware components:
Installed your EX-series switch. See Installing and Connecting an EX-series Switch.
Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.
Settings
Switch hardware
VLAN name
default
ge-0/0/0
Configuration
CLI Quick Configuration
By default, after you perform the initial configuration on the EX 4200 switch, switching
is enabled on all interfaces, a VLAN named default is created, and all interfaces are
placed into this VLAN. You do not need to perform any other configuration on the
switch to set up bridging and VLANs. To use the switch, simply plug the Avaya IP
phones into the PoE-enabled ports ge-0/0/1 through ge-0/0/7, and plug in the PCs,
file servers, and printers to the non-PoE ports, ge-0/0/8 through ge-0/0/12 and
ge-0/0/17 through ge-0/0/20.
Step-by-Step Procedure
1.
2.
3. Connect the seven Avaya phones to switch ports ge-0/0/1 through ge-0/0/7.
4.
5.
6.
Results
}
}
commit {
factory-settings {
reset-chassis-lcd-menu;
reset-virtual-chassis-configuration;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/16 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/17 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/18 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/19 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/20 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/21 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/22 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/23 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/0 {
unit 0 {
family ethernet-switching;
}
}
xe-0/1/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/1 {
unit 0 {
family ethernet-switching;
}
}
xe-0/1/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/3 {
unit 0 {
family ethernet-switching;
}
}
}
protocols {
lldp {
interface all;
}
rstp;
}
poe {
interface all;
}
Verification
To verify that switching is operational and that a VLAN has been created, perform
these tasks:
Verifying That Interfaces Are Associated with the Proper VLANs on page 375
Action
Verify that the VLAN named default has been created on the switch.
List all VLANs configured on the switch:
user@switch> show vlans
Name           Tag     Interfaces
default                ge-0/0/0.0*,
                       ge-0/0/4.0,
                       ge-0/0/8.0*,
                       ge-0/0/12.0,
                       ge-0/0/16.0,
                       ge-0/0/20.0,
                       ge-0/1/0.0*
mgmt                   me0.0*
Meaning
The show vlans command lists the VLANs configured on the switch. This output shows
that the VLAN default has been created.
Action
Verify that Ethernet switching is enabled on switch interfaces and that all interfaces
are included in the VLAN.
List all interfaces on which switching is enabled:
user@switch> show ethernet-switching interfaces
Interface     State   VLAN members   Blocking
ge-0/0/0.0    up      default        unblocked
ge-0/0/1.0    down    default        blocked by STP/RTG
ge-0/0/2.0    down    default        blocked by STP/RTG
ge-0/0/3.0    down    default        blocked by STP/RTG
ge-0/0/4.0    down    default        blocked by STP/RTG
ge-0/0/5.0    down    default        blocked by STP/RTG
ge-0/0/6.0    down    default        blocked by STP/RTG
ge-0/0/7.0    down    default        blocked by STP/RTG
ge-0/0/8.0    up      default        unblocked
ge-0/0/9.0    down    default        blocked by STP/RTG
ge-0/0/10.0   down    default        blocked by STP/RTG
ge-0/0/11.0   up      default        unblocked
ge-0/0/12.0   down    default        blocked by STP/RTG
ge-0/0/13.0   down    default        blocked by STP/RTG
ge-0/0/14.0   down    default        blocked by STP/RTG
ge-0/0/15.0   down    default        blocked by STP/RTG
ge-0/0/16.0   down    default        blocked by STP/RTG
ge-0/0/17.0   down    default        blocked by STP/RTG
ge-0/0/18.0   down    default        blocked by STP/RTG
ge-0/0/19.0   up      default        unblocked
ge-0/0/20.0   down    default        blocked by STP/RTG
ge-0/0/21.0   down    default        blocked by STP/RTG
ge-0/0/22.0   down    default        blocked by STP/RTG
ge-0/0/23.0   down    default        blocked by STP/RTG
ge-0/1/0.0    up      default        unblocked
ge-0/1/1.0    up      default        unblocked
ge-0/1/2.0    up      default        unblocked
ge-0/1/3.0    up      default        unblocked
me0.0         up      mgmt           unblocked
Meaning
The show ethernet-switching interfaces command lists all interfaces on which switching
is enabled (in the Interface column), along with the VLANs that are active on the
interfaces (in the VLAN members column). The output in this example shows all the
connected interfaces, ge-0/0/0 through ge-0/0/12 and ge-0/0/17 through ge-0/0/20
and that they are all part of VLAN default. Notice that the interfaces listed are the
logical interfaces, not the physical interfaces. For example, the output shows
ge-0/0/0.0 instead of ge-0/0/0. This is because JUNOS software creates VLANs on
logical interfaces, not directly on physical interfaces.
Requirements
This example uses the following hardware and software components:
Installed the EX-series switch. See Installing and Connecting an EX-series Switch.
Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.
Settings
Switch hardware
VLAN subnets
Unused interfaces
This configuration example creates two IP subnets, one for the sales VLAN and the
second for the support VLAN. The switch bridges traffic within a VLAN. For traffic
passing between two VLANs, the switch routes the traffic using a Layer 3 routing
interface on which you have configured the address of the IP subnet.
To keep the example simple, the configuration steps show only a few devices in each
of the VLANs. Use the same configuration procedure to add more LAN devices.
Configuration
Configure Layer 2 switching for two VLANs:
CLI Quick Configuration
To quickly configure Layer 2 switching for the two VLANs (sales and support) and to
quickly configure Layer 3 routing of traffic between the two VLANs, copy the following
commands and paste them into the switch terminal window:
[edit]
set interfaces ge-0/0/0 unit 0 description Sales wireless access point port
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/3 unit 0 description Sales phone port
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/22 unit 0 description Sales printer port
set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/20 unit 0 description Sales file server port
set interfaces ge-0/0/20 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/24 unit 0 description Support wireless access point port
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/26 unit 0 description Support phone port
set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/44 unit 0 description Support printer port
set interfaces ge-0/0/44 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/46 unit 0 description Support file server port
set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members support
set interfaces vlan unit 0 family inet address 192.0.2.1/25
set interfaces vlan unit 1 family inet address 192.0.2.129/25
set vlans sales l3-interface vlan.0
set vlans sales vlan-id 100
set vlans support vlan-id 200
set vlans support l3-interface vlan.1
Step-by-Step Procedure
Configure the switch interfaces and the VLANs to which they belong. By default, all
interfaces are in access mode, so you do not have to configure the port mode.
1.
Configure the interface for the wireless access point in the sales VLAN:
[edit interfaces ge-0/0/0 unit 0]
user@switch# set description Sales wireless access point port
user@switch# set family ethernet-switching vlan members sales
2.
Configure the interface for the Avaya IP phone in the sales VLAN:
[edit interfaces ge-0/0/3 unit 0]
user@switch# set description Sales phone port
user@switch# set family ethernet-switching vlan members sales
3.
4.
Configure the interface for the file server in the sales VLAN:
[edit interfaces ge-0/0/20 unit 0]
user@switch# set description "Sales file server port"
user@switch# set family ethernet-switching vlan members sales
5.
Configure the interface for the wireless access point in the support VLAN:
[edit interfaces ge-0/0/24 unit 0]
user@switch# set description "Support wireless access point port"
user@switch# set family ethernet-switching vlan members support
6.
Configure the interface for the Avaya IP phone in the support VLAN:
[edit interfaces ge-0/0/26 unit 0]
user@switch# set description "Support phone port"
user@switch# set family ethernet-switching vlan members support
7.
8.
Configure the interface for the file server in the support VLAN:
[edit interfaces ge-0/0/46 unit 0]
user@switch# set description "Support file server port"
user@switch# set family ethernet-switching vlan members support
9.
Complete Software Guide for JUNOS for EX-series Software, Release 9.2
[edit interfaces]
user@switch# set vlan unit 0 family inet address 192.0.2.1/25
10.
11.
Configure the VLAN tag IDs for the sales and support VLANs:
[edit vlans]
user@switch# set sales vlan-id 100
user@switch# set support vlan-id 200
12.
To route traffic between the sales and support VLANs, define the interfaces that
are members of each VLAN and associate a Layer 3 interface:
[edit vlans]
user@switch# set sales l3-interface vlan.0
user@switch# set support l3-interface vlan.1
            family ethernet-switching {
                vlan members sales;
            }
        }
    }
    ge-0/0/24 {
        unit 0 {
            description "Support wireless access point port";
            family ethernet-switching {
                vlan members support;
            }
        }
    }
    ge-0/0/26 {
        unit 0 {
            description "Support phone port";
            family ethernet-switching {
                vlan members support;
            }
        }
    }
    ge-0/0/44 {
        unit 0 {
            description "Support printer port";
            family ethernet-switching {
                vlan members support;
            }
        }
    }
    ge-0/0/46 {
        unit 0 {
            description "Support file server port";
            family ethernet-switching {
                vlan members support;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.0.2.0/25;
            }
        }
        unit 1 {
            family inet {
                address 192.0.2.128/25;
            }
        }
    }
}
vlans {
    sales {
        vlan-id 100;
        interface ge-0/0/0.0;
        interface ge-0/0/3.0;
        interface ge-0/0/20.0;
        interface ge-0/0/22.0;
        l3-interface vlan.0;
    }
    support {
        vlan-id 200;
        interface ge-0/0/24.0;
        interface ge-0/0/26.0;
        interface ge-0/0/44.0;
        interface ge-0/0/46.0;
        l3-interface vlan.1;
    }
}
Tip
To quickly configure the sales and support VLAN interfaces, issue the load merge
terminal command, then copy the hierarchy and paste it into the switch terminal
window.
Verification
To verify that the sales and support VLANs have been created and are operating
properly, perform these tasks:
Verifying That the VLANs Have Been Created and Associated to the Correct
Interfaces on page 382
Verifying That Traffic Is Being Routed Between the Two VLANs on page 383
Verifying That Traffic Is Being Switched Between the Two VLANs on page 383
Verifying That the VLANs Have Been Created and Associated to the Correct
Interfaces
Purpose
Verify that the VLANs sales and support have been created on the switch and that
all connected interfaces on the switch are members of the correct VLAN.
Action
Use the operational mode commands:
List all VLANs configured on the switch:
user@switch> show vlans
Name           Tag     Interfaces
default
               ge-0/0/1.0, ge-0/0/2.0, ge-0/0/4.0, ge-0/0/5.0,
               ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0,
               ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0, ge-0/0/13.0*,
               ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0,
               ge-0/0/18.0, ge-0/0/19.0, ge-0/0/21.0, ge-0/0/23.0*,
               ge-0/0/25.0, ge-0/0/27.0, ge-0/0/28.0, ge-0/0/29.0,
               ge-0/0/30.0, ge-0/0/31.0, ge-0/0/32.0, ge-0/0/33.0,
               ge-0/0/34.0, ge-0/0/35.0, ge-0/0/36.0, ge-0/0/37.0,
               ge-0/0/38.0, ge-0/0/39.0, ge-0/0/40.0, ge-0/0/41.0,
               ge-0/0/42.0, ge-0/0/43.0, ge-0/0/45.0, ge-0/0/47.0,
               ge-0/1/0.0*, ge-0/1/1.0*, ge-0/1/2.0*, ge-0/1/3.0*
sales          100
               ge-0/0/0.0*, ge-0/0/3.0, ge-0/0/20.0, ge-0/0/22.0
support        200
               ge-0/0/24.0, ge-0/0/26.0, ge-0/0/44.0, ge-0/0/46.0*
mgmt
               me0.0*
Meaning
The show vlans command lists all VLANs configured on the switch and which interfaces
are members of each VLAN. This command output shows that the sales and support
VLANs have been created. The sales VLAN has a tag ID of 100 and is associated with
interfaces ge-0/0/0.0, ge-0/0/3.0, ge-0/0/20.0, and ge-0/0/22.0. VLAN support has
a tag ID of 200 and is associated with interfaces ge-0/0/24.0, ge-0/0/26.0,
ge-0/0/44.0, and ge-0/0/46.0.
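Reading this output by eye does not scale beyond one switch, and the question a security reviewer actually asks is not "are the VLANs there" but "is every port in the VLAN it was designed for, and is any live port sitting in default". The following Python is an added example, not part of the Juniper guide: it parses the Name / Tag / Interfaces layout of the show vlans output shown above and compares it with an intended port-to-VLAN plan. The sample text, the PLAN mapping and the deliberately misplaced ge-0/0/3.0 are constructed for this example; the planned membership is the one configured in this example.

```python
"""Audit `show vlans` output against the intended VLAN membership plan.

Added example, not part of the Juniper guide. The parser follows the
Name / Tag / Interfaces layout of the guide's sample `show vlans` output;
the text below is constructed from that output, with ge-0/0/3.0 moved
into the support VLAN on purpose so that the check has something to find.
"""
import re
from typing import Dict, List

# Constructed sample output (modelled on the guide's example switch).
SHOW_VLANS = """\
Name           Tag     Interfaces
default
               ge-0/0/1.0, ge-0/0/2.0, ge-0/0/10.0*, ge-0/0/13.0*,
               ge-0/1/0.0*, ge-0/1/1.0*
sales          100
               ge-0/0/0.0*, ge-0/0/20.0, ge-0/0/22.0
support        200
               ge-0/0/3.0, ge-0/0/24.0, ge-0/0/26.0, ge-0/0/44.0, ge-0/0/46.0*
mgmt
               me0.0*
"""

# Intended design for access ports: interface -> VLAN it should belong to.
# (A trunk carrying several VLANs appears under each of them and would need
# a set of allowed VLANs instead; this plan covers access ports only.)
PLAN = {
    "ge-0/0/0.0": "sales", "ge-0/0/3.0": "sales",
    "ge-0/0/20.0": "sales", "ge-0/0/22.0": "sales",
    "ge-0/0/24.0": "support", "ge-0/0/26.0": "support",
    "ge-0/0/44.0": "support", "ge-0/0/46.0": "support",
    "me0.0": "mgmt",
}

VLAN_ROW = re.compile(r"^(\S+)\s*(\d+)?\s*$")        # e.g. "sales          100"
IFACE = re.compile(r"([a-z]+-?[\d/]+\.\d+)(\*?)")     # e.g. "ge-0/0/0.0*"


def parse_show_vlans(text: str) -> Dict[str, dict]:
    """Return {vlan: {"tag": int | None, "interfaces": {name: link_is_up}}}.

    A VLAN row starts in column 0 (name and optional tag); the indented
    lines that follow list its member interfaces, '*' marking link up.
    """
    vlans: Dict[str, dict] = {}
    current = None
    for line in text.splitlines()[1:]:              # skip the column header
        if not line.strip():
            continue
        if not line[0].isspace():
            m = VLAN_ROW.match(line)
            if m is None:
                raise ValueError(f"unexpected VLAN row: {line!r}")
            current = m.group(1)
            vlans[current] = {
                "tag": int(m.group(2)) if m.group(2) else None,
                "interfaces": {},
            }
        elif current is not None:
            for name, star in IFACE.findall(line):
                vlans[current]["interfaces"][name] = star == "*"
    return vlans


def audit(vlans: Dict[str, dict], plan: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare observed membership with the plan.

    misplaced    - interface found in a VLAN other than its planned one
    unplanned_up - link-up interface with no plan entry (a live port left
                   in 'default' is the classic unmanaged-access finding)
    missing      - planned interface that appears in no VLAN at all
    """
    seen: Dict[str, str] = {}
    result: Dict[str, List[str]] = {"misplaced": [], "unplanned_up": [], "missing": []}
    for vlan, info in vlans.items():
        for iface, up in info["interfaces"].items():
            seen[iface] = vlan
            want = plan.get(iface)
            if want is None:
                if up:
                    result["unplanned_up"].append(f"{iface} in {vlan}")
            elif want != vlan:
                result["misplaced"].append(f"{iface} in {vlan}, planned {want}")
    result["missing"] = sorted(set(plan) - set(seen))
    result["misplaced"].sort()
    result["unplanned_up"].sort()
    return result


if __name__ == "__main__":
    findings = audit(parse_show_vlans(SHOW_VLANS), PLAN)
    for kind, items in findings.items():
        for item in items:
            print(f"{kind}: {item}")
```

Run against the sample, the audit reports ge-0/0/3.0 as misplaced and the four link-up ports still in default as unplanned; the same plan can be reused for the distribution switch output later in this chapter, bearing in mind that a trunk port appears under every VLAN it carries and needs a set of allowed VLANs rather than a single planned one.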
Address        Name    Interface   Flags
192.0.2.3              vlan.0      None
192.0.2.11             vlan.1      None
Verify that learned entries are being added to the Ethernet switching table.
List the contents of the Ethernet switching table:
user@switch> show ethernet-switching table
Ethernet-switching table: 8 entries, 5 learned
  VLAN      MAC address        Type    Age  Interfaces
  default   *                  Flood        All-members
  default   00:00:05:00:00:01  Learn        ge-0/0/10.0
  default   00:00:5e:00:01:09  Learn        ge-0/0/13.0
  default   00:19:e2:50:63:e0  Learn        ge-0/0/23.0
  sales     *                  Flood        All-members
  sales     00:00:5e:00:07:09  Learn        ge-0/0/0.0
  support   *                  Flood        All-members
  support   00:00:5e:00:01:01  Learn        ge-0/0/46.0
Meaning
The output shows that learned entries for the sales and support VLANs have been
added to the Ethernet switching table, and are associated with interfaces ge-0/0/0.0
and ge-0/0/46.0. Even though the VLANs were associated with more than one
interface in the configuration, these interfaces are the only ones that are currently
operating.
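The switching table is also the cheapest telemetry a switch offers about what is really plugged into each access port. As an added example (not from the Juniper guide), the following Python parses the VLAN / MAC address / Type / Age / Interfaces rows shown above and derives two defensive checks from them: access ports that have learned more addresses than the single device they were provisioned for, and one MAC address that appears behind two different interfaces. The sample text and every MAC address in it are constructed, including the two anomalies the checks are meant to surface.

```python
"""Parse `show ethernet-switching table` output and flag anomalies.

Added example, not from the Juniper guide. The row layout (VLAN, MAC
address, Type, Age, Interfaces) follows the guide's sample output; the
sample text and the MAC addresses in it are constructed, including one
MAC that shows up on two different interfaces and one access port that
has learned more addresses than a single attached device would produce.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SHOW_TABLE = """\
Ethernet-switching table: 10 entries, 7 learned
  VLAN      MAC address        Type    Age  Interfaces
  default   *                  Flood     -  All-members
  default   00:00:05:00:00:01  Learn     0  ge-0/0/10.0
  default   00:00:5e:00:01:09  Learn     0  ge-0/0/13.0
  sales     *                  Flood     -  All-members
  sales     00:00:5e:00:07:09  Learn     0  ge-0/0/0.0
  sales     00:00:5e:00:07:0a  Learn     0  ge-0/0/0.0
  sales     00:00:5e:00:07:0b  Learn     0  ge-0/0/0.0
  support   *                  Flood     -  All-members
  support   00:00:5e:00:01:01  Learn     0  ge-0/0/46.0
  support   00:00:5e:00:07:09  Learn     0  ge-0/0/46.0
"""

# One table row; the summary line and the column header do not match.
ROW = re.compile(
    r"^\s*(?P<vlan>\S+)\s+(?P<mac>\S+)\s+(?P<type>Flood|Learn|Static)"
    r"\s+(?P<age>\S+)\s+(?P<iface>\S+)\s*$"
)


def parse_switching_table(text: str) -> List[dict]:
    """Return one dict per table row (keys: vlan, mac, type, age, iface)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def learned_macs_per_interface(rows: List[dict]) -> Dict[str, Set[str]]:
    """Map each interface to the set of MAC addresses learned on it."""
    per_iface: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        if r["type"] == "Learn":
            per_iface[r["iface"]].add(r["mac"])
    return dict(per_iface)


def busy_access_ports(rows: List[dict], limit: int) -> List[Tuple[str, int]]:
    """Interfaces that learned more than `limit` MACs, largest count first.

    `limit` is what the port was provisioned for: one for a single host,
    two for a phone with a PC behind it. An access port above its limit
    usually means an unmanaged switch or hub has appeared behind it.
    """
    counts = [(i, len(m)) for i, m in learned_macs_per_interface(rows).items()]
    return sorted([c for c in counts if c[1] > limit], key=lambda c: (-c[1], c[0]))


def macs_on_multiple_interfaces(rows: List[dict]) -> Dict[str, Set[str]]:
    """MAC addresses learned behind more than one interface.

    Harmless when a host was just moved between ports (the old entry ages
    out); otherwise a duplicated address worth following up.
    """
    where: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        if r["type"] == "Learn":
            where[r["mac"]].add(r["iface"])
    return {mac: ifs for mac, ifs in where.items() if len(ifs) > 1}


if __name__ == "__main__":
    rows = parse_switching_table(SHOW_TABLE)
    print("busy ports (limit 1):", busy_access_ports(rows, 1))
    print("duplicated MACs:", macs_on_multiple_interfaces(rows))
```

Because the parser keys on the Type column, the Flood entries (the `*` rows) never count as learned addresses, and the Age column is carried through untouched so the same rows can later be filtered by age if needed.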
Requirements
This example uses the following hardware and software components:
For the distribution switch, one EX 4200-24F switch. This model is designed to
be used as a distribution switch for aggregation or collapsed core network
topologies and in space-constrained data centers. It has twenty-four 1-Gigabit
Ethernet fiber SFP ports and an EX-UM-2XFP uplink module with two 10-Gigabit
Ethernet XFP ports.
For the access switch, one EX 3200-24P, which has twenty-four 1-Gigabit Ethernet
ports, all of which support Power over Ethernet (PoE), and an uplink module
with four 1-Gigabit Ethernet ports.
Before you connect an access switch to a distribution switch, be sure you have:
Installed the two switches. See Installing and Connecting an EX-series Switch.
In the topology, the LAN is segmented into two VLANs, one for the sales department
and the second for the support team. One 1-Gigabit Ethernet port on the access
switch's uplink module connects to one 1-Gigabit Ethernet port on the distribution
switch.
Table 57 on page 385 explains the components of the example topology.
Table 57: Components of the Topology for Connecting an Access Switch to a Distribution Switch
Property
Settings
VLAN subnets
To quickly configure the access switch, copy the following commands and paste
them into the switch terminal window:
[edit]
set interfaces
set interfaces
set interfaces
set interfaces
set interfaces
set interfaces
set interfaces
set interfaces
set interfaces
set interfaces
Step-by-Step Procedure
Configure the 1-Gigabit Ethernet interface on the uplink module to be the trunk
port that connects to the distribution switch:
[edit interfaces ge-0/1/0 unit 0]
user@access-switch# set description "Uplink module port connection to distribution switch"
user@access-switch# set ethernet-switching port-mode trunk
2.
3.
members
Configure the VLAN ID to use for packets that are received with no dot1q tag
(untagged packets):
[edit interfaces ge-0/1/0 unit 0]
user@access-switch# set ethernet-switching native-vlan-id 1
4.
[ sales support
5.
6.
7.
8.
9.
10.
Configure descriptions and VLAN tag IDs for the sales and support VLANs:
[edit vlans]
user@access-switch#
user@access-switch#
user@access-switch#
user@access-switch#
11.
set
set
set
set
To route traffic between the sales and support VLANs and associate a Layer 3
interface with each VLAN:
[edit vlans]
user@switch# set sales l3-interface vlan.0
user@switch# set support l3-interface vlan.1
Results
vlan-id 200;
vlan-description Support VLAN;
l3-interface vlan.1;
}
}
Tip
To quickly configure the distribution switch, issue the load merge terminal command,
then copy the hierarchy and paste it into the switch terminal window.
To quickly configure the distribution switch, copy the following commands and paste
them into the switch terminal window:
set
set
set
set
set
set
set
set
set
set
set
set
Step-by-Step Procedure
Configure the interface on the switch to be the trunk port that connects to the
access switch:
[edit interfaces ge-0/0/0 unit 0]
user@distribution-switch# set description "Connection to access switch"
user@distribution-switch# set ethernet-switching port-mode trunk
2.
3.
members
[ sales
Configure the VLAN ID to use for packets that are received with no dot1q tag
(untagged packets):
[edit interfaces]
user@distribution-switch# set ge-0/0/0 ethernet-switching native-vlan-id
4.
5.
6.
7.
Results
To quickly configure the distribution switch, issue the load merge terminal command,
then copy the hierarchy and paste it into the switch terminal window.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the VLAN Members and Interfaces on the Access Switch on page 392
Verifying the VLAN Members and Interfaces on the Distribution Switch on page 392
Verify that the sales and support VLANs have been created on the switch.
Action
List all VLANs configured on the switch:
user@switch> show vlans
Name           Tag     Interfaces
default
               ge-0/0/1.0, ge-0/0/2.0, ge-0/0/4.0, ge-0/0/5.0,
               ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0*, ge-0/0/9.0,
               ge-0/0/10.0,
               ge-0/0/14.0,
               ge-0/0/18.0,
               ge-0/0/25.0,
               ge-0/0/30.0,
               ge-0/0/34.0,
               ge-0/0/38.0,
               ge-0/0/42.0,
               ge-0/1/1.0*,
sales          100
               ge-0/0/0.0*, ge-0/0/3.0, ge-0/0/20.0, ge-0/0/22.0,
               ge-0/1/0.0*,
support        200
               ge-0/0/24.0*, ge-0/0/26.0, ge-0/0/44.0, ge-0/0/46.0,
mgmt
               me0.0*
Meaning
The output shows the sales and support VLANs and the interfaces associated with
them.
Verify that the sales and support VLANs have been created on the switch.
Action
Name           Tag     Interfaces
default
               ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0,
               ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0*, ge-0/0/8.0,
               ge-0/0/9.0, ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0,
               ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0,
               ge-0/0/17.0, ge-0/0/18.0*, ge-0/0/19.0, ge-0/0/20.0,
               ge-0/0/21.0, ge-0/0/22.0*, ge-0/0/23.0, ge-0/1/1.0*,
               ge-0/1/2.0*, ge-0/1/3.0*
sales          100
               ge-0/0/0.0*
support        200
               ge-0/0/0.0*
mgmt
               me0.0*
Meaning
The output shows the sales and support VLANs associated to interface ge-0/0/0.0.
Interface ge-0/0/0.0 is the trunk interface connected to the access switch.
This example describes how to statically configure VLANs on a single switch, then
enable GVRP on another switch to dynamically propagate the configuration:
Requirements
This example uses the following hardware and software components:
Before you configure the GVRP network on the access switch and the distribution
switch, be sure you have:
Installed the access switch and the distribution switch. See Installing and
Connecting an EX-series Switch.
Topology
The topology for this example consists of a GVRP network configured on one access
switch and one distribution switch.
Table 58: Components of the GVRP Network Topology
Property
Settings
Switch hardware
voice-vlan, tag 10
employee-vlan, tag 20
guest-vlan, tag 30
camera-vlan, tag 40
analyzer-vlan, tag 999
Step-by-Step Procedure
To configure the VLANs and VLAN tag identifiers, then configure the VLANs on
interface ge-0/0/0, enable GVRP on all interfaces, and set the GVRP timers (optional):
1.
2.
set voice-vlan vlan-id 10
set employee-vlan vlan-id 20
set guest-vlan vlan-id 30
set camera-vlan vlan-id 40
set analyzer-vlan vlan-id 999
3.
4.
Set the join-timer to specify the maximum number of milliseconds the interfaces
wait before sending VLAN advertisements:
[edit protocols gvrp]
user@switch# set join-timer 40
5.
6.
Set the leaveall-timer to configure the interval at which Leave All messages are
sent on interfaces. Leave All messages help to maintain current GVRP VLAN
membership information in the network:
[edit protocols gvrp]
user@switch# set leaveall-timer 2000
NOTE: Default values are associated with each timer: 200 ms for the join-timer, 600
ms for the leave-timer, and 1000 ms for the leaveall-timer. Modifying timers to
inappropriate values may cause an imbalance in the operation of GVRP. Refer to
IEEE 802.1D [2004] Clause 12 for more information.
7.
Results
}
}
}
protocols {
gvrp {
enable {
join-timer 40;
leave-timer 120;
leaveall-timer 2000;
interface all;
}
}
}
vlans {
analyzer-vlan {
vlan-id 999;
}
camera-vlan {
vlan-id 40;
}
employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
voice-vlan {
vlan-id 10;
}
}
To quickly enable GVRP on Switch 2, copy the following commands and paste them
into the switch terminal window:
[edit]
set protocols gvrp enable join-timer 40
set protocols gvrp enable leave-timer 120
set protocols gvrp enable leaveall-timer 2000
set protocols gvrp interface all enable
Step-by-Step Procedure
Enable GVRP networking on all interfaces on Switch 2 and set the GVRP timers:
1.
2.
Set the join-timer to specify the maximum number of milliseconds the interfaces
wait before sending VLAN advertisements:
[edit protocols gvrp]
3.
4.
Set the leaveall-timer to configure the interval at which Leave All messages are
sent on interfaces. Leave All messages help to maintain current GVRP VLAN
membership information in the network:
[edit protocols gvrp]
user@switch# set leaveall-timer 2000
5.
Results
Verification
To confirm that the configuration is working properly, perform these tasks:
Action
Name           Tag     Interfaces
                       ge-0/0/0.0
camera-vlan    40
                       ge-0/0/0.0
default
                       ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0,
                       ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0,
                       ge-0/0/9.0, ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0,
                       ge-0/0/13.0*, ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0,
                       ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0, ge-0/0/20.0,
                       ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0*, ge-0/0/24.0,
                       ge-0/0/25.0, ge-0/0/26.0, ge-0/0/27.0, ge-0/0/28.0,
                       ge-0/0/29.0, ge-0/0/30.0, ge-0/0/31.0, ge-0/0/32.0,
                       ge-0/0/33.0, ge-0/0/34.0, ge-0/0/35.0, ge-0/0/36.0,
                       ge-0/0/37.0, ge-0/0/38.0, ge-0/0/39.0, ge-0/0/40.0,
                       ge-0/0/41.0, ge-0/0/42.0, ge-0/0/43.0, ge-0/0/45.0,
                       ge-0/0/44.0, ge-0/0/46.0*, ge-0/0/47.0, ge-0/1/0.0*,
                       ge-0/1/1.0*, ge-0/1/2.0*, ge-0/1/3.0*
employee-vlan  20
                       ge-0/0/0.0
guest-vlan     30
                       ge-0/0/0.0
voice-vlan     10
                       ge-0/0/0.0
mgmt
                       me0.0*
user@switch1> show gvrp
Global GVRP configuration
  GVRP status          : Enabled
  GVRP timers (ms)
    Join               : 40
    Leave              : 120
    Leaveall           : 2000
Interface based configuration:
  Interface     GVRP status
  ----------    -----------
  ge-0/0/0.0    Enabled
Meaning
The show vlans command lists all VLANs configured on the switch and which interfaces
are members of each VLAN. The show gvrp command shows that GVRP is enabled
on the switch.
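Two things are worth checking mechanically in this output rather than by eye: that the three timers still stand in a sane relationship to each other after tuning, and on which interfaces GVRP is actually listening, since `interface all` enables it on access ports as well as on the trunk. The following Python is an added example, not from the Juniper guide. It parses the show gvrp layout shown above (the sample text is constructed, with a second enabled interface added) and applies the timer relationships as I read them from IEEE 802.1D-2004 Clause 12, which the note above cites: the leave time at least twice the join time, and the leave-all time longer than the leave time. That reading is an assumption of this example, as is the operator-supplied list of trunk interfaces.

```python
"""Parse `show gvrp` output and sanity-check the GVRP configuration.

Added example, not from the Juniper guide. The layout follows the guide's
sample `show gvrp` output; the sample text is constructed (a second
enabled interface, ge-0/0/5.0, is added to give the interface check
something to report). The timer relationships encode my reading of
IEEE 802.1D-2004 Clause 12 and are an assumption of this example.
"""
import re
from typing import Dict, List, Set

SHOW_GVRP = """\
Global GVRP configuration
  GVRP status          : Enabled
  GVRP timers (ms)
    Join               : 40
    Leave              : 120
    Leaveall           : 2000

Interface based configuration:
  Interface     GVRP status
  ----------    -----------
  ge-0/0/0.0    Enabled
  ge-0/0/5.0    Enabled
"""

# JUNOS defaults as stated in the guide's note (200 / 600 / 1000 ms).
DEFAULT_TIMERS = {"join": 200, "leave": 600, "leaveall": 1000}

STATUS = re.compile(r"^\s*GVRP status\s*:\s*(\w+)")
TIMER = re.compile(r"^\s*(Join|Leave|Leaveall)\s*:\s*(\d+)")
IFACE_ROW = re.compile(r"^\s*(\S+\.\d+)\s+(Enabled|Disabled)\s*$")


def parse_show_gvrp(text: str) -> Dict[str, object]:
    """Return {"enabled": bool, "timers": {join, leave, leaveall}, "interfaces": {name: bool}}."""
    out: Dict[str, object] = {"enabled": False, "timers": {}, "interfaces": {}}
    for line in text.splitlines():
        if m := STATUS.match(line):
            out["enabled"] = m.group(1) == "Enabled"
        elif m := TIMER.match(line):
            out["timers"][m.group(1).lower()] = int(m.group(2))
        elif m := IFACE_ROW.match(line):
            out["interfaces"][m.group(1)] = m.group(2) == "Enabled"
    return out


def check_timers(timers: Dict[str, int]) -> List[str]:
    """Return human-readable problems; an empty list means the set is consistent.

    Relationships (my reading of 802.1D-2004 Clause 12, assumption):
      leave    >= 2 * join   so a registration survives one lost Join
      leaveall >  leave      so Leave All does not undercut ordinary leaves
    """
    problems: List[str] = []
    join, leave, leaveall = (timers.get(k) for k in ("join", "leave", "leaveall"))
    if None in (join, leave, leaveall):
        return ["incomplete timer set: " + ", ".join(sorted(timers))]
    if min(join, leave, leaveall) <= 0:
        problems.append("timers must be positive")
    if leave < 2 * join:
        problems.append(f"leave-timer {leave} is less than twice join-timer {join}")
    if leaveall <= leave:
        problems.append(f"leaveall-timer {leaveall} is not greater than leave-timer {leave}")
    return problems


def gvrp_on_non_trunks(parsed: Dict[str, object], trunks: Set[str]) -> List[str]:
    """Interfaces with GVRP enabled that are not in the operator's trunk list.

    `interface all`, as in the guide's example, also enables GVRP on access
    ports, where an attached host could register VLANs it has no business in.
    Restricting GVRP to the trunks that need it is the usual mitigation.
    """
    return sorted(i for i, on in parsed["interfaces"].items() if on and i not in trunks)


if __name__ == "__main__":
    parsed = parse_show_gvrp(SHOW_GVRP)
    print("timer problems:", check_timers(parsed["timers"]))
    print("GVRP on non-trunk ports:", gvrp_on_non_trunks(parsed, {"ge-0/0/0.0"}))
```

With the example's values (40 / 120 / 2000 ms) and with the JUNOS defaults the timer check passes; a set such as join 200, leave 300, leave-all 250 fails both relationships, which is the kind of imbalance the note above warns about.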
    Join               : 40
    Leave              : 120
    Leaveall           : 2000
Meaning
The show gvrp command shows that GVRP is enabled on the switch.
Requirements
This example uses the following hardware and software components:
Before you configure the redundant trunk links network on the access and distribution
switches, be sure you have:
Installed the access switch. See Installing and Connecting an EX-series Switch.
Installed the two distribution switches. See Installing and Connecting an EX-series
Switch.
Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.
If the old, active link was configured as the primary link, then it resumes the role
of active link and the other link is blocked. An interface configured as primary
continues to carry with it the primary role whenever it becomes active.
If no primary link was configured, and the active link was calculated by the
software when the redundant group was formed, then the old, active link will
not preempt the other interface (new active).
NOTE: The JUNOS software for EX-series switches does not allow an interface to be
in a redundant trunk group and in an STP topology at the same time.
Figure 19 on page 402 displays an example topology containing three switches.
Switch 1 and Switch 2 make up the distribution layer, and Switch 3 makes up the
access layer. Switch 3 is connected to the distribution layer through trunk ports
ge-0/0/9.0 (Link 1) and ge-0/0/10.0 (Link 2).
Table 59 on page 402 lists the components used in this redundant trunk group.
Settings
Switch hardware
group1
This configuration example creates a redundant trunk group called group1 on Switch 3.
The trunk ports ge-0/0/9.0 and ge-0/0/10.0 are the two links in group1. The trunk
port ge-0/0/9.0 will be configured administratively as the primary link. The trunk
port ge-0/0/10.0 will be the secondary link.
Configuration
CLI Quick Configuration
To quickly configure the redundant trunk group group1 on Switch 3, copy the following
commands and paste them into the switch terminal window:
[edit]
set ethernet-switching-options redundant-trunk-group group-name group1
set ethernet-switching-options redundant-trunk-group group-name group1 interface ge-0/0/9.0 primary
Step-by-Step Procedure
Configure the redundant trunk group group1 on Switch 3 and specify the primary
and secondary links.
1.
2.
Configure the trunk port ge-0/0/9.0 as the primary link and ge-0/0/10.0 as the
secondary link:
[edit ethernet-switching-options]
user@switch# set redundant-trunk-group group-name group1 interface ge-0/0/9.0 primary
user@switch# set redundant-trunk-group group-name group1 interface ge-0/0/10.0
Results
Verification
Verify that the redundant trunk group group1 has been created and is operating
properly:
Verifying That the Redundant Group Has Been Created on page 403
Action
Verify that the redundant trunk group group1 has been created on the switch and
that trunk ports are members of the redundant trunk group.
List all redundant trunk groups configured on the switch:
user@switch> show redundant-trunk-group group1
Redundant-trunk-group: group1
  Interfaces : ge-0/0/9.0 (P) , DOWN
             : ge-0/0/10.0 (A) , UP
  Bandwidth  : 1000 Mbps, 1000 Mbps
Meaning
The show redundant-trunk-group command lists all redundant trunk groups configured
on the switch and which trunk links are members of the group. For this configuration
example, the output shows that the redundant trunk group group1 is configured on
the switch. The (P) beside trunk port ge-0/0/9.0 indicates that it is configured as the
primary link. The (A) beside the ge-0/0/10.0 trunk port indicates that it is the active
link.
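The sample output above is actually a degraded state: the link marked (P) is DOWN and the secondary is carrying the traffic, which is exactly the condition that should raise an alert rather than pass a "group exists" check. As an added example (not from the Juniper guide), the following Python parses the show redundant-trunk-group layout shown above and classifies the group as ok, failed over, or isolated. Both sample texts are constructed: the first reproduces the guide's situation, and the second, healthy case assumes that a link that is both primary and active is printed as "(P) (A)" on one line, which is a formatting assumption of this example.

```python
"""Parse `show redundant-trunk-group` output and judge the group's health.

Added example, not from the Juniper guide. The parser follows the layout of
the guide's sample output for group1. Both sample texts are constructed: the
first reproduces the guide's situation (primary down, secondary active); the
second is a healthy group and assumes both flags are printed on the same
line as "(P) (A)", which is a formatting assumption of this example.
"""
import re
from typing import Dict, List, Tuple

FAILED_OVER = """\
Redundant-trunk-group: group1
  Interfaces : ge-0/0/9.0 (P) , DOWN
             : ge-0/0/10.0 (A) , UP
  Bandwidth  : 1000 Mbps, 1000 Mbps
"""

HEALTHY = """\
Redundant-trunk-group: group1
  Interfaces : ge-0/0/9.0 (P) (A) , UP
             : ge-0/0/10.0 , UP
  Bandwidth  : 1000 Mbps, 1000 Mbps
"""

GROUP = re.compile(r"^Redundant-trunk-group:\s*(\S+)")
# One member link: ": <interface> [(P)] [(A)] , UP|DOWN"; the Bandwidth
# line has no "<name>.<unit>" token and therefore does not match.
LINK = re.compile(r":\s*(\S+\.\d+)\s*((?:\([PA]\)\s*)*),\s*(UP|DOWN)")


def parse_rtg(text: str) -> Dict[str, object]:
    """Return {"group": name, "links": [{iface, primary, active, up}, ...]}."""
    group, links = None, []
    for line in text.splitlines():
        if m := GROUP.match(line):
            group = m.group(1)
        elif m := LINK.search(line):
            flags = set(re.findall(r"\(([PA])\)", m.group(2)))
            links.append({"iface": m.group(1), "primary": "P" in flags,
                          "active": "A" in flags, "up": m.group(3) == "UP"})
    return {"group": group, "links": links}


def assess(rtg: Dict[str, object]) -> Tuple[str, str]:
    """Classify the group as ("ok" | "failover" | "isolated", detail).

    ok        - the configured primary link is up and carrying traffic
    failover  - a non-primary link is active (primary down, or no primary
                was configured so nothing will preempt the current link)
    isolated  - no link in the group is active at all
    """
    links: List[dict] = rtg["links"]
    active = [l for l in links if l["active"]]
    if not active:
        return "isolated", f"no active link in group {rtg['group']}"
    a = active[0]
    if a["primary"] and a["up"]:
        return "ok", f"primary {a['iface']} active"
    primary = next((l for l in links if l["primary"]), None)
    if primary is None:
        why = "no primary configured, so the current link will not be preempted"
    else:
        why = f"primary {primary['iface']} is {'UP' if primary['up'] else 'DOWN'}"
    return "failover", f"traffic on {a['iface']}; {why}"


if __name__ == "__main__":
    for sample in (FAILED_OVER, HEALTHY):
        print(assess(parse_rtg(sample)))
```

The "failover" verdict deliberately covers the second case the text above describes, a group with no administratively configured primary: the link the software chose stays active and nothing will preempt it, so the group is working but its redundancy is one failure thinner than it looks.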
Requirements
This example uses the following hardware and software components:
NOTE: If you do not specify the level, the default level will be applied. The default
level is 80.
Storm control monitors the incoming broadcast traffic or unknown unicast traffic or
both and compares it with the level that you specify. If broadcast traffic or unknown
unicast traffic or both exceed the specified level, packets for the controlled traffic
types are dropped.
The topology used in this example consists of one EX 3200 switch with 24 ports.
The switch is connected to various network devices. In this example, storm control
is configured to rate limit both broadcast and unknown unicast traffic on port interface
ge-0/0/0. The rate limit level is set to 40. Therefore, if broadcast traffic or unknown
unicast traffic or both exceed 40 (plus or minus two) percent of the total available
bandwidth of the port, packets for the controlled traffic types are dropped to prevent
network outage.
NOTE: When you configure storm control on an interface, both broadcast traffic and
unknown unicast traffic are rate limited, by default. You can exempt either type of
traffic from rate limiting by using the no-broadcast or no-unknown-unicast statement.
Configuration
CLI Quick Configuration
To quickly configure storm control, copy the following commands and paste them
into the switch terminal window:
[edit]
set ethernet-switching-options storm-control interface ge-0/0/0 level 40
Step-by-Step Procedure
Enable storm control on the interface and specify the level of allowed broadcast
traffic and unknown unicast traffic:
[edit ethernet-switching-options]
user@switch# set storm-control interface ge-0/0/0 level 40
Results
Chapter 31
Unblocking an Interface That Receives BPDUs in Error (CLI Procedure) on page 415
2.
Click one:
NOTE: If you delete a VLAN, the VLAN configuration for all the associated interfaces
is also deleted.
Function
Your Action
VLAN Name
Enter a name.
VLAN Id/Range
Select one:
General tab
VLAN Description
Filter Input
Filter Output
Click one:
IP Address
Subnet Mask
Filter Input
Filter Output
ARP/MAC Details
VoIP tab
Function
Your Action
Ports
Click one:
2.
3.
4.
address
ip-address
or
[edit vlans]
user@switch# set vlan-name vlan-range vlan-id-low-vlan-id-high
5.
To specify the maximum time that an entry can remain in the forwarding table
before it ages out:
[edit vlans]
user@switch# set vlan-name mac-table-aging-time time
6.
2.
Assign an interface to the VLAN by specifying the logical interface (with the unit
statement) and specifying the VLAN name as the member:
[edit]
user@switch# set interfaces ge-0/0/18 unit 0 family ethernet-switching vlan members support
3.
4.
[edit]
user@switch# set vlans support l3-interface vlan.111
NOTE: Layer 3 interfaces on trunk ports allow the interface to transfer traffic between
multiple VLANs. Within a VLAN, traffic is bridged, while across VLANs, traffic is
routed.
You can display the configuration settings:
user@switch> show interfaces vlan terse
Interface   Admin Link Proto  Local             Remote
vlan        up    up
vlan.111    up    up   inet   111.111.111.1/24
Name             Tag    Interfaces
                        None
employee-vlan    20     ge-1/0/0.0, ge-1/0/1.0, ge-1/0/2.0
hurricane-pubs   40     ge-1/0/10.0, ge-1/0/20.0, ge-1/0/30.0
support          111    ge-0/0/18.0
mgmt                    bme0.32769, bme0.32771*
user@switch> show ethernet-switching table
Ethernet-switching table: 1 entries, 0 learned
  VLAN      MAC address        Type    Age  Interfaces
  support   00:19:e2:50:95:a0  Static    -  Router
Because an access interface can only support one VLAN member, access
interfaces also do not support this feature.
To configure a series of tagged VLANs using the CLI (here, the VLAN is employee):
a.
Configure the series (here, a VLAN series from 120 through 130):
[edit]
user@switch# set vlans employee vlan-range 120-130
b.
NOTE: When a series of VLANs is created using the vlan-range statement, the VLAN
names are prefixed and suffixed with a double underscore.
Verifying That a Series of Tagged VLANs Has Been Created on page 417
Configure the port mode so that the interface is in multiple VLANs and can
multiplex traffic between different VLANs. Trunk interfaces typically connect to
other switches and to routers on the LAN. Configure the port mode as trunk:
[edit interfaces ge-0/0/3 unit 0 family ethernet-switching]
user@switch# set port-mode trunk
2.
Chapter 32
Verifying That a Series of Tagged VLANs Has Been Created on page 417
Action
Name               Tag   Interfaces
__employee_120__   120   ge-0/0/22.0*
__employee_121__   121   ge-0/0/22.0*
__employee_122__   122   ge-0/0/22.0*
__employee_123__   123   ge-0/0/22.0*
__employee_124__   124   ge-0/0/22.0*
__employee_125__   125   ge-0/0/22.0*
__employee_126__   126   ge-0/0/22.0*
__employee_127__   127   ge-0/0/22.0*
__employee_128__   128   ge-0/0/22.0*
__employee_129__   129   ge-0/0/22.0*
__employee_130__   130   ge-0/0/22.0*
Display the VLANs by specifying the VLAN-range name (here, the VLAN-range name
is employee):
user@switch> show vlans employee
Name               Tag   Interfaces
__employee_120__   120   ge-0/0/22.0*
__employee_121__   121   ge-0/0/22.0*
__employee_122__   122   ge-0/0/22.0*
__employee_123__   123   ge-0/0/22.0*
__employee_124__   124   ge-0/0/22.0*
__employee_125__   125   ge-0/0/22.0*
__employee_126__   126   ge-0/0/22.0*
__employee_127__   127   ge-0/0/22.0*
__employee_128__   128   ge-0/0/22.0*
__employee_129__   129   ge-0/0/22.0*
__employee_130__   130   ge-0/0/22.0*
Meaning
The sample output shows the VLANs configured on the switch. The series of tagged
VLANs is displayed: __employee_120__ through __employee_130__. Each of the
tagged VLANs is configured on the trunk interface ge-0/0/22.0. The asterisk (*)
beside the interface name indicates that the interface is UP.
When a series of VLANs is created using the vlan-range statement, the VLAN names
are prefixed and suffixed with a double underscore.
Chapter 33
A designated port, indicating that the switch is the designated bridge for the other
switch connecting to this port.
Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches
EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). BPDU protection can help prevent STP misconfigurations that can lead to
network outages.
A loop-free network is supported through the exchange of a special type of frame
called bridge protocol data unit (BPDU). Receipt of BPDUs on certain interfaces in
an STP, RSTP, or MSTP topology, however, can lead to network outages. Enable
BPDU protection on those interfaces to prevent these outages.
Peer STP applications running on the switch interfaces use BPDUs to communicate.
Ultimately, the exchange of BPDUs determines which interfaces block traffic and
which interfaces become root ports and forward traffic.
However, a user bridge application running on a PC can also generate BPDUs. If
these BPDUs are picked up by STP applications running on the switch, they can
trigger STP miscalculations, and those miscalculations can lead to network outages.
Enable BPDU protection on switch interfaces connected to user devices or on
interfaces on which no BPDUs are expected, such as edge ports. If BPDUs are received
on a protected interface, the interface is disabled and stops forwarding frames.
Not only can you configure BPDU protection on a switch with a spanning tree, but
also on a switch without a spanning tree. This type of topology typically consists of
a non-STP switch connected to an STP switch through a trunk interface.
Disabling the BPDU protection configuration does not unblock the interface.
Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches
EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). Loop protection increases the efficiency of STP, RSTP, and MSTP by
preventing ports from moving into a forwarding state that would result in a loop
opening up in the network.
A loop-free network in spanning-tree topologies is supported through the exchange
of a special type of frame called bridge protocol data unit (BPDU). Peer STP
applications running on the switch interfaces use BPDUs to communicate. Ultimately,
the exchange of BPDUs determines which interfaces block traffic (preventing loops)
and which interfaces become root ports and forward traffic.
However, a blocking interface can transition to the forwarding state in error if the
interface stops receiving BPDUs from its designated port on the segment. Such a
transition error can occur when there is a hardware error on the switch or a software
configuration error between the switch and its neighbor.
When loop protection is enabled, the spanning-tree topology detects root ports and
blocked ports and makes sure both keep receiving BPDUs. If a loop-protection-enabled
interface stops receiving BPDUs from its designated port, it reacts as it would react
to a problem with the physical connection on this interface: it does not transition the
interface to a forwarding state, but instead transitions it to a loop-inconsistent state.
The interface recovers, transitioning back to the spanning-tree blocking state, as soon
as it receives a BPDU.
We recommend that you enable loop protection on all switch interfaces that have a
chance of becoming root or designated ports. Loop protection is most effective when
enabled in the entire switched network. When you enable loop protection, you must
configure at least one action (alarm, block, or both).
An interface can be configured for either loop protection or root protection, but not
for both.
Understanding Root Protection for STP, RSTP, and MSTP on EX-series Switches
EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). A loop-free network is supported through the exchange of a special type of
frame called bridge protocol data unit (BPDU). Peer STP applications running on the
switch interfaces use BPDUs to communicate. Ultimately, the exchange of BPDUs
determines which interfaces block traffic and which interfaces become root ports
and forward traffic.
However, a root port elected through this process can be wrongly elected: a user
bridge application running on a PC can also generate BPDUs and interfere with root
port election. Root protection allows network administrators to manually enforce
the root bridge placement in the network.
Enable root protection on interfaces that should not receive superior BPDUs from
the root bridge and should not be elected as the root port. These interfaces become
designated ports and are typically located on an administrative boundary. If the
bridge receives superior STP BPDUs on a port that has root protection enabled, that
port transitions to a root-prevented STP state (inconsistency state) and the interface
is blocked. This blocking prevents a bridge that should not be the root bridge from
being elected the root bridge. After the bridge stops receiving superior STP BPDUs
on the interface with root protection, the interface returns to a listening state, followed
by a learning state, and ultimately back to a forwarding state. Recovery back to the
forwarding state is automatic.
When root protection is enabled on an interface, it is enabled for all the STP instances
on that interface. The interface is blocked only for instances for which it receives
superior BPDUs. Otherwise, it participates in the spanning-tree topology.
An interface can be configured for either root protection or loop protection, but not
for both.
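As an added illustration of the behavior described above (example code written for this page, not Juniper software), the Python model below compares a designated boundary port with and without root protection when a superior BPDU arrives. The legitimate root and local bridge IDs are the ones that appear in the examples later in this chapter; the rogue BPDU and the port name are constructed for the example, and one call to quiet_interval() stands in for one timer interval during which no superior BPDU arrives, an assumption of the model rather than the switch's own timer.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID as Junos prints it, <priority>.<MAC>; the lower tuple is the better bridge."""
    priority: int
    mac: str


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId

    def is_superior_to(self, other: "Bpdu") -> bool:
        # STP ordering: lower root ID wins, then lower path cost, then lower sender ID.
        return ((self.root_id, self.root_path_cost, self.sender_id)
                < (other.root_id, other.root_path_cost, other.sender_id))


class State(Enum):
    FORWARDING = "FWD"
    ROOT_INCONSISTENT = "BLK"   # the root-prevented (inconsistency) state described above
    LISTENING = "LIS"
    LEARNING = "LRN"


class DesignatedPort:
    """A designated port on an administrative boundary, with or without root protection."""

    RECOVERY = {State.ROOT_INCONSISTENT: State.LISTENING,
                State.LISTENING: State.LEARNING,
                State.LEARNING: State.FORWARDING}

    def __init__(self, name: str, advertised: Bpdu, root_protection: bool) -> None:
        self.name = name
        self.advertised = advertised          # the BPDU this bridge sends out of the port
        self.root_protection = root_protection
        self.state = State.FORWARDING
        self.role = "DESG"
        self.events: List[str] = []

    def receive(self, bpdu: Bpdu) -> None:
        if not bpdu.is_superior_to(self.advertised):
            return                            # inferior BPDU: the port stays designated
        sender = f"{bpdu.sender_id.priority}.{bpdu.sender_id.mac}"
        if self.root_protection:
            # Superior BPDU on a root-protected port: block the port, keep the DESG role.
            self.state = State.ROOT_INCONSISTENT
            self.events.append(f"{self.name}: superior BPDU from {sender} ignored, port blocked")
        else:
            # Unprotected: the bridge believes the new root and this port becomes the root port.
            self.role = "ROOT"
            self.advertised = bpdu
            self.events.append(f"{self.name}: accepted {sender} as root, port role is now ROOT")

    def quiet_interval(self) -> None:
        """One timer interval with no superior BPDU: move one step back toward forwarding."""
        self.state = self.RECOVERY.get(self.state, self.state)


def run_scenario(root_protection: bool) -> Tuple[str, List[str], List[str]]:
    """Return (final role, state after each interval, event log) for one boundary port."""
    legit_root = BridgeId(8192, "00:19:e2:50:51:e0")      # Switch 3 in the examples that follow
    this_bridge = BridgeId(16384, "00:19:e2:50:40:e0")    # Switch 4
    advertised = Bpdu(root_id=legit_root, root_path_cost=1000, sender_id=this_bridge)
    # Constructed rogue BPDU: a PC bridge application claiming priority 0 (constructed values).
    rogue = BridgeId(0, "02:00:00:00:00:01")
    rogue_bpdu = Bpdu(root_id=rogue, root_path_cost=0, sender_id=rogue)

    port = DesignatedPort("ge-0/0/5.0", advertised, root_protection)
    port.receive(rogue_bpdu)
    states = [port.state.value]
    for _ in range(3):                        # the rogue stops sending: BLK -> LIS -> LRN -> FWD
        port.quiet_interval()
        states.append(port.state.value)
    return port.role, states, port.events


if __name__ == "__main__":
    for protected in (True, False):
        role, states, events = run_scenario(protected)
        print(f"root_protection={protected}: role={role} states={states}")
        for event in events:
            print("  ", event)
```

The protected port never gives up its designated role; it is only held in the blocked state while the superior BPDUs keep arriving and then walks listening, learning, forwarding on its own. The unprotected port accepts the rogue bridge as root immediately, which is the miscalculation the text warns about.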
Chapter 34
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches
Requirements
This example uses the following hardware and software components:
Before you configure the switches for RSTP, be sure you have:
Installed the four switches. See Connecting and Configuring the EX-series Switch (J-Web Procedure) on page 58.
Performed the initial software configuration on all switches. See Installing and Connecting an EX-series Switch.
The interfaces shown in Table 61 on page 429 will be configured for RSTP.
Table 61: Components of the Topology for Configuring RSTP on EX-series Switches
Property              Settings
Switches              Switch 1, Switch 2, Switch 3, Switch 4
VLAN names and tags   voice-vlan, tag 10; employee-vlan, tag 20; guest-vlan, tag 30; camera-vlan, tag 40
The root port is responsible for forwarding data to the root bridge.
The alternate port is a standby port for the root port. When a root port goes
down, the alternate port becomes the active root port.
The backup port is a backup port for the designated port. When a designated
port goes down, the backup port becomes the active designated port and starts
forwarding data.
NOTE: You also can create a loop-free topology between the aggregation layer and
the distribution layer using redundant trunk links. For more information about
configuring redundant trunk links, see Example: Configuring Redundant Trunk Links
for Faster Recovery on page 400.
To quickly configure interfaces and RSTP on Switch 1, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 16k
set protocols rstp interface ge-0/0/13.0 cost 1000
set protocols rstp interface ge-0/0/13.0 mode point-to-point
set protocols rstp interface ge-0/0/9.0 cost 1000
set protocols rstp interface ge-0/0/9.0 mode point-to-point
set protocols rstp interface ge-0/0/11.0 cost 1000
set protocols rstp interface ge-0/0/11.0 mode point-to-point
Step-by-Step Procedure
1. Configure the VLANs:
[edit vlans]
user@switch1# set voice-vlan description "Voice VLAN"
user@switch1# set voice-vlan vlan-id 10
user@switch1# set employee-vlan description "Employee VLAN"
user@switch1# set employee-vlan vlan-id 20
user@switch1# set guest-vlan description "Guest VLAN"
user@switch1# set guest-vlan vlan-id 30
user@switch1# set camera-vlan description "Camera VLAN"
user@switch1# set camera-vlan vlan-id 40
2. Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]
3. Configure RSTP:
[edit protocols rstp]
user@switch1# set bridge-priority 16k
user@switch1# set interface ge-0/0/13.0 cost 1000
user@switch1# set interface ge-0/0/13.0 mode point-to-point
user@switch1# set interface ge-0/0/9.0 cost 1000
user@switch1# set interface ge-0/0/9.0 mode point-to-point
user@switch1# set interface ge-0/0/11.0 cost 1000
user@switch1# set interface ge-0/0/11.0 mode point-to-point
Results
}
}
protocols {
rstp {
bridge-priority 16k;
interface ge-0/0/13.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/9.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/11.0 {
cost 1000;
mode point-to-point;
}
}
}
}
vlans {
voice-vlan {
vlan-id 10;
}
employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
camera-vlan {
vlan-id 40;
}
}
To quickly configure interfaces and RSTP on Switch 2, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/18 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 32k
set protocols rstp interface ge-0/0/14.0 cost 1000
set protocols rstp interface ge-0/0/14.0 mode point-to-point
set protocols rstp interface ge-0/0/18.0 cost 1000
set protocols rstp interface ge-0/0/18.0 mode point-to-point
Step-by-Step Procedure
1. Configure the VLANs:
[edit vlans]
user@switch2# set voice-vlan description "Voice VLAN"
user@switch2# set voice-vlan vlan-id 10
user@switch2# set employee-vlan description "Employee VLAN"
user@switch2# set employee-vlan vlan-id 20
user@switch2# set guest-vlan description "Guest VLAN"
user@switch2# set guest-vlan vlan-id 30
user@switch2# set camera-vlan description "Camera VLAN"
user@switch2# set camera-vlan vlan-id 40
2. Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces]
user@switch2# set ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch2# set ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]
3. Configure RSTP:
[edit protocols rstp]
user@switch2# set bridge-priority 32k
user@switch2# set interface ge-0/0/14.0 cost 1000
user@switch2# set interface ge-0/0/14.0 mode point-to-point
user@switch2# set interface ge-0/0/18.0 cost 1000
user@switch2# set interface ge-0/0/18.0 mode point-to-point
Results
port-mode trunk;
vlan {
members [10 20 30 40];
}
}
}
}
ge-0/0/18 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [10 20 30 40];
}
}
}
}
}
protocols {
rstp {
bridge-priority 32k;
interface ge-0/0/14.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/18.0 {
cost 1000;
mode point-to-point;
}
}
}
}
vlans {
voice-vlan {
vlan-id 10;
}
employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
camera-vlan {
vlan-id 40;
}
}
To quickly configure interfaces and RSTP on Switch 3, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/26 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/28 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/24 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 8k
set protocols rstp interface ge-0/0/26.0 cost 1000
set protocols rstp interface ge-0/0/26.0 mode point-to-point
set protocols rstp interface ge-0/0/28.0 cost 1000
set protocols rstp interface ge-0/0/28.0 mode point-to-point
set protocols rstp interface ge-0/0/24.0 cost 1000
set protocols rstp interface ge-0/0/24.0 mode point-to-point
Step-by-Step Procedure
1. Configure the VLANs:
[edit vlans]
user@switch3# set voice-vlan description "Voice VLAN"
user@switch3# set voice-vlan vlan-id 10
user@switch3# set employee-vlan description "Employee VLAN"
user@switch3# set employee-vlan vlan-id 20
user@switch3# set guest-vlan description "Guest VLAN"
user@switch3# set guest-vlan vlan-id 30
user@switch3# set camera-vlan description "Camera VLAN"
user@switch3# set camera-vlan vlan-id 40
2. Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces]
user@switch3# set ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch3# set ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch3# set ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]
3. Configure RSTP:
[edit protocols rstp]
user@switch3# set bridge-priority 8k
user@switch3# set interface ge-0/0/26.0 cost 1000
user@switch3# set interface ge-0/0/26.0 mode point-to-point
user@switch3# set interface ge-0/0/28.0 cost 1000
user@switch3# set interface ge-0/0/28.0 mode point-to-point
user@switch3# set interface ge-0/0/24.0 cost 1000
user@switch3# set interface ge-0/0/24.0 mode point-to-point
Results
protocols {
rstp {
bridge-priority 8k;
interface ge-0/0/26.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/28.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/24.0 {
cost 1000;
mode point-to-point;
}
}
}
vlans {
voice-vlan {
vlan-id 10;
}
employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
camera-vlan {
vlan-id 40;
}
}
To quickly configure interfaces and RSTP on Switch 4, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/19 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 16k
set protocols rstp interface ge-0/0/23.0 cost 1000
set protocols rstp interface ge-0/0/23.0 mode point-to-point
set protocols rstp interface ge-0/0/19.0 cost 1000
set protocols rstp interface ge-0/0/19.0 mode point-to-point
Step-by-Step Procedure
1. Configure the VLANs:
[edit vlans]
user@switch4# set voice-vlan description "Voice VLAN"
user@switch4# set voice-vlan vlan-id 10
user@switch4# set employee-vlan description "Employee VLAN"
user@switch4# set employee-vlan vlan-id 20
user@switch4# set guest-vlan description "Guest VLAN"
user@switch4# set guest-vlan vlan-id 30
user@switch4# set camera-vlan description "Camera VLAN"
user@switch4# set camera-vlan vlan-id 40
2. Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces]
user@switch4# set ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch4# set ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]
3. Configure RSTP:
[edit protocols rstp]
user@switch4# set bridge-priority 16k
user@switch4# set interface all cost 1000
user@switch4# set interface ge-0/0/23.0 cost 1000
user@switch4# set interface ge-0/0/23.0 mode point-to-point
user@switch4# set interface ge-0/0/19.0 cost 1000
user@switch4# set interface ge-0/0/19.0 mode point-to-point
Results
port-mode trunk;
vlan {
members [10 20 30 40];
}
}
}
}
ge-0/0/19 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [10 20 30 40];
}
}
}
}
}
protocols {
rstp {
bridge-priority 16k;
interface ge-0/0/23.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/19.0 {
cost 1000;
mode point-to-point;
}
}
}
}
vlans {
voice-vlan {
vlan-id 10;
}
employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
camera-vlan {
vlan-id 40;
}
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Action
user@switch1> show spanning-tree interface

Spanning tree interface parameters for instance 0

Port ID   Designated   Designated           Port   State   Role
          port ID      bridge ID            Cost
128:527   128:525      16384.0019e25040e0   1000   BLK     ALT
128:529   128:513      32768.0019e2503d20   1000   BLK     ALT
128:531   128:513      8192.0019e25051e0    1000   FWD     ROOT

Meaning
Refer to the topology in Figure 20 on page 428. The operational mode command show spanning-tree interface shows that ge-0/0/13.0 is in a forwarding state. The other interfaces on Switch 1 are blocking.
Action
user@switch2> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/14.0   128:513   128:513      32768.0019e2503d20   1000   BLK     DESG
ge-0/0/18.0   128:519   128:515      8192.0019e25051e0    1000   FWD     ROOT

Meaning
Refer to the topology in Figure 20 on page 428. The operational mode command show spanning-tree interface shows that ge-0/0/18.0 is in a forwarding state and the root port. The other interface on Switch 2 is blocking.
Action
user@switch3> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/26.0   128:513   128:513      8192.0019e25051e0    1000   FWD     DESG
ge-0/0/28.0   128:515   128:515      8192.0019e25051e0    1000   FWD     DESG
ge-0/0/24.0   128:517   128:517      8192.0019e25051e0    1000   FWD     DESG

Meaning
Refer to the topology in Figure 20 on page 428. The operational mode command show spanning-tree interface shows that no interface is the root interface.
Action
user@switch4> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/23.0   128:523   128:517      8192.0019e25051e0    1000   FWD     ROOT
ge-0/0/19.0   128:525   128:525      16384.0019e25040e0   1000   FWD     DESG

Meaning
Refer to the topology in Figure 20 on page 428. The operational mode command show spanning-tree interface shows that interface ge-0/0/23.0 is the root interface and forwarding.
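The verification tables above are meant to be read by eye. The Python script below, an added example that is not part of the Juniper guide, parses the show spanning-tree interface layout and applies the checks an operator would want automated: exactly one ROOT port on a non-root bridge, no designated bridge that outranks the intended root, and no boundary interface (one that should have root protection) acting as the root port. The sample output is constructed from the Switch 4 values above; the rogue variant, the boundary interface list and all function names are this example's own assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the layout of `show spanning-tree interface` on Switch 4,
# carrying the values the verification section above reports.
HEADER = [
    "Spanning tree interface parameters for instance 0",
    "",
    "Interface    Port ID   Designated      Designated          Port   State  Role",
    "                       port ID         bridge ID           Cost",
]
ROW_23 = "ge-0/0/23.0  128:523   128:517         8192.0019e25051e0   1000   FWD    ROOT"
ROW_19 = "ge-0/0/19.0  128:525   128:525         16384.0019e25040e0  1000   FWD    DESG"
# Constructed variant: a bridge claiming priority 0 appears behind ge-0/0/19.0 and is
# believed, so the switch now shows two ROOT ports and a "root" better than Switch 3.
ROGUE_19 = "ge-0/0/19.0  128:525   128:513         0.020000000001      1000   FWD    ROOT"

SWITCH4_OUTPUT = "\n".join(HEADER + [ROW_23, ROW_19])
ROGUE_OUTPUT = "\n".join(HEADER + [ROW_23, ROGUE_19])

ROW_RE = re.compile(
    r"^(?P<iface>\S+\.\d+)\s+(?P<port_id>\d+:\d+)\s+(?P<desig_port>\d+:\d+)\s+"
    r"(?P<desig_bridge>\d+\.[0-9a-f]{12})\s+(?P<cost>\d+)\s+(?P<state>[A-Z]+)\s+(?P<role>[A-Z]+)\s*$")


def parse_stp_interfaces(text: str) -> List[Dict[str, str]]:
    """One dict per interface row; the banner and the two header lines do not match ROW_RE."""
    return [m.groupdict() for m in (ROW_RE.match(line.strip()) for line in text.splitlines()) if m]


def bridge_key(bridge: str) -> Tuple[int, str]:
    """'8192.0019e25051e0' or '8192.00:19:e2:50:51:e0' -> (8192, '0019e25051e0'); lower wins."""
    prio, mac = bridge.split(".", 1)
    return int(prio), mac.replace(":", "").lower()


def audit(rows: List[Dict[str, str]], expected_root: str, boundary: Iterable[str]) -> List[str]:
    """Findings a defender would alert on: a second ROOT port, a designated bridge that
    outranks the intended root, or a boundary interface that has become the root port."""
    findings: List[str] = []
    root_key = bridge_key(expected_root)
    root_ports = [r["iface"] for r in rows if r["role"] == "ROOT"]
    if len(root_ports) > 1:
        findings.append(f"{len(root_ports)} ROOT ports ({', '.join(root_ports)}); expected at most one")
    boundary = set(boundary)
    for r in rows:
        if bridge_key(r["desig_bridge"]) < root_key:
            findings.append(f"{r['iface']}: designated bridge {r['desig_bridge']} "
                            f"outranks expected root {expected_root}")
        if r["iface"] in boundary and r["role"] == "ROOT":
            findings.append(f"{r['iface']}: boundary interface is the ROOT port; "
                            f"root protection belongs on it")
    return findings


def run_audits() -> Tuple[List[str], List[str]]:
    """Audit the clean and the constructed rogue output against the intended root (Switch 3)."""
    expected_root = "8192.0019e25051e0"
    boundary = ["ge-0/0/19.0"]   # assumption for the example: must never become the root port
    return (audit(parse_stp_interfaces(SWITCH4_OUTPUT), expected_root, boundary),
            audit(parse_stp_interfaces(ROGUE_OUTPUT), expected_root, boundary))


if __name__ == "__main__":
    clean, rogue = run_audits()
    print("clean output:", clean or "no findings")
    print("rogue output:", *rogue, sep="\n  ")
```

Run against a scheduled collection of the command output, the empty findings list for the clean table is the expected steady state; any finding on the rogue-style table is the condition that root protection on the boundary interface is meant to prevent.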
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches
Multiple Spanning Tree Protocol (MSTP) is used to create a loop-free topology in
networks using multiple spanning tree regions, each region containing multiple
spanning-tree instances (MSTIs). MSTIs provide different paths for different VLANs.
This functionality facilitates better load sharing across redundant links.
MSTP supports up to 64 regions, each one capable of supporting 4094 MSTIs.
This example describes how to configure MSTP on four EX-series switches:
Requirements
This example uses the following hardware and software components:
Before you configure the switches for MSTP, be sure you have:
Installed the four switches. See Connecting and Configuring the EX-series Switch (J-Web Procedure) on page 58.
Performed the initial software configuration on all switches. See Installing and Connecting an EX-series Switch.
The interfaces shown in Table 62 on page 443 will be configured for MSTP.
Table 62: Components of the Topology for Configuring MSTP on EX-series Switches
Property              Settings
Switches              Switch 1, Switch 2, Switch 3, Switch 4
VLAN names and tags   voice-vlan, tag 10; employee-vlan, tag 20; guest-vlan, tag 30; camera-vlan, tag 40
MSTIs                 1, 2
The topology in Figure 21 on page 443 shows a Common Internal Spanning Tree
(CIST). The CIST is a single spanning tree connecting all devices in the network. The
switch with the highest priority is elected as the root bridge of the CIST.
Also in an MSTP topology are ports that have specific roles:
The root port is responsible for forwarding data to the root bridge.
The alternate port is a standby port for the root port. When a root port goes
down, the alternate port becomes the active root port.
The backup port is a backup port for the designated port. When a designated
port goes down, the backup port becomes the active designated port and starts
forwarding data.
In this example, one MSTP region, region1, contains Switch 1, Switch 2, Switch 3,
and Switch 4. Within the region, four VLANs are created:
The voice-vlan supports voice traffic and has a VLAN tag identifier of 10.
The employee-vlan supports data traffic and has a VLAN tag identifier of 20.
The guest-vlan supports guest VLAN traffic (for supplicants that fail 802.1X authentication) and has a VLAN tag identifier of 30.
The camera-vlan supports video traffic and has a VLAN tag identifier of 40.
The VLANs are associated with specific interfaces on each of the four switches. Two
MSTIs, 1 and 2, are then associated with the VLAN tag identifiers, and some MSTP
parameters, such as cost, are configured on each switch.
To quickly configure interfaces and MSTP on Switch 1, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 16k
set protocols mstp interface ge-0/0/13.0 cost 1000
set protocols mstp interface ge-0/0/13.0 mode point-to-point
set protocols mstp interface ge-0/0/9.0 cost 1000
set protocols mstp interface ge-0/0/9.0 mode point-to-point
set protocols mstp interface ge-0/0/11.0 cost 1000
set protocols mstp interface ge-0/0/11.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 16k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 1 interface ge-0/0/11.0 cost 4000
set protocols mstp msti 2 bridge-priority 8k
set protocols mstp msti 2 vlan [30 40]
Step-by-Step Procedure
1. Configure the VLANs:
[edit vlans]
user@switch1# set voice-vlan description "Voice VLAN"
user@switch1# set voice-vlan vlan-id 10
user@switch1# set employee-vlan description "Employee VLAN"
user@switch1# set employee-vlan vlan-id 20
user@switch1# set guest-vlan description "Guest VLAN"
user@switch1# set guest-vlan vlan-id 30
user@switch1# set camera-vlan description "Camera VLAN"
user@switch1# set camera-vlan vlan-id 40
2. Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]
3. Configure MSTP:
[edit protocols mstp]
user@switch1# set configuration-name region1
user@switch1# set bridge-priority 16k
user@switch1# set interface ge-0/0/13.0 cost 1000
user@switch1# set interface ge-0/0/13.0 mode point-to-point
user@switch1# set interface ge-0/0/9.0 cost 1000
user@switch1# set interface ge-0/0/9.0 mode point-to-point
user@switch1# set interface ge-0/0/11.0 cost 4000
user@switch1# set interface ge-0/0/11.0 mode point-to-point
user@switch1# set msti 1 bridge-priority 16k
user@switch1# set msti 1 vlan [10 20]
user@switch1# set msti 1 interface ge-0/0/11.0 cost 4000
user@switch1# set msti 2 bridge-priority 8k
user@switch1# set msti 2 vlan [30 40]
Results
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
}
protocols {
mstp {
configuration-name region1;
bridge-priority 16k;
interface ge-0/0/13.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/9.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/11.0 {
cost 4000;
mode point-to-point;
}
msti 1 {
bridge-priority 16k;
vlan [ 10 20 ];
interface ge-0/0/11.0 {
cost 4000;
}
}
msti 2 {
bridge-priority 8k;
vlan [ 30 40 ];
}
}
}
vlans {
voice-vlan {
vlan-id 10;
}
employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
camera-vlan {
vlan-id 40;
}
}
To quickly configure interfaces and MSTP on Switch 2, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/18 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 32k
set protocols mstp interface ge-0/0/14.0 cost 1000
set protocols mstp interface ge-0/0/14.0 mode point-to-point
set protocols mstp interface ge-0/0/18.0 cost 1000
set protocols mstp interface ge-0/0/18.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 32k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 2 bridge-priority 4k
set protocols mstp msti 2 vlan [30 40]
Step-by-Step Procedure
1. Configure the VLANs:
[edit vlans]
user@switch2# set voice-vlan description "Voice VLAN"
user@switch2# set voice-vlan vlan-id 10
user@switch2# set employee-vlan description "Employee VLAN"
user@switch2# set employee-vlan vlan-id 20
user@switch2# set guest-vlan description "Guest VLAN"
user@switch2# set guest-vlan vlan-id 30
user@switch2# set camera-vlan description "Camera VLAN"
user@switch2# set camera-vlan vlan-id 40
2. Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces]
user@switch2# set ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch2# set ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]
3. Configure MSTP:
[edit protocols mstp]
user@switch2# set configuration-name region1
user@switch2# set bridge-priority 32k
user@switch2# set interface ge-0/0/14.0 cost 1000
user@switch2# set interface ge-0/0/14.0 mode point-to-point
user@switch2# set interface ge-0/0/18.0 cost 1000
user@switch2# set interface ge-0/0/18.0 mode point-to-point
user@switch2# set interface all cost 1000
user@switch2# set msti 1 bridge-priority 32k
user@switch2# set msti 1 vlan [10 20]
user@switch2# set msti 2 bridge-priority 4k
user@switch2# set msti 2 vlan [30 40]
Results
members 10;
members 20;
members 30;
members 40;
}
}
}
}
ge-0/0/18 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
}
protocols {
mstp {
configuration-name region1;
bridge-priority 32k;
interface ge-0/0/14.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/18.0 {
cost 1000;
mode point-to-point;
}
msti 1 {
bridge-priority 32k;
vlan [ 10 20 ];
}
msti 2 {
bridge-priority 4k;
vlan [ 30 40 ];
}
}
}
vlans {
voice-vlan {
vlan-id 10;
}
employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
camera-vlan {
vlan-id 40;
}
}
To quickly configure interfaces and MSTP on Switch 3, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/26 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/28 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/24 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 8k
set protocols mstp interface ge-0/0/26.0 cost 1000
set protocols mstp interface ge-0/0/26.0 mode point-to-point
set protocols mstp interface ge-0/0/28.0 cost 1000
set protocols mstp interface ge-0/0/28.0 mode point-to-point
set protocols mstp interface ge-0/0/24.0 cost 1000
set protocols mstp interface ge-0/0/24.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 4k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 2 bridge-priority 16k
set protocols mstp msti 2 vlan [30 40]
Step-by-Step Procedure
1. Configure the VLANs:
[edit vlans]
user@switch3# set voice-vlan description "Voice VLAN"
user@switch3# set voice-vlan vlan-id 10
user@switch3# set employee-vlan description "Employee VLAN"
user@switch3# set employee-vlan vlan-id 20
user@switch3# set guest-vlan description "Guest VLAN"
user@switch3# set guest-vlan vlan-id 30
user@switch3# set camera-vlan description "Camera VLAN"
user@switch3# set camera-vlan vlan-id 40
2. Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces]
user@switch3# set ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch3# set ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch3# set ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]
3. Configure MSTP:
[edit protocols mstp]
user@switch3# set configuration-name region1
user@switch3# set bridge-priority 8k
user@switch3# set interface ge-0/0/26.0 cost 1000
user@switch3# set interface ge-0/0/26.0 mode point-to-point
user@switch3# set interface ge-0/0/28.0 cost 1000
user@switch3# set interface ge-0/0/28.0 mode point-to-point
user@switch3# set interface ge-0/0/24.0 cost 1000
user@switch3# set interface ge-0/0/24.0 mode point-to-point
user@switch3# set interface all cost 1000
user@switch3# set msti 1 bridge-priority 4k
user@switch3# set msti 1 vlan [10 20]
user@switch3# set msti 2 bridge-priority 16k
user@switch3# set msti 2 vlan [30 40]
Results
family ethernet-switching {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
ge-0/0/24 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
}
}
protocols {
mstp {
configuration-name region1;
bridge-priority 8k;
interface ge-0/0/26.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/28.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/24.0 {
cost 1000;
mode point-to-point;
}
msti 1 {
bridge-priority 4k;
vlan [ 10 20 ];
}
msti 2 {
bridge-priority 16k;
vlan [ 30 40 ];
}
}
}
vlans {
voice-vlan {
vlan-id 10;
}
employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
camera-vlan {
vlan-id 40;
}
}
To quickly configure interfaces and MSTP on Switch 4, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description "Voice VLAN"
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description "Employee VLAN"
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description "Guest VLAN"
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description "Camera VLAN"
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/19 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 16k
set protocols mstp interface ge-0/0/23.0 cost 1000
set protocols mstp interface ge-0/0/23.0 mode point-to-point
set protocols mstp interface ge-0/0/19.0 cost 1000
set protocols mstp interface ge-0/0/19.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 16k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 2 bridge-priority 32k
set protocols mstp msti 2 vlan [30 40]
Step-by-Step Procedure
1. Configure the VLANs:
[edit vlans]
user@switch4# set voice-vlan description "Voice VLAN"
user@switch4# set voice-vlan vlan-id 10
user@switch4# set employee-vlan description "Employee VLAN"
user@switch4# set employee-vlan vlan-id 20
user@switch4# set guest-vlan description "Guest VLAN"
user@switch4# set guest-vlan vlan-id 30
user@switch4# set camera-vlan description "Camera VLAN"
user@switch4# set camera-vlan vlan-id 40
2. Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:
[edit interfaces]
user@switch4# set ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch4# set ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]
3. Configure MSTP:
[edit protocols mstp]
user@switch4# set configuration-name region1
user@switch4# set bridge-priority 16k
user@switch4# set interface all cost 1000
user@switch4# set interface ge-0/0/23.0 cost 1000
user@switch4# set interface ge-0/0/23.0 mode point-to-point
user@switch4# set interface ge-0/0/19.0 cost 1000
user@switch4# set interface ge-0/0/19.0 mode point-to-point
user@switch4# set msti 1 bridge-priority 16k
user@switch4# set msti 1 vlan [10 20]
user@switch4# set msti 2 bridge-priority 32k
user@switch4# set msti 2 vlan [30 40]
Results
members 10;
members 20;
members 30;
members 40;
}
}
}
}
ge-0/0/19 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
}
protocols {
mstp {
configuration-name region1;
bridge-priority 16k;
interface ge-0/0/23.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/19.0 {
cost 1000;
mode point-to-point;
}
msti 1 {
bridge-priority 16k;
vlan [ 10 20 ];
}
msti 2 {
bridge-priority 32k;
vlan [ 30 40 ];
}
}
}
vlans {
voice-vlan {
vlan-id 10;
}
employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
camera-vlan {
vlan-id 40;
}
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Action
user@switch1> show spanning-tree interface

Spanning tree interface parameters for instance 0

Port ID   Designated   Designated           Port   State   Role
          port ID      bridge ID            Cost
128:527   128:525      16384.0019e25040e0   1000   FWD     ROOT
128:529   128:513      32768.0019e2503d20   1000   BLK     ALT
128:531   128:513      8192.0019e25051e0    4000   BLK     ALT

Spanning tree interface parameters for instance 1

Port ID   Designated   Designated           Port   State   Role
          port ID      bridge ID            Cost
128:527   128:525      16385.0019e25040e0   1000   FWD     ROOT
128:529   128:513      32769.0019e2503d20   1000   BLK     ALT
128:531   128:513      4097.0019e25051e0    4000   BLK     ALT

Spanning tree interface parameters for instance 2

Port ID   Designated   Designated           Port   State   Role
          port ID      bridge ID            Cost
128:527   128:527      8194.0019e25044e0    1000   FWD     DESG
128:529   128:513      4098.0019e2503d20    1000   FWD     ROOT
128:531   128:531      8194.0019e25044e0    1000   FWD     DESG

user@switch1> show spanning-tree bridge

STP bridge parameters
  Root ID                           : 8192.00:19:e2:50:51:e0
  Root cost                         : 0
  Root port                         : ge-0/0/13.0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  CIST internal root cost           : 2000
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 18
  Message age                       : 0
  Number of topology changes        : 3
  Time since last topology change   : 921 seconds
  Local parameters
    Bridge ID                       : 16384.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 0
STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Root cost                         : 2000
  Root port                         : ge-0/0/13.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 18
  Local parameters
    Bridge ID                       : 16385.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 1
STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Root cost                         : 1000
  Root port                         : ge-0/0/9.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Local parameters
    Bridge ID                       : 8194.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 2
Action
user@switch2> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/14.0   128:513   128:513      32768.0019e2503d20   1000   FWD     DESG
ge-0/0/18.0   128:519   128:515      8192.0019e25051e0    1000   FWD     ROOT

Spanning tree interface parameters for instance 1

Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/14.0   128:513   128:513      32769.0019e2503d20   1000   FWD     DESG
ge-0/0/18.0   128:519   128:515      4097.0019e25051e0    1000   FWD     ROOT

Spanning tree interface parameters for instance 2

Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/14.0   128:513   128:513      4098.0019e2503d20    1000   FWD     DESG
ge-0/0/18.0   128:519   128:519      4098.0019e2503d20    1000   FWD     DESG

user@switch2> show spanning-tree bridge

STP bridge parameters
  Root ID                           : 8192.00:19:e2:50:51:e0
  Root cost                         : 0
  Root port                         : ge-0/0/18.0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  CIST internal root cost           : 1000
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Message age                       : 0
  Number of topology changes        : 1
  Time since last topology change   : 782 seconds
  Local parameters
    Bridge ID                       : 32768.00:19:e2:50:3d:20
    Extended system ID              : 0
    Internal instance ID            : 0
STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Root cost                         : 1000
  Root port                         : ge-0/0/18.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Local parameters
    Bridge ID                       : 32769.00:19:e2:50:3d:20
    Extended system ID              : 0
    Internal instance ID            : 1
STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Local parameters
    Bridge ID                       : 4098.00:19:e2:50:3d:20
    Extended system ID              : 0
    Internal instance ID            : 2
Action
user@switch3> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/26.0   128:513   128:513      8192.0019e25051e0    1000   FWD     DESG
ge-0/0/28.0   128:515   128:515      8192.0019e25051e0    1000   FWD     DESG
ge-0/0/24.0   128:517   128:517      8192.0019e25051e0    1000   FWD     DESG

Spanning tree interface parameters for instance 1

Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/26.0   128:513   128:513      4097.0019e25051e0    1000   FWD     DESG
ge-0/0/28.0   128:515   128:515      4097.0019e25051e0    1000   FWD     DESG
ge-0/0/24.0   128:517   128:517      4097.0019e25051e0    1000   FWD     DESG

Spanning tree interface parameters for instance 2

Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/26.0   128:513   128:531      8194.0019e25044e0    1000   BLK     ALT
ge-0/0/28.0   128:515   128:519      4098.0019e2503d20    1000   FWD     ROOT
ge-0/0/24.0   128:517   128:517      16386.0019e25051e0   1000   FWD     DESG

user@switch3> show spanning-tree bridge

STP bridge parameters
  Root ID                           : 8192.00:19:e2:50:51:e0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  CIST internal root cost           : 0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Number of topology changes        : 3
  Time since last topology change   : 843 seconds
  Local parameters
    Bridge ID                       : 8192.00:19:e2:50:51:e0
    Extended system ID              : 0
    Internal instance ID            : 0
STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Local parameters
    Bridge ID                       : 4097.00:19:e2:50:51:e0
    Extended system ID              : 0
    Internal instance ID            : 1
STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Root cost                         : 1000
  Root port                         : ge-0/0/28.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Local parameters
    Bridge ID                       : 16386.00:19:e2:50:51:e0
    Extended system ID              : 0
    Internal instance ID            : 2
Action
user@switch4> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/23.0   128:523   128:517      8192.0019e25051e0    1000   FWD     ROOT
ge-0/0/19.0   128:525   128:525      16384.0019e25040e0   1000   FWD     DESG

Spanning tree interface parameters for instance 1

Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/23.0   128:523   128:517      4097.0019e25051e0    1000   FWD     ROOT
ge-0/0/19.0   128:525   128:525      16385.0019e25040e0   1000   FWD     DESG

Spanning tree interface parameters for instance 2

Interface     Port ID   Designated   Designated           Port   State   Role
                        port ID      bridge ID            Cost
ge-0/0/23.0   128:523   128:517      16386.0019e25051e0   1000   BLK     ALT
ge-0/0/19.0   128:525   128:527      8194.0019e25044e0    1000   FWD     ROOT

user@switch4> show spanning-tree bridge

STP bridge parameters
  Root ID                           : 8192.00:19:e2:50:51:e0
  Root cost                         : 0
  Root port                         : ge-0/0/23.0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  CIST internal root cost           : 1000
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Message age                       : 0
  Number of topology changes        : 4
  Time since last topology change   : 887 seconds
  Local parameters
    Bridge ID                       : 16384.00:19:e2:50:40:e0
    Extended system ID              : 0
    Internal instance ID            : 0
STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Root cost                         : 1000
  Root port                         : ge-0/0/23.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Local parameters
    Bridge ID                       : 16385.00:19:e2:50:40:e0
    Extended system ID              : 0
    Internal instance ID            : 1
STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Root cost                         : 2000
  Root port                         : ge-0/0/19.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 18
  Local parameters
    Bridge ID                       : 32770.00:19:e2:50:40:e0
    Extended system ID              : 0
    Internal instance ID            : 2

Meaning
The operational mode command show spanning-tree bridge displays the spanning-tree
domain information at either the bridge level or interface level. If the optional interface
name is omitted, all interfaces in the spanning-tree domain are displayed.
Related Topics
Requirements
This example uses the following hardware and software components:
Before you configure the interfaces on Switch 2 for BPDU protection, be sure you
have:
Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches
Table 63 on page 469 shows the components that will be configured for BPDU
protection.
Table 63: Components of the Topology for Configuring BPDU Protection on EX-series Switches
Property
Settings
ge-0/0/5
ge-0/0/6
This configuration example uses an RSTP topology. You can also configure BPDU
protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy
level.
Configuration
To configure BPDU protection on two access interfaces:
CLI Quick Configuration
Step-by-Step Procedure
Results
Verification
To confirm that the configuration is working properly:
Displaying the Interface State Before BPDU Protection Is Triggered on page 466
Action
Before BPDUs are received from the PCs connected to interface ge-0/0/5 and
interface ge-0/0/6, confirm the interface state.
Use the operational mode command:
user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/0.0     128:513      128:513  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/1.0     128:514      128:514  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/2.0     128:515      128:515  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/3.0     128:516      128:516  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/4.0     128:517      128:517  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/5.0     128:518      128:518  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/6.0     128:519      128:519  32768.0019e2503f00    20000    FWD    DESG
[output truncated]
Meaning
The output from the operational mode command show spanning-tree interface shows
that interfaces ge-0/0/5.0 and ge-0/0/6.0 are designated ports in a forwarding state.
Action
In this example, the PCs connected to Switch 2 start sending BPDUs to interface
ge-0/0/5.0 and interface ge-0/0/6.0. Verify that BPDU protection is configured on
the interfaces.
Use the operational mode command:
user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/0.0     128:513      128:513  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/1.0     128:514      128:514  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/2.0     128:515      128:515  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/3.0     128:516      128:516  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/4.0     128:517      128:517  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/5.0     128:518      128:518  32768.0019e2503f00    20000    BLK    DIS
 (BpduIncon)
ge-0/0/6.0     128:519      128:519  32768.0019e2503f00    20000    BLK    DIS
 (BpduIncon)
ge-0/0/7.0     128:520        128:1  16384.00aabbcc0348    20000    FWD    ROOT
ge-0/0/8.0     128:521      128:521  32768.0019e2503f00    20000    FWD    DESG
[output truncated]
Meaning
When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0
on Switch 2, the output from the operational mode command show spanning-tree
interface shows that the interfaces have transitioned to a BPDU inconsistent state.
The BPDU inconsistent state makes the interfaces block and prevents them from
forwarding traffic.
Disabling the BPDU protection configuration on an interface does not unblock the
interface. If the disable-timeout statement has been included in the BPDU
configuration, the interface automatically returns to service after the timer expires.
Otherwise, use the operational mode command clear ethernet-switching
bpdu-error on page 542 to unblock the interface.
If the PCs connected to Switch 2 send BPDUs to the interfaces again, BPDU protection
is triggered once more and the interfaces transition back to the BPDU inconsistent
state. In such cases, you need to find and repair the misconfiguration on the PCs
that is causing BPDUs to be sent to Switch 2.
Related Topics
Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches
Requirements
This example uses the following hardware and software components:
Before you configure the interface for BPDU protection, be sure you have:
Table 63 on page 469 shows the components that will be configured for BPDU
protection.
Table 64: Components of the Topology for Configuring BPDU Protection on EX-series Switches
Property
Settings
Switch 2 has RSTP disabled and has these access ports that require BPDU
protection:
ge-0/0/5
ge-0/0/6
Configuration
To configure BPDU protection on the interfaces:
CLI Quick Configuration
Step-by-Step Procedure
Results
Verification
To confirm that the configuration is working properly, perform these tasks:
Displaying the Interface State Before BPDU Protection Is Triggered on page 470
Action
Before BPDUs are received from the PCs connected to interface ge-0/0/5 and
interface ge-0/0/6, confirm the interface state.
Use the operational mode command:
user@switch> show ethernet-switching interfaces
Interface    State  VLAN members   Blocking
ge-0/0/0.0   down   default        unblocked
ge-0/0/1.0   down   default        unblocked
ge-0/0/2.0   down   default        unblocked
ge-0/0/3.0   up     default        unblocked
ge-0/0/4.0   up     v1             unblocked
ge-0/0/5.0   up     v1             unblocked
ge-0/0/6.0   up     default        unblocked
[output truncated]
Meaning
The output from the operational mode command show ethernet-switching interfaces
shows that interfaces ge-0/0/5.0 and ge-0/0/6.0 are up and unblocked.
Action
In this example, the PCs connected to Switch 2 start sending BPDUs to interface
ge-0/0/5.0 and interface ge-0/0/6.0. Verify that BPDU protection is configured on
the interfaces.
Use the operational mode command:
user@switch> show ethernet-switching interfaces
Interface    State  VLAN members   Blocking
ge-0/0/0.0   down   default        unblocked
ge-0/0/1.0   down   default        unblocked
ge-0/0/2.0   down   default        unblocked
ge-0/0/3.0   up     default        unblocked
ge-0/0/4.0   up     v1             unblocked
ge-0/0/5.0   up     v1             blocked - blocked by bpdu-control
ge-0/0/6.0   up     default        blocked - blocked by bpdu-control
[output truncated]
Meaning
When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0
on Switch 2, the output from the operational mode command show ethernet-switching
interfaces shows that the interfaces are blocked by bpdu-control. Because RSTP is
disabled on Switch 2, the interfaces are not placed in a spanning-tree BPDU
inconsistent state; instead, BPDU protection blocks them directly, which prevents them from
forwarding traffic.
Disabling the BPDU protection configuration on an interface does not unblock the
interface. If the disable-timeout statement has been included in the BPDU
configuration, the interface automatically returns to service after the timer expires.
Otherwise, use the operational mode command clear ethernet-switching
bpdu-error on page 542 to unblock the interface.
If the PCs connected to Switch 2 send BPDUs to the interfaces again, BPDU protection
is triggered once more and the interfaces are blocked again. In such cases, you need
to find and repair the misconfiguration on the PCs that is causing BPDUs to be sent
to Switch 2.
Related Topics
Requirements
This example uses the following hardware and software components:
Before you configure the interface for loop protection, be sure you have:
Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches
CAUTION: An interface can be configured for either loop protection or root protection,
but not for both.
Three EX-series switches are displayed in Figure 24 on page 473. In this example,
they are configured for RSTP and create a loop-free topology. Interface ge-0/0/6 is
blocking traffic between Switch 3 and Switch 1; thus, traffic is forwarded through
interface ge-0/0/7 on Switch 2. BPDUs are being sent from the root bridge on Switch
1 to both of these interfaces.
This example shows how to configure loop protection on interface ge-0/0/6 to prevent
it from transitioning from a blocking state to a forwarding state and creating a loop
in the spanning-tree topology.
Figure 24: Network Topology for Loop Protection
Table 65 on page 473 shows the components that will be configured for loop
protection.
Table 65: Components of the Topology for Configuring Loop Protection on EX-series Switches
Property
Settings
Switch 1
Switch 2
Switch 3
The root port is responsible for forwarding data to the root bridge.
The alternate port is a standby port for the root port. When a root port goes
down, the alternate port becomes the active root port.
This configuration example uses an RSTP topology. However, you also can configure
loop protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy
level.
Configuration
To configure loop protection on an interface:
CLI Quick Configuration
Step-by-Step Procedure
Results
Verification
To confirm that the configuration is working properly, perform these tasks:
Displaying the Interface State Before Loop Protection Is Triggered on page 474
Action
Before loop protection is triggered on interface ge-0/0/6, confirm that the interface
is blocking.
Use the operational mode command:
user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/0.0     128:513      128:513  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/1.0     128:514      128:514  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/2.0     128:515      128:515  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/3.0     128:516      128:516  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/4.0     128:517      128:517  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/5.0     128:518      128:518  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/6.0     128:519        128:2  16384.00aabbcc0348    20000    BLK    ALT
[output truncated]
Meaning
The output from the operational mode command show spanning-tree interface shows
that ge-0/0/6.0 is the alternate port and is in a blocking state.
Action
Verify the loop protection configuration on interface ge-0/0/6. RSTP has been disabled
on interface ge-0/0/4 on Switch 1. This will stop BPDUs from being sent to interface
ge-0/0/6 and trigger loop protection on the interface.
Use the operational mode command:
user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/0.0     128:513      128:513  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/1.0     128:514      128:514  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/2.0     128:515      128:515  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/3.0     128:516      128:516  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/4.0     128:517      128:517  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/5.0     128:518      128:518  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/6.0     128:519      128:519  32768.0019e2503f00    20000    BLK    DIS
 (Loop-Incon)
[output truncated]
Meaning
The operational mode command show spanning-tree interface shows that interface
ge-0/0/6.0 has detected that BPDUs are no longer being forwarded to it and has
moved into a loop-inconsistent state. The loop-inconsistent state prevents the interface
from transitioning to a forwarding state. The interface recovers and transitions back
to its original state as soon as it receives BPDUs.
Related Topics
Requirements
This example uses the following hardware and software components:
Before you configure the interface for root protection, be sure you have:
Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches
port. These interfaces are typically located on an administrative boundary and are
designated ports.
When root protection is enabled on an interface:
The interface is blocked only for instances for which it receives superior BPDUs.
Otherwise, it participates in the spanning-tree topology.
CAUTION: An interface can be configured for either root protection or loop protection,
but not for both.
Four EX-series switches are displayed in Figure 25 on page 478. In this example, they
are configured for RSTP and create a loop-free topology. Interface ge-0/0/7 on Switch
1 is a designated port on an administrative boundary. It connects to Switch 4. Switch
3 is the root bridge. Interface ge-0/0/6 on Switch 1 is the root port.
This example shows how to configure root protection on interface ge-0/0/7 to prevent
it from transitioning to become the root port.
Table 66 on page 478 shows the components that will be configured for root protection.
Table 66: Components of the Topology for Configuring Root Protection on EX-series Switches
Property
Settings
Switch 1
Switch 2
Switch 2 is connected to Switch 1 and Switch 3. Interface ge-0/0/4 is the alternate port in the
RSTP topology.
Switch 3
Switch 4
The root port is responsible for forwarding data to the root bridge.
The alternate port is a standby port for the root port. When a root port goes
down, the alternate port becomes the active root port.
This configuration example uses an RSTP topology. However, you also can configure
root protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy
level.
Configuration
To configure root protection on an interface:
CLI Quick Configuration
Step-by-Step Procedure
Results
Verification
To confirm that the configuration is working properly:
Displaying the Interface State Before Root Protection Is Triggered on page 479
Action
Before root protection is triggered on interface ge-0/0/7, confirm the interface state.
Use the operational mode command:
user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/0.0     128:513      128:513  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/1.0     128:514      128:514  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/2.0     128:515      128:515  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/3.0     128:516      128:516  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/4.0     128:517      128:517  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/5.0     128:518        128:2  16384.00aabbcc0348    20000    BLK    ALT
ge-0/0/6.0     128:519        128:1  16384.00aabbcc0348    20000    FWD    ROOT
ge-0/0/7.0     128:520      128:520  32768.0019e2503f00    20000    FWD    DESG
[output truncated]
Meaning
The output from the operational mode command show spanning-tree interface shows
that ge-0/0/7.0 is a designated port in a forwarding state.
Action
Use the operational mode command:
user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/0.0     128:513      128:513  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/1.0     128:514      128:514  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/2.0     128:515      128:515  32768.0019e2503f00    20000    BLK    DIS
ge-0/0/3.0     128:516      128:516  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/4.0     128:517      128:517  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/5.0     128:518        128:2  16384.00aabbcc0348    20000    BLK    ALT
ge-0/0/6.0     128:519        128:1  16384.00aabbcc0348    20000    FWD    ROOT
ge-0/0/7.0     128:520      128:520  32768.0019e2503f00    20000    BLK    DIS
 (RootIncon)
[output truncated]
Meaning
The operational mode command show spanning-tree interface on page 564 shows that
interface ge-0/0/7.0 has transitioned to a root-inconsistent state (RootIncon). The
root-inconsistent state makes the interface block and prevents the interface from
becoming a candidate for the root port. When the root bridge no longer receives
superior STP BPDUs from the interface, the interface will recover and transition back
to a forwarding state. Recovery is automatic.
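The three verification procedures above (BPDU protection, loop protection and root protection) all rely on the same check: read show spanning-tree interface before and after the event and look for ports whose role changed or that now carry a (BpduIncon), (Loop-Incon) or (RootIncon) marker. The following Python is an added example, not code from the guide or from Juniper: it parses that output format, diffs two snapshots for role changes, flags the ports a protection feature has blocked, and splits the numeric field of a bridge ID into the configured priority and instance ID in the way the show spanning-tree bridge output earlier in this section presents them. The two snapshots are constructed after the guide's output, not captured from a switch.

```python
"""Parse `show spanning-tree interface` output from an EX-series switch, flag
ports that BPDU, loop or root protection has forced into blocking, and diff two
snapshots for role changes.  Added example; the snapshots are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed snapshot taken before the PCs start sending BPDUs.
BEFORE = """\
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/3.0     128:516      128:516  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/5.0     128:518      128:518  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/6.0     128:519      128:519  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/7.0     128:520        128:1  16384.00aabbcc0348    20000    FWD    ROOT
"""
# Constructed snapshot after BPDU protection fired on ge-0/0/5.0 and ge-0/0/6.0.
AFTER = """\
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/3.0     128:516      128:516  32768.0019e2503f00    20000    FWD    DESG
ge-0/0/5.0     128:518      128:518  32768.0019e2503f00    20000    BLK    DIS
 (BpduIncon)
ge-0/0/6.0     128:519      128:519  32768.0019e2503f00    20000    BLK    DIS
 (BpduIncon)
ge-0/0/7.0     128:520        128:1  16384.00aabbcc0348    20000    FWD    ROOT
"""

# One data row: interface, port ID, designated port ID, designated bridge ID
# (priority-field.MAC), port cost, state and role.  Header lines do not match.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<pid>\d+:\d+)\s+(?P<dpid>\d+:\d+)\s+"
    r"(?P<prio>\d+)\.(?P<mac>[0-9a-fA-F]{12})\s+(?P<cost>\d+)\s+"
    r"(?P<state>[A-Z]+)\s+(?P<role>[A-Z]+)\s*$"
)
# Marker printed under a port held in an inconsistent state:
# (BpduIncon), (Loop-Incon) or (RootIncon).
INCON_RE = re.compile(r"^\s*\((?P<kind>\w+-?Incon)\)\s*$")


@dataclass
class Port:
    name: str
    port_id: str
    designated_port_id: str
    designated_bridge: str          # e.g. "32768.0019e2503f00"
    cost: int
    state: str                      # FWD or BLK
    role: str                       # ROOT, DESG, ALT or DIS
    inconsistency: Optional[str] = None


def split_bridge_id(bridge_id: str) -> Tuple[int, int, str]:
    """Split 'field.mac' into (bridge priority, instance ID, MAC).

    The numeric field is the configured bridge-priority (a multiple of 4096)
    plus the MSTI / extended system ID: 4097 is priority 4096 in instance 1,
    32770 is the default 32768 in instance 2, as show spanning-tree bridge
    reports them.  Colons in the MAC (bridge-level output) are stripped."""
    field, mac = bridge_id.split(".", 1)
    value = int(field)
    return value & ~0xFFF, value & 0xFFF, mac.replace(":", "").lower()


def parse_interfaces(text: str) -> Dict[str, Port]:
    """Map interface name to its parsed row, attaching any (...Incon) marker."""
    ports: Dict[str, Port] = {}
    last: Optional[Port] = None
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            last = Port(row["name"], row["pid"], row["dpid"],
                        f"{row['prio']}.{row['mac']}", int(row["cost"]),
                        row["state"], row["role"])
            ports[last.name] = last
            continue
        marker = INCON_RE.match(line)
        if marker and last is not None:
            last.inconsistency = marker["kind"]
    return ports


def blocked_by_protection(ports: Dict[str, Port]) -> List[str]:
    """Interfaces that BPDU, loop or root protection has placed in blocking."""
    return sorted(p.name for p in ports.values() if p.inconsistency)


def role_changes(before: Dict[str, Port],
                 after: Dict[str, Port]) -> List[Tuple[str, str, str]]:
    """(interface, old role, new role) for every port whose role changed; a
    DESG port turning ROOT or ALT means a superior BPDU arrived on it."""
    return [(n, before[n].role, after[n].role)
            for n in sorted(before) if n in after and before[n].role != after[n].role]


if __name__ == "__main__":
    old, new = parse_interfaces(BEFORE), parse_interfaces(AFTER)
    for name in blocked_by_protection(new):
        prio, inst, mac = split_bridge_id(new[name].designated_bridge)
        print(f"{name}: {new[name].inconsistency}; designated bridge priority "
              f"{prio}, instance {inst}, mac {mac}")
    for name, was, now in role_changes(old, new):
        print(f"{name}: role {was} -> {now}")
```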
Related Topics
Chapter 35: Configuration Statements for Bridging, VLANs, and Spanning Trees
            aggregated-ether-options {
                lacp mode {
                    periodic interval;
                }
            }
        }
        ge-chassis/pic/port {
            description text;
            ether-options {
                802.3ad aex;
                auto-negotiation;
                flow-control;
                link-mode mode;
                speed (speed | auto-negotiation | no-autonegotiation);
            }
            mtu bytes;
            unit logical-unit-number {
                family ethernet-switching {
                    filter input filter-name;
                    filter output filter-name;
                    l3-interface interface-name-logical-unit-number;
                    native-vlan-id vlan-id;
                    port-mode mode;
                    vlan {
                        members [ (names | vlan-ids) ];
                        translate vlan-id1 vlan-id2;
                    }
                }
                vlan-id vlan-id-number;
            }
            vlan-tagging;
        }
    }
Related Topics
Chapter 35: Configuration Statements for Bridging, VLANs, and Spanning Trees
            reauthentication {
                interval seconds;
            }
            retries number;
            server-timeout seconds;
            supplicant (single | single-secure | multiple);
            supplicant-timeout seconds;
            transmit-period seconds;
        }
    }
    gvrp {
        <enable | disable>;
        interface (all | [interface-name]) {
            disable;
        }
        join-timer milliseconds;
        leave-timer milliseconds;
        leaveall-timer milliseconds;
    }
    igmp-snooping {
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable>
                <match regex>;
            flag flag (detail | disable | receive | send);
        }
        vlan (vlan-id | vlan-number) {
            disable {
                interface interface-name;
            }
            immediate-leave;
            interface interface-name {
                multicast-router-interface;
                static {
                    group ip-address;
                }
            }
            query-interval seconds;
            query-last-member-interval seconds;
            query-response-interval seconds;
            robust-count number;
        }
    }
    lldp {
        disable;
        advertisement-interval seconds;
        hold-multiplier number;
        interface (all | interface-name) {
            disable;
        }
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable>
                <match regex>;
            flag flag (detail | disable | receive | send);
        }
        transmit-delay seconds;
    }
    lldp-med {
        disable;
        fast-start number;
        interface (all | interface-name) {
            disable;
            location {
                elin number;
                civic-based {
                    what number;
                    country-code code;
                    ca-type {
                        number {
                            ca-value value;
                        }
                    }
                }
            }
        }
    }
    mstp {
        disable;
        bpdu-block-on-edge;
        bridge-priority priority;
        configuration-name name;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        max-hops hops;
        msti msti-id {
            vlan (vlan-id | vlan-name);
            interface interface-name {
                disable;
                cost cost;
                edge;
                mode mode;
                priority priority;
            }
        }
        revision-level revision-level;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable |
                no-world-readable>;
            flag flag;
        }
    }
    rstp {
        disable;
        bpdu-block-on-edge;
        bridge-priority priority;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable |
                no-world-readable>;
            flag flag;
        }
    }
    stp {
        disable;
        bridge-priority priority;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable |
                no-world-readable>;
            flag flag;
        }
    }
}
Related Topics
alarm
Syntax
alarm;
Hierarchy Level
[edit protocols mstp interface (all | interface-name) bpdu-timeout-action],
[edit protocols rstp interface (all | interface-name) bpdu-timeout-action],
[edit protocols stp interface (all | interface-name) bpdu-timeout-action]
Release Information
Description
block
Syntax
block;
Hierarchy Level
[edit protocols mstp interface (all | interface-name) bpdu-timeout-action],
[edit protocols rstp interface (all | interface-name) bpdu-timeout-action],
[edit protocols stp interface (all | interface-name) bpdu-timeout-action]
Release Information
Description
Required Privilege Level
Related Topics
bpdu-block
Syntax
bpdu-block {
    interface (all | [interface-name]);
    disable-timeout timeout;
}
Hierarchy Level
[edit ethernet-switching-options]
Release Information
Description
Related Topics
Unblocking an Interface That Receives BPDUs in Error (CLI Procedure) on page 415
bpdu-block-on-edge
Syntax
bpdu-block-on-edge;
Hierarchy Level
[edit protocols mstp],
[edit protocols rstp]
Release Information
Description
Required Privilege Level
Related Topics
bpdu-timeout-action
Syntax
bpdu-timeout-action {
    block;
    alarm;
}
Hierarchy Level
[edit protocols mstp interface (all | interface-name)],
[edit protocols rstp interface (all | interface-name)],
[edit protocols stp interface (all | interface-name)]
Release Information
Description
bridge-priority
Syntax
bridge-priority priority;
Hierarchy Level
[edit protocols mstp],
[edit protocols mstp msti msti-id],
[edit protocols rstp],
[edit protocols stp]
Release Information
Description
Default
32,768
Options
configuration-name
Syntax
configuration-name configuration-name;
Hierarchy Level
[edit protocols mstp]
Release Information
Description
cost
Syntax
cost cost;
Hierarchy Level
[edit protocols
[edit protocols
[edit protocols
[edit protocols
Release Information
Description
Default
Options
description
Syntax
Hierarchy Level
Release Information
description text-description;
[edit vlans vlan-name]
Description
Provide a textual description of the VLAN. The text has no effect on the operation of
the VLAN or switch.
Options
hyphens (-) and can be up to 255 characters long. If the text includes spaces,
enclose the entire text in quotation marks.
Required Privilege Level
Related Topics
disable
Syntax
disable;
Hierarchy Level
[edit protocols gvrp],
[edit protocols gvrp interface (all | [interface-name])]
Release Information
Description
Default
disable
Syntax
disable;
Hierarchy Level
[edit protocols mstp],
[edit protocols mstp interface interface-name],
[edit protocols mstp msti msti-id vlan (vlan-id | vlan-name) interface interface-name],
[edit protocols rstp],
[edit protocols rstp interface interface-name],
[edit protocols stp],
[edit protocols stp interface interface-name]
Release Information
Description
Required Privilege Level
Related Topics
disable-timeout
Syntax
disable-timeout timeout;
Hierarchy Level
[edit ethernet-switching-options bpdu-block]
Release Information
Description
Default
Options
Once the timeout expires, the interface is brought back into service.
Range: 10 through 3600 seconds
Required Privilege Level
Related Topics
edge
Syntax
edge;
Hierarchy Level
[edit protocols
[edit protocols
[edit protocols
[edit protocols
Release Information
Description
Default
Required Privilege Level
Related Topics
ethernet-switching-options
Syntax
ethernet-switching-options {
    analyzer {
        name {
            loss-priority priority;
            ratio number;
            input {
                ingress {
                    interface (all | interface-name);
                    vlan (vlan-id | vlan-name);
                }
                egress {
                    interface (all | interface-name);
                }
            }
            output {
                interface interface-name;
                vlan (vlan-id | vlan-name);
            }
        }
    }
    bpdu-block {
        interface (all | [interface-name]);
        disable-timeout timeout;
    }
    redundant-trunk-group {
        group-name name {
            interface interface-name <primary>;
            interface interface-name;
        }
    }
    secure-access-port {
        interface (all | interface-name) {
            allowed-mac {
                mac-address-list;
            }
            (dhcp-trusted | no-dhcp-trusted);
            mac-limit limit action action;
            static-ip ip-address {
                vlan vlan-name;
                mac mac-address;
            }
        }
        vlan (all | vlan-name) {
            (arp-inspection | no-arp-inspection);
            (examine-dhcp | no-examine-dhcp);
            (ip-source-guard | no-ip-source-guard);
            mac-move-limit limit action action;
        }
    }
    storm-control {
        interface (all | interface-name) {
            level level;
            no-broadcast;
            no-unknown-unicast;
        }
    }
    traceoptions {
        file filename <files number> <no-stamp> <replace> <size size> <world-readable |
            no-world-readable>;
        flag flag <disable>;
    }
    voip {
        interface (all | [interface-name | access-ports]) {
            vlan vlan-name;
            forwarding-class <assured-forwarding | best-effort | expedited-forwarding |
                network-control>;
        }
    }
}
Hierarchy Level
[edit]
Release Information
Description
filter
Syntax
Hierarchy Level
Release Information
Description
Options
Default
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
forward-delay
Syntax
forward-delay seconds;
Hierarchy Level
[edit protocols mstp],
[edit protocols rstp],
[edit protocols stp]
Release Information
Description
Default
15 seconds
Options
seconds: Number of seconds the bridge interface remains in the listening and learning
states.
Range: 4 through 30 seconds
Default: 15 seconds
Required Privilege Level
Related Topics
group-name
Syntax
group-name name {
    interface interface-name <primary>;
    interface interface-name;
}
Hierarchy Level
[edit ethernet-switching-options redundant-trunk-group]
Release Information
Description
Options
Related Topics
Example: Configuring Redundant Trunk Links for Faster Recovery on page 400
gvrp
Syntax
gvrp {
    <enable | disable>;
    interface (all | [interface-name]) {
        disable;
    }
    join-timer milliseconds;
    leave-timer milliseconds;
    leaveall-timer milliseconds;
}
Hierarchy Level
[edit protocols]
Release Information
Description
Default
Required Privilege Level
Related Topics
hello-time
Syntax
hello-time seconds;
Hierarchy Level
[edit protocols mstp],
[edit protocols rstp],
[edit protocols stp]
Release Information
Description
Default
2 seconds
Options
interface
Syntax
Hierarchy Level
Release Information
Description
Options
interface
Syntax
Hierarchy Level
Release Information
Description
Default
Options
all: All interfaces.
interface-name: The list of interfaces to be configured for GVRP.
interface
Syntax
Hierarchy Level
Release Information
Description
Options
multiple ports.
primary: (Optional) Specify one of the interfaces in the redundant group as the
primary link. The interface without this option is the secondary link in the
redundant group. If a link is not specified as primary, the software compares the
two links and selects the link with the highest port number as the active link.
For example, if the two interfaces are ge-0/1/0 and ge-0/1/1, the software
assigns ge-0/1/1 as the active link.
Required Privilege Level
Related Topics
Example: Configuring Redundant Trunk Links for Faster Recovery on page 400
interface
Syntax
Hierarchy Level
Release Information
Description
Default
Options
interface
Syntax
interface interface-name {
    disable;
    cost cost;
    edge;
    mode mode;
    no-root-port;
    priority priority;
}
Hierarchy Level
[edit protocols mstp],
[edit protocols mstp msti],
[edit protocols rstp],
[edit protocols stp]
Release Information
Description
Options
join-timer
Syntax
join-timer milliseconds;
Hierarchy Level
[edit protocols gvrp]
Release Information
Description
Default
20 centiseconds
Options
milliseconds: Number of milliseconds.
Default: 20 centiseconds
Required Privilege Level
Related Topics
l3-interface
Syntax
l3-interface vlan.logical-interface-number;
Hierarchy Level
Release Information
Description
Options
Related Topics
Default
leaveall-timer
Syntax
leaveall-timer milliseconds;
Hierarchy Level
[edit protocols gvrp]
Release Information
Description
Default
1000 centiseconds
Options
milliseconds: Number of milliseconds.
Range: 5 times leave-timer value
leave-timer
Syntax
leave-timer milliseconds;
Hierarchy Level
[edit protocols gvrp]
Release Information
Description
Default
60 centiseconds
Options
level
Syntax
level level;
Hierarchy Level
[edit ethernet-switching-options storm-control interface (all | interface-name)]
Release Information
Description
Default
When storm control is enabled on an interface, the storm control level is 80%.
Options
mac-limit
Syntax
mac-limit number;
Hierarchy Level
Release Information
Description
Options
Related Topics
Default
mac-table-aging-time
Syntax
mac-table-aging-time seconds;
Hierarchy Level
[edit vlans vlan-name]
Release Information
Description
Default
300 seconds
Options
seconds: Time that entries remain in the Ethernet switching table before being
removed.
Default: 300 seconds.
max-age
Syntax
max-age seconds;
Hierarchy Level
[edit protocols mstp],
[edit protocols rstp],
[edit protocols stp]
Release Information
Description
Default
20 seconds
Options
max-hops
Syntax
max-hops hops;
Hierarchy Level
[edit protocols mstp]
Release Information
Description
Default
20 hops
Options
members
Syntax
Hierarchy Level
Release Information
Description
Options
mode
Syntax
mode mode;
Hierarchy Level
[edit protocols
[edit protocols
[edit protocols
[edit protocols
Release Information
Description
Default
For a full-duplex link, the default link mode is point-to-point. For a half-duplex link,
the default link mode is shared.
Options
mode: Link mode:
msti
Syntax
msti msti-id {
    vlan [ vlan-id ];
    interface interface-name {
        disable;
        cost cost;
        priority priority;
    }
}
Hierarchy Level
[edit protocols mstp]
Release Information
Description
Default
MSTI is disabled.
Options
msti-id: MSTI identifier.
Range: 1 through 4094. The Common and Internal Spanning Tree (CIST) is always MSTI 0.
The remaining statements are explained separately.
Required Privilege Level
Related Topics
mstp
Syntax
mstp {
    disable;
    bpdu-block-on-edge;
    bridge-priority priority;
    configuration-name name;
    forward-delay seconds;
    hello-time seconds;
    interface (all | interface-name) {
        bpdu-timeout-action {
            block;
            alarm;
        }
        disable;
        cost cost;
        edge;
        mode mode;
        no-root-port;
        priority priority;
    }
    max-age seconds;
    max-hops hops;
    msti msti-id {
        vlan (vlan-id | vlan-name);
        interface interface-name {
            disable;
            cost cost;
            priority priority;
        }
    }
    traceoptions {
        file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
        flag flag;
    }
    revision-level revision-level;
}
Hierarchy Level
[edit protocols]
Release Information
Description
Default
MSTP is disabled.
Required Privilege Level
routing: To view this statement in the configuration.
native-vlan-id
Syntax
native-vlan-id vlan-id;
Hierarchy Level
Release Information
Description
Configure the VLAN identifier to associate with untagged packets received on the interface.
Options
vlan-id: Numeric identifier of the VLAN.
no-broadcast
Syntax
no-broadcast;
Hierarchy Level
[edit ethernet-switching-options storm-control interface (all | interface-name)]
Release Information
Description
Default
no-root-port
Syntax
no-root-port;
Hierarchy Level
[edit protocols mstp interface (all | interface-name)],
[edit protocols rstp interface (all | interface-name)],
[edit protocols stp interface (all | interface-name)]
Release Information
Description
no-unknown-unicast
Syntax
no-unknown-unicast;
Hierarchy Level
[edit ethernet-switching-options storm-control interface (all | interface-name)]
Release Information
Description
Default
port-mode
Syntax
port-mode mode;
Hierarchy Level
[edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]
Release Information
Description
Default
Options
access: Have the interface operate in access mode. In this mode, the interface can
trunk: Have the interface operate in trunk mode. In this mode, the interface can be in multiple VLANs and can multiplex traffic between different VLANs. Trunk interfaces typically connect to other switches and to routers on the LAN.
Required Privilege Level
Related Topics
priority
Syntax
priority priority;
Hierarchy Level
[edit protocols
[edit protocols
[edit protocols
[edit protocols
Release Information
Description
Default
Options
redundant-trunk-group
Syntax
redundant-trunk-group {
    group-name name {
        interface interface-name <primary>;
        interface interface-name;
    }
}
Hierarchy Level
[edit ethernet-switching-options]
Release Information
Description
Options
Required Privilege Level
Related Topics
Example: Configuring Redundant Trunk Links for Faster Recovery on page 400
rstp
Syntax
rstp {
    disable;
    bpdu-block-on-edge;
    bridge-priority priority;
    forward-delay seconds;
    hello-time seconds;
    interface (all | interface-name) {
        bpdu-timeout-action {
            block;
            alarm;
        }
        disable;
        cost cost;
        edge;
        mode mode;
        no-root-port;
        priority priority;
    }
    max-age seconds;
    traceoptions {
        file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
        flag flag;
    }
}
Hierarchy Level
[edit protocols]
Release Information
Description
Default
Required Privilege Level
Related Topics
storm-control
Syntax
storm-control {
    interface (all | interface-name) {
        level level;
        no-broadcast;
        no-unknown-unicast;
    }
}
Hierarchy Level
[edit ethernet-switching-options]
Release Information
Description
Default
Required Privilege Level
Related Topics
stp
Syntax
stp {
    disable;
    bridge-priority priority;
    forward-delay seconds;
    hello-time seconds;
    interface (all | interface-name) {
        disable;
        bpdu-timeout-action {
            block;
            alarm;
        }
        cost cost;
        edge;
        mode mode;
        no-root-port;
        priority priority;
    }
    max-age seconds;
    traceoptions {
        file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
        flag flag;
    }
}
Hierarchy Level
[edit protocols]
Release Information
Description
Default
Required Privilege Level
Related Topics
traceoptions
Syntax
traceoptions {
    file name <replace> <size size> <files number> <no-stamp> <(world-readable | no-world-readable)>;
    flag flag <flag-modifier> <disable>;
}
Hierarchy Level
[edit protocols mstp],
[edit protocols rstp],
[edit protocols stp]
Release Information
Description
Default
Traceoptions is disabled.
Options
disable: (Optional) Disable the tracing operation. One use of this option is to disable a single operation when you have defined a broad group of tracing operations, such as all.
file name: Name of the file to receive the output of the tracing operation. Enclose the name in quotation marks. We recommend that you place STP tracing output in the file /var/log/stp-log.
files number: (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then, the oldest trace file is overwritten.
If you specify a maximum number of files, you must also specify a maximum file size with the size option.
Range: 2 through 1000 files
Default: 1 trace file only
flag: Tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. These are the STP-specific tracing options:
Default: If you do not specify this option, only unusual or abnormal operations are traced.
until the maximum number of trace files is reached. Then the oldest trace file is overwritten.
If you specify a maximum file size, you must also specify a maximum number of trace files with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through the maximum file size supported on your system
Default: 1 MB
world-readable: (Optional) Allow any user to read the log file.
Required Privilege Level
Related Topics
translate
Syntax
Hierarchy Level
Release Information
Description
Options
vlan
Syntax
vlan {
    [ (names | vlan-ids) ];
    translate vlan-id1 vlan-id2;
}
Hierarchy Level
[edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]
Release Information
Description
vlan
Syntax
Hierarchy Level
Release Information
Description
Default
not enabled
Options
vlan-id
Syntax
vlan-id number;
Hierarchy Level
[edit vlans vlan-name]
Release Information
Description
Default
If you use the default factory configuration, all traffic originating on the VLAN is untagged and has a VLAN identifier of 0.
Options
vlan-range
Syntax
vlan-range vlan-id-low-vlan-id-high;
Hierarchy Level
[edit vlans vlan-name]
Release Information
Description
Default
None.
Options
vlan-id-low-vlan-id-high: Specify the first and last VLAN ID number for the group of VLANs.
Required Privilege Level
Related Topics
vlans
Syntax
vlans {
    vlan-name {
        description text-description;
        filter input filter-name;
        filter output filter-name;
        interface interface-name;
        l3-interface vlan.logical-interface-number;
        mac-limit number;
        mac-table-aging-time seconds;
        vlan-id number;
        vlan-range vlan-id-low-vlan-id-high;
    }
}
Hierarchy Level
[edit]
Release Information
Description
Default
If you use the default factory configuration, all switch interfaces become part of the VLAN default.
Options
vlan-name: Name of the VLAN. The name can contain letters, numbers, and hyphens
Chapter 36
Options
Required Privilege Level
Related Topics
Chapter 36: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
Release Information
Description
Options
reset.
logical-unit-number: (Optional) The logical unit number of the interface.
Required Privilege Level
Related Topics
Release Information
Description
Options
specific interface.
Required Privilege Level
view
Output Fields
Table 67 on page 545 lists the output fields for the show ethernet-switching interfaces command. Output fields are listed in the approximate order in which they appear.
Field Description (Level of Output)
Interface (All levels)
State
VLAN members: Name of a VLAN.
Blocking (summary)
Index (detail)
untagged | tagged (detail)
show ethernet-switching interfaces
Interface     State  VLAN members  Blocking
ge-0/0/0.0    up     T1122         unblocked
ge-0/0/1.0    down   default       unblocked
ge-0/0/2.0    down   default       unblocked
ge-0/0/3.0    down   default       unblocked
ge-0/0/4.0    down   default       unblocked
ge-0/0/5.0    down   default       unblocked
ge-0/0/6.0    down   default       unblocked
ge-0/0/7.0    down   default       unblocked
ge-0/0/8.0    down   default       unblocked
ge-0/0/9.0    up     T111          unblocked
ge-0/0/10.0   down   default       unblocked
ge-0/0/11.0   down   default       unblocked
ge-0/0/12.0   down   default       unblocked
ge-0/0/13.0   down   default       unblocked
ge-0/0/14.0   down   default       unblocked
ge-0/0/15.0   down   default       unblocked
ge-0/0/16.0   down   default       unblocked
ge-0/0/17.0   down   default       unblocked
ge-0/0/18.0   down   default       unblocked
ge-0/0/19.0   up     T111          unblocked
ge-0/1/0.0    down   default       unblocked
ge-0/1/1.0    down   default       unblocked
ge-0/1/2.0    down   default       unblocked
ge-0/1/3.0    down   default       unblocked
show ethernet-switching interfaces summary
show ethernet-switching interfaces brief
show ethernet-switching interfaces detail
show ethernet-switching interfaces ge-0/0/0.0
show ethernet-switching mac-learning-log
Field Description
Timestamp when the MAC address was added or deleted from the log.
VLAN-IDX
VLAN index. An internal value assigned by the JUNOS software for each VLAN.
MAC
Deleted | Added
Blocking
Release Information
Description
Options
Required Privilege Level
view
Output Fields
Table 69 on page 550 lists the output fields for the show ethernet-switching table command. Output fields are listed in the approximate order in which they appear.
Field Description (Level of Output)
VLAN (All levels)
MAC address: MAC address. (All levels)
Type (All levels)
Age: The time remaining before the entry ages out and is removed from the Ethernet switching table. (All levels)
Interfaces (All levels)
Learned: For learned entries, the time at which the entry was added to the Ethernet-switching table. (detail, extensive)
show ethernet-switching table
show ethernet-switching table brief
[output truncated]
show ethernet-switching table detail
VLAN  MAC address        Type    Age  Interfaces
T10   *                  Flood        All-members
T10   00:00:5e:00:01:09  Static       Router
T10   00:19:e2:50:63:e0  Learn   0    ge-0/0/46.0
T10   00:19:e2:50:7d:e0  Static       Router
T111  *                  Flood        All-members
T111  00:19:e2:50:63:e0  Learn   0    ge-0/0/15.0
T111  00:19:e2:50:7d:e0  Static       Router
T111  00:19:e2:50:ac:00  Learn   0    ge-0/0/15.0
T2    *                  Flood        All-members
T2    00:00:5e:00:01:01  Static       Router
T2    00:19:e2:50:63:e0  Learn   0    ge-0/0/46.0
T2    00:19:e2:50:7d:e0  Static       Router
T3    *                  Flood        All-members
T3    00:00:5e:00:01:02  Static       Router
T3    00:19:e2:50:63:e0  Learn   0    ge-0/0/46.0
T3    00:19:e2:50:7d:e0  Static       Router
T4    *                  Flood        All-members
T4    00:00:5e:00:01:03  Static       Router
T4    00:19:e2:50:63:e0  Learn   0    ge-0/0/46.0
[output truncated]
show ethernet-switching table extensive
T1, 00:00:5e:00:01:00
Interface(s): Router
Type: Static
T1, 00:19:e2:50:63:e0
Interface(s): ge-0/0/46.0
Type: Learn, Age: 0, Learned: 2:03:07
T1, 00:19:e2:50:7d:e0
Interface(s): Router
Type: Static
T10, *
Interface(s): ge-0/0/46.0
Type: Flood
T10, 00:00:5e:00:01:09
Interface(s): Router
Type: Static
T10, 00:19:e2:50:63:e0
Interface(s): ge-0/0/46.0
Type: Learn, Age: 0, Learned: 2:03:08
T10, 00:19:e2:50:7d:e0
Interface(s): Router
Type: Static
T111, *
Interface(s): ge-0/0/15.0
Type: Flood
[output truncated]
show ethernet-switching table interface ge-0/0/1
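The extensive output above is the form an operator is most likely to feed to a script. Here is an added Python example, not from the guide, that parses that layout and totals the dynamically learned (Type: Learn) entries per VLAN against the mac-limit values configured under [edit vlans vlan-name]; the sample text, the two extra T111 MACs and the limit values are constructed, the entry format is the page's.

```python
import re
from collections import Counter

# Constructed sample in the layout of the "show ethernet-switching table
# extensive" output above; the VLAN names, MACs and interfaces are the page's,
# the extra T111 entries are made up to exercise the limit check.
SAMPLE_TABLE_OUTPUT = """\
T1, 00:00:5e:00:01:00
  Interface(s): Router
  Type: Static
T1, 00:19:e2:50:63:e0
  Interface(s): ge-0/0/46.0
  Type: Learn, Age: 0, Learned: 2:03:07
T10, *
  Interface(s): ge-0/0/46.0
  Type: Flood
T10, 00:19:e2:50:63:e0
  Interface(s): ge-0/0/46.0
  Type: Learn, Age: 0, Learned: 2:03:08
T111, 00:19:e2:50:ac:00
  Interface(s): ge-0/0/15.0
  Type: Learn, Age: 0, Learned: 2:03:09
T111, 00:19:e2:50:ac:01
  Interface(s): ge-0/0/15.0
  Type: Learn, Age: 0, Learned: 2:03:10
T111, 00:19:e2:50:ac:02
  Interface(s): ge-0/0/15.0
  Type: Learn, Age: 0, Learned: 2:03:11
"""

# "VLAN, MAC" header line of each entry; "*" is the per-VLAN flood entry.
ENTRY_RE = re.compile(r"^(?P<vlan>\S+), (?P<mac>\*|(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.I)


def parse_switching_table(text):
    """Parse the extensive layout into one dict per table entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = {"vlan": m.group("vlan"), "mac": m.group("mac").lower(),
                       "interface": None, "type": None, "age": None, "learned": None}
            entries.append(current)
        elif current is not None and line.startswith("Interface(s):"):
            current["interface"] = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("Type:"):
            # "Type: Learn, Age: 0, Learned: 2:03:07": split on commas first so the
            # colons inside the Learned timestamp are not mistaken for separators.
            for part in line.split(","):
                key, _, value = part.partition(":")
                key, value = key.strip().lower(), value.strip()
                if key == "age":
                    current["age"] = int(value)
                elif key in ("type", "learned"):
                    current[key] = value
    return entries


def learned_per_vlan(entries):
    """Count dynamically learned (Type: Learn) MACs per VLAN, broken down by interface."""
    per_vlan = {}
    for e in entries:
        if e["type"] == "Learn":
            per_vlan.setdefault(e["vlan"], Counter())[e["interface"]] += 1
    return per_vlan


def check_mac_limits(entries, limits, default_limit=None):
    """Report VLANs whose learned-MAC count has reached the configured mac-limit.

    `limits` maps a VLAN name to the value given by `mac-limit number` under
    [edit vlans vlan-name] (constructed values here); VLANs with no entry use
    default_limit and are skipped when that is None. Static and flood entries
    never count.
    """
    findings = []
    for vlan, by_iface in sorted(learned_per_vlan(entries).items()):
        limit = limits.get(vlan, default_limit)
        total = sum(by_iface.values())
        if limit is not None and total >= limit:
            findings.append({"vlan": vlan, "learned": total, "limit": limit,
                             "by_interface": dict(by_iface)})
    return findings


if __name__ == "__main__":
    for f in check_mac_limits(parse_switching_table(SAMPLE_TABLE_OUTPUT), {"T111": 3}):
        print(f)
```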
show gvrp
Syntax
show gvrp
Release Information
Description
Options
only.
Required Privilege Level
view
Related Topics
Field Description
Global GVRP Configuration
Join: The maximum number of milliseconds the interfaces must wait before sending VLAN advertisements.
Leave: The number of milliseconds an interface must wait after receiving a Leave message
Leaveall: The interval at which Leave All messages are sent on interfaces. Leave all messages
Field Description
Join In received
Empty received
Leave In received
Join Empty transmitted
Join In transmitted
Empty transmitted
Leave In transmitted
Leave Empty transmitted
GVRP statistics
Join Empty received      : 0
Join In received         : 12
Empty received           : 0
Leave In received        : 0
Leave Empty received     : 0
Leave All received       : 0
Join Empty transmitted   : 0
Join In transmitted      : 48
Empty transmitted        : 4
Leave In transmitted     : 0
Leave Empty transmitted  : 0
Leave All transmitted    : 4
show redundant-trunk-group
Syntax
Release Information
Description
Options
group.
Required Privilege Level
view
Related Topics
Example: Configuring Redundant Trunk Links for Faster Recovery on page 400
Field Description
Group Name
Interface
State
Date and time at which the advertised link became unavailable, and then, available again.
# Flaps
show redundant-trunk-group group-name Group1
State  # Flaps
UP     0
UP     0
Release Information
Description
Instances (MSTIs).
Options
brief | detail: (Optional) Display the specified level of output.
msti msti-id: (Optional) Display STP bridge information for the specified MSTP instance ID or Common and Internal Spanning Tree (CIST). Specify 0 for CIST. Specify a value from 1 through 4094 for an MSTI.
vlan vlan-id: (Optional) Display STP bridge information for the specified VLAN. Specify a VLAN tag identifier from 1 through 4094.
Required Privilege Level
view
Related Topics
Output Fields
Field Name: Field Description
Routing instance name: Name of the routing instance under which the bridging domain is configured.
Context ID
Enabled protocol
Root ID: Bridge ID of the elected spanning tree root bridge. The bridge ID consists of a configurable bridge priority and the MAC address of the bridge.
Root cost: Calculated cost to reach the root bridge from the bridge where the command is entered.
Root port: Interface that is the current elected root port for this bridge.
Calculated cost to reach the regional root bridge from the bridge where the command is entered.
Hello time
Maximum age
Forward delay: Configured time an STP bridge port remains in the listening and learning states before transitioning to the forwarding state.
Hop count
Message age: Number of elapsed seconds since the most recent BPDU was received.
Number of topology changes: Total number of STP topology changes detected since the switch last booted.
Bridge ID (Local)
Extended system ID
show spanning-tree bridge
  Root ID                     : 8192.00:19:e2:50:51:e0
  Root cost                   : 0
  Root port                   : ge-0/0/13.0
  Regional root ID            : 8192.00:19:e2:50:51:e0
  Regional root cost          : 2000
  Hello time                  : 2 seconds
  Maximum age                 : 20 seconds
  Forward delay               : 15 seconds
  Hop count                   : 18
  Message age                 : 0
  Number of topology changes  : 3
  Bridge ID (Local)           : 16384.00:19:e2:50:44:e0
  Extended system ID          : 0
  Internal instance ID        : 0

  Root ID                     : 4097.00:19:e2:50:51:e0
  Root cost                   : 2000
  Root port                   : ge-0/0/13.0
  Hello time                  : 2 seconds
  Maximum age                 : 20 seconds
  Forward delay               : 15 seconds
  Hop count                   : 18
  Bridge ID (Local)           : 16385.00:19:e2:50:44:e0
  Extended system ID          : 0
  Internal instance ID        : 1

  Root ID                     : 4098.00:19:e2:50:3d:20
  Root cost                   : 1000
  Root port                   : ge-0/0/9.0
  Hello time                  : 2 seconds
  Maximum age                 : 20 seconds
  Forward delay               : 15 seconds
  Hop count                   : 19
  Bridge ID (Local)           : 8194.00:19:e2:50:44:e0
  Extended system ID          : 0
  Internal instance ID        : 2
show spanning-tree bridge brief
show spanning-tree bridge detail
  Context ID                  : 0
  Enabled protocol            : RSTP
  Root ID                     : 32768.00:19:e2:50:95:a0
  Hello time                  : 2 seconds
  Maximum age                 : 20 seconds
  Forward delay               : 15 seconds
  Message age                 : 0
  Number of topology changes  : 0
  Bridge ID (Local)           : 32768.00:19:e2:50:95:a0
  Extended system ID          : 0
  Internal instance ID        : 0
  Hello time                  : 2 seconds
  Maximum age                 : 20 seconds
  Forward delay               : 15 seconds
  Path cost method            : 32 bit
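The Root ID and Bridge ID fields described above are what an operator checks when the spanning tree has a root it should not have. Here is an added Python example, not from the guide, that parses a "show spanning-tree bridge" listing, splits a bridge ID into bridge priority, system-ID extension and MAC address, and reports when the elected root is not the bridge an operator expects; the sample listing is constructed from the page's example values, and the expected-root MAC is an assumption passed in by the caller.

```python
import re

# Constructed sample in the layout of the "show spanning-tree bridge" output in
# this chapter; the priorities and MAC addresses are the page's example values.
SAMPLE_BRIDGE_OUTPUT = """\
STP bridge parameters
Context ID                        : 0
Enabled protocol                  : MSTP
  Root ID                         : 8192.00:19:e2:50:51:e0
  Root cost                       : 0
  Root port                       : ge-0/0/13.0
  Hello time                      : 2 seconds
  Maximum age                     : 20 seconds
  Forward delay                   : 15 seconds
  Number of topology changes      : 3
  Bridge ID                       : 16384.00:19:e2:50:44:e0
  Extended system ID              : 0
"""

# Accepts both spellings used in this chapter: 8192.00:19:e2:50:51:e0 and 8192.0019e2500340
BRIDGE_ID_RE = re.compile(r"^(\d+)\.([0-9a-f]{2}(?::?[0-9a-f]{2}){5})$", re.I)
# Label and value are separated by the first colon that is followed by a space,
# so the colons inside a MAC address are left alone.
FIELD_RE = re.compile(r"^\s*(.+?)\s*:\s+(\S.*?)\s*$")


def parse_bridge_id(text):
    """Split 'prio.mac' into (priority, extension, mac).

    The 16-bit number in front of the MAC holds the configurable bridge
    priority in its top 4 bits (a multiple of 4096) and the system-ID
    extension in the low 12 bits, which is why MSTI 1 on a priority-4096
    bridge shows up as 4097 in the output above.
    """
    m = BRIDGE_ID_RE.match(text.strip())
    if not m:
        raise ValueError("not a bridge ID: %r" % text)
    value = int(m.group(1))
    if value > 0xFFFF:
        raise ValueError("priority field out of range: %d" % value)
    hexdigits = m.group(2).replace(":", "").lower()
    mac = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    return value & 0xF000, value & 0x0FFF, mac


def bridge_id_sort_key(bridge_id):
    """Election order: the numerically lower (priority+extension, MAC) pair wins."""
    priority, ext, mac = parse_bridge_id(bridge_id)
    return (priority + ext, bytes.fromhex(mac.replace(":", "")))


def parse_bridge_output(text):
    """Turn the 'Label : value' lines into a dict keyed by label."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_root(output, expected_root_mac):
    """Check the elected root against the bridge an operator intends to be root.

    A root whose MAC is not the expected one means another bridge (a
    mis-set bridge-priority, or a switch that should not be taking part at
    all) has won the election; that is the condition worth alerting on.
    """
    fields = parse_bridge_output(output)
    root_prio, root_ext, root_mac = parse_bridge_id(fields["Root ID"])
    _, _, local_mac = parse_bridge_id(fields["Bridge ID"])
    return {
        "root_mac": root_mac,
        "root_priority": root_prio,
        "root_instance": root_ext,
        "local_is_root": root_mac == local_mac,
        "unexpected_root": root_mac != expected_root_mac.lower(),
    }


if __name__ == "__main__":
    print(audit_root(SAMPLE_BRIDGE_OUTPUT, "00:19:e2:50:51:e0"))
```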
Release Information
Description
Options
Required Privilege Level
view
Output Fields
Table 74 on page 564 lists the output fields for the show spanning-tree interface command. Output fields are listed in the approximate order in which they appear.
Field Description
Interface name
Port ID
Designated port ID: Port ID of the designated port for the LAN segment this interface is attached to.
Designated bridge ID: Bridge ID of the designated bridge for the LAN segment this interface is attached to.
Port Cost
Port State: STP port state. Forwarding (FWD), blocking (BLK), listening, learning, or disabled.
Port Role: MSTP or RSTP port role. Designated (DESG), backup (BKUP), alternate (ALT), or root.
Link type: MSTP or RSTP link type. Shared or point-to-point (pt-pt) and edge or non-edge.
Alternate: Identifies the interface as an MSTP or RSTP alternate root port (yes) or nonalternate root port (no).
Boundary Port: Identifies the interface as an MSTP regional boundary port (yes) or nonboundary port (no).
show spanning-tree interface
Port ID  Designated port ID  Designated bridge ID  Port Cost  State  Role
128:513  128:513             8192.0019e2500340     1000       FWD    DESG
128:515  128:515             8192.0019e2500340     1000       BLK    DIS
128:517  128:517             8192.0019e2500340     1000       FWD    DESG
128:536  128:536             8192.0019e2500340     1000       FWD    DESG

128:513  128:513             8193.0019e2500340     1000       FWD    DESG
128:515  128:515             8193.0019e2500340     1000       BLK    DIS
128:517  128:517             8193.0019e2500340     1000       FWD    DESG
128:536  128:536             8193.0019e2500340     1000       FWD    DESG

128:513  128:1               8194.001b549fd000     1000       FWD    ROOT
128:515  128:515             32770.0019e2500340    4000       BLK    DIS
128:517  128:1               16386.001b54013080    1000       BLK    ALT
128:536  128:536             32770.0019e2500340    1000       FWD    DESG
show spanning-tree interface brief
Interface    Port ID  Designated port ID  Designated bridge ID  Port Cost  State  Role
ge-1/0/0.0   128:625  128:625             32768.0019e25095a0    20000      BLK    DIS
ge-1/0/1.0   128:626  128:626             32768.0019e25095a0    20000      BLK    DIS
ge-1/0/2.0   128:627  128:627             32768.0019e25095a0    20000      BLK    DIS
ge-1/0/10.0  128:635  128:635             32768.0019e25095a0    20000      BLK    DIS
ge-1/0/20.0  128:645  128:645             32768.0019e25095a0    20000      BLK    DIS
ge-1/0/30.0  128:655  128:655             32768.0019e25095a0    20000      BLK    DIS
show spanning-tree interface detail
Interface name        : ge-1/0/0.0
Port identifier       : 128.625
Designated port ID    : 128.625
Port cost             : 20000
Port state            : Blocking
Designated bridge ID  : 32768.00:19:e2:50:95:a0
Port role             : Disabled
Link type             : Pt-Pt/EDGE
Boundary port         : NA

Interface name        : ge-1/0/1.0
Port identifier       : 128.626
Designated port ID    : 128.626
Port cost             : 20000
Port state            : Blocking
Designated bridge ID  : 32768.00:19:e2:50:95:a0
Port role             : Disabled
Link type             : Pt-Pt/NONEDGE
Boundary port         : NA

Interface name        : ge-1/0/2.0
Port identifier       : 128.627
Designated port ID    : 128.627
Port cost             : 20000
Port state            : Blocking
Designated bridge ID  : 32768.00:19:e2:50:95:a0
Port role             : Disabled
Link type             : Pt-Pt/NONEDGE
Boundary port         : NA

Interface name        : ge-1/0/10.0
Port identifier       : 128.635
Designated port ID    : 128.635
Port cost             : 20000
Port state            : Blocking
Designated bridge ID  : 32768.00:19:e2:50:95:a0
Port role             : Disabled
Link type             : Pt-Pt/NONEDGE
Boundary port         : NA

Interface name        : ge-1/0/20.0
Port identifier       : 128.645
Designated port ID    : 128.645
Port cost             : 20000
Port state            : Blocking
Designated bridge ID  : 32768.00:19:e2:50:95:a0
Port role             : Disabled
Link type             : Pt-Pt/NONEDGE
Boundary port         : NA
[output truncated]
show spanning-tree interface ge-1/0/0
Interface   Port ID  Designated port ID  Designated bridge ID  Port Cost  State  Role
ge-1/0/0.0  128:625  128:625             32768.0019e25095a0    20000      BLK    DIS
Release Information
Description
Options
Required Privilege Level
view
Related Topics
show spanning-tree mstp configuration on page 568
Output Fields
Table 75 on page 568 lists the output fields for the show spanning-tree mstp configuration command. Output fields are listed in the approximate order in which they appear.
Field Description
Context identifier
Region name
Revision
Configuration digest
MSTI
Member VLANs
show spanning-tree mstp configuration
MSTI  Member VLANs
0     0-100,105-4094
1     101-102
2     103-104
Release Information
Description
Options
Required Privilege Level
view
Related Topics
show spanning-tree statistics interface on page 569
Output Fields
Table 76 on page 569 lists the output fields for the show spanning-tree statistics command. Output fields are listed in the approximate order in which they appear.
Field Description
BPDUs sent
BPDUs received
Interface
show spanning-tree statistics interface
show vlans
Syntax
show vlans
    <brief | detail | extensive>
    <sort-by (tag | name)>
    <vlan-range-name>
Release Information
Description
NOTE: When a series of VLANs is created using the vlan-range statement, such VLAN names are prefixed and suffixed with a double underscore. For example, a series of VLANs using the VLAN range 1-3 and the base VLAN name marketing would be displayed as __marketing_1__, __marketing_2__, and __marketing_3__.
Options
VLAN names.
vlan-range-name: (Optional) Display VLANs in ascending order of VLAN-range names.
Required Privilege Level
view
Related Topics
Output Fields
Table 77 on page 891 lists the output fields for the show vlans command. Output fields are listed in the approximate order in which they appear.
Field Description (Level of Output)
Name: Name of a VLAN. (none, brief)
Tag: The 802.1Q tag applied to this VLAN. If none is displayed, no tag is applied. (All levels)
Interfaces (All levels)
Address: The IP address. (none, brief)
The number of interfaces associated with a VLAN. The Active column indicates interfaces that are UP, and the Total column indicates interfaces that are active and inactive. (brief)
VLAN: Name of a VLAN. (detail, extensive)
Admin state (detail, extensive)
enabled: The interface is turned on, and the physical link is operational and (detail, extensive)
Primary IP (detail)
Number of interfaces: The number of interfaces associated with a VLAN. Both the total number of interfaces and the number of active interfaces associated with a VLAN are displayed. (detail, extensive)
STP (detail, extensive)
RTG (detail, extensive)
Tagged interfaces (detail, extensive)
Untagged interfaces (detail, extensive)
Internal Index (extensive)
Origin: The manner in which the VLAN was created. Values are static or learn. (extensive)
Protocol (extensive)
IP addresses (extensive)
Number of MAC entries (extensive)
show vlans
user@switch> show vlans
Name     Tag   Interfaces
default  None  ge-0/0/34.0, ge-0/0/33.0, ge-0/0/32.0, ge-0/0/31.0,
               ge-0/0/30.0, ge-0/0/29.0, ge-0/0/28.0, ge-0/0/27.0,
               ge-0/0/26.0, ge-0/0/25.0, ge-0/0/19.0, ge-0/0/18.0,
               ge-0/0/17.0, ge-0/0/16.0, ge-0/0/15.0, ge-0/0/14.0,
               ge-0/0/13.0, ge-0/0/11.0, ge-0/0/9.0, ge-0/0/8.0,
               ge-0/0/3.0, ge-0/0/2.0, ge-0/0/1.0

Name     Tag   Address  Ports Active/Total
default  None           0/23
v0001    1              0/4
v0002    2              0/0
v0003    3              0/0
v0004    4              0/0
v0005    5              0/0
         6              0/0
         7              0/0
         8              0/0
         9              0/0
         10             0/2
         11             0/0
         12             0/0
         13             0/0
         14             0/0
         15             0/0
         16             0/0

Name           Tag  Interfaces
__vlan-x_12__  12   None
__vlan-x_13__  13   None
__vlan-x_14__  14   None
__vlan-x_15__  15   None
__vlan-x_16__  16   None
__vlan-x_17__  17   None
__vlan-x_18__  18   None
__vlan-x_19__  19   None
__vlan-x_20__  20   None

Name              Tag  Interfaces
__employee_120__  120  ge-0/0/22.0*
__employee_121__  121  ge-0/0/22.0*
__employee_122__  122  ge-0/0/22.0*
__employee_123__  123  ge-0/0/22.0*
__employee_124__  124  ge-0/0/22.0*
__employee_125__  125  ge-0/0/22.0*
__employee_126__  126  ge-0/0/22.0*
__employee_127__  127  ge-0/0/22.0*
__employee_128__  128  ge-0/0/22.0*
__employee_129__  129  ge-0/0/22.0*
__employee_130__  130  ge-0/0/22.0*

Name              Tag  Interfaces
__employee_120__  120  ge-0/0/22.0*
__employee_121__  121  ge-0/0/22.0*
__employee_122__  122  ge-0/0/22.0*
__employee_123__  123  ge-0/0/22.0*
__employee_124__  124  ge-0/0/22.0*
__employee_125__  125  ge-0/0/22.0*
__employee_126__  126  ge-0/0/22.0*
__employee_127__  127  ge-0/0/22.0*
__employee_128__  128  ge-0/0/22.0*
__employee_129__  129  ge-0/0/22.0*
__employee_130__  130  ge-0/0/22.0*
Part 9
Layer 3 Protocols
Chapter 37
For information about configuring DHCP services with the CLI, see the JUNOS Software System Basics Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html.
NOTE: Because DHCP/BOOTP messages are broadcast and are not directed to a specific server, switch, or router, EX-series switches cannot function as both a DHCP server and a DHCP/BOOTP relay agent at the same time. JUNOS software generates a commit error if both options are configured at the same time, and the commit will not succeed until one of the options is removed.
Related Topics
For information about configuring the switch as a DHCP/BOOTP relay agent, see the JUNOS Software Policy Framework Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos91/index.html.
For IGMPv2, see RFC 2236, Internet Group Management Protocol, Version 2 at http://www.faqs.org/rfcs/rfc2236.html
How IGMP Snooping Works with Routed VLAN Interfaces on page 582
A bridge multicast ID is assigned to direct Layer 3 interfaces and to RVIs. For VLANs
that include multicast receivers, the bridge multicast ID includes a sub-next-hop ID.
The sub-next-hop ID identifies the multicast Layer 2 interfaces in that VLAN that are
interested in receiving the multicast stream. The switch ultimately assigns a next-hop
after it does a route lookup. The next-hop includes all direct Layer 3 interfaces and
RVIs. The Packet Forwarding Engine then forwards multicast traffic to the bridge
multicast ID that includes all Layer 3 interfaces and RVIs that are multicast receivers
for a given multicast group.
Figure 27 on page 583 shows how multicast traffic is forwarded on a multilayer switch.
In this illustration, multicast traffic is coming in through the xe-0/1/0.0 interface. A
multicast group has been formed by the Layer 3 interface ge-0/0/2.0, vlan.0 and
vlan.1. The ge-2/0/0.0 interface is a common trunk interface that belongs to both
vlan.0 and vlan.1. The letter R next to an interface name in the illustration indicates
that a multicast receiver host is associated with that interface.
NOTE: Traffic sent to an access interface is untagged; traffic sent to a trunk interface
is tagged. For more information on VLAN tagging, see Understanding Bridging and
VLANs on EX-series Switches on page 359.
The following table shows the bridge multicast IDs and next-hops that are created. The term subnh refers to a sub-next-hop. The Packet Forwarding Engine will forward multicast traffic to bridge multicast ID9.
ID Number  Type of Next-Hop  Next Hop     Tag Information
ID1        RHN_UNICAST       ge-0/0/0.0   tag=off
ID2        RHN_UNICAST       ge-2/0/0.0   tag=on
ID3        RHN_FLOOD         [ID1, ID2]
ID4        RHN_UNICAST       ge-0/0/1.0
ID5        RHN_FLOOD         [ID4, ID2]
ID6        RHN_UNICAST       vlan.0       subnh=ID3
ID7        RHN_UNICAST       VLAN.1       subnh=ID5
ID8        RHN_UNICAST       ge-0/0/2.0
ID9        RHN_FLOOD                      tag=off
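To make the table concrete, here is an added Python example, not from the guide, that models the next-hop chain above and expands a bridge multicast ID into the copies the Packet Forwarding Engine emits, following each RVI through its sub-next-hop; it assumes ID4 and ID8 are untagged (the page gives no tag for them) and that ID9's members are the three receivers the text names (ge-0/0/2.0, vlan.0 and vlan.1), which the page does not list.

```python
# Added example (not from the guide): a model of the bridge multicast ID table
# above. RHN_UNICAST entries name one interface or RVI, RHN_FLOOD entries
# name a list of other IDs, and an RVI carries a sub-next-hop (subnh), the
# flood ID for that VLAN's member ports.
NEXT_HOPS = {
    "ID1": {"type": "RHN_UNICAST", "next": "ge-0/0/0.0", "tag": False},
    "ID2": {"type": "RHN_UNICAST", "next": "ge-2/0/0.0", "tag": True},
    "ID3": {"type": "RHN_FLOOD", "next": ["ID1", "ID2"]},
    # The page gives no tag value for ID4 and ID8; assumed untagged (access
    # port and direct Layer 3 interface).
    "ID4": {"type": "RHN_UNICAST", "next": "ge-0/0/1.0", "tag": False},
    "ID5": {"type": "RHN_FLOOD", "next": ["ID4", "ID2"]},
    "ID6": {"type": "RHN_UNICAST", "next": "vlan.0", "subnh": "ID3"},
    "ID7": {"type": "RHN_UNICAST", "next": "vlan.1", "subnh": "ID5"},
    "ID8": {"type": "RHN_UNICAST", "next": "ge-0/0/2.0", "tag": False},
    # The page does not list ID9's members; assumed to be the three receivers
    # the text names: the Layer 3 interface ge-0/0/2.0 and the RVIs vlan.0, vlan.1.
    "ID9": {"type": "RHN_FLOOD", "next": ["ID6", "ID7", "ID8"]},
}


def resolve_egress(nh_id, table=NEXT_HOPS, via_rvi=None, _path=frozenset()):
    """Expand a bridge multicast ID into the (interface, rvi, tagged) copies it emits."""
    if nh_id in _path:
        raise ValueError("next-hop loop through %s" % nh_id)
    path = _path | {nh_id}
    entry = table[nh_id]
    if entry["type"] == "RHN_FLOOD":
        copies = []
        for member in entry["next"]:
            copies.extend(resolve_egress(member, table, via_rvi, path))
        return copies
    if entry["type"] != "RHN_UNICAST":
        raise ValueError("unknown next-hop type %r" % entry["type"])
    if "subnh" in entry:
        # An RVI is not itself an egress port: the packet is re-flooded within
        # that VLAN to the member ports named by the sub-next-hop.
        return resolve_egress(entry["subnh"], table, entry["next"], path)
    return [(entry["next"], via_rvi, entry["tag"])]


def copies_per_interface(copies):
    """Copies each physical interface receives; a trunk in two VLANs gets one per VLAN."""
    counts = {}
    for iface, _, _ in copies:
        counts[iface] = counts.get(iface, 0) + 1
    return counts


if __name__ == "__main__":
    for copy in resolve_egress("ID9"):
        print(copy)
```

The result shows why the trunk ge-2/0/0.0 appears twice: it is a member of both vlan.0 and vlan.1, so the flood through ID9 reaches it once per VLAN, each copy carrying that VLAN's tag.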
Chapter 38
NOTE: When IGMP snooping is enabled on a VLAN, traffic for a given group is flooded
to all member ports until IGMP snooping discovers at least one member of the group
in the given VLAN.
This example describes how to configure IGMP snooping:
Requirements
This example uses the following software and hardware components:
585
Complete Software Guide for JUNOS for EX-series Software, Release 9.2
Settings
Switch hardware
VLAN name
employee-vlan, tag 20
Interfaces in employee-vlan
225.100.100.100
Configuration
To configure basic IGMP snooping on a switch:
CLI Quick Configuration
To quickly configure IGMP snooping, copy the following commands and paste them
into the switch terminal window:
[edit protocols]
set igmp-snooping vlan employee-vlan
set igmp-snooping vlan employee-vlan immediate-leave
set igmp-snooping vlan employee-vlan interface ge-0/0/3 static group 225.100.100.100
set igmp-snooping vlan employee-vlan interface ge-0/0/2 multicast-router-interface
set igmp-snooping vlan employee-vlan query-interval 60
Step-by-Step Procedure
8. Change the number of timeout intervals the switch waits before timing out a
multicast group to 4:
[edit protocols]
user@switch# set igmp-snooping vlan employee-vlan robust-count 4
NOTE: To configure BGP sessions, a license must be installed on the EX-series switch.
To configure a BGP peering session:
BGP configuration page fields (Function / Your Action):
Router Identification
  Router Identifier (required)
BGP
  Enable BGP
  Autonomous System Number
  Peer Autonomous System Number
  Peer Address
  Local Address
1. Select Configure>Services>DHCP.
2. To configure a DHCP pool for a subnet, click Add in the DHCP Pools box.
   To configure a static binding for a DHCP client, click Add in the DHCP Static
   Binding box.
   To globally configure settings for existing DHCP pools and static bindings,
   click Configure Global DHCP Parameters.
DHCP configuration page fields (Function / Your Action):
  Exclude Addresses
  Lease Time
  Server Identifier
  Domain Name
  Domain Search
  Server Information
  Gateway Routers
  WINS Servers
  Boot Options
  Boot File
  Boot Server
  Fixed IP Addresses (required)
  Host Name
  Client Identifier
  Hexadecimal Client Identifier
NOTE: When IGMP snooping is enabled on a VLAN, traffic for a given group is flooded
to all member ports until IGMP snooping discovers at least one member of the group
in the given VLAN.
To enable IGMP snooping and configure individual options as needed for your network
by using the CLI:
8. Change the number of timeout intervals the switch waits before timing out a
multicast group to 4:
[edit protocols]
user@switch# set igmp-snooping vlan employee-vlan robust-count 4
2. Enter information into the Configuration Routing page for OSPF, as described
in Table 81 on page 594.
Table 81 (Function / Your Action):
Router Identification
  Router Identifier (required)
OSPF
  Enable OSPF
  OSPF Area ID
  Area Type: Select the type of OSPF area you are creating from the list.
  OSPF-Enabled Interfaces: The first time you configure OSPF, the Logical Interfaces
  box displays a list of all the logical interfaces configured on the switch. Do any of:
    To enable OSPF on multiple interfaces at once, press Ctrl while you click
    multiple interface names to highlight them. Then click the left arrow to add
    the interfaces to the OSPF interfaces list.
    To enable OSPF on all logical interfaces except the special me0 management
    interface, select All Interfaces in the Logical Interfaces list and click the
    left arrow.
    To enable OSPF on all the interfaces displayed in the Logical Interfaces list,
    click All to highlight every interface. Then click the left arrow to add the
    interfaces to the OSPF interfaces list.
1. In the J-Web user interface, select Configure>Routing>RIP Routing.
RIP configuration page fields (Function / Your Action):
RIP
  Enable RIP
  RIP-Enabled Interfaces
1. Select Configure>Services>SNMP.
SNMP configuration page fields (Function / Your Action):
Identification
  Contact Information
  System Description
  Local Engine ID
  System Override Name
Communities
  To add a community, click Add.
  Community Name
  Authorization
Traps
  To add a trap group, click Add.
  Trap Group Name
  Categories
    2. Click Add.
  Targets
Health Monitoring
  Enable Health Monitoring
  Interval
  Rising Threshold
When the switch does not have a route to a destination that has a better (lower)
preference value. The preference is an arbitrary value in the range from 0 through
255 that the software uses to rank routes received from different protocols,
interfaces, or remote systems. The routing protocol process generally determines
the active route by selecting the route with the lowest preference value. In the
given range, 0 is the lowest and 255 is the highest.
To configure a static route and specify the next address to be used when routing
traffic to the static route:
[edit]
user@switch# set routing-options static route 20.0.0.0/24 next-hop 10.0.0.2.1
2. Enter information into the routing page, as described in Table 84 on page 601.
Table 84 (Function / Your Action):
Default Route
  Default Route
Static Routes
  Static Routes
    2. Click Add.
  Next-Hop Addresses
Meaning
Table 85 on page 603 summarizes key output fields in the BGP routing display.
Table 85 (Values / Additional Information):
BGP Summary
  Total Groups
  Total Peers
  Down Peers
  Peer
  InPkt
  OutPkt
  Flaps
  Last Up/Down
  State
BGP Neighbors
  Peer Address
  Autonomous System
  Type
  State
  to become complete.
  Import
  Number of flaps
A switch can operate as a DHCP server. When it is a DHCP server, use the monitoring
functionality to view information about dynamic and static DHCP leases, conflicts,
pools, and statistics.
Action
To monitor the DHCP server in the J-Web interface, select Monitor>Services>DHCP.
To monitor the DHCP server in the CLI, enter the following CLI commands:
Meaning
Output fields (Values / Additional Information):
DHCP Leases
  Allocated Address
  MAC Address
  Binding Type
  Lease Expires
DHCP Conflicts
  Detection Time
  Detection Method
  Address
DHCP Pools
  Pool Name
  Low Address
  High Address
  Excluded Addresses
DHCP Statistics
  Default lease time
  Minimum lease time
  Maximum lease time
  Packets dropped
  Messages received
  Messages sent
Meaning
Table 87 on page 607 summarizes key output fields in the OSPF routing display.
Table 87 (Values / Additional Information):
OSPF Neighbors
  Address
  Interface Name
  State
  ID: ID of the neighbor.
  Priority
OSPF Interfaces
  Interface
  State
  Area
  DR ID
  BDR ID
  Neighbors
  Adjacency Count
  Stub Type
  Passive Mode
  Authentication Type
  Interface Address
  Address Mask
  MTU
  Interface Cost: The path cost used to calculate the root path cost from any given
  LAN segment is determined by the total cost of each link in the path.
  Hello Interval
  Dead Interval
  Retransmit Interval
OSPF Statistics
  Packet Type
  Packets Sent
  Packets Received
  Depth of flood Queue
  Total Retransmits
  Total Database Summaries
Meaning
Table 88 on page 609 summarizes key output fields in the RIP routing display.
Table 88 (Values / Additional Information):
RIP Statistics
  RIP Protocol Name
  RIP Port
  Hold Down
  Routes Learned
  Routes Held Down
  Requests Dropped
  Responses Dropped
RIP Neighbors
  Neighbor
  State
  Source Address
  Destination Address: Destination address.
  Send Mode
  Receive Mode
  In Metric
Meaning
Table 89 on page 610 summarizes key output fields in the routing information display.
Table 89 (Values / Additional Information):
  n destinations
  n routes
  Protocol/Preference
  Age
  State
  AS Path: I: IGP. E: EGP.
igmp-snooping {
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag (detail | disable | receive | send);
    }
    vlan (vlan-id | vlan-name) {
        disable {
            interface interface-name;
        }
        immediate-leave;
        interface interface-name {
            multicast-router-interface;
            static {
                group ip-address;
            }
        }
        query-interval seconds;
        query-last-member-interval seconds;
        query-response-interval seconds;
        robust-count number;
    }
}
lldp {
    disable;
    advertisement-interval seconds;
    hold-multiplier number;
    interface (all | interface-name) {
        disable;
    }
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag (detail | disable | receive | send);
    }
    transmit-delay seconds;
}
lldp-med {
    disable;
    fast-start number;
    interface (all | interface-name) {
        disable;
        location {
            elin number;
            civic-based {
                what number;
                country-code code;
                ca-type {
                    number {
                        ca-value value;
                    }
                }
            }
        }
    }
}
mstp {
    disable;
    bpdu-block-on-edge;
    bridge-priority priority;
    configuration-name name;
    forward-delay seconds;
    hello-time seconds;
    interface (all | interface-name) {
        disable;
        bpdu-timeout-action {
            block;
            alarm;
        }
        cost cost;
        edge;
        mode mode;
        no-root-port;
        priority priority;
    }
    max-age seconds;
    max-hops hops;
    msti msti-id {
        vlan (vlan-id | vlan-name);
        interface interface-name {
            disable;
            cost cost;
            edge;
            mode mode;
            priority priority;
        }
    }
    revision-level revision-level;
    traceoptions {
        file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
        flag flag;
    }
}
rstp {
    disable;
    bpdu-block-on-edge;
    bridge-priority priority;
    forward-delay seconds;
    hello-time seconds;
    interface (all | interface-name) {
        disable;
        bpdu-timeout-action {
            block;
            alarm;
        }
        cost cost;
        edge;
        mode mode;
        no-root-port;
        priority priority;
    }
    max-age seconds;
    traceoptions {
        file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
        flag flag;
    }
}
stp {
    disable;
    bridge-priority priority;
    forward-delay seconds;
    hello-time seconds;
    interface (all | interface-name) {
        disable;
        bpdu-timeout-action {
            block;
            alarm;
        }
        cost cost;
        edge;
        mode mode;
        no-root-port;
        priority priority;
    }
    max-age seconds;
    traceoptions {
        file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
        flag flag;
    }
}
disable
Syntax
disable {
    interface interface-name;
}
Hierarchy Level
[edit protocols igmp-snooping vlan vlan-id | vlan-name]
Default
If you do not specify an interface, all interfaces in the given VLAN are disabled.
group
Syntax
group ip-address;
Hierarchy Level
[edit protocols igmp-snooping vlan vlan-id | vlan-name interface interface-name static]
Default
None.
igmp-snooping
Syntax
igmp-snooping {
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag (detail | disable | receive | send);
    }
    vlan vlan-id | vlan-name {
        disable {
            interface interface-name;
        }
        immediate-leave;
        interface interface-name {
            multicast-router-interface;
            static {
                group ip-address;
            }
        }
        query-interval seconds;
        query-last-member-interval seconds;
        query-response-interval seconds;
        robust-count number;
    }
}
Hierarchy Level
[edit protocols]
immediate-leave
Syntax
immediate-leave;
Hierarchy Level
[edit protocols igmp-snooping vlan vlan-id | vlan-name]
NOTE: When configuring this statement, ensure that the IGMP interface has only
one IGMP host connected. If more than one IGMPv2 host is connected to the switch
through the same interface and one of the hosts sends a leave message, the switch
removes all hosts on the interface from the multicast group. The switch loses contact
with the hosts in the multicast group that did not send a leave message until they
send join requests in response to the next general multicast listener query from the
router.
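The following model, added here as an illustration and not part of JUNOS or this guide, ties together the flood-until-member rule from the IGMP snooping configuration example, the static group and multicast-router-interface statements, the robust-count timeout, and the immediate-leave caveat in the NOTE above. Port names, group addresses and timestamps are constructed; the membership timeout is assumed to follow the standard IGMP group-membership interval (robust-count times query-interval, plus query-response-interval), and a leave without immediate-leave is simplified to keeping the port for one query-last-member-interval.

```python
"""Model of IGMP snooping on one VLAN (added example, not JUNOS code).
Assumed: membership timeout = robust_count * query_interval +
query_response_interval; all names and times below are constructed."""
from dataclasses import dataclass, field


@dataclass
class VlanSnooping:
    ports: set                                       # every member port of the VLAN
    mrouter_ports: set = field(default_factory=set)  # multicast-router-interface ports
    immediate_leave: bool = False
    query_interval: int = 125                        # JUNOS default (seconds)
    query_response_interval: int = 10                # JUNOS default
    query_last_member_interval: int = 1              # JUNOS default
    robust_count: int = 2                            # JUNOS range is 2 through 10
    # group -> {port: expiry time}; None marks a static entry that never ages out
    groups: dict = field(default_factory=dict)

    def membership_timeout(self) -> int:
        return self.robust_count * self.query_interval + self.query_response_interval

    def add_static(self, group: str, port: str) -> None:
        """Equivalent of 'interface <port> static group <group>'."""
        self.groups.setdefault(group, {})[port] = None

    def report(self, group: str, port: str, now: int) -> None:
        """A membership report (join) was snooped on port: start or refresh its timer."""
        self.groups.setdefault(group, {})[port] = now + self.membership_timeout()

    def leave(self, group: str, port: str, now: int) -> None:
        """A leave was snooped on port."""
        members = self.groups.get(group, {})
        if port not in members or members[port] is None:
            return                       # unknown or static entry: nothing to do
        if self.immediate_leave:
            # The port is pruned at once. Every other host behind the same port
            # loses the group until it answers the next general query (the NOTE).
            del members[port]
        else:
            # Without immediate-leave the switch sends a group-specific query and
            # keeps the port only for the last-member interval (simplified here).
            members[port] = now + self.query_last_member_interval

    def expire(self, now: int) -> None:
        """Age out dynamic entries whose timer has run down."""
        for members in self.groups.values():
            for port in [p for p, t in members.items() if t is not None and t <= now]:
                del members[port]

    def egress_ports(self, group: str, ingress: str) -> set:
        """Ports that receive a frame for group that arrived on ingress."""
        members = set(self.groups.get(group, {}))
        if not members:
            targets = set(self.ports)            # no member known yet: flood the VLAN
        else:
            targets = members | self.mrouter_ports   # members plus router-facing ports
        return targets - {ingress}


def walkthrough() -> list:
    """Reproduce the configuration example: static member on ge-0/0/3, router on ge-0/0/2."""
    v = VlanSnooping(ports={"ge-0/0/0.0", "ge-0/0/1.0", "ge-0/0/2.0", "ge-0/0/3.0"},
                     mrouter_ports={"ge-0/0/2.0"}, query_interval=60, robust_count=4)
    g = "225.100.100.100"
    steps = [sorted(v.egress_ports(g, "ge-0/0/2.0"))]   # flooded: no member yet
    v.add_static(g, "ge-0/0/3.0")
    steps.append(sorted(v.egress_ports(g, "ge-0/0/2.0")))  # pruned to the static member
    v.report(g, "ge-0/0/1.0", now=0)
    steps.append(sorted(v.egress_ports(g, "ge-0/0/2.0")))  # dynamic member added
    return steps
```

The walkthrough returns the egress set at each stage; with the example's query-interval of 60 and robust-count of 4, a dynamic member that stops answering queries is removed after 250 seconds.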
interface
Syntax
interface interface-name {
    multicast-router-interface;
    static {
        group ip-address;
    }
}
Hierarchy Level
[edit protocols igmp-snooping vlan vlan-id | vlan-name]
Default
None.
multicast-router-interface
Syntax
multicast-router-interface;
Hierarchy Level
[edit protocols igmp-snooping vlan vlan-id | vlan-name interface interface-name]
query-interval
Syntax
query-interval seconds;
Hierarchy Level
[edit protocols igmp-snooping vlan vlan-id | vlan-name]
Default
125 seconds.
query-last-member-interval
Syntax
query-last-member-interval seconds;
Hierarchy Level
[edit protocols igmp-snooping vlan vlan-id | vlan-name]
Default
1 second.
query-response-interval
Syntax
query-response-interval seconds;
Hierarchy Level
[edit protocols igmp-snooping vlan vlan-id | vlan-name]
Default
10 seconds.
robust-count
Syntax
robust-count number;
Hierarchy Level
[edit protocols igmp-snooping vlan vlan-id | vlan-name]
Options
number: Number of intervals the switch waits before timing out a multicast group.
Range: 2 through 10
traceoptions
Syntax
traceoptions {
    file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
    flag flag (detail | disable | receive | send);
}
Hierarchy Level
[edit protocols igmp-snooping]
Options
file filename: Name of the file to receive the output of the tracing operation. Enclose
the name within quotation marks. All files are placed in the directory /var/log.
files number: (Optional) Maximum number of trace files. When a trace file named
trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1,
and so on, until the maximum number of trace files is reached, at which point the
oldest trace file is overwritten. If you specify a maximum number of files, you also
must specify a maximum file size with the size option.
Range: 2 through 1000
Default: 3 files
flag flag: Tracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. You can include the following flags:
match regex: (Optional) Refine the output to include lines that contain the regular
expression.
no-world-readable: (Optional) Restrict file access to the user who created the file.
size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes
(MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum
size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum
number of trace files is reached. Then the oldest trace file is overwritten. If you
specify a maximum number of files, you also must specify a maximum file size
with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify gigabytes
Range: 10 KB through 1 GB
Default: 128 KB
world-readable: (Optional) Enable unrestricted file access.
vlan
Options
vlan-id: Range: 0 through 4095. Tags 0 and 4095 are reserved by JUNOS software, and
you should not configure them.
vlan-name: Name of a VLAN.
show igmp-snooping membership
Options
interface interface-name: (Optional) Display IGMP snooping information for the
specified interface.
vlan vlan-id | vlan-number: (Optional) Display IGMP snooping information for the
specified VLAN.
Output Fields (field: level of output)
VLAN: All
Interfaces: All
Tag: detail
Router interfaces: detail
Group: All
Receiver count: detail
Flags: IGMP version of the host sending a join message. The IGMP version can be
V1-hosts, V2-hosts, or static. (detail)
timeout: All
List of Sample Output
show igmp-snooping membership
show igmp-snooping membership detail
show igmp-snooping route
Output Fields
Table
VLAN
Group
Next-hop
Sample Output
show igmp-snooping route
show igmp-snooping route vlan v1
VLAN    Group           Next-hop
v12     224.1.1.3, *    534
        Interfaces: ge-0/0/13.0, ge-0/0/0.0
show igmp-snooping statistics
Output Fields
Bad length
Bad checksum
Invalid interface
Receive unknown
Timed out
IGMP Type
Received
Transmitted
Recv Errors
Sample Output
show igmp-snooping statistics
IGMP Type   Received    Transmitted   Recv Errors
            74295       0             0
            18148423    0             16333523
            0           0             0
            0           0             0
show igmp-snooping vlans
Output Fields (field: level of output)
VLAN: All levels
Interfaces: All levels
Groups: All levels
MRouters: All levels
Receivers: All levels
Tag: Detail
vlan-interface: Detail
Membership timeout: Detail
Querier timeout: Detail
Interface: Detail
Reporters: Detail
Sample Output
show igmp-snooping vlans
show igmp-snooping vlans vlan v10
show igmp-snooping vlans vlan v10 detail
Part 10
Configuration Statements for 802.1X, Port Security, and VoIP on page 795
Operational Mode Commands for 802.1X, Port Security, and VoIP on page 865
Chapter 43
Understanding DHCP Snooping for Port Security on EX-series Switches on page 658
Understanding MAC Limiting and MAC Move Limiting for Port Security on
EX-series Switches on page 664
Understanding IP Source Guard for Port Security on EX-series Switches on page 666
single: Authenticates only the first supplicant. All other supplicants who connect
later to the port are allowed full access without any further authentication. They
effectively piggyback on the first supplicant's authentication.
be authenticated individually.
Network access can be further defined using VLANs and Access Control Lists (ACLs).
VLANs and ACLs act as filters to separate and match groups of supplicants to the
areas of the LAN they require.
802.1X does not replace other security technologies. 802.1X works together with
port security features, such as DHCP snooping, Dynamic ARP Inspection (DAI), and
MAC limiting, to guard against DoS attacks and spoofing.
802.1X features on EX-series switches are:
Guest VLAN: Provides limited access to a LAN, typically just to the Internet, for
supplicants that fail 802.1X authentication.
EAP-MD5
EAP-TLS
EAP-TTLS
EAP-PEAP
A LAN network configured for 802.1X authentication contains three basic components:
Supplicant: The IEEE term for a host that requests to join the network. The host
can be responsive or nonresponsive. A responsive host is one on which 802.1X
is enabled and provides authentication credentials; specifically, a username and
password for EAP-MD5, or a username and client certificates for EAP-TLS,
EAP-TTLS, and EAP-PEAP. A nonresponsive host is one on which 802.1X is not
enabled, but can be authenticated using a MAC-based authentication method.
Authenticator Port Access Entity: The IEEE term for the authenticator. The
EX-series switch is the authenticator. It controls access by blocking all traffic
to and from supplicants until they are authenticated.
Figure 28 on page 643 illustrates the basic deployment topology for 802.1X on an
EX-series switch:
The communication protocol between the supplicant and the EX-series switch is
Extensible Authentication Protocol Over LAN (EAPOL). EAPOL is a version of EAP
designed to work with Ethernet networks. The communication protocol between the
authentication server and the switch is RADIUS.
The authentication process requires multiple message exchanges between the
supplicant and the authentication server. The switch that is in between the supplicant
and the authentication server is the authenticator. It acts as an intermediary,
converting EAPOL messages to RADIUS messages and vice versa.
Figure 29 on page 644 illustrates the authentication process:
2. When the switch port (authenticator) detects a new supplicant connecting to the
LAN network, the port on the authenticator is enabled and set to the initialized
state. In this state, only 802.1X traffic is allowed. Other traffic, such as DHCP
and HTTP, is blocked at the data link layer.
3. The authenticator sends a RADIUS access request message to the RADIUS server
to allow the supplicant access to the LAN.
4. The authentication server accepts or rejects the access request. If it accepts the
request, the authentication server sends a RADIUS access challenge. If the
challenge is met by the supplicant, the authenticator sets the port to the
authorized state and normal traffic is then accepted to pass through the port. If
the authentication server rejects the RADIUS access request, the authenticator
sets the port to the unauthorized state, blocking all traffic.
5. When the supplicant disconnects from the network, the supplicant sends an
EAP-logoff message to the authenticator. The authenticator then sets the port to
the unauthorized state, once again blocking all non-EAP traffic.
The 802.1X authentication feature on an EX-series switch is based upon the IEEE
802.1D standard Port-Based Network Access Control.
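The port state machine described in the steps above, written out as an added example (not Juniper code). The switch port relays EAPOL frames from the supplicant to a RADIUS server and back, and only the port's state decides which frames are forwarded. The RADIUS server is a constructed stand-in that answers an Access-Request with Access-Challenge for a known identity and then Access-Accept or Access-Reject; every identity, secret and port name is constructed.

```python
"""802.1X authenticator port model (added example, not Juniper code).
Constructed data: the RadiusStub user table and all frames in demo()."""
from enum import Enum


class PortState(Enum):
    INITIALIZED = "initialized"    # new supplicant seen: only EAPOL passes
    AUTHORIZED = "authorized"      # normal traffic forwarded
    UNAUTHORIZED = "unauthorized"  # everything except EAPOL blocked at layer 2


class RadiusStub:
    """Stand-in authentication server: identity -> secret (constructed)."""

    def __init__(self, users: dict):
        self.users = users

    def access_request(self, identity: str) -> str:
        # Known identity: the server challenges it; unknown: it rejects outright.
        return "Access-Challenge" if identity in self.users else "Access-Reject"

    def challenge_response(self, identity: str, secret: str) -> str:
        return "Access-Accept" if self.users.get(identity) == secret else "Access-Reject"


class AuthenticatorPort:
    """A switch port acting as the 802.1X authenticator (EAPOL <-> RADIUS relay)."""

    def __init__(self, name: str, server: RadiusStub):
        self.name = name
        self.server = server
        self.state = PortState.UNAUTHORIZED
        self.log = []                      # audit trail of state changes

    def permits(self, frame_type: str) -> bool:
        """Data-plane decision: is a frame of this type forwarded on the port?"""
        if self.state is PortState.AUTHORIZED:
            return True
        return frame_type == "EAPOL"       # DHCP, HTTP, ... blocked until authorized

    def supplicant_detected(self) -> None:
        """Step 2: a new supplicant appears, the port is enabled and initialized."""
        self.state = PortState.INITIALIZED
        self.log.append("port enabled, initialized")

    def eapol(self, frame: dict) -> str:
        """Handle one EAPOL frame from the supplicant; return what the port sends back."""
        kind = frame["type"]
        if kind == "EAPOL-Logoff":         # step 5
            self.state = PortState.UNAUTHORIZED
            self.log.append("logoff: port unauthorized")
            return "port unauthorized"
        if self.state is PortState.UNAUTHORIZED:
            return "dropped: port not initialized for this supplicant"
        if kind == "EAP-Response/Identity":   # step 3: EAPOL -> RADIUS Access-Request
            if self.server.access_request(frame["identity"]) == "Access-Challenge":
                return "EAP-Request (challenge relayed to supplicant)"
            return self._reject()
        if kind == "EAP-Response":            # step 4: challenge answered
            if self.server.challenge_response(frame["identity"], frame["secret"]) == "Access-Accept":
                self.state = PortState.AUTHORIZED
                self.log.append("access-accept: port authorized")
                return "EAP-Success"
            return self._reject()
        return "ignored: unknown EAPOL frame type"

    def _reject(self) -> str:
        self.state = PortState.UNAUTHORIZED
        self.log.append("access-reject: port unauthorized")
        return "EAP-Failure"


def demo() -> list:
    """Walk one constructed supplicant through connect, authenticate and logoff."""
    port = AuthenticatorPort("ge-0/0/5", RadiusStub({"alice": "constructed-secret"}))
    port.supplicant_detected()
    port.eapol({"type": "EAP-Response/Identity", "identity": "alice"})
    port.eapol({"type": "EAP-Response", "identity": "alice", "secret": "constructed-secret"})
    port.eapol({"type": "EAPOL-Logoff"})
    return port.log
```

The point the model makes visible is that `permits()` never consults the RADIUS result directly: the only thing the data plane sees is the port state, so a rejected or logged-off supplicant is cut off at layer 2 regardless of what it sends next.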
The supplicant machine does not have supplicant software on it (for example,
the supplicant is a non-responsive host, such as a printer).
For non-responsive hosts, the guest VLAN could allow limited access to a server from
which the non-responsive host can download the supplicant software and attempt
authentication again.
1. A RADIUS accounting server listens for User Datagram Protocol (UDP) packets
on a specific port. For example, on FreeRADIUS, the default port is 1813.
5. If the switch does not receive a response from the server, it continues to send
accounting requests until an accounting response is returned from the accounting
server.
The statistics collected through this process can be displayed from the RADIUS server;
to see those statistics, the user accesses the log file configured to receive them.
Port identifier: The port identification for the specified port in the local system.
System Name: The user configured name of the local system. The system name
software and current image running on the system. This information is not
configurable, but taken from the software.
capabilities that system supports are defined; for example, bridge or router. This
information is not configurable, but based on the model of the product.
Power via MDI: A TLV that advertises MDI power support, PSE power pair, and
physical interface, such as autonegotiation status and support and MAU type.
The information is not configurable, but based on the physical interface structure.
Link Aggregation: A TLV that advertises if the port is aggregated and its aggregated
port ID.
Maximum Frame Size: A TLV that advertises the Maximum Transmission Unit
Port Vlan: A TLV that advertises the VLAN name configured on the interface.
NOTE: If the IP address isn't configured on the Avaya IP phone, the phone sends an
ARP request to the DHCP server and references the VLAN ID for the VLAN on which
it is a member. If the VLAN ID is incorrect, the IP phone's request for an IP address
is denied. To bypass this issue, configure the voip statement on the interface. With
the interface designated as a VoIP interface, the switch can forward the VLAN name
and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses the
voice VLAN (that is, it references the voice VLAN's ID) to make an ARP request and
receive an IP address.
LLDP MED Capabilities: A TLV that advertises the primary function of the port.
Capabilities:
0 Capabilities
1 Network Policy
2 Location Identification
4 Inventory
5-15 Reserved
Device class:
1 Class 1 Device.
2 Class 2 Device.
3 Class 3 Device.
5-255 Reserved.
Network Policy: A TLV that advertises the port VLAN configuration and associated
Layer 2 and Layer 3 attributes. Attributes include the policy identifier, application
types, such as voice or streaming video, 802.1Q VLAN tagging, and 802.1p
priority bits and Diffserv code points.
Endpoint Location: A TLV that advertises the physical location of the endpoint.
Extended Power via MDI: A TLV that advertises the power type, power source,
power priority, and power value of the port. It is the responsibility of the PSE
device (network connectivity device) to advertise the power priority on a port.
If an 802.1X-compatible IP telephone does not have an 802.1X host but has another
802.1X-compatible device connected to its data port, you can connect the phone to
an interface in single-supplicant mode. In single-supplicant mode, the 802.1X process
authenticates only the first supplicant. All other supplicants who connect later to the
interface are allowed full access without any further authentication. They effectively
piggyback on the first supplicant's authentication.
If an IP telephone does not support 802.1X, you can configure VoIP to bypass 802.1X
and LLDP-MED and have the packets forwarded to a VoIP VLAN.
MAC move limiting: Detects MAC movement and MAC spoofing on access ports.
Prevents hosts whose MAC addresses have not been learned by the switch from
accessing the network. You enable this feature on VLANs.
Related Topics
Understanding MAC Limiting and MAC Move Limiting for Port Security on
EX-series Switches on page 664
Understanding IP Source Guard for Port Security on EX-series Switches on page 666
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Understanding How to Protect Access Ports on EX-series Switches from Common Attacks
the attacker can create various types of mischief, including sniffing the packets that
were meant for another host and perpetrating man-in-the-middle attacks. (In a
man-in-the-middle attack, the attacker intercepts messages between two hosts, reads
them, and perhaps alters them, all without the original hosts knowing that their
communications have been compromised.)
To protect against ARP spoofing on your switch, enable both DHCP snooping and
dynamic ARP inspection (DAI). DHCP snooping builds and maintains the DHCP
snooping table. That table contains the MAC addresses, IP addresses, lease times,
binding types, VLAN information, and interface information for the untrusted
interfaces on the switch. DAI uses the information in the DHCP snooping table to
validate ARP packets. Invalid ARP packets are blocked.
See Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725.
Related Topics
Understanding MAC Limiting and MAC Move Limiting for Port Security on
EX-series Switches on page 664
You configure DHCP snooping for each VLAN, not for each interface (port). By default,
DHCP snooping is disabled for all VLANs.
If you move a network device from one VLAN to another, typically the device has to
acquire a new IP address, so its entry in the database, including the VLAN ID, is
updated.
The Ethernet switching process, ESWD, maintains the timeout (lease time) value for
each IP-MAC binding in its database. The lease time is assigned by the DHCP server.
The software reads the DHCP messages to obtain the lease time and deletes the
associated entry from the database when the lease time expires.
If the switch is rebooted, DHCP bindings are lost. The DHCP clients (the network
devices, or hosts) must reacquire the bindings.
For general information about the messages that the DHCP client and DHCP server
exchange during the assignment of an IP address for the client, see the JUNOS Software
System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos92/index.html.
The server is directly connected to the same switch as the one connected to the
DHCP clients (the hosts, or network devices, that are requesting IP addresses
from the server). You must configure the port that connects the server to the
switch as a trusted port.
In both scenarios, the server and clients are members of the same VLAN.
Figure 34 on page 660 shows the DHCP server connected directly to the switch.
Figure 34: DHCP Server Connected to Switch
Lease (seconds)   Type      VLAN       Interface
600               dynamic   employee   ge-0/0/1.0
653               dynamic   employee   ge-0/0/1.0
720               dynamic   employee   ge-0/0/2.0
NOTE: If DHCP leases are sent from a DHCP server that is local (on the switch itself)
or on a VLAN other than the one the DHCP client is on, those entries in the DHCP
snooping table will be incorrect. They might display the interface as unknown (shown
as unknown in the Interface column) or show the lease as unknown or unleased
(both are represented by a dash (-) in the Lease column).
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725
ARP Spoofing
ARP spoofing (also known as ARP poisoning or ARP cache poisoning) is one way to
initiate man-in-the-middle attacks. The attacker sends an ARP packet that spoofs the
MAC address of another device on the LAN. Instead of the switch sending traffic to
the proper network device, it sends it to the device with the spoofed address that is
impersonating the proper device. If the impersonating device is the attacker's
machine, the attacker receives all the traffic from the switch that should have gone
to another device. The result is that trafic from the switch is misdirected and cannot
reach its proper destination.
One type of ARP spoofing is gratuitous ARP, which is when a network device sends
an ARP request to resolve its own IP address. In normal LAN operation, gratuitous
ARP messages indicate that two devices have the same MAC address. They are also
broadcast when a network interface card (NIC) in a device is changed and the device
is rebooted, so that other devices on the LAN update their ARP caches. In malicious
situations, an attacker can poison the ARP cache of a network device by sending an
ARP response to the device that directs all packets destined for a certain IP address
to go to a different MAC address instead.
To prevent MAC spoofing through gratuitous ARP and through other types of spoofing,
EX-series switches examine ARP responses through DAI.
Understanding DHCP Snooping for Port Security on EX-series Switches on page 658
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725
Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches
MAC limiting protects against flooding of the Ethernet switching table (also known
as the MAC forwarding table or Layer 2 forwarding table). You enable this feature
on interfaces (ports). MAC move limiting detects MAC movement and MAC spoofing
on access interfaces. It prevents hosts whose MAC addresses have not been learned
by the switch from accessing the network. You enable this feature on VLANs.
Actions for MAC Limiting and MAC Move Limiting on page 665
MAC Addresses That Exceed the MAC Limit or MAC Move Limit on page 665
MAC Limiting
MAC limiting sets a limit on the number of MAC addresses that can be learned on a
single Layer 2 access interface. JUNOS software provides two MAC limiting methods:
Allowed MAC: You configure specific allowed MAC addresses for the access
interface. Any MAC address that is not in the list of configured addresses is not
learned. Allowed MAC binds MAC addresses to a VLAN so that the address does
not get registered outside the VLAN. If an allowed MAC setting conflicts with a
dynamic MAC setting, the allowed MAC setting takes precedence.
drop: Drop the packet and generate an alarm, an SNMP trap, or a system log entry.
log: Do not drop the packet but generate an alarm, an SNMP trap, or a system log entry.
none: Take no action.
If you do not set an action, then the action is none. You can also explicitly set none
as the action.
See results of these various action settings in Verifying That MAC Limiting Is Working
Correctly on page 790.
If you set a MAC limit to apply to all interfaces on the switch, you can override that
setting for a particular interface by specifying action none. See Setting the none
Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI
Procedure) on page 780.
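The following Python model is an added example and not code from this guide or from JUNOS; it shows how the MAC limiting decisions just described play out on a port: dynamic learning up to mac-limit, the precedence of an allowed-mac list over dynamic learning, and the difference between the drop, log and none actions once the limit is reached. Interface names, MAC addresses and the log text are constructed, and two details the guide does not spell out are modelling assumptions marked in the code (frames from a source outside the allowed-mac list are dropped; with action log the extra address is forwarded but not learned).

```python
"""MAC limiting on an access interface, modelled in Python.

Added example, not Junos code: it simulates how a switch decides whether to
learn a source MAC on a port configured with mac-limit, with an allowed-mac
list, or with both, and which of the actions drop, log and none applies when
the limit is exceeded. Interface names, MAC addresses and the log text are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DROP, LOG, NONE = "drop", "log", "none"   # the three configurable actions


@dataclass
class PortSecurity:
    """Port-security settings for one access interface."""
    mac_limit: Optional[int] = None                        # None: no mac-limit
    action: str = NONE                                     # default action is none
    allowed_macs: Set[str] = field(default_factory=set)    # allowed-mac entries


@dataclass
class AccessPort:
    name: str
    policy: PortSecurity
    learned: Set[str] = field(default_factory=set)         # MACs in the switching table
    log: List[str] = field(default_factory=list)           # syslog / SNMP trap stand-in

    def handle_frame(self, src_mac: str) -> bool:
        """Process one frame; return True if forwarded, False if dropped."""
        mac = src_mac.lower()
        p = self.policy

        # Allowed MAC takes precedence over dynamic learning: a source that is
        # not on the list is never learned. Modelling assumption: its frames
        # are dropped, since the switch holds no entry for them.
        if p.allowed_macs and mac not in p.allowed_macs:
            self.log.append(f"{self.name}: {mac} not in allowed-mac list, dropped")
            return False

        if mac in self.learned:
            return True                                    # known source

        if p.mac_limit is None or len(self.learned) < p.mac_limit:
            self.learned.add(mac)                          # room to learn it
            return True

        # Limit reached: the outcome depends on the configured action.
        if p.action == DROP:
            self.log.append(f"{self.name}: mac-limit {p.mac_limit} exceeded by {mac}, dropped")
            return False
        if p.action == LOG:
            # Forward but raise the alarm. Modelling assumption: the address
            # is not added to the table, so the limit itself still holds.
            self.log.append(f"{self.name}: mac-limit {p.mac_limit} exceeded by {mac}, forwarded")
            return True
        # action none: the limit is not enforced on this port (the override
        # the guide describes for a switch-wide mac-limit).
        self.learned.add(mac)
        return True


def run_scenario() -> Dict[str, Tuple[List[bool], List[str]]]:
    """Replay four constructed frames through four differently configured ports."""
    ports = [
        AccessPort("ge-0/0/1.0", PortSecurity(mac_limit=2, action=DROP)),
        AccessPort("ge-0/0/2.0", PortSecurity(mac_limit=2, action=LOG)),
        AccessPort("ge-0/0/3.0", PortSecurity(mac_limit=4, action=DROP,
                                              allowed_macs={"00:05:85:3a:82:80"})),
        AccessPort("ge-0/0/4.0", PortSecurity(mac_limit=2, action=NONE)),
    ]
    frames = ["00:05:85:3A:82:80", "00:05:85:3A:82:81",
              "00:05:85:3A:82:82", "00:05:85:3A:82:80"]
    results = {}
    for port in ports:
        verdicts = [port.handle_frame(m) for m in frames]
        results[port.name] = (verdicts, port.log)
    return results


if __name__ == "__main__":
    for name, (verdicts, log) in run_scenario().items():
        print(name, verdicts)
        for line in log:
            print("   ", line)
```

Running the module prints one line per port: the third frame is the first new source beyond a limit of 2, so it is dropped on the drop port, forwarded with a log entry on the log port, and silently learned on the none port; on the allowed-mac port only the listed address ever passes.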
MAC Addresses That Exceed the MAC Limit or MAC Move Limit
If you view log messages that indicate the MAC limit or MAC move limit is exceeded,
you can view the offending MAC addresses that have exceeded the limit. See
Troubleshooting Port Security for details.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 729
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 721
Understanding DHCP Snooping for Port Security on EX-series Switches on page 658
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Typical Uses of Other JUNOS Software Features with IP Source Guard on page 667
IP Address Spoofing
Hosts on access interfaces can spoof source IP addresses and/or source MAC addresses
by flooding the switch with packets containing invalid addresses. Such attacks
combined with other techniques such as TCP SYN flood attacks can result in
denial-of-service (DoS) attacks. With source IP address or source MAC address
spoofing, the system administrator cannot identify the source of the attack. The
attacker can spoof addresses on the same subnet or on a different subnet.
IP source guard database (sample output):
IP Address    MAC Address         VLAN      Interface     Tag
10.10.10.7    00:30:48:92:A5:9D   vlan100   ge-0/0/12.0
10.10.10.9    00:30:48:8D:01:3D   vlan100   ge-0/0/13.0
*             *                   voice     ge-0/0/13.0   100
The IP source guard database table contains the VLANs enabled for IP source guard,
the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there
are any, and the IP addresses and MAC addresses that are bound to one another. If
a switch interface is associated with multiple VLANs and some of those VLANs are
enabled for IP source guard and others are not, the VLANs that are not enabled for
IP source guard have a star (*) in the IP Address and MAC Address fields. See the
entry for the voice VLAN in the preceding sample output.
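The Python below is an added example, not code from this guide or from JUNOS, serving both the ARP spoofing / DAI discussion earlier and the IP source guard database just described. It keeps a constructed DHCP snooping binding table shaped like the sample output above (IP, MAC and interface per VLAN), then applies two checks to constructed packets: the DAI check compares an ARP packet's sender IP/MAC pair with the binding on the ingress port, which also catches a gratuitous ARP that carries a foreign MAC; the IP source guard check compares an IP packet's source IP/MAC with the same binding, and passes traffic untouched on a VLAN where the feature is not enabled (the star rows). The protected VLAN set, the trusted interface ge-0/0/8.0 and all addresses are assumptions made for the example.

```python
"""Dynamic ARP inspection (DAI) and IP source guard checked against a DHCP
snooping binding table.

Added example, not Junos code. The binding table, the set of protected VLANs,
the trusted interface and the sample packets are constructed; the functions
show why a spoofed ARP reply, a gratuitous ARP carrying a foreign MAC, or a
spoofed source IP on an untrusted access port is dropped while traffic from
the host that actually holds the lease is forwarded.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Binding = Tuple[str, str, str]   # (ip, mac, interface) learned by DHCP snooping

# Constructed DHCP snooping database, keyed by VLAN name.
BINDINGS: Dict[str, List[Binding]] = {
    "vlan100": [
        ("10.10.10.7", "00:30:48:92:a5:9d", "ge-0/0/12.0"),
        ("10.10.10.9", "00:30:48:8d:01:3d", "ge-0/0/13.0"),
    ],
}
PROTECTED_VLANS = {"vlan100"}        # DAI / IP source guard enabled here only
TRUSTED_INTERFACES = {"ge-0/0/8.0"}  # assumption: the port facing the DHCP server


@dataclass
class ArpPacket:
    interface: str
    vlan: str
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class IpPacket:
    interface: str
    vlan: str
    src_ip: str
    src_mac: str


def lookup(vlan: str, interface: str, ip: str) -> Optional[str]:
    """Return the MAC bound to ip on this VLAN and interface, or None."""
    for b_ip, b_mac, b_if in BINDINGS.get(vlan, []):
        if b_ip == ip and b_if == interface:
            return b_mac
    return None


def dai_verdict(pkt: ArpPacket) -> str:
    """DAI: forward an ARP packet from an untrusted port only if its sender
    IP/MAC pair matches a snooping binding on that port."""
    if pkt.vlan not in PROTECTED_VLANS:
        return "forward (VLAN not inspected)"
    if pkt.interface in TRUSTED_INTERFACES:
        return "forward (trusted port)"
    bound_mac = lookup(pkt.vlan, pkt.interface, pkt.sender_ip)
    if bound_mac is None:
        return "drop (no binding for sender IP on this port)"
    if bound_mac != pkt.sender_mac.lower():
        if pkt.sender_ip == pkt.target_ip:       # gratuitous ARP for its own IP
            return "drop (gratuitous ARP with foreign MAC)"
        return "drop (sender MAC does not match binding)"
    return "forward"


def ipsg_verdict(pkt: IpPacket) -> str:
    """IP source guard: on a protected VLAN, an untrusted port forwards only
    IP packets whose source IP and MAC are bound to that port. VLANs that
    are not protected correspond to the '*' rows of the database output."""
    if pkt.vlan not in PROTECTED_VLANS:
        return "forward (VLAN not enabled for IP source guard)"
    if pkt.interface in TRUSTED_INTERFACES:
        return "forward (trusted port)"
    if lookup(pkt.vlan, pkt.interface, pkt.src_ip) == pkt.src_mac.lower():
        return "forward"
    return "drop (source IP/MAC not bound to this port)"


def run_scenarios() -> Dict[str, str]:
    """Constructed traffic: the legitimate lease holders and three spoofs."""
    return {
        "arp legit": dai_verdict(ArpPacket("ge-0/0/12.0", "vlan100",
                                           "10.10.10.7", "00:30:48:92:A5:9D", "10.10.10.1")),
        "arp spoof": dai_verdict(ArpPacket("ge-0/0/13.0", "vlan100",
                                           "10.10.10.7", "00:30:48:8d:01:3d", "10.10.10.1")),
        "arp garp": dai_verdict(ArpPacket("ge-0/0/13.0", "vlan100",
                                          "10.10.10.9", "00:11:22:33:44:55", "10.10.10.9")),
        "ip legit": ipsg_verdict(IpPacket("ge-0/0/12.0", "vlan100",
                                          "10.10.10.7", "00:30:48:92:a5:9d")),
        "ip spoof": ipsg_verdict(IpPacket("ge-0/0/12.0", "vlan100",
                                          "10.10.10.99", "00:30:48:92:a5:9d")),
        "ip voice": ipsg_verdict(IpPacket("ge-0/0/13.0", "voice",
                                          "192.0.2.5", "00:aa:bb:cc:dd:ee")),
    }


if __name__ == "__main__":
    for label, verdict in run_scenarios().items():
        print(f"{label:10} -> {verdict}")
```

The two verdict functions deliberately share one lookup so that the same binding table drives both protections: a host that never obtained a lease on its port has no binding, and the switch cannot distinguish it from an address it made up.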
NOTE: The 802.1X user authentication is applied in one of three modes: single
supplicant, single-secure supplicant, or multiple supplicant. Single supplicant mode
works with IP source guard, but single-secure and multiple supplicant modes do not.
Related Topics
Understanding DHCP Snooping for Port Security on EX-series Switches on page 658
Chapter 44
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 721
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 729
Requirements
This example uses the following hardware and software components:
One EX 4200 switch acting as an authenticator port access entity (PAE). The
ports on the authenticator PAE form a control gate that blocks all traffic to and
from supplicants until they are authenticated.
Before you connect the server to the switch, be sure you have:
Installed your EX-series switch. See Installing and Connecting an EX-series Switch.
Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.
Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369.
Figure 35 on page 672 shows one EX 4200 switch that is connected to the devices
listed in Table 94 on page 673.
Property          Settings
Switch hardware   EX 4200 access switch, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
VLAN name         default
In this example, connect the RADIUS server to access port ge-0/0/10 on the EX 4200
switch. The switch acts as the authenticator and forwards credentials from the
supplicant to the user database on the RADIUS server. You must configure connectivity
between the EX 4200 and the RADIUS server by specifying the address of the server
and configuring the secret password. This information is configured in an access
profile on the switch.
Configuration
CLI Quick Configuration
To quickly connect the RADIUS server to the switch, copy the following commands
and paste them into the switch terminal window:
[edit]
set access radius-server 10.0.0.100 secret juniper
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.0.0.100 10.2.14.200
Step-by-Step Procedure
Define the address of the server, and configure the secret password. The secret
password on the switch must match the secret password on the server:
[edit access]
user@switch# set radius-server 10.0.0.100 secret juniper
2.
3.
Results
Verification
To confirm that the configuration is working properly, perform these tasks:
Verify That the Switch and RADIUS Server are Properly Connected on page 674
Verify That the Switch and RADIUS Server are Properly Connected
Purpose
Verify that the RADIUS server is connected to the switch on the specified port.
Action
Ping the RADIUS server to verify the connection between the switch and the server:
user@switch> ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100): 56 data bytes
64 bytes from 10.93.15.218: icmp_seq=0 ttl=64 time=9.734 ms
64 bytes from 10.93.15.218: icmp_seq=1 ttl=64 time=0.228 ms
Meaning
ICMP echo request packets are sent from the switch to the target server at 10.0.0.100
to test whether it is reachable across the IP network. ICMP echo responses are being
returned from the server, verifying that the switch and the server are connected.
Related Topics
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch
Requirements
This example uses the following hardware and software components:
Installed your EX-series switch. See Installing and Connecting an EX-series Switch.
Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.
Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369.
is used to provide Internet access to visitors to a corporate site. However, you can
also use the guest VLAN feature to provide supplicants that fail 802.1X authentication
to a corporate LAN with access to a VLAN with limited resources.
Figure 36 on page 677 shows the conference room connected to the switch at interface
ge-0/0/1.
Settings
Switch hardware
In this example, access interface ge-0/0/1 provides LAN connectivity in the conference
room. Configure this access interface to provide LAN connectivity to visitors in the
conference room who are not authenticated by the corporate VLAN.
To quickly configure a guest VLAN, with 802.1X authentication, copy the following
commands and paste them into the switch terminal window:
[edit]
set vlans guest-vlan vlan-id 300
set protocols dot1x authenticator interface all guest-vlan guest-vlan
Step-by-Step Procedure
2.
Results
guest-vlan;
}
}
}
}
}
}
vlans {
guest-vlan {
vlan-id 300;
}
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Action
Verify that the guest VLAN is created and that an interface has failed authentication
and been moved to the guest VLAN.
Use the operational mode commands:
user@switch> show vlans
Name        Tag    Interfaces
default            ge-0/0/3.0*
dynamic     40     None
guest       30     None
guestvlan   300    ge-0/0/1.0*
vlan_dyn           None
user@switch> show dot1x interface ge-0/0/1.0 detail
ge-0/0/1.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Guest VLAN membership: guest-vlan
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Supplicant: user1, 00:00:00:00:13:23
Operational state: Authenticated
Reauthentication due in 3307 seconds
Meaning
The output from the show vlans command shows guest-vlan as the name of the
VLAN and the VLAN ID as 300.
The output from the show dot1x interface ge-0/0/1.0 detail command displays the
Guest VLAN membership field, indicating that a supplicant at this interface failed
802.1X authentication and was passed through to the guest-vlan.
Related Topics
Requirements
This example uses the following hardware and software components:
One EX 4200 switch acting as an authenticator port access entity (PAE). The
ports on the authenticator PAE form a control gate that blocks all traffic to and
from supplicants until they are authenticated.
One RADIUS authentication server. The authentication server acts as the backend
database and contains credential information for hosts (supplicants) that have
permission to connect to the network.
Configured basic access between the EX-series switch and the RADIUS server.
See Connecting and Configuring the EX-series Switch (J-Web
Procedure) on page 58.
Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369.
The interfaces shown in Table 96 on page 683 will be configured for static MAC
authentication.
Settings
Switch hardware
VLAN name
default
The printer with the MAC address 00:04:0f:fd:ac:fe is connected to access interface
ge-0/0/19. A second printer with the MAC address 00:04:ae:cd:23:5f is connected
to access interface ge-0/0/20. Both printers will be added to the static list and bypass
802.1X authentication.
Configuration
To configure static MAC authentication, perform these tasks:
To quickly configure static MAC authentication, copy the following commands and
paste them into the switch terminal window:
[edit]
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]
set protocols dot1x interface all supplicant multiple
Step-by-Step Procedure
Configure the authentication profile name (access profile name) to use for
authentication:
[edit protocols]
user@switch# set dot1x authenticator authentication-profile-name profile1
2.
3.
Results
Verification
To confirm that the configuration is working properly, perform these tasks:
Action
Verify that the MAC address for both printers is configured and associated with the
correct interfaces.
Use the operational mode command:
user@switch> show dot1x static-mac-address
MAC address         VLAN-Assignment   Interface
00:04:0f:fd:ac:fe   default           ge-0/0/19.0
00:04:ae:cd:23:5f   default           ge-0/0/20.0
Meaning
The output field MAC address shows the MAC addresses of the two printers.
The output field Interface shows that the MAC address 00:04:0f:fd:ac:fe can connect
to the LAN through interface ge-0/0/19.0 and that the MAC address 00:04:ae:cd:23:5f
can connect to the LAN through interface ge-0/0/20.0.
Related Topics
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch
This example configures an EX-series 4200 switch to use IEEE 802.1X to authenticate
supplicants that use three different administrative modes:
Authenticate the first host (supplicant) on an authenticator port, and allow all
others also connecting to have access.
Requirements
This example uses the following hardware and software components:
One EX-series 4200 switch acting as an authenticator port access entity (PAE).
The ports on the authenticator PAE form a control gate that blocks all traffic to
and from supplicants until they are authenticated.
Before you configure the ports for 802.1X authentication, be sure you have:
Installed your EX-series switch. See Installing and Connecting an EX-series Switch.
Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.
Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369.
Settings
Switch hardware
Configure access port ge-0/0/9 for single secure supplicant mode authentication.
Single supplicant mode authenticates only the first supplicant that connects to an
authenticator port. All other supplicants connecting to the authenticator port after
the first supplicant has connected successfully, whether they are 802.1X-enabled or
not, are permitted free access to the port without further authentication. If the first
authenticated supplicant logs out, all other supplicants are locked out until a supplicant
authenticates.
Single-secure supplicant mode authenticates only one supplicant to connect to an
authenticator port. No other supplicant can connect to the authenticator port until
the first supplicant logs out.
Multiple supplicant mode authenticates multiple supplicants individually on one
authenticator port. If you configure a maximum number of devices that can be
connected to a port through port security, the lesser of the configured values is used
to determine the maximum number of supplicants allowed per port.
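The three administrative modes above, modelled in Python as an added example (not code from this guide or from JUNOS). A small AuthenticatorPort class admits or refuses hosts according to the mode: in single mode only the first host is authenticated and everyone after it rides on that session until it logs out; in single-secure mode a second host is refused while the first is authenticated; in multiple mode each host authenticates on its own up to a limit. The RADIUS back end is replaced by a constructed set of accepted credentials, a single mac_limit stands in for the lesser of the 802.1X and port-security limits, and port names and MAC addresses are made up.

```python
"""802.1X administrative modes on an authenticator port, modelled in Python.

Added example, not Junos code: a small state model of how a port in single,
single-secure or multiple supplicant mode admits hosts. The authentication
back end is a constructed set of credentials standing in for RADIUS; port
names and MAC addresses are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

SINGLE, SINGLE_SECURE, MULTIPLE = "single", "single-secure", "multiple"

# Constructed stand-in for the user database on the RADIUS server.
ACCEPTED = {("user1", "pass1"), ("user2", "pass2")}


@dataclass
class AuthenticatorPort:
    name: str
    mode: str
    mac_limit: int = 64                                    # assumption: effective device limit
    authenticated: Set[str] = field(default_factory=set)   # MACs that passed 802.1X
    admitted: Set[str] = field(default_factory=set)        # MACs allowed through the gate

    def connect(self, mac: str, user: str = "", password: str = "") -> bool:
        """Return True if the host may use the port after this attempt."""
        if mac in self.admitted:
            return True
        if self.mode == SINGLE:
            # Only the first host is authenticated; after that the port is
            # open to any host, 802.1X-capable or not, until that host logs out.
            if self.authenticated:
                self.admitted.add(mac)
                return True
            return self._authenticate(mac, user, password)
        if self.mode == SINGLE_SECURE:
            # Exactly one authenticated host; all others are refused.
            if self.authenticated:
                return False
            return self._authenticate(mac, user, password)
        # MULTIPLE: every host is authenticated individually, up to the limit.
        if len(self.authenticated) >= self.mac_limit:
            return False
        return self._authenticate(mac, user, password)

    def _authenticate(self, mac: str, user: str, password: str) -> bool:
        """EAP exchange reduced to a credential lookup."""
        if (user, password) in ACCEPTED:
            self.authenticated.add(mac)
            self.admitted.add(mac)
            return True
        return False

    def logout(self, mac: str) -> None:
        """EAPOL-Logoff from an authenticated host."""
        self.authenticated.discard(mac)
        self.admitted.discard(mac)
        if self.mode == SINGLE and not self.authenticated:
            # The gate closes: hosts that rode on the first authentication
            # are locked out until some supplicant authenticates again.
            self.admitted.clear()


def run_scenarios() -> Dict[str, List[bool]]:
    """Constructed connection attempts on one port per mode."""
    out: Dict[str, List[bool]] = {}

    p = AuthenticatorPort("ge-0/0/8.0", SINGLE)
    out[SINGLE] = [
        p.connect("00:00:00:00:00:01", "user1", "pass1"),  # first host authenticates
        p.connect("00:00:00:00:00:02"),                    # no credentials, free access
        p.connect("00:00:00:00:00:03", "bad", "bad"),      # wrong credentials, still free
    ]
    p.logout("00:00:00:00:00:01")
    out[SINGLE].append(p.connect("00:00:00:00:00:02"))     # locked out after logout

    p = AuthenticatorPort("ge-0/0/9.0", SINGLE_SECURE)
    out[SINGLE_SECURE] = [
        p.connect("00:00:00:00:00:01", "user1", "pass1"),  # accepted
        p.connect("00:00:00:00:00:02", "user2", "pass2"),  # refused: port taken
    ]
    p.logout("00:00:00:00:00:01")
    out[SINGLE_SECURE].append(p.connect("00:00:00:00:00:02", "user2", "pass2"))

    p = AuthenticatorPort("ge-0/0/11.0", MULTIPLE, mac_limit=2)
    out[MULTIPLE] = [
        p.connect("00:00:00:00:00:01", "user1", "pass1"),  # accepted
        p.connect("00:00:00:00:00:02", "nobody", "x"),     # its own credentials fail
        p.connect("00:00:00:00:00:03", "user2", "pass2"),  # accepted
        p.connect("00:00:00:00:00:04", "user1", "pass1"),  # refused: limit of 2 reached
    ]
    return out


if __name__ == "__main__":
    for mode, verdicts in run_scenarios().items():
        print(f"{mode:14} {verdicts}")
```

The single-mode trace is the one worth studying from a security standpoint: the second and third hosts never present credentials, and they keep access only as long as the first supplicant stays logged in.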
To quickly configure the ports with different 802.1X authentication modes, copy the
following commands and paste them into the switch terminal window:
[edit]
set protocols dot1x authenticator interface ge-0/0/8 supplicant single
set protocols dot1x authenticator interface ge-0/0/9 supplicant single-secure
set protocols dot1x authenticator interface ge-0/0/11 supplicant multiple
Step-by-Step Procedure
[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/8 supplicant single
2.
3.
Results
Verification
To confirm that the configuration is working properly, perform these tasks:
Action
Meaning
The Supplicant mode output field displays the configured administrative mode for
each interface. Interface ge-0/0/8.0 displays Single supplicant mode. Interface
ge-0/0/9.0 displays Single Secure supplicant mode. Interface ge-0/0/11.0 displays
Multiple supplicant mode.
Related Topics
Requirements
This example uses the following hardware and software components:
One EX 4200 switch acting as an authenticator port access entity (PAE). The
interfaces on the authenticator PAE form a control gate that blocks all traffic to
and from supplicants until they are authenticated.
Installed your EX-series switch. See Installing and Connecting an EX-series Switch.
Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.
Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369.
Configured the RADIUS server for 802.1X authentication and set up the access
profile. See Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch on page 670.
Configured interface ge-0/0/2 for Power over Ethernet (PoE). For information
about configuring PoE, see Configuring PoE (CLI Procedure) on page 1099.
NOTE: The PoE configuration is not necessary if the VoIP supplicant is using a power
adapter.
In this example, you configure VoIP parameters and specify the forwarding class
assured-forward for voice traffic to provide the highest quality of service.
Table 98 on page 693 describes the components used in this VoIP configuration
example.
Table 98: Components of the VoIP Configuration Topology
Property          Settings
Switch hardware   EX 4200 switch
VLAN names        data-vlan, voice-vlan
Interface         ge-0/0/2
Configuration
To configure VoIP, LLDP-MED, and 802.1X authentication:
CLI Quick Configuration
To quickly configure VoIP, LLDP-MED, and 802.1X, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans data-vlan vlan-id 77
set vlans voice-vlan vlan-id 99
set vlans data-vlan interface ge-0/0/2.0
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set ethernet-switching-options voip interface ge-0/0/2.0 vlan voice-vlan
set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding
set protocols lldp-med interface ge-0/0/2.0
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple
Step-by-Step Procedure
2.
3.
4.
5.
6.
NOTE: If you do not want to authenticate any device, skip the 802.1X configuration
on this interface.
[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple
Results
family ethernet-switching {
port-mode access;
vlan {
members data-vlan;
}
}
}
}
}
protocols {
lldp-med {
interface ge-0/0/2.0;
}
dot1x {
authenticator {
interface {
ge-0/0/2.0 {
supplicant multiple;
}
}
}
}
}
vlans {
data-vlan {
vlan-id 77;
interface {
ge-0/0/2.0;
}
}
voice-vlan {
vlan-id 99;
}
}
ethernet-switching-options {
voip {
interface ge-0/0/2.0 {
vlan voice-vlan;
forwarding-class assured-forwarding;
}
}
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Action
user@switch> show lldp detail
: Enabled
: 3 Packet(s)
Interface     LLDP      LLDP-MED   Neighbor count
all           Enabled              0
ge-0/0/2.0              Enabled    0
Interface     VLAN-id   VLAN-name
ge-0/0/0.0    0         default
ge-0/0/1.0    0         employee-vlan
ge-0/0/2.0    0         data-vlan
ge-0/0/2.0    99        voice-vlan
ge-0/0/3.0    0         employee-vlan
ge-0/0/8.0    0         employee-vlan
ge-0/0/10.0   0         default
ge-0/0/11.0   20        employee-vlan
ge-0/0/11.0   0         __juniper-vlan_internal__
ge-0/0/23.0   0         default
Meaning
The show lldp detail output shows that both LLDP and LLDP-MED are configured on
the ge-0/0/2.0 interface. The end of the output shows the list of LLDP basic TLVs,
802.3 TLVs, and LLDP-MED TLVs that are supported.
Action
Display the 802.1X configuration to confirm that the VoIP interface has access to
the LAN.
user@switch> show dot1x interface ge-0/0/2.0 detail
ge-0/0/2.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Meaning
The field Role shows that the ge-0/0/2.0 interface is in the authenticator state. The
Supplicant field shows that the interface is configured in multiple supplicant mode,
permitting multiple supplicants to be authenticated on this interface. The MAC
addresses of the supplicants currently connected are displayed at the bottom of the
output.
Action
Meaning
The field VLAN members shows that the ge-0/0/2.0 interface supports both the
data-vlan VLAN and voice-vlan VLAN. The State field shows that the interface is up.
Related Topics
networks. VoIP transmits voice calls using a network connection instead of an analog
phone line.
To configure VoIP on an EX-series switch to support an IP phone that does not support
802.1X authentication, you must add the MAC address of the phone as a static entry
in the authenticator database.
This example describes how to configure VoIP on an EX-series switch without 802.1X
authentication:
Requirements
This example uses the following hardware and software components:
Installed your EX-series switch. See Installing and Connecting an EX-series Switch.
Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.
Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369.
Configured the RADIUS server for 802.1X authentication and set up the access
profile. See Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch on page 670.
Configured interface ge-0/0/2 for Power over Ethernet (PoE). For information
about configuring PoE, see Configuring PoE (CLI Procedure) on page 1099.
NOTE: The PoE configuration is not necessary if the VoIP supplicant is using a power
adapter.
Overview
Instead of using a regular telephone, you connect an IP telephone directly to the
switch. An IP phone has all the hardware and software needed to handle VoIP. You
also can power an IP telephone by connecting it to one of the Power over Ethernet
(PoE) interfaces on the switch.
In this example, the access interface ge-0/0/2 on the EX 4200 switch is connected
to a non-802.1X IP phone.
To configure VoIP on an EX-series switch to support an IP phone that does not support
802.1X authentication, add the MAC address of the phone as a static entry in the
authenticator database and set the supplicant mode to multiple.
Configuration
To configure VoIP without 802.1X authentication:
CLI Quick Configuration
To quickly configure VoIP, copy the following commands and paste them into the
switch terminal window:
[edit]
set vlans data-vlan vlan-id 77
set vlans voice-vlan vlan-id 99
set vlans data-vlan interface ge-0/0/2.0
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set ethernet-switching-options voip interface ge-0/0/2.0 vlan voice-vlan
set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding
set protocols lldp-med interface ge-0/0/2.0
set protocols dot1x authenticator authentication-profile-name auth-profile
set protocols dot1x authenticator static 00:04:f2:11:aa:a7
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple
Step-by-Step Procedure
2.
3.
4.
5.
[edit protocols]
user@switch# set lldp-med interface ge-0/0/2.0
6.
7.
8.
Results
}
}
vlans {
data-vlan {
vlan-id 77;
interface {
ge-0/0/2.0;
}
}
voice-vlan {
vlan-id 99;
}
}
ethernet-switching-options {
voip {
interface ge-0/0/2.0 {
vlan voice-vlan;
forwarding-class assured-forwarding;
}
}
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Action
user@switch> show lldp detail
: Enabled
: 3 Packet(s)
Interface     LLDP      LLDP-MED   Neighbor count
all           Enabled              0
ge-0/0/2.0              Enabled    0
Interface     VLAN-id   VLAN-name
ge-0/0/0.0    0         default
ge-0/0/1.0    0         employee-vlan
ge-0/0/2.0    0         data-vlan
ge-0/0/2.0    99        voice-vlan
ge-0/0/3.0    0         employee-vlan
ge-0/0/8.0    0         employee-vlan
ge-0/0/10.0   0         default
ge-0/0/11.0   20        employee-vlan
ge-0/0/11.0   0         __juniper-vlan_internal__
ge-0/0/23.0   0         default
Meaning
The show lldp detail output shows that both LLDP and LLDP-MED are configured on
the ge-0/0/2.0 interface. The end of the output shows the list of LLDP basic TLVs,
802.3 TLVs, and LLDP-MED TLVs that are supported.
Action
Display the 802.1X configuration for the desktop PC connected to the VoIP interface
through the IP phone.
user@switch> show dot1x interface ge-0/0/2.0 detail
ge-0/0/2.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Number of connected supplicants: 1
Supplicant: abc, 00:00:00:00:22:22
Operational state: Authenticated
Reauthentication due in 3588 seconds
Meaning
The field Role shows that the ge-0/0/2.0 interface is in the authenticator state. The
Supplicant field shows that the interface is configured in multiple supplicant mode,
permitting multiple supplicants to be authenticated on this interface. The MAC
addresses of the supplicants currently connected are displayed at the bottom of the
output.
Action
Meaning
The field VLAN members shows that the ge-0/0/2.0 interface supports both the
data-vlan VLAN and voice-vlan VLAN. The State field shows that the interface is up.
Related Topics
NOTE: Because this configuration without LLDP-MED requires you to set the port
mode to trunk, 802.1X authentication cannot be enabled.
This example describes how to configure VoIP on an EX-series switch without
LLDP-MED and without 802.1X:
Requirements
This example uses the following hardware and software components:
One EX 4200 switch acting as an authenticator port access entity (PAE). The
interfaces on the authenticator PAE form a control gate that blocks all traffic to
and from supplicants until they are authenticated.
A non-LLDP-MED IP phone.
Installed your EX-series switch. See Installing and Connecting an EX-series Switch.
Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.
Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369.
Configured interface ge-0/0/2 for Power over Ethernet (PoE). See Configuring
PoE (CLI Procedure) on page 1099.
NOTE: The PoE configuration is not necessary if the VoIP supplicant is using a power
adapter.
Overview
Instead of using a regular telephone, you connect an IP telephone directly to the
switch. An IP phone has all the hardware and software needed to handle VoIP. You
also can power an IP telephone by connecting it to one of the Power over Ethernet
(PoE) interfaces on the switch.
To configure VoIP on an EX-series switch to support an IP phone that does not support
LLDP-MED, set the mode of the port (to which you want to connect the IP phone) to
trunk, add the port as a member of the voice VLAN, and configure the data VLAN as
the native VLAN on the EX-series switch. This configuration ensures that the voice
traffic and data traffic do not affect each other.
In this example, the trunk interface ge-0/0/2 on the EX 4200 switch is connected to
a non-LLDP-MED IP phone.
Configuration
To configure VoIP without LLDP-MED or 802.1X authentication:
CLI Quick Configuration
To quickly configure VoIP, copy the following commands and paste them into the
switch terminal window:
[edit]
set vlans data-vlan vlan-id 77
set vlans voice-vlan vlan-id 99
set vlans data-vlan interface ge-0/0/2.0
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members voice-vlan
set interfaces ge-0/0/2 unit 0 family ethernet-switching native-vlan-id data-vlan
Step-by-Step Procedure
Configure VoIP:
1.
2.
3.
4.
5.
Results
}
}
vlans {
data-vlan {
vlan-id 77;
interface {
ge-0/0/2.0;
}
}
voice-vlan {
vlan-id 99;
}
}
Verification
To confirm that the configuration is working properly, perform the following task:
Action
Meaning
The field VLAN members shows that the ge-0/0/2.0 interface supports both the
data-vlan VLAN and voice-vlan VLAN. The State field shows that the interface is up.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch
You can configure DHCP snooping, dynamic ARP inspection (DAI), MAC limiting,
and MAC move limiting on the access ports of EX-series switches to protect the switch
and the Ethernet LAN against address spoofing and Layer 2 denial-of-service (DoS)
attacks. You can also configure a trusted DHCP server and specific (allowed) MAC
addresses for the switch interfaces.
This example describes how to configure basic port security features (DHCP snooping,
DAI, MAC limiting, and MAC move limiting, as well as a trusted DHCP server and
allowed MAC addresses) on a switch. The DHCP server and its clients are all members
of a single VLAN on the switch.
Requirements
This example uses the following hardware and software components:
Before you configure DHCP snooping, DAI, and MAC limiting port security features,
be sure you have:
The components of the topology for this example are shown in Table 99 on page 730.
Table 99: Components of the Port Security Topology
Properties                   Settings
Switch hardware
                             employee-vlan, tag 20
VLAN subnets                 192.0.2.16/28
                             192.0.2.17 through 192.0.2.30
                             192.0.2.31 is subnet's broadcast address
Interfaces in employee-vlan  ge-0/0/8
In this example, the switch is initially configured with the default port security setup.
In the default configuration on the switch:
The switch does not drop any packets, which is the default setting.
All access ports are untrusted and all trunk ports are trusted for DHCP snooping,
which is the default setting.
In the configuration tasks for this example, you set the DHCP server first as untrusted
and then as trusted; you enable DHCP snooping, DAI, and MAC move limiting on a
VLAN; you modify the value for MAC limit; and you configure some specific (allowed)
MAC addresses on an interface.
Configuration
To configure basic port security on a switch whose DHCP server and client ports are
in a single VLAN:
CLI Quick Configuration
To quickly configure basic port security on the switch, copy the following commands
and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/1 mac-limit 4 action drop
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88
set interface ge-0/0/2 mac-limit 4 action drop
set interface ge-0/0/8 dhcp-trusted
set vlan employee-vlan arp-inspection
set vlan employee-vlan examine-dhcp
set vlan employee-vlan mac-move-limit 5 action drop
Step-by-Step Procedure
2. Specify the interface (port) from which DHCP responses are allowed:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 dhcp-trusted
4. Configure the MAC limit of 4 and specify that packets with new addresses be
dropped if the limit has been exceeded on the interfaces:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 4 action drop
user@switch# set interface ge-0/0/2 mac-limit 4 action drop
5. Configure a MAC move limit of 5 and specify that packets with new addresses
be dropped if the limit has been exceeded on the VLAN:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan mac-move-limit 5 action drop
Results
Verification
To confirm that the configuration is working properly:
Verifying That DHCP Snooping Is Working Correctly on the Switch on page 711
Verifying That MAC Limiting and MAC Move Limiting Are Working Correctly on
the Switch on page 713
Action
Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the interface on which the DHCP
server connects to the switch is trusted. The following output results when requests
are sent from the MAC addresses and the server has provided the IP addresses and
leases:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address         IP Address    Lease  Type     VLAN          Interface
-----------------   -----------   -----  -------  ------------  ----------
00:05:85:3A:82:77   192.0.2.17    600    dynamic  employeevlan  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18    653    dynamic  employeevlan  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19    720    dynamic  employeevlan  ge-0/0/2.0
00:05:85:3A:82:81   192.0.2.20    932    dynamic  employeevlan  ge-0/0/2.0
00:05:85:3A:82:83   192.0.2.21    1230   dynamic  employeevlan  ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22    3200   dynamic  employeevlan  ge-0/0/2.0
Meaning
When the interface on which the DHCP server connects to the switch has been set
to trusted, the output (see preceding sample) shows, for each MAC address, the
assigned IP address and lease time, that is, the time, in seconds, remaining before
the lease expires.
If the DHCP server had been configured as untrusted, the output would look like this:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address         IP Address    Lease  Type     VLAN          Interface
-----------------   -----------   -----  -------  ------------  ----------
00:05:85:3A:82:77   0.0.0.0       -      dynamic  employeevlan  ge-0/0/1.0
00:05:85:3A:82:79   0.0.0.0       -      dynamic  employeevlan  ge-0/0/1.0
00:05:85:3A:82:80   0.0.0.0       -      dynamic  employeevlan  ge-0/0/2.0
00:05:85:3A:82:81   0.0.0.0       -      dynamic  employeevlan  ge-0/0/2.0
00:05:85:3A:82:83   0.0.0.0       -      dynamic  employeevlan  ge-0/0/2.0
00:05:85:27:32:88   0.0.0.0       -      dynamic  employeevlan  ge-0/0/2.0
In the preceding output sample, IP addresses and lease times are not assigned because
the DHCP clients do not have a trusted server to which they can send requests. In
the database, the clients' MAC addresses are shown with no assigned IP addresses
(hence the 0.0.0.0 content in the IP Address column) and no leases (the lease time
is shown as a dash in the Lease column).
Interface    Packets received    ARP inspection pass    ARP inspection failed
ge-0/0/2.0   10                  10                     0
ge-0/0/3.0   12                  12                     0
Meaning
The sample output shows the number of ARP packets received and inspected per
interface, with a listing of how many packets passed and how many failed the
inspection on each interface. The switch compares the ARP requests and replies
against the entries in the DHCP snooping database. If a MAC address or IP address
in the ARP packet does not match a valid entry in the database, the packet is dropped.
Verifying That MAC Limiting and MAC Move Limiting Are Working Correctly
on the Switch
Purpose
Verify that MAC limiting and MAC move limiting are working on the switch.
Action
Suppose that two DHCP requests have been sent from hosts on ge-0/0/1 and five
DHCP requests from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 4
with the action drop.
Display the MAC addresses learned:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 6 learned
VLAN            MAC address         Type    Age  Interfaces
employee-vlan   *                   Flood   -    ge-0/0/2.0
employee-vlan   00:05:85:3A:82:77   Learn   0    ge-0/0/1.0
employee-vlan   00:05:85:3A:82:79   Learn   0    ge-0/0/1.0
employee-vlan   00:05:85:3A:82:80   Learn   0    ge-0/0/2.0
employee-vlan   00:05:85:3A:82:81   Learn   0    ge-0/0/2.0
employee-vlan   00:05:85:3A:82:83   Learn   0    ge-0/0/2.0
employee-vlan   00:05:85:3A:82:85   Learn   0    ge-0/0/2.0
Note that one of the MAC addresses on ge-0/0/2 was not learned because the limit
of 4 MAC addresses for that interface had been exceeded.
Now suppose that DHCP requests have been sent from two of the hosts on ge-0/0/2
after they have been moved to other interfaces more than 5 times in 1 second, with
employee-vlan set to a MAC move limit of 5 with the action drop.
Display the MAC addresses in the table:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 4 learned
VLAN            MAC address         Type    Age  Interfaces
employee-vlan   *                   Flood   -    ge-0/0/2.0
employee-vlan   00:05:85:3A:82:77   Learn   0    ge-0/0/1.0
employee-vlan   00:05:85:3A:82:79   Learn   0    ge-0/0/1.0
employee-vlan   00:05:85:3A:82:80   Learn   0    ge-0/0/2.0
employee-vlan   00:05:85:3A:82:81   Learn   0    ge-0/0/2.0
employee-vlan   *                   Flood   -    ge-0/0/2.0
employee-vlan   *                   Flood   -    ge-0/0/2.0
Meaning
The first sample output shows that with a MAC limit of 4 for each interface, the DHCP
request for a fifth MAC address on ge-0/0/2 was dropped because it exceeded the
MAC limit. The second sample output shows that DHCP requests for two of the hosts
on ge-0/0/2 were dropped when the hosts had been moved back and forth from
various interfaces more than 5 times in one second.
Verifying That Allowed MAC Addresses Are Working Correctly on the Switch
Purpose
Action
MAC address         Type    Age  Interfaces
00:05:85:3A:82:80   Learn   0    ge-0/0/2.0
00:05:85:3A:82:81   Learn   0    ge-0/0/2.0
00:05:85:3A:82:83   Learn   0    ge-0/0/2.0
00:05:85:3A:82:85   Learn   0    ge-0/0/2.0
*                   Flood   -    ge-0/0/2.0
Meaning
Because the MAC limit value for this interface has been set to 4, only 4 of the 5
configured allowed addresses are learned.
Related Topics
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 729
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 721
Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses,
to Protect the Switch from Ethernet Switching Table Overflow Attacks
In an Ethernet switching table overflow attack, an intruder sends so many requests
from new MAC addresses that the Ethernet switching table fills up and then overflows,
forcing the switch to broadcast all messages.
This example describes how to configure MAC limiting and allowed MAC addresses,
two port security features, to protect the switch from Ethernet switching table attacks:
Requirements
This example uses the following hardware and software components:
The components of the topology for this example are shown in Table 99 on page 730.
Table 100: Components of the Port Security Topology
Properties                   Settings
Switch hardware
                             employee-vlan, tag 20
VLAN subnets                 192.0.2.16/28
                             192.0.2.17 through 192.0.2.30
                             192.0.2.31 is subnet's broadcast address
Interfaces in employee-vlan  ge-0/0/8
In this example, use the MAC limit feature to control the total number of MAC
addresses that can be added to the Ethernet switching table for the specified interface.
Use the allowed MAC addresses feature to ensure that the addresses of network
devices whose network access is critical are guaranteed to be included in the Ethernet
switching table.
In this example, the switch has already been configured as follows:
Configuration
To configure MAC limiting and some allowed MAC addresses to protect the switch
against Ethernet switching table overflow attacks:
CLI Quick Configuration
To quickly configure MAC limiting and some allowed MAC addresses, copy the
following commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/1 mac-limit 4 action drop
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
Step-by-Step Procedure
1. Configure a MAC limit of 4 on ge-0/0/1 and specify that incoming packets with
different addresses be dropped once the limit is exceeded on the interface:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 4 action drop
Results
Verification
To confirm that the configuration is working properly:
Verifying That MAC Limiting Is Working Correctly on the Switch on page 718
Action
MAC address         Type    Age  Interfaces
00:05:85:3A:82:71   Learn   0    ge-0/0/1.0
00:05:85:3A:82:74   Learn   0    ge-0/0/1.0
00:05:85:3A:82:77   Learn   0    ge-0/0/1.0
00:05:85:3A:82:79   Learn   0    ge-0/0/1.0
*                   Flood   -    ge-0/0/1.0
00:05:85:3A:82:80   Learn   0    ge-0/0/2.0
00:05:85:3A:82:81   Learn   0    ge-0/0/2.0
00:05:85:3A:82:83   Learn   0    ge-0/0/2.0
00:05:85:3A:82:85   Learn   0    ge-0/0/2.0
*                   Flood   -    ge-0/0/2.0
Meaning
The sample output shows that with a MAC limit of 4 for the interface, the DHCP
request for a fifth MAC address on ge-0/0/1 was dropped because it exceeded the
MAC limit and that only the specified allowed MAC addresses have been learned on
the ge-0/0/2 interface.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Requirements
This example uses the following hardware and software components:
Before you configure an untrusted DHCP server interface to mitigate rogue DHCP
server attacks, be sure you have:
The components of the topology for this example are shown in Table 99 on page 730.
Properties                   Settings
Switch hardware
                             employee-vlan, tag 20
VLAN subnets                 192.0.2.16/28
                             192.0.2.17 through 192.0.2.30
                             192.0.2.31 is the subnet's broadcast address
Interfaces in employee-vlan  ge-0/0/8
The interface (port) where the rogue DHCP server has connected to the switch
is currently trusted.
Configuration
To configure the DHCP server interface as untrusted because the interface is being
used by a rogue DHCP server:
CLI Quick Configuration
To quickly set the rogue DHCP server interface as untrusted, copy the following
command and paste it into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/8 no-dhcp-trusted
Step-by-Step Procedure
To set the DHCP server interface as untrusted, specify the interface (port) from which
DHCP responses are not allowed:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 no-dhcp-trusted
Results
Verification
To confirm that the configuration is working properly:
Action
Verify that DHCP snooping is working on the switch. See what happens when the
DHCP server is untrusted.
Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the port on which the DHCP server
connects to the switch is not trusted. The following output results when requests are
sent from the MAC addresses but no server has provided IP addresses and leases:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address         IP Address    Lease  Type     VLAN           Interface
-----------------   -----------   -----  -------  -------------  ----------
00:05:85:3A:82:77   0.0.0.0       -      dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:79   0.0.0.0       -      dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:80   0.0.0.0       -      dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:81   0.0.0.0       -      dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:83   0.0.0.0       -      dynamic  employee-vlan  ge-0/0/2.0
00:05:85:27:32:88   0.0.0.0       -      dynamic  employee-vlan  ge-0/0/2.0
Meaning
In the sample output from the database, the clients' MAC addresses are shown with
no assigned IP addresses (hence the 0.0.0.0 content in the IP Address column) and
no leases (the lease time is shown as a dash in the Lease column).
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks
In a DHCP starvation attack, an attacker floods an Ethernet LAN with DHCP requests
from spoofed (counterfeit) MAC addresses. The switch's trusted DHCP server or
servers cannot keep up with the requests and can no longer assign IP addresses and
lease times to legitimate DHCP clients on the switch. Requests from those clients
are either dropped or directed to a rogue DHCP server set up by the attacker.
This example describes how to configure MAC limiting, a port security feature, to
protect the switch against DHCP starvation attacks:
Requirements
This example uses the following hardware and software components:
Before you configure MAC limiting, a port security feature, to mitigate DHCP starvation
attacks, be sure you have:
The components of the topology for this example are shown in Table 99 on page 730.
Table 102: Components of the Port Security Topology
Properties                   Settings
Switch hardware
                             default
Interfaces in employee-vlan  ge-0/0/8
Configuration
To configure the MAC limiting port security feature to protect the switch against
DHCP starvation attacks:
CLI Quick Configuration
To quickly configure MAC limiting, copy the following commands and paste them
into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/1 mac-limit 3 action drop
set interface ge-0/0/2 mac-limit 3 action drop
Step-by-Step Procedure
1. Configure a MAC limit of 3 on ge-0/0/1 and specify that packets with new
addresses be dropped if the limit has been exceeded on the interface:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 3 action drop
2. Configure a MAC limit of 3 on ge-0/0/2 and specify that packets with new
addresses be dropped if the limit has been exceeded on the interface:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 mac-limit 3 action drop
Results
Verification
To confirm that the configuration is working properly:
Verifying That MAC Limiting Is Working Correctly on the Switch on page 724
Action
Display the MAC addresses learned when DHCP requests are sent from hosts on
ge-0/0/1 and from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 3
with the action drop:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 6 learned
VLAN      MAC address         Type    Age  Interfaces
default   *                   Flood   -    ge-0/0/2.0
default   00:05:85:3A:82:77   Learn   0    ge-0/0/1.0
default   00:05:85:3A:82:79   Learn   0    ge-0/0/1.0
default   00:05:85:3A:82:80   Learn   0    ge-0/0/1.0
default   00:05:85:3A:82:81   Learn   0    ge-0/0/2.0
default   00:05:85:3A:82:83   Learn   0    ge-0/0/2.0
default   00:05:85:3A:82:85   Learn   0    ge-0/0/2.0
Meaning
The sample output shows that with a MAC limit of 3 for each interface, the DHCP
request for a fourth MAC address on ge-0/0/2 was dropped because it exceeded the
MAC limit.
Because only 3 MAC addresses can be learned on each of the two interfaces,
attempted DHCP starvation attacks will fail.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks
In an ARP spoofing attack, the attacker associates its own MAC address with the IP
address of a network device connected to the switch. Traffic intended for that IP
address is now sent to the attacker instead of being sent to the intended destination.
The attacker can send faked, or spoofed, ARP messages on the LAN.
This example describes how to configure DHCP snooping and dynamic ARP inspection
(DAI), two port security features, to protect the switch against ARP spoofing attacks:
Requirements
This example uses the following hardware and software components:
Before you configure DHCP snooping and DAI, two port security features, to mitigate
ARP spoofing attacks, be sure you have:
The components of the topology for this example are shown in Table 99 on page 730.
Properties                   Settings
Switch hardware
                             employee-vlan, tag 20
VLAN subnets                 192.0.2.16/28
                             192.0.2.17 through 192.0.2.30
                             192.0.2.31 is subnet's broadcast address
Interfaces in employee-vlan  ge-0/0/8
Configuration
To configure DHCP snooping and dynamic ARP inspection (DAI) to protect the switch
against ARP attacks:
CLI Quick Configuration
To quickly configure DHCP snooping and dynamic ARP inspection (DAI), copy the
following commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/8 dhcp-trusted
set vlan employee-vlan examine-dhcp
set vlan employee-vlan arp-inspection
Step-by-Step Procedure
Configure DHCP snooping and dynamic ARP inspection (DAI) on the VLAN:
Results
Verification
To confirm that the configuration is working properly:
Verifying That DHCP Snooping Is Working Correctly on the Switch on page 728
Action
VLAN            Interface
-------------   ----------
employee-vlan   ge-0/0/1.0
employee-vlan   ge-0/0/1.0
employee-vlan   ge-0/0/2.0
employee-vlan   ge-0/0/2.0
employee-vlan   ge-0/0/2.0
employee-vlan   ge-0/0/3.0
Meaning
When the interface on which the DHCP server connects to the switch has been set
to trusted, the output (see preceding sample) shows, for each MAC address, the
assigned IP address and lease time, that is, the time, in seconds, remaining before
the lease expires.
Action
Meaning
The sample output shows the number of ARP packets received and inspected per
interface, with a listing of how many packets passed and how many failed the
inspection on each interface. The switch compares the ARP requests and replies
against the entries in the DHCP snooping database. If a MAC address or IP address
in the ARP packet does not match a valid entry in the database, the packet is dropped.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks
In one type of attack on the DHCP snooping database, an intruder introduces a DHCP
client on an untrusted access interface with a MAC address identical to that of a client
on another untrusted interface. The intruder then acquires the DHCP lease of that
other client, thus changing the entries in the DHCP snooping table. Subsequently,
what would have been valid ARP requests from the legitimate client are blocked.
This example describes how to configure allowed MAC addresses, a port security
feature, to protect the switch from DHCP snooping database alteration attacks:
Requirements
This example uses the following hardware and software components:
The components of the topology for this example are shown in Table 99 on page 730.
Table 104: Components of the Port Security Topology
Properties                   Settings
Switch hardware
                             employee-vlan, tag 20
VLAN subnets                 192.0.2.16/28
                             192.0.2.17 through 192.0.2.30
                             192.0.2.31 is subnet's broadcast address
Interfaces in employee-vlan  ge-0/0/8
Configuration
To configure allowed MAC addresses to protect the switch against DHCP snooping
database alteration attacks:
CLI Quick Configuration
To quickly configure some allowed MAC addresses on an interface, copy the following
commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88
Step-by-Step Procedure
Results
Verification
To confirm that the configuration is working properly:
Verifying That Allowed MAC Addresses Are Working Correctly on the Switch
Purpose
Action
MAC address         Type    Age  Interfaces
00:05:85:3A:82:80   Learn   0    ge-0/0/2.0
00:05:85:3A:82:81   Learn   0    ge-0/0/2.0
00:05:85:3A:82:83   Learn   0    ge-0/0/2.0
00:05:85:3A:82:85   Learn   0    ge-0/0/2.0
00:05:85:3A:82:88   Learn   0    ge-0/0/2.0
*                   Flood   -    ge-0/0/2.0
Meaning
The output shows that the five MAC addresses configured as allowed MAC addresses
have been learned and are displayed in the MAC cache. The last MAC address in the
list, one that had not been configured as allowed, has not been added to the list of
learned addresses.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
This example describes how to configure port security features on an EX-series switch
whose hosts obtain IP addresses and lease times from a DHCP server attached to a
second switch:
Configuring a VLAN, Interfaces, and Port Security Features on Switch 1 on page 735
Requirements
This example uses the following hardware and software components:
A DHCP server connected to Switch 2. You will use the server to provide IP
addresses to network devices connected to Switch 1.
At least two network devices (hosts) that you will connect to access interfaces
on Switch 1. These devices will be DHCP clients.
Before you configure DHCP snooping, DAI, and MAC limiting port security features,
be sure you have:
MAC limiting to constrain the number of MAC addresses the switch adds to its
MAC address cache
This example shows how to configure these port security features on an EX 3200
switch, which is Switch 1 in this example. (You could also use an EX 4200 switch for
this example.) Switch 1 is attached to a switch that is not configured with port security
features. That second switch (Switch 2) is connected to a DHCP server. (See
Figure 46 on page 734. ) Network devices (hosts) that are connected to Switch 1 will
send requests for IP addresses (that is, the devices will be DHCP clients). Those
requests will be transmitted from Switch 1 to Switch 2 and then to the DHCP server
connected to Switch 2. Responses to the requests will be transmitted along the reverse
path from the one followed by the requests.
The setup for this example includes the VLAN employee-vlan on both switches.
Figure 46 on page 734 shows the network topology for the example.
Figure 46: Network Topology for Port Security Setup with Two Switches on Same
VLAN
The components of the topology for this example are shown in Table 105 on page 734.
Table 105: Components of Port Security Setup on Switch 1 with a DHCP Server Connected to Switch 2
Properties                   Settings
Switch hardware
                             employee-vlan, tag 20
VLAN subnets                 192.0.2.16/28
                             192.0.2.17 through 192.0.2.30
                             192.0.2.31 is subnet's broadcast address
                             ge-0/0/11
                             ge-0/0/1
                             ge-0/0/1 on Switch 2
Switch 1 is initially configured with the default port security setup. In the default
configuration on the switch:
The switch does not drop any packets, which is the default setting.
DHCP snooping and dynamic ARP inspection (DAI) are disabled on all VLANs.
All access interfaces are untrusted and trunk interfaces are trusted; these are the
default settings.
In the configuration tasks for this example, you configure a VLAN on both switches.
In addition to configuring the VLAN, you enable DHCP snooping on Switch 1. In this
example, you'll also enable DAI and a MAC limit of 5 on Switch 1.
Because the interface that connects Switch 2 to Switch 1 is a trunk interface, you do
not have to configure this interface to be trusted. As noted above, trunk interfaces
are automatically trusted, so DHCP messages coming from the DHCP server to Switch
2 and then on to Switch 1 are trusted.
To quickly configure a VLAN, interfaces, and port security features, copy the following
commands and paste them into the switch terminal window:
[edit]
set ethernet-switching-options secure-access-port interface ge-0/0/1 mac-limit 5 action drop
set ethernet-switching-options secure-access-port vlan employee-vlan arp-inspection
set ethernet-switching-options secure-access-port vlan employee-vlan examine-dhcp
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members 20
set vlans employee-vlan vlan-id 20
Step-by-Step Procedure
To configure MAC limiting, a VLAN, and interfaces on Switch 1 and enable DAI and
DHCP snooping on the VLAN:
3. Associate the VLAN with interfaces ge-0/0/1, ge-0/0/2, ge-0/0/3, and ge-0/0/11:
[edit interfaces]
user@switch1# set ge-0/0/1 unit 0 family ethernet-switching vlan members 20
user@switch1# set ge-0/0/2 unit 0 family ethernet-switching vlan members 20
user@switch1# set ge-0/0/3 unit 0 family ethernet-switching vlan members 20
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members 20
6. Configure a MAC limit of 5 on ge-0/0/1 and specify that the address be dropped
if the limit has been exceeded:
[edit ethernet-switching-options secure-access-port]
user@switch1# set interface ge-0/0/1 mac-limit 5 action drop
Results
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 20;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 20;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members 20;
                }
            }
        }
    }
}
vlans {
    employee-vlan {
        vlan-id 20;
    }
}
To quickly configure the VLAN and interfaces on Switch 2, copy the following
commands and paste them into the switch terminal window:
[edit]
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set vlans employee-vlan vlan-id 20
Step-by-Step Procedure
[edit interfaces]
user@switch2# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
Results
Verification
To confirm that the configuration is working properly:
Action
VLAN           Interface
------------   ----------
employeevlan   ge-0/0/1.0
employeevlan   ge-0/0/1.0
employeevlan   ge-0/0/1.0
employeevlan   ge-0/0/1.0
employeevlan   ge-0/0/1.0
employeevlan   ge-0/0/2.0
employeevlan   ge-0/0/3.0
Meaning
The output shows, for each MAC address, the assigned IP address and lease time, that
is, the time, in seconds, remaining before the lease expires.
Action
Meaning
The sample output shows the number of ARP packets received and inspected per
interface, with a listing of how many packets passed and how many failed the
inspection on each interface. The switch compares the ARP requests and replies
against the entries in the DHCP snooping database. If a MAC address or IP address
in the ARP packet does not match a valid entry in the database, the packet is dropped.
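The DHCP snooping and DAI behaviour that the three verification passages describe (the binding database with a trusted server, the 0.0.0.0 bindings with an untrusted one, and the ARP check against the database), modelled in Python. This is an added example, not code from the Juniper guide: the clients, leases and interfaces are taken from the sample output, the ge-0/0/3.0 host is constructed, and the exact inspection rules (including the interface match) are assumptions of the model.

```python
"""DHCP snooping and dynamic ARP inspection (DAI) as described in the
verification samples: a binding database built from snooped DHCP traffic,
server replies honoured only from dhcp-trusted interfaces, and ARP packets
checked against the bindings. Added model, not Juniper code; the inspection
rules are an assumption and every message below is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Binding:
    """One row of 'show dhcp snooping binding'."""
    mac: str
    iface: str
    vlan: str
    ip: str = "0.0.0.0"          # stays 0.0.0.0 until a trusted server answers
    lease: Optional[int] = None  # shown as "-" until a trusted server answers


class PortSecurity:
    def __init__(self, vlan, dhcp_trusted=(), trunks=()):
        self.vlan = vlan
        # access ports are untrusted unless set dhcp-trusted; trunks are trusted by default
        self.trusted = set(dhcp_trusted) | set(trunks)
        self.bindings = {}                                # client MAC -> Binding
        self.arp_stats = defaultdict(lambda: [0, 0, 0])   # iface -> [received, pass, fail]

    def snoop_dhcp(self, iface, kind, client_mac, ip=None, lease=None):
        """examine-dhcp: kind is 'request' (client DISCOVER/REQUEST) or 'ack' (server)."""
        if kind == "request":
            if iface not in self.trusted:
                # a client request (re)creates its entry with no IP and no lease yet
                self.bindings[client_mac] = Binding(client_mac, iface, self.vlan)
            return True
        if kind == "ack":
            if iface not in self.trusted:
                return False          # server reply on an untrusted port is discarded
            b = self.bindings.get(client_mac)
            if b is not None:
                b.ip, b.lease = ip, lease
            return True
        raise ValueError(f"unknown DHCP message kind {kind!r}")

    def inspect_arp(self, iface, sender_mac, sender_ip):
        """arp-inspection: the sender MAC/IP pair must match a valid binding learned
        on this interface; ARP on trusted interfaces is not inspected (assumption)."""
        stats = self.arp_stats[iface]
        stats[0] += 1
        if iface in self.trusted:
            stats[1] += 1
            return True
        b = self.bindings.get(sender_mac)
        ok = (b is not None and b.lease is not None
              and b.ip == sender_ip and b.iface == iface)
        stats[1 if ok else 2] += 1
        return ok

    def show_binding(self):
        """Rows in the column order of 'show dhcp snooping binding'."""
        return [(b.mac, b.ip, "-" if b.lease is None else str(b.lease), "dynamic",
                 b.vlan, b.iface) for b in self.bindings.values()]


# Clients, leases and interfaces taken from the page's sample output; the server
# sits on ge-0/0/8.0 and the ge-0/0/3.0 host is constructed for the DAI check.
CLIENTS = [("00:05:85:3A:82:77", "ge-0/0/1.0"), ("00:05:85:3A:82:79", "ge-0/0/1.0"),
           ("00:05:85:3A:82:80", "ge-0/0/2.0"), ("00:05:85:3A:82:81", "ge-0/0/2.0"),
           ("00:05:85:3A:82:83", "ge-0/0/2.0"), ("00:05:85:27:32:88", "ge-0/0/2.0")]
LEASES = [600, 653, 720, 932, 1230, 3200]


def dhcp_exchange(server_trusted):
    """Every client requests an address and the server on ge-0/0/8.0 acknowledges."""
    ps = PortSecurity("employee-vlan", dhcp_trusted=["ge-0/0/8.0"] if server_trusted else [])
    for n, (mac, iface) in enumerate(CLIENTS):
        ps.snoop_dhcp(iface, "request", mac)
        ps.snoop_dhcp("ge-0/0/8.0", "ack", mac, ip=f"192.0.2.{17 + n}", lease=LEASES[n])
    return ps


def dai_checks(ps):
    """Three ARP packets: the real host, the same pair seen on a different port, and
    a host claiming a neighbour's IP. Returns the per-packet verdicts."""
    return [ps.inspect_arp("ge-0/0/1.0", "00:05:85:3A:82:77", "192.0.2.17"),
            ps.inspect_arp("ge-0/0/3.0", "00:05:85:3A:82:77", "192.0.2.17"),
            ps.inspect_arp("ge-0/0/1.0", "00:05:85:3A:82:79", "192.0.2.17")]
```

With the server port untrusted every binding stays at 0.0.0.0 with no lease, so even the legitimate host's ARP fails inspection, which is why the trusted-server step comes first in the procedure.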
Action
MAC address         Type    Age  Interfaces
00:05:85:3A:82:77   Learn   0    ge-0/0/1.0
00:05:85:3A:82:79   Learn   0    ge-0/0/1.0
00:05:85:3A:82:80   Learn   0    ge-0/0/1.0
00:05:85:3A:82:81   Learn   0    ge-0/0/1.0
00:05:85:3A:82:83   Learn   0    ge-0/0/1.0
*                   Flood   -    ge-0/0/1.0
Meaning
The sample output shows that five MAC addresses have been learned for interface
ge-0/0/1, which corresponds to the MAC limit of 5 set in the configuration. The last
line of the output shows that a sixth MAC address request was dropped, as indicated
by the asterisk (*) in the MAC address column.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
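The MAC limiting, MAC move limiting and allowed MAC behaviour that the verification samples above describe (a limit of 4 with five allowed addresses on ge-0/0/2, a move limit of 5 per second on employee-vlan, and the six-host case on Switch 1), modelled in Python. This is an added example, not Juniper code: the order of the checks and the sliding one-second window are assumptions of the model, and the sixth MAC on Switch 1 is constructed.

```python
"""MAC learning on an EX-series access port as described in the verification
samples: mac-limit with action drop, allowed-mac, and the VLAN mac-move-limit
with action drop. Added model, not Juniper code; the one-second move window
comes from the text, the checking order is an assumption, and the hosts and
timestamps are constructed sample data."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecureAccessPort:
    """Per-interface settings under [edit ethernet-switching-options secure-access-port]."""
    mac_limit: Optional[int] = None                  # set interface <if> mac-limit N action drop
    allowed_macs: set = field(default_factory=set)   # set interface <if> allowed-mac <mac>


class SwitchingTable:
    """The Ethernet switching table of one VLAN together with its port-security checks."""

    def __init__(self, ports, mac_move_limit=None, window=1.0):
        self.ports = ports                    # iface -> SecureAccessPort
        self.mac_move_limit = mac_move_limit  # set vlan <v> mac-move-limit M action drop
        self.window = window                  # moves are counted over one second
        self.entries = {}                     # mac -> iface, the "Learn" rows
        self.dropped = defaultdict(list)      # iface -> MACs whose frames were dropped
        self.moves = defaultdict(deque)       # mac -> timestamps of interface changes

    def learned_on(self, iface):
        return sorted(m for m, i in self.entries.items() if i == iface)

    def receive(self, iface, mac, now=0.0):
        """Process one ingress frame; returns 'learn', 'known' or 'drop'."""
        port = self.ports.get(iface, SecureAccessPort())
        # allowed-mac: once configured, only the listed addresses can be learned here
        if port.allowed_macs and mac not in port.allowed_macs:
            self.dropped[iface].append(mac)
            return "drop"
        prev = self.entries.get(mac)
        if prev == iface:
            return "known"
        # mac-move-limit: count interface changes inside the sliding one-second window
        q = self.moves[mac]
        if prev is not None:
            q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if self.mac_move_limit is not None and len(q) > self.mac_move_limit:
            self.entries.pop(mac, None)       # entry withdrawn; shows as a "*" Flood row
            self.dropped[iface].append(mac)
            return "drop"
        if prev is not None:
            del self.entries[mac]
        # mac-limit: an address beyond the limit is dropped and never learned
        if port.mac_limit is not None and len(self.learned_on(iface)) >= port.mac_limit:
            self.dropped[iface].append(mac)
            return "drop"
        self.entries[mac] = iface
        return "learn"

    def show(self, vlan):
        """Rows shaped like 'show ethernet-switching table'; '*' marks a dropped address."""
        rows = [(vlan, m, "Learn", "0", i) for m, i in sorted(self.entries.items())]
        for iface in sorted(self.dropped):
            rows += [(vlan, "*", "Flood", "-", iface)] * len(self.dropped[iface])
        return rows


def port_security_example():
    """First example above: mac-limit 4 on ge-0/0/1 and ge-0/0/2, five allowed MACs on
    ge-0/0/2, mac-move-limit 5 on employee-vlan. Returns the table after the MAC
    limit test and again after the MAC move test."""
    allowed = {"00:05:85:3A:82:80", "00:05:85:3A:82:81", "00:05:85:3A:82:83",
               "00:05:85:3A:82:85", "00:05:85:3A:82:88"}
    t = SwitchingTable({"ge-0/0/1.0": SecureAccessPort(mac_limit=4),
                        "ge-0/0/2.0": SecureAccessPort(mac_limit=4, allowed_macs=allowed)},
                       mac_move_limit=5)
    for mac in ("00:05:85:3A:82:77", "00:05:85:3A:82:79"):   # two hosts on ge-0/0/1
        t.receive("ge-0/0/1.0", mac)
    for mac in sorted(allowed):                              # five hosts on ge-0/0/2
        t.receive("ge-0/0/2.0", mac)
    after_limit = t.show("employee-vlan")
    # two ge-0/0/2 hosts now flap to ge-0/0/3 and back six times inside one second
    for mac in ("00:05:85:3A:82:83", "00:05:85:3A:82:85"):
        for k in range(1, 7):
            t.receive("ge-0/0/3.0" if k % 2 else "ge-0/0/2.0", mac, now=k / 10)
    return after_limit, t.show("employee-vlan")


def two_switch_example():
    """Switch 1 in the two-switch example: mac-limit 5 on ge-0/0/1 and six hosts
    (the sixth MAC is constructed). Returns the per-frame verdicts and the table."""
    t = SwitchingTable({"ge-0/0/1.0": SecureAccessPort(mac_limit=5)})
    macs = ["00:05:85:3A:82:%02X" % n for n in (0x77, 0x79, 0x80, 0x81, 0x83, 0x85)]
    verdicts = [t.receive("ge-0/0/1.0", m) for m in macs]
    return verdicts, t.show("employee-vlan")
```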
Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN
Requirements
This example uses the following hardware and software components:
Before you configure IP source guard for the data VLANs, be sure you have:
Connected the RADIUS server to the switch and configured user authentication
on the server. See Example: Connecting a RADIUS Server for 802.1X to an
EX-series Switch on page 670.
Configured the VLANs. See Example: Setting Up Bridging with Multiple VLANs
for EX-series Switches on page 376 for detailed information about configuring
VLANs.
NOTE: The 802.1X user authentication applied in this example is for single
supplicants. Single-secure supplicant mode and multiple supplicant mode do not
work with IP source guard. For more information about 802.1X authentication, see
Understanding 802.1X Authentication on EX-series Switches on page 641.
Tip
You can set the ip-source-guard flag in the traceoptions statement for debugging
purposes.
This example shows how to configure a static IP address to be added to the DHCP
snooping database.
Configuration
CLI Quick Configuration
To quickly configure IP source guard on a data VLAN, copy the following commands
and paste them into the switch terminal window:
set ethernet-switching-options voip interface ge-0/0/14.0 vlan voice
set ethernet-switching-options secure-access-port interface ge-0/0/24.0 dhcp-trusted
set ethernet-switching-options secure-access-port interface ge-0/0/14 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan data
set ethernet-switching-options secure-access-port vlan data examine-dhcp
set ethernet-switching-options secure-access-port vlan data ip-source-guard
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members data
set vlans voice vlan-id 100
set protocols lldp-med interface ge-0/0/14.0
set protocols dot1x authenticator authentication-profile-name profile52
set protocols dot1x authenticator interface ge-0/0/14.0 supplicant single
Step-by-Step Procedure
2.
Configure the interface on which the DHCP server is connected to the switch
as a trusted interface and add that interface to the data VLAN:
[edit ethernet-switching-options]
user@switch# set secure-access-port interface ge-0/0/24.0 dhcp-trusted
[edit interfaces]
user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members data
3.
4.
5.
[edit protocols]
user@switch# set lldp-med interface ge-0/0/14.0
user@switch# set dot1x authenticator authentication-profile-name profile52
user@switch# set dot1x authenticator interface ge-0/0/14.0 supplicant single
6.
Results
}
dot1x {
authenticator {
authentication-profile-name profile52;
interface {
ge-0/0/14.0 {
supplicant single;
}
}
}
}
Tip
If you wanted to configure IP source guard on the voice VLAN as well as on the data
VLAN, you would configure DHCP snooping and IP source guard exactly as you did
for the data VLAN. The configuration result for the voice VLAN under
secure-access-port would look like this:
secure-access-port {
vlan voice {
examine-dhcp;
ip-source-guard;
}
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That 802.1X User Authentication Is Working on the Interface on page 744
Verifying That DHCP Snooping and IP Source Guard Are Working on the Data
VLAN on page 745
Action
Meaning
The Supplicant mode output field displays the configured administrative mode for
each interface. Interface ge-0/0/14.0 displays Single supplicant mode.
Action
Meaning
The field VLAN members shows that the ge-0/0/14.0 interface supports both the data
VLAN and the voice VLAN. The State field shows that the interface is up.
Verifying That DHCP Snooping and IP Source Guard Are Working on the
Data VLAN
Purpose
Action
Verify that DHCP snooping and IP source guard are enabled and working on the data
VLAN.
Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the interface on which the DHCP
server connects to the switch is trusted. The following output results when requests
are sent from the MAC addresses and the server has provided the IP addresses and
leases:
user@switch> show dhcp snooping binding on page 872
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN      Interface
00:05:85:3A:82:77   192.0.2.17   600              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19   720              dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:81   192.0.2.20   932              dynamic  employee  ge-0/0/2.0
00:30:48:92:A5:9D   10.10.10.7   720              dynamic  vlan100   ge-0/0/13.0
00:30:48:8D:01:3D   10.10.10.9   720              dynamic  data      ge-0/0/14.0
00:30:48:8D:01:5D   10.10.10.8   1230             dynamic  voice     ge-0/0/14.0
00:11:11:11:11:11   11.1.1.1     -                static   data      ge-0/0/14.0
00:05:85:27:32:88   192.0.2.22   -                static   employee  ge-0/0/17.0
00:05:85:27:32:89   192.0.2.23   -                static   employee  ge-0/0/17.0
00:05:85:27:32:90   192.0.2.27   -                static   employee  ge-0/0/17.0
Interface     Tag  IP Address   MAC Address        VLAN
ge-0/0/13.0        10.10.10.7   00:30:48:92:A5:9D  vlan100
ge-0/0/14.0   0    10.10.10.9   00:30:48:8D:01:3D  data
ge-0/0/14.0   0    11.1.1.1     00:11:11:11:11:11  data
ge-0/0/13.0   100  *            *                  voice
Meaning
When the interface on which the DHCP server connects to the switch has been set
to trusted, the output (see the preceding sample output for show dhcp snooping binding)
shows, for each MAC address, the assigned IP address and lease time, that is, the
time, in seconds, remaining before the lease expires. Static IP addresses have no
assigned lease time. Statically configured entries never expire.
The IP source guard database table contains the VLANs enabled for IP source guard,
the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there
are any, and the IP addresses and MAC addresses that are bound to one another. If
a switch interface is associated with multiple VLANs and some of those VLANs are
enabled for IP source guard and others are not, the VLANs that are not enabled for
IP source guard have a star (*) in the IP Address and MAC Address fields. See the
entry for the voice VLAN in the preceding sample output.
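The two checks that consume the DHCP snooping binding table, DAI (the ARP comparison described in the earlier verification section) and IP source guard (the binding lookup described here), as an added Python model that is not part of the Juniper guide. It parses a constructed copy of rows from this page's `show dhcp snooping binding` sample, applies the page's match rules to constructed ARP and IP packets, and ages the dynamic leases; the function and field names are the example's own.

```python
"""Model of the DHCP snooping binding table and the two checks that read it:
dynamic ARP inspection (DAI) and IP source guard.

Added example, not Juniper's code. BINDING_OUTPUT is a constructed copy of
rows from the page's sample output; the packets below are constructed too.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed copy of four rows from the page's `show dhcp snooping binding` output.
BINDING_OUTPUT = """\
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN      Interface
00:05:85:3A:82:77   192.0.2.17   600              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653              dynamic  employee  ge-0/0/1.0
00:30:48:8D:01:3D   10.10.10.9   720              dynamic  data      ge-0/0/14.0
00:11:11:11:11:11   11.1.1.1     -                static   data      ge-0/0/14.0
"""


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: Optional[int]  # seconds remaining; None for static entries, which never expire
    kind: str             # "dynamic" (learned by snooping) or "static" (configured)
    vlan: str
    interface: str


@dataclass(frozen=True)
class Packet:
    """The fields of an ARP or IP packet that the two checks look at."""
    interface: str  # ingress interface
    vlan: str
    mac: str        # ARP sender MAC / Ethernet source MAC
    ip: str         # ARP sender IP / IP source address


def parse_bindings(text: str) -> List[Binding]:
    """Parse the binding table; banner and header lines do not have 6 fields with a type."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] not in ("dynamic", "static"):
            continue
        mac, ip, lease, kind, vlan, ifname = parts
        rows.append(Binding(mac.lower(), ip, None if lease == "-" else int(lease),
                            kind, vlan, ifname))
    return rows


def age_bindings(bindings: List[Binding], elapsed: int) -> List[Binding]:
    """Bindings still valid `elapsed` seconds later: dynamic leases count down, static stay."""
    kept = []
    for b in bindings:
        if b.lease is None:
            kept.append(b)
        elif b.lease > elapsed:
            kept.append(Binding(b.mac, b.ip, b.lease - elapsed, b.kind, b.vlan, b.interface))
    return kept


def dai_inspect(bindings: List[Binding], arp: Packet) -> str:
    """DAI: the sender MAC/IP pair must match a binding in the packet's VLAN, else drop."""
    for b in bindings:
        if b.vlan == arp.vlan and b.mac == arp.mac.lower() and b.ip == arp.ip:
            return "pass"
    return "drop"


def ipsg_check(bindings: List[Binding], pkt: Packet,
               guarded_vlans: Set[str], trusted: Set[str]) -> str:
    """IP source guard applies only on untrusted access interfaces of VLANs that have
    the feature (the '*' rows in the page's table are VLANs without it). There the
    source MAC/IP pair must be bound on the ingress interface."""
    if pkt.vlan not in guarded_vlans or pkt.interface in trusted:
        return "pass"
    for b in bindings:
        if (b.interface, b.vlan, b.mac, b.ip) == (pkt.interface, pkt.vlan, pkt.mac.lower(), pkt.ip):
            return "pass"
    return "drop"


if __name__ == "__main__":
    table = parse_bindings(BINDING_OUTPUT)
    # A MAC that is bound to 10.10.10.9 claiming the static address 11.1.1.1
    mismatched = Packet("ge-0/0/14.0", "data", "00:30:48:8D:01:3D", "11.1.1.1")
    print("DAI :", dai_inspect(table, mismatched))
    print("IPSG:", ipsg_check(table, mismatched, {"data"}, {"ge-0/0/24.0"}))
    print("after 700 s:", [b.ip for b in age_bindings(table, 700)])
```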
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring IP Source Guard with Other EX-series Switch Features to Mitigate Address-Spoofing Attacks on
Untrusted Access Interfaces
You can use IP source guard in combination with other EX-series switch features to
mitigate address-spoofing attacks on untrusted access interfaces. This example shows
two configuration scenarios:
Requirements
This example uses the following hardware and software components:
An EX 4200-24P switch
Before you configure IP source guard for these scenarios, be sure you have:
Connected the RADIUS server and configured user authentication on the RADIUS
server. See Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch on page 670.
Configured the VLANs on the switch. See Example: Setting Up Bridging with
Multiple VLANs for EX-series Switches on page 376 for detailed information about
configuring VLANs.
NOTE: The 802.1X user authentication applied in this example is for single
supplicants. Single-secure supplicant mode and multiple supplicant mode do not
work with IP source guard. For more information about 802.1X authentication, see
Understanding 802.1X Authentication on EX-series Switches on page 641.
In the first example configuration, two clients (network devices) are connected to
an access switch. You configure IP source guard and 802.1X user authentication, in
combination with access port security features DHCP snooping and dynamic ARP
inspection (DAI). This setup is designed to protect the switch from IP attacks such
as ping of death attacks, DHCP starvation, and ARP spoofing.
In the second example configuration, the switch is configured for 802.1X user
authentication. If the client fails authentication, the switch redirects the client to a
guest VLAN that allows this client to access a set of restricted network features. You
configure IP source guard on the guest VLAN to mitigate effects of source IP spoofing.
You can set the ip-source-guard flag in the traceoptions statement for debugging
purposes.
Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic
ARP Inspection
CLI Quick Configuration
To quickly configure IP source guard with 802.1X authentication and with other
access port security features, copy the following commands and paste them into the
switch terminal window:
Step-by-Step Procedure
To configure IP source guard with 802.1X authentication and various port security
features:
1.
Configure the interface on which the DHCP server is connected to the switch
as a trusted interface and add that interface to the data VLAN:
[edit ethernet-switching-options]
user@switch# set secure-access-port interface ge-0/0/24 dhcp-trusted
[edit interfaces]
user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members data
2.
3.
Configure 802.1X user authentication and LLDP-MED on the two interfaces that
you associated with the data VLAN:
[edit protocols]
user@switch# set lldp-med interface ge-0/0/0.0
user@switch# set dot1x authenticator authentication-profile-name profile52
user@switch# set dot1x authenticator interface ge-0/0/0.0 supplicant single
user@switch# set lldp-med interface ge-0/0/1.0
user@switch# set dot1x authenticator interface ge-0/0/1.0 supplicant single
4.
Configure access port security features DHCP snooping, dynamic ARP inspection
(DAI), and IP source guard on the data VLAN:
[edit ethernet-switching-options]
user@switch# set secure-access-port vlan data examine-dhcp
user@switch# set secure-access-port vlan data arp-inspection
user@switch# set secure-access-port vlan data ip-source-guard
Results
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members data;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members data;
}
}
}
}
ge-0/0/24 {
unit 0 {
family ethernet-switching {
vlan {
members data;
}
}
}
}
[edit protocols]
lldp-med {
interface ge-0/0/14.0;
interface ge-0/0/0.0;
interface ge-0/0/1.0;
}
dot1x {
authenticator {
authentication-profile-name profile52;
}
interface {
ge-0/0/0.0 {
supplicant single;
}
ge-0/0/1.0 {
supplicant single;
}
ge-0/0/14.0 {
supplicant single;
}
}
}
To quickly configure IP source guard on a guest VLAN, copy the following commands
and paste them into the switch terminal window:
Step-by-Step Procedure
Configure the interface on which the DHCP server is connected to the switch
as a trusted interface and add that interface to the employee VLAN:
[edit ethernet-switching-options]
user@switch# set secure-access-port interface ge-0/0/24 dhcp-trusted
[edit interfaces]
user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members employee
2.
3.
4.
[edit ethernet-switching-options]
user@switch# set secure-access-port interface ge-0/0/1 static-ip 11.1.1.2 mac 00:22:22:22:22:22 vlan employee
5.
[edit protocols]
6.
Results
port-mode access;
}
}
}
ge-0/0/24 {
unit 0 {
family ethernet-switching {
vlan {
members employee;
}
}
}
}
[edit ethernet-switching-options]
secure-access-port {
interface ge-0/0/0.0 {
static-ip 11.1.1.1 vlan employee mac 00:11:11:11:11:11;
}
interface ge-0/0/1.0 {
static-ip 11.1.1.2 vlan employee mac 00:22:22:22:22:22;
}
interface ge-0/0/24.0 {
dhcp-trusted;
}
vlan employee {
examine-dhcp;
ip-source-guard;
}
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That 802.1X User Authentication Is Working on the Interface on page 753
Verifying That DHCP Snooping and IP Source Guard Are Working on the
VLAN on page 754
Action
Meaning
Action
Use the show ethernet-switching interfaces on page 545 command to view the Ethernet
switching table entries.
Meaning
The field VLAN members shows the associations between VLANs and interfaces. The
State field shows whether the interfaces are up or down.
For the guest VLAN configuration, the interface is associated with the guest VLAN if
and when the supplicant fails 802.1X user authentication.
Verifying That DHCP Snooping and IP Source Guard Are Working on the
VLAN
Purpose
Action
Verify that DHCP snooping and IP source guard are enabled and working on the
VLAN.
Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Use the show dhcp snooping binding on page 872 command to display the DHCP
snooping information when the interface on which the DHCP server connects to the
switch is trusted. View the MAC addresses from which requests were sent and the
IP addresses and leases provided by the server.
Use the show ip-source-guard on page 1160 command to view IP source guard information
for the VLAN.
Meaning
When the interface on which the DHCP server connects to the switch has been set
to trusted, the output shows, for each MAC address, the assigned IP address and
lease time, that is, the time, in seconds, remaining before the lease expires. Static
IP addresses have no assigned lease time. Statically configured entries never expire.
The IP source guard database table contains the VLANs enabled for IP source guard,
the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there
are any, and the IP addresses and MAC addresses that are bound to one another. If
a switch interface is associated with multiple VLANs and some of those VLANs are
enabled for IP source guard and others are not, the VLANs that are not enabled for
IP source guard have a star (*) in the IP Address and MAC Address fields.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Chapter 45
Setting the none Action on an Interface to Override a MAC Limit Applied to All
Interfaces (CLI Procedure) on page 780
Specify the 802.1X exclusion list, which lists the supplicants that can bypass
802.1X authentication and be connected to the LAN automatically.
Define the address of the server, the RADIUS server authentication port number,
and the secret password. The secret password on the switch must match the
secret password on the server:
[edit access]
user@switch# set radius-server 10.0.0.100 port 1812 secret abc
2.
3.
2.
3.
interface
ge-0/0/5
2.
Enable reauthentication:
[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/5 reauthentication interval 5
3.
Configure the port timeout value for the response from the supplicant:
[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/5 supplicant-timeout 5
4.
Configure the timeout for the interface before it resends an authentication request
to the RADIUS server:
5.
Configure how long the interface waits before retransmitting the initial EAPOL
PDUs to the supplicant:
[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/5 transmit-period 5
Related Topics
2.
Click one:
Function
Your Action
IP Address
Password
Confirm Password
Source Address
Retry Attempts
Timeout
Function
Your Action
MAC Address
Exclude if connected
through the port
Function
Your Action
Supplicant Mode
Function
Your Action
Supplicant Mode
Authentication
Enable
re-authentication
1.
2.
Action on
authentication
failure
Select one:
Timeouts
Related Topics
Specify the accounting servers to which the switch will forward accounting
statistics:
[edit access]
user@switch# set profile profile1 radius accounting-server [122.69.1.250 122.69.1.252]
2.
3.
4.
Configure the RADIUS servers to use while sending accounting messages and
updates:
[edit access]
user@switch# set profile profile1 accounting order radius none
5.
6.
7.
Open an accounting log on the RADIUS accounting server using the server's
address, and view accounting statistics:
[root@freeradius]# cd /usr/local/var/log/radius/radacct/122.69.1.250
[root@freeradius 122.69.1.250]# ls
detail-20071214
Related Topics
Thu Feb  7 01:01:00 2008
        User-Name = "md5user01"
        NAS-Port = 4325376
        Acct-Status-Type = Start
        Acct-Session-Id = "8O2.1x80101b"
        NAS-Identifier = "sys-java97"
        NAS-Port-Type = Virtual
        NAS-IP-Address = 10.93.15.197
        Client-IP-Address = 10.93.15.197
        Acct-Unique-Session-Id = "b0a382acdc4387a5"
        Timestamp = 1202374860

Thu Feb  7 02:34:47 2008
        User-Name = "md5user01"
        NAS-Port = 4325376
        Acct-Status-Type = Stop
        Acct-Session-Id = "8O2.1x8011b"
        Acct-Input-Octets = 0
        Acct-Output-Octets = 72
        Acct-Session-Time = 1202349593
        Acct-Input-Packets = 0
        Acct-Output-Packets = 1
        Acct-Terminate-Cause = Lost-Carrier
        Acct-Input-Gigawords = 0
        Acct-Output-Gigawords = 0
        NAS-Identifier = "sys-java97"
        NAS-Port-Type = Virtual
        NAS-IP-Address = 10.93.15.197
        Client-IP-Address = 10.93.15.197
        Acct-Unique-Session-Id = "eb4e171ae562daf5"
        Timestamp = 1202380487
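Reading the accounting log shown above programmatically, as an added Python example that is not part of the Juniper guide or of FreeRADIUS: it parses the radacct detail format (a timestamp line in column 0 followed by indented `Attribute = Value` lines), pairs each Stop record with its Start, and reports the session duration, byte counts and terminate cause. DETAIL is a constructed copy of the two records on this page; the function names are the example's own.

```python
"""Parse a FreeRADIUS radacct detail file and pair 802.1X accounting Start and
Stop records into sessions.

Added example, not Juniper's or FreeRADIUS's code. DETAIL is a constructed
copy of the two records shown on this page.
"""
import re
from typing import Dict, List, Optional, Tuple

DETAIL = """\
Thu Feb  7 01:01:00 2008
    User-Name = "md5user01"
    NAS-Port = 4325376
    Acct-Status-Type = Start
    Acct-Session-Id = "8O2.1x80101b"
    NAS-Identifier = "sys-java97"
    NAS-Port-Type = Virtual
    NAS-IP-Address = 10.93.15.197
    Client-IP-Address = 10.93.15.197
    Acct-Unique-Session-Id = "b0a382acdc4387a5"
    Timestamp = 1202374860

Thu Feb  7 02:34:47 2008
    User-Name = "md5user01"
    NAS-Port = 4325376
    Acct-Status-Type = Stop
    Acct-Session-Id = "8O2.1x8011b"
    Acct-Input-Octets = 0
    Acct-Output-Octets = 72
    Acct-Input-Packets = 0
    Acct-Output-Packets = 1
    Acct-Terminate-Cause = Lost-Carrier
    NAS-Identifier = "sys-java97"
    NAS-Port-Type = Virtual
    NAS-IP-Address = 10.93.15.197
    Client-IP-Address = 10.93.15.197
    Acct-Unique-Session-Id = "eb4e171ae562daf5"
    Timestamp = 1202380487
"""

# Indented "Name = Value" line; surrounding double quotes on the value are optional.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')

Record = Dict[str, str]
SessionKey = Tuple[Optional[str], Optional[str], Optional[str]]


def parse_detail(text: str) -> List[Record]:
    """A line starting in column 0 is the timestamp header of a new record."""
    records: List[Record] = []
    current: Optional[Record] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = {"_received": line.strip()}
            records.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return records


def session_key(rec: Record) -> SessionKey:
    """Start and Stop of one session share user, NAS and NAS port."""
    return (rec.get("User-Name"), rec.get("NAS-Identifier"), rec.get("NAS-Port"))


def pair_sessions(records: List[Record]) -> Tuple[List[dict], List[SessionKey]]:
    """Pair each Stop with the open Start for the same key. Pairing on Acct-Session-Id
    alone would miss the page's sample, whose Start and Stop carry different ids."""
    starts: Dict[SessionKey, Record] = {}
    sessions: List[dict] = []
    for rec in records:
        key = session_key(rec)
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            starts[key] = rec
        elif status == "Stop":
            start = starts.pop(key, None)
            stop_ts = int(rec["Timestamp"])
            sessions.append({
                "user": rec.get("User-Name"),
                "nas": rec.get("NAS-Identifier"),
                "duration": stop_ts - int(start["Timestamp"]) if start else None,
                "in_octets": int(rec.get("Acct-Input-Octets", "0")),
                "out_octets": int(rec.get("Acct-Output-Octets", "0")),
                "terminate_cause": rec.get("Acct-Terminate-Cause"),
                "session_id_mismatch": bool(start)
                                       and start.get("Acct-Session-Id") != rec.get("Acct-Session-Id"),
            })
    # Starts without a Stop are sessions still open (or whose Stop record was lost).
    return sessions, list(starts.keys())


def abnormal_disconnects(sessions: List[dict]) -> List[dict]:
    """Sessions the switch ended because the link dropped rather than by a logoff."""
    return [s for s in sessions if s["terminate_cause"] == "Lost-Carrier"]


if __name__ == "__main__":
    done, still_open = pair_sessions(parse_detail(DETAIL))
    for s in done:
        print(s)
    print("open sessions:", still_open)
```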
# dictionary.juniper
#
# Version: $Id: dictionary.juniper,v 1.2.6.1 2005/11/30 22:17:25 aland Exp $
#
VENDOR          Juniper                         2636

BEGIN-VENDOR    Juniper

ATTRIBUTE       Juniper-Local-User-Name         1       string
ATTRIBUTE       Juniper-Allow-Commands          2       string
ATTRIBUTE       Juniper-Deny-Commands           3       string
ATTRIBUTE       Juniper-Allow-Configuration     4       string
ATTRIBUTE       Juniper-Deny-Configuration      5       string
ATTRIBUTE       Juniper-Firewall-Filter         44      string
ATTRIBUTE       Juniper-Switching-Filter        48      string
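How the dictionary above is used on the wire, as an added Python example that is not FreeRADIUS or Juniper code: it reads the VENDOR/ATTRIBUTE lines into a map and then encodes and decodes a Juniper vendor-specific attribute in the RFC 2865 Vendor-Specific (type 26) layout, with vendor id 2636 and the attribute numbers from this page. DICTIONARY is a constructed copy of the listing plus the closing END-VENDOR line; the filter value in the `__main__` block is a placeholder, not Junos filter syntax.

```python
"""Build an attribute map from a FreeRADIUS-style dictionary and encode or decode
a Juniper vendor-specific RADIUS attribute (RFC 2865 Vendor-Specific, type 26).

Added example, not FreeRADIUS or Juniper code. DICTIONARY is a constructed copy
of this page's dictionary.juniper listing plus END-VENDOR.
"""
import struct
from typing import Dict, Optional, Tuple

VENDOR_SPECIFIC = 26  # RADIUS attribute type carrying every vendor attribute

DICTIONARY = """\
# dictionary.juniper (constructed copy of the page's listing)
VENDOR          Juniper                         2636
BEGIN-VENDOR    Juniper
ATTRIBUTE       Juniper-Local-User-Name         1       string
ATTRIBUTE       Juniper-Allow-Commands          2       string
ATTRIBUTE       Juniper-Deny-Commands           3       string
ATTRIBUTE       Juniper-Allow-Configuration     4       string
ATTRIBUTE       Juniper-Deny-Configuration      5       string
ATTRIBUTE       Juniper-Firewall-Filter         44      string
ATTRIBUTE       Juniper-Switching-Filter        48      string
END-VENDOR      Juniper
"""

# (vendor id, or None for a standard attribute; attribute number; data type)
Attr = Tuple[Optional[int], int, str]


def parse_dictionary(text: str) -> Dict[str, Attr]:
    """Map attribute names to (vendor id, number, type); '#' starts a comment."""
    vendors: Dict[str, int] = {}
    attrs: Dict[str, Attr] = {}
    current: Optional[int] = None  # vendor of the BEGIN-VENDOR block we are in
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        keyword = parts[0].upper()
        if keyword == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif keyword == "BEGIN-VENDOR":
            current = vendors[parts[1]]
        elif keyword == "END-VENDOR":
            current = None
        elif keyword == "ATTRIBUTE":
            attrs[parts[1]] = (current, int(parts[2]), parts[3])
    return attrs


def encode_vsa(attrs: Dict[str, Attr], name: str, value: str) -> bytes:
    """type 26 | length | vendor id (4 bytes) | vendor type | vendor length | data"""
    vendor_id, number, kind = attrs[name]
    if vendor_id is None:
        raise ValueError(f"{name} is not a vendor attribute")
    if kind != "string":
        raise NotImplementedError("only string attributes are handled here")
    data = value.encode()
    length = 8 + len(data)  # 6-byte VSA header + 2-byte vendor header + data
    if length > 255:  # RADIUS attribute length is a single byte
        raise ValueError("value too long for one attribute")
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, length, vendor_id, number, 2 + len(data))
    return header + data


def decode_vsa(attrs: Dict[str, Attr], blob: bytes) -> Tuple[str, str]:
    """Inverse of encode_vsa; rejects truncated or inconsistent length fields."""
    if len(blob) < 8:
        raise ValueError("attribute too short")
    atype, length, vendor_id, number, vlen = struct.unpack("!BBIBB", blob[:8])
    if atype != VENDOR_SPECIFIC or length != len(blob) or vlen != length - 6:
        raise ValueError("malformed vendor-specific attribute")
    for name, (vid, num, _kind) in attrs.items():
        if vid == vendor_id and num == number:
            return name, blob[8:].decode()
    raise KeyError(f"unknown attribute {number} for vendor {vendor_id}")


if __name__ == "__main__":
    table = parse_dictionary(DICTIONARY)
    vsa = encode_vsa(table, "Juniper-Switching-Filter", "example-filter")  # placeholder value
    print(vsa.hex(), decode_vsa(table, vsa))
```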
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
2.
Configure the frequency in seconds at which LLDP advertisements are sent from
the switch in the first second after it has detected an LLDP-capable device:
[edit protocols lldp]
user@switch# set fast-start 8
3.
4.
5.
6.
Related Topics
From the Configure menu, select the option Switching > LLDP.
The LLDP Configuration page displays LLDP Global Settings and Port Settings.
The second half of the screen displays operational details for the selected port.
2.
3.
Function
Your Action
Advertising interval
Transmit delay
Hold multiplier
Function
Your Action
LLDP Status
LLDP-MED Status
Related Topics
Configure the frequency at which LLDP-MED advertisements are sent from the
switch in the first second after it has detected an LLDP-MED device:
[edit protocols lldp-med]
user@switch# set fast-start 6
2.
3.
Configure the location information that is advertised from the switch to the
LLDP-MED device. You can specify a civic-based location (geographic location)
or a location based on an elin (emergency location identification string):
You can display the configuration settings using the show lldp command:
[edit protocols lldp-med]
user@switch> show lldp on page 881
LLDP                      : Enabled
Advertisement interval    : 30 seconds
Transmit delay            : 2 seconds
Hold timer                : 2 seconds
Config Trap Interval      : 60 seconds
Connection Hold timer     : 300 seconds
LLDP MED                  : Enabled
MED fast start count      : 6 Packets

Interface     LLDP       LLDP-MED
all           Enabled    -
ge-0/0/2.0    Enabled    Enabled
Related Topics
On a specific VLAN:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan default examine-dhcp
On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all examine-dhcp
2.
Enable DAI:
On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all arp-inspection
3.
Limit the number of dynamic MAC addresses and specify the action to take if
the limit is exceeded, for example, set a MAC limit of 5 with an action of drop:
On all interfaces:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface all mac-limit 5 action drop
4.
On all interfaces:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface all allowed-mac 00:05:85:3A:82:80
user@switch# set interface all allowed-mac 00:05:85:3A:82:81
user@switch# set interface all allowed-mac 00:05:85:3A:82:83
5.
Limit the number of times a MAC address can move from its original interface
in one second, for example, set a MAC move limit of 5 with an action of drop
if the limit is exceeded:
On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all mac-move-limit 5 action drop
6.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
From the Configure menu select the option Security > Port Security.
The first part of the screen displays a VLAN list with the VLAN name, VLAN
identifier, port members, and port security VLAN features.
The second part of the screen displays a list of all ports and whether security
features have been enabled on the ports.
2.
Click one:
Edit Click this option to modify the security features for the selected port
or VLAN.
Enter information as specified in Table 111 on page 770 to modify Port
Security settings on VLANs.
Enter information as specified in Table 112 on page 770 to modify Port
Security settings on interfaces.
switch.
Function
Your Action
DHCP Snooping
ARP Inspection
MAC Movement
MAC Movement
Action
Select one:
Function
Your Action
Trust DHCP
Function
Your Action
MAC Limit
Select one:
Related Topics
1.
Click Add.
2.
3.
Click OK.
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all examine-dhcp
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725
Understanding DHCP Snooping for Port Security on EX-series Switches on page 658
2.
3.
Click the Edit button. If a message appears asking if you want to enable port
security, click Yes.
4.
Select the Enable DHCP Snooping on VLAN check box and then click OK.
5.
NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs or interfaces
(ports), the message asking if you want to enable port security appears.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725
Understanding DHCP Snooping for Port Security on EX-series Switches on page 658
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
2.
3.
Click the Edit button. If a message appears asking if you want to enable port
security, click Yes.
4.
Select the Trust DHCP check box and then click OK.
5.
NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs or interfaces
(ports), the message asking if you want to enable port security appears.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all arp-inspection
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725
2.
3.
Click the Edit button. If a message appears asking if you want to enable port
security, click Yes.
4.
Select the Enable ARP Inspection on VLAN check box and then click OK.
5.
NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs or interfaces
(ports), the message asking if you want to enable port security appears.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725
Specific allowed MAC addresses for the access interface. Any MAC address
that is not in the list of configured addresses is not learned.
You configure MAC limiting for each interface, not for each VLAN. In the default
configuration, the limit for dynamically learned MAC addresses for each interface is
5 and the action that the switch will take if that limit is exceeded is none.
To configure MAC limiting on a specific interface or on all interfaces, using the CLI:
1.
For limiting the number of dynamic MAC addresses, set a MAC limit of 5 with
an action of drop if the limit is exceeded:
On all interfaces:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface all mac-limit 5 action drop
2.
On all interfaces:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface all allowed-mac 00:05:85:3A:82:80
user@switch# set interface all allowed-mac 00:05:85:3A:82:81
user@switch# set interface all allowed-mac 00:05:85:3A:82:83
Related Topics
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 729
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 721
Setting the none Action on an Interface to Override a MAC Limit Applied to All
Interfaces (CLI Procedure) on page 780
Understanding MAC Limiting and MAC Move Limiting for Port Security on
EX-series Switches on page 664
Specific allowed MAC addresses for the access interface. Any MAC address
that is not in the list of configured addresses is not learned.
You configure MAC limiting for each interface, not for each VLAN. In the default
configuration, the limit for dynamically learned MAC addresses for each interface is
5 and the action that the switch will take if that limit is exceeded is none.
To enable MAC limiting on one or more interfaces using the J-Web interface:
1.
2.
3.
Click the Edit button. If a message appears asking if you want to enable port
security, click Yes.
4.
5.
1.
2.
Select an action from the MAC Limit Action box. The switch takes this action
when the limit is exceeded.
Click Add.
2.
6.
7.
NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs or interfaces
(ports), the message asking if you want to enable port security appears.
Related Topics
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 729
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 721
Setting the none Action on an Interface to Override a MAC Limit Applied to All
Interfaces (CLI Procedure) on page 780
Understanding MAC Limiting and MAC Move Limiting for Port Security on
EX-series Switches on page 664
On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all mac-move-limit 5 action drop
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Understanding MAC Limiting and MAC Move Limiting for Port Security on
EX-series Switches on page 664
2.
3.
Click the Edit button. If a message appears asking if you want to enable port
security, click Yes.
4.
5.
1.
2.
Select an action from the MAC Movement Action box. The switch takes this
action when the limit is exceeded.
3.
Click OK.
NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs or interfaces
(ports), the message asking if you want to enable port security appears.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Understanding MAC Limiting and MAC Move Limiting for Port Security on
EX-series Switches on page 664
Setting the none Action on an Interface to Override a MAC Limit Applied to All
Interfaces (CLI Procedure)
If you set a MAC limit in your port security settings to apply to all interfaces on the
EX-series switch, you can override that setting for a particular interface by specifying
action none.
To use the none action to override a MAC limit setting:
1.
2.
Then change the action for one interface (here, ge-0/0/2) with this command.
You don't need to specify a limit value.
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 mac-limit action none
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
NOTE: IP source guard applies only to access interfaces and only to untrusted
interfaces. If you enable IP source guard on a VLAN that includes trunk interfaces or
an interface set to dhcp-trusted, the CLI shows an error when you try to commit the
configuration.
Before you configure IP source guard, be sure that you have:
Enabled DHCP snooping on the VLAN or VLANs on which you will configure IP source
guard. See Enabling DHCP Snooping (CLI Procedure) on page 771.
To enable IP source guard on a VLAN, all VLANs, or a VLAN range (a series of tagged
VLANs) by using the CLI:
NOTE: Replace values displayed in italics with values for your configuration.
On a specific VLAN:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan default ip-source-guard
On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all ip-source-guard
On a VLAN range:
a.
b.
c.
NOTE: You can use the no-ip-source-guard statement to disable IP source guard for a
specific VLAN after you have enabled the feature for all VLANs.
To view results of the configuration steps before committing the configuration, type
the show command at the user prompt.
To commit these changes to the active configuration, type the commit command at
the user prompt.
Related Topics
Understanding IP Source Guard for Port Security on EX-series Switches on page 666
Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure)
You can add static (fixed) IP addresses and bind them to fixed MAC addresses in the
DHCP snooping database. These bindings are labeled as static in the database,
while those bindings that have been added through the process of DHCP snooping
are labeled dynamic.
To configure a static IP address/MAC address binding in the DHCP snooping database,
by using the CLI:
NOTE: Replace values displayed in italics with values for your configuration.
To view results of the configuration steps before committing the configuration, type
the show command at the user prompt.
To commit these changes to the active configuration, type the commit command at
the user prompt.
Related Topics
Understanding DHCP Snooping for Port Security on EX-series Switches on page 658
Chapter 46
Use the monitoring feature to display details of authenticated users and users who
have failed authentication.
Action
To display authentication details in the J-Web interface, select Monitoring > Security
> 802.1X.
To display authentication details in the CLI, enter the following commands:
Meaning
You can also specify an interface for which the details must be displayed.
Related Topics
Action
To monitor port security in the J-Web interface, select Monitor > Security > Port
Security.
To monitor and manipulate the DHCP snooping database and ARP inspection statistics
in the CLI, enter the following commands:
clear dhcp snooping binding: In addition to clearing the whole database, you can
Meaning
DHCP Snooping: Displays the DHCP snooping database for all the VLANs for which DHCP snooping is enabled. To view the DHCP snooping database for a specific VLAN, select the specific VLAN from the list.
ARP Inspection: Displays the ARP inspection details for all interfaces. The information includes the number of packets that passed ARP inspection and the number of packets that failed the inspection. The pie chart graphically represents these statistics when you select an interface. To view ARP inspection statistics for a specific interface, select the interface from the list.
Clear ALL: Clears the DHCP snooping database, either for all VLANs if the option ALL has been selected in the Select VLANs list or for the specific VLAN that has been selected in that list.
To clear ARP statistics on the page, click Clear All in the ARP Statistics section.
Use the CLI commands to show and clear DHCP snooping database and ARP
inspection statistics details.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Action
Verify that DHCP snooping is working on the switch and that the DHCP snooping
database is correctly populated with both dynamic and static bindings.
Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the interface on which the DHCP
server connects to the switch is trusted. The following output results when requests
are sent from the MAC addresses and the server has provided the IP addresses and
leases:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN      Interface
00:05:85:3A:82:77   192.0.2.17   600              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19   720              dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:81   192.0.2.20   932              dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:83   192.0.2.21   1230             dynamic  employee  ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22   -                static   data      ge-0/0/4.0
Meaning
When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see preceding sample) shows, for each MAC address, the assigned IP address and lease time, that is, the time, in seconds, remaining before the lease expires. Static IP addresses have no assigned lease time. The statically configured entry never expires.
If the DHCP server had been configured as untrusted, the output would look like this:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN      Interface
00:05:85:3A:82:77   0.0.0.0      -                dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79   0.0.0.0      -                dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80   0.0.0.0      -                dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:81   0.0.0.0      -                dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:83   0.0.0.0      -                dynamic  employee  ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22   -                static   data      ge-0/0/4.0
In the preceding output sample, IP addresses and lease times are not assigned to the
dynamically learned bindings because the DHCP clients do not have a trusted server
to which they can send requests. In the database, the clients' MAC addresses are
shown with no assigned IP addresses (hence the 0.0.0.0 content in the IP Address
column) and no leases (the lease time is shown as a dash in the Lease column).
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725
Action
Verify that a DHCP trusted server is working on the switch. See what happens when
the DHCP server is trusted and then untrusted.
Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the interface on which the DHCP
server connects to the switch is trusted. The following output results when requests
are sent from the MAC addresses and the server has provided the IP addresses and
leases:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address         IP Address   Lease  Type     VLAN          Interface
-----------------   ----------   -----  -------  ------------  ----------
00:05:85:3A:82:77   192.0.2.17   600    dynamic  employeevlan  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653    dynamic  employeevlan  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19   720    dynamic  employeevlan  ge-0/0/2.0
00:05:85:3A:82:81   192.0.2.20   932    dynamic  employeevlan  ge-0/0/2.0
00:05:85:3A:82:83   192.0.2.21   1230   dynamic  employeevlan  ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22   3200   dynamic  employeevlan  ge-0/0/2.0
Meaning
When the interface on which the DHCP server connects to the switch has been set to trusted, the output (see preceding sample) shows, for each MAC address, the assigned IP address and lease time, that is, the time, in seconds, remaining before the lease expires.
If the DHCP server had been configured as untrusted, the output would look like this:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address         IP Address   Lease  Type     VLAN          Interface
-----------------   ----------   -----  -------  ------------  ----------
00:05:85:3A:82:77   0.0.0.0      -      dynamic  employeevlan  ge-0/0/1.0
00:05:85:3A:82:79   0.0.0.0      -      dynamic  employeevlan  ge-0/0/1.0
00:05:85:3A:82:80   0.0.0.0      -      dynamic  employeevlan  ge-0/0/2.0
00:05:85:3A:82:81   0.0.0.0      -      dynamic  employeevlan  ge-0/0/2.0
00:05:85:3A:82:83   0.0.0.0      -      dynamic  employeevlan  ge-0/0/2.0
00:05:85:27:32:88   0.0.0.0      -      dynamic  employeevlan  ge-0/0/2.0
In the preceding output sample, IP addresses and lease times are not assigned because
the DHCP clients do not have a trusted server to which they can send requests. In
the database, the clients' MAC addresses are shown with no assigned IP addresses
(hence the 0.0.0.0 content in the IP Address column) and no leases (the lease time
is shown as a dash in the Lease column).
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Meaning
The sample output shows the number of ARP packets received and inspected per interface, with a listing of how many packets passed and how many failed the inspection on each interface. The switch compares the ARP requests and replies against the entries in the DHCP snooping database. If a MAC address or IP address in the ARP packet does not match a valid entry in the database, the packet is dropped.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 725
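The DAI match rule just described, and the 0.0.0.0 entries that appear when the server's interface is not dhcp-trusted, can both be checked from the binding table. The following Python is an added example, not code from the Juniper guide: it parses sample show dhcp snooping binding output constructed from the tables in this section and applies the guide's rule to an ARP sender MAC/IP pair; the Binding class, the function names and the per-VLAN scoping of the lookup are assumptions.

```python
"""Added example (not from the Juniper guide): parse 'show dhcp snooping
binding' output and apply the DAI rule the guide states, i.e. an ARP packet
passes only if its sender MAC/IP pair matches a valid binding on that VLAN."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample mirroring the guide's trusted-server output.
SAMPLE_TRUSTED = """\
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN      Interface
00:05:85:3A:82:77   192.0.2.17   600              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19   720              dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:81   192.0.2.20   932              dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:83   192.0.2.21   1230             dynamic  employee  ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22   -                static   data      ge-0/0/4.0
"""

# Constructed sample: the same clients when the server port is not dhcp-trusted.
SAMPLE_UNTRUSTED = """\
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN      Interface
00:05:85:3A:82:77   0.0.0.0      -                dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79   0.0.0.0      -                dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80   0.0.0.0      -                dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:81   0.0.0.0      -                dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:83   0.0.0.0      -                dynamic  employee  ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22   -                static   data      ge-0/0/4.0
"""


@dataclass(frozen=True)
class Binding:  # hypothetical record type, one per table row
    mac: str
    ip: str
    lease: Optional[int]  # None where the switch prints '-' (static or unresolved)
    kind: str             # 'dynamic' or 'static'
    vlan: str
    interface: str


# One binding row: MAC, IP, lease seconds or '-', type, VLAN, interface.
ROW_RE = re.compile(
    r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\S+)\s+(\d+|-)\s+"
    r"(dynamic|static)\s+(\S+)\s+(\S+)$"
)


def parse_bindings(output: str) -> List[Binding]:
    """Turn the CLI table into Binding records; header and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            mac, ip, lease, kind, vlan, ifc = m.groups()
            rows.append(Binding(mac.upper(), ip, None if lease == "-" else int(lease),
                                kind, vlan, ifc))
    return rows


def unresolved_bindings(bindings: List[Binding]) -> List[Binding]:
    """Dynamic entries with 0.0.0.0 and no lease: the guide's sign that the
    interface facing the DHCP server has not been set to dhcp-trusted."""
    return [b for b in bindings
            if b.kind == "dynamic" and b.ip == "0.0.0.0" and b.lease is None]


def dai_verdict(bindings: List[Binding], vlan: str,
                sender_mac: str, sender_ip: str) -> str:
    """'pass' if the ARP sender pair matches a valid binding on the VLAN, else 'drop'.
    An unresolved 0.0.0.0 entry is not a valid binding, so it never validates a packet."""
    for b in bindings:
        if (b.vlan == vlan and b.mac == sender_mac.upper()
                and b.ip == sender_ip and b.ip != "0.0.0.0"):
            return "pass"
    return "drop"
```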
Specific allowed MAC addresses for the access interface: Any MAC address that is not in the list of configured addresses is not learned.
Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly
Purpose
Verify that MAC limiting for dynamic MAC addresses is working on the switch.
Action
Display the MAC addresses that have been learned. The following sample output shows the results when two DHCP requests were sent from hosts on ge-0/0/1 and five DHCP requests were sent from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 4 with the action drop:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 6 learned
VLAN           MAC address         Type   Age  Interfaces
employee-vlan  *                   Flood  -    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:77   Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:79   Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:80   Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:81   Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:83   Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:85   Learn  0    ge-0/0/2.0
Meaning
The sample output shows that with a MAC limit of 4 for each interface, the DHCP
request for a fifth MAC address on ge-0/0/2 was dropped because it exceeded the
MAC limit. The address was not learned, and thus an asterisk (*) rather than an
address appears in the MAC address column in the first line of the sample output.
Action
Display the MAC cache information after allowed MAC addresses have been configured on an interface. The following sample shows the MAC cache after 5 allowed MAC addresses had been configured on interface ge-0/0/2. In this instance, the interface was also set to a dynamic MAC limit of 4 with action drop.
user@switch> show ethernet-switching table
Ethernet-switching table: 5 entries, 4 learned
VLAN           MAC address         Type   Age  Interfaces
employee-vlan  00:05:85:3A:82:80   Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:81   Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:83   Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:85   Learn  0    ge-0/0/2.0
employee-vlan  *                   Flood  -    ge-0/0/2.0
Meaning
Because the MAC limit value for this interface had been set to 4, only four of the five
configured allowed addresses were learned and thus added to the MAC cache. Because
that fifth address was not learned, an asterisk (*) rather than an address appears in
the MAC address column in the last line of the sample output.
Verifying Results of Various Action Settings When the MAC Limit Is Exceeded
Purpose
Verify the results provided by the various action settings for MAC limits (drop, log, and shutdown) when the limits are exceeded.
Action
Display the results of the various action settings.
NOTE: You can view log messages by using the show log messages command. You can also have log messages displayed as they are generated by using the monitor start messages command.
drop action: For MAC limiting configured with a drop action and with the MAC limit set to 5:
user@switch> show ethernet-switching table
Ethernet-switching table: 6 entries, 5 learned
VLAN          MAC address         Type   Age  Interfaces
employeevlan  *                   Flood       ge-0/0/2.0
employeevlan  00:05:85:3A:82:80   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:81   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:83   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:85   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:88   Learn       ge-0/0/2.0
log action: For MAC limiting configured with a log action and with the MAC limit set to 5:
user@switch> show ethernet-switching table
Ethernet-switching table: 74 entries, 73 learned
VLAN          MAC address         Type   Age  Interfaces
employeevlan  *                   Flood       ge-0/0/2.0
employeevlan  00:05:85:3A:82:80   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:81   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:82   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:83   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:84   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:85   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:87   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:88   Learn       ge-0/0/2.0
. . .
shutdown action: For MAC limiting configured with a shutdown action and with the MAC limit set to 3:
user@switch> show ethernet-switching table
Ethernet-switching table: 4 entries, 3 learned
VLAN          MAC address         Type   Age  Interfaces
employeevlan  *                   Flood       ge-0/0/2.0
employeevlan  00:05:85:3A:82:82   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:84   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:87   Learn       ge-0/0/2.0
Meaning
For the drop action results: The sixth MAC address exceeded the MAC limit. The request packet for that address was dropped. Only five MAC addresses have been learned on ge-0/0/2.
For the log action results: The sixth MAC address exceeded the MAC limit. No MAC addresses were blocked.
For the shutdown action results: The fourth MAC address exceeded the MAC limit. The request packet for that address was dropped. Only three MAC addresses have been learned on ge-0/0/2. Data traffic on ge-0/0/2 is blocked.
NOTE: With action set to shutdown, the show ethernet-switching interfaces detail command (see show ethernet-switching interfaces on page 545) shows the interface as blocked.
If you set a MAC limit to apply to all interfaces on the switch, you can override that
setting for a particular interface by specifying action none. See Setting the none
Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI
Procedure) on page 780.
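To relate the three outputs above to the configured limit, the following Python is an added example, not code from the Juniper guide: it counts Learn entries per interface in show ethernet-switching table output and treats a Flood row with an asterisk as the guide's sign of a dropped request, using samples constructed from the drop-action and log-action outputs; the function names and the limit-reached/over-limit labels are assumptions.

```python
"""Added example (not from the Juniper guide): audit 'show ethernet-switching
table' output against a configured MAC limit, per interface."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: drop action, limit 5 (5 learned plus one Flood row).
# The Age column is left blank, as in the guide's output for this case.
SAMPLE_DROP = """\
Ethernet-switching table: 6 entries, 5 learned
VLAN          MAC address         Type   Age  Interfaces
employeevlan  *                   Flood       ge-0/0/2.0
employeevlan  00:05:85:3A:82:80   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:81   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:83   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:85   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:88   Learn       ge-0/0/2.0
"""

# Constructed sample: log action, limit 5; only the rows the guide shows
# of its longer table, which is enough to see learning continue past 5.
SAMPLE_LOG = """\
Ethernet-switching table: 74 entries, 73 learned
VLAN          MAC address         Type   Age  Interfaces
employeevlan  *                   Flood       ge-0/0/2.0
employeevlan  00:05:85:3A:82:80   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:81   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:82   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:83   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:84   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:85   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:87   Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:88   Learn       ge-0/0/2.0
"""

Row = Tuple[str, str, str, str]  # (vlan, mac, type, interface)


def parse_table(output: str) -> List[Row]:
    """Return (vlan, mac, type, interface) per row. The Age cell may be
    present or blank, so the interface is taken as the last token."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] not in ("Learn", "Flood", "Static"):
            continue  # banner, header, or ". . ." continuation line
        rows.append((parts[0], parts[1], parts[2], parts[-1]))
    return rows


def learned_per_interface(output: str) -> Dict[str, int]:
    """Number of dynamically learned (Learn) entries on each interface."""
    counts: Dict[str, int] = defaultdict(int)
    for _vlan, _mac, typ, ifc in parse_table(output):
        if typ == "Learn":
            counts[ifc] += 1
    return dict(counts)


def flood_interfaces(output: str) -> List[str]:
    """Interfaces with an asterisk Flood row, which the guide explains is
    what appears when a request for an address beyond the limit was dropped."""
    return sorted({ifc for _v, mac, typ, ifc in parse_table(output)
                   if typ == "Flood" and mac == "*"})


def audit(output: str, limit: int) -> Dict[str, str]:
    """Classify each interface against the limit:
    'over-limit'    learned count exceeds the limit (possible with action log),
    'limit-reached' learned count equals the limit and a Flood row is present
                    (drop or shutdown action took effect),
    'ok'            otherwise."""
    learned = learned_per_interface(output)
    flooded = set(flood_interfaces(output))
    verdict = {}
    for ifc in sorted(set(learned) | flooded):
        n = learned.get(ifc, 0)
        if n > limit:
            verdict[ifc] = "over-limit"
        elif n == limit and ifc in flooded:
            verdict[ifc] = "limit-reached"
        else:
            verdict[ifc] = "ok"
    return verdict
```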
Customizing the Ethernet Switching Table Display to View Information for a Specific
Interface
Purpose
You can use the show ethernet-switching table interface command (see show ethernet-switching table on page 550) to view information for a specific interface.
Action
For example, to view information for just the ge-0/0/2 interface, type:
user@switch> show ethernet-switching table interface ge-0/0/2.0
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 729
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 721
Action
VLAN           MAC address         Type   Age  Interfaces
employee-vlan  00:05:85:3A:82:77   Learn       ge-0/0/1.0
employee-vlan  00:05:85:3A:82:79   Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:80   Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:81   Learn  0    ge-0/0/2.0
employee-vlan  *                   Flood  -    ge-0/0/2.0
employee-vlan  *                   Flood       ge-0/0/2.0
Meaning
The last two lines of the sample output show that DHCP requests for two hosts on ge-0/0/2 were dropped when the hosts had been moved back and forth from the original interfaces more than five times in 1 second. The MAC addresses for those hosts were not learned.
NOTE: For descriptions of the results of the various action settings (drop, log, and shutdown), see Verifying That MAC Limiting Is Working Correctly on page 790.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708
Purpose
Verify that IP source guard is enabled and is mitigating the effects of any source IP spoofing attacks on the EX-series switch.
Action
Display the IP source guard database.
user@switch> show ip-source-guard
IP source guard information:
Interface     Tag  IP Address   MAC Address         VLAN
ge-0/0/12.0        10.10.10.7   00:30:48:92:A5:9D   vlan100
ge-0/0/13.0        10.10.10.9   00:30:48:8D:01:3D   vlan100
ge-0/0/13.0   100  *            *                   voice
Meaning
The IP source guard database table contains the VLANs enabled for IP source guard, the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there are any, and the IP addresses and MAC addresses that are bound to one another. If a switch interface is associated with multiple VLANs and some of those VLANs are enabled for IP source guard and others are not, the VLANs that are not enabled for IP source guard have a star (*) in the IP Address and MAC Address fields. See the entry for the voice VLAN in the preceding sample output.
Related Topics
Chapter 47: Configuration Statements for 802.1X, Port Security, and VoIP
        }
        interface (all | interface-name) {
            disable;
            guest-vlan (vlan-name | vlan-id);
            maximum-requests seconds;
            no-reauthentication;
            quiet-period seconds;
            reauthentication {
                interval seconds;
            }
            retries number;
            server-timeout seconds;
            supplicant (single | single-secure | multiple);
            supplicant-timeout seconds;
            transmit-period seconds;
        }
    }
    gvrp {
        <enable | disable>;
        interface (all | [interface-name]) {
            disable;
        }
        join-timer milliseconds;
        leave-timer milliseconds;
        leaveall-timer milliseconds;
    }
    igmp-snooping {
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
            flag flag (detail | disable | receive | send);
        }
        vlan (vlan-id | vlan-number) {
            disable {
                interface interface-name;
            }
            immediate-leave;
            interface interface-name {
                multicast-router-interface;
                static {
                    group ip-address;
                }
            }
            query-interval seconds;
            query-last-member-interval seconds;
            query-response-interval seconds;
            robust-count number;
        }
    }
    lldp {
        disable;
        advertisement-interval seconds;
        hold-multiplier number;
        interface (all | interface-name) {
            disable;
        }
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
            flag flag (detail | disable | receive | send);
        }
        transmit-delay seconds;
    }
    lldp-med {
        disable;
        fast-start number;
        interface (all | interface-name) {
            disable;
            location {
                elin number;
                civic-based {
                    what number;
                    country-code code;
                    ca-type {
                        number {
                            ca-value value;
                        }
                    }
                }
            }
        }
    }
    mstp {
        disable;
        bpdu-block-on-edge;
        bridge-priority priority;
        configuration-name name;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        max-hops hops;
        msti msti-id {
            vlan (vlan-id | vlan-name);
            interface interface-name {
                disable;
                cost cost;
                edge;
                mode mode;
                priority priority;
            }
        }
        revision-level revision-level;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
            flag flag;
        }
    }
    rstp {
        disable;
        bpdu-block-on-edge;
        bridge-priority priority;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
    }
    traceoptions {
        file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
        flag flag;
    }
    stp {
        disable;
        bridge-priority priority;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
    }
    traceoptions {
access
Syntax
access {
    profile profile-name {
        authentication-order [ldap radius | none];
        accounting {
            order [radius | none];
            stop-on-access-deny;
            stop-on-failure;
        }
        radius {
            accounting-server [server-addresses];
            authentication-server [server-addresses];
        }
    }
}
Hierarchy Level
[edit]
Release Information
Description
Default
Not enabled
Required Privilege Level
admin: To view this statement in the configuration.
admin-control: To add this statement to the configuration.
Related Topics
accounting
Syntax
accounting {
    order radius | none;
    stop-on-access-deny;
    stop-on-failure;
}
Hierarchy Level
[edit access profile profile-name]
Release Information
Description
Default
Not enabled
Options
accounting-server
Syntax
accounting-server [server-addresses];
Hierarchy Level
[edit access profile profile-name radius]
Release Information
Description
Default
Not enabled
Options
advertisement-interval
Syntax
advertisement-interval seconds;
Hierarchy Level
[edit protocols lldp]
Release Information
Description
Default
Disabled.
Options
allowed-mac
Syntax
allowed-mac {
    mac-address-list;
}
Hierarchy Level
[edit ethernet-switching-options secure-access-port interface (all | interface-name)]
Release Information
Description
Default
Allowed MAC addresses take precedence over dynamic MAC values that have been applied with the mac-limit statement.
Options
mac-limit
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 729
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 721
arp-inspection
Syntax
(arp-inspection | no-arp-inspection);
Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]
Release Information
Description
Default
Disabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 725
authentication-order
Syntax
Hierarchy Level
Release Information
Description
Default
Not enabled
Options
authenticator
Syntax
authenticator {
    authentication-profile-name access-profile-name;
    static {
        mac-address {
            vlan-assignment (vlan-id | vlan-name);
            interface interface-names;
        }
    }
}
Hierarchy Level
[edit protocols dot1x]
Release Information
Description
Default
Required Privilege Level
Related Topics
authentication-profile-name
Syntax
authentication-profile-name access-profile-name;
Hierarchy Level
[edit protocols dot1x authenticator]
Release Information
Description
Default
Options
authentication-server
Syntax
authentication-server [server-addresses];
Hierarchy Level
Release Information
Description
Options
Related Topics
Default
ca-type
Syntax
ca-type {
    number {
        ca-value value;
    }
}
Hierarchy Level
[edit protocols lldp-med interface (all | interface-name) location civic-based]
Release Information
Description
Default
Disabled.
Options
value: Civic address elements that represent the civic or postal address. Values are:
ca-value
Syntax
ca-value value;
Hierarchy Level
Release Information
Description
Options
value: Specify a value that correlates to the ca-type. See ca-type for a list of codes and suggested values.
Related Topics
Default
civic-based
Syntax
civic-based {
    what number;
    country-code code;
    ca-type {
        number {
            ca-value value;
        }
    }
}
Hierarchy Level
[edit protocols lldp-med interface (all | interface-name) location]
Release Information
Description
Default
Disabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
country-code
Syntax
country-code code;
Hierarchy Level
[edit protocols lldp-med interface (all | interface-name)]
Release Information
Description
Default
Disabled.
Options
code: Two-letter ISO 3166 country code in capital ASCII letters; for example, US or DE.
Required Privilege Level
Related Topics
dhcp-trusted
Syntax
(dhcp-trusted | no-dhcp-trusted);
Hierarchy Level
[edit ethernet-switching-options secure-access-port interface (all | interface-name)]
Release Information
Description
Default
Required Privilege Level
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
disable
Syntax
disable;
Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]
Release Information
Description
Default
Required Privilege Level
Related Topics
disable
Syntax
disable;
Hierarchy Level
[edit protocols lldp],
[edit protocols lldp interface]
Release Information
Description
Default
disable
Syntax
disable;
Hierarchy Level
[edit protocols lldp-med],
[edit protocols lldp-med interface]
Release Information
Description
Default
dot1x
Syntax
dot1x {
    authenticator {
        authentication-profile-name access-profile-name;
        static {
            mac-address {
                vlan-assignment (vlan-id | vlan-name);
                interface interface-names;
            }
        }
        interface (all | [ interface-names ]) {
            disable;
            guest-vlan (vlan-name | vlan-id);
            maximum-requests number;
            no-reauthentication;
            quiet-period seconds;
            reauthentication {
                interval seconds;
            }
            retries number;
            server-timeout seconds;
            supplicant (single | single-secure | multiple);
            supplicant-timeout seconds;
            transmit-period seconds;
        }
    }
}
Hierarchy Level
[edit protocols]
Release Information
Description
Default
802.1X is disabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
elin
Syntax
elin number;
Hierarchy Level
[edit protocols lldp-med interface (all | interface-name) location]
Release Information
Description
Default
Disabled.
Options
ethernet-switching-options
Syntax
ethernet-switching-options {
    analyzer {
        name {
            loss-priority priority;
            ratio number;
            input {
                ingress {
                    interface (all | interface-name);
                    vlan (vlan-id | vlan-name);
                }
                egress {
                    interface (all | interface-name);
                }
            }
            output {
                interface interface-name;
                vlan (vlan-id | vlan-name);
            }
        }
    }
    bpdu-block {
        interface (all | [interface-name]);
        disable-timeout timeout;
    }
    redundant-trunk-group {
        group-name name {
            interface interface-name <primary>;
            interface interface-name;
        }
    }
    secure-access-port {
        interface (all | interface-name) {
            allowed-mac {
                mac-address-list;
            }
            (dhcp-trusted | no-dhcp-trusted);
            mac-limit limit action action;
            static-ip ip-address {
                vlan vlan-name;
                mac mac-address;
            }
        }
        vlan (all | vlan-name) {
            (arp-inspection | no-arp-inspection);
            (examine-dhcp | no-examine-dhcp);
            (ip-source-guard | no-ip-source-guard);
            mac-move-limit limit action action;
        }
    }
    storm-control {
        interface (all | interface-name) {
            level level;
            no-broadcast;
            no-unknown-unicast;
        }
    }
    traceoptions {
        file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
        flag flag <disable>;
    }
    voip {
        interface (all | [interface-name | access-ports]) {
            vlan vlan-name;
            forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
        }
    }
}
Hierarchy Level
[edit]
Release Information
Description
examine-dhcp
Syntax
(examine-dhcp | no-examine-dhcp);
Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]
Release Information
Description
Default
Disabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 725
fast-start
Syntax
fast-start seconds;
Hierarchy Level
[edit protocols lldp-med]
Release Information
Description
Options
Range: 1 through 10
Default: 3
Required Privilege Level
Related Topics
forwarding-class
Syntax
Hierarchy Level
Release Information
Description
Default
Disabled.
Options
class: Forwarding class:
can define and includes four subclasses: AF1, AF2, AF3, and AF4, each with three drop probabilities: low, medium, and high.
best-effort: Provides no service profile. For the best effort forwarding class, loss priority is typically not carried in a class-of-service (CoS) value, and random early detection (RED) drop profiles are more aggressive.
control.
Required Privilege Level
Related Topics
guest-vlan
Syntax
Hierarchy Level
Release Information
Description
Default
None
Options
hold-multiplier
Syntax
hold-multiplier number;
Hierarchy Level
[edit protocols lldp]
Release Information
Description
Default
Disabled.
Options
Range: 2 through 10
Default: 4 (or 120 seconds)
Required Privilege Level
Related Topics
interface
Syntax
Hierarchy Level
Release Information
Description
Options
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 729
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 721
interface
Syntax
Hierarchy Level
Release Information
Description
Default
Not enabled
Options
interface
Syntax
Hierarchy Level
Release Information
Description
Default
None
Options
interface
Syntax
Hierarchy Level
Release Information
Description
Options
interface
Syntax
Hierarchy Level
Release Information
Description
Options
ip-source-guard
Syntax
(ip-source-guard | no-ip-source-guard);
Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]
Release Information
Description
Default
Disabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
lldp
Syntax
lldp {
  disable;
  advertisement-interval seconds;
  fast-start number;
  hold-multiplier number;
  interface (all | [interface-name]) {
    disable;
  }
  traceoptions {
    file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
    flag flag (detail | disable | receive | send);
  }
  transmit-delay seconds;
}
Hierarchy Level
[edit protocols]
Release Information
Description
Default
LLDP is enabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
lldp-med
Syntax
lldp-med {
  disable;
  fast-start number;
  interface (all | interface-name) {
    disable;
    location {
      elin number;
      civic-based {
        what number;
        country-code code;
        ca-type {
          number {
            ca-value value;
          }
        }
      }
    }
  }
}
Hierarchy Level
[edit protocols]
Release Information
Description
Default
Disabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
location
Syntax
location {
  elin number;
  civic-based {
    what number;
    country-code code;
    ca-type {
      number {
        ca-value value;
      }
    }
  }
}
Hierarchy Level
[edit protocols lldp-med interface (all | interface-name)]
Release Information
Description
Default
Disabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
mac
Syntax
mac mac-address;
Hierarchy Level
[edit ethernet-switching-options secure-access-port interface (all | interface-name) static-ip ip-address vlan vlan-name]
Release Information
Description
Options
Required Privilege Level
Related Topics
mac-limit
Syntax
mac-limit limit action action;
Hierarchy Level
[edit ethernet-switching-options secure-access-port interface (all | interface-name)]
Release Information
Description
Default
The default limit is 5 MAC addresses for each interface (port). The default action is no action (none).
Options
drop: Drop the packet and generate an alarm, an SNMP trap, or a system log entry.
log: Do not drop the packet but generate an alarm, an SNMP trap, or a system log entry.
Related Topics
allowed-mac
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 729
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 721
mac-move-limit
Syntax
mac-move-limit limit action action;
Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]
Release Information
Description
Default
The default move limit is unlimited. The default action is no action (none).
Options
drop: Drop the packet and generate an alarm, an SNMP trap, or a system log entry.
log: Do not drop the packet but generate an alarm, an SNMP trap, or a system log entry.
Related Topics
mac-limit
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
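The following is an added detection model of the mac-move-limit behaviour described above; it is not Juniper's code. The page gives the per-VLAN limit and the drop/log actions but not the counting window, so the one-second window is an assumption, and the MAC address and timestamps in the replayed events are constructed.

```python
"""Detection model for mac-move-limit as described above.

Added example, not Juniper's code. The page gives the per-VLAN limit and
the drop/log actions but not the counting window, so this model assumes
(labelled assumption) that the limit is the number of times one MAC may
move between interfaces of a VLAN within a one-second window. Sample
events use the guest VLAN and interfaces from the show dhcp snooping
binding output in this guide; the MAC and timestamps are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple


class MacMoveLimiter:
    def __init__(self, limit: Optional[int] = None, action: str = "none", window: float = 1.0):
        self.limit, self.action, self.window = limit, action, window     # limit None = unlimited
        self.location: Dict[Tuple[str, str], str] = {}                   # (vlan, mac) -> interface
        self.moves: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)  # move timestamps

    def observe(self, ts: float, vlan: str, mac: str, interface: str) -> Tuple[str, Optional[str]]:
        """Handle one source-MAC learning event; return (verdict, alert)."""
        key = (vlan, mac.lower())
        previous = self.location.get(key)
        self.location[key] = interface
        if previous is None or previous == interface:
            return "forward", None
        # The MAC now appears on a different interface than it was learned on.
        recent = self.moves[key]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if self.limit is None or len(recent) <= self.limit or self.action == "none":
            return "forward", None
        alert = (f"MAC {key[1]} in {vlan} moved {len(recent)} times within {self.window}s "
                 f"(limit {self.limit}), last from {previous} to {interface}")
        # Both actions raise the alarm/trap/log entry; only drop discards the packet.
        return ("drop" if self.action == "drop" else "forward"), alert


def run_sample(action: str, limit: Optional[int] = 2):
    """Replay a constructed flapping sequence; return the list of (verdict, alert) pairs."""
    limiter = MacMoveLimiter(limit=limit, action=action)
    events = [  # constructed: one MAC flapping between two access ports in VLAN guest
        (0.00, "guest", "00:11:22:33:44:55", "ge-0/0/12.0"),
        (0.10, "guest", "00:11:22:33:44:55", "ge-0/0/13.0"),
        (0.20, "guest", "00:11:22:33:44:55", "ge-0/0/12.0"),
        (0.30, "guest", "00:11:22:33:44:55", "ge-0/0/13.0"),
        (2.00, "guest", "00:11:22:33:44:55", "ge-0/0/12.0"),  # window has drained by now
    ]
    return [limiter.observe(*event) for event in events]
```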
maximum-requests
Syntax
maximum-requests number;
Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]
Release Information
Description
Default
Options
Range: 1 through 10
Default: 2
Required Privilege Level
Related Topics
no-reauthentication
Syntax
no-reauthentication;
Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]
Release Information
Description
Default
Required Privilege Level
Related Topics
order
Syntax
Hierarchy Level
Release Information
Description
Default
Not enabled
Options
[ radius | none ]: Use multiple types of accounting in the order specified. RADIUS
subscribers.
profile
Syntax
profile profile-name {
  accounting {
    order [radius | none];
    stop-on-access-deny;
    stop-on-failure;
  }
  authentication-order [authentication-method];
  radius {
    accounting-server [server-addresses];
    authentication-server [server-addresses];
  }
}
Hierarchy Level
[edit access]
Release Information
Description
Default
Not enabled
Options
quiet-period
Syntax
quiet-period seconds;
Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]
Release Information
Description
Default
60 seconds
Options
radius
Syntax
radius {
  accounting-server [server-addresses];
  authentication-server [server-addresses];
}
Hierarchy Level
[edit access profile profile-name]
Release Information
Description
reauthentication
Syntax
reauthentication {
  interval seconds;
}
Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]
Release Information
Description
Default
3600 seconds.
Options
retries
Syntax
retries number;
Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]
Release Information
Description
Default
3 retries
Options
number: Number of retries.
Range: 1 through 10
Default: 3
Required Privilege Level
Related Topics
secure-access-port
Syntax
secure-access-port {
  interface (all | interface-name) {
    allowed-mac {
      mac-address-list;
    }
    (dhcp-trusted | no-dhcp-trusted);
    mac-limit limit action action;
    static-ip ip-address {
      vlan vlan-name;
      mac mac-address;
    }
  }
  vlan (all | vlan-name) {
    (arp-inspection | no-arp-inspection);
    (examine-dhcp | no-examine-dhcp);
    (ip-source-guard | no-ip-source-guard);
    mac-move-limit limit action action;
  }
}
Hierarchy Level
[edit ethernet-switching-options]
Release Information
Description
Configure port security features, including MAC limiting and whether interfaces can receive DHCP responses, and apply dynamic ARP inspection, DHCP snooping, and MAC move limiting to no VLANs, specific VLANs, or all VLANs.
The statements are explained separately.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 729
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 721
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 725
server-timeout
Syntax
server-timeout seconds;
Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-name])]
Release Information
Description
Default
30 seconds
Options
seconds: Number of seconds.
static
Syntax
static {
  mac-address {
    vlan-assignment (vlan-id | vlan-name);
    interface interface-names;
  }
}
Hierarchy Level
[edit protocols dot1x authenticator authentication-profile-name]
Release Information
Description
Options
mac-address: The MAC address of the device for which 802.1X authentication should
static-ip
Syntax
static-ip ip-address {
  vlan vlan-name;
  mac mac-address;
}
Hierarchy Level
[edit ethernet-switching-options secure-access-port interface (all | interface-name)]
Release Information
Description
Static (fixed) IP address and static MAC address, with an associated VLAN, added to the DHCP snooping database.
Options
stop-on-access-deny
Syntax
stop-on-access-deny;
Hierarchy Level
[edit access profile profile-name accounting]
Release Information
Description
Default
Required Privilege Level
Related Topics
stop-on-failure
Syntax
stop-on-failure;
Hierarchy Level
[edit access profile profile-name accounting]
Release Information
Description
Default
Required Privilege Level
Related Topics
supplicant
Syntax
Hierarchy Level
Release Information
Description
Default
Single.
Options
single: All other supplicants connecting to the authenticator port after the first supplicant, regardless of whether they are 802.1X-enabled or not, are permitted free access to the port without further authentication. If the first authenticated supplicant logs out, all other supplicants are locked out until a supplicant authenticates again.
single-secure: Authenticates only one supplicant to connect to an authenticator port. No other supplicants can connect to the authenticator port until the first supplicant logs out.
multiple: Authenticates multiple supplicants individually on one authenticator port. You can configure the number of supplicants per port. If you configure a maximum number of devices that can be connected to a port through port security settings, the lower of the configured values is used to determine the maximum number of supplicants allowed per port.
Required Privilege Level
Related Topics
supplicant-timeout
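The following is an added model of the three supplicant modes described above and of the mac-limit interaction; it is not Juniper's code. The AuthenticatorPort class and its method names are assumptions for illustration; the sample MAC addresses come from the show dot1x output in this guide.

```python
"""Port-admission model for the 802.1X supplicant modes described above.

Added example, not Juniper's code. It encodes the documented behaviour of
single, single-secure and multiple, and the rule that a port-security
mac-limit caps the supplicant count at the lower of the two values.
Sample MAC addresses are taken from the show dot1x output in this guide.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class AuthenticatorPort:
    mode: str                          # "single", "single-secure" or "multiple"
    max_supplicants: int = 1           # supplicants per port (multiple mode)
    mac_limit: Optional[int] = None    # secure-access-port mac-limit, if set
    authenticated: List[str] = field(default_factory=list)  # passed 802.1X
    piggybacked: Set[str] = field(default_factory=set)      # admitted unauthenticated

    def effective_limit(self) -> int:
        """Lower of the 802.1X and port-security limits, as the text states."""
        if self.mac_limit is None:
            return self.max_supplicants
        return min(self.max_supplicants, self.mac_limit)

    def admit(self, mac: str, passed_auth: bool) -> bool:
        """Return True if frames from `mac` are allowed through the port."""
        mac = mac.lower()
        if mac in self.authenticated or mac in self.piggybacked:
            return True
        if self.mode == "single":
            if self.authenticated:
                # The first supplicant holds the port open for everyone else,
                # 802.1X-capable or not.
                self.piggybacked.add(mac)
                return True
            if passed_auth:
                self.authenticated.append(mac)
                return True
            return False
        if self.mode == "single-secure":
            if self.authenticated or not passed_auth:
                return False
            self.authenticated.append(mac)
            return True
        if self.mode == "multiple":
            if not passed_auth or len(self.authenticated) >= self.effective_limit():
                return False
            self.authenticated.append(mac)
            return True
        raise ValueError(f"unknown supplicant mode {self.mode!r}")

    def logout(self, mac: str) -> None:
        """Single mode: when the authenticated supplicant leaves, the rest are locked out."""
        mac = mac.lower()
        if mac in self.authenticated:
            self.authenticated.remove(mac)
            if self.mode == "single":
                self.piggybacked.clear()
        else:
            self.piggybacked.discard(mac)


def exposure_in_single_mode() -> bool:
    """Show the risk the text describes: an unauthenticated MAC rides on the first login."""
    port = AuthenticatorPort("single")
    port.admit("00:a0:d2:18:1a:c8", passed_auth=True)
    return port.admit("00:a0:e5:32:97:af", passed_auth=False)
```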
supplicant-timeout
Syntax
supplicant-timeout seconds;
Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-name])]
Release Information
Description
Default
30 seconds
Options
seconds: Number of seconds.
traceoptions
Syntax
traceoptions {
  file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
  flag flag;
}
Hierarchy Level
[edit protocols dot1x]
Release Information
Description
Default
Options
file filename: Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.
files number: (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option.
Range: 2 through 1000
Default: 3 files
flag flag: Tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. You can include the following flags:
match regex: (Optional) Refine the output to include lines that contain the regular expression.
no-world-readable: (Optional) Restrict file access to the user who created the file.
size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify gigabytes
Range: 10 KB through 1 gigabyte
Default: 128 KB
world-readable: (Optional) Enable unrestricted file access.
Required Privilege Level
Related Topics
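The following is an added model of the traceoptions file-rotation and option rules described above (the same rules apply to the lldp and ethernet-switching-options traceoptions statements); it is not Juniper's code. The TraceFileSet class, the helper names and the file mode bits are assumptions for illustration, and the model assumes that files counts the active trace file plus its rotated copies.

```python
"""Model of the traceoptions file-rotation and option rules described above.

Added example, not Juniper's code. It follows the text: size takes xk, xm
or xg (10 KB through 1 GB, default 128 KB); files is 2 through 1000
(default 3) and requires size; a full trace-file is renamed trace-file.0,
then trace-file.1, and so on, and once the maximum number of files exists
the oldest is overwritten. Assumption: `files` counts the active file
plus its rotated copies.
"""
import re

UNIT = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
MIN_SIZE, MAX_SIZE = 10 * 1024, 1024 ** 3


def parse_size(text):
    """Parse the documented size syntax (xk, xm, xg) into bytes."""
    m = re.fullmatch(r"(\d+)([kmg])", text.strip().lower())
    if not m:
        raise ValueError(f"size must be <number>k|m|g, got {text!r}")
    value = int(m.group(1)) * UNIT[m.group(2)]
    if not MIN_SIZE <= value <= MAX_SIZE:
        raise ValueError("size must be 10 KB through 1 GB")
    return value


def effective_traceoptions(files=None, size=None, world_readable=False):
    """Apply the documented constraints and defaults; return the effective settings."""
    if files is not None and size is None:
        raise ValueError("files requires size to be specified as well")
    if files is not None and not 2 <= files <= 1000:
        raise ValueError("files must be 2 through 1000")
    return {
        "files": 3 if files is None else files,
        "size": 128 * 1024 if size is None else parse_size(size),
        # no-world-readable keeps the file private to its creator; the
        # mode bits here are illustrative, not Junos' exact values.
        "mode": 0o644 if world_readable else 0o600,
    }


def is_rejected(**options):
    """True if effective_traceoptions() refuses these options."""
    try:
        effective_traceoptions(**options)
    except ValueError:
        return True
    return False


class TraceFileSet:
    """In-memory stand-in for /var/log/<trace-file> and its rotated copies."""

    def __init__(self, name, files, size):
        self.name, self.max_files, self.max_size = name, files, size
        self.contents = {name: b""}  # file name -> bytes written

    def rotate(self):
        # The highest index is the oldest copy; drop it when the set is full.
        highest = self.max_files - 2
        self.contents.pop(f"{self.name}.{highest}", None)
        for i in range(highest - 1, -1, -1):
            src = f"{self.name}.{i}"
            if src in self.contents:
                self.contents[f"{self.name}.{i + 1}"] = self.contents.pop(src)
        self.contents[f"{self.name}.0"] = self.contents.pop(self.name)
        self.contents[self.name] = b""

    def write(self, line):
        """Append one trace line, rotating first if it would exceed the size."""
        data = line.encode() + b"\n"
        if len(self.contents[self.name]) + len(data) > self.max_size:
            self.rotate()
        self.contents[self.name] += data

    def names(self):
        return sorted(self.contents)
```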
traceoptions
Syntax
traceoptions {
  file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
  flag flag (detail | disable | receive | send);
}
Hierarchy Level
[edit protocols lldp]
Release Information
Description
Default
Options
file filename: Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.
files number: (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option.
Range: 2 through 1000
Default: 3 files
flag flag: Tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. You can include the following flags:
match regex: (Optional) Refine the output to include lines that contain the regular expression.
no-world-readable: (Optional) Restrict file access to the user who created the file.
size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB
world-readable: (Optional) Enable unrestricted file access.
Required Privilege Level
Related Topics
traceoptions
Syntax
traceoptions {
  file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
  flag flag <disable>;
}
Hierarchy Level
[edit ethernet-switching-options]
Release Information
Description
Default
Options
disable: (Optional) Disable the tracing operation. You can use this option to disable a single operation when you have defined a broad group of tracing operations, such as all.
file filename: Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.
files number: (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached, at which point the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option.
Range: 2 through 1000
Default: 3 files
flag flag: Tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. You can include the following flags:
no-stamp
Default: If you omit this option, timestamp information is placed at the beginning of each line of the tracing output.
no-world-readable: (Optional) Restrict file access to the user who created the file.
replace: (Optional) Replace an existing trace file if there is one rather than appending to it.
Default: If you do not include this option, tracing output is appended to an existing trace file.
size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify gigabytes
Range: 10 KB through 1 gigabyte
Default: 128 KB
world-readable: (Optional) Enable unrestricted file access.
Required Privilege Level
Related Topics
Understanding IP Source Guard for Port Security on EX-series Switches on page 666
transmit-delay
Syntax
transmit-delay seconds;
Hierarchy Level
[edit protocols lldp]
Release Information
Description
Default
Disabled.
Options
transmit-period
Syntax
transmit-period seconds;
Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-name])]
Release Information
Description
Default
30 seconds
Options
seconds: Number of seconds the port waits before retransmitting the initial EAPOL PDUs to the supplicant.
Range: 1 through 65,535 seconds
Default: 30 seconds
vlan
Syntax
Hierarchy Level
Release Information
Description
Options
all: Apply DHCP snooping, DAI, IP source guard, and MAC move limiting to all VLANs.
vlan-name: Apply DHCP snooping, DAI, IP source guard, and MAC move limiting to
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 725
vlan
Syntax
vlan vlan-name;
Hierarchy Level
[edit ethernet-switching-options secure-access-port interface (all | interface-name) static-ip ip-address]
Release Information
Description
Options
Required Privilege Level
Related Topics
vlan-assignment
Syntax
Hierarchy Level
Release Information
Description
Options
voip
Syntax
voip {
  interface (all | [interface-name | access-ports]) {
    vlan vlan-name;
    forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
  }
}
Hierarchy Level
[edit ethernet-switching-options]
Release Information
Description
what
Syntax
what number;
Hierarchy Level
[edit protocols lldp-med interface (all | interface-name) location civic-based]
Release Information
Description
Default
Options
number: Location:
Chapter 48: Operational Mode Commands for 802.1X, Port Security, and VoIP
clear
Release Information
Description
Options
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
clear dot1x
Syntax
clear dot1x
(interface (all | [interface-names]) | mac-address [mac-addresses])
Release Information
Description
Options
connected to the specified ports (when the port is an authenticator) or for itself (when the port is a supplicant).
mac-address mac-addresses: Resets the authentication state only for the specified MAC addresses.
Required Privilege Level
view
Related Topics
Release Information
Description
Options
Required Privilege Level
view
Release Information
Description
Options
Required Privilege Level
view
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Field Description (Level of Output)
Interface (All levels)
Packets received (All levels)
Packets received
0
0
0
0
0
0
0
703
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Field Description (Level of Output)
MAC Address (All levels)
IP Address (All levels)
Lease (All levels)
Type (All levels)
VLAN (All levels)
Interface (All levels)
Lease   Type      VLAN    Interface
640     dynamic   guest   ge-0/0/12.0
720     dynamic   guest   ge-0/0/12.0
800     dynamic   guest   ge-0/0/13.0
show dot1x
Syntax
show dot1x
<brief | detail>
<interface [interface-names]>
Release Information
Description
connected supplicants.
Options
Required Privilege Level
view
Related Topics
Field Description (Level of Output)
interface: Name of a port. (All levels)
MAC address (All levels)
Role (brief, detail)
State (brief)
Held: An action has been triggered through server fail fallback during a (detail)
result. (Default)
Supplicant (detail)
connect later to the port are allowed full access without any further authentication. They effectively piggyback on the first supplicant's authentication.
Quiet period: The number of seconds the port remains in the wait state following a failed authentication exchange with the supplicant before reattempting the authentication. The default value is 60 seconds. The range is 0 through 65,535 seconds. (detail)
Transmit period: The number of seconds the port waits before retransmitting the initial EAPOL PDUs to the supplicant. The default value is 30 seconds. The range is 1 through 65,535 seconds. (detail)
Reauthentication (detail)
Supplicant timeout: The number of seconds the port waits for a response when relaying a request from the authentication server to the supplicant before resending the request. The default value is 30 seconds. The range is 1 through 60 seconds. (detail)
Server timeout: The number of seconds the port waits for a reply when relaying a response from the supplicant to the authentication server before timing out. The default value is 30 seconds. The range is 1 through 60 seconds. (detail)
Maximum EAPOL requests (detail)
Number of clients bypassed because of authentication (detail)
Number of connected supplicants (detail)
MAC address
00:a0:d2:18:1a:c8
00:a0:e5:32:97:af
00:a6:55:f2:94:ae
show dot1x authentication-failed-users
Release Information
Description
Required Privilege Level
view
Field Description (Level of Output)
Interface (all)
MAC address (all)
User: The user that is configured on the RADIUS server and that has failed 802.1X authentication. (all)
MAC address         User
00:00:00:10:00:02   md5user02
Options
interface.
Required Privilege Level
view
Field Description (Level of Output)
MAC address (all)
VLAN-Assignment (all)
Interface: The name of the interface on which authentication is bypassed for a given MAC address. (all)
show dot1x static-mac-address
show dot1x static-mac-address interface ge-0/0/0.1
Columns: MAC address, VLAN-Assignment, Interface. Values shown in the two outputs: MAC addresses 00:00:00:12:24:12 and 00:00:00:72:30:58; VLAN assignments facilities and support; interfaces ge-0/0/3.0 and ge-0/0/1.0.
show ip-source-guard
Syntax
show ip-source-guard
Release Information
Description
Required Privilege Level
Related Topics
Field Description
VLAN
Interface
Tag
1 4093
IP Address
MAC Address
show ip-source-guard
VLAN      Interface     IP Address   MAC Address
vlan100   ge-0/0/12.0   10.10.10.7   00:30:48:92:A5:9D
vlan100   ge-0/0/13.0   10.10.10.9   00:30:48:8D:01:3D
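The following is an added model of the IP source guard check that the binding table above feeds; it is not Juniper's code. The SourceGuard class and its method names are assumptions for illustration; the DHCP bindings are taken from the sample output above, and the static-ip entry uses constructed values.

```python
"""IP source guard check against a DHCP snooping binding table.

Added example, not Juniper's code. The bindings are constructed from the
show ip-source-guard sample above (vlan100 on ge-0/0/12.0 and ge-0/0/13.0);
the static entry mirrors a static-ip / vlan / mac configuration and uses
constructed values. A packet on a guarded VLAN is forwarded only when its
source IP, source MAC, VLAN and ingress interface all match one binding.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str          # stored lower-case
    vlan: str
    interface: str
    source: str       # "dhcp-snooping" or "static-ip"


class SourceGuard:
    def __init__(self, guarded_vlans: Iterable[str]):
        self.guarded = set(guarded_vlans)                    # VLANs with ip-source-guard set
        self.bindings: Dict[Tuple[str, str], Binding] = {}   # (ip, vlan) -> Binding

    def learn_dhcp(self, ip, mac, vlan, interface):
        """Entry the switch adds when it snoops a DHCP lease on this port."""
        self.bindings[(ip, vlan)] = Binding(ip, mac.lower(), vlan, interface, "dhcp-snooping")

    def add_static(self, ip, mac, vlan, interface):
        """Entry added by static-ip ip-address { vlan ...; mac ...; } on the interface."""
        self.bindings[(ip, vlan)] = Binding(ip, mac.lower(), vlan, interface, "static-ip")

    def check(self, src_ip, src_mac, vlan, interface) -> Tuple[bool, str]:
        """Decide whether a frame may be forwarded; returns (allowed, reason)."""
        if vlan not in self.guarded:
            return True, "vlan not guarded"
        binding = self.bindings.get((src_ip, vlan))
        if binding is None:
            return False, "no binding for source IP in this VLAN"
        if binding.mac != src_mac.lower():
            return False, "source MAC does not match binding"
        if binding.interface != interface:
            return False, "ingress interface does not match binding"
        return True, f"matches {binding.source} binding"


def sample_guard() -> SourceGuard:
    """Binding table built from the sample output above plus one constructed static entry."""
    guard = SourceGuard(guarded_vlans=["vlan100"])
    guard.learn_dhcp("10.10.10.7", "00:30:48:92:A5:9D", "vlan100", "ge-0/0/12.0")
    guard.learn_dhcp("10.10.10.9", "00:30:48:8D:01:3D", "vlan100", "ge-0/0/13.0")
    # constructed static-ip entry, e.g. for a host that does not use DHCP
    guard.add_static("10.10.10.20", "00:30:48:00:00:01", "vlan100", "ge-0/0/14.0")
    return guard
```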
show lldp
Syntax
show lldp
<detail>
Release Information
Description
Options
Required Privilege Level
view
Field Description (Level of Output)
LLDP (All levels)
Advertisement Interval: The frequency, in seconds, at which LLDP advertisements are sent. The default value is 30 seconds. (All levels)
Transmit Delay: The delay between two successive LLDP advertisements. The default value is 2 seconds. (All levels)
Hold Timer (All levels)
LLDP-MED (All levels)
Vlan-id: The VLAN tag associated with the interface sending LLDP frames. (detail)
Notification: Enabled
R: Received.
T: Transmitted.
Port identifier: The port identification for the specified port in the local system.
System Name: The user configured name of the local system. The system
the software and current image running on the system. This information is not configurable, but taken from the software.
Power via MDI: A TLV that advertises MDI power support, PSE power pair,
Port Vlan: A TLV that advertises the VLAN name configured on the interface.
LLDP-MED TLVs Enabled (detail)
LLDP MED Capabilities: A TLV that advertises the primary function of the
0 Capabilities
1 Network Policy
2 Location Identification
4 Inventory
5-15 Reserved
1 Class 1 Device.
2 Class 2 Device.
3 Class 3 Device.
5-255 Reserved.
Network Policy: A TLV that advertises the port VLAN configuration and
endpoint.
Extended Power via MDI: A TLV that advertises the power type, power source, power priority, and power value of the port. It is the responsibility of the PSE device (network connectivity device) to advertise the power priority on a port.
show lldp
LLDP                   : Enabled
Advertisement interval : 30 seconds
Transmit Delay         : 2 seconds
Hold timer             : 120 seconds
LLDP-MED               : Enabled
LLDP-MED fast start count: 3
LLDP Port Configuration:
Port         LLDP      LLDP-MED
-------------------------------
All          Enabled   Disabled
ge-0/1/0.0   Enabled   Enabled
ge-0/1/1.0   Enabled   Enabled
ge-0/1/2.0   Enabled   Disabled
ge-0/1/3.0   Enabled   Disabled
ge-0/1/4.0   Enabled   Disabled
ge-0/1/5.0   Enabled   Disabled
ge-0/1/5.0   Enabled   Disabled
ge-0/1/7.0   Disabled  Disabled
LLDP                   : Enabled
Advertisement interval : 30 seconds
Transmit Delay         : 2 seconds
Hold timer             : 120 seconds
LLDP-MED               : Enabled
LLDP-MED fast start count: 3
LLDP Port Configuration:
Port         LLDP      LLDP-MED   Neighbor count
------------------------------------------------
All          Enabled   Disabled   11
ge-0/1/0.0   Enabled   Enabled    1
ge-0/1/1.0   Enabled   Enabled    2
ge-0/1/2.0   Enabled   Disabled   2
ge-0/1/3.0   Enabled   Disabled   2
ge-0/1/4.0   Enabled   Disabled   2
ge-0/1/5.0   Enabled   Disabled   1
ge-0/1/6.0   Enabled   Disabled   1
ge-0/1/7.0   Disabled  Disabled   0
Maximum Frame Size, Port Vlan, Port and Protocol Vlan ID, Protocol Identity.
LLDP-MED TLVs Enabled:
LLDP MED Capabilities, Network Policy, Endpoint Location, Extended Power Via MDI.
Options
Required Privilege Level
view
Related Topics
Field Description (Level of Output)
Interface ID: The port component of the MAC Service Access Point (MSAP) hierarchy level. (All levels)
Interface Name   Interface ID   Interface Descr
ge-0/1/0.0       18             Avaya Port
ge-0/1/1.0       27             Port for Hub
ge-0/1/2.0       13
Release Information
Description
Options
interface or device.
Required Privilege Level
Related Topics
view
Field Description
Level of Output
All levels
LLDP agent.
interface level
Time to Live
The age of the information propagated in LLDP frames. Time to live (TTL) value
is between 0 and 65,535 seconds.
interface level
Time mark
interface level
888
Chapter 48: Operational Mode Commands for 802.1X, Port Security, and VoIP
Field Description
Level of Output
Chassis type
The value used to identify a chassis. For an EX-series switch, this is the MAC
address. However, this value is vendor-specific. The value for chassis type is
used by LLDP to identify a device.
interface level
Port type
interface level
System descr
The system description containing information about the software and current
image running on the system. This information is not configurable, but taken
from the software.
interface level
System capabilities
The primary function performed by the system. The capabilities that the system
supports are defined; for example, bridge. This information is not configurable,
but based on the model of the product.
interface level
Remote Management
Address
interface level
802 media.
MED Information
Detail
interface level
classes:
Capabilities.
running on a port.
Media Policy Priority The media policy priority, defined in the VLAN tag,
advertised.
Media Policy Tagged Set based on the VLAN (tagged or untagged) used
by an application type.
ChassisId
--------10.209.192.12
10.209.192.12
10.209.192.13
PortInfo
SysName
--------------00 19 bb 20 de 80 AVA4C357D
00 19 bb 20 de 80 AVA4C357D
00 19 bb 20 de 81 AVA4C357E
889
Complete Software Guide for JUNOS for EX-series Software, Release 9.2
Local Interface    Chassis Id          Port info   System Name
ge-0/0/3.0         00 19 bb 20 de 79   5           apg-hp1
ge-0/0/3.0         00 19 bb 20 de 80   3           apg-hp1
ge-0/0/4.0         00 19 bb 20 de 79   5           apg-hp1
ge-0/0/4.0         00 19 bb 20 de 80   3           apg-hp1
ge-0/0/5.0         00 19 bb 20 de 81   ge-0/0/3    Ball1
ge-0/0/6.0         00 19 bb 20 de 82   ge-0/0/4    Ball2

Index 7 Time Mark Wed Jun 20 07:34:11 2007 Time To Live 120 seconds
Local Port                    : ge-0/0/4.0
ChassisType                   : mac-address
ChassisId                     : 00 19 bb 20 de 79
PortType                      : local
PortId                        : 5
SysName                       : apg-hp1
System Descr                  : ProCurve J9049A Switch 2900-24G, revision T.11.X1, ROM K....
PortDescr                     : 3
.
.
.
System Capabilities Supported : bridge, router
System Capabilities Enabled   : bridge
Remote Management Address
Type    : ipv4
Address : 10.204.34.35
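LLDP is unauthenticated, so neighbor data is useful for spotting change rather than proving identity. The following Python script is an added example, not part of this guide or of Junos: it parses the tabular show lldp neighbors output in the layout shown above and reports neighbors that appeared, disappeared, or were replaced on a local interface between two snapshots, which is the check to run when an access port suddenly reports a chassis ID other than the switch or phone it used to see. The baseline sample is the six-row table above; the second snapshot and its lab-laptop entry are constructed for the example.

```python
import re

# 'show lldp neighbors' rows as laid out above. The chassis ID is either a MAC address
# written with spaces or an IP address, so a plain str.split() would mis-count columns.
ROW_RE = re.compile(
    r"^(?P<local>\S+)\s+"
    r"(?P<chassis>(?:[0-9a-fA-F]{2} ){5}[0-9a-fA-F]{2}|\S+)\s+"
    r"(?P<port>\S+)\s+(?P<sysname>\S+)\s*$"
)

# Baseline snapshot: the six neighbours shown in the sample output above.
BASELINE = """\
Local Interface    Chassis Id          Port info   System Name
ge-0/0/3.0         00 19 bb 20 de 79   5           apg-hp1
ge-0/0/3.0         00 19 bb 20 de 80   3           apg-hp1
ge-0/0/4.0         00 19 bb 20 de 79   5           apg-hp1
ge-0/0/4.0         00 19 bb 20 de 80   3           apg-hp1
ge-0/0/5.0         00 19 bb 20 de 81   ge-0/0/3    Ball1
ge-0/0/6.0         00 19 bb 20 de 82   ge-0/0/4    Ball2
"""

# Constructed later snapshot: Ball1 on ge-0/0/5.0 has been replaced by an unknown host,
# and ge-0/0/6.0 no longer reports a neighbour.
CURRENT = """\
Local Interface    Chassis Id          Port info   System Name
ge-0/0/3.0         00 19 bb 20 de 79   5           apg-hp1
ge-0/0/3.0         00 19 bb 20 de 80   3           apg-hp1
ge-0/0/4.0         00 19 bb 20 de 79   5           apg-hp1
ge-0/0/4.0         00 19 bb 20 de 80   3           apg-hp1
ge-0/0/5.0         00 0c 29 aa bb cc   eth0        lab-laptop
"""


def parse_lldp_neighbors(text):
    """Map (local interface, chassis id) -> (port info, system name)."""
    neighbors = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Local Interface"):
            continue
        match = ROW_RE.match(line.strip())
        if match is None:
            raise ValueError(f"unparsed row: {line!r}")
        key = (match["local"], match["chassis"].lower())
        neighbors[key] = (match["port"], match["sysname"])
    return neighbors


def diff_neighbors(baseline, current):
    """Neighbours that are new, gone, or replaced (same local interface, different chassis)."""
    new = sorted(current.keys() - baseline.keys())
    gone = sorted(baseline.keys() - current.keys())
    gone_interfaces = {local for local, _ in gone}
    replaced = sorted({local for local, _ in new if local in gone_interfaces})
    return {"new": new, "gone": gone, "replaced": replaced}


def report():
    """Compare the two snapshots above; 'replaced' is the line to alert on."""
    return diff_neighbors(parse_lldp_neighbors(BASELINE), parse_lldp_neighbors(CURRENT))


if __name__ == "__main__":
    for kind, entries in report().items():
        print(kind, entries)
```

A replaced chassis ID on a port that used to carry a known switch or phone is worth a ticket even though the new device may be spoofing its sysname: the spoofable fields are exactly why the comparison keys on the port and chassis pair rather than on the name.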
Release Information
Description
Options
view
show lldp statistics on page 891
show lldp statistics interface ge-0/1/1.0 on page 891
Table 77 on page 891 lists the output fields for the show lldp statistics command.
Output fields are listed in the approximate order in which they appear.
Field Description
Level of Output
Interface
Name of an interface.
All levels
Received
All levels
Transmitted
All levels
Unknown-TLVs
All levels
With-Errors
All levels
Discarded
All levels
show lldp statistics

Received  Transmitted  Unknown-TLVs  With-Errors  Discarded
544       540          0             0            0
540       500          0             0            0
544       540          0             0            0
544       540          0             0            0
544       540          0             0            0
544       540          0             0            0
0         0            0             0            0

show lldp statistics interface ge-0/1/1.0

Interface    Received  Transmitted  Unknown-TLVs  With-Errors  Discarded
ge-0/1/1.0   544       540          0             0            0
Options: accounting-server, stop-on-access-deny
Field Description
Requests received
The number of accounting-request packets sent from a switch to a RADIUS accounting server.
Accounting Response failures
The number of accounting-response failure packets sent from the RADIUS accounting server to the switch.
Accounting Response Success
The number of accounting-response success packets sent from the RADIUS accounting server to the switch.
Requests timedout
The number of accounting requests for which no response arrived from the RADIUS accounting server before the request timed out.
show network-access aaa statistics accounting
Options: authentication-server
Field Description
Requests received
Accepts
Rejects
Challenges
show network-access aaa statistics authentication
Options: authentication-server
Field Description
Requests received
Processed successfully
Errors during processing
The number of errors that occurred while the RADIUS server was processing the dynamic request.
Silently dropped
show network-access aaa statistics authentication
Part 11: Packet Filtering
Chapter 49
Understanding Firewall Filter Processing Points for Bridged and Routed Packets
on EX-series Switches on page 903
Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
Port (Layer 2) firewall filter: Port firewall filters apply to Layer 2 switch ports.
You can apply port firewall filters only in the ingress direction on a physical port.
VLAN firewall filter: VLAN firewall filters provide access control for packets that
enter a VLAN, are bridged within a VLAN, and leave a VLAN. You can apply VLAN
firewall filters in both ingress and egress directions on a VLAN. VLAN firewall
filters are applied to all packets that are forwarded to or forwarded from the
VLAN.
Router (Layer 3) firewall filter: You can apply a router firewall filter in both
ingress and egress directions on Layer 3 (routed) interfaces and routed VLAN
interfaces (RVI). You can also apply a router firewall filter in the ingress direction on
the loopback interface.
2.
Match conditions: Specifies the values or fields that the packet must contain.
You can define various match conditions, including the IP source address field,
IP destination address field, Transmission Control Protocol (TCP) or User
Datagram Protocol (UDP) source port field, IP protocol field, Internet Control
Message Protocol (ICMP) packet type, TCP flags, and interfaces.
Related Topics
Understanding Firewall Filter Processing Points for Bridged and Routed Packets
on EX-series Switches on page 903
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
2.
Determine the packet header fields that the packet must contain for a match.
Possible fields include:
b.
3.
Determine the port, VLAN, or router interface on which the packet was
received.
4.
5.
If all the packets entering a port need to be exposed to filtering, then use
port firewall filters.
If all the packets that are bridged need filtering, then use VLAN firewall filters.
If all the packets that are routed need filtering, then use router firewall filters.
Before you choose the interface at which to apply a firewall filter, understand
how that placement can impact traffic flow to other interfaces. In general, apply
a firewall filter that filters on source and destination IP addresses, IP protocols,
or protocol information, such as ICMP message types and TCP and UDP port
numbers, nearest to the source devices. However, typically apply a firewall filter
that filters only on a source IP address nearest to the destination devices. When
applied too close to the source device, a firewall filter that filters only on a source
IP address could potentially prevent that source device from accessing other
services that are available on the network.
NOTE: Egress firewall filters do not affect the flow of locally generated control packets
from the Routing Engine.
6.
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
Understanding Firewall Filter Processing Points for Bridged and Routed Packets
on EX-series Switches
EX-series switches are multilayered switches that provide Layer 2 switching and
Layer 3 routing. You apply firewall filters at multiple processing points in the packet
forwarding path on EX-series switches. At each processing point, the action to be
taken on a packet is determined based on the results of the lookup in the switch's
forwarding table. A table lookup determines which exit port on the switch to use to
forward the packet.
For both bridged unicast packets and routed unicast packets, firewall filters are
evaluated and applied hierarchically. First, a packet is checked against the port firewall
filter, if present. If the packet is permitted, it is then checked against the VLAN firewall
filter, if present. If the packet is permitted, it is then checked against the router
firewall filter, if present. The packet must be permitted by the router firewall filter
before it is processed.
Figure 47 on page 904 shows the various firewall filter processing points in the packet
forwarding path in a multilayered switching platform.
Figure 47: Firewall Filter Processing Points in the Packet Forwarding Path
For a multicast packet that results in replications, an egress firewall filter is applied
to each copy of the packet based on its corresponding egress VLAN.
For Layer 2 (bridged) unicast packets, the following firewall filter processing points
apply:
For Layer 3 (routed and multilayer-switched) unicast packets, the following firewall
filter processing points apply:
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
Ingress firewall filters affect the flow of data packets that are received by the
switch's interfaces. The Packet Forwarding Engine (PFE) handles this flow. When
a switch receives a data packet on an interface, the switch determines where to
forward the packet by looking in the forwarding table for the best route (Layer 2
switching, Layer 3 routing) to a destination. Data packets are forwarded to their
destination through an outgoing interface. Locally destined packets are forwarded
to the Routing Engine.
Egress firewall filters affect the flow of data packets that are transmitted from
the switch's interfaces but do not affect the flow of locally generated control
packets from the Routing Engine. The Packet Forwarding Engine handles the
flow of data packets that are transmitted from the switch, and egress firewall
filters are applied here. The Packet Forwarding Engine also handles the flow of
control packets from the Routing Engine.
Figure 48 on page 906 illustrates the application of ingress and egress firewall filters
to control the flow of packets through the switch.
Related Topics
1.
Ingress firewall filter applied to control locally destined packets that are received
on the switch's interfaces and are destined for the Routing Engine.
2.
3.
Egress firewall filter applied to control packets that are transiting the switch's
interfaces.
Understanding Firewall Filter Processing Points for Bridged and Routed Packets
on EX-series Switches on page 903
Table 126: Supported Match Conditions for Firewall Filters on EX-series Switches
Match Condition
Description
destination-address ip-address
destination-mac-address mac-address
destination-port number
dot1q-user-priority number
Values include background (1), for background reserved traffic; video (5), for video; and voice (6), for voice.
dscp number
Ethernet type values listed: 0x8100, 0x0800, 0x8847
fragment-flags [ is-fragment | more-fragment | dont-fragment ]
IP fragmentation flags.
icmp-code number
The code values are grouped by ICMP type:
parameter-problem: ip-header-bad (0), required-option-missing (1)
redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)
time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)
icmp-type number
interface interface-name
packet-length bytes
precedence precedence
Values: critical-ecp (5), flash (3), flash-override (4), immediate (2), internet-control (6), net-control (7), priority (1), routine (0)
source-mac-address mac-address
source-port number
tcp-flags flags
Text synonym: tcp-initial
Some of the numeric range and bit-field match conditions allow you to specify a text
synonym. For a list of all the synonyms for a match condition, do any of the following:
If you are using the J-Web Configuration page, select the synonym from the
appropriate list.
If you are using the CLI, type a question mark (?) after the from statement.
To specify the bit-field value to match, you must enclose the values in quotation
marks (" "). For example, a match occurs if the RST bit in the TCP flags field is set:
tcp-flags "rst";
For information about logical operators and how to use bit-field logical operations
to create expressions that are evaluated for matches, see Understanding Firewall
Filter Match Conditions on page 917.
When you define one or more terms that specify the filtering criteria, you also define
the action to take if the packet matches all criteria. Table 127 on page 914 shows the
actions that you can specify in a term.
Table 127: Actions for Firewall Filters
Action
Description
accept
Accept a packet.
discard
In addition to the actions, you can specify action modifiers. Table 128 on page 914
shows the action modifiers that you can specify in a term.
Table 128: Action Modifiers for Firewall Filters
Action Modifier
Description
analyzer analyzer-name
count counter-name
Count the number of packets that pass this filter, term, or policer.
forwarding-class class
assured-forwarding
best-effort
expedited-forwarding
network-control
policer policer-name
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
If the packet matches all the conditions, the action in the then statement is taken.
If the packet matches all the conditions, and no action is specified in the then
statement, the default action accept is taken.
When a firewall filter consists of more than one term, the firewall filter is evaluated
sequentially:
1.
The packet is evaluated against the conditions in the from statement in the first
term.
2.
If the packet matches all the conditions in the term, the action in the then
statement is taken and the evaluation ends. Subsequent terms in the filter are
not evaluated.
3.
If the packet does not match all the conditions in the term, the packet is evaluated
against the conditions in the from statement in the second term.
This process continues until either the packet matches the conditions in the from
statement in one of the subsequent terms or there are no more terms in the
filter.
4.
If a packet passes through all the terms in the filter without a match, the packet
is discarded.
Figure 49 on page 916 shows how an EX-series switch evaluates the terms within a
firewall filter.
If a term does not contain a from statement, the packet is considered to match and
the action in the then statement of the term is taken.
If a term does not contain a then statement, or if an action has not been configured
in the then statement, and the packet matches the conditions in the from statement
of the term, the packet is accepted.
Every firewall filter contains an implicit deny statement at the end of the filter, which
is equivalent to the following explicit filter term:
term implicit-rule {
then discard;
}
Consequently, if a packet passes through all the terms in a filter without matching
any conditions, the packet is discarded. If you configure a firewall filter that has no
terms, all packets that pass through the filter are discarded.
NOTE: Firewall filtering is supported on packets that are at least 48 bytes long.
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
Single number: A match occurs if the value of the field matches the number.
For example:
source-port 25;
Text synonym for a single number: A match occurs if the value of the field
matches the number that corresponds to the synonym. For example:
source-port http;
To specify more than one value in a filter term, you enter each value in its own match
statement. For example, a match occurs in the following term if the value of vlan
field is 10 or 30.
[edit firewall family family-name filter filter-name term term-name from]
vlan 10;
vlan 30;
You cannot exclude a specific value in a numeric filter match condition. For
example, you cannot specify a condition that would match only if the match
condition was not equal to a given value.
Port and VLAN interfaces do not use logical unit numbers. However, a firewall filter
that is applied to a router interface can specify the logical unit number in the interface
filter match condition, for example:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set interface ge-0/1/0.0
You can include the * wildcard as part of the interface name, for example:
[edit firewall
user@host# set
user@host# set
user@host# set
Each prefix contains an implicit 0/0 except statement, which means that any prefix
that does not match the prefix that is specified is explicitly considered not to match.
To specify the address prefix, use the notation prefix/prefix-length. If you omit
prefix-length, it defaults to /32. For example:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set destination-address 10
[edit firewall family family-name filter filter-name term term-name from]
user@host# show
destination-address {
10.0.0.0/32;
}
To specify more than one IP address in a filter term, you enter each address in its
own match statement. For example, a match occurs in the following term if the value
of the source-address field matches either of the following source-address prefixes:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set source-address 10.0.0.0/8
user@host# set source-address 10.1.0.0/16
To specify more than one MAC address in a filter term, you enter each MAC address
in its own match statement. For example, a match occurs in the following term if
the value of the source-mac-address field matches either of the following addresses.
[edit firewall family family-name filter filter-name term term-name from]
user@host# set source-mac-address 00:11:22:33:44:55
user@host# set source-mac-address 00:11:22:33:20:15
To specify the bit-field value to match, enclose the value in double quotation marks.
For example, a match occurs if the RST bit in the TCP flags field is set:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set tcp-flags "rst"
Typically, you specify the bits to be tested by using keywords. Bit-field match
keywords always map to a single bit value. You also can specify bit fields as
hexadecimal or decimal numbers.
To match multiple bit-field values, use the logical operators, which are described in
Table 129 on page 920. The operators are listed in order from highest precedence to
lowest precedence. Operations are left-associative.
Table 129: Logical Operators for Bit-Field Match Conditions
Logical Operator
Description
!
Negation.
& or +
Logical AND.
To negate a match, precede the value with an exclamation point. For example, a
match occurs only if the RST bit in the TCP flags field is not set:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set tcp-flags "!rst"
In the following example of a logical AND operation, a match occurs if the packet is
the initial packet on a TCP session (SYN set and ACK clear):
[edit firewall family family-name filter filter-name term term-name from]
user@host# set tcp-flags "syn & !ack"
You can use text synonyms to specify some common bit-field matches. You specify
these matches as a single keyword. In the following example of a text synonym, a
match occurs if the packet is the initial packet on a TCP session:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set tcp-flags tcp-initial
Logical OR operations are not supported; however, you can get the equivalent of an
OR by specifying the same match condition twice, either in a single term or in two
consecutive terms. For example, in the following term, a match occurs if the packet
in a TCP session has the URG (urgent) bit set or the PSH (push) bit set:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set tcp-flags "urgent"
user@host# set tcp-flags "push"
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
If you do not specify the protocol when using the preceding fields, design your filters
carefully to ensure that they perform the expected matches. For example, if you
specify a match of destination-port ssh, the switch deterministically matches any
packets that have a value of 22 in the two-byte field that is two bytes beyond the
end of the IP header without ever checking the IP protocol field.
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
Maximum burst sizeThe maximum size permitted for bursts of data that exceed
the given bandwidth limit.
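The bandwidth limit and maximum burst size above describe a token bucket. The following Python model is an added example, not part of this guide or of Junos: it parses the 30k and 1m quantities used by the policers in the Chapter 50 configuration example and shows what "if-exceeding bandwidth-limit 1m burst-size-limit 30k then discard" does to a burst, to a stream running at exactly the limit, and to a stream 20 percent over it. Integer millisecond timing and the 1,500-byte packet size are assumptions of the example.

```python
def parse_quantity(text):
    """Parse a Junos quantity such as '30k' or '1m' (k = 1,000; m = 1,000,000; g = 1,000,000,000)."""
    units = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
    text = text.strip().lower()
    if text[-1] in units:
        return int(text[:-1]) * units[text[-1]]
    return int(text)


class Policer:
    """Single-rate token-bucket model of 'policer NAME if-exceeding bandwidth-limit B
    burst-size-limit S then ACTION'. The bucket holds at most S bytes and refills at
    B/8 bytes per second; a packet longer than the bytes available exceeds the policer.
    Time is kept in integer milliseconds (an assumption of this model) so the arithmetic
    is exact for the rates used in the chapter example."""

    def __init__(self, name, bandwidth_limit, burst_size_limit, action="discard"):
        self.name = name
        self.bytes_per_ms = parse_quantity(bandwidth_limit) // 8_000  # bits/s -> bytes/ms
        self.burst = parse_quantity(burst_size_limit)
        self.tokens = self.burst
        self.last_ms = 0
        self.action = action
        self.conforming = 0
        self.exceeding = 0

    def offer(self, t_ms, length):
        """Offer one packet of `length` bytes arriving at `t_ms`; return the action taken."""
        self.tokens = min(self.burst, self.tokens + (t_ms - self.last_ms) * self.bytes_per_ms)
        self.last_ms = t_ms
        if length <= self.tokens:
            self.tokens -= length
            self.conforming += 1
            return "accept"
        self.exceeding += 1
        return self.action


def run(policer, arrivals):
    """Feed (t_ms, length) arrivals in order; return (conforming, exceeding) counts."""
    for t_ms, length in arrivals:
        policer.offer(t_ms, length)
    return policer.conforming, policer.exceeding


def tcp_policer():
    """The TCP policer from the Chapter 50 quick configuration: 1 Mbps, 30,000-byte burst."""
    return Policer("tcp-connection-policer", "1m", "30k", "discard")


def burst_at_once():
    """40 full-size packets arriving together: the bucket covers 20 of them (30,000 / 1,500)."""
    return run(tcp_policer(), [(0, 1500)] * 40)


def stream_at_limit():
    """1,500-byte packets every 12 ms is exactly 1 Mbps, so the bucket never drains."""
    return run(tcp_policer(), [(i * 12, 1500) for i in range(100)])


def stream_over_limit():
    """Every 10 ms is 1.2 Mbps: the burst allowance absorbs the first 115 packets,
    then one packet in six is discarded so the accepted rate settles at 1 Mbps."""
    return run(tcp_policer(), [(i * 10, 1500) for i in range(200)])


if __name__ == "__main__":
    print("burst:", burst_at_once(), "at limit:", stream_at_limit(), "over:", stream_over_limit())
```

The burst case is the one to keep in mind when sizing burst-size-limit: a sender that has been idle gets the whole bucket at once, so 30k lets 20 full-size frames through before the 1 Mbps limit bites at all.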
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
Chapter 50
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series
Switches
This example shows how to configure and apply firewall filters to control traffic that
is entering or exiting a port on the switch, a VLAN on the network, and a Layer 3
interface on the switch. Firewall filters define the rules that determine whether to
forward or deny packets at specific processing points in the packet flow.
Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit
TCP and ICMP Traffic on page 927
Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic
on the Employee VLAN on page 935
Requirements
This example uses the following software and hardware components:
Before you configure and apply the firewall filters in this example, be sure you have:
Installed the uplink module in the distribution switch. See Installing an Uplink
Module in an EX-series Switch.
Overview
This configuration example shows how to configure and apply firewall filters to provide
rules to evaluate the contents of packets and determine when to discard, forward,
classify, count, and analyze packets that are destined for or originating from the
EX-series switches that handle all voice-vlan, employee-vlan, and guest-vlan traffic.
Table 130 on page 924 shows the firewall filters that are configured for the EX-series
switches in this example.
Table 130: Configuration Components: Firewall Filters

Component: ingress-port-voip-class-limit-tcp-icmp
Purpose/Description: Assigns priority queueing to packets with a source MAC address that matches the
phone MAC addresses. The forwarding class expedited-forwarding provides low loss,
low delay, low jitter, assured bandwidth, and end-to-end service for all voice-vlan
traffic. Performs rate limiting on packets that enter the ports for employee-vlan. The traffic
rate for TCP and ICMP packets is limited to 1 Mbps with a burst size up to 30,000
bytes.

Component: ingress-vlan-rogue-block
Purpose/Description: Prevents rogue devices from using HTTP sessions to mimic the gatekeeper device that
manages call registration, admission, and call status for VoIP calls. Only TCP or UDP
ports should be used, and only the gatekeeper uses HTTP; that is, all voice-vlan traffic on
TCP ports should be destined for the gatekeeper device. This firewall filter applies to all
phones on voice-vlan, including communication between any two phones on the VLAN
and all communication between the gatekeeper device and VLAN phones.
This firewall filter is applied to VLAN interfaces on the access switch.

Component: egress VLAN firewall filter on employee-vlan (see Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic on the Employee VLAN)
Purpose/Description: Accepts employee-vlan traffic destined for the corporate subnet, but does not monitor this
traffic. Employee traffic destined for the Web is counted and analyzed.
This firewall filter is applied to VLAN interfaces on the access switch.
Figure 50 on page 925 shows the application of port, VLAN, and Layer 3 routed firewall
filters on the switch.
Figure 50: Application of Port, VLAN, and Layer 3 Routed Firewall Filters
Network Topology
The topology for this configuration example consists of one EX-3200-48T switch at
the access layer, and one EX-3200-48T switch at the distribution layer. The distribution
switch's uplink module is configured to support a Layer 3 connection to a J-series
router.
The EX-series switches are configured to support VLAN membership.
Table 131 on page 925 shows the VLAN configuration components for the VLANs.
Table 131: Configuration Components: VLANs

VLAN Name       VLAN ID   VLAN Description
voice-vlan      10        192.0.2.0/28; hosts 192.0.2.1 through 192.0.2.14; 192.0.2.15 is the subnet's broadcast address
employee-vlan   20        192.0.2.16/28; hosts 192.0.2.17 through 192.0.2.30; 192.0.2.31 is the subnet's broadcast address
guest-vlan      30        192.0.2.32/28; hosts 192.0.2.33 through 192.0.2.46; 192.0.2.47 is the subnet's broadcast address
camera-vlan     40        192.0.2.48/28; hosts 192.0.2.49 through 192.0.2.62; 192.0.2.63 is the subnet's broadcast address
Ports on the EX-series switches support Power over Ethernet (PoE) to provide both
network connectivity and power for VoIP telephones connecting to the ports.
Table 132 on page 926 shows the switch ports that are assigned to the VLANs and
the IP and MAC addresses for devices connected to the switch ports:
Table 132: Configuration Components: Switch Ports on a 48-Port All-PoE Switch

Switch and Port Number   VLAN Membership              Port Devices
ge-0/0/0, ge-0/0/1       voice-vlan, employee-vlan    IP addresses: 192.0.2.1 through 192.0.2.2; MAC addresses: 00.05.85.00.00.01, 00.05.85.00.00.02
ge-0/0/2, ge-0/0/3       employee-vlan                192.0.2.17 through 192.0.2.18
ge-0/0/4, ge-0/0/5       guest-vlan                   192.0.2.34 through 192.0.2.35
ge-0/0/6, ge-0/0/7       camera-vlan                  192.0.2.49 through 192.0.2.50
ge-0/0/9                 voice-vlan                   IP address: 192.0.2.14; MAC address: 00.05.85.00.00.0E
ge-0/1/0                 Layer 3 connection to a router; note that this is a port on the switch's uplink module    IP address: 192.0.2.65
Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP
and ICMP Traffic
To configure and apply firewall filters for port, VLAN, and router interfaces, perform
these tasks:
CLI Quick Configuration
To quickly configure and apply a port firewall filter to prioritize voice traffic and
rate-limit packets that are destined for the employee-vlan subnet, copy the following
commands and paste them into the switch terminal window:
[edit]
set firewall policer tcp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m
set firewall policer tcp-connection-policer then discard
set firewall policer icmp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m
set firewall policer icmp-connection-policer then discard
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from source-mac-address 00.05.85.00.00.01
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from source-mac-address 00.05.85.00.00.02
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from protocol udp
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high then forwarding-class expedited-forwarding
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high then loss-priority low
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term network-control from precedence net-control
Step-by-Step Procedure
To configure and apply a port firewall filter to prioritize voice traffic and rate-limit
packets that are destined for the employee-vlan subnet:
1.
2.
3.
4.
5.
Define the term tcp-connection to configure rate limits for TCP traffic:
[edit firewall family ethernet-switching filter
ingress-port-voip-class-limit-tcp-icmp]
user@switch# set term tcp-connection from destination-address 192.0.2.16/28
user@switch# set term tcp-connection from protocol tcp
user@switch# set term tcp-connection then policer tcp-connection-policer
user@switch# set term tcp-connection then count tcp-counter
user@switch# set term tcp-connection then forwarding-class best-effort
user@switch# set term tcp-connection then loss-priority high
6.
Define the term icmp-connection to configure rate limits for ICMP traffic:
7.
Define the term best-effort with no match conditions for an implicit match on
all packets that did not match any other term in the firewall filter:
[edit firewall family ethernet-switching filter
ingress-port-voip-class-limit-tcp-icmp]
user@switch# set term best-effort then forwarding-class best-effort
user@switch# set term best-effort then loss-priority high
8.
9.
Configure the parameters that are desired for the different schedulers.
NOTE: When you configure parameters for the schedulers, define the numbers to
match your network traffic patterns.
[edit class-of-service]
user@switch# set schedulers voice-high buffer-size percent 15
user@switch# set schedulers voice-high priority high
user@switch# set schedulers net-control buffer-size percent 10
user@switch# set schedulers net-control priority high
user@switch# set schedulers best-effort buffer-size percent 75
user@switch# set schedulers best-effort priority low
10.
11.
Results
from {
destination-address 192.0.2.16/28;
protocol tcp;
}
then {
policer tcp-connection-policer;
count tcp-counter;
forwarding-class best-effort;
loss-priority high;
}
}
term icmp-connection
from {
protocol icmp;
}
then {
policer icmp-connection-policer;
count icmp-counter;
forwarding-class best-effort;
loss-priority high;
}
}
term best-effort {
then {
forwarding-class best-effort;
loss-priority high;
}
}
}
}
}
interfaces {
ge-0/0/0 {
description "voice priority and tcp and icmp traffic rate-limiting filter at ingress
port";
unit 0 {
family ethernet-switching {
filter {
input ingress-port-voip-class-limit-tcp-icmp;
}
}
}
}
ge-0/0/1 {
description "voice priority and tcp and icmp traffic rate-limiting filter at ingress
port";
unit 0 {
family ethernet-switching {
filter {
input ingress-port-voip-class-limit-tcp-icmp;
}
}
}
}
}
scheduler-maps {
932
Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP and ICMP Traffic
ethernet-diffsrv-cos-map {
forwarding-class expedited-forwarding scheduler voice-high;
forwarding-class network-control scheduler networkcontrol;
forwarding-class best-effort scheduler best-effort;
}
}
interfaces {
ge-0/1/0 {
scheduler-map ethernet-diffsrv-cos-map;
}
}
Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from Disrupting VoIP Traffic
To configure and apply firewall filters for port, VLAN, and router interfaces, perform
these tasks:
CLI Quick Configuration
To quickly configure a VLAN firewall filter on voice-vlan to prevent rogue devices from
using HTTP sessions to mimic the gatekeeper device that manages VoIP traffic, copy
the following commands and paste them into the switch terminal window:
[edit]
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper from destination-address 192.0.2.14
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper from destination-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper then accept
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper from source-address 192.0.2.14
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper from source-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper then accept
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper from destination-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper then count rogue-counter
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper then discard
set vlans voice-vlan description "block rogue devices on voice-vlan"
set vlans voice-vlan filter input ingress-vlan-rogue-block
Step-by-Step Procedure
To configure and apply a VLAN firewall filter on voice-vlan to prevent rogue devices
from using HTTP to mimic the gatekeeper device that manages VoIP traffic:
1. Define the term to-gatekeeper to accept packets that match the destination IP
address and HTTP port of the gatekeeper:
[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]
user@switch# set term to-gatekeeper from destination-address 192.0.2.14
user@switch# set term to-gatekeeper from destination-port 80
user@switch# set term to-gatekeeper then accept
2. Define the term from-gatekeeper to accept packets that match the source IP
address and HTTP port of the gatekeeper:
[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]
user@switch# set term from-gatekeeper from source-address 192.0.2.14
user@switch# set term from-gatekeeper from source-port 80
user@switch# set term from-gatekeeper then accept
3. Define the term not-gatekeeper to count and discard any remaining HTTP traffic
(destination port 80), so that the only HTTP traffic on voice-vlan is to or from the
gatekeeper device:
[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]
user@switch# set term not-gatekeeper from destination-port 80
user@switch# set term not-gatekeeper then count rogue-counter
user@switch# set term not-gatekeeper then discard
4. Apply the firewall filter as an input filter on voice-vlan:
[edit vlans]
user@switch# set voice-vlan description "block rogue devices on voice-vlan"
user@switch# set voice-vlan filter input ingress-vlan-rogue-block
NOTE: A firewall filter ends with an implicit discard. Traffic on voice-vlan that
matches none of these three terms is discarded as well, so if other traffic on the
VLAN must pass, add a final term with a then accept action. Watch rogue-counter
after the filter is applied: a rising count means a device other than the gatekeeper
is receiving HTTP requests on the voice VLAN.
Results
}
term not-gatekeeper {
from {
destination-port 80;
}
then {
count rogue-counter;
discard;
}
}
}
vlans {
voice-vlan {
description "block rogue devices on voice-vlan";
filter {
input ingress-vlan-rogue-block;
}
}
}
Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic on the Employee VLAN
CLI Quick Configuration
To quickly configure an egress VLAN firewall filter on employee-vlan that accepts
traffic to the corporate subnet and counts and mirrors traffic destined for the Web,
copy the following commands and paste them into the switch terminal window:
[edit]
set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-corp from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-corp then accept
set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-web from destination-port 80
set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-web then count employee-web-counter
set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-web then analyzer employee-monitor
set vlans employee-vlan description "filter at egress VLAN to count and analyze employee to Web traffic"
set vlans employee-vlan filter output egress-vlan-watch-employee
Step-by-Step Procedure
To configure and apply an egress VLAN firewall filter to count and analyze
employee-vlan traffic that is destined for the Web:
1. Define the term employee-to-corp to accept but not monitor all employee-vlan
traffic destined for the corporate subnet:
[edit firewall family ethernet-switching filter egress-vlan-watch-employee]
user@switch# set term employee-to-corp from destination-address 192.0.2.16/28
user@switch# set term employee-to-corp then accept
2. Define the term employee-to-web to count and monitor all employee-vlan traffic
destined for the Web:
[edit firewall family ethernet-switching filter egress-vlan-watch-employee]
user@switch# set term employee-to-web from destination-port 80
user@switch# set term employee-to-web then count employee-web-counter
user@switch# set term employee-to-web then analyzer employee-monitor
NOTE: See Example: Configuring Port Mirroring for Local Monitoring of Employee
Resource Use on EX-series Switches on page 1127 for information about configuring
the employee-monitor analyzer.
3. Apply the firewall filter as an output filter on employee-vlan:
[edit vlans]
user@switch# set employee-vlan description "filter at egress VLAN to count and analyze employee to Web traffic"
user@switch# set employee-vlan filter output egress-vlan-watch-employee
NOTE: Terms are evaluated in order, so Web traffic to the corporate subnet is
accepted by employee-to-corp and is not counted. Employee-vlan traffic that matches
neither term is dropped by the implicit discard at the end of the filter; add a final
term with a then accept action if that is not intended.
Results
}
}
term employee-to-web {
from {
destination-port 80;
}
then {
count employee-web-counter;
analyzer employee-monitor;
}
}
}
}
}
vlans {
employee-vlan {
description "filter at egress VLAN to count and analyze employee to Web traffic";
filter {
output egress-vlan-watch-employee;
}
}
}
Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and Peer-to-Peer Applications on the Guest VLAN
In the following example, the first filter term permits guests to talk with other guests
but not with employees on employee-vlan. The second filter term allows guests Web access
through the default gateway but prevents them from using peer-to-peer applications on
guest-vlan. Traffic that matches neither term is dropped by the implicit discard at the
end of the filter, which is what enforces both restrictions.
CLI Quick Configuration
To quickly configure a VLAN firewall filter to restrict guest-to-employee traffic, blocking
guests from talking with employees or employee hosts on employee-vlan or attempting
to use peer-to-peer applications on guest-vlan, copy the following commands and
paste them into the switch terminal window:
[edit]
set firewall family ethernet-switching filter ingress-vlan-limit-guest term guest-to-guest from destination-address 192.0.2.33/28
set firewall family ethernet-switching filter ingress-vlan-limit-guest term guest-to-guest then accept
set firewall family ethernet-switching filter ingress-vlan-limit-guest term no-guest-employee-no-peer-to-peer from destination-mac-address 00.05.85.00.00.DF
set firewall family ethernet-switching filter ingress-vlan-limit-guest term no-guest-employee-no-peer-to-peer then accept
set vlans guest-vlan description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN"
set vlans guest-vlan filter input ingress-vlan-limit-guest
Step-by-Step Procedure
To configure and apply a VLAN firewall filter to restrict guest-to-employee traffic and
peer-to-peer applications on guest-vlan:
1. Define the term guest-to-guest to permit guests on the guest-vlan to talk with
other guests but not employees on the employee-vlan:
[edit firewall family ethernet-switching filter ingress-vlan-limit-guest]
user@switch# set term guest-to-guest from destination-address 192.0.2.33/28
user@switch# set term guest-to-guest then accept
2. Define the term no-guest-employee-no-peer-to-peer to accept only the remaining
traffic that is addressed to the MAC address of the default gateway:
[edit firewall family ethernet-switching filter ingress-vlan-limit-guest]
user@switch# set term no-guest-employee-no-peer-to-peer from destination-mac-address 00.05.85.00.00.DF
user@switch# set term no-guest-employee-no-peer-to-peer then accept
NOTE: The destination-mac-address is the default gateway, which for any host in a
VLAN is the next-hop router.
3. Apply the firewall filter as an input filter on guest-vlan:
[edit vlans]
user@switch# set guest-vlan description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN"
user@switch# set guest-vlan filter input ingress-vlan-limit-guest
Results
from {
destination-mac-address 00.05.85.00.00.DF;
}
then {
accept;
}
}
}
}
}
vlans {
guest-vlan {
description "restrict guest-to-employee traffic and peer-to-peer applications on
guest VLAN";
filter {
input ingress-vlan-limit-guest;
}
}
}
Configuring a Router Firewall Filter to Give Priority to Egress Traffic Destined for the Corporate Subnet
CLI Quick Configuration
To quickly configure a firewall filter for a routed port (Layer 3 uplink module) to filter
employee-vlan traffic, giving highest forwarding-class priority to traffic destined for
the corporate subnet, copy the following commands and paste them into the switch
terminal window:
[edit]
set firewall family inet filter egress-router-corp-class term corp-expedite from destination-address 192.0.2.16/28
set firewall family inet filter egress-router-corp-class term corp-expedite then forwarding-class expedited-forwarding
set firewall family inet filter egress-router-corp-class term corp-expedite then loss-priority low
set firewall family inet filter egress-router-corp-class term not-to-corp then accept
set interfaces ge-0/1/0 description "filter at egress router to expedite employee traffic destined for corporate network"
set interfaces ge-0/1/0 unit 0 family inet address 103.104.105.1
set interfaces ge-0/1/0 unit 0 family inet filter output egress-router-corp-class
Step-by-Step Procedure
To configure and apply a firewall filter to a routed port (Layer 3 uplink module) to
give highest priority to employee-vlan traffic destined for the corporate subnet:
1. Define the term corp-expedite to assign the expedited-forwarding class and a low
loss priority to traffic destined for the corporate subnet:
[edit firewall]
user@switch# set family inet filter egress-router-corp-class term corp-expedite from destination-address 192.0.2.16/28
user@switch# set family inet filter egress-router-corp-class term corp-expedite then forwarding-class expedited-forwarding
user@switch# set family inet filter egress-router-corp-class term corp-expedite then loss-priority low
2. Define the term not-to-corp to accept all other traffic, which would otherwise be
dropped by the implicit discard at the end of the filter:
[edit firewall]
user@switch# set family inet filter egress-router-corp-class term not-to-corp then accept
3. Apply the firewall filter egress-router-corp-class as an output filter for the port
on the switch's uplink module, which provides a Layer 3 connection to a router:
[edit interfaces]
user@switch# set ge-0/1/0 description "filter at egress router to expedite employee traffic destined for corporate network"
user@switch# set ge-0/1/0 unit 0 family inet address 103.104.105.1
user@switch# set ge-0/1/0 unit 0 family inet filter output egress-router-corp-class
Results
address 103.104.105.1;
filter {
output egress-router-corp-class;
}
}
}
}
}
Verification
To confirm that the firewall filters are working properly, perform the following tasks:
Verifying that Firewall Filters and Policers are Operational on page 941
Verifying that Firewall Filters and Policers are Operational
Action
Verify the operational state of the firewall filters and policers that are configured on
the switch.
Use the operational mode command show firewall (see page 1160):
user@switch> show firewall
Filter: ingress-port-voip-class-limit-tcp-icmp
Counters:
Name                                                   Packets
icmp-counter                                                 0
tcp-counter                                                  0
Policers:
Name                                                   Packets
icmp-connection-policer                                      0
tcp-connection-policer                                       0
Filter: ingress-vlan-rogue-block
Filter: egress-vlan-watch-employee
Counters:
Name                                                   Packets
employee-web-counter                                         0
Meaning
The show firewall command displays the names of the firewall filters, policers, and
counters that are configured on the switch. The output fields show byte and packet
counts for all configured counters and the packet count for all policers. The zero
counts here mean that no packets have matched these terms yet; compare the
counts again after traffic has flowed (see Monitoring Traffic for All Firewall Filters
and Policers That Are Configured on the Switch on page 961).
Related Topics
Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
Chapter 51
Configuring Firewall Filters (CLI Procedure)
1. Specify the family address type for the filter.
For a firewall filter that is applied to a port or VLAN, specify the family
address type ethernet-switching (or bridge) to filter Layer 2 (Ethernet) packets
and Layer 3 (IP) packets, for example:
[edit firewall]
user@switch# set family ethernet-switching
For a firewall filter that is applied to a Layer 3 (routed) interface, specify the
family address type inet to filter IPv4 packets, for example:
[edit firewall]
user@switch# set family inet
2. Specify a name for the firewall filter, for example:
[edit firewall]
user@switch# set family ethernet-switching filter ingress-port-filter
The filter name can contain letters, numbers, and hyphens (-) and can be up to
64 characters long. Each filter name must be unique.
3. Specify a name for a term in the filter, for example:
[edit firewall family ethernet-switching filter ingress-port-filter]
user@switch# set term term-one
The term name can contain letters, numbers, and hyphens (-) and can be up to
64 characters long.
A firewall filter can contain one or more terms. Each term name must be unique
within a filter.
NOTE: For EX-series switches, the number of terms allowed per firewall filter cannot
exceed 2048. If you attempt to configure a firewall filter that exceeds this limit, the
switch returns the following message after the commit operation:
Number of filter terms 2048 exceeded: Only 2048 terms can be defined.
4. In each firewall filter term, specify the match conditions to use to match
components of a packet, for example a specific source-address and source-port,
at the [edit firewall family ethernet-switching filter ingress-port-filter term
term-one] hierarchy level.
You can specify one or more match conditions in a single from statement. For
a match to occur, the packet must match all the conditions in the term.
The from statement is optional, but if included in a term, the from statement
cannot be empty. If you omit the from statement, all packets are considered to
match.
5. In each firewall filter term, specify the actions to take if the packet matches all
the conditions in that term.
You can specify an action and/or action modifiers:
To specify a filter action, for example, to discard packets that match the
conditions of the filter term:
[edit firewall family ethernet-switching filter ingress-port-filter term
term-one]
user@switch# set then discard
You can specify no more than one action (accept or discard) per filter term.
You can specify action modifiers in the then statement, such as count (count the
packets that match the term), policer, forwarding-class and loss-priority, and
analyzer, all of which are used in the examples in this chapter; see Firewall Filter
Match Conditions and Actions for EX-series Switches on page 906 for the full list.
NOTE: We recommend that you configure a counter for each term in a firewall filter,
so that you can monitor the number of packets that match the conditions specified
in each filter term.
If you omit the then statement or do not specify an action, packets that match
all the conditions in the from statement are accepted. However, you should always
explicitly configure an action and/or action modifier in the then statement. You
can include no more than one action statement, but any combination of action
modifiers. For an action or action modifier to take effect, all conditions in the
from statement must match.
NOTE: Implicit discard is also applicable to a firewall filter applied to the loopback
interface, lo0.
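The five steps above, as an added worked example that is not code from the Juniper guide: a Python script that holds a filter as data, checks it against the rules just stated (name syntax and length, unique term names, the 2048-term limit, a from statement that is present but empty, at most one action per term) and emits the matching set commands. It also walks a packet through the terms in order to show the default accept of a term that has no action and the implicit discard at the end of the filter. The packet model (a dict of match-condition name to value) and prefix matching for the address conditions are this example's assumptions; the filter it builds is the ingress-vlan-rogue-block filter from the example earlier on this page.

```python
"""Build a Junos EX firewall filter as data, check it against the rules in the
procedure above, emit the 'set' commands, and show what a packet would hit.

Added example, not Juniper code.  The packet model (a dict of match-condition
name -> value) and the data layout below are assumptions of this example."""
import ipaddress
import re

NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")   # letters, digits, hyphens; <= 64 chars
MAX_TERMS = 2048                                # per-filter limit stated above
ACTIONS = ("accept", "discard")                 # at most one per term


def _check_name(name, what):
    if not NAME_RE.match(name):
        raise ValueError(f"{what} name {name!r}: use letters, digits, hyphens; 1-64 chars")


def filter_commands(filter_name, terms, family="ethernet-switching"):
    """Return the 'set' commands for a filter.

    terms: list of {"name": str,
                    "from": {condition: [values]}   (absent = match everything),
                    "then": [(keyword, value-or-None), ...]}"""
    _check_name(filter_name, "filter")
    if len(terms) > MAX_TERMS:
        raise ValueError(f"{len(terms)} terms: only {MAX_TERMS} terms can be defined")
    seen, cmds = set(), []
    for term in terms:
        name = term["name"]
        _check_name(name, "term")
        if name in seen:
            raise ValueError(f"duplicate term name {name!r}")
        seen.add(name)
        prefix = f"set firewall family {family} filter {filter_name} term {name}"
        conds = term.get("from")
        if conds is not None and not conds:
            raise ValueError(f"term {name}: a 'from' statement cannot be empty")
        for cond, values in (conds or {}).items():
            cmds.extend(f"{prefix} from {cond} {v}" for v in values)
        then = term.get("then", [])
        if sum(k in ACTIONS for k, _ in then) > 1:
            raise ValueError(f"term {name}: only one action (accept or discard) per term")
        cmds.extend(f"{prefix} then {k}" if v is None else f"{prefix} then {k} {v}"
                    for k, v in then)
    return cmds


def _matches(cond, values, packet):
    field = packet.get(cond)
    if field is None:
        return False
    if cond.endswith("-address"):   # prefix match; a bare address is a /32
        addr = ipaddress.ip_address(field)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    return str(field) in {str(v) for v in values}


def evaluate(terms, packet):
    """First-match evaluation of a packet against the filter's terms.

    Returns (term_name, action).  A matching term with no accept/discard accepts;
    a packet that matches no term falls to the implicit discard at the end."""
    for term in terms:
        conds = term.get("from") or {}          # no 'from' => every packet matches
        if all(_matches(c, vals, packet) for c, vals in conds.items()):
            actions = [k for k, _ in term.get("then", []) if k in ACTIONS]
            return term["name"], (actions[0] if actions else "accept")
    return None, "discard"


# The ingress-vlan-rogue-block filter from the example earlier in this chapter.
ROGUE_BLOCK = [
    {"name": "to-gatekeeper",
     "from": {"destination-address": ["192.0.2.14"], "destination-port": [80]},
     "then": [("accept", None)]},
    {"name": "from-gatekeeper",
     "from": {"source-address": ["192.0.2.14"], "source-port": [80]},
     "then": [("accept", None)]},
    {"name": "not-gatekeeper",
     "from": {"destination-port": [80]},
     "then": [("count", "rogue-counter"), ("discard", None)]},
]

if __name__ == "__main__":
    for line in filter_commands("ingress-vlan-rogue-block", ROGUE_BLOCK):
        print(line)
    # Constructed packets: HTTP to the gatekeeper, HTTP to some other host, and
    # non-HTTP traffic to the gatekeeper that no term matches (implicit discard).
    for pkt in ({"destination-address": "192.0.2.14", "destination-port": 80},
                {"destination-address": "192.0.2.99", "destination-port": 80},
                {"destination-address": "192.0.2.14", "destination-port": 5060}):
        print(pkt, "->", evaluate(ROGUE_BLOCK, pkt))
```

Running it prints the nine set commands from the quick configuration and the verdict for three constructed packets; the third, traffic to the gatekeeper on a port other than 80, matches no term and is discarded, which is the behaviour the NOTE above warns about.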
To apply a firewall filter to a port:
1. Specify the interface name and provide a meaningful description of the firewall
filter and the interface to which the filter is applied:
[edit interfaces]
user@switch# set ge-0/0/1 description "filter to limit tcp traffic filter
at trunk port for employee-vlan and voice-vlan"
2. Specify the unit number and family address type for the interface:
[edit interfaces]
user@switch# set ge-0/0/1 unit 0 family ethernet-switching
For firewall filters that are applied to ports, the family address type must be
ethernet-switching (or bridge).
3. Apply the firewall filter to filter packets that are entering the port:
[edit interfaces]
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-filter
You cannot apply a firewall filter to filter packets that are exiting ports.
NOTE: You can apply no more than one firewall filter per ingress port.
To apply a firewall filter to a VLAN:
1. Specify the VLAN name and VLAN ID and provide a meaningful description of
the firewall filter and the VLAN to which the filter is applied:
[edit vlans]
user@switch# set employee-vlan vlan-id 20
user@switch# set employee-vlan description "filter to rate limit traffic on employee-vlan"
2. Apply firewall filters to filter packets that are entering or exiting the VLAN:
To apply a firewall filter to filter packets that are entering the VLAN:
[edit vlans]
user@switch# set employee-vlan filter input ingress-vlan-filter
To apply a firewall filter to filter packets that are exiting the VLAN:
[edit vlans]
user@switch# set employee-vlan filter output egress-vlan-filter
NOTE: You can apply no more than one firewall filter per VLAN, per direction.
To apply a firewall filter to a Layer 3 (routed) interface:
1. Specify the interface name and provide a meaningful description of the firewall
filter and the interface to which the filter is applied:
[edit interfaces]
user@switch# set ge-0/1/0 description "filter to count and monitor
employee-vlan traffic on layer 3 interface"
2. Specify the unit number, family address type, and address for the interface:
[edit interfaces]
user@switch# set ge-0/1/0 unit 0 family inet address 10.10.10.1/24
For firewall filters applied to Layer 3 routed interfaces, the family address type
must be inet.
3. Apply firewall filters to filter packets that are entering or exiting the Layer 3
routed interface:
To apply a firewall filter to filter packets that are entering the Layer 3 interface,
include the filter input statement:
[edit interfaces]
user@switch# set ge-0/1/0 unit 0 family inet filter input ingress-router-filter
To apply a firewall filter to filter packets that are exiting the Layer 3 interface,
include the filter output statement:
[edit interfaces]
user@switch# set ge-0/1/0 unit 0 family inet filter output egress-router-filter
NOTE: You can apply no more than one firewall filter per Layer 3 interface, per
direction.
NOTE: Ingress firewall filters applied to the loopback interface, lo0, affect all inbound
traffic destined for the CPU.
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
The J-Web firewall filter pages use the following fields (summary of the field tables
on pages 950 through 953). To add a filter, a term, or an association, click Add, fill in
the fields, and click OK.
Filter tab
Filter type: select one.
Filter name: enter a name.
Term Up: select this option to move a term up in the filter term list.
Term Down: select this option to move a term down in the filter term list.
Association tab
Port Associations and VLAN Associations: click Add, select the ports or VLANs, and click OK.
Term fields
Term Name: enter a name.
Protocols, Source/Destination, More: match conditions for the term.
ICMP Type: specifies the ICMP packet type field. Typically, you specify this match
in conjunction with the protocol match to determine which protocol is being used
on the port.
ICMP Code: select one of Parameter-problem, Redirect, Time-exceeded, Unreachable.
Fragment Flags, TCP Flags, IP Precedence: select one.
Ether Type: select one of Arp, Dot 1q.
dot1q-tag: specifies the tag field in the Ethernet header. Values can be from 1
through 4095. In place of the numeric value, you can specify one of the following
text synonyms (the field values are also listed): background (1), video (5), voice (6).
Select VLAN: enter a value.
Count: specifies the count of the number of packets that pass this filter, term,
or policer. Enter a value.
Action: select one of Accept, Discard.
Forwarding Class: select one of assured-forwarding, best-effort, expedited-forwarding,
network-control, user-defined.
Loss Priority: select one.
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
A maximum of 512 policers can be configured for VLAN and Layer 3 firewall
filters.
If the policer configuration exceeds this limit, the switch returns the following
message after the commit operation:
Cannot assign policers: Max policer limit reached
Configuring Policers
To configure a policer:
1. Specify a name for the policer, for example:
[edit firewall]
user@switch# set policer policer-one
The policer name can contain letters, numbers, and hyphens (-) and can be up
to 64 characters long.
2. Specify the bandwidth limit in bits per second (bps) to control the traffic rate
on an interface:
[edit firewall policer policer-one]
user@switch# set if-exceeding bandwidth-limit 300k
Specify the maximum allowed burst size, in bytes, to control the amount of traffic
bursting:
[edit firewall policer policer-one]
user@switch# set if-exceeding burst-size-limit 500k
To determine the value for the burst-size limit, multiply the bandwidth of
the interface on which the filter is applied by the amount of time to allow a
burst of traffic at that bandwidth to occur:
burst size = bandwidth * allowable time for burst traffic
Because the bandwidth limit is in bits per second and the burst-size limit is in
bytes, convert the product to bytes (divide by 8).
The range for the burst-size limit is 1 through 2,147,450,880 bytes.
3. Specify the policer action discard to discard packets that exceed the rate limits:
[edit firewall policer]
user@switch# set policer-one then discard
NOTE: You can include policer actions on ingress firewall filters only.
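The policer configured in the three steps above, as an added example that is not code from the Juniper guide: a Python token-bucket model of policer-one (bandwidth-limit 300k, burst-size-limit 500k, then discard), with the k and m suffix parsing and the burst-size arithmetic from step 2. Modelling the two parameters as one bucket whose depth is the burst size and whose refill rate is the bandwidth limit is this example's assumption about how they interact, not a description of the switch's hardware; the traffic it runs through the policer is constructed.

```python
"""Token-bucket model of the policer configured above.

Added example, not code from the Juniper guide.  bandwidth-limit is in bits per
second and burst-size-limit in bytes, as the procedure states; treating the pair
as a single token bucket (depth = burst size, refill = bandwidth) is this
example's assumption, not a description of the switch's hardware."""

BURST_MIN, BURST_MAX = 1, 2_147_450_880     # bytes; the range given in step 2


def parse_rate(text):
    """Accept the k (thousand) and m (million) suffixes used in the CLI:
    '300k' -> 300000, '2m' -> 2000000, '4096' -> 4096."""
    text = text.strip().lower()
    mult = {"k": 1_000, "m": 1_000_000}
    if text[-1] in mult:
        return int(text[:-1]) * mult[text[-1]]
    return int(text)


def burst_size_bytes(bandwidth_bps, burst_seconds):
    """burst size = bandwidth * allowable time for burst traffic, converted to
    bytes because bandwidth-limit is bits/s and burst-size-limit is bytes."""
    size = int(bandwidth_bps * burst_seconds) // 8
    if not BURST_MIN <= size <= BURST_MAX:
        raise ValueError(f"burst size {size} is outside {BURST_MIN}..{BURST_MAX} bytes")
    return size


class Policer:
    """if-exceeding { bandwidth-limit; burst-size-limit } ... then discard."""

    def __init__(self, bandwidth_limit, burst_size_limit):
        self.rate = parse_rate(bandwidth_limit) / 8.0  # refill, bytes per second
        self.depth = parse_rate(burst_size_limit)      # bucket depth, bytes
        self.tokens = float(self.depth)                # bucket starts full
        self.last = 0.0                                # time of the last packet
        self.exceeded = 0                              # what 'show policer' reports

    def offer(self, t, size):
        """Offer a `size`-byte packet at time t (seconds, non-decreasing).
        True: within limits.  False: exceeds the rate limit (discarded)."""
        self.tokens = min(self.depth, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        self.exceeded += 1
        return False


def run(policer, packets):
    """Pass (time, size) packets through the policer; return (passed, discarded)."""
    passed = discarded = 0
    for t, size in packets:
        if policer.offer(t, size):
            passed += 1
        else:
            discarded += 1
    return passed, discarded


if __name__ == "__main__":
    # policer-one from the procedure: 300 kbps, 500 kB burst.
    p = Policer("300k", "500k")
    # Constructed traffic: 600 packets of 1000 bytes arriving at once, then 40 more
    # one second later.  The first burst drains the bucket; one second of refill
    # at 37,500 bytes/s lets only 37 of the later packets through.
    print(run(p, [(0.0, 1000)] * 600))   # (500, 100)
    print(run(p, [(1.0, 1000)] * 40))    # (37, 3)
    print("packets exceeding the limit:", p.exceeded)
    print("burst for 300 kbps over 2 s:", burst_size_bytes(300_000, 2.0), "bytes")
```

The point to take from the run is that the burst-size limit, not the bandwidth limit, decides how much an attacker or a misbehaving host can push through before the policer starts discarding: 500 kB at 300 kbps is more than 13 seconds of line rate in one burst, so size the burst for the legitimate traffic pattern rather than leaving it large.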
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure)
A multifield classifier in a firewall filter assigns a matching packet to one of the
forwarding classes, each of which is mapped to an output queue: best-effort,
assured-forwarding, expedited-forwarding, or network-control.
To assign a multifield classifier in a firewall filter:
1. Configure the family name and filter name for the filter at the [edit firewall]
hierarchy level, for example:
[edit firewall]
user@switch# set family ethernet-switching
user@switch# set family ethernet-switching filter ingress-filter
2.
Configure the terms of the filter, including the forwarding-class and loss-priority
action modifiers as appropriate. When you specify a forwarding class you must
also specify the packet loss priority. For example, each of the following terms
examines different packet header fields and assigns an appropriate classifier
and the packet loss priority:
The term voice-traffic matches packets on the voice-vlan and assigns the
forwarding class expedited-forwarding and packet loss priority low:
[edit firewall family ethernet-switching filter ingress-filter]
user@switch# set term voice-traffic from vlan-id voice-vlan
user@switch# set term voice-traffic then forwarding-class
expedited-forwarding
user@switch# set term voice-traffic then loss-priority low
The last term accept-traffic matches any packets that did not match on any
of the preceding terms and assigns the forwarding class best-effort and packet
loss priority low:
[edit firewall family ethernet-switching filter ingress-filter]
user@switch# set term accept-traffic then forwarding-class best-effort
user@switch# set term accept-traffic then loss-priority low
user@switch# set term accept-traffic then accept
3. Apply the filter ingress-filter to a port, VLAN or Layer 3 interface. For information
about applying the filter, see Configuring Firewall Filters (CLI
Procedure) on page 945.
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
Chapter 52
After you configure and apply firewall filters to ports, VLANs, or Layer 3 interfaces,
you can perform the following task to verify that the firewall filters configured on
EX-series switches are working properly.
Action
Use the operational mode command show firewall (see page 1160) to verify that the
firewall filters on the switch are working properly:
user@switch> show firewall
Filter: egress-vlan-watch-employee
Counters:
Name                                      Bytes        Packets
employee-web-counter                          0              0
Filter: ingress-port-voip-class-limit-tcp-icmp
Counters:
Name                                      Bytes        Packets
icmp-counter                                  0              0
Policers:
Name                                                   Packets
icmp-connection-policer                                      0
tcp-connection-policer                                       0
Filter: ingress-vlan-rogue-block
Filter: ingress-vlan-limit-guest
Meaning
The show firewall command displays the names of all firewall filters, policers, and
counters that are configured on the switch. For each counter that is specified in a
filter configuration, the output field shows the byte count and packet count for the
term in which the counter is specified. For each policer that is specified in a filter
configuration, the output field shows the packet count for packets that exceed the
specified rate limits.
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
After you configure policers and include them in firewall filter configurations, you
can perform the following task to verify that the policers configured on EX-series
switches are working properly.
Action
Use the operational mode command show policer (see page 1160) to verify that the
policers on the switch are working properly:
user@switch> show policer
Filter: egress-vlan-watch-employee
Filter: ingress-port-filter
Filter: ingress-port-voip-class-limit-tcp-icmp
Policers:
Name                                                   Packets
icmp-connection-policer                                      0
tcp-connection-policer                                       0
Filter: ingress-vlan-rogue-block
Filter: ingress-vlan-limit-guest
Meaning
The show policer command displays the names of all firewall filters and policers that
are configured on the switch. For each policer that is specified in a filter configuration,
the output field shows the current packet count for all packets that exceed the
specified rate limits.
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
Monitoring Traffic for All Firewall Filters and Policers That Are Configured on
the Switch on page 961
Monitoring Traffic for All Firewall Filters and Policers That Are Configured on the Switch
Purpose
Monitor the number of packets and bytes that matched the firewall filters and the
number of packets that exceeded policer rate limits.
Action
Use the operational mode command show firewall (see page 1160):
user@switch> show firewall
Filter: egress-vlan-watch-employee
Counters:
Name                                      Bytes        Packets
employee-web-counter                       3348             27
Filter: ingress-port-voip-class-limit-tcp-icmp
Counters:
Name                                      Bytes        Packets
icmp-counter                               4100             49
Policers:
Name                                                   Packets
icmp-connection-policer                                      0
tcp-connection-policer                                       0
Filter: ingress-vlan-rogue-block
Filter: ingress-vlan-limit-guest
Meaning
The show firewall command displays the names of all firewall filters, policers, and
counters that are configured on the switch. The output fields show byte and packet
counts for counters and packet count for policers.
Action
To monitor the number of packets and bytes that matched a single firewall filter and
the number of packets that exceeded its policer rate limits, use the operational mode
command:
user@switch> show firewall filter ingress-vlan-rogue-block
Filter: ingress-vlan-rogue-block
Counters:
Name                                      Bytes        Packets
rogue-counter                              2308             20
Meaning
The show firewall filter filter-name command displays the name of the firewall filter,
the packet and byte count for all counters configured with the filter, and the packet
count for all policers configured with the filter. Here rogue-counter shows that the
not-gatekeeper term has already discarded 20 packets, that is, 20 HTTP requests on
voice-vlan were addressed to something other than the gatekeeper; a count that
keeps rising between polls is the signal to investigate.
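The two monitoring tasks above, as an added example that is not code from the Juniper guide: a Python parser for the show firewall output in the layout shown, plus a comparison of two polls that reports which counters and policers moved, so that an operator can raise an alert when rogue-counter (packets discarded by the not-gatekeeper term) or a policer's exceeded count increases. The two samples are constructed: the first reuses the values shown above, the second is the same output a few minutes later with rogue-counter and tcp-connection-policer advanced. The column layout (Name, Bytes, Packets for counters; Name, Packets for policers) is assumed to be what the parser receives.

```python
"""Parse 'show firewall' output and flag counters that moved between two polls.

Added example, not code from the Juniper guide.  The samples are constructed;
the parser assumes the column layout shown above (Name / Bytes / Packets for
counters, Name / Packets for policers)."""


def sample_output(rogue_bytes, rogue_pkts, tcp_exceeded):
    """Constructed 'show firewall' text in the layout shown above.  The fixed
    values are the ones from the page; the parameters are the ones that move."""
    c = lambda name, b, p: f"{name:<40}{b:>8}{p:>12}"      # counter row
    pol = lambda name, p: f"{name:<48}{p:>12}"              # policer row
    return "\n".join([
        "Filter: egress-vlan-watch-employee",
        "Counters:",
        c("Name", "Bytes", "Packets"),
        c("employee-web-counter", 3348, 27),
        "Filter: ingress-port-voip-class-limit-tcp-icmp",
        "Counters:",
        c("Name", "Bytes", "Packets"),
        c("icmp-counter", 4100, 49),
        "Policers:",
        pol("Name", "Packets"),
        pol("icmp-connection-policer", 0),
        pol("tcp-connection-policer", tcp_exceeded),
        "Filter: ingress-vlan-rogue-block",
        "Counters:",
        c("Name", "Bytes", "Packets"),
        c("rogue-counter", rogue_bytes, rogue_pkts),
        "Filter: ingress-vlan-limit-guest",
    ]) + "\n"


SAMPLE_BEFORE = sample_output(2308, 20, 0)      # values shown on this page
SAMPLE_AFTER = sample_output(2654, 23, 512)     # constructed: a later poll


def parse_show_firewall(text):
    """Return {filter: {"counters": {name: (bytes, packets)},
                        "policers": {name: packets}}}."""
    result, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Filter:"):
            current = line.split(":", 1)[1].strip()
            result[current] = {"counters": {}, "policers": {}}
            section = None
        elif line in ("Counters:", "Policers:"):
            section = line[:-1].lower()
        elif line.startswith("Name ") or current is None or section is None:
            continue                        # column header, or text outside a table
        else:
            fields = line.split()
            if section == "counters" and len(fields) == 3:
                result[current]["counters"][fields[0]] = (int(fields[1]), int(fields[2]))
            elif section == "policers" and len(fields) == 2:
                result[current]["policers"][fields[0]] = int(fields[1])
    return result


def packet_deltas(before, after):
    """[(filter, kind, name, packets_since_last_poll)] for every counter or policer
    whose packet count rose.  Counters count term matches; policer counts are
    packets that exceeded the rate limit."""
    out = []
    for flt, tables in after.items():
        prev = before.get(flt, {"counters": {}, "policers": {}})
        for name, (_, pkts) in tables["counters"].items():
            delta = pkts - prev["counters"].get(name, (0, 0))[1]
            if delta > 0:
                out.append((flt, "counter", name, delta))
        for name, pkts in tables["policers"].items():
            delta = pkts - prev["policers"].get(name, 0)
            if delta > 0:
                out.append((flt, "policer", name, delta))
    return out


def rogue_http_alert(before, after, threshold=1):
    """Packets discarded by the not-gatekeeper term since the last poll, if at
    least `threshold`; each one was an HTTP request on voice-vlan to something
    other than the gatekeeper.  Returns 0 when there is nothing to report."""
    for flt, kind, name, delta in packet_deltas(before, after):
        if (flt, kind, name) == ("ingress-vlan-rogue-block", "counter", "rogue-counter"):
            return delta if delta >= threshold else 0
    return 0


if __name__ == "__main__":
    before = parse_show_firewall(SAMPLE_BEFORE)
    after = parse_show_firewall(SAMPLE_AFTER)
    for entry in packet_deltas(before, after):
        print(entry)
    print("rogue HTTP packets since last poll:", rogue_http_alert(before, after))
```

In production the two texts would come from successive show firewall runs over the management session rather than from sample_output; comparing packet counts between polls, rather than looking at the absolute value, is what turns a counter that the page uses for verification into a detection signal.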
Action
To monitor the number of packets that exceeded the rate limits of a single policer,
use the operational mode command show policer policer-name (see page 1160):
user@switch> show policer tcp-connection-policer
Filter: ingress-port-voip-class-limit-tcp-icmp
Policers:
Name                                                   Packets
tcp-connection-policer                                       0
Meaning
The show policer policer-name command displays the name of the firewall filter that
specifies the policer action and the number of packets that exceeded the rate
limits for the specified policer.
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
Chapter 53
Problem
When a firewall filter configuration exceeds the amount of available TCAM space,
the switch returns the following syslogd message:
No space available in tcam.
Rules for filter filter-name will not be installed.
The switch returns this message during the commit operation if the firewall filter
that has been applied to a port, VLAN, or Layer 3 interface exceeds the amount of
available TCAM space. The commit operation itself still completes in the CLI, so the
configuration looks correct, but the filter is not installed in hardware and the
traffic at that bind point is not subject to it. Check the system log for this message
after any commit that adds filter terms.
Solution
When a firewall filter configuration exceeds the amount of available TCAM table
space, you must configure a new firewall filter with fewer filter terms so that the
space requirements for the filter do not exceed the available space in the TCAM table.
You can perform either of the following procedures to correct the problem:
To delete the firewall filter and its bind points and apply the new smaller firewall
filter to the same bind points:
1. Delete the firewall filter configuration and the bind points to ports, VLANs, or
Layer 3 interfaces, for example:
[edit]
user@switch# delete firewall family ethernet-switching filter filter-ingress-vlan
user@switch# delete vlans voice-vlan description "filter to block rogue devices on voice-vlan"
user@switch# delete vlans voice-vlan filter input filter-ingress-vlan
2. Commit the configuration:
[edit]
user@switch# commit
3. Configure a smaller filter with fewer terms that does not exceed the amount of
available TCAM space on the switch, for example:
[edit]
user@switch# set firewall family ethernet-switching filter new-filter-ingress-vlan ...
4. Apply (bind) the new firewall filter to a port, VLAN, or Layer 3 interface, for
example:
[edit]
user@switch# set vlans voice-vlan description "filter to block rogue devices on voice-vlan"
user@switch# set vlans voice-vlan filter input new-filter-ingress-vlan
5. Commit the configuration:
[edit]
user@switch# commit
To apply a new firewall filter and overwrite the existing bind points:
1. Configure a firewall filter with fewer terms than the original filter:
[edit]
user@switch# set firewall family ethernet-switching filter new-filter-ingress-vlan ...
2. Apply the firewall filter to the port, VLAN, or Layer 3 interfaces to overwrite the
bind points of the original filter, for example:
[edit]
user@switch# set vlans voice-vlan description "smaller filter to block rogue devices on voice-vlan"
user@switch# set vlans voice-vlan filter input new-filter-ingress-vlan
3. Commit the configuration:
[edit]
user@switch# commit
Only the original bind points, and not the original firewall filter itself, are replaced;
the original filter stays in the configuration until you delete it.
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
Chapter 54
Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches
Statement and description:
family family-name { ... }: the family-name option specifies the version or type of
addressing protocol.
filter filter-name { ... }
term term-name { ... }
from { match-conditions; }: the from statement is optional. If you omit it, all packets
are considered to match.
then { action; action-modifiers; }
policer policer-name { ... }
if-exceeding { bandwidth-limit bps; burst-size-limit bytes; }: the values can carry the
suffix k (thousand) or m (million).
JUNOS software for EX-series switches does not support some of the firewall filter
statements that are supported by other JUNOS software packages. Table 137 on page
970 shows the firewall filter statements that are not supported by JUNOS Software
for EX-series switches.
Table 137: Firewall Filter Statements That Are Not Supported byJUNOS Software for EX-series switches
Statements not supported
interface-set interface-set-name {
}
load-balance-group group-name {
}
three-color-policer name {
}
logical-interface-policer;
single-rate {
}
two-rate {
}
prefix-action name {
}
prefix-policer {
}
service-filter filter-name {
}
simple-filter simple-filter-name {
}
accounting-profile name;
interface-specific;
filter-specific;
logical-bandwidth-policer;
logical-interface-policer;
bandwidth-percent number;
Related Topics
Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
bandwidth-limit
Syntax
bandwidth-limit bps;
Hierarchy Level
[edit firewall policer policer-name if-exceeding]
Release Information
Description
Options
k (thousand)
m (million)
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
burst-size-limit
Syntax
burst-size-limit bytes;
Hierarchy Level
[edit firewall policer policer-name if-exceeding]
Release Information
Description
Options
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
family
Syntax
family family-name {
  filter filter-name {
    term term-name {
      from {
        match-conditions;
      }
      then {
        action;
        action-modifiers;
      }
    }
  }
}
Hierarchy Level
[edit firewall]
Release Information
Description
Options
Related Topics
Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
filter
Syntax
filter filter-name {
  term term-name {
    from {
      match-conditions;
    }
    then {
      action;
      action-modifiers;
    }
  }
}
Hierarchy Level
[edit firewall family family-name]
Release Information
Description
Options
and hyphens (-), and can be up to 64 characters long. To include spaces in the name, enclose it in quotation marks.
The remaining statements are explained separately.
Required Privilege Level
Related Topics
Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
filter
Syntax
Hierarchy Level
Release Information
Description
Default
All incoming traffic is accepted unmodified on the port or Layer 3 interface, and all outgoing traffic is sent unmodified from the port or Layer 3 interface.
Options
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
from
Syntax
from {
  match-conditions;
}
Hierarchy Level
[edit firewall family family-name filter filter-name term term-name]
Release Information
Description
outgoing packets must contain for a match. You can specify one or more match conditions. If you specify more than one, they all must match for a match to occur and for the action in the then statement to be taken.
Options
Required Privilege Level
Related Topics
Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
if-exceeding
Syntax
if-exceeding {
  bandwidth-limit bps;
  burst-size-limit bytes;
}
Hierarchy Level
[edit firewall policer policer-name]
Release Information
Description
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
policer
Syntax
policer policer-name {
  if-exceeding {
    bandwidth-limit bps;
    burst-size-limit bytes;
  }
  then {
    policer-action;
  }
}
Hierarchy Level
[edit firewall]
Release Information
Description
Configure policer rate limits and actions. To activate a policer, you must include the
policer action modifier in the then statement in a firewall filter term. Each policer
that you configure includes an implicit counter. To ensure term-specific packet counts,
you configure a policer for each term in the filter that requires policing.
Options
policer-name: Name that identifies the policer. The name can contain letters, numbers,
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
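As an added illustration (not from this guide), the following Python model shows how a policer's bandwidth-limit and burst-size-limit interact and how the implicit counter described above accumulates: a token bucket refilled at the bandwidth limit and capped at the burst size, counting every packet that finds too few tokens. The policer name, the 1m/15k values and the packet timings are constructed for the example, and the whole-millisecond time base is a simplification of the hardware.

```python
from dataclasses import dataclass, field

# Unit suffixes the guide lists for bandwidth-limit and burst-size-limit.
UNITS = {"k": 1_000, "m": 1_000_000}


def parse_quantity(value):
    """'1m' -> 1000000, '15k' -> 15000, '64000' -> 64000."""
    value = str(value).strip().lower()
    if value and value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)


@dataclass
class Policer:
    """Single-rate, two-colour token bucket (a model, not the switch's own code):
    bandwidth-limit refills the bucket, burst-size-limit caps it, and a packet that
    finds too few tokens is out of profile. Time is tracked in whole milliseconds."""
    name: str
    bandwidth_limit: str          # bits per second, e.g. "1m"
    burst_size_limit: str         # bytes, e.g. "15k"
    bps: int = field(init=False)
    burst: int = field(init=False)
    tokens: int = field(init=False)
    last_ms: int = 0
    # The implicit counter every policer carries (the Packets/Bytes shown by show firewall).
    exceeded_packets: int = 0
    exceeded_bytes: int = 0

    def __post_init__(self):
        self.bps = parse_quantity(self.bandwidth_limit)
        self.burst = parse_quantity(self.burst_size_limit)
        self.tokens = self.burst          # bucket starts full

    def offer(self, now_ms, length):
        """Return 'in-profile' or 'out-of-profile' for a packet of `length` bytes at `now_ms`."""
        if now_ms < self.last_ms:
            raise ValueError("packets must be offered in time order")
        refill = (now_ms - self.last_ms) * self.bps // 8000   # bits/s -> bytes per millisecond
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if length <= self.tokens:
            self.tokens -= length
            return "in-profile"
        self.exceeded_packets += 1
        self.exceeded_bytes += length
        return "out-of-profile"

    def stats(self):
        """Mirror of the Policers section of show firewall for this policer."""
        return {"Name": self.name, "Packets": self.exceeded_packets, "Bytes": self.exceeded_bytes}


def run_burst_demo():
    """Constructed scenario: a 1 Mbps policer with a 15,000-byte burst receives eleven
    1500-byte frames at t=0, then one more frame 12 ms later."""
    p = Policer("demo-policer", "1m", "15k")
    verdicts = [p.offer(0, 1500) for _ in range(11)]   # bucket empties after ten frames
    verdicts.append(p.offer(12, 1500))                  # 12 ms at 125 bytes/ms refills exactly one frame
    return verdicts, p.stats()


if __name__ == "__main__":
    verdicts, stats = run_burst_demo()
    print(verdicts)
    print(stats)
```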
term
Syntax
term term-name {
  from {
    match-conditions;
  }
  then {
    action;
    action-modifiers;
  }
}
Hierarchy Level
[edit firewall family family-name filter filter-name]
Release Information
Description
Options
and hyphens (-), and can be up to 64 characters long. To include spaces in the name, enclose it in quotation marks.
The remaining statements are explained separately.
Required Privilege Level
Related Topics
Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
then
Syntax
then {
  action;
  action-modifiers;
}
Hierarchy Level
[edit firewall family family-name filter filter-name term term-name]
Release Information
Description
Options
in a filter term.
action-modifiers: Additional actions to analyze, classify, count, or police packets that
Related Topics
Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
then
Syntax
then {
  policer-action;
}
Hierarchy Level
[edit firewall policer policer-name]
Release Information
Description
Options
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
Chapter 55
clear firewall
Syntax
clear firewall
<all>
<counter counter-name>
<filter filter-name>
Release Information
Description
Options
filter.
Required Privilege Level
clear
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
show firewall
Syntax
show firewall
<counter counter-name>
<filter filter-name>
Release Information
Description
Options
counter.
filter filter-name: (Optional) Display statistics about a particular firewall filter.
Required Privilege Level
view
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
Output Fields
Field Name | Field Description | Level of Output
Filter | Name of the filter that is configured with the filter statement at the [edit firewall] hierarchy level. | All levels
Counters | Name: Name of a filter counter that has been configured with the counter firewall filter action. Bytes: Number of bytes that match the filter term where the counter action was specified. | All levels
Policers | Name: Name of policer. Packets: Number of packets that matched the filter term where the policer action was specified. This is the number of packets that exceed the rate limits that the policer specifies. | All levels
Release Information
Description
Options
Required Privilege Level
view
Output Fields
Field Name | Field Description | Level of Output
Interface | | All levels
Admin | | All levels
Link | | All levels
Proto | | All levels
Input Filter | Name of the firewall filter to be evaluated when packets are received on the interface. | All levels
Output Filter | | All levels
Release Information
Description
Options
interface.
Required Privilege Level
view
Related Topics
Output Fields
Field Name | Field Description | Level of Output
Interface | | All levels
Admin | | All levels
Link | | All levels
Proto | | All levels
Input Policer | Policer to be evaluated when packets are received on the interface. It has the format interface-name-in-policer. | All levels
Output Policer | | All levels
show policer
Syntax
show policer
<policer-name>
Release Information
Description
Options
Required Privilege Level
view
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
Output Fields
Field Name | Field Description | Level of Output
Filter | Name of filter that is configured with the filter statement at the [edit firewall] hierarchy level. | All levels
Policers | Name: Name of policer. Packets: Number of packets that matched the filter term where the policer action is specified. This is the number of packets that exceed the rate limits that the policer specifies. | All levels
Sample Output (show policer): Filter: ingress-vlan-rogue-block, listing the policers icmp-connection-policer and tcp-connection-policer with 0 packets each.
Part 12
CoS
Chapter 56
Understanding CoS
treatment of traffic across the network. For example, voice traffic can be sent across
certain links, and data traffic can use other links. In addition, the data traffic streams
can be serviced differently along the network path to ensure that higher-paying
customers receive better service. As the traffic leaves the network at the far edge,
you can reclassify the traffic to meet the policies of the targeted peer.
To support CoS, you must configure each switch in the network. Generally, each
switch examines the packets that enter it to determine their CoS settings. These
settings then dictate which packets are transmitted first to the next downstream
switch. Switches at the edges of the network might be required to alter the CoS
settings of the packets that enter the network to classify the packet into the
appropriate service group.
Figure 51 on page 994 represents the network scenario of an enterprise. Switch A is
receiving traffic from various network nodes such as desktop computers, servers,
surveillance cameras, and VoIP telephones. As each packet enters, Switch A examines
the packet's CoS settings and classifies the traffic into one of the groupings defined
by the enterprise. This definition allows Switch A to prioritize resources for servicing
the traffic streams it receives. Switch A might alter the CoS settings of the packets
to better match the enterprise's traffic groups.
When Switch B receives the packets, it examines the CoS settings, determines the
appropriate traffic group, and processes the packet according to those settings. It
then transmits the packets to Switch C, which performs the same actions. Switch D
also examines the packets and determines the appropriate group. Because Switch
D sits at the far end of the network, it might alter the CoS settings of the packets
before transmitting them.
Figure 51: Packet Flow Across the Network
Code-Point Aliases
A code-point alias assigns a name to a pattern of code-point bits. You can use this
name instead of the bit pattern when you configure other CoS components such as
classifiers, drop-profile maps, and rewrite rules.
Policers
Policers limit traffic of a certain class to a specified bandwidth and burst size. Packets
exceeding the policer limits can be discarded. You define policers with filters that
can be associated with input interfaces.
For more information about policers, see Understanding the Use of Policers in
Firewall Filters on page 921.
NOTE: You can configure policers to discard packets that exceed the rate limits. If
you want to configure CoS parameters such as loss-priority and forwarding-class, you
must use firewall filters.
Classifiers
Packet classification associates incoming packets with a particular CoS servicing
level. In JUNOS software, classifiers associate packets with a forwarding class and
loss priority and, based on the associated forwarding class, assign packets to output
queues. JUNOS software supports two general types of classifiers:
Forwarding Classes
Forwarding classes group the packets for transmission. Based on forwarding classes,
you assign packets to output queues. Forwarding classes affect the forwarding,
scheduling, and marking policies applied to packets as they transit a switching
platform. By default, four categories of forwarding classes are defined: best effort,
assured forwarding, expedited forwarding, and network control. For EX-series
switches, 16 forwarding classes are supported, providing granular classification
capability.
Schedulers
Each switch interface has multiple queues assigned to store packets. The switch
determines which queue to service based on a particular method of scheduling. This
process often involves determining which type of packet should be transmitted before
another. You can define the priority, bandwidth, delay buffer size, and tail drop
profiles to be applied to a particular queue for packet transmission.
A scheduler map associates a specified forwarding class with a scheduler configuration.
You can associate up to four user-defined scheduler maps with the interfaces.
Rewrite Rules
A rewrite rule sets the appropriate CoS bits in the outgoing packet thus allowing the
next downstream device to classify the packet into the appropriate service group.
Rewriting, or marking, outbound packets is useful when the switch is at the border
of a network and must alter the CoS values to meet the policies of the targeted peer.
NOTE: Rewrite rules are applied when the packets are routed. Rewrite rules are not
applied when the packets are forwarded.
Egress firewall filters can also assign forwarding class and loss priority so that the
packets are rewritten based on forwarding class and loss priority.
Related Topics
Mapping (DSCP code-point aliases)
Alias | Code point
ef | 101110
af11 | 001010
af12 | 001100
af13 | 001110
af21 | 010010
af22 | 010100
af23 | 010110
af31 | 011010
af32 | 011100
af33 | 011110
af41 | 100010
af42 | 100100
af43 | 100110
be | 000000
cs1 | 001000
cs2 | 010000
cs3 | 011000
cs4 | 100000
cs5 | 101000
nc1/cs6 | 110000
nc2/cs7 | 111000
Mapping (three-bit code-point aliases)
Alias | Code point
be | 000
be1 | 001
ef | 010
ef1 | 011
af11 | 100
af12 | 101
nc1/cs6 | 110
nc2/cs7 | 111
Related Topics
For a specified interface, you can configure both an MF classifier and a BA classifier
without conflicts. In such cases, BA classification is performed first, followed by MF
classification. If the two disagree, the MF classifier overrides the BA classification result.
NOTE: When a source MAC address is learned, the frame that contains the source
MAC address is always sent out on queue 0 while egressing from the network
interface, irrespective of the classifier applied to the ingress interface.
IP precedence bits
NOTE: Although you can configure many classifiers, you can apply only one classifier
on the switch. Whenever you apply a new classifier, you must explicitly remove the
currently applied classifier and then apply the new classifier.
Default BA Classification
Interface type | Default classifier
Trunk interface | ieee8021p-default
Layer 3 interface | dscp-default
Access interface | Untrusted
When you explicitly associate a classifier with a logical interface, you are in effect
overriding the implicit default classifier with an explicit classifier.
NOTE: By default, all BA classifiers classify traffic into either best-effort forwarding
class or network-control forwarding class.
Multifield Classifiers
Multifield classifiers examine multiple fields in the packet such as source and
destination addresses and source and destination port numbers of the packet. With
MF classifiers, you set the forwarding class and loss priority of a packet based on
firewall filter rules.
MF classification is normally performed at the network edge because of the general
lack of DiffServ Code Point (DSCP) or IP precedence support in end-user applications.
On an edge switch, an MF classifier provides the filtering functionality that scans
through a variety of packet fields to determine the forwarding class for a packet.
Typically, a classifier performs matching operations on the selected fields against a
configured value.
Related Topics
Expedited forwarding (EF): Provides a low loss, low latency, low jitter, assured bandwidth, end-to-end service.
Assured forwarding (AF): Provides a group of values you can define and includes four subclasses: AF1, AF2, AF3, and AF4, each with two drop probabilities: low and high.
Best effort (BE): Provides no service profile. Loss priority is typically not carried in a class-of-service (CoS) value.
Comments
best-effort (be)
The software does not apply any special CoS handling to packets with 000000 in
the DiffServ field. This is a backward compatibility feature. These packets are usually
dropped under congested network conditions.
expedited-forwarding (ef)
The software delivers assured bandwidth, low loss, low delay, and low delay variation
(jitter) end-to-end for packets in this service class. Software accepts excess traffic in
this class, but in contrast to assured forwarding class, out-of-profile
expedited-forwarding class packets can be forwarded out of sequence or dropped.
assured-forwarding (af)
The software offers a high level of assurance that the packets are delivered as long
as the packet flow from the customer stays within a certain service profile that you
define.
The software accepts excess traffic, but applies a tail drop profile to determine if the
excess packets are dropped and not forwarded.
Up to two drop probabilities (low and high) are defined for this service class.
network-control (nc)
The software delivers packets in this service class with a high priority. (These packets
are not delay-sensitive.)
Typically, these packets represent routing protocol hello or keepalive messages.
Because loss of these packets jeopardizes proper network operation, packet delay
is preferable to packet discard.
Related Topics
CoS configurations that specify more queues than the switch can support are
not accepted. The commit fails with a detailed message that states the total
number of queues available.
All default CoS configurations are based on queue number. The name of the
forwarding class that shows up when the default configuration is displayed is
the forwarding class currently associated with that queue.
NOTE: The default drop profile associated with the packets whose loss priority is low
cannot be modified. You can configure custom drop profile only for those packets
whose loss priority is high.
Related Topics
Default Schedulers
Each forwarding class has an associated scheduler priority. Only two forwarding
classes, best-effort and network-control (queue 0 and queue 7), are used in the default
scheduler configuration.
By default, the best-effort forwarding class (queue 0) receives 95 percent of the
bandwidth and buffer space for the output link, and the network-control forwarding
class (queue 7) receives 5 percent. The default drop profile causes the buffer to fill
completely and then to discard all incoming packets until it has space.
The expedited-forwarding and assured-forwarding classes have no schedulers because,
by default, no resources are assigned to queue 5 and queue 1. However, you can
manually configure resources for the expedited-forwarding and assured-forwarding
classes.
Also by default, each queue can exceed the assigned bandwidth if additional
bandwidth is available from other queues. When a forwarding class does not fully
use the allocated transmission bandwidth, the remaining bandwidth can be used by
other forwarding classes if they receive a larger amount of offered load than their
allocated bandwidth allows.
Transmission Rate
The transmission-rate control determines the actual traffic bandwidth from each
forwarding class you configure. The rate is specified in bits per second. Each queue
is allocated some portion of the bandwidth of the outgoing interface.
This bandwidth amount can be a fixed value, such as 1 megabit per second (Mbps),
a percentage of the total available bandwidth, or the rest of the available bandwidth.
You can allow transmission bandwidth to exceed the configured rate if additional
bandwidth is available from other queues. In case of congestion, configured amount
of transmission rate is guaranteed for the queue. This property allows you to ensure
that each queue receives the amount of bandwidth appropriate to its level of service.
For each scheduler, you can configure the buffer size as one of the following:
The remaining buffer available. The remainder is the buffer percentage that is
not assigned to other queues. For example, if you assign 40 percent of the delay
buffer to queue 0, allow queue 7 to keep the default allotment of 5 percent, and
assign the remainder to queue 3, then queue 3 uses approximately 55 percent
of the delay buffer.
Priority Scheduling
Priority scheduling determines the order in which an output interface transmits traffic
from the queues, thus ensuring that queues containing important traffic are provided
better access to the outgoing interface.
Priority scheduling is accomplished through a procedure in which the scheduler
examines the priority of the queue. JUNOS software supports two levels of
transmission priority:
Packets in low priority queues are transmitted only when strict-high priority queues
are empty.
Scheduler Maps
A scheduler map associates a specified forwarding class with a scheduler
configuration. After configuring a scheduler, you must include it in a scheduler map
and then associate the scheduler map with an output interface.
EX-series switches allow you to associate up to four user-defined scheduler maps
with interfaces.
Related Topics
NOTE: When an IP precedence rewrite rule is active, bits 3, 4, and 5 of the ToS byte are always reset to zero when code-points are rewritten.
Forwarding Class | PLP Value | Map to DSCP/IEEE/IP
expedited-forwarding | low | ef
expedited-forwarding | high | ef
assured-forwarding | low | af11
assured-forwarding | high | af12 (DSCP)
best-effort | low | be
best-effort | high | be
network-control | low | nc1/cs6
network-control | high | nc2/cs7
Related Topics
Chapter 57
Requirements
This example uses the following hardware and software components:
The topology for this configuration example consists of one EX-series switch at the
access layer.
The EX-series access switch is configured to support VLAN membership. Switch ports
ge-0/0/0 and ge-0/0/1 are assigned to the voice-vlan for two VoIP phones. Switch
port ge-0/0/2 is assigned to the camera-vlan for the surveillance camera. Switch ports
ge-0/0/3, ge-0/0/4, ge-0/0/5, and ge-0/0/6 are assigned to the server-vlan for the
servers hosting various applications such as those provided by Citrix, Microsoft,
Oracle, and SAP.
Table 146 on page 1013 shows the VLAN configuration components.
VLAN Name | VLAN ID | Subnet | Available IP Addresses | VLAN Description
voice-vlan | 10 | 192.168.1.0/32 | 192.168.1.1 through 192.168.1.11 | broadcast address.
camera-vlan | 20 | 192.168.1.13/32 | 192.168.1.14 through 192.168.1.20 | 192.168.1.21 is the subnet's broadcast address.
server-vlan | 30 | 192.168.1.22/32 | 192.168.1.23 through 192.168.1.35 | 192.168.1.36 is the subnet's broadcast address.
Ports on the EX-series switches support Power over Ethernet (PoE) to provide both
network connectivity and power for VoIP telephones connecting to the ports.
Table 147 on page 1013 shows the switch interfaces that are assigned to the VLANs
and the IP addresses for devices connected to the switch ports:
Table 147: Configuration Components: Switch Ports on a 48-Port All-PoE Switch
Interfaces | VLAN Membership | IP Addresses | Port Devices
ge-0/0/0, ge-0/0/1 | voice-vlan | 192.168.1.1 through 192.168.1.2 |
ge-0/0/2 | camera-vlan | 192.168.1.14 | Surveillance camera.
 | server-vlan | 192.168.1.23 through 192.168.1.26 |
NOTE: This example shows how to configure CoS on a single EX-series switch. This
example does not consider across-the-network applications of CoS in which you
might implement different configurations on ingress and egress switches to provide
differentiated treatment to different classes across a set of nodes in a network.
Configuration
CLI Quick Configuration
To quickly configure CoS, copy the following commands and paste them into the
switch terminal window:
[edit]
set class-of-service forwarding-classes class app queue-num 5
set class-of-service forwarding-classes class mail queue-num 1
set class-of-service forwarding-classes class db queue-num 2
set class-of-service forwarding-classes class erp queue-num 3
set class-of-service forwarding-classes class video queue-num 4
set class-of-service forwarding-classes class best-effort queue-num 0
set class-of-service forwarding-classes class voice queue-num 6
set class-of-service forwarding-classes class network-control queue-num 7
set firewall family ethernet-switching filter voip_class term voip from
source-address 192.168.1.1/32
set firewall family ethernet-switching filter voip_class term voip from
source-address 192.168.1.2/32
set firewall family ethernet-switching filter voip_class term voip from protocol
udp
set firewall family ethernet-switching filter voip_class term voip from source-port
2698
set firewall family ethernet-switching filter voip_class term voip then
forwarding-class voice loss-priority low
set firewall family ethernet-switching filter voip_class term network_control
from precedence [net-control internet-control]
set firewall family ethernet-switching filter voip_class term network_control
then forwarding-class network-control loss-priority low
set firewall family ethernet-switching filter voip_class term best_effort_traffic
then forwarding-class best-effort loss-priority low
set interfaces ge-0/0/0 description phone1voip-ingress-port
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input voip_class
set interfaces ge-0/0/1 description phone2voip-ingress-port
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input voip_class
set firewall family ethernet-switching filter video_class term video from
source-address 192.168.1.14/32
set firewall family ethernet-switching filter video_class term video from protocol
udp
set firewall family ethernet-switching filter video_class term video from
source-port 2979
set firewall family ethernet-switching filter video_class term video then
forwarding-class video loss-priority low
set firewall family ethernet-switching filter video_class term network_control
from precedence [net-control internet-control]
set firewall family ethernet-switching filter video_class term network_control
then forwarding-class network-control loss-priority low
set firewall family ethernet-switching filter video_class term best_effort_traffic
then forwarding-class best-effort loss-priority low
set interfaces ge-0/0/2 description video-ingress-port
set interfaces ge-0/0/2 unit 0 family ethernet-switching filter input video_class
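The following Python model (added here, not part of the guide) parses the voip_class set commands above into terms and evaluates constructed packets against them using the rules the from and then statements describe: terms are tried in order, every condition in a term must match, a term without from matches every packet, and a packet that matches no term falls to the filter's implicit discard. The numeric values behind the precedence keywords (net-control 7, internet-control 6) are the standard IP precedence names and are an assumption of the model.

```python
import ipaddress
import re

# Constructed sample input: the voip_class commands from the CLI quick configuration.
VOIP_CLASS_SET_LINES = """\
set firewall family ethernet-switching filter voip_class term voip from source-address 192.168.1.1/32
set firewall family ethernet-switching filter voip_class term voip from source-address 192.168.1.2/32
set firewall family ethernet-switching filter voip_class term voip from protocol udp
set firewall family ethernet-switching filter voip_class term voip from source-port 2698
set firewall family ethernet-switching filter voip_class term voip then forwarding-class voice loss-priority low
set firewall family ethernet-switching filter voip_class term network_control from precedence [net-control internet-control]
set firewall family ethernet-switching filter voip_class term network_control then forwarding-class network-control loss-priority low
set firewall family ethernet-switching filter voip_class term best_effort_traffic then forwarding-class best-effort loss-priority low
"""

# IP precedence keywords as JUNOS names them (RFC 791 values); assumed for this model.
PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
              "flash-override": 4, "critical-ecp": 5, "internet-control": 6, "net-control": 7}

SET_RE = re.compile(r"^set firewall family (\S+) filter (\S+) term (\S+) (from|then)(?: (.*))?$")
PAIR_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)")


def _pairs(text):
    """'protocol udp' -> [('protocol', ['udp'])]; a bracketed list expands to several values."""
    out = []
    for key, val in PAIR_RE.findall(text or ""):
        out.append((key, val.strip("[]").split() if val.startswith("[") else [val]))
    return out


def parse_filters(set_lines):
    """{filter: {term: {'from': {condition: [values]}, 'then': {key: value}}}}, terms in config order."""
    filters = {}
    for line in set_lines.strip().splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised set line: {line}")
        _family, fname, tname, clause, rest = m.groups()
        term = filters.setdefault(fname, {}).setdefault(tname, {"from": {}, "then": {}})
        for key, vals in _pairs(rest):
            if clause == "from":
                term["from"].setdefault(key, []).extend(vals)   # repeated keys accumulate
            else:
                term["then"][key] = vals[0]
    return filters


def _matches(cond, values, pkt):
    if cond == "source-address":   # any listed prefix matches
        return any(ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False)
                   for v in values)
    if cond == "protocol":
        return pkt["protocol"] in values
    if cond == "source-port":
        return str(pkt["src_port"]) in values
    if cond == "precedence":
        return pkt["precedence"] in {PRECEDENCE[v] for v in values}
    raise ValueError(f"match condition not modelled here: {cond}")


def evaluate(terms, pkt):
    """Terms are tried in order; the first term whose conditions all match decides.
    A term without 'from' matches every packet. If no term matches, the packet is
    discarded (the implicit final action of a JUNOS firewall filter)."""
    for name, term in terms.items():
        if all(_matches(c, v, pkt) for c, v in term["from"].items()):
            return name, dict(term["then"])
    return None, {"action": "discard"}


def classify_samples():
    """Constructed packets: a phone's UDP stream, the same phone over TCP, and a routing
    protocol hello (precedence 6) from an address the voip term does not list."""
    terms = parse_filters(VOIP_CLASS_SET_LINES)["voip_class"]
    samples = [
        {"src": "192.168.1.2", "protocol": "udp", "src_port": 2698, "precedence": 0},
        {"src": "192.168.1.2", "protocol": "tcp", "src_port": 2698, "precedence": 0},
        {"src": "192.168.1.99", "protocol": "udp", "src_port": 520, "precedence": 6},
    ]
    return [evaluate(terms, pkt) for pkt in samples]


if __name__ == "__main__":
    for term, action in classify_samples():
        print(term, action)
```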
Step-by-Step Procedure
2.
3.
4.
[edit firewall]
user@switch# set family ethernet-switching filter voip_class term network_control from precedence [net-control internet-control]
user@switch# set family ethernet-switching filter voip_class term network_control then forwarding-class network-control loss-priority low
5.
6.
Apply the firewall filter voip_class as an input filter to the interfaces for the VoIP
phones:
[edit interfaces]
user@switch# set ge-0/0/0 description phone1voip-ingress-port
user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input voip_class
user@switch# set ge-0/0/1 description phone2voip-ingress-port
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input voip_class
7.
8.
9.
10.
11.
Apply the firewall filter video_class as an input filter to the interface for the
surveillance camera:
[edit interfaces]
user@switch# set ge-0/0/2 description video-ingress-port
user@switch# set ge-0/0/2 unit 0 family ethernet-switching filter input
video_class
12.
Define the firewall filter app_class to classify the application server traffic:
[edit firewall]
user@switch# set family ethernet-switching filter app_class
13.
14.
15.
16.
17.
18.
19.
Apply the firewall filter app_class as an input filter to the interfaces for the
servers hosting applications:
[edit interfaces]
user@switch# set ge-0/0/3 unit 0 family ethernet-switching filter input app_class
user@switch# set ge-0/0/4 unit 0 family ethernet-switching filter input app_class
user@switch# set ge-0/0/5 unit 0 family ethernet-switching filter input app_class
user@switch# set ge-0/0/6 unit 0 family ethernet-switching filter input app_class
20.
Configure schedulers:
[edit class-of-service]
user@switch# set schedulers voice-sched buffer-size percent 10
user@switch# set schedulers voice-sched priority strict-high
user@switch# set schedulers voice-sched transmit-rate percent 10
user@switch# set schedulers video-sched buffer-size percent 15
user@switch# set schedulers video-sched priority low
user@switch# set schedulers video-sched transmit-rate percent 15
user@switch# set schedulers app-sched buffer-size percent 10
user@switch# set schedulers app-sched priority low
user@switch# set schedulers app-sched transmit-rate percent 10
user@switch# set schedulers mail-sched buffer-size percent 5
user@switch# set schedulers mail-sched priority low
user@switch# set schedulers mail-sched transmit-rate percent 5
user@switch# set schedulers db-sched buffer-size percent 10
user@switch# set schedulers db-sched priority low
user@switch# set schedulers db-sched transmit-rate percent 10
user@switch# set schedulers erp-sched buffer-size percent 10
user@switch# set schedulers erp-sched priority low
user@switch# set schedulers erp-sched transmit-rate percent 10
user@switch# set schedulers nc-sched buffer-size percent 5
user@switch# set schedulers nc-sched priority strict-high
user@switch# set schedulers nc-sched transmit-rate percent 5
user@switch# set schedulers be-sched buffer-size percent 35
user@switch# set schedulers be-sched priority low
user@switch# set schedulers be-sched transmit-rate percent 35
21.
22.
Results
}
}
term mail {
from {
source-address {
192.168.1.24/32;
}
protocol tcp;
source-port [25 143 389 691 993 3268 3269];
}
then {
forwarding-class mail;
loss-priority low;
}
}
term db {
from {
source-address {
192.168.1.25/32;
}
protocol tcp;
source-port [1521 1525 1527 1571 1810 2481];
}
then {
forwarding-class db;
loss-priority low;
}
}
term erp {
from {
source-address {
192.168.1.26/32;
}
protocol tcp;
source-port [3200 3300 3301 3600];
}
then {
forwarding-class erp;
loss-priority low;
}
}
term network_control {
from {
precedence [net-control internet-control];
}
then {
forwarding-class network-control;
loss-priority low;
}
}
term best_effort_traffic {
then {
forwarding-class best-effort;
loss-priority low;
}
}
}
}
user@switch# show class-of-service
forwarding-classes {
class app queue-num 5;
class mail queue-num 1;
class db queue-num 2;
class erp queue-num 3;
class video queue-num 4;
class best-effort queue-num 0;
class voice queue-num 6;
class network-control queue-num 7;
}
schedulers {
voice-sched {
buffer-size percent 10;
priority strict-high;
transmit-rate percent 10;
}
video-sched {
buffer-size percent 15;
priority low;
transmit-rate percent 15;
}
app-sched {
buffer-size percent 10;
priority low;
transmit-rate percent 10;
}
mail-sched {
buffer-size percent 5;
priority low;
transmit-rate percent 5;
}
db-sched {
buffer-size percent 10;
priority low;
transmit-rate percent 10;
}
erp-sched {
buffer-size percent 10;
priority low;
transmit-rate percent 10;
}
nc-sched {
buffer-size percent 5;
priority strict-high;
transmit-rate percent 5;
}
be-sched {
buffer-size percent 35;
priority low;
transmit-rate percent 35;
}
}
scheduler-maps {
ethernet-cos-map {
forwarding-class voice scheduler voice-sched;
forwarding-class video scheduler video-sched;
forwarding-class app scheduler app-sched;
forwarding-class mail scheduler mail-sched;
forwarding-class db scheduler db-sched;
forwarding-class erp scheduler erp-sched;
forwarding-class network-control scheduler nc-sched;
forwarding-class best-effort scheduler be-sched;
}
}
user@switch# show interfaces
ge-0/0/0 {
unit 0 {
family ethernet {
filter {
input voip_class;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet {
filter {
input voip_class;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet {
filter {
input video_class;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet {
filter {
input app_class;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet {
filter {
input app_class;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet {
filter {
input app_class;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet {
filter {
input app_class;
}
}
}
}
ge-0/0/20 {
scheduler-map ethernet-cos-map;
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That the Defined Forwarding Classes Exist and Are Mapped to Queues on page 1025
Verifying That the Scheduler Map Has Been Applied to the Interface on page 1027
Verifying That the Defined Forwarding Classes Exist and Are Mapped to Queues
Purpose
Verify that the forwarding classes app, db, erp, mail, video, and voice have been defined and mapped to queues.
Action
user@switch> show class-of-service forwarding-class
Forwarding class                 ID      Queue
app                              0       5
db                               1       2
erp                              2       3
best-effort                      3       0
mail                             4       1
voice                            5       6
video                            6       4
network-control                  7       7
Meaning
This output shows that the forwarding classes have been defined and mapped to
appropriate queues.
Action
Meaning
This output shows that the forwarding classes have been assigned to schedulers.
Verifying That the Scheduler Map Has Been Applied to the Interface
Purpose
Verify that the scheduler map has been applied to the interface.
Action
user@switch> show class-of-service interface
...
Physical interface: ge-0/0/20, Index: 149
Queues supported: 8, Queues in use: 8
Scheduler map: ethernet-cos-map, Index: 43366
Input scheduler map: <default>, Index: 3
...
Meaning
This output shows that the scheduler map (ethernet-cos-map) has been applied to the interface (ge-0/0/20).
Related Topics
Chapter 58
Configuring CoS
2. On the Class of Service Configuration page, select one of the following options depending on the CoS component that you want to define. Enter information into the pages as described in the respective table:
Related Topics
3.
CoS Value Aliases page fields (Function / Your Action / Default Value): DSCP (Click DSCP.); Add (Click Add.); Delete.
Related Topics
To configure a code-point alias for a specified CoS marker type (dscp), assign an alias
(my1) to the code-point (110001):
[edit class-of-service code-point-aliases]
user@switch# set dscp my1 110001
Related Topics
This procedure describes how to configure the DSCP BA classifier ba-classifier as the default DSCP map and apply it to the Gigabit Ethernet interface ge-0/0/0 of the EX-series switch. The BA classifier assigns loss priorities, as shown in Table 149 on page 1033, to incoming packets in the four forwarding classes.
Table 149: BA-classifier Loss Priority Assignments
Forwarding Class    ba-classifier Assignment
be                  Best-effort traffic
ef                  Expedited-forwarding traffic
af                  Assured-forwarding traffic
nc                  Network-control traffic
1. Associate code point 000001 with forwarding class be and loss priority high:
[edit class-of-service classifiers]
user@switch# set dscp ba-classifier import default forwarding-class be loss-priority high code-points 000001
2. Associate code point 101110 with forwarding class ef and loss priority high:
[edit class-of-service classifiers]
user@switch# set dscp ba-classifier forwarding-class ef loss-priority high code-points 101110
3. Associate code point 001100 with forwarding class af and loss priority high:
[edit class-of-service classifiers]
user@switch# set dscp ba-classifier forwarding-class af loss-priority high code-points 001100
4. Associate code point 110001 with forwarding class nc and loss priority high:
[edit class-of-service classifiers]
user@switch# set dscp ba-classifier forwarding-class nc loss-priority high code-points 110001
5.
Related Topics
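The scheduler, scheduler-map and classifier statements configured above are easy to mis-size by hand. The following added example (not code from this guide or from Juniper) parses a constructed set of class-of-service statements in the forms documented on this page and flags transmit-rate or buffer-size percentages that exceed 100 across one scheduler map, scheduler-map or classifier references to undefined classes or schedulers, duplicate queue numbers, and DSCP code points that are not 6-bit patterns. The sample keeps four of the page's eight classes; names such as ba-classifier and ethernet-cos-map are the page's own.

```python
"""Static checks for EX-series CoS statements in set form (added example, not Juniper code)."""
import re

# Constructed sample in the set-statement form of the forwarding-classes, schedulers,
# scheduler-maps and dscp classifier statements documented on this page. It keeps
# four of the page's eight classes so that it stays short.
SAMPLE = """
set class-of-service forwarding-classes class voice queue-num 6
set class-of-service forwarding-classes class video queue-num 4
set class-of-service forwarding-classes class network-control queue-num 7
set class-of-service forwarding-classes class best-effort queue-num 0
set class-of-service schedulers voice-sched buffer-size percent 10
set class-of-service schedulers voice-sched priority strict-high
set class-of-service schedulers voice-sched transmit-rate percent 10
set class-of-service schedulers video-sched buffer-size percent 15
set class-of-service schedulers video-sched priority low
set class-of-service schedulers video-sched transmit-rate percent 15
set class-of-service schedulers nc-sched buffer-size percent 5
set class-of-service schedulers nc-sched priority strict-high
set class-of-service schedulers nc-sched transmit-rate percent 5
set class-of-service schedulers be-sched buffer-size percent 35
set class-of-service schedulers be-sched priority low
set class-of-service schedulers be-sched transmit-rate percent 35
set class-of-service scheduler-maps ethernet-cos-map forwarding-class voice scheduler voice-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class video scheduler video-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class network-control scheduler nc-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class best-effort scheduler be-sched
set class-of-service classifiers dscp ba-classifier forwarding-class network-control loss-priority high code-points 110001
"""

FC_RE = re.compile(r"^set class-of-service forwarding-classes class (\S+) queue-num (\d+)$")
PCT_RE = re.compile(r"^set class-of-service schedulers (\S+) (buffer-size|transmit-rate) percent (\d+)$")
PRIO_RE = re.compile(r"^set class-of-service schedulers (\S+) priority (\S+)$")
MAP_RE = re.compile(r"^set class-of-service scheduler-maps (\S+) forwarding-class (\S+) scheduler (\S+)$")
CP_RE = re.compile(r"^set class-of-service classifiers dscp (\S+) forwarding-class (\S+) "
                   r"loss-priority (\S+) code-points (\S+)$")


def parse(text):
    """Collect the CoS statements into plain dicts; statements of other kinds are ignored."""
    cfg = {"classes": {}, "schedulers": {}, "maps": {}, "code_points": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := FC_RE.match(line):
            cfg["classes"][m[1]] = int(m[2])
        elif m := PCT_RE.match(line):
            cfg["schedulers"].setdefault(m[1], {})[m[2]] = int(m[3])
        elif m := PRIO_RE.match(line):
            cfg["schedulers"].setdefault(m[1], {})["priority"] = m[2]
        elif m := MAP_RE.match(line):
            cfg["maps"].setdefault(m[1], {})[m[2]] = m[3]
        elif m := CP_RE.match(line):
            cfg["code_points"].append((m[1], m[2], m[3], m[4]))
    return cfg


def check(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # EX-series switches expose queues 0 through 7; two classes on one queue
    # would share that queue's scheduler, which is rarely what was intended.
    by_queue = {}
    for name, queue in cfg["classes"].items():
        if not 0 <= queue <= 7:
            findings.append(f"class {name}: queue-num {queue} is outside 0-7")
        elif queue in by_queue:
            findings.append(f"class {name}: queue {queue} is already used by {by_queue[queue]}")
        else:
            by_queue[queue] = name
    for map_name, entries in cfg["maps"].items():
        for fc, sched in entries.items():
            if fc not in cfg["classes"]:
                findings.append(f"scheduler-map {map_name}: forwarding-class {fc} is not defined")
            if sched not in cfg["schedulers"]:
                findings.append(f"scheduler-map {map_name}: scheduler {sched} is not defined")
        # The schedulers of one map share one interface, so their transmit-rate and
        # buffer-size percentages must not add up to more than 100.
        used = [cfg["schedulers"].get(s, {}) for s in entries.values()]
        for key in ("transmit-rate", "buffer-size"):
            total = sum(s.get(key, 0) for s in used)
            if total > 100:
                findings.append(f"scheduler-map {map_name}: {key} percentages sum to {total}")
    for clf, fc, _loss_priority, cp in cfg["code_points"]:
        if fc not in cfg["classes"]:
            findings.append(f"classifier {clf}: forwarding-class {fc} is not defined")
        # A literal DSCP code point is a 6-bit pattern; alias names pass through unchecked.
        if re.fullmatch(r"[01]+", cp) and len(cp) != 6:
            findings.append(f"classifier {clf}: code-points {cp} is not a 6-bit pattern")
    return findings


if __name__ == "__main__":
    for finding in check(parse(SAMPLE)) or ["no findings"]:
        print(finding)
```

Feed it the output of show configuration | display set from a switch to run the same checks on a live configuration.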
Classifiers page fields (Function / Your Action): DSCP (Click DSCP.); IPv4 Precedence; Classifier Name; Classifier Summary; Classify to Forwarding Class; Add; Delete.
Classifier fields (Function / Your Action): Classifier Name; Forwarding Class; Loss Priority; Add; Delete.
assured-forwarding: Provides high assurance for packets within the specified service profile. Excess packets are dropped.
Related Topics
Forwarding Classes page fields (Function / Your Action): Queue #.
Related Topics
2. Configure a scheduler map (be-map) that associates the scheduler (be-sched) with the forwarding class (best-effort):
[edit class-of-service scheduler-maps]
user@switch# set be-map forwarding-class best-effort scheduler be-sched
3.
Related Topics
2.
Schedulers page fields (Function / Your Action): Scheduler Summary; Scheduler Name; Add (Click Add.); Delete (Removes a scheduler. Click Delete.).
Scheduler fields (Function / Your Action): Scheduler Name; Buffer Size (Queue 10 percent, Queue 20 percent, Queue 30 percent, Queue 40 percent, Queue 50 percent, Queue 60 percent, Queue 75 percent); Scheduling Priority; Queue 10 percent, Queue 20 percent, Queue 35 percent, Queue 40 percent, Queue 60 percent, Queue 75 percent; Add (Click Add.); Delete.
Scheduler Mapping
Related Topics
targeted peer. A rewrite rule examines the forwarding class and loss priority of a
packet and sets its bits to a corresponding value specified in the rule.
Table 154: Rewrite Rules Configuration Page Summary
Field / Function / Your Action: DSCP (Click DSCP.); IPv4 Precedence; Loss Priority; Add; Delete.
1.
2.
3.
4.
Click Add.
Related Topics
2. Enter information into these pages, as described in Table 155 on page 1045.
3. Click one:
Table 155 fields (Function / Your Action): Scheduler Map; Add CoS Service to a Logical Interface Unit/Edit CoS Logical Interface Unit; Logical Interface Unit Name; Forwarding Class; Classifiers.
Related Topics
Chapter 59
Verifying CoS
Action
Use the monitoring functionality to display the mapping of incoming CoS values to forwarding class and loss priority for each classifier.
To monitor CoS classifiers in the J-Web interface, select Monitor>Class of Service>Classifiers.
To monitor CoS classifiers in the CLI, enter the following CLI command:
show class-of-service classifier
Meaning
Table 156 on page 1047 summarizes key output fields for CoS classifiers.
Table 156 fields (Field / Values / Additional Information): Classifier Name (Name of a classifier.); 802.1 type; IP precedence type; Index.
Related Topics
Action
Use the monitoring functionality to view the current assignment of CoS forwarding classes to queue numbers on the system.
Meaning
Table 157 on page 1049 summarizes key output fields for CoS forwarding classes.
Table 157 fields (Field / Values / Additional Information): Forwarding Class; assured-forwarding: Provides high; network-control: Packets can be
Related Topics
Action
Use the monitoring functionality to display details about the physical and logical interfaces and the CoS components assigned to them.
To monitor interfaces that have CoS components in the J-Web interface, select Monitor>Class of Service>Interface Association.
To monitor interfaces that have CoS components in the CLI, enter the following command:
show class-of-service interface interface-name
Meaning
Table 158 on page 1049 summarizes key output fields for CoS interfaces.
Table 158 fields (Field / Values / Additional Information): Interface; Scheduler Map; Queues Supported; Queues in Use; Logical Interface; Object; Name; Type; Index.
Related Topics
Action
Use the monitoring functionality to display information about CoS value rewrite rules, which are based on the forwarding class and loss priority.
To monitor CoS rewrite rules in the J-Web interface, select Monitor>Class of Service>Rewrite Rules.
To monitor CoS rewrite rules in the CLI, enter the following command:
show class-of-service rewrite-rules
Meaning
Table 159 on page 1050 summarizes key output fields for CoS rewrite rules.
Table 159: Summary of Key CoS Rewrite Rules Output Fields (Field / Values / Additional Information): Index; Forwarding Class; Loss Priority.
Related Topics
Action
Meaning
Table 160 on page 1051 summarizes key output fields for CoS scheduler maps.
Table 160: Summary of Key CoS Scheduler Maps Output Fields (Field / Values / Additional Information): Scheduler Map; Index; Scheduler Name (Name of a scheduler.); Forwarding Class; Transmit Rate; A percentage: the buffer is a percentage of the total buffer allocation; Drop Profiles; Loss Priority; Protocol; Index.
Related Topics
Action
Use the monitoring functionality to display information about the CoS value aliases that the system is currently using to represent DSCP, IEEE 802.1p, and IPv4 precedence bits.
To monitor CoS value aliases in the J-Web interface, select Monitor>Class of Service>CoS Value Aliases.
To monitor CoS value aliases in the CLI, enter the following command:
show class-of-service code-point-aliases
Meaning
Table 161 on page 1053 summarizes key output fields for CoS value aliases.
Table 161 fields (Field / Values / Additional Information): inet-precedence: Examines Layer 3; CoS Value.
Related Topics
Chapter 60
scheduler-maps {
map-name {
forwarding-class class-name scheduler scheduler-name;
}
}
schedulers {
scheduler-name {
buffer-size (percent percentage | remainder);
drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name;
priority priority;
transmit-rate (rate | percent percentage | remainder);
}
}
}
Related Topics
Defining CoS Code-Point Aliases (CLI Procedure) on page 1032 or Defining CoS
Code-Point Aliases (J-Web Procedure) on page 1030
Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034
Defining CoS Forwarding Classes (CLI Procedure) on page 1036 or Defining CoS
Forwarding Classes (J-Web Procedure) on page 1037
Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers
(J-Web Procedure) on page 1038
Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite
Rules (J-Web Procedure) on page 1042
buffer-size
Syntax
Hierarchy Level
Release Information
Description
Default
If you do not include this statement, the default scheduler transmission rate and
buffer size percentages for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent.
Options
Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers
(J-Web Procedure) on page 1038
class
Syntax
Hierarchy Level
Release Information
Description
Options
Defining CoS Forwarding Classes (CLI Procedure) on page 1036 or Defining CoS
Forwarding Classes (J-Web Procedure) on page 1037
class-of-service
Syntax
class-of-service {
classifiers {
(dscp | ieee-802.1 | inet-precedence) classifier-name {
import (classifier-name | default);
forwarding-class class-name {
loss-priority level {
code-points [ aliases ] [ 6-bit-patterns ];
}
}
}
}
code-point-aliases {
(dscp | ieee-802.1 | inet-precedence) {
alias-name bits;
}
}
forwarding-classes {
class class-name queue-num queue-number;
}
interfaces {
interface-name {
scheduler-map map-name;
unit logical-unit-number {
forwarding-class class-name;
classifiers {
(dscp | ieee-802.1 | inet-precedence) (classifier-name | default);
}
}
}
}
rewrite-rules {
(dscp | ieee-802.1 | inet-precedence) rewrite-name {
import (rewrite-name | default);
forwarding-class class-name {
loss-priority priority code-point (alias | bits);
}
}
}
scheduler-maps {
map-name {
forwarding-class class-name scheduler scheduler-name;
}
}
schedulers {
scheduler-name {
buffer-size (percent percentage | remainder);
drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name;
priority priority;
transmit-rate (rate | percent percentage | remainder);
}
}
}
Hierarchy Level
[edit]
Release Information
Description
Default
If you do not configure any CoS features, the default CoS settings are used.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
Defining CoS Code-Point Aliases (CLI Procedure) on page 1032 or Defining CoS
Code-Point Aliases (J-Web Procedure) on page 1030
Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034
Defining CoS Forwarding Classes (CLI Procedure) on page 1036 or Defining CoS
Forwarding Classes (J-Web Procedure) on page 1037
Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers
(J-Web Procedure) on page 1038
Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite
Rules (J-Web Procedure) on page 1042
classifiers
Syntax
Hierarchy Level
Release Information
Description
classifiers {
(dscp | ieee-802.1 | inet-precedence) classifier-name {
import (classifier-name | default);
forwarding-class class-name {
loss-priority level {
code-points [ aliases ] [ 6-bit-patterns ];
}
}
}
}
[edit class-of-service],
[edit class-of-service interfaces interface-name unit logical-unit-number]
Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034
code-point-aliases
Syntax
Hierarchy Level
Release Information
Description
code-point-aliases {
(dscp | ieee-802.1 | inet-precedence) {
alias-name bits;
}
}
[edit class-of-service]
Defining CoS Code-Point Aliases (CLI Procedure) on page 1032 or Defining CoS
Code-Point Aliases (J-Web Procedure) on page 1030
code-points
Syntax
Hierarchy Level
Release Information
Description
Options
Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034
drop-profile-map
Syntax
Hierarchy Level
Release Information
Description
Options
Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers
(J-Web Procedure) on page 1038
dscp
Syntax
Hierarchy Level
Release Information
Description
Options
dscp classifier-name {
import (classifier-name | default);
forwarding-class class-name {
loss-priority level {
code-points [ aliases ] [ 6-bit-patterns ];
}
}
}
[edit class-of-service classifiers],
[edit class-of-service code-point-aliases],
[edit class-of-service interfaces interface-name unit logical-unit-number classifiers],
[edit class-of-service rewrite-rules]
Defining CoS Code-Point Aliases (CLI Procedure) on page 1032 or Defining CoS
Code-Point Aliases (J-Web Procedure) on page 1030
Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034
Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite
Rules (J-Web Procedure) on page 1042
forwarding-class
Syntax
Hierarchy Level
Release Information
Description
Options
forwarding-class class-name {
loss-priority level {
code-points [ aliases ] [ 6-bit-patterns ];
}
}
[edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name],
[edit class-of-service interfaces interface-name unit logical-unit-number],
[edit class-of-service rewrite-rules (dscp | ieee-802.1 | inet-precedence) rewrite-name],
[edit class-of-service scheduler-maps map-name]
Defining CoS Forwarding Classes (CLI Procedure) on page 1036 or Defining CoS
Forwarding Classes (J-Web Procedure) on page 1037
forwarding-class
Syntax
Hierarchy Level
Release Information
Description
Options
forwarding-class class-name {
loss-priority level {
code-points [ aliases ] [ 6-bit-patterns ];
}
}
[edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name],
[edit class-of-service interfaces interface-name unit logical-unit-number],
[edit class-of-service rewrite-rules (dscp | ieee-802.1 | inet-precedence) rewrite-name],
[edit class-of-service scheduler-maps map-name]
Defining CoS Forwarding Classes (CLI Procedure) on page 1036 or Defining CoS
Forwarding Classes (J-Web Procedure) on page 1037
ieee-802.1
Syntax
Hierarchy Level
Release Information
Description
Options
ieee-802.1 classifier-name {
import (classifier-name | default);
forwarding-class class-name {
loss-priority level {
code-points [ aliases ] [ 6-bit-patterns ];
}
}
}
[edit class-of-service classifiers],
[edit class-of-service code-point-aliases],
[edit class-of-service interfaces interface-name unit logical-unit-number classifiers],
[edit class-of-service rewrite-rules]
Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034
Defining CoS Code-Point Aliases (CLI Procedure) on page 1032 or Defining CoS
Code-Point Aliases (J-Web Procedure) on page 1030
Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite
Rules (J-Web Procedure) on page 1042
import
Syntax
Hierarchy Level
Release Information
Description
Options
Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034
Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite
Rules (J-Web Procedure) on page 1042
inet-precedence
Syntax
Hierarchy Level
Release Information
inet-precedence classifier-name {
import (classifier-name | default);
forwarding-class class-name {
loss-priority level {
code-points [ aliases ] [ 6-bit-patterns ];
}
}
}
[edit class-of-service classifiers],
[edit class-of-service code-point-aliases],
[edit class-of-service interfaces interface-name unit logical-unit-number classifiers],
[edit class-of-service rewrite-rules]
Description
Options
Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034
Defining CoS Code-Point Aliases (CLI Procedure) on page 1032 or Defining CoS
Code-Point Aliases (J-Web Procedure) on page 1030
Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite
Rules (J-Web Procedure) on page 1042
interfaces
Syntax
Hierarchy Level
Release Information
Description
Options
interfaces {
interface-name {
scheduler-map map-name;
unit logical-unit-number {
forwarding-class class-name;
classifiers {
(dscp | ieee-802.1 | inet-precedence) (classifier-name | default);
}
}
}
}
[edit class-of-service]
Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034
Defining CoS Forwarding Classes (CLI Procedure) on page 1036 or Defining CoS
Forwarding Classes (J-Web Procedure) on page 1037
Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers
(J-Web Procedure) on page 1038
loss-priority
Syntax
Hierarchy Level
Release Information
Description
Options
loss-priority level {
code-points [ aliases ] [ 6-bit-patterns ];
}
[edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name
forwarding-class class-name],
[edit class-of-service rewrite-rules (dscp | ieee-802.1 | inet-precedence) rewrite-name
forwarding-class class-name]
Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034
Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite
Rules (J-Web Procedure) on page 1042
priority
Syntax
Hierarchy Level
Release Information
Description
Options
priority priority;
[edit class-of-service schedulers scheduler-name]
Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers
(J-Web Procedure) on page 1038
protocol
Syntax
Hierarchy Level
Release Information
Description
Options
rewrite-rules
Syntax
Hierarchy Level
Release Information
Description
rewrite-rules {
(dscp | ieee-802.1 | inet-precedence) rewrite-name {
import (rewrite-name | default);
forwarding-class class-name {
loss-priority level code-point (alias | bits);
}
}
}
[edit class-of-service]
Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite
Rules (J-Web Procedure) on page 1042
scheduler-map
Syntax
Hierarchy Level
Release Information
Description
Options
Required Privilege Level
Related Topics
scheduler-map map-name;
[edit class-of-service interfaces]
scheduler-maps
Syntax
Hierarchy Level
Release Information
Description
Options
scheduler-maps {
map-name {
forwarding-class class-name scheduler scheduler-name;
}
}
[edit class-of-service]
Defining CoS Forwarding Classes (CLI Procedure) on page 1036 or Defining CoS
Forwarding Classes (J-Web Procedure) on page 1037
schedulers
Syntax
Hierarchy Level
Release Information
Description
Options
schedulers {
scheduler-name {
buffer-size (percent percentage | remainder);
drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name;
priority priority;
transmit-rate (rate | percent percentage | remainder);
}
}
[edit class-of-service]
Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers
(J-Web Procedure) on page 1038
shaping-rate
Syntax
Hierarchy Level
Release Information
Description
Default
If you do not include this statement, the default shaping rate is 100 percent, which
is the same as no shaping at all.
Options
transmit-rate
Syntax
Hierarchy Level
Release Information
Description
Default
If you do not include this statement, the default scheduler transmission rate and
buffer size percentages for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent.
Options
rate: Transmission rate, in bps. You can specify a value in bits per second either as
Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers
(J-Web Procedure) on page 1038
unit
Syntax
Hierarchy Level
Release Information
Description
Options
unit logical-unit-number {
forwarding-class class-name;
classifiers {
(dscp | ieee-802.1 | inet-precedence) (classifier-name | default);
}
}
[edit class-of-service interfaces interface-name]
Chapter 61
show class-of-service
Syntax
Release Information
Description
Options
Required Privilege Level
Related Topics
Field / Description / Level of Output (every field below is shown at all levels of output):
Forwarding class
Queue: Queue number.
Alias
Bit pattern
Classifier
Code point: Code-point values.
Loss priority: Loss priority assigned to specific CoS values and aliases of the classifier.
Rewrite rule
Drop profile
Type: Type of drop profile. EX-series switches support only the discrete type of drop-profile.
Fill level: Percentage of queue buffer fullness of high packets after which high packets are dropped.
Scheduler
Transmit rate
Buffer size
Drop profiles
Protocol
Name
Queues supported
Queues in use
Physical interface
Scheduler map
Index
Sample output (fragmentary): forwarding-class IDs 0 through 3 on queues 0, 5, 1 and 7; classifier code points 000000, 101110, 001010, 001100, 110000 and 111000; inet-precedence entries mapping 110 to network-control with loss priority low and 111 to network-control with loss priority high; four <default-drop-profile> entries.
Drop profiles:
  Loss priority   Protocol   Index   Name
  Low             non-TCP    1       <default-drop-profile>
  Low             TCP        1       <default-drop-profile>
  High            non-TCP    1       <default-drop-profile>
  High            TCP        1       <default-drop-profile>
Part 13
PoE
Chapter 62
Understanding PoE
320-W power supply unit: Supports 8 ports of PoE power at 15.4 W per port, plus system power.
600-W power supply unit: Supports 24 ports of PoE power at 15.4 W per port, plus system power.
930-W power supply unit: Supports 48 ports of PoE power at 15.4 W per port, plus system power.
All 802.3af-compliant powered devices require no more than 12.95 watts. Thus, if
you follow the recommended guidelines for selecting power supply units to support
the number of PoE ports, the switch should be able to supply power to all connected
powered devices. If you install a higher capacity power supply unit on a switch model
that has only 8 PoE ports, it does not extend PoE capabilities to the non-PoE ports.
Static: In this mode the power allocated for each interface can be configured.
Class: In this mode the power allocation for interfaces is decided based on the class of powered device connected.
Usage       Power (W)
Default     15.4 W
Optional    4.0 W
Optional    7.0 W
Optional    15.4 W
priority: This setting defaults to low. If a port is set as high priority and a situation arises where there is not sufficient power for all the PoE ports, the available power is directed to the higher priority port(s). If the switch needs to shut down powered devices because a power supply fails and there is insufficient power, low priority devices are shut down before high priority powered devices. Thus, security cameras, emergency phones, and other high priority phones should be set to high priority.
telemetries: This setting allows you to monitor per-port PoE power consumption. It is not included in the default PoE configuration.
Related Topics
Chapter 63
Requirements
This example uses the following software and hardware components:
Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (CLI Procedure) on page 57 or Connecting and Configuring
the EX-series Switch (J-Web Procedure) on page 58 for details.
Property / Settings: Switch hardware; VLAN name: default; ge-0/0/0.
Configuration
To enable the default PoE configuration on the switch:
CLI Quick Configuration
By default, PoE interfaces are created for all PoE ports and PoE is enabled. You can
simply connect powered devices to the PoE ports.
Step-by-Step Procedure
1.
2.
3. Connect the eight Avaya phones to switch ports ge-0/0/1 through ge-0/0/7.
Verification
To verify that PoE interfaces have been created and are operational, perform this task:
Verifying That the PoE Interfaces Have Been Created on page 1093
Purpose
Verify that the PoE interfaces have been created on the switch.
Action
List all the PoE interfaces configured on the switch:
user@switch> show poe interface
Interface   Enabled   status   max-power   priority   power-consumption   Class
ge-0/0/0    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/1    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/2    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/3    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/4    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/5    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/6    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/7    Enabled   ON       15.4W       Low        12.95W              0
Meaning
The show poe interface command lists PoE interfaces configured on the switch, with their status, priority, power consumption, and class. This output shows that eight interfaces have been created with default values and are consuming power at the expected rates.
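The priority setting described in the previous chapter only matters once the PoE budget falls short, which is hard to reason about from the show poe interface table alone. The following added example (not code from this guide or from Juniper) parses constructed output in the column layout shown above and works out which ports keep power under a given budget, serving high-priority ports first and shedding low-priority ports first as the guide describes. The budget figure, the use of each port's max-power for allocation (static mode), and the port-number tie-break within one priority level are assumptions of the example.

```python
"""PoE budget check for EX-series ports (added example, not Juniper code)."""

# Constructed sample in the column layout of the show poe interface output above;
# ports 1 through 4 carry the High priority of the camera/emergency-phone example.
SAMPLE_OUTPUT = """\
Interface  Enabled  status  max-power  priority  power-consumption  Class
ge-0/0/0   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/1   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/2   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/3   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/4   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/5   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/6   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/7   Enabled  ON      15.4W      Low       12.95W             0
"""


def parse_poe_interfaces(text):
    """Parse the tabular output into one dict per port; watt values become floats."""
    ports = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) != 7:
            continue
        name, enabled, status, max_power, priority, consumption, pd_class = fields
        ports.append({
            "interface": name,
            "enabled": enabled == "Enabled" and status == "ON",
            "max_power": float(max_power.rstrip("W")),
            "priority": priority.lower(),
            "consumption": float(consumption.rstrip("W")),
            "class": int(pd_class),
        })
    return ports


def port_number(name):
    # ge-0/0/10 must sort after ge-0/0/9, so compare the last path element numerically.
    return int(name.rsplit("/", 1)[1])


def allocate(ports, budget_w):
    """Return (powered, shed) interface lists for a PoE budget given in watts.

    High-priority ports are served first and low-priority ports are shed first, as the
    guide describes. Ties within one priority level go to the lower port number here;
    that tie-break is an assumption of this example, not something the guide states.
    Each port is charged its max-power, i.e. static allocation (also an assumption).
    """
    order = sorted((p for p in ports if p["enabled"]),
                   key=lambda p: (p["priority"] != "high", port_number(p["interface"])))
    powered, shed, remaining = [], [], budget_w
    for port in order:
        if port["max_power"] <= remaining + 1e-9:
            powered.append(port["interface"])
            remaining -= port["max_power"]
        else:
            shed.append(port["interface"])
    return powered, shed


def shortfall(ports, budget_w):
    """Watts missing to power every enabled port at its max-power (0.0 if none)."""
    needed = sum(p["max_power"] for p in ports if p["enabled"])
    return max(0.0, round(needed - budget_w, 2))


if __name__ == "__main__":
    # Assumed budget: a supply that can no longer cover all eight ports at 15.4 W.
    inventory = parse_poe_interfaces(SAMPLE_OUTPUT)
    kept, dropped = allocate(inventory, 70.0)
    print("powered:", kept)
    print("shed:", dropped)
    print("shortfall (W):", shortfall(inventory, 70.0))
```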
Troubleshooting
Troubleshooting PoE Interfaces
Problem
Solution
Items to Check
Explanation
Related Topics
Requirements
This example uses the following software and hardware components:
Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (CLI Procedure) on page 57 or Connecting and Configuring
the EX-series Switch (J-Web Procedure) on page 58 for details.
access points, and some IP security cameras. The remaining 16 ports provide only
network connectivity. You use the standard ports to connect devices that have their
own power sources, such as desktop and laptop computers, printers, and servers.
Table 165 on page 1095 details the topology used in this configuration example.
Table 165: Components of the PoE Configuration Topology
Property            Settings
Switch hardware
VLAN name           default
ge-0/0/0
ge-0/0/3            high
ge-0/0/4            high
Configuration
Configure Power over Ethernet Interfaces:
By default, PoE interfaces are created for all PoE ports and PoE is enabled. The default
priority for PoE interfaces is low.
To quickly configure PoE with some interfaces set to high priority and others to the
default low priority, and to include a description of the interfaces, copy the following
commands and paste them into the switch terminal window:
[edit]
set poe interface ge-0/0/1 priority high
set poe interface ge-0/0/1 telemetries
set poe interface ge-0/0/2 priority high
set poe interface ge-0/0/2 telemetries
set poe interface ge-0/0/3 priority high
set poe interface ge-0/0/3 telemetries
set poe interface ge-0/0/4 priority high
set poe interface ge-0/0/4 telemetries
set poe interface all
set interfaces ge-0/0/0 description
set interfaces ge-0/0/1 description
set interfaces ge-0/0/2 description
set interfaces ge-0/0/3 description
set interfaces ge-0/0/4 description
set interfaces ge-0/0/5 description
Step-by-Step Procedure
1. Configure the PoE interfaces at the [edit poe] hierarchy level, setting some
interfaces to high priority and leaving the others at the default low priority, and
enable telemetries on the high priority interfaces so that their per-port power
consumption is logged:
[edit poe]
user@switch# set interface ge-0/0/1 priority high
user@switch# set interface ge-0/0/1 telemetries
user@switch# set interface ge-0/0/2 priority high
user@switch# set interface ge-0/0/2 telemetries
user@switch# set interface ge-0/0/3 priority high
user@switch# set interface ge-0/0/3 telemetries
user@switch# set interface ge-0/0/4 priority high
user@switch# set interface ge-0/0/4 telemetries
user@switch# set interface all
2. Add a description to each of the interfaces ge-0/0/0 through ge-0/0/7:
[edit]
user@switch# set interfaces ge-0/0/0 description
user@switch# set interfaces ge-0/0/1 description
user@switch# set interfaces ge-0/0/2 description
user@switch# set interfaces ge-0/0/3 description
user@switch# set interfaces ge-0/0/4 description
user@switch# set interfaces ge-0/0/5 description
user@switch# set interfaces ge-0/0/6 description
user@switch# set interfaces ge-0/0/7 description
3. Connect the wireless access point to switch interface ge-0/0/0. This interface
is PoE-enabled with the default settings based on the factory configuration.
Telemetries are not enabled.
4. Connect the two security cameras to switch interfaces ge-0/0/1 and ge-0/0/2.
These interfaces are set to high priority with telemetries enabled.
5. Connect the emergency VoIP phone to switch interface ge-0/0/3. This interface
is set to high priority with telemetries enabled.
6. Connect the Executive Office VoIP phone to switch interface ge-0/0/4. This
interface is set to high priority with telemetries enabled.
7. Connect the staff VoIP phones to switch interfaces ge-0/0/5 through ge-0/0/7.
These interfaces are set to the default values. Telemetries are not enabled.
Verification
To verify that PoE interfaces have been created and are operational, perform the
following tasks:
Verifying That the PoE Interfaces Have Been Created with Desired Priorities on page 1096
Verifying That the PoE Interfaces Have Been Created with Desired Priorities
Purpose
Verify that the PoE interfaces on the switch are now set to the desired priority settings.
Action
List all the PoE interfaces configured on the switch with the show poe interface
command (see page 1117):
user@switch> show poe interface
Interface   Enabled   Status   Max-Power   Priority   Power-Consumption   Class
ge-0/0/0    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/1    Enabled   ON       15.4W       High       12.95W              0
ge-0/0/2    Enabled   ON       15.4W       High       12.95W              0
ge-0/0/3    Enabled   ON       15.4W       High       12.95W              0
ge-0/0/4    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/5    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/6    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/7    Enabled   OFF      15.4W       Low        0 W                 0
Meaning
The show poe interface command lists PoE interfaces configured on the switch, with
their status, priority, power consumption, and class. This output shows that eight
PoE interfaces are enabled. Interfaces ge-0/0/1 through ge-0/0/3 are configured as
priority high. The remaining interfaces are configured with the default values.
Troubleshooting PoE Interfaces
Chapter 64
Configuring PoE
1. Enable PoE:
[edit]
user@switch# set poe interface all
4. Enable logging of PoE power consumption with the default telemetries settings:
5. Reserve a specified wattage of power for the switch in case of a spike in PoE
consumption (the default is 0):
[edit]
user@switch# set poe guard-band 15
2. Click one:
Field           Description   Your Action
Enable PoE
Priority
Maximum Power
Guard Band
Chapter 65
Verifying PoE
Monitoring PoE
Purpose
Use the monitoring functionality to view real-time data of the power consumed by
each PoE interface, and to enable and configure Telemetries values. When Telemetries
is enabled, the software measures the power consumed by each interface and stores
the data for future reference.
Action
To monitor PoE using the J-Web interface, select Monitor > Power over Ethernet.
To monitor PoE using the CLI:
To display the real-time PoE status for all PoE interfaces, enter show poe
interface (see page 1117).
To display the real-time PoE status for a specific PoE interface, enter show poe
interface interface-name.
The show poe interface command (see page 1117) displays the power consumption of
the interface at the moment that the command is issued.
To monitor the PoE interface's power consumption over a period of time, you can
enable telemetries for the interface with the telemetries configuration statement.
When Telemetries is enabled, you can display the log of the interface's power
consumption by using the CLI command:
show poe telemetries interface interface-name (all | x) (see page 1119)
Meaning
In the J-Web interface the PoE Monitoring screen is divided into two parts. The top
half of the screen displays real-time data of the power consumed by each interface
and a list of ports that utilize maximum power.
Select a particular interface to view a graph of the power consumed by the selected
interface.
The bottom half of the screen displays telemetries values for interfaces. The telemetry
status displays whether telemetry has been enabled on the interface. Click the Show
Graph button to view a graph of the telemetries. The graph can be based on power
or voltage. To modify telemetries values, click Edit. Specify Interval in minutes,
Duration in hours, and select Log Telemetries to enable telemetries on the selected
interface.
Purpose
Verify that the PoE interfaces on the switch are enabled and set to the desired priority
settings.
Action
List all the PoE interfaces configured on the switch:
user@switch> show poe interface
Interface   Enabled   Status   Max-Power   Priority   Power-Consumption   Class
ge-0/0/0    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/1    Enabled   ON       15.4W       High       12.95W              0
ge-0/0/2    Enabled   ON       15.4W       High       12.95W              0
ge-0/0/3    Enabled   ON       15.4W       High       12.95W              0
ge-0/0/4    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/5    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/6    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/7    Enabled   OFF      15.4W       Low        0 W                 0
Meaning
The show poe interface command lists PoE interfaces configured on the switch, with
their status, priority, power consumption, and class. This command has been executed
on a switch with partial PoE (8 PoE ports). The output shows that all eight PoE
interfaces are enabled. Interfaces ge-0/0/1 through ge-0/0/3 are configured as priority
high. The remaining interfaces were configured with the default values.
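The verification above is done by eye. The following is an added example, not part of the Juniper guide, that parses a show poe interface table and compares it with the intended configuration: it reports interfaces that were meant to be priority high but are low, interfaces that are enabled yet OFF, per-port draw above max-power, and total draw that eats into the guard band. The transcript is constructed to match the output shown above; the controller values (305 W max-power, 15 W guard band) are the ones in the guide's sample output.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample transcript; the column layout follows the guide's
# show poe interface output (eight PoE ports, ge-0/0/1 to ge-0/0/3 at
# priority high, ge-0/0/7 enabled but OFF).
SAMPLE_OUTPUT = """\
Interface   Enabled   Status   Max-power   Priority   Power-consumption   Class
ge-0/0/0    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/1    Enabled   ON       15.4W       High       12.95W              0
ge-0/0/2    Enabled   ON       15.4W       High       12.95W              0
ge-0/0/3    Enabled   ON       15.4W       High       12.95W              0
ge-0/0/4    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/5    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/6    Enabled   ON       15.4W       Low        12.95W              0
ge-0/0/7    Enabled   OFF      15.4W       Low        0.0W                0
"""


@dataclass
class PoePort:
    name: str
    enabled: bool
    status: str          # "ON" or "OFF"
    max_power_w: float
    priority: str        # "high" or "low"
    consumption_w: float
    pd_class: int        # IEEE 802.3af class of the powered device


# One table row: interface, Enabled/Disabled, ON/OFF, max-power, priority,
# power-consumption, class. Wattages may be written "15.4W" or "0 W".
_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<enabled>Enabled|Disabled)\s+(?P<status>ON|OFF)\s+"
    r"(?P<max>\d+(?:\.\d+)?)\s*W\s+(?P<prio>High|Low)\s+"
    r"(?P<cons>\d+(?:\.\d+)?)\s*W\s+(?P<cls>\d+)\s*$"
)


def parse_show_poe_interface(text: str) -> list[PoePort]:
    """Turn the CLI table into PoePort records; the header and unknown lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m is None:
            continue
        ports.append(PoePort(
            name=m["name"],
            enabled=m["enabled"] == "Enabled",
            status=m["status"],
            max_power_w=float(m["max"]),
            priority=m["prio"].lower(),
            consumption_w=float(m["cons"]),
            pd_class=int(m["cls"]),
        ))
    return ports


def check_poe_state(ports: list[PoePort], expected_high: set[str],
                    controller_max_w: float, guard_band_w: float) -> list[str]:
    """Compare the live table with intent; an empty list means nothing to report.

    expected_high: interfaces the configuration set to priority high.
    controller_max_w, guard_band_w: the PoE controller's Max-power and Guard-band;
    total draw above their difference means the guard band is being eaten into.
    """
    findings = []
    high = {p.name for p in ports if p.priority == "high"}
    for name in sorted(set(expected_high) - high):
        findings.append(f"{name}: expected priority high, switch reports low")
    for name in sorted(high - set(expected_high)):
        findings.append(f"{name}: priority high but not in the expected set")
    for p in ports:
        if p.enabled and p.status == "OFF":
            findings.append(f"{p.name}: PoE enabled but not delivering power")
        if p.consumption_w > p.max_power_w:
            findings.append(f"{p.name}: draws {p.consumption_w}W, above max-power {p.max_power_w}W")
    total = sum(p.consumption_w for p in ports)
    usable = controller_max_w - guard_band_w
    if total > usable:
        findings.append(f"total draw {total:.2f}W exceeds usable budget {usable:.2f}W")
    return findings
```

Feeding the transcript above with ge-0/0/4 in the expected-high set reports that port as low and ge-0/0/7 as enabled but not delivering power.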
Chapter 66
disable
Syntax
disable;
Hierarchy Level
[edit poe interface (all | interface-name)],
[edit poe interface (all | interface-name) telemetries]
Default
The PoE capabilities are automatically enabled when a PoE interface is set. If the
telemetries statement is specified, monitoring of PoE per-port power consumption
is enabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
duration
Syntax
duration hours;
Hierarchy Level
[edit poe interface (all | interface-name) telemetries]
guard-band
Syntax
guard-band watts;
Hierarchy Level
[edit poe]
Default
0 W
Options
watts: Amount of power reserved for the switch in case of a spike in PoE
consumption.
Range: 0 through 19 W
Default: 0 W
interface
interval
Syntax
interval minutes;
Hierarchy Level
[edit poe interface (all | interface-name) telemetries]
management
Syntax
management type;
Hierarchy Level
[edit poe]
Default
static
Options
type: Management type:
static: The switch reserves a certain amount of power for the PoE port even
when a powered device is not connected to the port. This setting ensures that
power is available when needed.
maximum-power
Syntax
maximum-power watts;
Hierarchy Level
[edit poe interface (all | interface-name)]
Default
15.4 W
Options
watts
priority
Syntax
priority value;
Hierarchy Level
[edit poe interface (all | interface-name)]
Default
low
Options
value: high or low:
high: The port has high priority for power allocation. If there is insufficient
power for all the PoE ports, the available power is directed to this port. If the
switch needs to shut down powered devices because a power supply fails and there
is insufficient power, the power is not shut down on this port until after it has
been shut down on all the low priority ports.
low: The port has low priority for power allocation. If there is insufficient
power for all the PoE ports, power is not supplied to this port. If the switch
needs to shut down powered devices because a power supply fails and there is
insufficient power, the power is shut down on this port before it is shut down
on high priority ports.
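The priority and guard-band statements together decide which powered devices stay up when the budget shrinks. The following is an added example, not from the Juniper guide, that applies those stated rules to the PoE example's eight ports: usable power is the controller's max-power minus the guard band, high-priority ports are served first, and low-priority ports are shut down first. The guide does not say how ports of equal priority are ordered; this example breaks ties by interface name, which is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PoeInterface:
    name: str
    priority: str = "low"          # priority statement: high or low, default low
    maximum_power_w: float = 15.4  # maximum-power statement, default 15.4 W


_RANK = {"high": 0, "low": 1}


def _service_order(ports):
    # High priority first. Ties are broken by interface name; that tie-break is
    # an assumption of this example, the guide does not specify it.
    return sorted(ports, key=lambda p: (_RANK[p.priority], p.name))


def allocate(ports, controller_max_w, guard_band_w=0.0):
    """Return (powered, shut_down) interface-name lists for a given power budget.

    Usable power is the controller's max-power minus the guard band. Ports are
    served in priority order; once a port does not fit, it and every port after
    it stay unpowered, so a low-priority port never jumps ahead of a
    high-priority one.
    """
    remaining = controller_max_w - guard_band_w
    powered, shut_down = [], []
    for p in _service_order(ports):
        if not shut_down and p.maximum_power_w <= remaining:
            remaining -= p.maximum_power_w
            powered.append(p.name)
        else:
            shut_down.append(p.name)
    return powered, shut_down


def shutdown_order(ports):
    """Order in which ports lose power as supply shrinks: every low-priority
    port goes before any high-priority port, the reverse of the service order."""
    return [p.name for p in reversed(_service_order(ports))]


def guide_topology():
    """The PoE example's eight ports, with ge-0/0/1 to ge-0/0/4 set to high."""
    high = {"ge-0/0/1", "ge-0/0/2", "ge-0/0/3", "ge-0/0/4"}
    return [PoeInterface(f"ge-0/0/{i}", "high" if f"ge-0/0/{i}" in high else "low")
            for i in range(8)]
```

With the guide's 305 W controller and 15 W guard band every port is served; with a supply that has dropped to 100 W only the four high-priority ports and one low-priority port fit.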
telemetries
Syntax
telemetries {
disable;
duration hours;
interval minutes;
}
Hierarchy Level
[edit poe interface (all | interface-name)]
Default
If the telemetries statement is specified, logging is enabled with the default values
for interval and duration.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Chapter 67
Required Privilege Level
view
Output Fields
Field               Description
Ctrl-index
Max-power           Specifies the maximum power that can be provided by the switch to PoE ports.
power-consumption   Specifies the total amount of power being used by the PoE ports, as measured
                    by the specified telemetries settings.
Guard-band
Management
Sample Output
Max-power   power-consumption   Guard-band   Management
305 W       0W                  15W          Static
show poe interface
Required Privilege Level
view
List of Sample Output
show poe interface (status for all PoE interfaces on the switch) on page 1117
show poe interface interface-name (status for a specific PoE interface on the switch) on page 1118
Output Fields
Table 169 on page 1117 lists the output fields for the show poe interface command.
Output fields are listed in the approximate order in which they appear.
Field               Description
PoE Interface
Enabled
status
max-power
priority
power-consumption   Specifies how much power is being used by the port, as measured by the
                    specified telemetries settings.
Class               Indicates the IEEE 802.3af classification that defines the maximum power
                    requirements for a powered device.
Sample Output
user@switch> show poe interface
priority   power-consumption   Class
Low        0.0W                0
High       0.0W                0
Low        0.0W                0
user@switch> show poe interface ge-0/0/3
Interface   Enabled   Status   max-power   priority   power-consumption   Class
ge-0/0/3    Enabled   OFF      12.0W       High       0.0W                0
show poe telemetries interface
Required Privilege Level
view
Output Fields
Field       Description
Sl No       Number of the record for the specified port. Record number 1 is the most recent.
Timestamp
Power       Amount of power provided by the specified port at the time the data was gathered.
Voltage     Maximum voltage provided by the specified port at the time the data was gathered.
Sample Output
user@switch> show poe telemetries interface ge-0/0/0 10
Sl No   Timestamp                  Power    Voltage
1                                  15.4W    51.6V
2                                  15.4W    51.6V
3                                  15.4W    51.6V
4                                  15.4W    51.6V
5       01-27-2008 18:15:58 UTC    15.4W    51.6V
6       01-27-2008 18:14:58 UTC    15.4W    51.6V
7       01-27-2008 18:13:58 UTC    15.4W    51.6V
8       01-27-2008 18:12:57 UTC    15.4W    51.6V
9       01-27-2008 18:11:57 UTC    15.4W    51.6V
10      01-27-2008 18:10:57 UTC    15.4W    51.6V
Part 14
Port Mirroring
Chapter 68
You can use port mirroring on an EX-series switch to mirror any of the following:
Packets entering or exiting a port: In any combination. For example, you can
send copies of the packets entering some ports and the packets exiting other
ports to the same local analyzer port or analyzer VLAN.
Packets entering a VLAN: You can mirror the packets entering a VLAN to either
a local analyzer port or to an analyzer VLAN.
NOTE: Firewall filters are not supported on egress ports, therefore you cannot specify
policy-based sampling of packets exiting an interface.
NOTE: JUNOS software for EX-series switches implements port mirroring differently
than other JUNOS software packages. JUNOS software for EX-series switches does
not include the port-mirroring statement found in the edit forwarding-options level of
the hierarchy of other JUNOS software packages, nor the port-mirror action in firewall
filter terms.
Packets with physical layer errors are filtered out and thus are not sent to the
analyzer port or VLAN.
Term                     Description
Analyzer                 Interface to which mirrored traffic is sent and to which a protocol analyzer
                         application is connected.
                         Does not participate in Layer 2 protocols, such as Spanning Tree Protocol (STP),
                         when it is part of a port mirroring configuration.
                         If the bandwidth of the analyzer output interface is not sufficient to handle the
                         traffic from the source ports, overflow packets are dropped.
Analyzer VLAN            VLAN to which mirrored traffic is sent and to which a protocol analyzer
                         application is connected. The analyzer VLAN is spread across the switches in
                         your network.
Input interface          An interface on the switch that is being mirrored, either on traffic entering or
                         exiting the interface. An input interface cannot also be an output interface for
                         an analyzer.
Monitoring station
Remote port mirroring    Functions the same as local port mirroring, except that the traffic that is
                         mirrored is not copied to a local analyzer port but is instead flooded into an
                         analyzer VLAN that you create specifically for the purpose of receiving mirrored
                         traffic.
Policy-based mirroring   Mirroring of packets that match the match items in the defined firewall filter
                         term. The action item analyzer analyzer-name is used in the firewall filter to
                         send the packets to the port mirror analyzer.
Statistical sampling     You can configure the system to mirror a sampling of the packets, by setting a
                         ratio of 1:x, where x is a value from 1 through 2047. For example, when the ratio
                         is set to 1, all packets are copied to the analyzer. When the ratio is set to 200,
                         1 of every 200 packets is copied.
Chapter 69
Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches
Requirements
This example uses the following hardware and software components:
Before you configure port mirroring, be sure you have an understanding of port
mirroring concepts.
Network Topology
In this example, ge-0/0/0 and ge-0/0/1 serve as connections for employee computers.
In this example, one interface, ge-0/0/10, is reserved for analysis of mirrored traffic.
Connect a PC running a protocol analyzer application to the analyzer output interface
to analyze the mirrored traffic.
NOTE: Multiple ports mirrored to one interface can cause buffer overflow and dropped
packets.
Figure 53 on page 1128 shows the network topology for this example.
Figure 53: Network Topology for Local Port Mirroring Example
To quickly configure local port mirroring for ingress traffic to the two ports connected
to employee computers, copy the following commands and paste them into the
switch terminal window:
[edit ethernet-switching-options]
J-Web Quick Configuration
2. Click Add.
4. In the Analyzer Port field, click Select to select ge-0/0/10 as the output interface.
5. Click Add to select the ingress interfaces. Select ge-0/0/0 and click OK.
6. Click Add to select the ingress interfaces. Select ge-0/0/1 and click OK.
Step-by-Step Procedure
2. Configure the output analyzer interface for the employee-monitor analyzer. This
will be the destination interface for the mirrored packets:
[edit ethernet-switching-options]
set analyzer employee-monitor output interface ge-0/0/10.0
3.
commit
To quickly configure local port mirroring of traffic from the two ports connected to
employee computers, filtering so that only traffic to the external Web is mirrored,
copy the following commands and paste them into the switch terminal window:
[edit]
set ethernet-switching-options analyzer employee-web-monitor output interface ge-0/0/10.0
set firewall family ethernet-switching filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term employee-to-corp then accept
set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80
set firewall family ethernet-switching filter watch-employee term employee-to-web then analyzer employee-web-monitor
set firewall family ethernet-switching filter watch-employee
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee
Step-by-Step Procedure
To configure local port mirroring of employee-to-Web traffic from the two ports
connected to employee computers:
5.
commit
Results
ge-0/0/1 {
family ethernet-switching {
port-mode trunk;
vlan members [employee-vlan, voice-vlan];
filter {
input watch-employee;
}
}
}
Verification
To confirm that the configuration is correct, perform these tasks:
Verifying That the Analyzer Has Been Correctly Created on page 1132
Verifying That the Analyzer Has Been Correctly Created
Action
user@switch> show analyzer
Analyzer name                        : employee-monitor
Analyzer mirror ratio                : 1
Analyzer loss priority               : Low
Analyzer ingress monitored interfaces: ge-0/0/0.0
                                       ge-0/0/1.0
Analyzer egress monitored interfaces : None
Analyzer monitor interface           : ge-0/0/10.0
Analyzer monitor VLAN                : None
Meaning
This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring
every packet, the default setting), a loss priority of low (set this option to high only
when the analyzer output is to a VLAN), is mirroring the traffic entering the ge-0/0/0
and ge-0/0/1 interfaces, and sending the mirrored traffic to the ge-0/0/10 interface.
Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches
Requirements
This example uses the following hardware and software components:
Before you configure port mirroring, be sure you have an understanding of port
mirroring concepts.
In this example:
NOTE: The interface connected to the remote monitoring station must be a member
of VLAN remote-analyzer, and this VLAN must be configured on all switches between
the monitored switch and the monitoring station.
To quickly configure remote port mirroring of all traffic from the two ports connected
to employee computers, copy the following commands and paste them into the
terminal window:
[edit]
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/1 unit 0 family ethernet-switching vlan members 999
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/1.0
set ethernet-switching-options analyzer employee-monitor loss-priority high
set ethernet-switching-options analyzer employee-monitor output vlan remote-analyzer
Step-by-Step Procedure
4.
commit
To quickly configure remote port mirroring of employee traffic to the external Web,
copy the following commands and paste them into the terminal window:
[edit]
set ethernet-switching-options analyzer employee-web-monitor loss-priority high
set ethernet-switching-options analyzer employee-web-monitor output vlan 999
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/1 unit 0 family ethernet-switching vlan members 999
set firewall family ethernet-switching filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term employee-to-corp then accept
set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80
set firewall family ethernet-switching filter watch-employee term employee-to-web then analyzer employee-web-monitor
set interfaces ge-0/1/1 unit 0 family ethernet-switching filter input watch-employee
Step-by-Step Procedure
To configure port mirroring of all traffic from the two ports connected to employee
computers to the remote-analyzer VLAN for use from a remote monitoring station:
6.
commit
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That the Analyzer Has Been Correctly Created on page 1138
Verifying That the Analyzer Has Been Correctly Created
Action
You can verify the port mirror analyzer is configured as expected using the show
analyzer command. To view previously created analyzers that are disabled, go to the
J-Web interface.
user@switch> show analyzer
Analyzer name                        : employee-monitor
Analyzer mirror ratio                : 1
Analyzer loss priority               : High
Analyzer ingress monitored interfaces: ge-0/0/0.0
                                       ge-0/0/1.0
Analyzer egress monitored interfaces : None
Analyzer monitor interface           : None
Analyzer monitor VLAN                : remote-analyzer
Meaning
This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring
every packet, the default), a loss priority of high (set this option to high whenever
the analyzer output is to a VLAN), is mirroring the traffic entering ge-0/0/0 and
ge-0/0/1, and sending the mirrored traffic to the analyzer called remote-analyzer.
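Both verification sections rely on reading show analyzer by eye. The following is an added example, not part of the Juniper guide, that parses that output and checks the rules stated in these chapters: loss priority must be High whenever the output is an analyzer VLAN, an input interface cannot also be the output interface, and the mirror ratio must lie between 1 and 2047. The two transcripts are constructed; the first matches the remote-monitoring output above, the second is the same analyzer left at the default (low) loss priority.

```python
import re

# Constructed transcript shaped like the remote-monitoring verification output
# (analyzer employee-monitor, two ingress interfaces, output to the
# remote-analyzer VLAN, loss priority High).
SAMPLE_REMOTE = """\
Analyzer name                        : employee-monitor
Analyzer mirror ratio                : 1
Analyzer loss priority               : High
Analyzer ingress monitored interfaces: ge-0/0/0.0
                                       ge-0/0/1.0
Analyzer egress monitored interfaces : None
Analyzer monitor interface           : None
Analyzer monitor VLAN                : remote-analyzer
"""

# Same analyzer with the default loss priority left in place: a misconfiguration
# for VLAN output that the check below should catch.
SAMPLE_REMOTE_LOW = SAMPLE_REMOTE.replace(": High", ": Low")

_FIELD = re.compile(r"^Analyzer (?P<field>[^:]+?)\s*:\s*(?P<value>.*)$")
_LISTS = ("ingress monitored interfaces", "egress monitored interfaces")


def parse_show_analyzer(text):
    """Map each 'Analyzer <field> : <value>' line to its value; the two
    monitored-interface fields become lists, with indented continuation lines
    appended to them."""
    fields, current = {}, None
    for raw in text.splitlines():
        m = _FIELD.match(raw)
        if m:
            current, value = m["field"], m["value"].strip()
            if current in _LISTS:
                fields[current] = [] if value == "None" else [value]
            else:
                fields[current] = value
        elif current in _LISTS and raw.strip():
            fields[current].append(raw.strip())
    return fields


def check_analyzer(fields):
    """Apply the guide's constraints; return a list of findings (empty means OK)."""
    findings = []
    ratio = int(fields.get("mirror ratio", "0"))
    if not 1 <= ratio <= 2047:
        findings.append(f"mirror ratio {ratio} is outside 1 through 2047")
    out_if = fields.get("monitor interface", "None")
    out_vlan = fields.get("monitor VLAN", "None")
    if out_vlan != "None" and fields.get("loss priority") != "High":
        findings.append("output is an analyzer VLAN but loss priority is not High")
    if out_if == "None" and out_vlan == "None":
        findings.append("analyzer has no output interface or VLAN")
    inputs = fields.get(_LISTS[0], []) + fields.get(_LISTS[1], [])
    if out_if in inputs:
        findings.append(f"{out_if} is both a monitored input and the output interface")
    return findings
```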
Chapter 70
NOTE: Only one analyzer can be enabled on an EX-series switch. To create additional
analyzers, first disable any existing analyzers using the disable analyzer analyzer-name
command or the J-Web port mirroring configuration page.
NOTE: Interfaces used as input or output for a port mirror analyzer must be configured
as family ethernet-switching.
2. Optionally, you can specify a statistical sampling of the packets by setting a ratio:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor ratio 200
When the ratio is set to 200, 1 of every 200 packets is mirrored to the analyzer.
You can use statistical sampling to reduce the volume of mirrored traffic, as a
high volume of mirrored traffic can be performance intensive for the switch.
4.
commit
1. Configure a VLAN to carry the mirrored traffic. This VLAN is called remote-analyzer
and given the ID of 999 by convention in this documentation:
[edit]
user@switch# set vlans remote-analyzer vlan-id 999
2. Set the uplink module interface that is connected to the distribution switch to
trunk mode and associate it with the remote-analyzer VLAN:
[edit]
user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching vlan members 999
3.
a. Choose a name and set the loss priority to high. Loss priority should always
be set to high when configuring for remote port mirroring:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor loss-priority high
4. Optionally, you can specify a statistical sampling of the packets by setting a ratio:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor ratio 200
When the ratio is set to 200, 1 out of every 200 packets is mirrored to the
analyzer. You can use this to reduce the volume of mirrored traffic, as a very high
volume of mirrored traffic can be performance intensive for the switch.
5.
commit
NOTE: Port mirroring is supported for packets exiting an interface, however firewall
filters are not. Therefore, you cannot use filters where the analyzer input is the traffic
exiting an interface.
To filter mirrored traffic, create an analyzer and then create a firewall filter. The filter
can use any of the available match conditions and must have an action of analyzer
analyzer-name. The action of the firewall filter provides the input to the analyzer.
1. Create an analyzer:
a. For local analysis, set the output to the local interface to which you will
connect the computer running the protocol analyzer application:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor output interface ge-0/0/10.0
b. For remote analysis, set the loss-priority to high and set the output to the
remote-analyzer VLAN:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor loss-priority high
user@switch# set analyzer employee-monitor output vlan 999
2. Create a firewall filter using any of the available match conditions and specify
the action as analyzer analyzer-name. This example shows a firewall filter called
example-filter, with two terms:
a. Create the first term to define the traffic that should not pass through to the
analyzer:
[edit firewall family ethernet-switching]
user@switch# set filter example-filter term term1 from match-condition1
user@switch# set filter example-filter term term1 from match-condition2
user@switch# set filter example-filter term term1 then accept
b. Create the second term to define the traffic that should pass through to the
analyzer:
[edit firewall family ethernet-switching]
user@switch# set filter example-filter term term2 from match-condition3
user@switch# set filter example-filter term term2 then analyzer analyzer-name
3. Apply the firewall filter to the interfaces or VLAN that are input to the analyzer:
[edit]
user@switch# set interfaces interface-name unit 0 family ethernet-switching filter input example-filter
user@switch# set vlans vlan-name filter input example-filter
4.
commit
Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
egress
ethernet-switching-options
ingress
input
interface
loss-priority
output
ratio
vlan
2. Click one:
NOTE: Only one analyzer can be enabled at a time. You can have multiple disabled
analyzer configurations.
When an analyzer is deleted or disabled, any filter association is removed.
Field           Function   Your Action
Analyzer
Name
Ratio
Loss Priority
Ingress
Egress
Chapter 71
vlan vlan-name;
mac mac-address;
}
}
vlan (all | vlan-name) {
(arp-inspection | no-arp-inspection );
(examine-dhcp | no-examine-dhcp );
(ip-source-guard | no-ip-source-guard);
mac-move-limit limit action action;
}
}
storm-control {
interface (all | interface-name) {
level level;
no-broadcast;
no-unknown-unicast;
}
}
traceoptions {
file filename <files number> <no-stamp> <replace> <size size> <world-readable
| no-world-readable>;
flag flag <disable>;
}
voip {
interface (all | [interface-name | access-ports]) {
vlan vlan-name ;
forwarding-class <assured-forwarding | best-effort | expedited-forwarding |
network-control>;
}
}
}
analyzer
Syntax
Hierarchy Level
Release Information
Description
analyzer {
name {
ratio number;
loss-priority priority;
input {
ingress {
interface (all | interface-name);
vlan (vlan-id | vlan-name);
}
egress {
interface (all | interface-name);
}
}
output {
interface interface-name;
vlan (vlan-id | vlan-name);
}
}
}
Hierarchy Level
[edit ethernet-switching-options]
Options
name: Name that identifies the analyzer. The name can be up to 125 characters
long, must begin with a letter, and can include uppercase letters, lowercase
letters, numbers, dashes, and underscores. No other special characters are
allowed.
The remaining statements are explained separately.
egress
Syntax
egress {
interface (all | interface-name);
}
Hierarchy Level
[edit ethernet-switching-options analyzer name input]
Default
No default.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
ethernet-switching-options
Syntax
ethernet-switching-options {
analyzer {
name {
loss-priority priority;
ratio number;
input {
ingress {
interface (all | interface-name);
vlan (vlan-id | vlan-name);
}
egress {
interface (all | interface-name);
}
}
output {
interface interface-name;
vlan (vlan-id | vlan-name);
}
}
}
bpdu-block {
interface (all | [interface-name]);
disable-timeout timeout;
}
redundant-trunk-group {
group-name name {
interface interface-name <primary>;
interface interface-name;
}
}
secure-access-port {
interface (all | interface-name) {
allowed-mac {
mac-address-list;
}
(dhcp-trusted | no-dhcp-trusted);
mac-limit limit action action;
static-ip ip-address {
vlan vlan-name;
mac mac-address;
}
}
vlan (all | vlan-name) {
(arp-inspection | no-arp-inspection);
(examine-dhcp | no-examine-dhcp);
(ip-source-guard | no-ip-source-guard);
mac-move-limit limit action action;
}
}
storm-control {
interface (all | interface-name) {
level level;
no-broadcast;
no-unknown-unicast;
}
}
traceoptions {
file filename <files number> <no-stamp> <replace> <size size> <world-readable |
no-world-readable>;
flag flag <disable>;
}
voip {
interface (all | [interface-name | access-ports]) {
vlan vlan-name ;
forwarding-class <assured-forwarding | best-effort | expedited-forwarding |
network-control>;
}
}
}
Hierarchy Level
[edit]
ingress
Syntax
ingress {
interface (all | interface-name);
vlan (vlan-id | vlan-name);
}
Hierarchy Level
[edit ethernet-switching-options analyzer name input]
Default
No default.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
input
Syntax
input {
ingress {
interface (all | interface-name);
vlan (vlan-id | vlan-name);
}
egress {
interface (all | interface-name);
}
}
Hierarchy Level
[edit ethernet-switching-options analyzer name]
Default
No default.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
interface
loss-priority
Syntax
loss-priority priority;
output
Syntax
output {
interface interface-name;
vlan (vlan-id | vlan-name);
}
Hierarchy Level
[edit ethernet-switching-options analyzer name]
Default
No default.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
ratio
Syntax
ratio number;
Hierarchy Level
[edit ethernet-switching-options analyzer name]
Release Information
Description
Default
Options
vlan
Syntax
Hierarchy Level
Release Information
Description
Options
Chapter 72
show analyzer
Syntax
Release Information
Description
Options
Required Privilege Level
view
List of Sample Output
show analyzer on page 1160
Output Fields
Table 42 on page 1160 lists the output fields for the show analyzer command. Output fields are listed in the approximate order in which they appear.
Field Description
name
mirror ratio
loss priority: Displays the loss priority of the mirrored packets. By default, the switch applies a lower priority to mirrored data than to regular port-to-port data; mirrored traffic is dropped in preference to regular traffic when capacity is exceeded. For port mirroring configurations with output to an analyzer VLAN, set the loss priority to high.
monitor interface
monitor VLAN
Sample Output
show analyzer
employee-monitor 1 High ge-0/0/0.0 None None remote-analyzer
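An added configuration example, not from the guide, that ties the analyzer statements above (input, output, ratio, loss-priority) to the sample output: the employee-monitor analyzer mirrors ingress traffic from ge-0/0/0.0 into the remote-analyzer VLAN with loss priority raised to high, as the loss priority field description recommends for VLAN output. The exact keyword spelling `high` for the priority value is an assumption.

```junos
ethernet-switching-options {
    analyzer employee-monitor {
        /* Mirrored packets are dropped first when capacity is exceeded
           unless their loss priority is raised; the guide recommends
           high whenever output goes to an analyzer VLAN. (Keyword
           spelling "high" is assumed.) */
        loss-priority high;
        /* Mirror every packet (ratio 1, as in the sample output). */
        ratio 1;
        input {
            ingress {
                /* Source of mirrored traffic: monitor interface ge-0/0/0.0 */
                interface ge-0/0/0.0;
            }
        }
        output {
            /* Destination: the analyzer VLAN named remote-analyzer */
            vlan remote-analyzer;
        }
    }
}
```

After committing, show analyzer should list the analyzer with mirror ratio 1, loss priority High, monitor interface ge-0/0/0.0 and analyzer VLAN remote-analyzer, matching the sample output.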
Part 15
Network Management
Chapter 73
bucket-size
Syntax
bucket-size number;
Hierarchy Level
[edit snmp rmon history]
Release Information
Description
Default
50
Options
history
Syntax
history history-index {
    bucket-size number;
    interface interface-name;
    interval seconds;
    owner owner-name;
}
Hierarchy Level
[edit snmp rmon]
Release Information
Description
Default
Not configured.
Options
interface
Syntax
interface interface-name;
Hierarchy Level
[edit snmp rmon history history-index]
Release Information
Description
Options
owner
Syntax
owner owner-name;
Hierarchy Level
[edit snmp rmon history]
Release Information
Description
Options
rmon
Syntax
rmon {
    history history-index {
        interface interface-name;
        bucket-size number;
        interval seconds;
        owner owner-name;
    }
}
Hierarchy Level
[edit snmp]
Release Information
Description
Default
Disabled.
Required Privilege Level
snmp: To view this statement in the configuration.
snmp-control: To add this statement to the configuration.
Related Topics
Part 16
Index
Symbols
802.1X settings
configuring..........................................................758
monitoring..........................................................785
802.3ad statement.....................................................312
A
access privileges
specifying ..........................................................108
access statement........................................................801
accounting statement.................................................802
accounting-server statement......................................803
active alarms
checking.............................................................113
active routes, displaying.............................................610
Add a RADIUS Server page
field summary....................................................109
Add a User Configuration page
field summary....................................................109
addresses
BGP local address ..............................................590
BGP peer address ...............................................590
destination, displaying........................................610
advertisement-interval statement...............................804
alarm severity
major (red) ...........................................................91
See also major alarms
minor (yellow)......................................................92
See also minor alarms
alarm statement
STP.....................................................................488
alarms
major See major alarms
minor See minor alarms
overview...............................................................91
red See major alarms
yellow See minor alarms
all-failures (tracing flag)
STP.....................................................................534
allowed-mac statement..............................................805
analyzer statement..................................................1149
arp-inspection statement............................................806
AS path, displaying....................................................611
ASs (autonomous systems)
AS number .........................................................590
authentication
specifying access privileges ................................108
authentication-order statement..................................807
authentication-profile-name statement.......................809
authentication-server statement.................................810
authenticator statement.............................................808
auto-negotiation statement........................................313
B
backbone area
area ID ...............................................................595
area type ............................................................595
bandwidth-limit statement.........................................971
BGP (Border Gateway Protocol)
AS number .........................................................590
See also ASs (autonomous systems), AS
number
Configuration......................................................589
enabling .............................................................589
local address ......................................................590
monitoring..........................................................603
peer address ......................................................590
peer AS number..................................................590
router ID ............................................................589
statistics..............................................................603
status..................................................................604
BGP groups, displaying..............................................603
BGP neighbors
displaying...........................................................604
BGP peers See BGP neighbors
peer address ......................................................590
peer AS number .................................................590
BGP routing information............................................603
BGP sessions, status...................................................604
block statement
STP.....................................................................489
boot operations, DHCP...............................................592
bpdu (tracing flag)......................................................534
bpdu-block statement
STP.....................................................................490
bpdu-block-on-edge statement
STP.....................................................................491
bpdu-timeout-action statement
STP.....................................................................492
bridge-detection-state-machine (tracing flag)..............534
bridge-priority statement...........................................493
bucket-size statement..............................................1164
buffer-size statement...............................................1057
burst-size-limit statement...........................................971
C
ca-type statement......................................................811
ca-value statement.....................................................812
certificates See SSL certificates
chassis
alarm condition indicator....................................114
chassis software process..............................................18
chassisd process..........................................................18
checking
active alarms......................................................113
civic-based statement.................................................813
Class of Service classifiers page................................1034
field summary..................................................1034
Class of Service Cos value aliases page
field summary..................................................1030
Class of Service forwarding classes page..................1037
field summary..................................................1037
Class of Service rewrite rules page...........................1042
field summary..................................................1043
Class of Service scheduler maps page......................1038
field summary..................................................1040
Class of Service schedulers page..............................1038
field summary..................................................1039
class statement........................................................1058
class-of-service statement........................................1059
classifiers
adding and editing ...........................................1035
defining ...........................................................1034
summary .........................................................1034
classifiers statement.................................................1061
classifiers, CoS.........................................................1047
clear
snmp rmon history.............................................126
clear arp inspection statistics command....................866
clear dhcp snooping binding command.....................867
clear dot1x command................................................868
clear ethernet-switching bpdu-error command..........542
clear firewall command..............................................982
clear gvrp statistics command....................................543
clear igmp-snooping membership command.............628
clear igmp-snooping statistics command...................629
clear lldp neighbors command...................................869
clear lldp statistics command.....................................870
clear snmp rmon history command...........................126
clear spanning-tree statistics command.....................544
loss priority.......................................................1052
packet loss priority............................................1052
rewrite rules See rewrite rules
scheduler maps See scheduler maps
schedulers See schedulers
CoS value aliases
adding .............................................................1031
summary .........................................................1030
cost statement
STP.....................................................................495
country-code statement.............................................814
CPU utilization, displaying..........................................106
D
daemons See processes, software
default gateway
defining................................................................94
default gateway, static routing...................................601
deleting
current rescue configuration (CLI configuration
editor).............................................................112
licenses (J-Web).....................................................86
description statement........................................314, 496
destination address, displaying..................................610
DHCP
monitor...............................................................605
DHCP (Dynamic Host Configuration Protocol)
Configuration......................................................590
conflicts..............................................................605
DHCP leases
configuring .........................................................591
monitoring..........................................................605
DHCP pages
field summary....................................................591
DHCP pools
configuring (Quick Configuration).......................591
monitoring..........................................................605
DHCP server
boot operations ..................................................592
Configuration......................................................590
information ........................................................591
monitoring operations........................................605
static bindings ....................................................592
subnet for configuration (Quick
Configuration).................................................591
dhcp-trusted statement..............................................815
diagnose
CLI terminal..........................................................50
packet capture....................................................101
diagnosing
traceroute tool....................................................103
diagnosis
DHCP conflicts....................................................605
viewing active alarms.........................................114
disable statement
802.1X................................................................816
GVRP..................................................................496
IGMP snooping....................................................617
LLDP...................................................................817
LLDP MED..........................................................817
power over Ethernet
telemetries.................................................1106
STP.....................................................................497
disable-timeout statement
STP.....................................................................498
dot1x statement.........................................................818
downloading
licenses (J-Web).....................................................87
drop profiles See CoS; RED drop profiles
drop-profile-map statement.....................................1063
dscp statement........................................................1064
duration statement...................................................1107
E
edge statement..........................................................499
Edit
configuration text.................................................49
egress statement
port mirroring...................................................1150
elin statement............................................................819
ether-options statement.............................................315
Ethernet interfaces
status information, displaying
Gigabit Ethernet...................................332, 342
Ethernet ports
alarm condition indicator....................................114
ethernet-switching-options statement......500, 820, 1151
event viewer, J-Web
overview.............................................................114
See also system log messages
events (tracing flag)
STP.....................................................................534
examine-dhcp statement............................................822
F
family statement........................................................316
firewall filters......................................................972
fast-start statement....................................................823
files
managing............................................................110
filter statement..........................................317, 502, 974
firewall filters......................................................973
Firewall filters
configuring..........................................................950
flow-control statement...............................................318
forward-delay statement............................................503
forwarding classes
adding and editing............................................1037
assigning to output queues ...............................1037
defining ...........................................................1037
summary .........................................................1037
forwarding software process........................................18
forwarding-class statement........................................824
class of service........................................1065, 1066
from statement..........................................................975
fwdd process................................................................18
G
Gigabit Ethernet interfaces
diagnostics information, displaying.....................353
status information, displaying.....................332, 342
group statement
IGMP snooping....................................................617
group-name statement...............................................504
groups
BGP, displaying...................................................603
guard-band statement..............................................1108
guest-vlan statement..................................................825
GVRP
configuration
show............................................................555
statistics
clearing........................................................543
show............................................................557
gvrp statement...........................................................505
H
halting a switching platform
with J-Web..........................................................107
halting a switching platform immediately
with J-Web .........................................................107
hardware
major (red) alarm conditions on............................91
hello-time statement..................................................506
history statement
RMON...............................................................1165
hold-multiplier statement...........................................826
hostname
pinging (J-Web)...................................................100
HTTP (Hypertext Transfer Protocol)
enabling Web access ............................................93
HTTPS (Hypertext Transfer Protocol over SSL)
enabling secure access .........................................93
Quick Configuration..............................................93
Hypertext Transfer Protocol See HTTP
Hypertext Transfer Protocol over SSL See HTTPS
I
idle time, displaying...................................................106
ieee802.1 statement..............................................1067
if-exceeding statement...............................................976
ifd process...................................................................18
IGMP snooping
group statement..................................................617
static statement..................................................617
igmp-snooping statement...........................................618
immediate-leave statement........................................619
import statement.....................................................1068
inet-precedence statement.......................................1069
ingress statement.....................................................1153
input statement........................................................1154
Install Remote page
field summary......................................................67
installation
licenses (J-Web).....................................................86
software upgrades, from a remote server.............67
software upgrades, uploading...............................68
interface
monitoring..........................................................299
interface (Storm Control) statement...................510, 532
interface software process...........................................18
interface statement............................................827, 830
802.1X................................................................831
Ethernet switching options.................................509
GVRP..................................................................508
IGMP snooping....................................................620
LLDP...................................................................829
LLDP-MED..........................................................828
port mirroring...................................................1155
power over Ethernet.........................................1109
RMON history...................................................1166
STP.............................................................507, 511
interfaces statement
class of service..................................................1070
interval statement....................................................1110
ip-source-guard statement..........................................832
J
J-Web interface
event viewer.......................................................114
join-timer statement
GVRP..................................................................512
JUNOS CLI
overview...............................................................50
JUNOS Internet software
version, displaying..............................................105
JUNOS software
overview...............................................................17
Packet Forwarding Engine....................................17
processes..............................................................18
Routing Engine.....................................................17
JUNOScript API
enabling secure access..........................................93
JUNOScript over SSL....................................................93
L
l3-interface statement........................................318, 512
LACP
configuring..........................................................296
lacp statement...........................................................319
laptop See management device
leave-timer statement
GVRP..................................................................514
leaveall-timer statement
GVRP..................................................................513
level statement...........................................................515
license keys
displaying (J-Web).................................................86
Licenses
managing........................................................84, 85
licenses
adding (J-Web)......................................................86
deleting (J-Web)....................................................86
downloading (J-Web).............................................87
link aggregation
configuring..........................................................296
Link Layer Discovery Protocol
configuring..........................................................765
link-mode statement..................................................320
LLDP
configuring..........................................................765
lldp statement............................................................833
lldp-med statement....................................................834
loading a configuration file
uploading .............................................................77
location statement.....................................................835
login classes
specifying ..........................................................108
login time, displaying.................................................106
loss priority, CoS......................................................1052
loss-priority statement.............................................1156
class of service..................................................1071
M
mac statement...........................................................836
mac-limit statement...........................................516, 837
mac-move-limit statement.........................................838
mac-persistence-timer statement...............................226
mac-table-aging-time statement.................................517
major (red) alarms
description............................................................91
Management access
configuring............................................................93
management device
connecting through the CLI.................................119
connecting to console port..................................119
management software process....................................18
management statement...........................................1111
Managing
files.....................................................................110
licenses...........................................................84, 85
managing
reboots...............................................................107
mapping, CoS forwarding classes to schedulers.......1038
mastership.................................................................204
mastership-priority statement....................................227
max-age statement....................................................518
max-hops statement..................................................519
maximum-power statement.....................................1112
maximum-requests statement...................................839
member statement....................................................228
members statement
interfaces....................................................321, 520
memory utilization, displaying...................................106
mgd process................................................................18
minor (yellow) alarms
description............................................................92
mode (STP) statement................................................521
monitoring
BGP.....................................................................603
interface.............................................................299
OSPF...................................................................607
RIP......................................................................609
routing tables......................................................610
system process information................................106
system properties...............................................105
Virtual Chassis....................................................219
Monitoring
802.1X settings...................................................785
DHCP services....................................................605
PoE...................................................................1103
port security.......................................................786
msti statement...........................................................522
MSTP
configuration
displaying....................................................568
mstp statement..........................................................523
mtu statement...........................................................322
multicast-router-interface statement
IGMP snooping....................................................620
N
native-vlan-id statement.....................................322, 524
network interfaces
enabling RIP on..................................................596
next hop
address for static routes......................................601
next hop, displaying...................................................610
no-broadcast statement..............................................525
no-management-vlan statement.................................229
no-reauthentication statement...................................839
no-root-port statement
STP.....................................................................526
no-unknown-unicast statement..................................527
NSSAs (not-so-stubby areas)
area ID ...............................................................595
area type ............................................................595
O
Open Shortest Path First See OSPF
operating system See JUNOS software
order statement.........................................................840
OSPF (Open Shortest Path First)
area type ............................................................595
Configuration......................................................594
designating OSPF interfaces ...............................595
enabling .............................................................595
monitoring..........................................................606
router ID ............................................................594
statistics..............................................................608
OSPF interfaces
displaying...........................................................607
enabling..............................................................595
status..................................................................607
OSPF neighbors
displaying...........................................................607
status..................................................................607
OSPF page
field summary....................................................594
OSPF routing information..........................................606
output statement
port mirroring...................................................1157
owner statement......................................................1166
P
packet capture...........................................................101
Packet Forwarding Engine...........................................17
packet loss priority, CoS...........................................1052
passwords
for downloading software upgrades......................65
RADIUS secret....................................................109
root password, recovering..................................119
PC See management device
periodic statement.....................................................323
Ping Host page
field summary....................................................100
PoE
configuring........................................................1100
monitoring........................................................1103
poe
controller..........................................................1116
show interfaces command................................1117
policer statement.......................................................977
Port Mirroring
configuring........................................................1143
port security
configuring..........................................................769
Port security
monitoring..........................................................786
port-information-state-machine (tracing flag).............534
port-migration-state-machine (tracing flag)................534
port-mode statement.........................................324, 528
port-receive-state-machine (tracing flag)
STP.....................................................................535
port-role-select-state-machine (tracing flag)
STP.....................................................................535
port-role-transit-state-machine (tracing flag)
STP.....................................................................535
port-state-transit-state-machine (tracing flag)
STP.....................................................................535
port-transmit-state-machine (tracing flag)
STP.....................................................................535
power over Ethernet See PoE
ppmd (tracing flag)
STP.....................................................................535
preprovisioned statement..........................................230
preprovisioning..........................................................184
priority statement
class of service..................................................1072
power over Ethernet.........................................1113
STP.....................................................................529
process ID, displaying................................................106
process information, system, monitoring...................106
process owner, displaying..........................................106
process start time, displaying.....................................107
process state, displaying............................................106
processes, software
chassis process.....................................................18
forwarding process...............................................18
interface process...................................................18
management process............................................18
routing protocol process.......................................18
profile statement........................................................841
properties, system, monitoring..................................105
protocol statement...................................................1072
protocols
originating, displaying.........................................610
OSPF, monitoring...............................................606
RIP, monitoring..................................................608
routing protocols, monitoring.............................603
Q
query-interval statement
IGMP snooping....................................................621
query-last-member-interval statement.......................621
query-response-interval statement.............................622
quiet-period statement...............................................842
R
RADIUS
secret .................................................................109
radius statement........................................................843
radius-options statement ...........................................123
ratio statement.........................................................1158
reauthentication statement........................................844
reboot immediately
with J-Web..........................................................107
rebooting
with J-Web .........................................................107
redundant-trunk-group statement..............................530
remote server, upgrading from....................................67
request session member command...........................239
request system configuration rescue delete
command...............................................................112
request virtual-chassis recycle command...................240
request virtual-chassis vc-port (dedicated port)
command...............................................................243
request virtual-chassis vc-port (uplink port)
command...............................................................241
request virtual-chassis renumber command..............245
Rescue configuration
setting.................................................................113
retries statement........................................................845
rewrite rules
adding and editing (Quick Configuration)..........1043
defining (Configuration)....................................1042
summary .........................................................1043
rewrite-rules statement............................................1073
RIP (Routing Information Protocol)
Configuration......................................................595
designating RIP interfaces...................................596
enabling .............................................................596
monitoring..........................................................608
statistics..............................................................609
RIP neighbors
displaying...........................................................609
status..................................................................609
RIP page
field summary....................................................596
RIP routing information.............................................608
rmon
history................................................................127
rmon statement.......................................................1167
robust-count statement..............................................622
role............................................................................231
role statement............................................................231
root password recovery..............................................119
Routing Engine
software component.............................................17
routing policies
export, displaying...............................................604
import, displaying...............................................604
routing protocol software process................................18
routing table
displaying...........................................................610
rpd process..................................................................18
rstp statement............................................................531
S
scheduler maps
adding and editing ...........................................1040
defining ...........................................................1038
summary .........................................................1040
scheduler-map statement.........................................1073
scheduler-maps statement.......................................1074
schedulers
adding and editing ...........................................1039
defining ...........................................................1038
mapping to forwarding classes ........................1038
scheduler maps See scheduler maps
summary .........................................................1039
schedulers statement...............................................1075
scheduling a reboot
with J-Web..........................................................107
secret
RADIUS ..............................................................109
secure access
JUNOScript SSL access..........................................93
Secure Access page
field summary......................................................94
secure-access-port statement.....................................846
serial number
routing platform..................................................105
serial-number statement............................................232
server-timeout statement...........................................847
sessions
BGP peer, status details.......................................604
BGP peer, status summary..................................604
shaping-rate statement.............................................1076
show arp inspection statistics command....................871
show bgp neighbor command....................................603
show bgp summary command...................................603
show class-of-service classifier command................1047
show class-of-service code-point-aliases
command.............................................................1053
show class-of-service command...............................1080
show class-of-service forwarding-class
command.............................................................1048
show command.........................................................555
show dhcp snooping binding command.....................872
show dot1x authentication-failed-users
command...............................................................876
show dot1x command...............................................873
show dot1x static-mac-address command.................877
show ethernet-switching interfaces command...........545
show ethernet-switching mac-learning-log
command...............................................................548
show ethernet-switching table command...................550
show firewall command.............................................983
show gvrp statistics command...................................557
show igmp-snooping membership command............630
show igmp-snooping route command........................632
Complete Software Guide for JUNOS for EX-series Software, Release 9.2
Spanning Tree
BPDU errors
clearing........................................................542
speed statement.........................................................325
SSL (Secure Sockets Layer)
enabling secure access (Quick Configuration).......93
SSL certificates
adding .................................................................95
state-machine-variables (tracing flag)
STP.....................................................................535
static routes
Configuration......................................................601
Static Routes page
field summary....................................................601
static routing
default gateway..................................................601
static statement.........................................................848
IGMP snooping....................................................617
static-ip statement......................................................849
statistics
BGP.....................................................................603
DHCP..................................................................606
OSPF...................................................................608
RIP......................................................................609
status
BGP.....................................................................604
OSPF interfaces..................................................607
OSPF neighbors..................................................607
RIP neighbors.....................................................609
stop-on-access-deny statement..................................849
stop-on-failure statement...........................................850
STP
bridge
displaying....................................................560
interface
displaying....................................................564
statistics
clearing........................................................544
displaying....................................................569
stp statement.............................................................533
stub areas
area ID ...............................................................595
area type ............................................................595
supplicant statement..................................................851
supplicant-timeout statement.....................................852
switching
configuring..................................................407, 409
switching platform
halting (J-Web)....................................................107
rebooting (J-Web)................................................107
system identification, displaying................................105
system log messages
event viewer.......................................................114
monitoring (Quick Configuration).......................114
system overview
software................................................................17
T
telemetries statement..............................................1114
term statement..........................................................978
then statement...................................................979, 980
time zone
defining ...............................................................95
timers (tracing flag)
STP.....................................................................535
topology-change-state-machine (tracing flag)
STP.....................................................................535
traceoptions statement..............................534, 853, 857
IGMP snooping....................................................623
LLDP...................................................................855
Virtual Chassis....................................................233
tracing flags
all........................................................................534
all-failures
STP..............................................................534
bpdu...................................................................534
bridge-detection-state-machine...........................534
events
STP..............................................................534
port-information-state-machine..........................534
port-migration-state-machine..............................534
port-receive-state-machine
STP..............................................................535
port-role-select-state-machine
STP..............................................................535
port-role-transit-state-machine
STP..............................................................535
port-state-transit-state-machine
STP..............................................................535
port-transmit-state-machine
STP..............................................................535
ppmd
STP..............................................................535
state-machine-variables
STP..............................................................535
timers
STP..............................................................535
topology-change-state-machine
STP..............................................................535
translate statement............................................326, 537
transmit-delay statement...........................................859
transmit-period statement..........................................859
transmit-rate statement............................................1077
troubleshooting
root password recovery......................................119
TTY, displaying..........................................................106
U
unit statement
class of service..................................................1078
interfaces............................................................327
upgrades
installing by uploading..........................................68
installing from remote server................................67
Upload package page
field summary......................................................68
uploading a configuration file.......................................77
username
displaying...........................................................106
specifying ..........................................................108
users
adding ...............................................................108
displaying...........................................................105
V
version
software, displaying............................................105
View
configuration text.................................................47
view and edit
uploading a file.....................................................77
View Events page
field summary (filtering log messages)................114
field summary (viewing log messages)................116
Virtual Chassis
active topology...................................................248
and link aggregation...........................................144
command forwarding.........................................213
components........................................................135
configuration, understanding..............................144
configuring..................................................197, 199
configuring across multiple wiring closets...........163
configuring master and backup...........................147
dedicated VCP....................................................243
electing the master.............................................140
expanding...........................................................152
global management............................................141
mastership..........................................................204
member id..........................................................240
member ID.........................................................250
members of........................................................228
monitoring..........................................................219
nonvolatile storage..............................................143
overview.............................................................133
preprovisioning...................................................184
renumber............................................................245
replacing a member switch.................................219
session................................................................239
setting uplink port as VCP...................................206
software upgrade................................................140
system uptime....................................................246
timer configuration.............................................210
troubleshooting...................................................223
uplink VCP..........................................................241
version compatibility..........................................146
Virtual Chassis ports...........................................250
VME configuration..............................................210
Virtual Chassis configuration
Virtual Chassis port.............................................252
Virtual Chassis ports
clear statistics.....................................................238
statistics..............................................................255
virtual-chassis statement............................................235
vlan statement...................................................860, 861
IGMP snooping....................................................625
interfaces....................................................328, 538
MSTI...................................................................538
port mirroring...................................................1158
vlan-assignment statement........................................861
vlan-id statement.......................................................539
vlan-range statement.................................................539
VLANs
configuring..........................................407, 409, 540
configuring VLAN range......................................539
vlans statement..........................................................540
voip statement...........................................................862
W
Web access, secure See secure access
what statement..........................................................863
Y
yellow alarms See minor alarms