
Complete Software Guide for JUNOS Software for EX-series

Switches, Release 9.2

Juniper Networks, Inc.


1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000

www.juniper.net
Part Number: , Revision R1

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue
Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public
domain.
This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software
included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988,
1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by
Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol.
Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the
University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.
Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and
other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks
are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed
to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347,
6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
JUNOS for EX-series Software Complete Software Guide for JUNOS for EX-series Software, Release 9.2
Copyright 2008, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Writing: Appumon Joseph, Aviva Garrett, Bhargava Y.P, Brian Deutscher, Hareesh Kumar K N, Janet Bein, Keldyn West, Regina Roman, Tim Harrington,
Vinita Kurup
Editing: Cindy Martin
Illustration: Faith Bradford Brown
Cover Design: Christine Nay
Revision History
12 August 2008    Revision R1
The information in this document is current as of the date listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS software has no known time-related limitations through the year
2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the
extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you
indicate that you understand and agree to be bound by those terms and conditions.
Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain
uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details.
For complete product documentation, please see the Juniper Networks Web site at www.juniper.net/techpubs.


End User License Agreement


READ THIS END USER LICENSE AGREEMENT (AGREEMENT) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING,
INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER
OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS
AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE,
AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are Juniper Networks, Inc. and its subsidiaries (collectively "Juniper"), and the person or organization that
originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software ("Customer") (collectively, the "Parties").
2. The Software. In this Agreement, "Software" means the program modules and features of the Juniper or Juniper-supplied software, and updates and
releases of such software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller. "Embedded
Software" means Software which Juniper has embedded in the Juniper equipment.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive
and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use the Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from
Juniper or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer
has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use
such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the
Steel-Belted Radius software on multiple computers requires multiple licenses, regardless of whether such computers are physically contained on a single
chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to
Customer's use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls,
connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features,
functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing,
temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software
to be used only in conjunction with other specific Software. Customer's use of the Software shall be subject to all such limitations and purchase of all applicable
licenses.
d. For any trial copy of the Software, Customer's right to use the Software expires 30 days after download, installation or use of the Software. Customer
may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial
period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer's enterprise network.
Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any
commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable
license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall
not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as
necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove
any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of
the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any locked or key-restricted
feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even
if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper
to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper
reseller; (i) use the Embedded Software on non-Juniper equipment; (j) use the Software (or make it available for use) on Juniper equipment that the Customer
did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third
party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish
such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer
shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes
restricting access to the Software to Customer employees and contractors having a need to use the Software for Customers internal business purposes.


7. Ownership. Juniper and Juniper's licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software,
associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in
the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that
accompanies the Software (the "Warranty Statement"). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services
may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED
BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,
OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR
JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY
JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW,
JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING
ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER
WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION,
OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper's or its suppliers' or licensors' liability to Customer, whether
in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or
if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper
has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same
reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss),
and that the same form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license
granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer's
possession or control.
10. Taxes. All license fees for the Software are exclusive of taxes, withholdings, duties, or levies (collectively "Taxes"). Customer shall be responsible for
paying Taxes arising from the purchase of the license, or importation or use of the Software.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign
agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or
without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption
or other capabilities restricting Customer's ability to export the Software without an export license.
12. Commercial Computer Software. The Software is commercial computer software and is provided with restricted rights. Use, duplication, or disclosure
by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212,
FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface
information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any.
Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable
terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology
are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor
shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the
Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and
subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License
(GPL) or the GNU Library General Public License (LGPL)), Juniper will make such source code portions (including Juniper modifications, as appropriate)
available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194
N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of
the LGPL at http://www.gnu.org/licenses/lgpl.html.
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions
of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties
hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement
constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous
agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a
separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict
with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in
writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the
remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English
version will govern. (For Canada: Les parties aux présentes confirment leur volonté que cette convention de même que tous les documents y compris tout
avis qui s'y rattache, soient rédigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be
in the English language)).


Table of Contents
About This Topic Collection ......................................................................xxxix

How To Use This Guide .............................................................................xxxix


List of EX-series Guides for JUNOS 9.2 ......................................................xxxix
Downloading Software ...................................................................................xl
Documentation Symbols Key ........................................................................xli
Documentation Feedback .............................................................................xlii
Getting Support .............................................................................................xlii

Part 1    JUNOS for EX-series Product Overview

Chapter 1    Product Overview

Software Overview ..........................................................................................3


EX-series Switch Software Features Overview ...........................................3
Layer 3 Protocols Supported on EX-series Switches ..................................7
Layer 3 Protocols Not Supported on EX-series Switches ............................8
Security Features for EX-series Switches Overview .................................11
High Availability Features for EX-series Switches Overview ....................13
VRRP ................................................................................................13
Graceful Protocol Restart ..................................................................15
EX 4200 Redundant Routing Engines ...............................................15
EX 4200 Graceful Routing Engine Switchover ..................................16
Link Aggregation ..............................................................................16
Additional High Availability Features of EX-series Switches ..............16
Understanding Software Infrastructure and Processes ............................17
Routing Engine and Packet Forwarding Engine ................................17
JUNOS Software Processes ...............................................................18
Supported Hardware .....................................................................................19
EX-series Switch Hardware Overview .....................................................19
EX-series Switch Types .....................................................................19
EX 3200 Switches .............................................................................20
EX 4200 Switches .............................................................................20
Uplink Modules ................................................................................21
Power over Ethernet (PoE) Ports ......................................................21
EX 3200 Switch Models ..........................................................................21
EX 4200 Switch Models ..........................................................................22


Part 2    Complete Software Configuration Statement

Chapter 2    Complete Software Configuration Statement Hierarchy .....................25

[edit access] Configuration Statement Hierarchy ...........................................25


[edit chassis] Configuration Statement Hierarchy ..........................................26
[edit class-of-service] Configuration Statement Hierarchy ..............................26
[edit ethernet-switching-options] Configuration Statement Hierarchy ............27
[edit firewall] Configuration Statement Hierarchy .........................................29
[edit interfaces] Configuration Statement Hierarchy ......................................29
[edit poe] Configuration Statement Hierarchy ...............................................30
[edit protocols] Configuration Statement Hierarchy .......................................31
[edit snmp] Configuration Statement Hierarchy ............................................34
[edit virtual-chassis] Configuration Statement Hierarchy ...............................35
[edit vlans] Configuration Statement Hierarchy .............................................35

Part 3    Software User Interfaces

Chapter 3    JUNOS Command-Line Interface ...................................................39

JUNOS CLI .....................................................................................................39


CLI User Interface Overview ...................................................................39
CLI Overview ....................................................................................39
CLI Help and Command Completion ................................................39
CLI Command Modes .......................................................................40
Chapter 4    J-Web Graphical User Interface ...................................................43

J-Web Interface .............................................................................................43


J-Web User Interface for EX-series Switches Overview ............................43
J-Web User Interface for EX-series Switches Overview ............................45
Using the CLI Viewer in the J-Web Interface to View Configuration Text ..............47
Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration Text ....48
Using the CLI Editor in the J-Web Interface to Edit Configuration Text ................49
Using the CLI Terminal ...........................................................................50
Understanding J-Web Configuration Tools ..............................................51
Starting the J-Web Interface ....................................................................52
Understanding J-Web User Interface Sessions .........................................53


Part 4    Initial Configuration, Software Installation, and Upgrades

Chapter 5    Initial Configuration ..................................................................57

Connecting and Configuring the EX-series Switch (CLI Procedure) ................57


Connecting and Configuring the EX-series Switch (J-Web Procedure) ............58
Chapter 6    Software Installation ..................................................................63

Software Installation ......................................................................................63


Understanding Software Installation on EX-series Switches ....................63
Overview of the Software Installation Process ..................................63
Installing Software on a Virtual Chassis ............................................64
Software Package Security ................................................................64
Troubleshooting Software Installation ..............................................64
JUNOS Software Package Names ............................................................65
Downloading Software Packages from Juniper Networks ........................65
Installing Software on EX-series Switches (CLI Procedure) ......................66
Installing Software on EX-series Switches (J-Web Procedure) ..................67
Installing Software Upgrades from a Server ......................................67
Installing Software Upgrades by Uploading Files ..............................68
Troubleshooting Software Installation .....................................................68
Recovering from a Failed Software Upgrade on an EX-series Switch ...................68
Rebooting from the Non-Active Partition ..........................................69
Chapter 7    Configuration File Management ....................................................71

Understanding Configuration Files for EX-series Switches .............................71


Configuration Files Terms .............................................................................72
Managing Configuration Files Through the Configuration History (J-Web Procedure) ....72
Displaying Configuration History ............................................................72
Displaying Users Editing the Configuration .............................................73
Comparing Configuration Files with the J-Web Interface .........................74
Downloading a Configuration File with the J-Web Interface ....................74
Loading a Previous Configuration File with the J-Web Interface ..............75
Uploading a Configuration File (CLI Procedure) .............................................75
Uploading a Configuration File (J-Web Procedure) .........................................77
Loading a Previous Configuration File (CLI Procedure) ..................................77
EX 3200 and EX 4200 Default Configuration ................................................78


Chapter 8    Licenses ..................................................................................83

Software Licenses for the EX-series Switch Overview ....................................83


License Key Components for the EX-series Switch ........................................84
Managing Licenses for the EX-series Switch (CLI Procedure) .........................85
Adding New Licenses ..............................................................................85
Deleting Licenses ....................................................................................85
Saving License Keys ................................................................................85
Managing Licenses for the EX-series Switch (J-Web Procedure) .....................85
Adding New Licenses ..............................................................................86
Deleting Licenses ....................................................................................86
Displaying License Keys ..........................................................................86
Downloading Licenses ............................................................................87
Monitoring Licenses for the EX-series Switch ................................................87
Displaying Installed Licenses and License Usage Details .........................87
Displaying License Usage ........................................................................88
Displaying Installed License Keys ...........................................................88

Part 5    System Basics

Chapter 9    Understanding Basic System Concepts ...........................................91

Understanding Alarm Types and Severity Levels on EX-series Switches ........91


Chapter 10    Configuring Basic System Functions .............................................93

Configuring Management Access for the EX-series Switch (J-Web Procedure) ............93
Configuring Date and Time for the EX-series Switch (J-Web Procedure) ........95
Generating SSL Certificates to Be Used for Secure Web Access .....................96
Managing MS-CHAPv2 for password-change support ....................................97
Configuring MS-CHAPv2 for password-change support ...........................97
Example: Configuring MS-CHAPv2 on the Switch ...................................97
Chapter 11    Administering and Monitoring Basic System Functions ......................99

Monitoring Hosts Using the J-Web Ping Host Tool .........................................99


Monitoring Switch Control Traffic ................................................................101
Monitoring Network Traffic Using Traceroute ..............................................103
Monitoring System Properties .....................................................................105


Monitoring System Process Information ......................................................106


Rebooting or Halting the EX-series Switch (J-Web Procedure) .....................107
Managing Users (J-Web Procedure) ..............................................................108
Managing Log, Temporary, and Crash Files on the Switch (J-Web Procedure) ...........110
Cleaning Up Files ..................................................................................110
Downloading Files ................................................................................111
Deleting Files ........................................................................................111
Setting or Deleting the Rescue Configuration (CLI Procedure) .....................112
Setting or Deleting the Rescue Configuration (J-Web Procedure) .................113
Checking Active Alarms with the J-Web Interface ........................................113
Monitoring System Log Messages ................................................................114
Chapter 12    Troubleshooting Basic System Functions ......................................119

Troubleshooting Loss of the Root Password ................................................119


Chapter 13    Configuration Statements for Basic System Functions ....................123

radius-options .............................................................................................123
Chapter 14    Operational Mode Commands for Basic System Functions ................125

clear snmp rmon history ...........................................................................1160


show snmp rmon history ..........................................................................1160

Part 6    Virtual Chassis

Chapter 15    Understanding Virtual Chassis ................................................133

Virtual Chassis Concepts .............................................................................133
Virtual Chassis Overview ......................................................................133
Basic Configuration of a Virtual Chassis with Master and Backup Switches ..........134
Expanding Configurations Within a Single Wiring Closet and Across Wiring Closets ..........134
Global Management of Member Switches in a Virtual Chassis ........134
High Availability Through Redundant Routing Engines ...................135
Adaptability as an Access Switch or Distribution Switch .................135
Understanding Virtual Chassis Components ..........................................135
Virtual Chassis Ports (VCPs) ............................................................136
Master Role ....................................................................................136
Backup Role ...................................................................................137
Linecard Role .................................................................................137
Member Switch and Member ID .....................................................138

Mastership Priority .........................................................................138
Virtual Chassis Identifier (VCID) ......................................................139
Understanding How the Master in a Virtual Chassis Configuration Is Elected ..........140
Understanding Software Upgrade in a Virtual Chassis Configuration .....140
Understanding Global Management of a Virtual Chassis Configuration ..........141
Understanding Nonvolatile Storage in a Virtual Chassis Configuration ..........143
Nonvolatile Memory Features .........................................................143
Understanding the High-Speed Interconnection of the Virtual Chassis Members ..........143
Understanding Virtual Chassis Configurations and Link Aggregation .....144
Understanding Virtual Chassis Configuration ........................................144
Understanding Virtual Chassis EX 4200 Switch Version Compatibility ..........146
Chapter 16    Examples of Configuring Virtual Chassis ..................................147

Virtual Chassis Configuration Examples ......................................................147
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet ..........147
Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet ..........152
Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration ..........158
Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets ..........163
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch ..........172
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch ..........178
Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File ..........184

Chapter 17    Configuring Virtual Chassis .....................................................197

Virtual Chassis Configuration Tasks .............................................................197
Configuring a Virtual Chassis (J-Web Procedure) ...................................197
Configuring a Virtual Chassis (CLI Procedure) .......................................199
Configuring a Virtual Chassis with a Preprovisioned Configuration File ..........199
Configuring a Virtual Chassis with a Nonprovisioned Configuration File ..........200
Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure) ..........202
Adding a New Switch to an Existing Virtual Chassis Configuration Within the Same Wiring Closet ..........202
Adding a New Switch from a Different Wiring Closet to an Existing Virtual Chassis Configuration ..........203
Configuring Mastership of the Virtual Chassis (CLI Procedure) ..............204
Configuring Mastership Using a Preprovisioned Configuration File ..........205
Configuring Mastership Using a Configuration File That Is Not Preprovisioned ..........206
Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) ............206
Setting an Uplink VCP on the Master or on an Existing Member ....208
Setting an Uplink VCP on a Standalone Switch ...............................208
Configuring the Virtual Management Ethernet Interface for Global Management of a Virtual Chassis (CLI Procedure) ..........210
Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as Master of Virtual Chassis (CLI Procedure) ..........210

Chapter 18    Verifying Virtual Chassis .........................................................213

Virtual Chassis Verification Tasks ................................................................213
Command Forwarding Usage with a Virtual Chassis Configuration .......213
Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member ..........216
Verifying That the Virtual Chassis Ports Are Operational .......................217
Monitoring Virtual Chassis Configuration Status and Statistics ..............219
Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) ..........219
Remove, Repair, and Reinstall the Same Switch .............................220
Remove a Member Switch, Replace with a Different Switch, and Reapply the Old Configuration ..........220
Remove a Member Switch and Make Its Member ID Available for Reassignment to a Different Switch ..........221

Chapter 19    Troubleshooting Virtual Chassis ..............................................223

Troubleshooting a Virtual Chassis Configuration ..........................................223
Clear Virtual Chassis NotPrsnt Status and Make Member ID Available for Reassignment ..........223
Load Factory Default Does Not Commit on a Multimember Virtual Chassis ..........223
Member ID Persists When a Member Switch Is Disconnected From a Virtual Chassis ..........223

Chapter 20    Configuration Statements for Virtual Chassis ...........................225

Virtual Chassis Configuration Statement Hierarchy .....................................225
[edit virtual-chassis] Configuration Statement Hierarchy .......................225
Individual Virtual Chassis Configuration Statements ....................................226
mac-persistence-timer ........................................................................1167
mastership-priority .............................................................................1167
member ..............................................................................................1167
no-management-vlan ..........................................................................1167
preprovisioned ....................................................................................1167
role .....................................................................................................1167
serial-number .....................................................................................1167
traceoptions ........................................................................................1167
virtual-chassis .....................................................................................1167

Chapter 21    Operational Mode Commands for Virtual Chassis .....................237

Virtual Chassis Commands ..........................................................................237
clear virtual-chassis vc-port statistics .....................................................238
request session member .......................................................................239
request virtual-chassis recycle .............................................................1160
request virtual-chassis vc-port .............................................................1160
request virtual-chassis vc-port .............................................................1160
request virtual-chassis renumber ..........................................................245
show system uptime .............................................................................246
show virtual-chassis active topology .....................................................248
show virtual-chassis status ....................................................................250
show virtual-chassis vc-port ..................................................................252
show virtual-chassis vc-port statistics ....................................................255

Part 7    Interfaces

Chapter 22    Understanding Interfaces ........................................................259

EX-series Switches Interfaces Overview ......................................................259
Network Interfaces ...............................................................................259
Special Interfaces ..................................................................................260
Understanding Interface Naming Conventions on EX-series Switches .........261
Physical Part of an Interface Name .......................................................261
Logical Part of an Interface Name .........................................................262
Wildcard Characters in Interface Names ...............................................263
Understanding Aggregated Ethernet Interfaces and LACP ...........................263
Link Aggregation Group (LAG) ...............................................................263
Link Aggregation Control Protocol (LACP) .............................................264
Understanding Layer 3 Subinterfaces ..........................................................265

Chapter 23    Examples of Configuring Interfaces ..........................................267

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch ..........267
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch ..........273
Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch ..........279

Chapter 24    Configuring Interfaces ............................................................289

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) ..........................289
Configuring Gigabit Ethernet Interfaces (CLI Procedure) ..............................293
Configuring VLAN Options and Port Mode ............................................293
Configuring the Link Settings ................................................................293
Configuring the IP Options ....................................................................294
Configuring Aggregated Ethernet Interfaces (CLI Procedure) .......................295
Configuring Link Aggregation (J-Web Procedure) .........................................296
Configuring Aggregated Ethernet LACP (CLI Procedure) ..............................297

Chapter 25    Verifying Interfaces ................................................................299

Monitoring Interface Status and Traffic .......................................................299
Verifying the Status of a LAG Interface ........................................................300
Verifying That LACP Is Configured Correctly and Bundle Members Are Exchanging LACP Protocol Packets ..........300
Verifying the LACP Setup ......................................................................300
Verifying That the LACP Packets Are Being Exchanged .........................301
Verifying That Layer 3 Subinterfaces Are Working ......................................302

Chapter 26    Troubleshooting Interfaces ......................................................303

Troubleshooting an Aggregated Ethernet Interface ......................................303
Troubleshooting Disabled or Down Interfaces .............................................303
Disabled port on EX 3200 switch with a 4-port Gigabit Ethernet uplink module (EX-UM-4SFP) installed ..........304
Port Role Configuration with the J-Web Interface: CLI Reference ..................304
Troubleshooting Interface Configuration and Cable Faults ...........................309
Interface Configuration or Connectivity Is Not Working ........................309

Chapter 27    Configuration Statements for Interfaces ...................................311

Interface Configuration Statement Hierarchy ..............................................311
[edit interfaces] Configuration Statement Hierarchy .............................311
Individual Interface Configuration Statements .............................................312
802.3ad ..............................................................................................1167
auto-negotiation ..................................................................................1167
description ..........................................................................................1167
ether-options ......................................................................................1167
family .................................................................................................1167
filter ....................................................................................................1167
flow-control ........................................................................................1167
l3-interface ..........................................................................................1167
lacp .....................................................................................................1167
link-mode ...........................................................................................1167
members ............................................................................................1167
mtu .......................................................................................................322
native-vlan-id ......................................................................................1167
periodic ..............................................................................................1167
port-mode ...........................................................................................1167
speed ..................................................................................................1167
translate ..............................................................................................1167
unit .....................................................................................................1167
vlan .....................................................................................................1167
vlan-id ...................................................................................................329
vlan-tagging ..........................................................................................330

Chapter 28    Operational Mode Commands for Interfaces ............................331

show interfaces ...........................................................................................332
show interfaces ...........................................................................................342
show interfaces diagnostics optics ...............................................................353

Part 8    Layer 2 Bridging, VLANs, and Spanning Trees

Chapter 29    Understanding Layer 2 Bridging, VLANs, and GVRP ..................359

Understanding Bridging and VLANs on EX-series Switches ..........................359
Ethernet LANs, Transparent Bridging, and VLANs .................................359
How Bridging Works .............................................................................360
Types of Switch Ports ...........................................................................361
IEEE 802.1Q Encapsulation and Tags ...................................................362
Assignment of Traffic to VLANs ............................................................362
Ethernet switching tables ......................................................................363
Layer 2 and Layer 3 Forwarding of VLAN Traffic ..................................363
GVRP ....................................................................................................363
Routed VLAN Interface .........................................................................364
Understanding Redundant Trunk Links on EX-series Switches ....................365
Understanding Storm Control on EX-series Switches ...................................367

Chapter 30    Examples of Configuring Layer 2 Bridging, VLANs, and GVRP .....369

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch ....369
Example: Setting Up Bridging with Multiple VLANs for EX-series Switches ..........376
Example: Connecting an Access Switch to a Distribution Switch .................384
Example: Configure Automatic VLAN Administration Using GVRP ..............393
Example: Configuring Redundant Trunk Links for Faster Recovery .............400
Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches ..........404

Chapter 31    Configuring Layer 2 Bridging, VLANs, and GVRP ......................407

Configuring VLANs for EX-series Switches (J-Web Procedure) ......................407
Configuring VLANs for EX-series Switches (CLI Procedure) ..........................409
Configuring Routed VLAN Interfaces (CLI Procedure) ..................................410
Creating a Series of Tagged VLANs (CLI Procedure) .....................................412
Configuring MAC Table Aging (CLI Procedure) .............................................414
Configuring the Native VLAN Identifier (CLI Procedure) ...............................414
Unblocking an Interface That Receives BPDUs in Error (CLI Procedure) ......415

Chapter 32    Verifying Layer 2 Bridging, VLANs, and GVRP ..........................417

Verifying That a Series of Tagged VLANs Has Been Created ........................417

Chapter 33    Understanding Spanning Trees ................................................419

Understanding STP for EX-series Switches ..................................................420
Understanding RSTP for EX-series Switches ................................................421
Understanding MSTP for EX-series Switches ...............................................422

Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches ..........422
Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches ..........423
Understanding Root Protection for STP, RSTP, and MSTP on EX-series Switches ..........424

Chapter 34    Examples of Configuring Spanning Trees ...................................427

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches ..........427
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches ..........441
Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches ..........463
Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches ..........467
Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches ..........472
Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches ..........476

Chapter 35    Configuration Statements for Bridging, VLANs, and Spanning Trees ..........483

[edit vlans] Configuration Statement Hierarchy ...........................................483
[edit interfaces] Configuration Statement Hierarchy ....................................483
[edit protocols] Configuration Statement Hierarchy .....................................484
alarm ...........................................................................................................488
block ...........................................................................................................489
bpdu-block ..................................................................................................490
bpdu-block-on-edge .....................................................................................491
bpdu-timeout-action ....................................................................................492
bridge-priority .............................................................................................493
configuration-name .....................................................................................494
cost .............................................................................................................495
description ..................................................................................................496
disable .........................................................................................................496
disable .........................................................................................................518
disable-timeout ............................................................................................498
edge ............................................................................................................499
ethernet-switching-options ........................................................................1151
filter ..........................................................................................................1167
forward-delay ..............................................................................................503
group-name .................................................................................................504
gvrp .............................................................................................................505
hello-time ....................................................................................................506
interface ......................................................................................................507
interface ......................................................................................................508

interface ......................................................................................................509
interface ......................................................................................................510
interface ......................................................................................................511
join-timer ....................................................................................................512
l3-interface ................................................................................................1167
leaveall-timer ...............................................................................................513
leave-timer ..................................................................................................514
level ............................................................................................................515
mac-limit .....................................................................................................516
mac-table-aging-time .................................................................................1167
max-age ......................................................................................................518
max-hops ....................................................................................................519
members ...................................................................................................1167
mode ...........................................................................................................521
msti .............................................................................................................522
mstp ............................................................................................................523
native-vlan-id .............................................................................................1167
no-broadcast ...............................................................................................525
no-root-port .................................................................................................526
no-unknown-unicast ....................................................................................527
port-mode .................................................................................................1167
priority ........................................................................................................529
redundant-trunk-group ................................................................................530
rstp ..............................................................................................................531
storm-control ..............................................................................................532
stp ...............................................................................................................533
traceoptions ................................................................................................534
translate ....................................................................................................1167
vlan ...........................................................................................................1167
vlan ...........................................................................................................1167
vlan-id .......................................................................................................1167
vlan-range ...................................................................................................539
vlans ...........................................................................................................540

Chapter 36    Operational Mode Commands for Bridging, VLANs, and Spanning Trees ..........541

clear ethernet-switching bpdu-error .............................................................542
clear gvrp statistics ......................................................................................543
clear spanning-tree statistics .......................................................................544
show ethernet-switching interfaces .............................................................545
show ethernet-switching mac-learning-log ...................................................548
show ethernet-switching table .....................................................................550
show gvrp ...................................................................................................555
show gvrp statistics .....................................................................................557
show redundant-trunk-group .......................................................................559
show spanning-tree bridge ..........................................................................560
show spanning-tree interface ......................................................................564
show spanning-tree mstp configuration .......................................................568

show spanning-tree statistics .......................................................................569
show vlans ..................................................................................................570

Part 9    Layer 3 Protocols

Chapter 37    Understanding Layer 3 Protocols .............................................579

DHCP Services for EX-series Switches Overview .........................................579
DHCP/BOOTP Relay for EX-series Switches Overview .................................580
IGMP Snooping on EX-series Switches Overview .........................................581
How IGMP Snooping Works ..................................................................581
How IGMP Snooping Works with Routed VLAN Interfaces ....................582
How Hosts Join and Leave Multicast Groups .........................................584

Chapter 38    Examples of Configuring Layer 3 Protocols ...............................585

Example: Configuring IGMP Snooping on EX-series Switches ......................585

Chapter 39    Configuring Layer 3 Protocols ..................................................589

Configuring BGP Sessions (J-Web Procedure) ...............................................589
Configuring DHCP Services (J-Web Procedure) ............................................590
Configuring IGMP Snooping (CLI Procedure) ...............................................593
Configuring an OSPF Network (J-Web Procedure) ........................................594
Configuring a RIP Network (J-Web Procedure) .............................................595
Configuring SNMP (J-Web Procedure) ..........................................................596
Configuring Static Routing (CLI Procedure) ..................................................600
Configuring Static Routing (J-Web Procedure) ..............................................601
Chapter 40  Verifying Layer 3 Protocols .........................................................603
Monitoring BGP Routing Information ..........................................................603
Monitoring DHCP Services ..........................................................................605
Monitoring OSPF Routing Information ........................................................606
Monitoring RIP Routing Information ...........................................................608
Monitoring Routing Information ..................................................................610
Chapter 41  Configuration Statements for Layer 3 Protocols ...........................613
[edit protocols] Configuration Statement Hierarchy .....................................613
disable .........................................................................................................617
group .........................................................................................................1167
igmp-snooping ..........................................................................................1167
immediate-leave ........................................................................................1167
interface ....................................................................................................1167

xviii

Table of Contents

Table of Contents

multicast-router-interface ..........................................................................1167
query-interval ............................................................................................1167
query-last-member-interval .......................................................................1167
query-response-interval .............................................................................1167
robust-count ..............................................................................................1167
traceoptions ..............................................................................................1167
vlan ...........................................................................................................1167
Chapter 42  Operational Mode Commands for Layer 3 Protocols .....................627
clear igmp-snooping membership .............................................................1160
clear igmp-snooping statistics ....................................................................1160
show igmp-snooping membership ..............................................................630
show igmp-snooping route ..........................................................................632
show igmp-snooping statistics .....................................................................634
show igmp-snooping vlans ..........................................................................635

Part 10  802.1X, Port Security, and VoIP

Chapter 43  Understanding 802.1X, Port Security, and VoIP ............................639
802.1X for EX-series Switches Overview .....................................................639
Understanding 802.1X Authentication on EX-series Switches ......................641
Understanding Dynamic VLANs for 802.1X on EX-series Switches ..............645
Understanding Guest VLANs for 802.1X on EX-series Switches ...................646
Understanding 802.1X and AAA Accounting on EX-series Switches ............647
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches .....648
Understanding 802.1X Static MAC on EX-series Switches ...........................650
Understanding 802.1X and VoIP on EX-series Switches ..............................652
Understanding 802.1X and VSAs on EX-series Switches ..............................654
Port Security for EX-series Switches Overview ............................................654
Understanding How to Protect Access Ports on EX-series Switches from
Common Attacks ..................................................................................656
Mitigation of Ethernet Switching Table Overflow Attacks ......................656
Mitigation of Rogue DHCP Server Attacks .............................................656
Protection Against ARP Spoofing Attacks ..............................................656
Protection Against DHCP Snooping Database Alteration Attacks ...........657
Protection Against DHCP Starvation Attacks .........................................657
Understanding DHCP Snooping for Port Security on EX-series Switches .....658
DHCP Snooping Basics ..........................................................................658
DHCP Snooping Process .......................................................................659
DHCP Server Access .............................................................................660
DHCP Snooping Table ...........................................................................660
Static IP Address Additions to the DHCP Snooping Database ................661
Understanding DAI for Port Security on EX-series Switches ........................662
Address Resolution Protocol .................................................................662
ARP Spoofing ........................................................................................662
DAI on EX-series Switches ....................................................................663

Table of Contents

xix

Complete Software Guide for JUNOS for EX-series Software, Release 9.2

Understanding MAC Limiting and MAC Move Limiting for Port Security on
EX-series Switches ................................................................................664
MAC Limiting ........................................................................................664
MAC Move Limiting ..............................................................................664
Actions for MAC Limiting and MAC Move Limiting ...............................665
MAC Addresses That Exceed the MAC Limit or MAC Move Limit ..........665
Understanding Trusted DHCP Servers for Port Security on EX-series
Switches ...............................................................................................666
Understanding IP Source Guard for Port Security on EX-series Switches .....666
IP Address Spoofing ..............................................................................666
How IP Source Guard Works .................................................................666
The IP Source Guard Database ..............................................................667
Typical Uses of Other JUNOS Software Features with IP Source
Guard .............................................................................................667
Chapter 44  Examples of Configuring 802.1X, Port Security, and VoIP .............669
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch ....670
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access
to Corporate Visitors on an EX-series Switch .........................................675
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series
Switch ...................................................................................................680
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant
Configurations on an EX-series Switch ..................................................685
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series
Switch ...................................................................................................691
Example: Configuring VoIP on an EX-series Switch Without Including 802.1X
Authentication ......................................................................................698
Example: Configuring VoIP on an EX-series Switch Without Including
LLDP-MED Support ...............................................................................704
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch ..................................708
Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC
Addresses, to Protect the Switch from Ethernet Switching Table Overflow
Attacks ..................................................................................................714
Example: Configuring a DHCP Server Interface as Untrusted to Protect the
Switch from Rogue DHCP Server Attacks ..............................................718
Example: Configuring MAC Limiting to Protect the Switch from DHCP
Starvation Attacks .................................................................................721
Example: Configuring DHCP Snooping and DAI to Protect the Switch from
ARP Spoofing Attacks ...........................................................................725
Example: Configuring Allowed MAC Addresses to Protect the Switch from
DHCP Snooping Database Alteration Attacks ........................................729
Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an
EX-series Switch with Access to a DHCP Server Through a Second
Switch ...................................................................................................732

xx

Table of Contents

Table of Contents

Example: Configuring IP Source Guard on a Data VLAN That Shares an
Interface with a Voice VLAN .................................................................740
Example: Configuring IP Source Guard with Other EX-series Switch Features
to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces ....746
Chapter 45  Configuring 802.1X, Port Security, and VoIP ................................755
Configuring 802.1X Authentication (CLI Procedure) ....................................756
Configuring the RADIUS Server .............................................................756
Configuring Static MAC Bypass .............................................................757
Configuring 802.1X Interface Settings ...................................................757
Configuring 802.1X Authentication (J-Web Procedure) ................................758
Configuring 802.1X RADIUS Accounting (CLI Procedure) ............................761
Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI
Procedure) ............................................................................................762
Load the Juniper Dictionary ..................................................................763
Configuring LLDP (CLI Procedure) ...............................................................764
Configuring LLDP (J-Web Procedure) ...........................................................765
Configuring LLDP-MED (CLI Procedure) .......................................................766
Configuring Port Security (CLI Procedure) ...................................................768
Configuring Port Security (J-Web Procedure) ...............................................769
Enabling DHCP Snooping (CLI Procedure) ...................................................771
Enabling DHCP Snooping (J-Web Procedure) ...............................................772
Enabling a Trusted DHCP Server (CLI Procedure) ........................................773
Enabling a Trusted DHCP Server (J-Web Procedure) ....................................773
Enabling Dynamic ARP Inspection (CLI Procedure) .....................................774
Enabling Dynamic ARP Inspection (J-Web Procedure) .................................775
Configuring MAC Limiting (CLI Procedure) ..................................................776
Configuring MAC Limiting (J-Web Procedure) ..............................................777
Configuring MAC Move Limiting (CLI Procedure) .........................................779
Configuring MAC Move Limiting (J-Web Procedure) .....................................779
Setting the none Action on an Interface to Override a MAC Limit Applied to
All Interfaces (CLI Procedure) ................................................................780
Configuring IP Source Guard (CLI Procedure) ..............................................781
Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI
Procedure) ............................................................................................783
Chapter 46  Verifying 802.1X, Port Security, and VoIP ....................................785
Monitoring 802.1X Authentication ..............................................................785
Monitoring Port Security .............................................................................786
Verifying That DHCP Snooping Is Working Correctly ...................................787
Verifying That a Trusted DHCP Server Is Working Correctly ........................788
Verifying That DAI Is Working Correctly ......................................................789
Verifying That MAC Limiting Is Working Correctly ......................................790
Verifying That MAC Limiting for Dynamic MAC Addresses Is Working
Correctly ........................................................................................790
Verifying That Allowed MAC Addresses Are Working Correctly .............790

Table of Contents

xxi

Complete Software Guide for JUNOS for EX-series Software, Release 9.2

Verifying Results of Various Action Settings When the MAC Limit Is
Exceeded ........................................................................................791
Customizing the Ethernet Switching Table Display to View Information
for a Specific Interface ....................................................................793
Verifying That MAC Move Limiting Is Working Correctly .............................793
Verifying That IP Source Guard Is Working Correctly ...................................794
Chapter 47  Configuration Statements for 802.1X, Port Security, and VoIP ......795
[edit access] Configuration Statement Hierarchy .........................................795
[edit protocols] Configuration Statement Hierarchy .....................................795
[edit ethernet-switching-options] Configuration Statement Hierarchy ..........799
access ..........................................................................................................801
accounting ...................................................................................................840
accounting-server ........................................................................................803
advertisement-interval ................................................................................804
allowed-mac ..............................................................................................1167
arp-inspection ...........................................................................................1167
authentication-order ....................................................................................807
authenticator .............................................................................................1167
authentication-profile-name ........................................................................809
authentication-server ...................................................................................810
ca-type ........................................................................................................811
ca-value .......................................................................................................812
civic-based ..................................................................................................819
country-code ...............................................................................................814
dhcp-trusted ..............................................................................................1167
disable .......................................................................................................1167
disable .......................................................................................................1167
disable .......................................................................................................1167
dot1x ...........................................................................................................818
elin ..............................................................................................................819
ethernet-switching-options ........................................................................1151
examine-dhcp ...........................................................................................1167
fast-start ......................................................................................................823
forwarding-class ..........................................................................................824
guest-vlan ....................................................................................................825
hold-multiplier .............................................................................................826
interface ....................................................................................................1167
interface ......................................................................................................828
interface ......................................................................................................829
interface ......................................................................................................830
interface ......................................................................................................831
ip-source-guard ..........................................................................................1167
lldp ..............................................................................................................833
lldp-med ......................................................................................................834
location .....................................................................................................1167
mac ...........................................................................................................1167
mac-limit ...................................................................................................1167
mac-move-limit .........................................................................................1167

xxii

Table of Contents

Table of Contents

maximum-requests .....................................................................................839
no-reauthentication .....................................................................................839
order ...........................................................................................................840
profile ..........................................................................................................841
quiet-period .................................................................................................842
radius ..........................................................................................................843
reauthentication ..........................................................................................844
retries ..........................................................................................................845
secure-access-port .....................................................................................1167
server-timeout .............................................................................................847
static ...........................................................................................................848
static-ip .....................................................................................................1167
stop-on-access-deny ....................................................................................849
stop-on-failure .............................................................................................850
supplicant ....................................................................................................851
supplicant-timeout .......................................................................................852
traceoptions ..............................................................................................1167
traceoptions ..............................................................................................1167
traceoptions ..............................................................................................1167
transmit-delay ...........................................................................................1167
transmit-period ...........................................................................................859
vlan ...........................................................................................................1167
vlan ...........................................................................................................1167
vlan-assignment ..........................................................................................861
voip .............................................................................................................862
what ............................................................................................................863
Chapter 48  Operational Mode Commands for 802.1X, Port Security, and VoIP ...865
clear arp inspection statistics .......................................................................866
clear dhcp snooping binding .......................................................................867
clear dot1x ..................................................................................................868
clear lldp neighbors .....................................................................................869
clear lldp statistics .......................................................................................870
show arp inspection statistics ......................................................................871
show dhcp snooping binding .......................................................................872
show dot1x .................................................................................................873
show dot1x authentication-failed-users .......................................................876
show dot1x static-mac-address ...................................................................877
show ip-source-guard ................................................................................1160
show lldp .....................................................................................................881
show lldp local-info .....................................................................................886
show lldp neighbors ....................................................................................888
show lldp statistics ......................................................................................891
show network-access aaa statistics accounting ............................................893
show network-access aaa statistics authentication ......................................895
show network-access aaa statistics dynamic-requests .................................895

Table of Contents

xxiii

Complete Software Guide for JUNOS for EX-series Software, Release 9.2

Part 11  Packet Filtering

Chapter 49  Understanding Packet Filtering ...................................................899
Firewall Filters for EX-series Switches Overview ..........................................899
Firewall Filter Types ..............................................................................899
Firewall Filter Components ...................................................................900
Firewall Filter Processing ......................................................................900
Understanding Planning of Firewall Filters ..................................................901
Understanding Firewall Filter Processing Points for Bridged and Routed
Packets on EX-series Switches ..............................................................903
Understanding How Firewall Filters Control Packet Flows ...........................905
Firewall Filter Match Conditions and Actions for EX-series Switches ...........906
Understanding How Firewall Filters Are Evaluated ......................................915
Understanding Firewall Filter Match Conditions ..........................................917
Filter Match Conditions .........................................................................917
Numeric Filter Match Conditions ..........................................................917
Interface Filter Match Conditions ..........................................................918
IP Address Filter Match Conditions .......................................................918
MAC Address Filter Match Conditions ...................................................919
Bit-Field Filter Match Conditions ...........................................................919
Understanding How Firewall Filters Test a Packet's Protocol .......................921
Understanding the Use of Policers in Firewall Filters ...................................921
Chapter 50  Examples of Configuring Packet Filtering ....................................923
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches ................................................................................923
Chapter 51  Configuring Packet Filtering ........................................................945
Configuring Firewall Filters (CLI Procedure) .................................................945
Configuring a Firewall Filter ..................................................................945
Applying a Firewall Filter to a Port on a Switch .....................................948
Applying a Firewall Filter to a VLAN on a Network ................................949
Applying a Firewall Filter to a Layer 3 (Routed) Interface ......................949
Configuring Firewall Filters (J-Web Procedure) ............................................950
Configuring Policers to Control Traffic Rates (CLI Procedure) ......................954
Configuring Policers ..............................................................................955
Specifying Policers in a Firewall Filter Configuration .............................956
Applying a Firewall Filter That Is Configured with a Policer ..................956
Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding
Behavior (CLI Procedure) ......................................................................957

xxiv

Table of Contents

Table of Contents

Chapter 52  Verifying Packet Filtering ...........................................................959
Verifying That Firewall Filters Are Operational ............................................959
Verifying That Policers Are Operational .......................................................960
Monitoring Firewall Filter Traffic .................................................................960
Monitoring Traffic for All Firewall Filters and Policers That Are Configured
on the Switch .................................................................................961
Monitoring Traffic for a Specific Firewall Filter ......................................961
Monitoring Traffic for a Specific Policer ................................................961
Chapter 53  Troubleshooting Packet Filtering ................................................963
Troubleshooting Firewall Filters ...................................................................963
Firewall Filter Configuration Returns a No Space Available in TCAM
Message .........................................................................................963
Chapter 54  Configuration Statements for Packet Filtering .............................967
[edit firewall] Configuration Statement Hierarchy .......................................967
Firewall Filter Configuration Statements Supported by JUNOS Software for
EX-series Switches ................................................................................968
bandwidth-limit .........................................................................................1167
burst-size-limit ...........................................................................................1167
family ........................................................................................................1167
filter ..........................................................................................................1167
filter ..........................................................................................................1167
from ..........................................................................................................1167
if-exceeding ...............................................................................................1167
policer .......................................................................................................1167
term ..........................................................................................................1167
then ...........................................................................................................1167
then ...........................................................................................................1167
Chapter 55  Operational Mode Commands for Packet Filtering ......................981
clear firewall ..............................................................................................1160
show firewall .............................................................................................1160
show interfaces filters ...............................................................................1160
show interfaces policers ............................................................................1160
show policer ..............................................................................................1160

Table of Contents

xxv

Complete Software Guide for JUNOS for EX-series Software, Release 9.2

Part 12  CoS

Chapter 56  Understanding CoS ....................................................................993
JUNOS CoS for EX-series Switches Overview ...............................................993
How JUNOS CoS Works ........................................................................993
Default CoS Behavior on EX-series Switches .........................................994
Understanding JUNOS CoS Components for EX-series Switches ..................995
Code-Point Aliases ................................................................................995
Policers .................................................................................................995
Classifiers .............................................................................................995
Forwarding Classes ...............................................................................996
Tail Drop Profiles ..................................................................................996
Schedulers ............................................................................................996
Rewrite Rules ........................................................................................996
Understanding CoS Code-Point Aliases ........................................................997
Default Code-Point Aliases ....................................................................998
Understanding CoS Classifiers ...................................................................1000
Behavior Aggregate Classifiers ............................................................1000
Default Behavior Aggregate Classification .....................................1001
Multifield Classifiers ............................................................................1001
Understanding CoS Forwarding Classes .....................................................1002
Default Forwarding Classes .................................................................1002
Understanding CoS Tail Drop Profiles ........................................................1004
Understanding CoS Schedulers ..................................................................1004
Default Schedulers ..............................................................................1005
Transmission Rate ..............................................................................1005
Scheduler Buffer Size ..........................................................................1005
Priority Scheduling ..............................................................................1006
Scheduler Drop-Profile Maps ...............................................................1006
Scheduler Maps ...................................................................................1007
Understanding CoS Two-Color Marking .....................................................1007
Understanding CoS Rewrite Rules .............................................................1008
Default Rewrite Rule ...........................................................................1008
Chapter 57 Examples of Configuring CoS ...........................................1011

Example: Configuring CoS on EX-series Switches ......................................1011


Chapter 58 Configuring CoS ...............................................................1029

Configuring CoS (J-Web Procedure) ...........................................................1029


Defining CoS Code-Point Aliases (J-Web Procedure) ..................................1030
Defining CoS Code-Point Aliases (CLI Procedure) ......................................1032
Defining CoS Classifiers (CLI Procedure) ....................................................1033
Defining CoS Classifiers (J-Web Procedure) ...............................................1034
Defining CoS Forwarding Classes (CLI Procedure) .....................................1036
Defining CoS Forwarding Classes (J-Web Procedure) .................................1037
Defining CoS Schedulers (CLI Procedure) ..................................................1038


Defining CoS Schedulers (J-Web Procedure) ..............................................1038


Configuring CoS Tail Drop Profiles (CLI Procedure) ...................................1041
Defining CoS Rewrite Rules (CLI Procedure) ..............................................1042
Defining CoS Rewrite Rules (J-Web Procedure) ..........................................1042
Assigning CoS Components to Interfaces (CLI Procedure) .........................1044
Assigning CoS Components to Interfaces (J-Web Procedure) .....................1045
Chapter 59 Verifying CoS ....................................................................1047

Monitoring CoS Classifiers .........................................................................1047
Monitoring CoS Forwarding Classes ..........................................................1048
Monitoring Interfaces That Have CoS Components ...................................1049
Monitoring CoS Rewrite Rules ...................................................................1050
Monitoring CoS Scheduler Maps ................................................................1051
Monitoring CoS Value Aliases ....................................................................1053

Chapter 60 Configuration Statements for CoS .....................................1055

[edit class-of-service] Configuration Statement Hierarchy ..........................1055


buffer-size .................................................................................................1167
class ..........................................................................................................1167
class-of-service ..........................................................................................1167
classifiers ..................................................................................................1167
code-point-aliases ......................................................................................1167
code-points ................................................................................................1167
drop-profile-map .......................................................................................1167
dscp ..........................................................................................................1167
forwarding-class ........................................................................................1167
forwarding-class ........................................................................................1167
ieee-802.1 .................................................................................................1167
import .......................................................................................................1167
inet-precedence .........................................................................................1167
interfaces ..................................................................................................1167
loss-priority ...............................................................................................1167
priority ......................................................................................................1167
protocol .....................................................................................................1167
rewrite-rules ..............................................................................................1167
scheduler-map ...........................................................................................1167
scheduler-maps .........................................................................................1167
schedulers .................................................................................................1167
shaping-rate ..............................................................................................1167
transmit-rate .............................................................................................1167
unit ...........................................................................................................1167
Chapter 61 Operational Mode Commands for CoS ...............................1079

show class-of-service .................................................................................1080


Part 13 PoE

Chapter 62 Understanding PoE ..........................................................1087

PoE and EX-series Switches Overview .......................................................1087


PoE and Power Supply Units in EX-series Switches .............................1087
Power Management Mode ..................................................................1088
Classes of Powered Devices ................................................................1088
Global and Specific PoE Parameters ....................................................1088
Chapter 63 Examples of Configuring PoE ............................................1091

Example: Configuring PoE Interfaces on an EX-series Switch ....................1091


Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch .................................................................................................1094
Chapter 64 Configuring PoE ...............................................................1099

Configuring PoE (CLI Procedure) ...............................................................1099


Configuring PoE (J-Web Procedure) ...........................................................1100
Chapter 65 Verifying PoE ....................................................................1103

Monitoring PoE .........................................................................................1103


Verifying Status of PoE Interfaces on an EX-series Switch .........................1104
Chapter 66 Configuration Statements for PoE .....................................1105

[edit poe] Configuration Statement Hierarchy ...........................................1105


disable .......................................................................................................1167
duration ....................................................................................................1167
guard-band ................................................................................................1167
interface ....................................................................................................1167
interval ......................................................................................................1167
management .............................................................................................1167
maximum-power .......................................................................................1167
priority ......................................................................................................1167
telemetries ................................................................................................1167
Chapter 67 Operational Mode Commands for PoE ...............................1115

show poe controller ...................................................................................1116


show poe interface ....................................................................................1117
show poe telemetries interface ..................................................................1119


Part 14 Port Mirroring

Chapter 68 Understanding Port Mirroring ............................................1123

Port Mirroring on EX-series Switches Overview .........................................1123


Port Mirroring Overview .....................................................................1123
Limitations of Port Mirroring ........................................................1124
Port Mirroring Terminology ................................................................1124
Chapter 69 Examples of Configuring Port Mirroring ..............................1127

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches ...................................................1127
Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches ...................................................1133
Chapter 70 Configuring Port Mirroring ................................................1139

Configuring Port Mirroring to Analyze Traffic (CLI Procedure) ...................1139


Configuring Port Mirroring for Local Traffic Analysis ...........................1140
Configuring Port Mirroring for Remote Traffic Analysis .......................1140
Filtering the Traffic Entering a Port Mirroring Analyzer .......................1141
Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) ...............1143
Chapter 71 Configuration Statements for Port Mirroring ......................1147

[edit ethernet-switching-options] Configuration Statement Hierarchy ........1147


analyzer ....................................................................................................1167
egress ........................................................................................................1167
ethernet-switching-options ........................................................................1151
ingress .......................................................................................................1167
input .........................................................................................................1167
interface ....................................................................................................1167
loss-priority ...............................................................................................1167
output .......................................................................................................1167
ratio ..........................................................................................................1167
vlan ...........................................................................................................1167
Chapter 72 Operational Mode Commands for Port Mirroring ................1159

show analyzer ...........................................................................................1160


Part 15 Network Management

Chapter 73 Configuration Statements for Network Management .........1163

[edit snmp] Configuration Statement Hierarchy ........................................1163


bucket-size ................................................................................................1167
history .......................................................................................................1167
interface ....................................................................................................1167
owner ........................................................................................................1167
rmon .........................................................................................................1167

Part 16 Index

Index .........................................................................................................1171


List of Figures
Figure 1: Basic VRRP on EX-series Switches ..................................................14
Figure 2: VRRP on EX 4200 Virtual Chassis Switches ....................................14
Figure 3: LCD Panel .......................................................................................59
Figure 4: Connecting PC to Port 0 .................................................................60
Figure 5: Connecting to the Console Port on the EX-series Switch ...............119
Figure 6: Console Session Redirection .........................................................141
Figure 7: Management Ethernet Port Redirection to VME ............................142
Figure 8: Basic Virtual Chassis with Master and Backup ..............................149
Figure 9: Expanded Virtual Chassis in Single Wiring Closet .........................154
Figure 10: Default Configuration of Multimember Virtual Chassis in a Single Wiring Closet ........................................................................................159
Figure 11: A Virtual Chassis Interconnected Across Wiring Closets ..............167
Figure 12: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual Chassis Distribution Switch .....................................................174
Figure 13: Maximum Size Virtual Chassis Interconnected Across Wiring Closets ..................................................................................................188
Figure 14: Network Ports on the 24-Port EX-series Switch ..........................262
Figure 15: Network Ports on the 48-Port EX-series Switch ...........................262
Figure 16: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual Chassis Distribution Switch .....................................................269
Figure 17: Redundant Trunk Group, Link 1 Active .......................................366
Figure 18: Redundant Trunk Group, Link 2 Active .......................................366
Figure 19: Topology for Configuring the Redundant Trunk Links .................402
Figure 20: Network Topology for RSTP ........................................................428
Figure 21: Network Topology for MSTP .......................................................443
Figure 22: BPDU Protection Topology .........................................................464
Figure 23: BPDU Protection Topology .........................................................469
Figure 24: Network Topology for Loop Protection .......................................473
Figure 25: Network Topology for Root Protection ........................................478
Figure 26: IGMP Traffic Flow with IGMP Snooping Enabled .........................582
Figure 27: IGMP Traffic Flow with Routed VLAN Interfaces ..........................583
Figure 28: Example 802.1X Topology .........................................................643
Figure 29: Authentication Process ...............................................................644
Figure 30: Process Flowchart for Non-Responsive Host Requests ................651
Figure 31: VoIP Multiple Supplicant Topology .............................................652
Figure 32: VoIP Single Supplicant Topology .................................................653
Figure 33: DHCP Snooping ..........................................................................659
Figure 34: DHCP Server Connected to Switch ..............................................660
Figure 35: Topology for Configuration .........................................................672
Figure 36: Topology for Guest VLAN Example .............................................677
Figure 37: Topology for Static MAC Authentication Configuration ...............682
Figure 38: Topology for Configuring Supplicant Modes ................................687


Figure 39: VoIP Topology ............................................................................693


Figure 40: Network Topology for Basic Port Security ...................................730
Figure 41: Network Topology for Basic Port Security ...................................730
Figure 42: Network Topology for Basic Port Security ...................................730
Figure 43: Network Topology for Basic Port Security ...................................730
Figure 44: Network Topology for Basic Port Security ...................................730
Figure 45: Network Topology for Basic Port Security ...................................730
Figure 46: Network Topology for Port Security Setup with Two Switches on Same VLAN ...........................................................................................734
Figure 47: Firewall Filter Processing Points in the Packet Forwarding Path ......................................................................................................904
Figure 48: Application of Firewall Filters to Control Packet Flow .................906
Figure 49: Evaluation of Terms within a Firewall Filter ................................916
Figure 50: Application of Port, VLAN, and Layer 3 Routed Firewall Filters ....925
Figure 51: Packet Flow Across the Network .................................................994
Figure 52: Topology for Configuring CoS ...................................................1012
Figure 53: Network Topology for Local Port Mirroring Example ................1128
Figure 54: Remote Port Mirroring Example Network Topology .................1134


List of Tables
Table 1: Summary of Software Features Available on EX-series Switches ........4
Table 2: JUNOS Layer 3 Protocol Statements and Features That Are Not Supported .................................................................................................8
Table 3: JUNOS Software Processes ...............................................................18
Table 4: EX 3200 Switch Models ...................................................................21
Table 5: EX 4200 Switch Models ...................................................................22
Table 6: J-Web Interface ................................................................................46
Table 7: J-Web Interface ................................................................................46
Table 8: J-Web Edit Point & Click Configuration Links ...................................48
Table 9: J-Web Edit Point & Click Configuration Icons ...................................49
Table 10: J-Web Edit Point & Click Configuration Buttons .............................49
Table 11: Switching Platform Configuration Interfaces ..................................51
Table 12: Install Remote Summary ...............................................................67
Table 13: Upload Package Summary .............................................................68
Table 14: Configuration File Terms ...............................................................72
Table 15: J-Web Configuration History Summary ..........................................73
Table 16: J-Web Configuration Database Information Summary ...................74
Table 17: Options for the load command ......................................................75
Table 18: Alarm Terms ..................................................................................91
Table 19: Secure Management Access Configuration Summary ....................94
Table 20: Date and Time Settings ..................................................................95
Table 21: J-Web Ping Host Field Summary ..................................................100
Table 22: Packet Capture Field Summary ....................................................101
Table 23: Traceroute field summary ............................................................104
Table 24: Summary of Key System Properties Output Fields .......................105
Table 25: Summary of System Process Information Output Fields ..............106
Table 26: User Management > Add a User Configuration Page Summary ..............................................................................................109
Table 27: Add an Authentication Server ......................................................109
Table 28: Summary of Key Alarm Output Fields .........................................114
Table 29: Filtering System Log Messages .....................................................114
Table 30: Viewing System Log Messages .....................................................116
Table 31: show snmp rmon history Output Fields ........................................127
Table 32: Components of the Basic Virtual Chassis Access Switch Topology ...............................................................................................149
Table 33: Components of the Expanded Virtual Chassis Access Switch .......154
Table 34: Components of a Virtual Chassis Interconnected Across Multiple Wiring Closets .......................................................................................166
Table 35: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis Distribution Switch ..................................269
Table 36: Components of a Preprovisioned Virtual Chassis Interconnected Across Multiple Wiring Closets ..............................................................187


Table 37: Virtual Chassis Configuration Fields .............................................198


Table 38: Commands That Can be Run on All or Specific Members of the Virtual Chassis Configuration ................................................................214
Table 39: Commands Relevant Only to the Master ......................................216
Table 40: show system uptime Output Fields ..............................................246
Table 41: show virtual-chassis active-topology Output Fields .......................248
Table 42: show virtual-chassis Output Fields .............................................1160
Table 43: show virtual-chassis vc-port Output Fields ...................................252
Table 44: show virtual-chassis vc-port statistics Output Fields .....................255
Table 45: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis Distribution Switch ..................................269
Table 46: Components of the Topology for Creating Layer 3 Subinterfaces on an Access Switch and a Distribution Switch .....................................280
Table 47: Port Edit Options .........................................................................290
Table 48: Recommended CoS Settings for Port Roles ..................................292
Table 49: VLAN Options ..............................................................................297
Table 50: Port Role Configuration Summary ...............................................304
Table 51: Recommended CoS Settings for Port Roles ..................................307
Table 52: Gigabit Ethernet show interfaces Output Fields ............................332
Table 53: 10-Gigabit Ethernet show interfaces Output Fields .......................342
Table 54: 10-Gigabit Ethernet XFP Optics show interfaces diagnostics optics Output Fields ........................................................................................353
Table 55: Components of the Basic Bridging Configuration Topology ..........370
Table 56: Components of the Multiple VLAN Topology ................................377
Table 57: Components of the Topology for Connecting an Access Switch to a Distribution Switch .............................................................................385
Table 58: Components of the GVRP Network Topology ...............................394
Table 59: Components of the Redundant Trunk Link Topology ...................402
Table 60: VLAN Configuration Details ..........................................................408
Table 61: Components of the Topology for Configuring RSTP on EX-series Switches ...............................................................................................429
Table 62: Components of the Topology for Configuring MSTP on EX-series Switches ...............................................................................................443
Table 63: Components of the Topology for Configuring BPDU Protection on EX-series Switches ................................................................................469
Table 64: Components of the Topology for Configuring BPDU Protection on EX-series Switches ................................................................................469
Table 65: Components of the Topology for Configuring Loop Protection on EX-series Switches ................................................................................473
Table 66: Components of the Topology for Configuring Root Protection on EX-series Switches ................................................................................478
Table 67: show ethernet-switching interfaces Output Fields ........................545
Table 68: show ethernet-switching mac-learning-log Output Fields .............548
Table 69: show ethernet-switching table Output Fields ................................550
Table 70: show gvrp Output Fields ..............................................................555
Table 71: show gvrp statistics Output Fields ................................................557
Table 72: show redundant-trunk-group Output Fields ..................................559
Table 73: show spanning-tree bridge Output Fields .....................................560
Table 74: show spanning-tree interface Output Fields .................................564
Table 75: show spanning-tree mstp configuration Output Fields .................568
Table 76: show spanning-tree statistics Output Fields .................................569


Table 77: show vlans Output Fields .............................................................891


Table 78: Components of the IGMP Snooping Topology ..............................586
Table 79: BGP Routing Configuration Summary ..........................................589
Table 80: DHCP Server Configuration Pages Summary ...............................591
Table 81: OSPF Routing Configuration Summary ........................................594
Table 82: RIP Routing Configuration Summary ...........................................596
Table 83: SNMP Configuration Page ............................................................596
Table 84: Static Routing Configuration Summary ........................................601
Table 85: Summary of Key BGP Routing Output Fields ...............................603
Table 86: Summary of DHCP Output Fields .................................................605
Table 87: Summary of Key OSPF Routing Output Fields .............................607
Table 88: Summary of Key RIP Routing Output Fields ................................609
Table 89: Summary of Key Routing Information Output Fields ...................610
Table 90: show igmp-snooping membership Output Fields .......................1160
Table 91: show igmp-snooping route Output Fields ...................................1160
Table 92: show igmp-snooping statistics Output Fields ..............................1160
Table 93: show igmp-snooping vlans Output Fields ...................................1160
Table 94: Components of the Topology .......................................................673
Table 95: Components of the Guest VLAN Topology ...................................678
Table 96: Components of the Static MAC Authentication Configuration Topology ...............................................................................................683
Table 97: Components of the Supplicant Mode Configuration Topology ......688
Table 98: Components of the VoIP Configuration Topology ........................693
Table 99: Components of the Port Security Topology ..................................730
Table 100: Components of the Port Security Topology ................................730
Table 101: Components of the Port Security Topology ................................730
Table 102: Components of the Port Security Topology ................................730
Table 103: Components of the Port Security Topology ................................730
Table 104: Components of the Port Security Topology ................................730
Table 105: Components of Port Security Setup on Switch 1 with a DHCP Server Connected to Switch 2 ...............................................................734
Table 106: RADIUS Server Settings .............................................................759
Table 107: 802.1X Exclusion List ................................................................759
Table 108: 802.1X Port Settings ..................................................................759
Table 109: Global Settings ...........................................................................765
Table 110: Edit Port Settings .......................................................................766
Table 111: Port Security Settings on VLANs .................................................770
Table 112: Port Security on Interfaces .........................................................770
Table 113: show arp inspection statistics Output Fields ...............................871
Table 114: show dhcp snooping binding Output Fields ...............................872
Table 115: show dot1x statistics Output Fields ............................................873
Table 116: show dot1x static-mac-address Output Fields ............................877
Table 117: show dot1x static-mac-address Output Fields ............................877
Table 118: show ip-source-guard Output Fields .........................................1160
Table 119: show lldp Output Fields .............................................................881
Table 120: show lldp local-info Output Fields ..............................................886
Table 121: show lldp neighbors Output Fields .............................................888
Table 122: show lldp statistics Output Fields ...............................................891
Table 123: show network-access aaa statistics accounting Output Fields ....893
Table 124: show network-access aaa statistics authentication Output Fields ....................................................................................................894


Table 125: show network-access aaa statistics dynamic-requests Output Fields ....895
Table 126: Supported Match Conditions for Firewall Filters on EX-series Switches ....907
Table 127: Actions for Firewall Filters .........................................................914
Table 128: Action Modifiers for Firewall Filters ...........................................914
Table 129: Actions for Firewall Filters .........................................................920
Table 130: Configuration Components: Firewall Filters ...............................924
Table 131: Configuration Components: VLANs ............................................925
Table 132: Configuration Components: Switch Ports on a 48-Port All-PoE Switch ....926
Table 133: Create a New Filter ....................................................................951
Table 134: Create a New Term ....................................................................951
Table 135: Term-Advanced Options ............................................................952
Table 136: Supported Options for Firewall Filter Statements .......................968
Table 137: Firewall Filter Statements That Are Not Supported by JUNOS Software for EX-series Switches ....970
Table 138: show firewall Output Fields ......................................................1160
Table 139: show interfaces filters Output Fields ........................................1160
Table 140: show interfaces policers Output Fields .....................................1160
Table 141: show policer Output Fields ......................................................1160
Table 142: Default Code-Point Aliases .........................................................998
Table 143: Default BA Classification ..........................................................1001
Table 144: Default Forwarding Classes ......................................................1002
Table 145: Default Packet Header Rewrite Mappings ................................1008
Table 146: Configuration Components: VLANs ..........................................1013
Table 147: Configuration Components: Switch Ports on a 48-Port All-PoE Switch ....1013
Table 148: CoS Value Aliases Configuration Pages Summary ....................1030
Table 149: BA-classifier Loss Priority Assignments ....................................1033
Table 150: Classifiers Configuration Page Summary ..................................1034
Table 151: Forwarding Classes Configuration Pages Summary ..................1037
Table 152: Schedulers Configuration Page Summary ................................1039
Table 153: Scheduler Maps Configuration Page Summary .........................1040
Table 154: Rewrite Rules Configuration Page Summary ............................1043
Table 155: Assigning CoS Components to Interfaces .................................1045
Table 156: Summary of Key CoS Classifier Output Fields ..........................1047
Table 157: Summary of Key CoS Forwarding Class Output Fields .............1049
Table 158: Summary of Key CoS Interfaces Output Fields .........................1049
Table 159: Summary of Key CoS Rewrite Rules Output Fields ...................1050
Table 160: Summary of Key CoS Scheduler Maps Output Fields ...............1051
Table 161: Summary of Key CoS Value Alias Output Fields .......................1053
Table 162: show class-of-service Output Fields ..........................................1080
Table 163: Class of Powered Device and Power Levels ..............................1088
Table 164: Components of the PoE Configuration Topology ......................1092
Table 165: Components of the PoE Configuration Topology ......................1095
Table 166: PoE Edit Settings ......................................................................1101
Table 167: System Settings .......................................................................1101
Table 168: show poe controller Output Fields ...........................................1116
Table 169: show poe interface Output Fields .............................................1117
Table 170: show poe telemetries interface Output Fields ..........................1119


Table 171: Port Mirroring Configuration Settings .......................................1144
Table 172: command-name Output Fields ................................................1160


About This Topic Collection

How To Use This Guide on page xxxix

List of EX-series Guides for JUNOS 9.2 on page xxxix

Downloading Software on page xl

Documentation Symbols Key on page xli

Documentation Feedback on page xlii

Getting Support on page xlii

How To Use This Guide

Complete documentation for the EX-series product family is provided on web pages at
http://www.juniper.net/techpubs/en_US/release-independent/information-products/pathway-pages/ex-series/product/index.html.
We have selected content from these web pages and created a number of EX-series
guides that collect related topics into a book-like format so that the information is
easy to print and easy to download to your local computer.
This guide, Complete Software Guide for JUNOS Software for EX-series Switches, Release
9.2, collects information about the JUNOS for EX-series Release 9.2 software.
For release-specific information, see the release notes at
http://www.juniper.net/techpubs/en_US/junos9.2/information-products/pathway-pages/ex-series/software/index.html.

List of EX-series Guides for JUNOS 9.2

Title: Complete Hardware Guide for EX 3200 and EX 4200 Switches
Description: Component descriptions, site preparation, installation, replacement, and safety and compliance

Title: Complete Software Guide for JUNOS Software for EX-series Switches, Release 9.2
Description: Software feature descriptions, configuration examples and tasks, and reference pages for configuration statements and operational commands

Title: J-Web User Interface Guide for JUNOS Software for EX-series Switches
Description: How to use the J-Web graphical user interface (GUI) with JUNOS for EX-series software

Title: JUNOS Software for EX-series Switches Release Notes, Release 9.2
Description: Summary of hardware and software features and known problems with the software and hardware


Downloading Software
You can download the JUNOS for EX-series software from the Download Software
area at http://www.juniper.net/customers/support/. To download the software, you must
have a Juniper Networks user account. For information about obtaining an account,
see http://www.juniper.net/entitlement/setupAccountInfo.do.


Documentation Symbols Key

Notice Icons (icon, meaning, and description):

Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.

Text and Syntax Conventions (convention, description, and examples):

Bold text like this: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
  user@host> configure

Fixed-width text like this: Represents output that appears on the terminal screen.
  Example:
  user@host> show chassis alarms
  No alarms currently active

Italic text like this: Introduces important new terms. Identifies book names. Identifies RFC and Internet draft titles.
  Examples: A policy term is a named structure that defines match conditions and actions.
  JUNOS System Basics Configuration Guide
  RFC 1997, BGP Communities Attribute

Italic text like this: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine's domain name:
  [edit]
  root@# set system domain-name domain-name

Plain text like this: Represents names of configuration statements, commands, files, and directories; IP addresses; configuration hierarchy levels; or labels on routing platform components.
  Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
  The console port is labeled CONSOLE.

< > (angle brackets): Enclose optional keywords or variables.
  Example: stub <default-metric metric>;

| (pipe symbol): Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples: broadcast | multicast
  (string1 | string2 | string3)

# (pound sign): Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets): Enclose a variable for which you can substitute one or more values.
  Example: community name members [ community-ids ]

Indention and braces ( { } ): Identify a level in the configuration hierarchy.
; (semicolon): Identifies a leaf statement at a configuration hierarchy level.
  Example:
  [edit]
  routing-options {
      static {
          route default {
              nexthop address;
              retain;
          }
      }
  }

J-Web GUI Conventions

Bold text like this: Represents J-Web graphical user interface (GUI) items you click or select.
  Examples: In the Logical Interfaces box, select All Interfaces.
  To cancel the configuration, click Cancel.

> (bold right angle bracket): Separates levels in a hierarchy of J-Web selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. Send email to techpubs-comments@juniper.net with the
following:

Document URL or title

Page number if applicable

Software version

Your name and company

Getting Support
For technical support, open a support case with the Case Manager link at
http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States, Canada,
or Mexico) or 1-408-745-9500 (from elsewhere).


Part 1

JUNOS for EX-series Product Overview

Product Overview on page 3


Chapter 1

Product Overview

Software Overview on page 3

Supported Hardware on page 19

Software Overview

EX-series Switch Software Features Overview on page 3

Layer 3 Protocols Supported on EX-series Switches on page 7

Layer 3 Protocols Not Supported on EX-series Switches on page 8

Security Features for EX-series Switches Overview on page 11

High Availability Features for EX-series Switches Overview on page 13

Understanding Software Infrastructure and Processes on page 17

EX-series Switch Software Features Overview


Table 1 on page 4 lists the EX-series software features and the JUNOS release in
which they were introduced.


Table 1: Summary of Software Features Available on EX-series Switches

Features are grouped by category; each entry gives the JUNOS release in which the feature was introduced.

Layer 2 Network Protocols
  Routed VLAN interfaces (RVIs): JUNOS 9.0R2
  GVRP (GARP VLAN Registration Protocol): JUNOS 9.1R1
  Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP): JUNOS 9.0R2
  BPDU protection for spanning-tree protocols: JUNOS 9.1R1
  Loop protection for spanning-tree protocols: JUNOS 9.1R1
  Root protection for spanning-tree protocols: JUNOS 9.1R1
  Storm control: JUNOS 9.1R1
  Link Layer Discovery Protocol (LLDP): JUNOS 9.0R2
  Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED) with voice over IP (VoIP) integration: JUNOS 9.0R2

Security
  Port security (DHCP snooping, Dynamic ARP Inspection (DAI), MAC limiting, MAC move limiting, static ARP support): JUNOS 9.0R2
  IP source guard: JUNOS 9.2R1
  802.1X authentication: JUNOS 9.0R2
  MAC-based VLAN: JUNOS 9.2R1
  Denial-of-service (DoS) and distributed DoS (DDoS) protection: JUNOS 9.0R2
  Rate limiting and firewall filters: JUNOS 9.0R2

Internet Protocols
  IPv4: JUNOS 9.0R2

IP Address Management
  Static addresses: JUNOS 9.0R2
  Dynamic Host Configuration Protocol (DHCP): JUNOS 9.0R2

Routing and Multicast Protocols
  Bidirectional Forwarding Detection: JUNOS 9.0R2
  Border Gateway Protocol (BGP): JUNOS 9.0R2. A separate software license is required for BGP. For information about software licenses, see Software Licenses for the EX-series Switch Overview on page 83.
  Distance Vector Multicast Routing Protocol (DVMRP): JUNOS 9.0R2
  Intermediate System-to-Intermediate System (IS-IS): JUNOS 9.0R2. A separate software license is required for IS-IS. For information about software licenses, see Software Licenses for the EX-series Switch Overview on page 83.
  Internet Group Management Protocol (IGMP): JUNOS 9.0R2
  IGMP snooping: JUNOS 9.1R1
  Open Shortest Path First (OSPF): JUNOS 9.0R2
  Protocol Independent Multicast (PIM) sparse mode: JUNOS 9.0R2
  Routing Information Protocol version 1 (RIPv1) and RIPv2: JUNOS 9.0R2
  Single-source multicast: JUNOS 9.0R2
  Static routes: JUNOS 9.0R2

Encapsulation
  Ethernet (media access control (MAC) encapsulation and 802.1p tagging): JUNOS 9.0R2
  802.1Q filtering and forwarding: JUNOS 9.0R2

Traffic Management
  Policing and shaping: JUNOS 9.0R2
  Transparent bridging: JUNOS 9.0R2
  Class of Service (CoS), class-based queuing with prioritization: JUNOS 9.0R2

High Availability and Resiliency
  Virtual Router Redundancy Protocol (VRRP): JUNOS 9.0R2
  Graceful protocol restart for OSPF and BGP: JUNOS 9.0R2
  Redundant interfaces: JUNOS 9.0R2
  Graceful Routing Engine switchover (GRES) for EX 4200 Virtual Chassis configurations: JUNOS 9.1R1
  Redundant trunk groups: JUNOS 9.0R2
  Link aggregation: JUNOS 9.0R2

System Management
  J-Web interface, for switch configuration and management: JUNOS 9.0R2
  JUNOS command-line interface (CLI), for switch configuration and management through the console, Telnet, SSH, or J-Web CLI terminal: JUNOS 9.0R2
  Simple Network Management Protocol version 1 (SNMPv1) and SNMPv2: JUNOS 9.0R2
  J-Web licensing: JUNOS 9.1R1

Activity Logging and Monitoring
  System log (syslog): JUNOS 9.0R2
  J-Web event viewer: JUNOS 9.0R2
  Traceroute: JUNOS 9.0R2

Administration
  Support for RADIUS external administrator databases: JUNOS 9.0R2
  Autoinstallation: JUNOS 9.0R2
  Configuration rollback: JUNOS 9.0R2
  Confirmation of configuration changes: JUNOS 9.0R2
  Software upgrades: JUNOS 9.0R2
  Support for the following features for automating network operations and troubleshooting: commit scripts, operation scripts, and event policies: JUNOS 9.0R2


Related Topics

Features in JUNOS Software for EX-series Switches, Release 9.0

Features in JUNOS Software for EX-series Switches, Release 9.1

Layer 3 Protocols Supported on EX-series Switches on page 7

Layer 3 Protocols Not Supported on EX-series Switches on page 8

High Availability Features for EX-series Switches Overview on page 13

Security Features for EX-series Switches Overview on page 11

Layer 3 Protocols Supported on EX-series Switches

EX-series switches support the following existing JUNOS Layer 3 protocols (protocol, notes, and where to find more information):

BGP: Supported, with the exceptions noted in Layer 3 Protocols Not Supported on EX-series Switches on page 8. See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/.

BFD: Fully supported. See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/.

DVMRP: Supported, with the exceptions noted in Layer 3 Protocols Not Supported on EX-series Switches on page 8. See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/.

GRE: Fully supported. See the JUNOS Software VPNs Configuration Guide at http://www.juniper.net/techpubs/software/junos/.

ICMP: Fully supported. See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/.

IGMP: Fully supported. See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/.

IS-IS: Supported, with the exceptions noted in Layer 3 Protocols Not Supported on EX-series Switches on page 8. See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/.

OSPF: Supported, with the exceptions noted in Layer 3 Protocols Not Supported on EX-series Switches on page 8. See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/.

PIM: Supported, with the exception of IPv6, as noted in Layer 3 Protocols Not Supported on EX-series Switches on page 8. See the JUNOS Software Multicast Configuration Guide at http://www.juniper.net/techpubs/software/junos/.

RIP: Fully supported. See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/.

RIPng: Fully supported. See the JUNOS Software Routing Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/.

SNMP: Fully supported. See the JUNOS Software Network Management Configuration Guide at http://www.juniper.net/techpubs/software/junos/.

VRRP: Fully supported. See High Availability Features for EX-series Switches Overview on page 13. See also the JUNOS Software High Availability Guide at http://www.juniper.net/techpubs/software/junos/.
Related Topics

Layer 3 Protocols Not Supported on EX-series Switches on page 8

Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches on page 968

EX-series Switch Software Features Overview on page 3

Layer 3 Protocols Not Supported on EX-series Switches

EX-series switches do not support the following JUNOS Layer 3 protocols and features.
Table 2 on page 8 describes the specific JUNOS Layer 3 features and configuration
statements that are not supported on EX-series switches.

Table 2: JUNOS Layer 3 Protocol Statements and Features That Are Not Supported

Each entry names the feature (with the related sub-features in parentheses), followed by the configuration statements that are not supported on EX-series switches.

BGP (IPv6 and VPN families; Multiprotocol BGP (MBGP)):
  ipsec-sa and subordinate statements
  labeled-unicast and subordinate statements
  resolve-vpn and subordinate statements
  route-target and subordinate statements
  signaling and subordinate statements
  vpn-apply-export statement

DVMRP:
  dvmrp and subordinate statements

Flow aggregation (cflowd):
  cflow and subordinate statements

IPSec:
  [edit services] statements related to IPSec

IPv6:
  All statements related to IPv6 are unsupported.

IS-IS (ES-IS; IPv6; traffic engineering):
  clns-routing statement
  ipv6multicast statement
  ipv6unicast statement
  lsp-interval statement
  label-switched-path statement
  lsp-lifetime statement
  no-ipv6-routing statement
  te-metric statement
  traffic-engineering and subordinate statements

Layer 2 Tunneling Protocol (L2TP):
  l2tp and subordinate statements

Logical routers:
  logical-routers and subordinate statements

MLD:
  mld and all subordinate statements

MPLS (all of MPLS; Label Distribution Protocol (LDP); Layer 3 VPNs; Multiprotocol BGP (MP-BGP) for the VPN-IPv4 family; pseudowire emulation (PWE3); Resource Reservation Protocol (RSVP); routing policy statements related to Layer 3 VPNs and MPLS; traffic engineering (TE) extensions in OSPF and IS-IS):
  ldp and all subordinate statements
  mpls and all subordinate statements

MSTP:
  mstp and all subordinate statements

Network Address Translation (NAT):
  nat and subordinate statements
  Policy statements related to NAT

OSPF (IPv6; traffic engineering):
  demand-circuit statement
  label-switched-path and subordinate statements
  neighbor statement within an OSPF area
  peer-interface and subordinate statements within an OSPF area
  poll-interval statement
  sham-link statement
  te-metric statement
  traffic-engineering and subordinate statements

OSPFv3:
  ospf3 and all subordinate statements

PIM:
  inet6 family

RIPng:
  ripng and all subordinate statements

Routing instances:
  isis and subordinate statements
  l2vpn and subordinate statements
  ldp and subordinate statements
  no-vrf-advertise statement
  ospf3 and subordinate statements
  route-distinguisher statement
  vpls and subordinate statements
  vrf-export statement
  vrf-import statement
  vrf-table-label statement
  vrf-target statement

SAP and SDP:
  sap and all subordinate statements

General routing options in the routing-options hierarchy (MPLS and label-switched-paths; IPv6; routing instance forwarding):
  auto-export and subordinate statements
  dynamic-tunnels and subordinate statements
  lsp-next-hop and subordinate statements
  multicast and subordinate statements
  p2mp-lsp-next-hop and subordinate statements
  route-distinguisher-id statement

Traffic sampling and forwarding in the forwarding-options hierarchy:
  accounting and subordinate statements
  family mpls and family multiservice under the hash-key hierarchy
  Under the monitoring group-name family inet output hierarchy:
    cflowd statement
    export-format-cflowd-version-5 statement
    flow-active-timeout statement
    flow-export-destination statement
    flow-inactive-timeout statement
    interface statement
  port-mirroring statement
  NOTE: Implement port mirroring on EX-series switches using the analyzer and subordinate statements.
  sampling and subordinate statements

Related Topics

EX-series Switch Software Features Overview on page 3

Layer 3 Protocols Supported on EX-series Switches on page 7

Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches on page 968

Security Features for EX-series Switches Overview

JUNOS software is a network operating system that has been hardened through the
separation of the control, forwarding, and services planes, with each function running in
protected memory. The control-plane CPU is protected by rate limiting, routing policy,
and firewall filters to ensure switch uptime even under severe attack. In addition,
the switches fully integrate with the Juniper Networks Unified Access Control (UAC)
product to provide both standards-based 802.1X port-level access and Layer 2 through
Layer 4 policy enforcement based on user identity. Access port security features such
as dynamic ARP inspection, DHCP snooping, and MAC limiting are controlled through
a single JUNOS CLI command.
EX-series switches provide the following hardware and software security features:
Console Port: Allows use of the console port to connect to the Routing Engine
through an RJ-45 cable. You then use the command-line interface (CLI) to configure
the switch.
Out-of-Band Management: A dedicated management Ethernet port on the rear
panel allows out-of-band management.
Software Images: All JUNOS software images are signed by the Juniper Networks
certificate authority (CA) with public key infrastructure (PKI).


User Authentication, Authorization, and Accounting (AAA): Features include:
  User and group accounts with password encryption and authentication.
  Access privilege levels configurable for login classes and user templates.
  RADIUS authentication, TACACS+ authentication, or both, for authenticating users who attempt to access the switch.
  Auditing of configuration changes through system logging or RADIUS/TACACS+.
802.1X Authentication: Provides network access control. Supplicants (hosts) are
authenticated when they initially connect to a LAN. Authenticating supplicants before
they receive an IP address from a DHCP server prevents unauthorized supplicants
from gaining access to the LAN. EX-series switches support Extensible Authentication
Protocol (EAP) methods, including EAP-MD5, EAP-TLS, EAP-TTLS, and EAP-PEAP.
Port Security: Access port security features include:
  DHCP snooping: Filters and blocks ingress DHCP server messages on untrusted ports; builds and maintains an IP-address/MAC-address binding database (called the DHCP snooping database).
  Dynamic ARP inspection (DAI): Prevents ARP spoofing attacks. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons.
  MAC limiting: Protects against flooding of the Ethernet switching table.
  MAC move limiting: Detects MAC movement and MAC spoofing on access ports. Prevents hosts whose MAC addresses have not been learned by the switch from accessing the network.
  Trusted DHCP server: With a DHCP server on a trusted port, protects against rogue DHCP servers sending leases.
Firewall Filters: Allow auditing of various types of security violations, including
attempts to access the switch from unauthorized locations. Firewall filters can detect
such attempts and create audit log entries when they occur. The filters can also
restrict access by limiting traffic to source and destination MAC addresses, specific
protocols, or, in combination with policers, to specified data rates to prevent denial
of service (DoS) attacks.
Policers: Provide rate-limiting capability to control the amount of traffic that enters
an interface, which acts to counter DoS attacks.
Encryption Standards: Supported standards include:
  128-, 192-, and 256-bit Advanced Encryption Standard (AES)
  56-bit Data Encryption Standard (DES) and 168-bit 3DES

Related Topics

802.1X for EX-series Switches Overview on page 639

Firewall Filters for EX-series Switches Overview on page 899

Port Security for EX-series Switches Overview on page 654

Understanding the Use of Policers in Firewall Filters on page 921
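The DHCP snooping and DAI checks listed under Port Security above, as an added example written for this page rather than code from JUNOS or Juniper: a Python model of a switch that trusts only its uplink port, learns IP/MAC bindings from the DHCP exchanges it forwards, and inspects ARP on access ports against that database. The port names (ge-0/0/1 and so on), MAC addresses, and 192.0.2.0/24 addresses are constructed.

```python
"""DHCP snooping plus Dynamic ARP Inspection (DAI), modelled as a port filter.

Added, constructed example (not Juniper's code) of two port security checks:
server-side DHCP messages are accepted only on trusted ports, a binding
database is learned from the DHCPACKs that pass, and ARP on untrusted ports
is dropped unless the sender's IP/MAC pair matches that database.
Packets are plain dicts; port names and addresses are made up.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    FORWARD = "forward"
    DROP = "drop"


# DHCP message types (RFC 2132 option 53 names) that only a server sends.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
CLIENT_MESSAGES = {"DHCPDISCOVER", "DHCPREQUEST"}


@dataclass
class PortSecurity:
    trusted_ports: set
    bindings: dict = field(default_factory=dict)      # ip -> (mac, port): the snooping database
    client_ports: dict = field(default_factory=dict)  # chaddr -> port, learned from client messages
    log: list = field(default_factory=list)

    def add_static_binding(self, ip, mac, port):
        """Static entry for a host that does not use DHCP."""
        self.bindings[ip] = (mac.lower(), port)

    def on_dhcp(self, pkt):
        """DHCP snooping: a server reply on an untrusted port comes from a rogue
        server and is dropped; a DHCPACK that passes creates a binding for the
        leased address (yiaddr) and the client hardware address (chaddr)."""
        port, kind = pkt["port"], pkt["msg_type"]
        if kind in SERVER_MESSAGES and port not in self.trusted_ports:
            self.log.append(f"dhcp-snooping: dropped {kind} from untrusted port {port}")
            return Verdict.DROP
        if kind in CLIENT_MESSAGES:
            self.client_ports[pkt["chaddr"].lower()] = port
        elif kind == "DHCPACK":
            mac = pkt["chaddr"].lower()
            self.bindings[pkt["yiaddr"]] = (mac, self.client_ports.get(mac, "unknown"))
        return Verdict.FORWARD

    def on_arp(self, pkt):
        """DAI: ARP from trusted ports is not inspected; on untrusted ports the
        sender IP/MAC pair must match the snooping database, otherwise the
        packet is treated as spoofed and dropped."""
        port = pkt["port"]
        if port in self.trusted_ports:
            return Verdict.FORWARD
        mac = pkt["sender_mac"].lower()
        binding = self.bindings.get(pkt["sender_ip"])
        if binding is None or binding[0] != mac:
            self.log.append(f"dai: dropped ARP {pkt['op']} on {port}: "
                            f"{pkt['sender_ip']} is not bound to {mac}")
            return Verdict.DROP
        return Verdict.FORWARD


def run_scenario():
    """Constructed traffic on a switch whose uplink ge-0/0/48 is the only
    trusted port. Returns the verdicts, the final binding database and the log."""
    ps = PortSecurity(trusted_ports={"ge-0/0/48"})
    client = "AA:BB:CC:00:00:01"
    traffic = [
        ("dhcp", {"port": "ge-0/0/1", "msg_type": "DHCPDISCOVER", "chaddr": client}),
        # a rogue DHCP server answering on an access port
        ("dhcp", {"port": "ge-0/0/2", "msg_type": "DHCPOFFER", "chaddr": client, "yiaddr": "192.0.2.200"}),
        ("dhcp", {"port": "ge-0/0/48", "msg_type": "DHCPOFFER", "chaddr": client, "yiaddr": "192.0.2.10"}),
        ("dhcp", {"port": "ge-0/0/1", "msg_type": "DHCPREQUEST", "chaddr": client}),
        ("dhcp", {"port": "ge-0/0/48", "msg_type": "DHCPACK", "chaddr": client, "yiaddr": "192.0.2.10"}),
        # the legitimate client answering an ARP request
        ("arp", {"port": "ge-0/0/1", "op": "reply", "sender_ip": "192.0.2.10", "sender_mac": client}),
        # another host claiming the client's address (ARP spoofing)
        ("arp", {"port": "ge-0/0/2", "op": "reply", "sender_ip": "192.0.2.10", "sender_mac": "AA:BB:CC:00:00:02"}),
        # a host with no lease at all
        ("arp", {"port": "ge-0/0/3", "op": "request", "sender_ip": "192.0.2.99", "sender_mac": "AA:BB:CC:00:00:03"}),
        # the router behind the trusted uplink is never inspected
        ("arp", {"port": "ge-0/0/48", "op": "reply", "sender_ip": "192.0.2.1", "sender_mac": "AA:BB:CC:FF:FF:01"}),
    ]
    verdicts = [ps.on_dhcp(pkt) if proto == "dhcp" else ps.on_arp(pkt) for proto, pkt in traffic]
    return verdicts, ps.bindings, ps.log


if __name__ == "__main__":
    verdicts, bindings, log = run_scenario()
    print([v.value for v in verdicts])
    print(bindings)
    print("\n".join(log))
```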


High Availability Features for EX-series Switches Overview


High availability refers to the hardware and software components that provide
redundancy and reliability for packet-based communications. This topic covers the
following high availability features of EX-series switches:

VRRP on page 13

Graceful Protocol Restart on page 15

EX 4200 Redundant Routing Engines on page 15

EX 4200 Graceful Routing Engine Switchover on page 16

Link Aggregation on page 16

Additional High Availability Features of EX-series Switches on page 16

VRRP
For Gigabit Ethernet interfaces, 10-Gigabit Ethernet interfaces, and logical interfaces
on EX-series switches, you can configure the Virtual Router Redundancy Protocol
(VRRP). The switches act as virtual routing platforms. VRRP enables hosts on a LAN
to make use of redundant routing platforms on that LAN without requiring more than
the static configuration of a single default route on the hosts. The VRRP routing
platforms share the IP address corresponding to the default route configured on the
hosts. At any time, one of the VRRP routing platforms is the master (active) and the
others are backups. If the master routing platform fails, one of the backup routing
platforms becomes the new master, providing a virtual default routing platform and
enabling traffic on the LAN to be routed without relying on a single routing platform.
Using VRRP, a backup EX-series switch can take over from a failed default switch within
a few seconds. This is done with minimal VRRP traffic and without any interaction
with the hosts.

NOTE: The VRRP master and backup routing platforms should not be confused with
the master and backup member switches of a Virtual Chassis configuration. The
master and backup members of a Virtual Chassis configuration compose a single
host. In a VRRP topology, one host operates as a master routing platform and another
host operates as a backup routing platform, as shown in Figure 2 on page 14.
Switches running VRRP dynamically elect master and backup routing platforms. You
can also force assignment of master and backup routing platforms using priorities
from 1 through 255, with 255 being the highest priority. In VRRP operation, the
default master routing platform sends advertisements to backup routing platforms
at regular intervals. The default interval is 1 second. If a backup routing platform
does not receive an advertisement for a set period, the backup routing platform with
the next highest priority takes over as master and begins forwarding packets.
Figure 1 on page 14 illustrates a basic VRRP topology with EX-series switches. In
this example, Switches A, B, and C are running VRRP and together they make up a
virtual routing platform. The IP address of this virtual routing platform is 10.10.0.1
(the same address as the physical interface of Switch A).


Figure 1: Basic VRRP on EX-series Switches

Figure 2 on page 14 illustrates a basic VRRP topology using Virtual Chassis
configurations. Switch A, Switch B, and Switch C are each composed of multiple
interconnected EX 4200 switches. Each Virtual Chassis configuration operates as a
single switch, which is running VRRP, and together they make up a virtual routing
platform. The IP address of this virtual routing platform is 10.10.0.1 (the same address
as the physical interface of Switch A).
Figure 2: VRRP on EX 4200 Virtual Chassis Switches

Because the virtual routing platform uses the IP address of the physical interface of Switch A, Switch A is the master VRRP routing platform, while Switches B and C function as backup VRRP routing platforms. Clients 1 through 3 are configured with the default gateway IP address of 10.10.0.1. As the master router, Switch A forwards packets sent to its IP address. If the master virtual routing platform fails, the switch configured with the higher priority becomes the master virtual routing platform and provides uninterrupted service for the LAN hosts. When Switch A recovers, it becomes the master virtual routing platform again.
VRRP is defined in RFC 3768, Virtual Router Redundancy Protocol.
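The topology of Figure 2 written out as configuration, as an added example that is not from this guide: Switch A owns 10.10.0.1 and is given priority 255, Switches B and C carry lower priorities so that B takes over first. The VLAN name and id and the addresses of B and C are assumptions, and the vrrp-group statements are JUNOS VRRP statements that do not appear in the configuration hierarchies listed in this guide.

```junos
/* Switch A: vlan.0 carries 10.10.0.1, the same address as the virtual
   router, so Switch A is the address owner and runs with priority 255.
   Preemption is on by default, so A reclaims mastership when it recovers. */
vlans {
    users {
        vlan-id 100;            /* VLAN name and id are assumptions */
        l3-interface vlan.0;
    }
}
interfaces {
    vlan {
        unit 0 {
            family inet {
                address 10.10.0.1/24 {
                    vrrp-group 1 {
                        virtual-address 10.10.0.1;
                        priority 255;
                        advertise-interval 1;   /* seconds; this is the default */
                    }
                }
            }
        }
    }
}

/* Switch B: first backup. 10.10.0.2 is assumed; priority 200 makes B the
   next master when A's advertisements stop arriving. */
interfaces {
    vlan {
        unit 0 {
            family inet {
                address 10.10.0.2/24 {
                    vrrp-group 1 {
                        virtual-address 10.10.0.1;
                        priority 200;
                    }
                }
            }
        }
    }
}

/* Switch C: second backup. 10.10.0.3 is assumed; priority 100 means C
   takes over only when both A and B are down. */
interfaces {
    vlan {
        unit 0 {
            family inet {
                address 10.10.0.3/24 {
                    vrrp-group 1 {
                        virtual-address 10.10.0.1;
                        priority 100;
                    }
                }
            }
        }
    }
}
```

The same vlans stanza is needed on B and C; show vrrp on each switch reports which one is currently master and the priority it advertises.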

Graceful Protocol Restart


With standard implementations of routing protocols, any service interruption requires
an affected switch to recalculate adjacencies with neighboring switches, restore
routing table entries, and update other protocol-specific information. An unprotected
restart of a switch can result in forwarding delays, route flapping, wait times stemming
from protocol reconvergence, and even dropped packets. Graceful protocol restart
allows a restarting switch and its neighbors to continue forwarding packets without
disrupting network performance. Because neighboring switches assist in the restart
(these neighbors are called helper switches), the restarting switch can quickly resume
full operation without recalculating algorithms from scratch.
On EX-series switches, graceful protocol restart can be applied to aggregate and static
routes and for routing protocols (BGP, IS-IS, OSPF and RIP).
Graceful protocol restart works similarly for the different routing protocols. The main
benefits of graceful protocol restart are uninterrupted packet forwarding and
temporary suppression of all routing protocol updates. Graceful protocol restart thus
allows a switch to pass through intermediate convergence states that are hidden
from the rest of the network. Most graceful restart implementations define two types
of switches: the restarting switch and the helper switch. The restarting switch requires
rapid restoration of forwarding state information so it can resume the forwarding of
network traffic. The helper switch assists the restarting switch in this process.
Individual graceful restart configuration statements typically apply to either the
restarting switch or the helper switch.

EX 4200 Redundant Routing Engines


Two to ten EX 4200 switches can be interconnected to create a Virtual Chassis
configuration that operates as a single network entity. Every Virtual Chassis
configuration with two or more members has a master and a backup. The master
acts as the master Routing Engine and the backup acts as the backup Routing Engine.
The Routing Engine provides the following functionality:

Runs various routing protocols

Provides the forwarding table to the Packet Forwarding Engines (PFEs) in all the
member switches of the Virtual Chassis configuration

Runs other management and control processes for the entire Virtual Chassis
configuration

The master Routing Engine, which is in the master of the Virtual Chassis configuration,
runs JUNOS software in the master role. It receives and transmits routing information,
builds and maintains routing tables, communicates with interfaces and Packet
Forwarding Engine components of the member switches, and has full control over
the Virtual Chassis configuration.

The backup Routing Engine, which is in the backup of the Virtual Chassis
configuration, runs JUNOS software in a backup role. It stays in sync with the master
Routing Engine in terms of protocol states, forwarding tables, and so forth. If the
master becomes unavailable, the backup Routing Engine takes over the functions
that the master Routing Engine performs.

EX 4200 Graceful Routing Engine Switchover


You can configure graceful Routing Engine switchover (GRES) in a Virtual Chassis
configuration, allowing the configuration to switch from the master Routing Engine
in the master to the backup Routing Engine in the backup with minimal interruption
to network communications. When you configure graceful Routing Engine switchover,
the backup Routing Engine automatically synchronizes with the master Routing
Engine to preserve kernel state information and forwarding state. Any updates to
the master Routing Engine are replicated to the backup Routing Engine as soon as
they occur. If the kernel on the master Routing Engine stops operating, the master
Routing Engine experiences a hardware failure, or the administrator initiates a manual
switchover, mastership switches to the backup Routing Engine.
When the backup Routing Engine assumes mastership in a redundant failover
configuration (when graceful Routing Engine switchover is not enabled), the Packet
Forwarding Engines initialize their state to boot up state before they connect to the
new master Routing Engine. In contrast, in a graceful switchover configuration, the
Packet Forwarding Engines do not reinitialize their state, but instead resynchronize
their state with the new master Routing Engine. The interruption to the traffic is
minimal.
Graceful Routing Engine switchover on EX 4200 switches supports software features
in JUNOS Release 9.2 or later for EX-series switches.

Link Aggregation
You can combine multiple physical Ethernet ports to form a logical point-to-point
link, known as a link aggregation group (LAG) or bundle. A LAG provides more
bandwidth than a single Ethernet link can provide. Additionally, link aggregation
provides network redundancy by load-balancing traffic across all available links. If
one of the links should fail, the system automatically load-balances traffic across all
remaining links.
You can select up to eight Ethernet interfaces and include them within a link
aggregation group. In an EX 4200 Virtual Chassis configuration composed of multiple
members, the interfaces that compose a LAG can be on different members of the
Virtual Chassis. See Understanding Virtual Chassis Configurations and Link
Aggregation on page 144.

Additional High Availability Features of EX-series Switches


To ensure continuous operation, all EX-series switches use field-replaceable power
supply units, fan trays, and uplink modules. EX 4200 switches include options for
external power-supply redundancy.

The EX 3200 switches support a single field-replaceable power supply unit, a field-replaceable fan tray, and a field-replaceable uplink module.
The EX 4200 switches support connection of Virtual Chassis members using two dedicated Virtual Chassis ports (VCPs) on the rear panel or SFP uplink module ports.
The EX 4200 switches also support two internal load-sharing redundant hot-swappable
power supplies, field-replaceable fan trays with redundant blowers, and
field-replaceable uplink modules that provide SFP or XFP ports.
Notification of hardware issues is provided through system log messages and alarms.
Related Topics

For more information on high availability features, see the JUNOS Software High
Availability Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html.

Virtual Chassis Overview on page 133

Understanding Virtual Chassis Components on page 135

Understanding Virtual Chassis Configurations and Link Aggregation on page 144

Understanding Software Infrastructure and Processes


Each switch runs the JUNOS software for EX-series switches on its general-purpose
processors. JUNOS software includes processes for Internet Protocol (IP) routing and
for managing interfaces, networks, and the chassis.
The JUNOS software runs on the Routing Engine. The Routing Engine kernel
coordinates communication among the JUNOS software processes and provides a
link to the Packet Forwarding Engine.
With the J-Web interface and the command-line interface (CLI) to the JUNOS software,
you configure switching features and routing protocols and set the properties of
network interfaces on your switch. After activating a software configuration, use
either the J-Web or CLI user interface to monitor the switch, manage operations, and
diagnose protocol and network connectivity problems.

Routing Engine and Packet Forwarding Engine on page 17

JUNOS Software Processes on page 18

Routing Engine and Packet Forwarding Engine


A switch has two primary software processing components:

Packet Forwarding Engine: Processes packets; applies filters, routing policies, and other features; and forwards packets to the next hop along the route to their final destination.

Routing Engine: Provides three main functions:

Creates the packet forwarding switch fabric for the switch, providing route lookup, filtering, and switching on incoming data packets, then directing outbound packets to the appropriate interface for transmission to the network.

Maintains the routing tables used by the switch and controls the routing protocols that run on the switch.

Provides control and monitoring functions for the switch, including controlling power and monitoring system status.

JUNOS Software Processes


The JUNOS software running on the Routing Engine and Packet Forwarding Engine
consists of multiple processes that are responsible for individual functions.
The separation of functions provides operational stability, because each process
accesses its own protected memory space. In addition, because each process is a
separate software package, you can selectively upgrade all or part of the JUNOS
software, for added flexibility.
Table 3 on page 18 describes the primary JUNOS software processes.
Table 3: JUNOS Software Processes

Chassis process (chassisd)
  Detects hardware on the system that is used to configure network interfaces.
  Monitors the physical status of hardware components and field-replaceable units (FRUs), detecting when environment sensors such as temperature sensors are triggered.
  Relays signals and interrupts (for example, when devices are taken offline) so that the system can close sessions and shut down gracefully.

Ethernet switching process (eswd)
  Handles Layer 2 switching functionality such as MAC address learning, Spanning Tree Protocol, and access port security. The process is also responsible for managing Ethernet switching interfaces, VLANs, and VLAN interfaces.

Forwarding process (pfem)
  Defines how routing protocols operate on the switch. The overall performance of the switch is largely determined by the effectiveness of the forwarding process.

Interface process (dcd)
  Configures and monitors network interfaces by defining physical characteristics such as link encapsulation, hold times, and keepalive timers.

Management process (mgd)
  Provides communication between the other processes and an interface to the configuration database.
  Populates the configuration database with configuration information and retrieves the information when queried by other processes to ensure that the system operates as configured.
  Interacts with the other processes when commands are issued through one of the user interfaces on the switch.
  If a process terminates or fails to start when called, the management process attempts to restart it a limited number of times to prevent thrashing and logs any failure information for further investigation.

Routing protocol process (rpd)
  Defines how routing protocols such as RIP, OSPF, and BGP operate on the device, including selecting routes and maintaining forwarding tables.

Related Topics

For more information about processes, see the JUNOS Network Operations Guide
at http://www.juniper.net/techpubs/software/junos/junos90/index.html.

For more information about basic system parameters, supported protocols, and
software processes, see JUNOS System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html.

Supported Hardware

EX-series Switch Hardware Overview on page 19

EX 3200 Switch Models on page 21

EX 4200 Switch Models on page 22

EX-series Switch Hardware Overview


EX-series switches provide scalable connectivity for the enterprise market, including
branch offices, campus locations, and data centers. The switches run under the
JUNOS software, which provides Layer 2 and Layer 3 switching, routing, and security
services. The same JUNOS code base that runs on EX-series switches also runs on
all Juniper Networks J-series, M-series, MX-series, and T-series routing platforms.

EX-series Switch Types on page 19

EX 3200 Switches on page 20

EX 4200 Switches on page 20

Uplink Modules on page 21

Power over Ethernet (PoE) Ports on page 21

EX-series Switch Types


EX-series switches are available in two product lines:

EX 3200 switches: Typically, you deploy these switches in branch environments or wiring closets.

EX 4200 switches: You can interconnect EX 4200 switches to form a virtual chassis that operates as a single network entity. You can deploy these switches wherever you need a high density of Gigabit Ethernet ports (24 to 480 ports), redundancy, or the ability to span a single switch across several wiring closets. Typically, EX 4200 switches are used in large branch offices, campus wiring closets, and top-of-rack locations in a data center.

Both lines have these features:

Run under JUNOS software for EX-series switches

Have options of 24-port and 48-port models

Have options of full (all ports) or partial (8 ports) Power over Ethernet (PoE)
capability

Have optional uplink modules that provide connection to distribution switches

EX 3200 Switches
EX 3200 switches provide connectivity for low-density environments. Typically, you
deploy these switches in branch environments or wiring closets where only one
switch is required.
EX 3200 switches are available in models with either 24 or 48 ports and with either
all ports equipped for Power over Ethernet (PoE) or only 8 ports equipped for PoE.
All ports have 10/100/1000Base-T Gigabit Ethernet connectors.
EX 3200 switches include:

A field-replaceable power supply and an optional additional connection to an external power source.

A field-replaceable fan tray with single fan.

JUNOS software with its modular design that enables failed system processes to
gracefully restart.

EX 4200 Switches
EX 4200 switches provide connectivity for medium- and high-density environments
and scalability for growing networks. These switches can be deployed wherever you
need a high density of Gigabit Ethernet ports (24 to 480 ports) or redundancy.
Typically, EX 4200 switches are used in large branch offices, campus wiring closets,
and data centers where they can be positioned as the top device in a rack to provide
connectivity for all the devices in the rack.
You can connect individual EX 4200 switches together to form one unit and manage
the unit as a single chassis, called a virtual chassis. You can add more member
switches to the virtual chassis as needed, up to a total of 10 members.
EX 4200 switches are available in models with 24 or 48 ports and with either all
ports equipped for Power over Ethernet (PoE) or only 8 ports equipped for PoE. All
models provide ports that have 10/100/1000Base-T Gigabit Ethernet connectors and
optional small form-factor pluggable (SFP) transceivers or 10-gigabit small form-factor
pluggable (XFP) transceivers for use with fiber connections.
Additionally, a 24-port model provides 100Base-FX/1000Base-X SFP transceivers.
This model is typically used as a small distribution switch.
All EX 4200 switches have dedicated 64-Gbps virtual chassis ports that allow you to
connect the switches to each other. You can also use optional 10-Gbps uplink ports
to connect members of a virtual chassis across multiple wiring closets.
To provide carrier-class reliability, EX 4200 switches include:

Dual redundant power supplies that are field-replaceable and hot-swappable. An optional additional connection to an external power source is also available.

A field-replaceable fan tray with three fans. The switch remains operational if a single fan fails.

Redundant Routing Engines in a virtual chassis configuration. This redundancy enables GRES (Graceful Routing Engine Switchover) and nonstop active routing.

JUNOS software with its modular design that enables failed system processes to
gracefully restart.

Uplink Modules
Optional uplink modules are available for all EX 3200 and EX 4200 models. Uplink
modules provide either two 10-gigabit small form-factor pluggable (XFP) transceivers
or four 1-gigabit small form-factor pluggable (SFP) transceivers. You can use SFP or
XFP ports to connect an access switch to a distribution switch or to interconnect
member switches of a virtual chassis across multiple wiring closets.

NOTE: If you insert a transceiver in an SFP uplink module installed in an EX 3200 switch, a corresponding network port from the last four ports is disabled. For example, if you insert an SFP transceiver in ge-0/1/3, ge-0/0/23 is disabled. The disabled port is not listed in the output of show interface commands.

Power over Ethernet (PoE) Ports


PoE ports provide electrical current to devices through the network cables so that
separate power cords for devices such as IP phones, wireless access points, and
security cameras are unnecessary. Both the EX 3200 and EX 4200 switch lines have
options of full (all 24 or 48 ports) or partial (8 ports) PoE capability.
Full PoE models are primarily used in IP telephony environments. Partial PoE models
are used in environments where, for example, only a few ports for wireless access
points or security cameras are required.
Related Topics

EX 3200 Switch Models on page 21

EX 4200 Switch Models on page 22

Field-Replaceable Units in EX-series Switches

Site Preparation Checklist for EX-series Switches

EX 3200 Switch Models


The EX 3200 switch is available with 24 or 48 ports with partial or full Power over
Ethernet (PoE) capability. Table 4 on page 21 lists the EX 3200 switch models.
Table 4: EX 3200 Switch Models

Model        Typical Deployment              Access Ports         Number of PoE-enabled Ports   Power Supply (Minimum)
EX 3200-24T  Access or Distribution switch   24 Gigabit Ethernet  First 8 ports                 320 W
EX 3200-24P  Access switch                   24 Gigabit Ethernet  All 24 ports                  600 W
EX 3200-48T  Access or Distribution switch   48 Gigabit Ethernet  First 8 ports                 320 W
EX 3200-48P  Access switch                   48 Gigabit Ethernet  All 48 ports                  930 W

Related Topics

EX 4200 Switch Models on page 22

EX 3200 Switch: Front-Panel Description

EX 3200 Switch: Rear-Panel Description

EX-series Switch Hardware Overview on page 19

EX 4200 Switch Models


The EX 4200 switch is available with 24 or 48 ports and with partial or full Power
over Ethernet (PoE) capability. Table 5 on page 22 lists the EX 4200 switch models.
Table 5: EX 4200 Switch Models

Model        Ports                                              Number of PoE-enabled Ports   Power Supply (Minimum)
EX 4200-24T  24 Gigabit Ethernet                                First 8 ports                 320 W
EX 4200-24P  24 Gigabit Ethernet                                All 24 ports                  600 W
EX 4200-48T  48 Gigabit Ethernet                                First 8 ports                 320 W
EX 4200-48P  48 Gigabit Ethernet                                All 48 ports                  930 W
EX 4200-24F  24 small form-factor pluggable (SFP) transceivers  Not applicable                320 W

Related Topics

EX 3200 Switch Models on page 21

EX 4200 Switch: Front-Panel Description

EX 4200 Switch: Rear-Panel Description

EX-series Switch Hardware Overview on page 19

Part 2

Complete Software Configuration Statement

Complete Software Configuration Statement Hierarchy on page 25

Chapter 2

Complete Software Configuration Statement Hierarchy

[edit access] Configuration Statement Hierarchy on page 25

[edit chassis] Configuration Statement Hierarchy on page 26

[edit class-of-service] Configuration Statement Hierarchy on page 26

[edit ethernet-switching-options] Configuration Statement Hierarchy on page 27

[edit firewall] Configuration Statement Hierarchy on page 29

[edit interfaces] Configuration Statement Hierarchy on page 29

[edit poe] Configuration Statement Hierarchy on page 30

[edit protocols] Configuration Statement Hierarchy on page 31

[edit snmp] Configuration Statement Hierarchy on page 34

[edit virtual-chassis] Configuration Statement Hierarchy on page 35

[edit vlans] Configuration Statement Hierarchy on page 35

[edit access] Configuration Statement Hierarchy


access {
profile profile-name {
accounting {
order [ radius | none ];
stop-on-access-deny;
stop-on-failure;
}
authentication-order [ authentication-method ];
radius {
accounting-server [ server-address ];
authentication-server [ server-address ];
}
}
}
Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 670

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761

[edit chassis] Configuration Statement Hierarchy


chassis {
aggregated-devices {
ethernet {
device-count number;
}
}
}
Related Topics

JUNOS Software Hierarchy and RFC Reference at
http://www.juniper.net/techpubs/software/junos/junos90/index.html

[edit class-of-service] Configuration Statement Hierarchy


class-of-service {
classifiers {
(dscp | ieee-802.1 | inet-precedence) classifier-name {
import (classifier-name | default);
forwarding-class class-name {
loss-priority loss-priority {
code-points [ aliases ] [ 6 bit-patterns ];
}
}
}
}
code-point-aliases {
(dscp | ieee-802.1 | inet-precedence) {
alias-name bits;
}
}
forwarding-classes {
class class-name queue-num queue-number;
}
interfaces {
interface-name {
scheduler-map map-name;
unit logical-unit-number {
forwarding-class class-name;
classifiers {
(dscp | ieee-802.1 | inet-precedence) (classifier-name | default);
}
}
}
}
rewrite-rules {
(dscp | ieee-802.1 | inet-precedence) rewrite-name {
import (rewrite-name | default);
forwarding-class class-name {
loss-priority loss-priority code-point (alias | bits);
}
}
}

26

[edit chassis] Configuration Statement Hierarchy

Chapter 2: Complete Software Configuration Statement Hierarchy

scheduler-maps {
map-name {
forwarding-class class-name scheduler scheduler-name;
}
}
schedulers {
scheduler-name {
buffer-size (percent percentage | remainder);
drop-profile-map loss-priority loss-priority protocol protocol drop-profile
profile-name;
priority priority;
transmit-rate (rate | percent percentage | remainder);
}
}
}
Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Code-Point Aliases (CLI Procedure) on page 1032 or Defining CoS
Code-Point Aliases (J-Web Procedure) on page 1030

Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034

Defining CoS Forwarding Classes (CLI Procedure) on page 1036 or Defining CoS
Forwarding Classes (J-Web Procedure) on page 1037

Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1041

Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers
(J-Web Procedure) on page 1038

Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite
Rules (J-Web Procedure) on page 1042

Assigning CoS Components to Interfaces (CLI Procedure) on page 1044 or Assigning
CoS Components to Interfaces (J-Web Procedure) on page 1045

[edit ethernet-switching-options] Configuration Statement Hierarchy


ethernet-switching-options {
analyzer {
name {
loss-priority priority;
ratio number;
input {
ingress {
interface (all | interface-name);
vlan (vlan-id | vlan-name);
}
egress {
interface (all | interface-name);
}
}
output {
interface interface-name;
vlan (vlan-id | vlan-name);
}
}
}
bpdu-block {
interface (all | [interface-name]);
disable-timeout timeout;
}
redundant-trunk-group {
group-name name {
interface interface-name <primary>;
}
}
secure-access-port {
interface (all | interface-name) {
allowed-mac {
mac-address-list;
}
(dhcp-trusted | no-dhcp-trusted );
mac-limit limit action action;
static-ip ip-address {
vlan vlan-name;
mac mac-address;
}
}
vlan (all | vlan-name) {
(arp-inspection | no-arp-inspection );
(examine-dhcp | no-examine-dhcp );
(ip-source-guard | no-ip-source-guard);
mac-move-limit limit action action;
}
}
storm-control {
interface (all | interface-name) {
level level;
no-broadcast;
no-unknown-unicast;
}
}
traceoptions {
file filename <files number> <no-stamp> <replace> <size size> <world-readable
| no-world-readable>;
flag flag <disable>;
}
voip {
interface (all | [interface-name | access-ports]) {
vlan vlan-name ;
forwarding-class <assured-forwarding | best-effort | expedited-forwarding |
network-control>;
}
}
}
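A hardened access VLAN built from the secure-access-port, bpdu-block and storm-control statements listed above, as an added example and not the guide's own configuration. The VLAN name, the roles of the interfaces, the printer's MAC and IP addresses, and the storm-control level (taken to be bits per second) are assumptions; drop is the JUNOS value used here for the action placeholder of mac-limit and mac-move-limit.

```junos
ethernet-switching-options {
    secure-access-port {
        /* The uplink towards the DHCP server is the only port allowed to
           deliver DHCP server replies; every other port stays untrusted. */
        interface ge-0/0/23.0 {
            dhcp-trusted;
        }
        /* A user port learns at most three MAC addresses; frames from any
           further address are dropped instead of being learned. */
        interface ge-0/0/1.0 {
            no-dhcp-trusted;
            mac-limit 3 action drop;
        }
        /* A printer with a fixed address (values assumed): bind its address
           to the port so that DHCP snooping and IP source guard admit it
           even though it never takes a DHCP lease. */
        interface ge-0/0/10.0 {
            allowed-mac {
                00:05:85:aa:bb:cc;
            }
            static-ip 10.1.100.50 {
                vlan access-users;
                mac 00:05:85:aa:bb:cc;
            }
        }
        vlan access-users {
            examine-dhcp;          /* build the DHCP snooping database */
            arp-inspection;        /* check ARP replies against that database */
            ip-source-guard;       /* drop IP packets whose source is not bound to the port */
            mac-move-limit 5 action drop;
        }
    }
    /* User ports should never receive spanning-tree BPDUs: block a port
       that does and re-enable it automatically after 300 seconds. */
    bpdu-block {
        interface [ ge-0/0/1.0 ge-0/0/10.0 ];
        disable-timeout 300;
    }
    storm-control {
        interface all {
            level 1000000;   /* unit assumed to be bits per second */
        }
    }
}
```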
Related Topics

Port Mirroring on EX-series Switches Overview on page 1123

Port Security for EX-series Switches Overview on page 654

Understanding 802.1X and VoIP on EX-series Switches on page 652

Understanding Redundant Trunk Links on EX-series Switches on page 365

Understanding Storm Control on EX-series Switches on page 367

[edit firewall] Configuration Statement Hierarchy


firewall {
family family-name {
filter filter-name {
term term-name {
from {
match-conditions;
}
then {
action;
action-modifiers;
}
}
}
}
policer policer-name {
if-exceeding {
bandwidth-limit bps;
burst-size-limit bytes;
}
then {
policer-action;
}
}
}
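The placeholders match-conditions, action and action-modifiers above filled in for one defensive use, as an added example that is not from the guide: ICMP entering an access VLAN is policed, Telnet is counted and discarded, and everything else is accepted. The filter, policer and VLAN names are assumptions; protocol, destination-port, count, discard and policer are the JUNOS match conditions and actions for a family ethernet-switching filter, and the filter is attached with the filter input statement of the [edit vlans] hierarchy shown later in this chapter.

```junos
firewall {
    family ethernet-switching {
        filter protect-access-vlan {
            /* ICMP is allowed, but only up to the policer's rate. */
            term rate-limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-1m;
                    count icmp-seen;
                    accept;
                }
            }
            /* Cleartext management protocol: count it so that attempts are
               visible in show firewall, then discard it. */
            term block-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then {
                    count telnet-blocked;
                    discard;
                }
            }
            /* A filter ends with an implicit discard, so everything else
               must be accepted explicitly. */
            term allow-rest {
                then {
                    accept;
                }
            }
        }
    }
    policer icmp-1m {
        if-exceeding {
            bandwidth-limit 1m;      /* 1 Mbps sustained */
            burst-size-limit 15k;    /* 15 KB burst */
        }
        then {
            discard;
        }
    }
}
vlans {
    access-users {
        vlan-id 100;                          /* VLAN name and id assumed */
        filter input protect-access-vlan;     /* applies to frames entering the VLAN */
    }
}
```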
Related Topics

Firewall Filter Configuration Statements Supported by JUNOS Software for
EX-series Switches on page 968

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923

Configuring Firewall Filters (CLI Procedure) on page 945

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 954

Firewall Filters for EX-series Switches Overview on page 899

[edit interfaces] Configuration Statement Hierarchy


interfaces {
ae-x {
aggregated-ether-options {
lacp mode {
periodic interval;
}
}
}
ge-chassis/pic/port {
description text;
ether-options {
802.3ad aex;
auto-negotiation;
flow-control;
link-mode mode;
speed (speed | auto-negotiation | no-autonegotiation);
}
mtu bytes;
unit logical-unit-number {
family ethernet-switching {
filter input filter-name;
filter output filter-name;
l3-interface interface-name-logical-unit-number;
native-vlan-id vlan-id;
port-mode mode;
vlan {
members [ (names | vlan-ids) ];
translate vlan-id1 vlan-id2;
}
}
vlan-id vlan-id-number;
}
vlan-tagging;
}
}
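A two-link LAG whose members sit on different Virtual Chassis members, as described under Link Aggregation, built from the [edit chassis] aggregated-devices statement and the [edit interfaces] statements above; this is an added example, not the guide's own. The interface names, VLAN names and the choice of active LACP with fast periodic timers are assumptions (active and fast are the JUNOS values for the mode and interval placeholders).

```junos
chassis {
    aggregated-devices {
        ethernet {
            device-count 1;   /* creates the logical interface ae0 */
        }
    }
}
interfaces {
    /* One member link on Virtual Chassis member 0 and one on member 1,
       so the bundle survives the loss of an entire member switch. */
    ge-0/0/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-1/0/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        description "LACP bundle to the distribution switch";
        aggregated-ether-options {
            lacp {
                active;          /* this side initiates LACP negotiation */
                periodic fast;   /* LACPDUs every second; a dead link is detected in 3 s */
            }
        }
        /* Layer 2 properties are set on the bundle, never on the member links. */
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ access-users printers ];   /* VLAN names assumed */
                }
            }
        }
    }
}
```

With LACP active on one side and at least passive on the other, a member link whose partner stops answering is removed from the bundle and traffic continues over the remaining link.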
Related Topics

EX-series Switches Interfaces Overview on page 259

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 293

Configuring a Layer 3 Subinterface (CLI Procedure)

[edit poe] Configuration Statement Hierarchy


poe {
guard-band watts;
interface (all | interface-name) {
disable;
maximum-power watts;
priority value;
telemetries {
disable;
duration hours;
interval minutes;
}
}
management type;
}
Related Topics

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1094

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100

PoE and EX-series Switches Overview on page 1087

[edit protocols] Configuration Statement Hierarchy


protocols {
dot1x {
authenticator {
authentication-profile-name access-profile-name;
static {
mac-address {
vlan-assignment (vlan-id |vlan-name);
interface interface-names;
}
}
interface (all | interface-name) {
disable;
guest-vlan (vlan-name | vlan-id);
maximum-requests seconds;
no-reauthentication;
quiet-period seconds;
reauthentication {
interval seconds;
}
retries number;
server-timeout seconds;
supplicant (single | single-secure | multiple);
supplicant-timeout seconds;
transmit-period seconds;
}
}
}
gvrp {
<enable | disable>;
interface (all | [interface-name]) {
disable;
}
join-timer milliseconds;
leave-timer milliseconds;
leaveall-timer milliseconds;
}
igmp-snooping {
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable>
<match regex>;
flag flag (detail | disable | receive | send);
}
vlan (vlan-id | vlan-name) {
disable {
interface interface-name;
}
immediate-leave;

interface interface-name {
multicast-router-interface;
static {
group ip-address;
}
}
query-interval seconds;
query-last-member-interval seconds;
query-response-interval seconds;
robust-count number;
}
}
lldp {
disable;
advertisement-interval seconds;
hold-multiplier number;
interface (all | interface-name) {
disable;
}
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable>
<match regex>;
flag flag (detail | disable | receive | send);
}
transmit-delay seconds;
}
lldp-med {
disable;
fast-start number;
interface (all | interface-name) {
disable;
location {
elin number;
civic-based {
what number;
country-code code;
ca-type {
number {
ca-value value;
}
}
}
}
}
}
mstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
configuration-name name;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {

block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
max-hops hops;
msti msti-id {
vlan (vlan-id | vlan-name);
interface interface-name {
disable;
cost cost;
edge;
mode mode;
priority priority;
}
}
revision-level revision-level;
traceoptions {
file filename <files number > <size size> <no-stamp | world-readable |
no-world-readable>;
flag flag;
}
}
rstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
traceoptions {
file filename <files number > <size size> <no-stamp | world-readable |
no-world-readable>;
flag flag;
}
}
stp {
disable;

bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
disable;
bpdu-timeout-action {
block;
alarm;
}
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
traceoptions {
file filename <files number > <size size> <no-stamp | world-readable |
no-world-readable>;
flag flag;
}
}
}
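A RADIUS-backed 802.1X authenticator that ties the [edit access] profile hierarchy earlier in this chapter to the dot1x statements above, as an added example rather than the guide's own configuration. The server address, shared secret, profile, VLAN and interface names and the printer's MAC address are placeholders; the radius-server stanza, which holds the shared secret, is a JUNOS [edit access] statement that the hierarchy listing above does not show.

```junos
access {
    /* The shared secret lives here; replace the placeholder before commit. */
    radius-server {
        192.0.2.10 {
            secret "replace-with-shared-secret";
        }
    }
    profile dot1x-users {
        authentication-order radius;
        radius {
            authentication-server 192.0.2.10;
            accounting-server 192.0.2.10;
        }
        accounting {
            order radius;
            stop-on-access-deny;   /* send an accounting stop when access is denied */
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name dot1x-users;
            /* A printer that cannot run a supplicant: bypass 802.1X for this
               MAC only, and only on its own port, placing it in its VLAN. */
            static {
                00:05:85:aa:bb:cc/48 {
                    vlan-assignment printers;
                    interface ge-0/0/10.0;
                }
            }
            /* Single-user desk port: exactly one supplicant, re-authenticated
               every hour; a host without a supplicant lands in the guest VLAN. */
            interface ge-0/0/1.0 {
                supplicant single-secure;
                reauthentication {
                    interval 3600;
                }
                server-timeout 30;
                guest-vlan guest;
            }
            /* Port behind a hub or an IP phone: each MAC address is
               authenticated separately instead of riding on the first one. */
            interface ge-0/0/2.0 {
                supplicant multiple;
                reauthentication {
                    interval 3600;
                }
            }
        }
    }
}
```

A port not listed under authenticator is not subject to 802.1X at all, so the interface statements (or interface all) define the enforcement boundary.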
Related Topics

802.1X for EX-series Switches Overview on page 639
Example: Configure Automatic VLAN Administration Using GVRP on page 393
IGMP Snooping on EX-series Switches Overview on page 581
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648
Understanding MSTP for EX-series Switches on page 422
Understanding RSTP for EX-series Switches on page 421
Understanding STP for EX-series Switches on page 420

[edit snmp] Configuration Statement Hierarchy


snmp {
rmon {
history index {
bucket-size number;
interface interface-name;
interval seconds;
owner owner-name;
}
}
}
Related Topics

Configuring SNMP (J-Web Procedure) on page 596
JUNOS Software Network Management Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html


[edit virtual-chassis] Configuration Statement Hierarchy


virtual-chassis {
mac-persistence-timer seconds;
preprovisioned;
member member-id {
mastership-priority number;
no-management-vlan;
serial-number;
role;
}
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
flag flag;
}
}
Related Topics

Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 147
Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 163
Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 184
Configuring a Virtual Chassis (CLI Procedure) on page 199
Configuring a Virtual Chassis (J-Web Procedure) on page 197
Virtual Chassis Overview on page 133

[edit vlans] Configuration Statement Hierarchy


vlans {
vlan-name {
mac-limit action;
description text-description;
filter input filter-name;
filter output filter-name;
l3-interface vlan.logical-interface-number;
mac-table-aging-time seconds;
vlan-id number;
vlan-range vlan-id-low-vlan-id-high;
}
}
Related Topics

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369
Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376
Example: Configure Automatic VLAN Administration Using GVRP on page 393


Example: Connecting an Access Switch to a Distribution Switch on page 384

Understanding Bridging and VLANs on EX-series Switches on page 359


Part 3

Software User Interfaces

JUNOS Command-Line Interface on page 39

J-Web Graphical User Interface on page 43


Chapter 3

JUNOS Command-Line Interface

JUNOS CLI on page 39

CLI User Interface Overview on page 39

JUNOS CLI

CLI User Interface Overview


You can use two interfaces to monitor, configure, troubleshoot, and manage an
EX-series switch: the J-Web graphical user interface and the JUNOS command-line
interface (CLI). Both of these user interfaces are shipped with the switch. This topic
describes the CLI. For information about the J-Web user interface, see J-Web User
Interface for EX-series Switches Overview on page 43.

CLI Overview on page 39

CLI Help and Command Completion on page 39

CLI Command Modes on page 40

CLI Overview
The JUNOS CLI is a Juniper Networks-specific command shell that runs on top of a
UNIX-based operating system kernel. The CLI provides command help and command
completion.
The CLI also provides a variety of UNIX utilities, such as:
Emacs-style keyboard sequences that allow you to move around on a command line
and scroll through recently executed commands.
Regular expression matching to locate and replace values and identifiers in a
configuration, filter command output, or log file entries.
Storing and archiving router files on a UNIX-based file system.
Exiting from the CLI environment and creating a UNIX C shell or Bourne shell to
navigate the file system, manage switch processes, and so on.

CLI Help and Command Completion


To access CLI Help, type a question mark (?) at any level of the hierarchy. The system
displays a list of the available commands or statements and a short description of
each.


To complete a command, statement, or option that you have partially typed, press
the Tab key or the Spacebar. If the partially typed letters uniquely identify a command,
the complete command name appears. Otherwise, a beep indicates that you have
entered an ambiguous command and the possible completions are displayed. This
completion feature also applies to other strings, such as filenames, interface names,
usernames, and configuration statements.

CLI Command Modes


The CLI has two modes, operational mode and configuration mode.
In operational mode, you enter commands to monitor and troubleshoot switch
hardware and software and network connectivity. Operational mode is indicated by
the > prompt, for example, user@switch>.
In configuration mode, you can define all properties of the JUNOS software, including
interfaces, VLANs, virtual chassis information, routing protocols, user access, and
several system hardware properties.
To enter configuration mode, enter the configure command:
user@switch> configure

Configuration mode is indicated by the # prompt, which includes the current location
in the configuration hierarchy, for example:
[edit interfaces ge-0/0/12]
user@switch#

In configuration mode, you are actually viewing and changing the candidate
configuration file. The candidate configuration allows you to make configuration
changes without causing operational changes to the current operating configuration,
called the active configuration. When you commit the changes you added to the
candidate configuration, the system updates the active configuration. Candidate
configurations enable you to alter your configuration without causing potential damage
to your current network operations.
To activate your configuration changes, enter the commit command.
To return to operational mode, go to the top of the configuration hierarchy and then
quit, for example:
[edit interfaces ge-0/0/12]
user@switch# top
[edit]
user@switch# exit

You can also activate your configuration changes and exit configuration mode with
a single command, commit and-quit. This command succeeds only if there are no
mistakes or syntax errors in the configuration.

TIP: When you commit the candidate configuration, you can require an explicit
confirmation for the commit to become permanent by using the commit confirmed
command. This is useful for verifying that a configuration change works correctly
and does not prevent management access to the switch. After you issue the commit
confirmed command, you must issue another commit command within the defined
period of time (10 minutes by default) or the system reverts to the previous
configuration.
Related Topics

EX-series Switch Software Features Overview on page 3

JUNOS Software CLI User Guide at http://www.juniper.net/techpubs/software/junos.


Chapter 4

J-Web Graphical User Interface

J-Web Interface on page 43

J-Web User Interface for EX-series Switches Overview on page 43

Using the CLI Viewer in the J-Web Interface to View Configuration Text on page 47

Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration
Text on page 48

Using the CLI Editor in the J-Web Interface to Edit Configuration Text on page 49

Using the CLI Terminal on page 50

Understanding J-Web Configuration Tools on page 51

Starting the J-Web Interface on page 52

Understanding J-Web User Interface Sessions on page 53

J-Web Interface

J-Web User Interface for EX-series Switches Overview


You can use two interfaces to monitor, configure, troubleshoot, and manage an
EX-series switch: the J-Web graphical user interface and the JUNOS command-line
interface (CLI). Both of these user interfaces are shipped with the switch. This topic
describes the J-Web interface. You can navigate the J-Web interface, scroll pages,
and expand and collapse elements as you do in a typical Web browser interface. For
information about the CLI user interface, see CLI User Interface
Overview on page 39.
Use Internet Explorer version 6.0 and higher, or Firefox version 2.0 and higher, to
access the J-Web interface.

NOTE: The browser and the network must support receiving and processing HTTP
1.1 GZIP compressed data.
Each page of the J-Web interface is divided into panes.

Top pane: Displays system identity information and links.
Main pane: Location where you monitor, configure, diagnose (troubleshoot), and
manage (maintain) the switch by entering information in text boxes, making
selections, and clicking buttons.
Side pane: Displays suboptions of the Monitor, Configure, Troubleshoot, or Maintain
task currently displayed in the main pane. Click a suboption to access it in the main
pane.

The layout of the panes allows you to quickly navigate through the interface.
Table 6 on page 46 summarizes the elements of the J-Web interface.
The J-Web interface provides CLI tools that allow you to perform all of the tasks that
you can perform from the JUNOS command-line interface (CLI), including a CLI
Viewer to view the current configuration, a CLI Editor for viewing and modifying the
configuration, and a Point & Click CLI editor that allows you to click through all of
the available CLI statements.

Table 6: J-Web Interface

J-Web Interface Element: Description

Top Pane
hostname: Hostname of the switch.
Logged in as: username. Username you used to log in to the switch.
Help: Link to context-sensitive help information.
About: Displays information about the J-Web interface, such as the version number.
Logout: Ends your current login session with the switch and returns you to the login
page.
Taskbar: Menu of J-Web main options. Click the tab to access the option.
  Dashboard: Displays a high-level, graphical view of the chassis and status of the
  switch. It displays system health information, alarms, and system status.
  Configure: Configure the switch, and view configuration history.
  Monitor: View information about configuration and hardware on the switch.
  Maintain: Manage files and licenses, upgrade software, and reboot the switch.
  Troubleshoot: Run diagnostic tools to troubleshoot network issues.

Main Pane
Help (?) icon: Displays useful information, such as the definition, format, and valid
range of an option, when you move the cursor over the question mark.
Red asterisk (*): Indicates a required field.
Icon legend: (Applies to the Point & Click CLI editor only) Explains icons that appear
in the user interface to provide information about configuration statements:
  C: Comment. Move your cursor over the icon to view a comment about the
  configuration statement.
  I: Inactive. The configuration statement does not affect the switch.
  M: Modified. The configuration statement has been added or modified.
  *: Mandatory. The configuration statement must have a value.

Task Pane
Configuration hierarchy: (Applies to the JUNOS CLI configuration editor only)
Displays the hierarchy of committed statements in the switch configuration.
  Click Expand all to display the entire hierarchy.
  Click Hide all to display only the statements at the top level.
  Click plus signs (+) to expand individual items.
  Click minus signs (-) to hide individual items.

Related Topics

EX-series Switch Software Features Overview on page 3
EX-series Switch Hardware Overview on page 19
Connecting and Configuring the EX-series Switch (J-Web Procedure) on page 58
CLI User Interface Overview on page 39


Using the CLI Viewer in the J-Web Interface to View Configuration Text
To view the entire configuration file contents in text format, select Configure > CLI
Tools > CLI Viewer. The main pane displays the configuration in text format.
Each level in the hierarchy is indented to indicate each statement's relative position
in the hierarchy. Each level is generally set off with braces, with an opening brace ({)
at the beginning of each hierarchy level and a closing brace (}) at the end. If the
statement at a hierarchy level is empty, the braces are not displayed. Each leaf
statement ends with a semicolon (;), as does the last statement in the hierarchy.
This indented representation is used when the configuration is displayed or saved
as an ASCII file. However, when you load an ASCII configuration file, the format of
the file is not so strict. The braces and semicolons are required, but the indentation
and use of new lines are not required in ASCII configuration files.
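As an added example (not code from this guide or from Juniper), the following Python parser reads configuration text in the brace-and-semicolon format just described, accepting the loosely formatted form that a loaded ASCII file may use, and re-emits it in the strictly indented style the CLI Viewer displays. The sample configuration, the four-space indentation and the VLAN name management are constructed for the example.

```python
"""Parse and re-emit JUNOS-style configuration text (braces and semicolons)."""
import re

# Tokenizer: /* */ annotations and # comments are dropped; a double-quoted
# string stays one token so that description "uplink to core" survives.
_TOKEN = re.compile(
    r'/\*.*?\*/'        # block comment
    r'|#[^\n]*'         # line comment
    r'|"[^"]*"'         # double-quoted string
    r'|[{};]'           # structural tokens
    r'|[^\s{};"]+',     # bare word
    re.S,
)

def tokenize(text):
    return [t for t in _TOKEN.findall(text) if not t.startswith(("/*", "#"))]

def parse(text):
    """Return nested dicts; a leaf statement such as "vlan-id 100" maps to None."""
    tree, _ = _block(tokenize(text), 0, nested=False)
    return tree

def _block(tokens, pos, nested):
    # Braces and semicolons are required; indentation and newlines are not,
    # which is the rule the guide gives for loaded ASCII configuration files.
    result, words = {}, []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == ";":                      # leaf statement ends
            if not words:
                raise ValueError("empty statement before ';'")
            result[" ".join(words)] = None
            words = []
        elif tok == "{":                    # a hierarchy level opens
            if not words:
                raise ValueError("hierarchy level without a name")
            result[" ".join(words)], pos = _block(tokens, pos, nested=True)
            words = []
        elif tok == "}":                    # this hierarchy level closes
            if not nested:
                raise ValueError("unexpected '}' at top level")
            if words:
                raise ValueError(f"missing ';' after {' '.join(words)!r}")
            return result, pos
        else:
            words.append(tok)
    if nested:
        raise ValueError("missing '}' at end of input")
    if words:
        raise ValueError(f"missing ';' after {' '.join(words)!r}")
    return result, pos

def dump(tree):
    """Re-emit the tree in the CLI Viewer's indented style (4 spaces per level)."""
    lines = []
    _emit(tree, 0, lines)
    return "\n".join(lines) + "\n"

def _emit(tree, depth, lines):
    pad = "    " * depth
    for key, value in tree.items():
        if not value:                       # leaf, or empty level: no braces shown
            lines.append(f"{pad}{key};")
        else:
            lines.append(f"{pad}{key} {{")
            _emit(value, depth + 1, lines)
            lines.append(f"{pad}}}")

# Constructed sample: one configuration as a compact one-liner (legal for
# load) and in the indented form the CLI Viewer displays.
COMPACT = ("protocols{rstp{hello-time 2;interface ge-0/0/1{edge;"
           "bpdu-timeout-action{block;}}}}"
           "vlans{management{vlan-id 100;l3-interface vlan.100;}}")

INDENTED = """\
protocols {
    rstp {
        hello-time 2;
        interface ge-0/0/1 {
            edge;
            bpdu-timeout-action {
                block;
            }
        }
    }
}
vlans {
    management {
        vlan-id 100;
        l3-interface vlan.100;
    }
}
"""

if __name__ == "__main__":
    print(dump(parse(COMPACT)), end="")
```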


Related Topics

Understanding J-Web Configuration Tools on page 51

Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration Text
To edit the configuration on a series of pages of clickable options that step you
through the hierarchy, select Configure > CLI Tools > Point & Click CLI. The side pane
displays the top level of the configured hierarchy, and the main pane displays
configured hierarchy options and the Icon Legend.
To expand or hide the hierarchy of all the statements in the side pane, click Expand
all or Hide all. To expand or hide an individual statement in the hierarchy, click the
expand (+) or collapse (-) icon to the left of the statement.

TIP: Only those statements included in the committed configuration are displayed in
the hierarchy.

The configuration information in the main pane consists of configuration options
that correspond to configuration statements. Configuration options that contain
subordinate statements are identified by the term Nested.
To include, edit, or delete statements in the candidate configuration, click one of the
links described in Table 8 on page 48. Then specify configuration information by
typing in a field, selecting a value from a list, or clicking a check box (toggle).

Table 8: J-Web Edit Point & Click Configuration Links

Link: Function
Add new entry: Displays fields and lists for a statement identifier, allowing you to
add a new identifier to a statement.
Configure: Displays information for a configuration option that has not been
configured, allowing you to include a statement.
Delete: Deletes the corresponding statement or identifier from the configuration. All
subordinate statements and identifiers contained within a deleted statement are also
discarded.
Edit: Displays information for a configuration option that has already been
configured, allowing you to edit a statement.
Identifier: Displays fields and lists for an existing statement identifier, allowing you
to edit the identifier.

As you navigate through the configuration, the hierarchy level is displayed at the top
of the main pane. You can click a statement or identifier in the hierarchy to display
the corresponding configuration options in the main pane.
The main pane includes icons that display information about statements and
identifiers when you place your cursor over them. Table 9 on page 49 describes
these icons.

Table 9: J-Web Edit Point & Click Configuration Icons

Icon functions:
Displays a comment about a statement.
Indicates that a statement is inactive.
Indicates that a statement has been added or modified but has not been committed.
Indicates that the statement or identifier is required in the configuration.
Provides online help information.

After typing or selecting your configuration edits, click a button in the main pane
(described in Table 10 on page 49) to apply your changes or cancel them, refresh
the display, or discard parts of the candidate configuration. An updated configuration
does not take effect until you commit it.

Table 10: J-Web Edit Point & Click Configuration Buttons

Button: Function
Refresh: Updates the display with any changes to the configuration made by other
users.
Commit: Verifies edits and applies them to the current configuration file running on
the switch.
Discard: Removes edits applied to or deletes existing statements or identifiers from
the candidate configuration.

Related Topics

CLI User Interface Overview on page 39

Understanding J-Web Configuration Tools on page 51

Using the CLI Editor in the J-Web Interface to Edit Configuration Text
Use the CLI Editor to edit the configuration if you know the JUNOS CLI or prefer a
command interface.
To edit the entire configuration in text format:

CAUTION: We recommend that you use this method to edit and commit the
configuration only if you have experience editing configurations through the CLI.

1. Select Configure > CLI Tools > CLI Editor. The main pane displays the configuration
in a text editor.
2. Navigate to the hierarchy level you want to edit.
You can edit the candidate configuration using standard text editor
operations: insert lines (by using the Enter key), delete lines, and modify, copy,
and paste text.
3. Click Commit to load and commit the configuration.
The switching platform checks the configuration for the correct syntax before
committing it.

Related Topics

CLI User Interface Overview on page 39

Understanding J-Web Configuration Tools on page 51

Using the CLI Terminal


The J-Web CLI terminal provides access to the JUNOS command-line interface (CLI)
through the J-Web interface. The functionality and behavior of the CLI available
through the CLI terminal page is the same as that of the JUNOS CLI available through
the switch console. The CLI terminal supports all CLI commands and other features
such as CLI help and autocompletion. Using the CLI terminal page you can fully
configure, monitor, and manage the switch.

Before you can use the CLI terminal, you must configure the domain name and
hostname of the switch. See Configuring System Identity for the EX-Series Switch
(J-Web Procedure) for more information.

To access the CLI through the J-Web interface, your management device requires
the following features:

SSH access: Enable Secure Shell (SSH) on your system. SSH provides a secure
method of logging in to the switch and encrypts traffic so that it cannot be
intercepted. If SSH is not enabled on the system, the CLI terminal page displays an
error.
Java applet support: Make sure that your Web browser supports Java applets.
JRE installed on the client: Install Java Runtime Environment (JRE) version 1.4 or
later on your system. JRE is a software package that must be installed on a system
to run Java applications. Download the latest JRE version from the Java Software
Web site http://www.java.com/. Installing JRE installs Java plug-ins, which, once
installed, load automatically and transparently to render Java applets.

NOTE: The CLI terminal is supported on JRE version 1.4 and later only.
To access the CLI terminal, select Troubleshoot > CLI Terminal.
Related Topics

CLI User Interface Overview on page 39
Understanding J-Web Configuration Tools on page 51

Understanding J-Web Configuration Tools


The J-Web graphical user interface (GUI) allows you to monitor, configure,
troubleshoot, and manage the switching platform by means of a Web browser with
Hypertext Transfer Protocol (HTTP) or HTTP over Secure Sockets Layer (HTTPS)
enabled. The J-Web interface provides access to all the configuration statements
supported by the switch, so you can fully configure the switch without using the CLI.
The J-Web interface provides three methods of configuring the switch:

Configure menu
Point & Click CLI Editor
CLI Editor

Table 11 on page 51 gives a comparison of the three methods of configuration.

Table 11: Switching Platform Configuration Interfaces

Tool: Configure menu
Description: Web browser pages for setting up the switch quickly and easily without
configuring each statement individually. For example, use the Virtual Chassis
Configuration page to configure the virtual chassis parameters on the switch.
Function: Configure basic switch platform services: Interfaces, Switching, Virtual
Chassis, Security, Services, System Properties, Routing.
Use: Use for basic configuration.

Tool: Point & Click CLI editor
Description: Web browser pages divided into panes in which you can do any of the
following:
  Expand the entire configuration hierarchy and click a configuration statement to
  view or edit. The main pane displays all the options for the statement, with a text
  box for each option.
  Paste a complete configuration hierarchy into a scrollable text box, or edit
  individual lines.
  Upload or download a complete configuration.
  Roll back to a previous configuration.
  Create or delete a rescue configuration.
Function: Configure all switching platform services: System parameters, User
Accounting and Access, Interfaces, VLAN properties, Virtual Chassis properties,
Secure Access, Services, Routing protocols.
Use: Use for complete configuration if you are not familiar with the JUNOS CLI or
prefer a graphical interface.

Tool: CLI editor
Description: Interface in which you do any of the following:
  Type commands on a line and press Enter to create a hierarchy of configuration
  statements.
  Create an ASCII text file that contains the statement hierarchy.
  Upload a complete configuration, or roll back to a previous configuration.
  Create or delete a rescue configuration.
Function: Configure all switching platform services: System parameters, User
Accounting and Access, Interfaces, VLAN properties, Virtual Chassis properties,
Secure Access, Services, Routing protocols.
Use: Use for complete configuration if you know the JUNOS CLI or prefer a command
interface.

Related Topics

Understanding J-Web User Interface Sessions on page 53
J-Web User Interface for EX-series Switches Overview on page 43
Connecting and Configuring the EX-series Switch (J-Web Procedure) on page 58
Configuration Files Terms on page 72

Starting the J-Web Interface


You can use the J-Web graphical interface to configure and manage the EX-series
switch.
To start the J-Web interface:
1. Launch your HTTP-enabled or HTTPS-enabled Web browser.
To use HTTPS, you must have installed a certificate on the switch and enabled
HTTPS.
2. After http:// or https:// in your Web browser, type the hostname or IP address
of the switch and press Enter.
The J-Web login page appears.
3. On the login page, type your username and password, and click Log In.
To correct or change the username or password you typed, click Reset, type the
new entry or entries, and click Log In.

NOTE: The default username is root with no password. You must change this during
initial configuration or the system does not accept the configuration.
The Chassis Dashboard information page appears.
To explicitly terminate a J-Web session at any time, click Logout in the top pane.
Related Topics

J-Web User Interface for EX-series Switches Overview on page 43
Understanding How to Use the J-Web Interface to View System Information

Understanding J-Web User Interface Sessions


You establish a J-Web session with the switch through an HTTP-enabled or
HTTPS-enabled Web browser. The HTTPS protocol, which uses 128-bit encryption,
is available only in domestic versions of the JUNOS software. To use HTTPS, you
must have installed a certificate on the switch and enabled HTTPS. See Generating
SSL Certificates to Be Used for Secure Web Access on page 96.
When you attempt to log in through the J-Web interface, the switch authenticates
your username with the same methods used for Telnet and SSH.
If the switch does not detect any activity through the J-Web interface for 15 minutes,
the session times out and is terminated. You must log in again to begin a new session.
To explicitly terminate a J-Web session at any time, click Logout in the top pane.
Related Topics

J-Web User Interface for EX-series Switches Overview on page 43
Configuring Management Access for the EX-series Switch (J-Web Procedure) on page 93

Part 4

Initial Configuration, Software Installation, and Upgrades

Initial Configuration on page 57
Software Installation on page 63
Configuration File Management on page 71
Licenses on page 83

Chapter 5

Initial Configuration

Connecting and Configuring the EX-series Switch (CLI Procedure) on page 57

Connecting and Configuring the EX-series Switch (J-Web Procedure) on page 58

Connecting and Configuring the EX-series Switch (CLI Procedure)


There are two ways to connect and configure the EX-series switch: one method is
through the console using the CLI and the other is using the J-Web interface. This
section describes the CLI procedure.
To configure the switch from the console:
1.

Connect the console port to a laptop or PC using the RJ-45 to DB-9 serial port
adapter. The RJ-45 cable and RJ-45 to DB-9 serial port adapter are supplied with
the switch.

2.

At the shell prompt type ezsetup.

3.

Enter the hostname. This is optional.

4.

Enter the root password. You are prompted to re-enter the root password.

5.

Enter yes to enable services like Telnet and SSH. By default, Telnet is not enabled
and SSH is enabled.

6.

Next, select one of the switch management options:

Configure in-band management. In this scenario you have the following two

options:

Use the default VLAN.

Create a new VLANIf you select this option, you are prompted to
specify the VLAN name, VLAN ID, management IP address, default
gateway. Select the ports that must be part of this VLAN.

Configure out-of-band management. Specify the IP address and gateway of

the management interface. Use this IP address to connect to the switch.


7.

Specify the SNMP Read Community, Location, and Contact to configure SNMP
parameters. These parameters are optional.

8.

Specify the system date and time. Select the time zone from the list. These
options are optional.
The configured parameters are displayed. Enter yes to commit the configuration.

Connecting and Configuring the EX-series Switch (CLI Procedure)

57

Complete Software Guide for JUNOS for EX-series Software, Release 9.2

The configuration is committed as the active configuration for the switch. You
can now log in with the CLI or the J-Web interface to continue configuring the
switch. If you use the J-Web interface to continue configuring the switch, the
Web session is redirected to the new management IP address. If the connection
cannot be made, the J-Web interface displays instructions for starting a J-Web
session.
Related Topics

Connecting and Configuring the EX-series Switch (J-Web Procedure) on page 58

Installing and Connecting an EX-series Switch

EX-series Switch LCD

EX-series Switch Hardware Overview on page 19

EX-series Switch Software Features Overview on page 3

Connecting and Configuring the EX-series Switch (J-Web Procedure)


There are two ways to connect and configure the EX-series switch: one method is
through the console using the CLI and the other is using the J-Web interface. This
section describes the J-Web procedure.

NOTE: To obtain an IP address dynamically, you must enable a DHCP client on the
management PC you connect to the switch. If you have configured a static IP on
your PC, you will not be able to connect to the switch.


1. To transition the switch into initial setup mode, use the Menu and Enter buttons
to the right of the LCD panel on the front panel of the switch (see
Figure 3 on page 59):

Figure 3: LCD Panel (callouts: LCD panel, Menu button, Enter button, ALM, SYS,
and MST LEDs)

- Press Menu until you see MAINTENANCE MENU. Then press Enter.

- Press Menu until you see ENTER EZSetup. Then press Enter.

NOTE: If EZSetup does not appear as an option in the Maintenance menu, select
Factory Default to return the switch to the factory default configuration. EZSetup is
displayed in the menu only when the switch is set to the factory default configuration.

- Press Enter to confirm setup and continue with EZSetup.

The ge-0/0/0 interface on the front panel of the switch is configured as the DHCP
server with the default IP address, 192.168.1.1. The switch can assign an IP
address to the management PC in the IP address range 192.168.1.2 through
192.168.1.253.

NOTE: You must complete the initial configuration using the J-Web interface within
10 minutes. The LCD displays a count-down timer once you connect the switch to
the management PC. The switch exits the EZSetup mode after 10 minutes and reverts
to factory configuration, and the PC loses connectivity to the switch.

2. Insert one end of the Ethernet cable into the Ethernet port on the PC and connect
the other end to port 0 (ge-0/0/0) on the front panel of the switch (see
Figure 4 on page 60).


Figure 4: Connecting PC to Port 0

3. From the PC, open a Web browser, type http://192.168.1.1 in the address field,
and press Enter.

4. On the Login page, type root as the username, leave the password field blank,
and click Login.

5. On the Introduction page, click Next.

6. On the Basic Settings page, modify the hostname, the root password, and date
and time settings.

- Enter the hostname. This is optional.

- Enter a password and reenter the password.

- Specify the time zone.

- Synchronize the date and time settings of the switch with the management
PC or set them manually by selecting the appropriate option button. This is
optional.

Click Next.

7. Use the Management Options page to select the management scenario:

- In-band Management-Use VLAN 'default' for management.
Select this option to configure all data interfaces as members of the default
VLAN. Click Next. Specify the management IP address and the default
gateway for the default VLAN.

- In-band Management-Create new VLAN for management.
Select this option to create a management VLAN. Click Next. Specify the
VLAN name, VLAN ID, member interfaces, and management IP address and
default gateway for the new VLAN.

- Out-of-band Management-Configure management port.
Select this option to configure only the management interface. Click Next.
Specify the IP address and default gateway for the management interface.

8. Click Next.

9. On the Manage Access page, you may select options to enable Telnet, SSH, and
SNMP services. For SNMP, you can configure the read community, location, and
contact.

10. Click Next.

11. The Summary screen displays the configured settings. Click Finish.

The configuration is committed as the active configuration for the switch. You can
now log in with the CLI or the J-Web interface to continue configuring the switch. If
you use the J-Web interface to continue configuring the switch, the Web session is
redirected to the new management IP address. If the connection cannot be made,
the J-Web interface displays instructions for starting a J-Web session.

NOTE: After the configuration takes effect, you might lose connectivity between the
PC and the switch. To renew the connection, release and renew the IP address by
executing the appropriate commands on the management PC or by removing and
re-inserting the Ethernet cable.
Related Topics

Connecting and Configuring the EX-series Switch (CLI Procedure) on page 57

Installing and Connecting an EX-series Switch

EX-series Switch Hardware Overview on page 19

EX-series Switch Software Features Overview on page 3

EX-series Switch LCD


Chapter 6

Software Installation

Software Installation on page 63

Software Installation

Understanding Software Installation on EX-series Switches on page 63

JUNOS Software Package Names on page 65

Downloading Software Packages from Juniper Networks on page 65

Installing Software on EX-series Switches (CLI Procedure) on page 66

Installing Software on EX-series Switches (J-Web Procedure) on page 67

Troubleshooting Software Installation on page 68

Understanding Software Installation on EX-series Switches


An EX-series switch is delivered with the JUNOS software preinstalled. As new features
and software fixes become available, you must upgrade your software to use them.
You can also downgrade a newly purchased system to a previous JUNOS software
release if you want to maintain consistent versions in your network.
This topic covers:

Overview of the Software Installation Process on page 63

Installing Software on a Virtual Chassis on page 64

Software Package Security on page 64

Troubleshooting Software Installation on page 64

Overview of the Software Installation Process


An EX-series switch is delivered with the JUNOS software preinstalled. When you
connect power to the switch, it starts (boots) up from the installed software.
You upgrade the JUNOS software on an EX-series switch by copying a software
package to your switch or to another system on your local network, then using either
the J-Web interface or the CLI to install the new software package on the switch.
Finally, you reboot the switch, at which time it boots from the upgraded software.


During a successful upgrade, the upgrade package removes all files from /var/tmp
and completely reinstalls the existing software. It retains configuration files, and
similar information, such as secure shell and host keys, from the previous version.
The previous software package is preserved in a separate disk partition, and you can
manually revert back to it if necessary. If the software installation fails for any reason,
such as loss of power during the installation process, the system returns to the
originally active installation when you reboot.
After a successful upgrade, remember to back up the new current configuration to
the secondary device.

Installing Software on a Virtual Chassis


You can connect individual EX 4200 switches together to form one unit and manage
the unit as a single chassis, called a virtual chassis. The virtual chassis operates as a
single network entity comprised of members. Each member of a virtual chassis runs
JUNOS software packages.
For ease of management, the virtual chassis provides flexible methods to upgrade
software releases. You can deploy a new software release to all of the members of
a virtual chassis or to only a particular member.

Software Package Security


All JUNOS software is delivered in signed packages; the digital signatures confirm
that the software is official Juniper Networks software. For more information about
signed software packages, see the JUNOS Software Installation and Upgrade Guide at
http://www.juniper.net/techpubs/software/junos/.

Troubleshooting Software Installation


If the JUNOS software loads but the CLI is not working for any reason, or if the switch
has no software installed, you can use the recovery installation procedure to install
the JUNOS software on the switch. See Troubleshooting Software Installation on
page 68.

NOTE: You can also use this procedure to load two versions of JUNOS software in
separate partitions on the switch.
Related Topics

Downloading Software Packages from Juniper Networks on page 65

Installing Software on EX-series Switches (J-Web Procedure) on page 67

Installing Software on EX-series Switches (CLI Procedure) on page 66

Troubleshooting Software Installation on page 68

JUNOS Software Package Names


You upgrade the JUNOS software on an EX-series switch by copying a software
package to your switch or another system on your local network, then install the
new software package on the switch.
A software package name is in the following format:
package-name-m.nZx-distribution.tgz

- package-name is the name of the package; for example, jinstall-ex.

- m.n is the software release, with m representing the major release number and
n representing the minor release number; for example, 9.1.

- Z indicates the type of software release. For example, R indicates released
software, and B indicates beta-level software.

- x represents the version of the major software release; for example, 2.

- distribution indicates the area for which the software package is provided. For
most JUNOS packages, domestic is used for the United States and Canada and
export for worldwide distribution. However, for EX-series software, the domestic
package is used for worldwide distribution as well.

A sample EX-series software package name is jinstall-ex-9.0R2-domestic.tgz.
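As an added example (not Juniper code), the following Python parses file names in this format and applies a pre-install check drawn from the rules above: the package must be jinstall-ex, use the domestic distribution, and be a released (R) rather than beta (B) build. Refusing beta builds by default, rejecting release-type letters other than R and B, and the numeric release comparison are this example's own assumptions.

```python
"""Parse and sanity-check JUNOS package file names of the form
package-name-m.nZx-distribution.tgz, for example jinstall-ex-9.0R2-domestic.tgz.
Added example, not Juniper code."""
import re
from typing import NamedTuple, Optional

# Name grammar from the guide: package name, m.n release, one-letter release
# type Z (R released, B beta), version x, distribution, and the .tgz suffix.
_PACKAGE_RE = re.compile(
    r"^(?P<name>[a-z][a-z0-9-]*?)"        # jinstall-ex (non-greedy: may contain hyphens)
    r"-(?P<major>\d+)\.(?P<minor>\d+)"    # 9.0
    r"(?P<kind>[A-Z])(?P<version>\d+)"    # R2
    r"-(?P<distribution>[a-z]+)"          # domestic or export
    r"\.tgz$"
)

RELEASE_TYPES = {"R": "released", "B": "beta"}   # the two types the guide names


class JunosPackage(NamedTuple):
    name: str
    major: int
    minor: int
    kind: str
    version: int
    distribution: str

    @property
    def release(self) -> str:
        return f"{self.major}.{self.minor}{self.kind}{self.version}"


def parse_package_name(filename: str) -> JunosPackage:
    """Split a package file name into its fields; raise ValueError when it does
    not follow the documented format."""
    m = _PACKAGE_RE.match(filename)
    if not m:
        raise ValueError(f"not a JUNOS package name: {filename!r}")
    return JunosPackage(m["name"], int(m["major"]), int(m["minor"]),
                        m["kind"], int(m["version"]), m["distribution"])


def check_for_ex_install(filename: str, allow_beta: bool = False) -> Optional[str]:
    """Policy check before 'request system software add' on an EX-series switch.
    Returns None when the name is acceptable, otherwise the reason to refuse it.
    Rules taken from the guide: the EX package is jinstall-ex, it is distributed
    as 'domestic' for every region, and R marks released rather than beta code.
    Rejecting beta builds by default is this example's own policy (assumption)."""
    try:
        pkg = parse_package_name(filename)
    except ValueError as exc:
        return str(exc)
    if pkg.name != "jinstall-ex":
        return f"{pkg.name} is not the EX-series install package (expected jinstall-ex)"
    if pkg.distribution != "domestic":
        return f"EX-series software uses the domestic distribution, not {pkg.distribution}"
    if pkg.kind not in RELEASE_TYPES:
        return f"unknown release type {pkg.kind!r} in {pkg.release}"
    if pkg.kind == "B" and not allow_beta:
        return f"{pkg.release} is beta-level software; released (R) builds only"
    return None


def is_upgrade(current: str, candidate: str) -> bool:
    """True when candidate is a later release than current. Fields are compared
    as integers so that 9.10 sorts after 9.2; the release type is ignored."""
    a, b = parse_package_name(current), parse_package_name(candidate)
    return (b.major, b.minor, b.version) > (a.major, a.minor, a.version)


if __name__ == "__main__":
    for fn in ("jinstall-ex-9.0R2-domestic.tgz", "jinstall-ex-9.2B1-domestic.tgz",
               "jinstall-9.2R1-export.tgz", "jinstall-ex-9.2R1-domestic.tar"):
        print(f"{fn:36} -> {check_for_ex_install(fn) or 'ok'}")
```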
Related Topics

Installing Software on EX-series Switches (J-Web Procedure) on page 67

Installing Software on EX-series Switches (CLI Procedure) on page 66

Understanding Software Installation on EX-series Switches on page 63

Downloading Software Packages from Juniper Networks


You can download JUNOS software packages from the Juniper Networks Web site
to upgrade software on your EX-series switch.
Before you begin to download software upgrades, ensure that you have a Juniper
Networks Web account and a valid support contract. To obtain an account, complete
the registration form at the Juniper Networks Web site:
https://www.juniper.net/registration/Register.jsp.
To download software upgrades from Juniper Networks:

1. Using a Web browser, follow the links to the download URL on the Juniper
Networks Web page. For EX-series, there are not separate software packages
for Canada, the U.S., and other locations. Therefore, select Canada and U.S.
Version regardless of your location:
https://www.juniper.net/support/csc/swdist-domestic/

2. Log in to the Juniper Networks authentication system using the username
(generally your e-mail address) and password supplied by Juniper Networks
representatives.

3. Using the J-Web interface or the CLI, select the appropriate software package for
your application. See JUNOS Software Package Names on page 65.

4. Download the software to a local host or to an internal software distribution site.

Related Topics

Installing Software on EX-series Switches (J-Web Procedure) on page 67

Installing Software on EX-series Switches (CLI Procedure) on page 66

Understanding Software Installation on EX-series Switches on page 63

Installing Software on EX-series Switches (CLI Procedure)


You can upgrade software packages on a single fixed-configuration switch, on an
individual member of a virtual chassis, or for all members of a virtual chassis.
To install software upgrades on an EX-series switch with the CLI:

1. Download the software package as described in Downloading Software Packages
from Juniper Networks on page 65.

2. Copy the software package to the switch. We recommend that you use FTP to
copy the file to the /var/tmp directory.

3. To install the new package on the switch, enter the following command:
user@switch> request system software add source [member member_id] reboot

Include the member option to install the software package on only one member
of a virtual chassis. Other members of the virtual chassis are not affected. To
install the software on all members of the virtual chassis, do not include the
member option.
Replace source with one of the following paths:

- For a software package that is installed from a local directory on the
switch: /pathname/package-name

- For software packages that are downloaded and installed from a remote
location:
ftp://hostname/pathname/package-name
http://hostname/pathname/package-name

where package-name is, for example, jinstall-ex-9.0R2-domestic.tgz.

See the JUNOS Software System Basics and Services Command Reference for details
about the request system software add command.
Related Topics

Installing Software on EX-series Switches (J-Web Procedure) on page 67

Troubleshooting Software Installation on page 68

Understanding Software Installation on EX-series Switches on page 63

Installing Software on EX-series Switches (J-Web Procedure)


You can upgrade software packages on a single fixed-configuration switch, on an
individual member of a virtual chassis, or for all members of a virtual chassis.
You can use the J-Web interface to install software upgrades from a server using FTP
or HTTP, or by copying the file to the EX-series switch.
This topic describes:
1. Installing Software Upgrades from a Server on page 67
2. Installing Software Upgrades by Uploading Files on page 68

Installing Software Upgrades from a Server


To install software upgrades from a remote server by using FTP or HTTP:

1. Download the software package as described in Downloading Software Packages
from Juniper Networks on page 65.

2. Log in to the Juniper Networks authentication system using the username
(generally your e-mail address) and password supplied by Juniper Networks
representatives.

3. In the J-Web interface, select Maintain>Software>Install Package.

4. On the Install Remote page, enter information into the fields described in
Table 12 on page 67.

5. Click Fetch and Install Package. The software is activated after the switch has
rebooted.

Table 12: Install Remote Summary

Field: Package Location (required)
Function: Specifies the FTP or HTTP server, file path, and software package name.
Your Action: Type the full address of the software package location on the FTP or
HTTP server, one of the following:
ftp://hostname/pathname/package-name
http://hostname/pathname/package-name

Field: User
Function: Specifies the username, if the server requires one.
Your Action: Type the username.

Field: Password
Function: Specifies the password, if the server requires one.
Your Action: Type the password.

Field: Reboot If Required
Function: If this box is checked, the switching platform is automatically rebooted
when the upgrade is complete.
Your Action: Check the box if you want the switching platform to reboot
automatically when the upgrade is complete.


Installing Software Upgrades by Uploading Files


To install software upgrades by uploading files:

1. Download the software package.

2. In the J-Web interface, select Maintain>Software>Upload Package.

3. On the Upload Package page, enter information into the fields described in
Table 13 on page 68.

4. Click Upload Package. The software is activated after the switching platform has
rebooted.

Table 13: Upload Package Summary

Field: File to Upload (required)
Function: Specifies the location of the software package.
Your Action: Type the location of the software package, or click Browse to navigate
to the location.

Field: Reboot If Required
Function: Specifies that the switching platform is automatically rebooted when the
upgrade is complete.
Your Action: Select the check box if you want the switching platform to reboot
automatically when the upgrade is complete.

Related Topics

Installing Software on EX-series Switches (CLI Procedure) on page 66

Understanding Software Installation on EX-series Switches on page 63

Troubleshooting Software Installation on page 68

Troubleshooting Software Installation

Recovering from a Failed Software Upgrade on an EX-series Switch on page 68

Rebooting from the Non-Active Partition on page 69

Recovering from a Failed Software Upgrade on an EX-series Switch


Problem

If the JUNOS software loads but the CLI is not working for any reason, or if the switch
has no software installed, you can use this recovery installation procedure to install
the JUNOS software.

Solution

If there is already a JUNOS image on the system, you can either install the new JUNOS
package in a separate partition and both JUNOS images will remain on the system,
or you can wipe the disk clean before the new installation proceeds.
To perform a recovery installation:

1. Power on the switch. The loader script starts.

2. After the message Loading /boot/defaults/loader.conf displays, you are prompted
with:
Hit [Enter] to boot immediately, or space bar for command prompt.
Press the space bar to enter the manual loader. The loader> prompt displays.

3. Enter the following command:
loader> install [--format] [--external] source

Where:

- --format: Use this option to wipe the installation media (internal disk or USB
drive) before installing the software package. If you do not include this option,
the system installs the new JUNOS software package in a different partition
from that of the most recently installed JUNOS software package.

- --external: Use this option to install the software package onto external
media.

- source: Represents the name and location of the JUNOS software package,
either on a server on the network or as a file on an external USB drive:

  - Network address of the server and the path on the server; for example,
tftp://192.17.1.28/junos/jinstall-ex-9.2R1-domestic.tgz

  - The JUNOS package on a USB device is commonly stored in the root
drive as the only file; for example, file:///jinstall-ex-9.2R1-domestic.tgz

The installation proceeds as normal and ends with a login prompt.

Rebooting from the Non-Active Partition


Problem

An EX-series switch ships with the JUNOS software loaded on the system disk in
partition 1. The first time you upgrade, the new software package is installed in
partition 2. When you finish the installation and reboot, partition 2 becomes the
active partition. Similarly, subsequent software packages are installed in the non-active
partition which becomes the active partition when you reboot at the end of the
installation process.
If you performed an upgrade and rebooted, the system resets the active partition.
You can use this procedure to manually boot from the non-active partition.

NOTE: If you have completed the installation of the software image but have not yet
rebooted, you can issue a request system software rollback to return to the original
software installation package.

Solution

To reboot from the non-active partition, use the following command:


user@switch> request system reboot partition alternate


NOTE: If you cannot access the CLI, you can reboot from the non-active partition
using the following procedure from the loader script prompt:

1. Unload and clear the interrupted boot from the active partition:
loader> unload
loader> unset vfs.root.mountfrom

2. Select the new (inactive) partition to boot from:
loader> set currdev=disk<media>s<partition>:

where <media> is either 0 (internal) or 1 (external) and <partition> is the
partition number, either 1 or 2; for example, disk0s2: selects partition 2 on the
internal disk. You must include the colon (:) at the end of this command.

3. Boot JUNOS from the inactive partition:
loader> boot

Related Topics

Installing Software on EX-series Switches (CLI Procedure) on page 66

Installing Software on EX-series Switches (J-Web Procedure) on page 67

Understanding Software Installation on EX-series Switches on page 63

Chapter 7

Configuration File Management

Understanding Configuration Files for EX-series Switches on page 71

Configuration Files Terms on page 72

Managing Configuration Files Through the Configuration History (J-Web
Procedure) on page 72

Uploading a Configuration File (CLI Procedure) on page 75

Uploading a Configuration File (J-Web Procedure) on page 77

Loading a Previous Configuration File (CLI Procedure) on page 77

EX 3200 and EX 4200 Default Configuration on page 78

Understanding Configuration Files for EX-series Switches


A configuration file stores the complete configuration of a switch. The current
configuration of a switch is called the active configuration. You can alter this current
configuration and you can also return to a previous configuration. For more
information, see Configuration Files Terms on page 72.
JUNOS software saves the 50 most recently committed configuration files on the
switch so that you can return to a previous configuration. The configuration files are
named:

- juniper.conf.gz: The current active configuration.

- juniper.conf.1.gz to juniper.conf.49.gz: Rollback configurations.

To make changes to the configuration file, you have to work in the configuration
mode in the CLI or use the configuration tools in the J-Web interface. When making
changes to a configuration file, you are viewing and changing the candidate
configuration file. The candidate configuration allows you to make configuration
changes without causing operational changes to the active configuration or causing
potential damage to your current network operations. Once you commit the changes
made to the candidate configuration, the system updates the active configuration.
Related Topics

Managing Configuration Files Through the Configuration History (J-Web
Procedure) on page 72

Uploading a Configuration File (CLI Procedure) on page 75

Uploading a Configuration File (J-Web Procedure) on page 77

Configuration Files Terms on page 72

Configuration Files Terms


Table 14 on page 72 lists the various configuration file terms and their definitions.

Table 14: Configuration File Terms

active configuration: The current committed configuration of a switch.

candidate configuration: A working copy of the configuration that allows users to
make configuration changes without causing any operational changes until this copy
is committed.

configuration group: Group of configuration statements that can be inherited by the
rest of the configuration.

commit a configuration: Have the candidate configuration checked for proper syntax,
activated, and marked as the current configuration file running on the switching
platform.

configuration hierarchy: The JUNOS software configuration consists of a hierarchy of
statements. There are two types of statements: container statements, which contain
other statements, and leaf statements, which do not contain other statements. All
the container and leaf statements together form the configuration hierarchy.

default configuration: The default configuration contains the initial values set for
each configuration parameter when a switch is shipped.

roll back a configuration: Return to a previously committed configuration.

Related Topics

EX 3200 and EX 4200 Default Configuration on page 78

Loading a Previous Configuration File (CLI Procedure) on page 77

Managing Configuration Files Through the Configuration History (J-Web
Procedure) on page 72

Understanding Configuration Files for EX-series Switches on page 71

Managing Configuration Files Through the Configuration History (J-Web Procedure)


Use the Configuration History function to manage configuration files.
1. Displaying Configuration History on page 72
2. Displaying Users Editing the Configuration on page 73
3. Comparing Configuration Files with the J-Web Interface on page 74
4. Downloading a Configuration File with the J-Web Interface on page 74
5. Loading a Previous Configuration File with the J-Web Interface on page 75

Displaying Configuration History


To manage configuration files with the J-Web interface, select Maintain > Config
Management > History. The main pane displays the History Database Information
page.


Table 15 on page 73 summarizes the contents of the display.

The configuration history display allows you to:

- View a configuration.

- Compare two configurations.

- Download a configuration file to your local system.

- Roll back the configuration to any of the previous versions stored on the switch.

Table 15: J-Web Configuration History Summary

Number: Version of the configuration file.

Date/Time: Date and time the configuration was committed.

User: Name of the user who committed the configuration.

Client: Method by which the configuration was committed:
- cli: A user entered a JUNOS CLI command.
- junoscript: A JUNOScript client performed the operation. Commit operations
performed by users through the J-Web interface are identified in this way.
- snmp: An SNMP set request started the operation.
- other: Another method was used to commit the configuration.

Comment: Comment.

Log Message: Method used to edit the configuration:
- Imported via paste: Configuration was edited and loaded with the Configure>CLI
Tools>Edit Configuration Text option.
- Imported upload [filename]: Configuration was uploaded with the Configure>CLI
Tools>Point Click Editor option.
- Modified via JWeb Configure: Configuration was modified with the J-Web Configure
menu.
- Rolled back via user-interface: Configuration was rolled back to a previous version
through the user interface specified by user-interface, which can be Web Interface
or CLI.

Action: Action to perform with the configuration file. The action can be Download or
Rollback.

Displaying Users Editing the Configuration


To display a list of users editing the switching platform configuration, select Config
Management >History. The list is displayed as Database Information in the main
pane. Table 16 on page 74 summarizes the Database Information display.


Table 16: J-Web Configuration Database Information Summary

User Name: Name of user editing the configuration.

Start Time: Time of day the user logged in to the switch.

Idle Time: Elapsed time since the user issued a configuration command from the CLI.

Terminal: Terminal on which the user is logged in.

PID: Process identifier assigned to the user by the switching platform.

Edit Flags: Designates a private or exclusive edit.

Edit Path: Level of the configuration hierarchy that the user is editing.

Comparing Configuration Files with the J-Web Interface


To compare any two of the past 50 committed configuration files:

1. Select Config Management > History. A list of the current and the previous 49
configurations is displayed as Configuration History in the main pane.

2. Select the check boxes to the left of the two configuration versions you want to
compare.

3. Click Compare.
The main pane displays the differences between the two configuration files at
each hierarchy level as follows:

- Lines that have changed are highlighted side by side in green.

- Lines that exist only in the more recent configuration file are displayed in
red on the left.

- Lines that exist only in the older configuration file are displayed in blue on
the right.

Downloading a Configuration File with the J-Web Interface


To download a configuration file from the switch to your local system:

1. Select Config Management > History. A list of the current and previous 49
configurations is displayed as Configuration History in the main pane.

2. In the Action column, click Download for the version of the configuration you
want to download.

3. Select the options your Web browser provides that allow you to save the
configuration file to a target directory on your local system.
The file is saved as an ASCII file.


Loading a Previous Configuration File with the J-Web Interface


To load (roll back) and commit a previous configuration file stored on the switching
platform:

1. Select Config Management > History. A list of the current and previous 49
configurations is displayed as Configuration History in the main pane.

2. In the Action column, click Rollback for the version of the configuration you want
to load.
The main pane displays the results of the rollback operation.

NOTE: When you click Rollback, the switch loads and commits the selected
configuration. This behavior is different from the switch's behavior that occurs after
you enter the rollback configuration mode command from the CLI. In the latter case,
the configuration is loaded but not committed.

Related Topics

Loading a Previous Configuration File (CLI Procedure) on page 77

Understanding Configuration Files for EX-series Switches on page 71

Understanding J-Web Configuration Tools on page 51

Uploading a Configuration File (CLI Procedure)


You can create a configuration file on your local system, copy the file to the EX-series
switch and then load the file into the CLI. After you have loaded the configuration
file, you can commit it to activate the configuration on the switch. You can also edit
the configuration interactively using the CLI and commit it at a later time.
To upload a configuration file from your local system:

1. Create the configuration file using a text editor such as Notepad, making sure
that the syntax of the configuration file is correct. For more information about
testing the syntax of a configuration file, see the JUNOS Software System Basics
and Services Command Reference at http://www.juniper.net/techpubs/software/junos/.

2. In the configuration text file, use an option to perform the required action when
the file is loaded. Table 17 on page 75 lists and describes some options for the
load command.

Table 17: Options for the load command

merge: Combines the current active configuration and the configuration in filename
or the one that you type at the terminal. A merge operation is useful when you are
adding a new section to an existing configuration. If the active configuration and the
incoming configuration contain conflicting statements, the statements in the incoming
configuration override those in the active configuration.

override: Discards the current candidate configuration and loads the configuration in
filename or the one that you type at the terminal. When you use the override option
and commit the configuration, all system processes reparse the configuration. You
can use the override option at any level of the hierarchy.

replace: Searches for the replace tags, deletes the existing statements of the same
name, if any, and replaces them with the incoming configuration. If there is no
existing statement of the same name, the replace operation adds the statements
marked with the replace tag to the active configuration.
NOTE: For this operation to work, you must include replace tags in the text file or in
the configuration you type at the terminal.

3. Press Ctrl+A to select all the text in the configuration file.

4. Press Ctrl+C to copy the contents of the configuration text file to the Clipboard.

5. Log in to the switch using your username and password.

6. Enter configuration mode:

user@switch> configure

You will see this output, with the hash or pound mark indicating configuration mode:

Entering configuration mode
[edit]
user@switch#

7. Load the configuration file:

[edit]
user@switch# load merge terminal

8. At the cursor, paste the contents of the Clipboard using the mouse and the Paste icon:

[edit]
user@switch# load merge terminal
[Type ^D at a new line to end input]
>Cursor is here. Paste the contents of the clipboard here<

9. Press Enter.

10. Press Ctrl+D to set the end-of-file marker.

To view the results of the configuration steps before committing the configuration, type the show command at the user prompt.
To commit these changes to the active configuration, type the commit command at the user prompt. You can also edit the configuration interactively using the CLI and commit it at a later time.
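Before a file is pasted into load merge, load override or load replace terminal, it is worth checking it offline. The following Python script is an added example, not code from the Juniper guide: it parses the curly-brace configuration format, reports unbalanced braces, lists the top-level hierarchies the file touches, and finds the replace: tags that load replace depends on; the sample configuration text is constructed for the example.

```python
"""Pre-flight check of a Junos-style configuration file before it is pasted
into `load merge terminal`, `load override terminal` or `load replace terminal`.
Added example, not code from the Juniper guide. It parses the curly-brace
format, reports unbalanced braces, lists the top-level hierarchies the file
touches and finds the `replace:` tags that `load replace` depends on."""

from dataclasses import dataclass, field


@dataclass
class PreflightReport:
    hierarchies: list      # top-level stanzas the file touches, e.g. ["system", "interfaces"]
    replace_tags: list     # hierarchy paths carrying a replace: tag
    secret_leaves: list    # leaf statements annotated ## SECRET-DATA
    errors: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.errors


def preflight(text):
    """Walk the configuration line by line, tracking the open stanzas."""
    stack, report = [], PreflightReport([], [], [])
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        is_secret = "## SECRET-DATA" in line
        # Drop trailing annotations; a '#' inside a quoted value would need a
        # real tokenizer, which this check deliberately does not attempt.
        line = line.split("##", 1)[0].strip()
        tagged = line.startswith("replace:")
        if tagged:
            line = line[len("replace:"):].strip()
        if line == "}":
            if stack:
                stack.pop()
            else:
                report.errors.append(f"line {lineno}: unexpected '}}'")
        elif line.endswith("{"):
            name = line[:-1].strip()
            if not stack and name not in report.hierarchies:
                report.hierarchies.append(name)
            stack.append(name)
            if tagged:
                report.replace_tags.append(" ".join(stack))
        elif line.endswith(";"):
            stmt = line[:-1].strip()
            if not stack and stmt not in report.hierarchies:
                report.hierarchies.append(stmt)
            path = " ".join(stack + [stmt])
            if tagged:
                report.replace_tags.append(path)
            if is_secret:
                report.secret_leaves.append(path)
        else:
            report.errors.append(f"line {lineno}: cannot parse {line!r}")
    if stack:
        report.errors.append("unclosed stanza: " + " ".join(stack))
    return report


def load_option_warnings(report, option):
    """Describe, per Table 17, what the chosen load option does with this file."""
    warnings = []
    if option == "replace" and not report.replace_tags:
        warnings.append("no replace: tags found; load replace would replace nothing")
    elif option == "override":
        warnings.append("override discards the whole candidate configuration, not only "
                        + ", ".join(report.hierarchies))
    elif option == "merge":
        warnings.append("incoming statements under " + ", ".join(report.hierarchies)
                        + " override conflicting statements in the active configuration")
    return warnings


# Constructed sample: a merge snippet adding a login user, plus a replace-tagged stanza.
SAMPLE = """\
system {
    login {
        user alice {
            class operator;
            authentication {
                encrypted-password "$1$constructed"; ## SECRET-DATA
            }
        }
    }
}
replace: interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
}
"""
BROKEN = "system {\n    login {\n        user bob {\n            class operator;\n        }\n    }\n"

if __name__ == "__main__":
    for name, text in (("SAMPLE", SAMPLE), ("BROKEN", BROKEN)):
        rep = preflight(text)
        print(name, "ok" if rep.ok else rep.errors, rep.hierarchies, rep.replace_tags)
        print("  ", load_option_warnings(rep, "replace"))
```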
Related Topics

Uploading a Configuration File (J-Web Procedure) on page 77

Understanding Configuration Files for EX-series Switches on page 71
Uploading a Configuration File (J-Web Procedure)


You can create a configuration file on your local system, copy the file to the EX-series
switch and then load the file into the CLI. After you have loaded the configuration
file, you can commit it to activate the configuration on the switch. You can also edit
the configuration interactively using the CLI and commit it at a later time.
To upload a configuration file from your local system:
1. Select Maintain > Config Management > Upload.

The main pane displays the File to Upload box.

2. Specify the name of the file to upload using one of the following methods:

Type the absolute path and filename in the File to Upload box.

Click Browse to navigate to the file.

3. Click Upload and Commit to upload and commit the configuration.

The switch checks the configuration for the correct syntax before committing it.

Related Topics

Uploading a Configuration File (CLI Procedure) on page 75

Understanding J-Web Configuration Tools on page 51

Understanding Configuration Files for EX-series Switches on page 71

Loading a Previous Configuration File (CLI Procedure)


You can return to a previously committed configuration file if you need to revert to
a previous configuration or if you have lost management access to the switch. The
EX-series switch saves the last 50 committed configurations, including the rollback
number, date, time, and name of the user who issued the commit configuration
command.
Syntax

rollback (number)

Options

None: Return to the most recently saved configuration.

Number: Configuration to return to.
Range: 0 through 49. The most recently saved configuration is number 0, and the oldest saved configuration is number 49.
Default: 0


To return to a configuration prior to the most recently committed one:


1. Specify the rollback number:

[edit]
user@switch# rollback number
load complete

2. Activate the configuration you have loaded:

[edit]
user@switch# commit

Related Topics

Managing Configuration Files Through the Configuration History (J-Web Procedure) on page 72

For more information on rollback see CLI User Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html.

EX 3200 and EX 4200 Default Configuration


Each EX-series switch is programmed with a factory default configuration that contains
the values set for each configuration parameter when a switch is shipped. The default
configuration file sets values for system parameters such as syslog and commit,
configures Power over Ethernet and Ethernet switching on all interfaces, and enables
the LLDP and RSTP protocols.
The following factory default configuration file is for a 24-port switch. For models
that have more ports, this default configuration file has more interfaces.

NOTE: In this example, ge-0/0/0 through ge-0/0/23 are the network interface ports.
Optional uplink modules provide either two 10-gigabit small form-factor pluggable
(XFP) transceivers (xe-0/1/0 and xe-0/1/1) or four 1-gigabit small form-factor
pluggable (SFP) transceivers (ge-0/1/0 through ge-0/1/3). Although you can install
only one uplink module, the interfaces for both are shown below.
When you commit changes to the configuration, a new configuration file is created
which becomes the active configuration. You can always revert to the factory default
configuration.
This topic shows the factory default configuration file of a 24-port EX 3200 or EX
4200 switch:
system {
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    commit {
        factory-settings {
            reset-chassis-lcd-menu;
            reset-virtual-chassis-configuration;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
}
protocols {
    lldp {
        interface all;
    }
    rstp;
}
poe {
    interface all;
}
Related Topics

Reverting to the Default Factory Configuration for the EX-series Switch

Connecting and Configuring the EX-series Switch (CLI Procedure) on page 57

Connecting and Configuring the EX-series Switch (J-Web Procedure) on page 58

Understanding Configuration Files for EX-series Switches on page 71

EX-series Switches Interfaces Overview on page 259

Chapter 8

Licenses

Software Licenses for the EX-series Switch Overview on page 83

License Key Components for the EX-series Switch on page 84

Managing Licenses for the EX-series Switch (CLI Procedure) on page 85

Managing Licenses for the EX-series Switch (J-Web Procedure) on page 85

Monitoring Licenses for the EX-series Switch on page 87

Software Licenses for the EX-series Switch Overview


To enable some JUNOS software features, you might have to purchase, install, and
manage separate software license packs. The presence on the switch of the
appropriate software license keys (passwords) determines whether you are eligible
to configure and use certain features.
As an honor-based licensing structure, JUNOS feature licenses are universal, and the
same feature can be installed and configured on multiple switches. However, to
conform to JUNOS feature licensing requirements, you must purchase one license
per switch. For a virtual chassis, only 2 licenses are needed, one for the master and
one for the backup. If you have additional members in a virtual chassis, you do not
need more licenses.
For features that require a license, you must install and properly configure the license
to meet the requirements for using the licensable feature. The switch enables you
to commit a configuration that specifies a licensable feature without a license for a
30-day grace period. The grace period is a short-term grant that enables you to start
using features in the pack (regardless of the license key limit) without a license key
installed. The grace period begins when the licensable feature is actually used by the
switch (not when it is first committed). In other words, you can commit licensable
features to the switch configuration but the grace period does not begin until the
switch uses the licensable feature. After the grace period expires, the system generates
system log messages saying that the feature requires a license.
Before you begin managing licenses, be sure that you have:

Obtained the needed licenses. For information about how to purchase software licenses, contact your Juniper Networks sales representative.

Related Topics

Managing Licenses for the EX-series Switch (CLI Procedure) on page 85

Managing Licenses for the EX-series Switch (J-Web Procedure) on page 85

Monitoring Licenses for the EX-series Switch on page 87

License Key Components for the EX-series Switch on page 84

License Key Components for the EX-series Switch


When you purchase a license for a JUNOS software feature that requires a separate
license, you receive a license key.
A license key consists of two parts:

License ID: Alphanumeric string that uniquely identifies the license key. When a license is generated, it is given a license ID.

License data: Block of binary data that defines and stores all license key objects.

For example, in the following typical license key, the string li29183743 is the license ID, and the trailing block of data is the license data:

li29183743 4ky27y acasck 82fsj6 jzsn4q ix8i8d adj7kr
8uq38t ix8i8d jzsn4q ix8i8d 4ky27y acasck
82fsj6 ii8i7e adj7kr 8uq38t ks2923 a9382e

The license data defines the device ID for which the license is valid and the version
of the license.
Related Topics

Managing Licenses for the EX-series Switch (CLI Procedure) on page 85

Managing Licenses for the EX-series Switch (J-Web Procedure) on page 85

Software Licenses for the EX-series Switch Overview on page 83

Managing Licenses for the EX-series Switch (CLI Procedure)


To enable some JUNOS software features on an EX-series switch, you must purchase,
install, and manage separate software licenses. Each switch requires one license per
licensed feature. The licenses are on an honor system, meaning that after you have
configured the features, you have a 30-day grace period to install the license. You
will see a warning message if the switch does not have a license for the feature after
those 30 days.
Before you begin managing licenses, be sure that you have:

Obtained the needed licenses. For information about how to purchase software
licenses, contact your Juniper Networks sales representative.

This topic includes the following tasks:

Adding New Licenses on page 85

Deleting Licenses on page 85

Saving License Keys on page 85

Adding New Licenses


To add a new license key on the switch with the CLI:

1. Enter one of the following operational mode CLI commands:

To add a license key from a file or URL, enter the following command, specifying the filename of the file or the URL where the key is located:

user@switch> request system license add filename | url

To add a license key from the terminal, enter the following command:

user@switch> request system license add terminal

2. When prompted, enter the license key, separating multiple license keys with a blank line.

If the license key you enter is invalid, an error appears in the CLI output when you press Ctrl+D to exit license entry mode.

Deleting Licenses
To delete one or more license keys from the switch with the CLI, enter the following
operational mode CLI command for each license, specifying the license ID.
user@switch> request system license delete license-id

You can delete only one license at a time.

Saving License Keys


To save the installed license keys to a file (which can be a URL) or to the terminal,
enter the following operational mode CLI command:
user@switch> request system license save filename | url

For example, the following command saves the installed license keys to a file named
license.conf:
user@switch> request system license save ftp://user@switch/license.conf

Related Topics

Managing Licenses for the EX-series Switch (J-Web Procedure) on page 85

Monitoring Licenses for the EX-series Switch on page 87

Managing Licenses for the EX-series Switch (J-Web Procedure)


To enable some JUNOS software features on an EX-series switch, you must purchase, install, and manage separate software licenses. Each switch requires one license per licensed feature. The licenses are on an honor system, meaning that after you have configured the features, you have a 30-day grace period to install the license. You will see a warning message if the switch does not have a license for the feature after those 30 days.
Before you begin managing licenses, be sure that you have:

Obtained the needed licenses. For information about how to purchase software licenses, contact your Juniper Networks sales representative.

This topic includes the following tasks:

Adding New Licenses on page 86

Deleting Licenses on page 86

Displaying License Keys on page 86

Downloading Licenses on page 87

Adding New Licenses


To add a new license key on the switch with the J-Web license manager:

1. In the J-Web interface, select Maintain>Licenses.

2. Under Installed Licenses, click Add to add a new license key.

3. Do one of the following, using a blank line to separate multiple license keys:

In the License File URL box, type the full URL to the destination file containing the license key to be added.

In the License Key Text box, paste the license key text, in plain-text format, for the license to be added.

4. Click OK to add the license key.

A list of features that use the license key is displayed. The table also lists the ID, state, and version of the license key.

Deleting Licenses
To delete one or more license keys from a switch with the J-Web license manager:

1. In the J-Web interface, select Maintain>Licenses.

2. Select the check box of the license or licenses you want to delete.

3. Click Delete.

Displaying License Keys


To display the license keys installed on a switch with the J-Web license manager:

1. In the J-Web interface, select Maintain>Licenses.

2. Under Installed Licenses, click Display Keys to display all the license keys installed on the switch.

A screen displaying the license keys in text format appears. Multiple licenses are separated by a blank line.

Downloading Licenses
To download the license keys installed on the switch with the J-Web license manager:

1. In the J-Web interface, select Maintain>Licenses.

2. Under Installed Licenses, click Download Keys to download all the license keys installed on the switch to a single file.

3. Select Save it to disk and specify the file to which the license keys are to be written. You can also download the license file to your system.

Related Topics

Managing Licenses for the EX-series Switch (CLI Procedure) on page 85

Monitoring Licenses for the EX-series Switch on page 87

Monitoring Licenses for the EX-series Switch


To enable and use some JUNOS software features on the EX-series switch, you must
purchase, install, and manage separate software licenses.
To monitor your installed licenses, perform the following tasks:

Displaying Installed Licenses and License Usage Details on page 87

Displaying License Usage on page 88

Displaying Installed License Keys on page 88

Displaying Installed Licenses and License Usage Details


Purpose: Verify that the expected licenses are installed and active on the switch.

Action: From the CLI, enter the show system license command.

Meaning: The output shows a list of the license usage and a list of the licenses installed on the switch. Verify the following information:

Each license is present. Licenses are listed in ascending alphanumeric order by license ID.

The state of each license is valid. A state of invalid indicates that the license key is not a valid license key. Either it was entered incorrectly or it is not valid for the specific device.

The feature for each license is the expected feature. The features enabled are listed by license. An all-inclusive license has All features listed.

All configured features have the required licenses installed. The Licenses needed column must show that no licenses are required.


Displaying License Usage


Purpose: Verify that the licenses fully cover the feature configuration on the switch.

Action: From the CLI, enter the show system license usage command.

Meaning: The output shows a list of the licenses installed on the switch and how they are used. Verify the following information:

Each licensed feature and port is present. Features and ports are listed in ascending alphabetical order by license name. The number of licenses is shown in the fourth column. Verify that the appropriate number of licenses is installed.

The number of used licenses matches the number of configured features and ports. If a licensed feature or port is configured, the feature or port is considered used.

A license is installed on the switch for each configured feature and port. For every feature or port configured that does not have a license, one license is needed.

Displaying Installed License Keys


Purpose: Verify that the expected license keys are installed on the switch.

Action: From the CLI, enter the show system license keys command.

Meaning: The output shows a list of the license keys installed on the switch. Verify that each expected license key is present.

Related Topics

Managing Licenses for the EX-series Switch (CLI Procedure) on page 85

Managing Licenses for the EX-series Switch (J-Web Procedure) on page 85

Part 5

System Basics

Understanding Basic System Concepts on page 91

Configuring Basic System Functions on page 93

Administering and Monitoring Basic System Functions on page 99

Troubleshooting Basic System Functions on page 119

Configuration Statements for Basic System Functions on page 123

Operational Mode Commands for Basic System Functions on page 125


Chapter 9

Understanding Basic System Concepts

Understanding Alarm Types and Severity Levels on EX-series Switches on page 91

Understanding Alarm Types and Severity Levels on EX-series Switches


Before monitoring alarms on the switch, become familiar with the terms defined in Table 18 on page 91.

Table 18: Alarm Terms

alarm: Signal alerting you to conditions that might prevent normal operation. On a switch, the alarm signal is the yellow ALARM LED lit on the front of the chassis.

alarm condition: Failure event that triggers an alarm.

alarm severity: Seriousness of the alarm. The level of severity can be either major (red) or minor (yellow).

chassis alarm: Predefined alarm triggered by a physical condition on the switch such as a power supply failure, excessive component temperature, or media failure.

system alarm: Predefined alarm triggered by a missing rescue configuration or failure to install a license for a licensed software feature.

Alarm Types
The switch supports these alarms:

Chassis alarms indicate a failure on the switch or one of its components. Chassis
alarms are preset and cannot be modified.

System alarms indicate a missing rescue configuration. System alarms are preset
and cannot be modified, although you can configure them to appear automatically
in the J-Web interface display or CLI display.

Alarm Severity Levels


Alarms on an EX-series switch have two severity levels:

Major (red): Indicates a critical situation on the switch that has resulted from one of the following conditions. A red alarm condition requires immediate action.

One or more hardware components have failed.

One or more hardware components have exceeded temperature thresholds.

An alarm condition configured on an interface has triggered a critical warning.

Minor (yellow): Indicates a noncritical condition on the switch that, if left unchecked, might cause an interruption in service or degradation in performance. A yellow alarm condition requires monitoring or maintenance. A missing rescue configuration generates a yellow system alarm.

Related Topics

Checking Active Alarms on the Switch with the J-Web Interface

Understanding How to Use the J-Web Interface to View System Information

Chapter 10

Configuring Basic System Functions

Configuring Management Access for the EX-series Switch (J-Web Procedure) on page 93

Configuring Date and Time for the EX-series Switch (J-Web Procedure) on page 95

Generating SSL Certificates to Be Used for Secure Web Access on page 96

Managing MS-CHAPv2 for password-change support on page 97

Configuring Management Access for the EX-series Switch (J-Web Procedure)


You can manage an EX-series switch remotely through the J-Web interface. To communicate with the switch, the J-Web interface uses Hypertext Transfer Protocol (HTTP). HTTP allows easy Web access but no encryption. The data that is transmitted between the Web browser and the switch by means of HTTP is vulnerable to interception and attack. To enable secure Web access, the switch supports HTTP over Secure Sockets Layer (HTTPS). You can enable HTTP or HTTPS access on specific interfaces and ports as needed.
Navigate to the Secure Access Configuration page by selecting Configure>System Properties>Management Access. On this page, you can enable HTTP and HTTPS access on interfaces for managing the EX-series switch through the J-Web interface. You can also install SSL certificates and enable JUNOScript over SSL with the Secure Access page.

1. Click Edit to modify the configuration. Enter information into the Management Access Configuration page, as described in Table 19 on page 94.

2. To verify that Web access is enabled correctly, connect to the switch using the appropriate method:

For HTTP access: In your Web browser, type http://URL or http://IP address.

For HTTPS access: In your Web browser, type https://URL or https://IP address.

For SSL JUNOScript access: To use this option, you must have a JUNOScript client such as JUNOScope. For information about how to log into JUNOScope, see the JUNOScope Software User Guide.


Table 19: Secure Management Access Configuration Summary

Management Access tab

Management Port IP
Function: Specifies the management port IP address.
Your Action: Type a 32-bit IP address, in dotted decimal notation.

Subnet Mask
Function: Specifies the subnet mask.
Your Action: Enter the subnet mask or address prefix. For example, 24 bits represents 255.255.255.0.

Default Gateway
Function: Defines a default gateway through which to direct packets addressed to networks that are not explicitly listed in the bridge table constructed by the switch.
Your Action: Type a 32-bit IP address, in dotted decimal notation.

Services
Function: Specifies services to be enabled: telnet and SSH.
Your Action: Select to enable the required services.

Enable JUNOScript over Clear Text
Function: Enables clear text access to the JUNOScript XML scripting API.
Your Action: To enable clear text access, select the Enable JUNOScript over Clear Text check box.

Enable JUNOScript over SSL
Function: Enables secure SSL access to the JUNOScript XML scripting API.
Your Action: To enable SSL access, select the Enable JUNOScript over SSL check box.

JUNOScript Certificate
Function: Specifies SSL certificates to be used for encryption. This field is available only after you create at least one SSL certificate.
Your Action: To enable an SSL certificate, select a certificate from the JUNOScript SSL Certificate list, for example, new.

HTTP Web Access

Enable HTTP Access
Function: Enables HTTP access on interfaces.
Your Action: To enable HTTP access, select the Enable HTTP access check box. Select and clear interfaces by clicking the direction arrows: to enable HTTP access on an interface, add the interface to the HTTP Interfaces list. You can either select all interfaces or specific interfaces.

HTTPS Web Access

Enable HTTPS Access
Function: Enables HTTPS access on interfaces.
Your Action: To enable HTTPS access, select the Enable HTTPS access check box. Select and deselect interfaces by clicking the direction arrows: to enable HTTPS access on an interface, add the interface to the HTTPS Interfaces list. You can either select all interfaces or specific interfaces.
NOTE: Specify the certificate to be used for HTTPS access.

Certificates tab

Certificates
Function: Displays digital certificates required for SSL access to the switch. Allows you to add and delete SSL certificates.
Your Action: To add a certificate:
1. Have a general SSL certificate available. See Generating SSL Certificates for more information.
2. Click Add. The Add a Local Certificate page opens.
3. Type a name in the Certificate Name box, for example, new.
4. Open the certificate file and copy its contents.
5. Paste the generated certificate and RSA private key in the Certificate box.
To edit a certificate, select it and click Edit.
To delete a certificate, select it and click Delete.

Related Topics

Security Features for EX-series Switches Overview on page 11

Understanding J-Web User Interface Sessions on page 53

Configuring Date and Time for the EX-series Switch (J-Web Procedure)
To configure date and time:

1. Select Configure>System Properties>Date & Time.

2. To modify the information, click Edit. Enter information into the Edit Date & Time page, as described in Table 20 on page 95.

3. Click one:

To apply the configuration, click OK.

To cancel your entries and return to the System Properties page, click Cancel.

Table 20: Date and Time Settings

Time

Time Zone
Function: Identifies the timezone that the switching platform is located in.
Your Action: Select the appropriate time zone from the list.

Set Time
Function: Synchronizes the system time with that of the NTP server. You can also manually set the system time and date.
Your Action: To immediately set the time, click one:
Synchronize with PC time: The switch synchronizes the time with that of the PC.
NTP Servers: The switch sends a request to the NTP server and synchronizes the system time.
Manual: A pop-up window allows you to select the current date and time from a list.

Related Topics

J-Web User Interface for EX-series Switches Overview on page 43

Generating SSL Certificates to Be Used for Secure Web Access


To enable secure Web access, you must generate a digital SSL certificate and then enable HTTPS access on the switching platform.
To generate an SSL certificate:

1. Enter the following openssl command in your Secure Shell command-line interface. The openssl command generates a self-signed SSL certificate in the privacy-enhanced mail (PEM) format. It writes the certificate and an unencrypted 1024-bit RSA private key to the specified file.

% openssl req -x509 -nodes -newkey rsa:1024 -keyout filename.pem -out filename.pem

Replace filename with the name of a file in which you want the SSL certificate to be written, for example, new.pem.

2. When prompted, type the appropriate information in the identification form. For example, type US for the country name.

3. Display the contents of the file new.pem.

% cat new.pem

NOTE: When you are ready to install the SSL certificate, open this file and copy its
contents so you can paste it into the Certificate box on the Secure Access
Configuration page.

You can use either J-Web Configuration or a configuration editor to install the SSL
certificate and enable HTTPS.
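Step 1 writes the certificate and its unencrypted private key into one PEM file, and the J-Web Certificate box expects both. The following Python script is an added example, not from the Juniper guide: it checks such a file before its contents are pasted (exactly one certificate, exactly one private key, no passphrase on the key, well-formed base64) and spells out the openssl command with its flags; the PEM samples are constructed stand-ins rather than real certificates, and the 2048-bit default in openssl_selfsigned_cmd is this example's choice, not the guide's 1024.

```python
"""Check the PEM file produced by the openssl step before it is pasted into the
J-Web Certificate box. Added example, not code from the Juniper guide. The
switch expects one self-signed certificate and one unencrypted private key in
the same file; a passphrase-protected key could not be loaded."""

import base64
import binascii
import re

_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")
_END = re.compile(r"^-----END ([A-Z ]+)-----$")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Split PEM text into (label, headers, body_bytes) tuples.
    Raises ValueError on a mismatched or unterminated block or bad base64."""
    blocks, label, headers, lines = [], None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = _BEGIN.match(line)
        if m:
            if label is not None:
                raise ValueError(f"BEGIN {m.group(1)} inside unterminated {label} block")
            label, headers, lines = m.group(1), [], []
            continue
        m = _END.match(line)
        if m:
            if m.group(1) != label:
                raise ValueError(f"END {m.group(1)} does not match BEGIN {label}")
            try:
                body = base64.b64decode("".join(lines), validate=True)
            except binascii.Error as exc:
                raise ValueError(f"{label}: body is not valid base64 ({exc})") from None
            blocks.append((label, headers, body))
            label = None
            continue
        if label is None or not line:
            continue  # text outside any block (openssl chatter, blank lines) is ignored
        if ":" in line and not lines:
            headers.append(line)  # RFC 1421 header such as Proc-Type: 4,ENCRYPTED
        else:
            lines.append(line)
    if label is not None:
        raise ValueError(f"unterminated {label} block")
    return blocks


def check_cert_bundle(text):
    """Return a list of problems; an empty list means the file is ready to paste."""
    try:
        blocks = pem_blocks(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    if len(certs) != 1:
        problems.append(f"expected exactly one CERTIFICATE block, found {len(certs)}")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    for label, headers, body in keys:
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.upper().startswith("PROC-TYPE:") and "ENCRYPTED" in h.upper() for h in headers)
        if encrypted:
            problems.append("private key is passphrase-protected; openssl -nodes writes it unencrypted")
        if not body.startswith(b"\x30"):
            problems.append(f"{label} body does not start with a DER SEQUENCE")
    for _, _, body in certs:
        if not body.startswith(b"\x30"):
            problems.append("CERTIFICATE body does not start with a DER SEQUENCE")
    return problems


def openssl_selfsigned_cmd(filename, bits=2048, days=365):
    """argv for the guide's openssl step with every flag spelled out."""
    return ["openssl", "req", "-x509", "-nodes", "-newkey", f"rsa:{bits}",
            "-days", str(days), "-keyout", filename, "-out", filename]


def _pem(label, payload, headers=()):
    """Build a PEM block for the constructed samples below."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    head = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{head}{body}\n-----END {label}-----\n"


# Constructed samples: a minimal DER SEQUENCE stands in for real ASN.1 data.
_DER_STUB = b"\x30\x03\x02\x01\x01"
GOOD_PEM = _pem("CERTIFICATE", _DER_STUB) + _pem("RSA PRIVATE KEY", _DER_STUB)
ENCRYPTED_PEM = _pem("CERTIFICATE", _DER_STUB) + _pem(
    "RSA PRIVATE KEY", _DER_STUB, headers=("Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00"))
CERT_ONLY_PEM = _pem("CERTIFICATE", _DER_STUB)

if __name__ == "__main__":
    print(" ".join(openssl_selfsigned_cmd("new.pem")))
    for name, pem in (("good", GOOD_PEM), ("encrypted", ENCRYPTED_PEM), ("cert-only", CERT_ONLY_PEM)):
        print(name, check_cert_bundle(pem) or "ready to paste")
```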
Related Topics

Security Features for EX-series Switches Overview on page 11

Configuring Management Access for the EX-series Switch (J-Web Procedure) on page 93

Managing MS-CHAPv2 for password-change support


JUNOS enables you to configure Microsoft's implementation of the Challenge
Handshake Authentication Protocol version 2 (MS-CHAPv2) on the switch for
password-change support. This provides users accessing a switch the option of
changing the password when the password expires, is reset, or is configured to be
changed at next logon.
This section contains the following:
1. Configuring MS-CHAPv2 for password-change support on page 97
2. Example: Configuring MS-CHAPv2 on the Switch on page 97

Configuring MS-CHAPv2 for password-change support


Before you configure MS-CHAPv2 for password-change support, ensure that you have configured the following:

RADIUS server authentication.

Set the first tried option in the authentication order to RADIUS server.

To configure MS-CHAP-v2, include the following statements at the [edit system radius-options] hierarchy level:

[edit system radius-options]
password-protocol mschap-v2;

Example: Configuring MS-CHAPv2 on the Switch


The following example shows statements for configuring the MS-CHAPv2 password protocol, password authentication order, and user accounts.

[edit]
system {
    authentication-order [ radius password ];
    radius-server {
        192.168.69.149 secret "$9$G-j.5Qz6tpBk.1hrlXxUjiq5Qn/C"; ## SECRET-DATA
    }
    radius-options {
        password-protocol mschap-v2;
    }
    login {
        user bob {
            class operator;
        }
    }
}
Related Topics

Configuring Basic Settings for an EX-series Switch

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761

Chapter 11: Administering and Monitoring Basic System Functions

Monitoring Hosts Using the J-Web Ping Host Tool on page 99

Monitoring Switch Control Traffic on page 101

Monitoring Network Traffic Using Traceroute on page 103

Monitoring System Properties on page 105

Monitoring System Process Information on page 106

Rebooting or Halting the EX-series Switch (J-Web Procedure) on page 107

Managing Users (J-Web Procedure) on page 108

Managing Log, Temporary, and Crash Files on the Switch (J-Web Procedure) on page 110

Setting or Deleting the Rescue Configuration (CLI Procedure) on page 112

Setting or Deleting the Rescue Configuration (J-Web Procedure) on page 113

Checking Active Alarms with the J-Web Interface on page 113

Monitoring System Log Messages on page 114

Monitoring Hosts Using the J-Web Ping Host Tool

Purpose

Use the J-Web ping host tool to verify that a host can be reached over the network. The output is useful for diagnosing host and network connectivity problems. The switch sends a series of ICMP echo (ping) requests to the specified host and waits for the ICMP echo replies.

Action

To use the J-Web ping host tool:

1. Select Troubleshoot>Ping Host.

2. Next to Advanced options, click the expand icon.

3. Enter information into the Ping Host page, as described in Table 21 on page 100. The Remote Host field is the only required field.

4. Click Start. The results of the ping operation are displayed in the main pane. If no options are specified, each ping response is in the following format:

bytes bytes from ip-address: icmp_seq=number ttl=number time=time

5. To stop the ping operation before it is complete, click OK.

Table 21: J-Web Ping Host Field Summary

Field: Remote Host
Function: Identifies the host to ping.
Your Action: Type the hostname or IP address of the host to ping.

Field: Don't Resolve Addresses
Function: Determines whether to display hostnames of the hops along the path.
Your Action: To suppress the display of the hop hostnames, select the check box. To display the hop hostnames, clear the check box.

Advanced Options

Field: Interface
Function: Specifies the interface on which the ping requests are sent.
Your Action: Select the interface on which ping requests are sent from the list. If you select any, the ping requests are sent on all interfaces.

Field: Count
Function: Specifies the number of ping requests to send.
Your Action: Select the number of ping requests to send from the list.

Field: Don't Fragment
Function: Specifies the Don't Fragment (DF) bit in the IP header of the ping request packet.
Your Action: To set the DF bit, select the check box. To clear the DF bit, clear the check box.

Field: Record Route
Function: Sets the record route option in the IP header of the ping request packet. The path of the ping request packet is recorded within the packet and displayed in the main pane.
Your Action: To record and display the path of the packet, select the check box. To suppress the recording and display of the path of the packet, clear the check box.

Field: Type-of-Service
Function: Specifies the type-of-service (TOS) value in the IP header of the ping request packet.
Your Action: Select the decimal value of the TOS field from the list.

Field: Routing Instance
Function: Name of the routing instance for the ping attempt.
Your Action: Select the routing instance name from the list.

Field: Interval
Function: Specifies the interval, in seconds, between transmissions of individual ping requests.
Your Action: Select the interval from the list.

Field: Packet Size
Function: Specifies the size of the ping request packet.
Your Action: Type the size, in bytes, of the packet. The size can be from 0 through 65468. The switch adds 8 bytes of ICMP header to the size.

Field: Source Address
Function: Specifies the source address of the ping request packet.
Your Action: Type the source IP address.

Field: Time-to-Live
Function: Specifies the time-to-live (TTL) hop count for the ping request packet.
Your Action: Select the TTL value from the list.

Field: Bypass Routing
Function: Determines whether ping requests are routed by means of the routing table. If the routing table is not used, ping requests are sent only to hosts on the interface specified in the Interface box. If the host is not on that interface, no ping responses are received.
Your Action: To bypass the routing table and send the ping requests to hosts on the specified interface only, select the check box. To route the ping requests using the routing table, clear the check box.

Related Topics

Monitoring Interface Status and Traffic on page 299

Monitoring Switch Control Traffic

Purpose

Use the packet capture feature when you need to quickly capture and analyze switch control traffic on a switch. The packet capture feature captures traffic destined for or originating from the Routing Engine.

Action

To use the packet capture feature in the J-Web interface, select Troubleshoot>Packet Capture.

To use the packet capture feature in the CLI, enter the following CLI command:

monitor traffic

Meaning

You can use the packet capture feature to compose expressions with various matching criteria to specify the packets that you want to capture. You can decode and view the captured packets in the J-Web interface as they are captured. The packet capture feature does not capture transit traffic, that is, traffic that the switch forwards between its interfaces without sending it to the Routing Engine; it sees only control-plane traffic to and from the Routing Engine. Table 22 on page 101 describes the fields on the Packet Capture page.

Table 22: Packet Capture Field Summary

Field: Interface
Function: Specifies the interface on which the packets are captured. If you select default, packets on Ethernet management port 0 are captured.
Your Action: From the list, select an interface, for example, ge-0/0/0.

Field: Detail level
Function: Specifies the extent of detail to be displayed for the packet headers:
  Brief: Displays the minimum packet header information. This is the default.
  Detail: Displays packet header information in moderate detail.
  Extensive: Displays the maximum packet header information.
Your Action: From the list, select Brief, Detail, or Extensive.

Field: Packets
Function: Specifies the number of packets to be captured. Values range from 1 to 1000. Default is 10. Packet capture stops capturing packets after this number is reached.
Your Action: From the list, select the number of packets to be captured, for example, 10.

Field: Addresses
Function: Specifies the addresses to be matched for capturing the packets, using a combination of the following parameters:
  Direction: Matches the packet headers for the IP address, hostname, or network address of the source, the destination, or both.
  Type: Specifies whether packet headers are matched against a host address or a network address.
Your Action: Select address-matching criteria. For example:
  1. From the Direction list, select source.
  2. From the Type list, select host.
  3. In the Address box, type 10.1.40.48.
  4. Click Add.
  You can add multiple entries to refine the match criteria for addresses.

Field: Protocols
Function: Matches the protocol for which packets are captured. You can choose to capture TCP, UDP, or ICMP packets or a combination of TCP, UDP, and ICMP packets.
Your Action: From the list, select a protocol, for example, tcp.

Field: Ports
Function: Matches packet headers containing the specified source or destination TCP or UDP port number or port name.
Your Action: Select a direction and a port. For example: From the Type list, select src. In the Port box, type 23.

Advanced Options

Field: Absolute TCP Sequence
Function: Specifies that absolute TCP sequence numbers are to be displayed for the packet headers.
Your Action: To display absolute TCP sequence numbers in the packet headers, select this check box.

Field: Layer 2 Headers
Function: Specifies that link-layer packet headers are to be displayed.
Your Action: To include link-layer packet headers while capturing packets, select this check box.

Field: Non-Promiscuous
Function: Specifies not to place the interface in promiscuous mode, so that the interface reads only packets addressed to it. In promiscuous mode, the interface reads every packet that reaches it.
Your Action: To read only the packets addressed to the interface (that is, to keep the interface out of promiscuous mode), select this check box. To read every packet that reaches the interface, clear it.

Field: Display Hex
Function: Specifies that packet headers, except link-layer headers, are to be displayed in hexadecimal format.
Your Action: To display the packet headers in hexadecimal format, select this check box.

Field: Display ASCII and Hex
Function: Specifies that packet headers are to be displayed in hexadecimal and ASCII format.
Your Action: To display the packet headers in ASCII and hexadecimal formats, select this check box.

Field: Header Expression
Function: Specifies the match condition for the packets to be captured. The match conditions you specify for Addresses, Protocols, and Ports are displayed in expression format in this field.
Your Action: You can enter match conditions directly in this field in expression format or modify the expression composed from the match conditions you specified for Addresses, Protocols, and Ports. If you change the match conditions specified for Addresses, Protocols, and Ports again, packet capture overwrites your changes with the new match conditions.

Field: Packet Size
Function: Specifies the number of bytes to be captured and displayed for each packet. If a packet exceeds this size, the display is truncated for that packet. The default value is 96 bytes.
Your Action: Type the number of bytes you want to capture for each packet, for example, 256.

Field: Don't Resolve Addresses
Function: Specifies that IP addresses are not to be resolved into hostnames in the packet headers displayed.
Your Action: To prevent packet capture from resolving IP addresses to hostnames, select this check box.

Field: No Timestamp
Function: Suppresses the display of packet header timestamps.
Your Action: To stop displaying timestamps in the captured packet headers, select this check box.

Field: Write Packet Capture File
Function: Writes the captured packets to a file in PCAP format in /var/tmp. The files are named with the prefix jweb-pcap and the extension .pcap. If you select this option, the decoded packet headers are not displayed on the packet capture page.
Your Action: To write the packets to a file, select this check box. To decode and display the packet headers on the J-Web page instead, clear it. A capture of control traffic can contain cleartext credentials (port 23 in the example above is Telnet); delete the file from /var/tmp when you no longer need it.
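The following is an added example and not code from the Juniper guide or from JUNOS: a small reader for the PCAP files that the Write Packet Capture File option leaves in /var/tmp. It decodes the Ethernet, IPv4, TCP, and UDP headers and applies the same kind of match criteria the Packet Capture page composes, including the table's own example (source host 10.1.40.48, protocol tcp, src port 23) and the network-address form of the Type parameter. It handles classic pcap files with the Ethernet link type only; the capture it runs on is constructed inline with documentation addresses, and the function names are this example's own.

```python
"""Added example (not part of the Juniper guide): a reader for the PCAP files that
"Write Packet Capture File" leaves in /var/tmp (jweb-pcap*.pcap). It decodes the
Ethernet/IPv4/TCP/UDP headers and applies the same kind of criteria the Packet
Capture page composes: address match by direction and host/network, protocol,
and port. The capture it runs on is constructed in code, not taken from a switch."""
import ipaddress
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def read_pcap(data):
    """Yield (timestamp, frame_bytes) from classic pcap bytes; Ethernet link type only."""
    if len(data) < 24:
        raise ValueError("not a classic pcap file")
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record")  # the file was cut short mid-packet
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def decode(frame):
    """Flat header dict for an IPv4 frame (src, dst, proto, sport/dport); None otherwise."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    hdr = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "proto": PROTO_NAMES.get(ip[9], str(ip[9]))}
    l4 = ip[ihl:]
    if ip[9] in (6, 17) and len(l4) >= 4:  # TCP and UDP both start with the port pair
        hdr["sport"], hdr["dport"] = struct.unpack("!HH", l4[:4])
    return hdr


_ADDR_FIELDS = {"src": ("src",), "dst": ("dst",), "either": ("src", "dst")}
_PORT_FIELDS = {"src": ("sport",), "dst": ("dport",), "either": ("sport", "dport")}


def matches(hdr, addr=None, addr_dir="either", proto=None, port=None, port_dir="either"):
    """J-Web style criteria. addr may be a host (10.1.40.48) or a network (10.1.40.0/24)."""
    if hdr is None:
        return False
    if addr is not None:
        net = ipaddress.ip_network(addr, strict=False)
        if not any(ipaddress.ip_address(hdr[f]) in net for f in _ADDR_FIELDS[addr_dir]):
            return False
    if proto is not None and hdr["proto"] != proto:
        return False
    if port is not None and not any(hdr.get(f) == port for f in _PORT_FIELDS[port_dir]):
        return False
    return True


def filter_capture(data, **criteria):
    """Decoded headers of every record in the capture that matches the criteria."""
    hits = []
    for _ts, frame in read_pcap(data):
        hdr = decode(frame)
        if matches(hdr, **criteria):
            hits.append(hdr)
    return hits


def _frame(src, dst, proto, sport, dport):
    """Ethernet/IPv4/TCP-or-UDP frame with zeroed checksums; constructed test data only."""
    l4 = struct.pack("!HH", sport, dport) + (b"\0" * 16 if proto == 6 else b"\0" * 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def sample_pcap():
    """Constructed capture: a Telnet segment sent by 10.1.40.48, the client's next
    segment back to it, and an SNMP request to it from another host."""
    frames = [_frame("10.1.40.48", "10.1.40.1", 6, 23, 40001),
              _frame("10.1.40.1", "10.1.40.48", 6, 40001, 23),
              _frame("10.1.40.77", "10.1.40.48", 17, 50000, 161)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_200_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    # The table's example: Direction source, Type host, 10.1.40.48, protocol tcp, src port 23.
    for h in filter_capture(sample_pcap(), addr="10.1.40.48", addr_dir="src",
                            proto="tcp", port=23, port_dir="src"):
        print(h)
```

The reader is deliberately strict about the file format: a short record raises instead of being silently dropped, which is what you want when a capture was cut off by the Packets limit or by a file cleanup.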

Related Topics

Using the CLI Terminal on page 50

Monitoring Network Traffic Using Traceroute

Purpose

Use the Traceroute page in the J-Web interface to trace a route between the switch and a remote host. A traceroute displays the list of waypoints between the switch and a specified destination host. The output is useful for diagnosing a point of failure in the path from the switch to the destination host and for addressing network traffic latency and throughput problems.

Action

To use the traceroute tool:

1. Select Troubleshoot>Traceroute.

2. Next to Advanced options, click the expand icon.

3. Enter information into the Traceroute page, as described in Table 23 on page 104. The Remote Host field is the only required field.

4. Click Start.

5. To stop the traceroute operation before it is complete, click OK while the results of the traceroute operation are being displayed.

Meaning

The switch generates the list of waypoints by sending a series of probe packets in which the time-to-live (TTL) value is incremented by 1 for each successive waypoint. (The TTL value of the first probe is 1.) Each waypoint along the path discards the probe whose TTL expires there and replies with an ICMP Time Exceeded message, from which the waypoint's IP address is obtained.

The results of the traceroute operation are displayed in the main pane. If no options are specified, each line of the traceroute display is in the following format:

hop-number host (ip-address) [as-number] time1 time2 time3

The switch sends a total of three probe packets to each waypoint along the path and displays the round-trip time for each. If the switch times out before receiving a Time Exceeded message, an asterisk (*) is displayed for that round-trip time.
Table 23: Traceroute Field Summary

Field: Remote Host
Function: Identifies the destination host of the traceroute.
Your Action: Type the hostname or IP address of the destination host.

Advanced Options

Field: Don't Resolve Addresses
Function: Determines whether hostnames of the hops along the path are displayed, in addition to IP addresses.
Your Action: To suppress the display of the hop hostnames, select the check box.

Field: Gateway
Function: Specifies the IP address of the gateway to route through.
Your Action: Type the gateway IP address.

Field: Source Address
Function: Specifies the source address of the outgoing traceroute packets.
Your Action: Type the source IP address.

Field: Bypass Routing
Function: Determines whether traceroute packets are routed by means of the routing table. If the routing table is not used, traceroute packets are sent only to hosts on the interface specified in the Interface box. If the host is not on that interface, no traceroute responses are received.
Your Action: To bypass the routing table and send the traceroute packets to hosts on the specified interface only, select the check box.

Field: Interface
Function: Specifies the interface on which the traceroute packets are sent.
Your Action: From the list, select the interface on which traceroute packets are sent. If you select any, the traceroute requests are sent on all interfaces.

Field: Time-to-live
Function: Specifies the maximum time-to-live (TTL) hop count for the traceroute request packet.
Your Action: From the list, select the TTL.

Field: Type-of-Service
Function: Specifies the type-of-service (TOS) value to include in the IP header of the traceroute request packet.
Your Action: From the list, select the decimal value of the TOS field.

Field: Resolve AS Numbers
Function: Determines whether the autonomous system (AS) number of each intermediate hop between the switch and the destination host is displayed.
Your Action: To display the AS numbers, select the check box.
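The following is an added example, not part of the Juniper guide: a parser for the traceroute output format described above (hop-number host (ip-address) [as-number] time1 time2 time3), including hops that time out and print an asterisk for a lost probe, plus the two questions you usually ask of the result: which hop went silent, and whether the destination was reached. The output it parses is constructed here with documentation addresses, not taken from a switch, and the function names are this example's own.

```python
"""Added example (not part of the Juniper guide): parse traceroute output lines of the
form "hop-number host (ip-address) [as-number] time1 time2 time3", where a lost probe
is printed as "*". The sample output below is constructed with documentation addresses."""
import re

HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rest>.*?)\s*$")
HOST_RE = re.compile(
    r"^(?P<host>\S+)\s+\((?P<ip>[\d.]+)\)(?:\s+\[(?P<asn>AS\d+)\])?\s*(?P<times>.*)$")
TIME_RE = re.compile(r"(\*|\d+(?:\.\d+)?)(?:\s*ms)?")  # "12.002 ms" or "*"

SAMPLE_OUTPUT = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 40 byte packets
 1  gw.example.net (10.1.40.1)  0.512 ms  0.430 ms  0.398 ms
 2  198.51.100.1 (198.51.100.1) [AS64496]  1.204 ms  1.150 ms  1.311 ms
 3  * * *
 4  198.51.100.9 (198.51.100.9) [AS64496]  12.002 ms * 11.870 ms
 5  192.0.2.10 (192.0.2.10) [AS64497]  14.311 ms  14.020 ms  14.198 ms
"""


def parse_hop(line):
    """One output line -> dict with hop, host, ip, asn and rtts (None for a lost probe).
    Lines that are not hop lines (the banner, blank lines) give None."""
    m = HOP_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    hop = {"hop": int(m.group("hop")), "host": None, "ip": None, "asn": None, "rtts": []}
    hm = HOST_RE.match(rest)
    times = rest                      # a fully silent hop is just "* * *"
    if hm:
        hop["host"], hop["ip"], hop["asn"] = hm.group("host"), hm.group("ip"), hm.group("asn")
        times = hm.group("times")
    hop["rtts"] = [None if t == "*" else float(t) for t in TIME_RE.findall(times)]
    return hop


def parse_traceroute(text):
    """All hop lines of a traceroute display, in order."""
    return [h for h in map(parse_hop, text.splitlines()) if h]


def first_silent_hop(hops):
    """Number of the first hop that answered none of its probes, or None. A silent hop
    followed by answering hops is usually a router that does not send Time Exceeded
    messages; a silent hop with nothing after it is where the path breaks."""
    for h in hops:
        if h["rtts"] and all(r is None for r in h["rtts"]):
            return h["hop"]
    return None


def reached(hops, destination_ip):
    """True if the last hop that answered is the destination itself."""
    answered = [h for h in hops if h["ip"] is not None]
    return bool(answered) and answered[-1]["ip"] == destination_ip


def worst_rtt(hops):
    """(hop number, highest RTT in ms) over all answered probes; None if nothing answered."""
    worst = None
    for h in hops:
        for r in h["rtts"]:
            if r is not None and (worst is None or r > worst[1]):
                worst = (h["hop"], r)
    return worst


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_OUTPUT)
    print("silent hop:", first_silent_hop(hops))
    print("reached:", reached(hops, "192.0.2.10"), "worst:", worst_rtt(hops))
```

Hop 3 in the sample answers nothing yet hops 4 and 5 answer normally, which is the common case of a router that drops or rate-limits its Time Exceeded replies rather than a real break; the parser keeps the three per-hop results so that distinction is visible instead of being collapsed into a single failure flag.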

Related Topics

Connecting and Configuring the EX-series Switch (CLI Procedure) on page 57

Connecting and Configuring the EX-series Switch (J-Web Procedure) on page 58

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289

Monitoring Interface Status and Traffic on page 299

Monitoring System Properties

Purpose

Use the monitoring functionality to view system properties such as the name and IP address of the switch and resource usage.

Action

To monitor system properties in the J-Web interface, select Monitor > System View > System Information.

To monitor system properties in the CLI, enter the following commands:

show system uptime
show system users
show system storage

Meaning

Table 24 on page 105 summarizes key output fields in the system properties display.

Table 24: Summary of Key System Properties Output Fields

General Information

Field: Serial Number
Values: Serial number for the switch.

Field: JUNOS Software Version
Values: Version of JUNOS software active on the switch, including whether the software is for domestic or export use.
Additional Information: Export software is for use outside of the U.S. and Canada.

Time Information

Field: Current Time
Values: Current system time, in Coordinated Universal Time (UTC).

Field: System Booted Time
Values: Date and time when the switch was last booted and how long it has been running.

Field: Protocol Started Time
Values: Date and time when the switching protocols were last started and how long they have been running.

Field: Last Configured Time
Values: Date and time when a configuration was last committed. This field also shows the name of the user who issued the last commit command, through either the J-Web interface or the CLI.

Field: Load Average
Values: The CPU load average for 1, 5, and 15 minutes.

Used Memory

Field: Used Memory
Values: Memory usage details of all the USB partitions.

Logged in Users Details

Field: User
Values: Username of any user logged in to the switching platform.

Field: Terminal
Values: Terminal through which the user is logged in.

Field: From
Values: System from which the user has logged in. A hyphen indicates that the user is logged in through the console.

Field: Login Time
Values: Time when the user logged in.
Additional Information: This is the LOGIN@ field in show system users command output.

Field: Idle Time
Values: How long the user has been idle.

Related Topics

Monitoring System Process Information on page 106

Understanding J-Web User Interface Sessions on page 53

Monitoring System Process Information

Purpose

Use the monitoring functionality to view the processes running on the switch.

Action

To view the software processes running on the switch in the J-Web interface, select Monitor>System View>Process Details.

To view the software processes running on the switch in the CLI, enter the following command:

show system processes

Meaning

Table 25 on page 106 summarizes the output fields in the system process information display. The display includes the total CPU load and total memory utilization.

Table 25: Summary of System Process Information Output Fields

Field: PID
Values: Identifier of the process.

Field: Name
Values: Owner of the process.

Field: State
Values: Current state of the process.

Field: CPU Load
Values: Percentage of the CPU that is being used by the process.

Field: Memory Utilization
Values: Amount of memory that is being used by the process.

Field: Start Time
Values: Time of day when the process started.

Related Topics

Monitoring System Properties on page 105

For more information about the show system commands, see show system uptime on page 246

Rebooting or Halting the EX-series Switch (J-Web Procedure)

You can use the J-Web interface to schedule a reboot or to halt the switching platform.

To reboot or halt the switching platform by using the J-Web interface:

1. In the J-Web interface, select Maintain>Reboot.

2. Select one:

Reboot Immediately: Reboots the switching platform immediately.

Reboot in number of minutes: Reboots the switch in the number of minutes from now that you specify.

Reboot when the system time is hour:minute: Reboots the switch at the absolute time that you specify, on the current day. You must select a 2-digit hour in 24-hour format and a 2-digit minute.

Halt Immediately: Stops the switching platform software immediately. After the switching platform software has stopped, you can access the switching platform through the console port only.

3. (Optional) In the Message box, type a message to be displayed to any users on the switching platform before the reboot occurs.

4. Click Schedule. The J-Web interface requests confirmation to perform the reboot or halt.

5. Click OK to confirm the operation.

If the reboot is scheduled to occur immediately, the switch reboots. You cannot access the J-Web interface until the switch has restarted and the boot sequence is complete. After the reboot is complete, refresh the browser window to display the J-Web interface login page.

If the reboot is scheduled to occur in the future, the Reboot page displays the time until reboot. You have the option to cancel the request by clicking Cancel Reboot on the J-Web interface Reboot page.

If the switch is halted, all software processes stop and you can access the switching platform through the console port only. Reboot the switch by pressing any key on the console keyboard.

Related Topics

Starting the J-Web Interface on page 52

Managing Users (J-Web Procedure)

You can use the Users Configuration page to add new users to a switching platform. For each account, you define a login name and password for the user and specify a login class for access privileges.

To configure users:

1. In the J-Web interface, select Configure>System Properties>User Management.

The User Management page displays details of the users, the authentication order, and the RADIUS servers and TACACS servers present.

2. Click Edit.

3. Click any of the following options on the Users tab:

Add: Select this option to add a user. Enter details as described in Table 26 on page 109.

Edit: Select this option to edit an existing user's details. Enter details as described in Table 26 on page 109.

Delete: Select this option to delete a user.

4. Click any desired option on the Authentication Methods and Order tab:

Authentication Order: Drag and drop the authentication type from the Available Methods section to the Selected Methods section. Click the up or down buttons to modify the authentication order.

RADIUS server: Click one:

Add: Select this option to add an authentication server. Enter details as described in Table 27 on page 109.

Edit: Select this option to modify the authentication server details. Enter details as described in Table 27 on page 109.

Delete: Select this option to delete an authentication server from the list.

TACACS server: Click one:

Add: Select this option to add an authentication server. Enter details as described in Table 27 on page 109.

Edit: Select this option to modify the authentication server details. Enter details as described in Table 27 on page 109.

Delete: Select this option to delete an authentication server from the list.

Table 26: User Management > Add a User Configuration Page Summary

User Information

Field: Username (required)
Function: Specifies the name that identifies the user.
Your Action: Type the username. It must be unique within the switching platform. Do not include spaces, colons, or commas in the username.

Field: Full Name
Function: Specifies the user's full name.
Your Action: Type the user's full name. If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas.

Field: Login Class (required)
Function: Defines the user's access privilege.
Your Action: Select the user's login class from the list: operator, read-only, super-user/superuser, or unauthorized. This list also includes any user-defined login classes.

Field: Login Password (required)
Function: Specifies the login password for this user.
Your Action: Type the login password for this user. The login password must meet these criteria:
  The password must be at least 6 characters long.
  It can include alphabetic, numeric, and special characters, but not control characters.
  It must contain at least one change of case or character class.

Field: Confirm Password (required)
Function: Verifies the login password for this user.
Your Action: Retype the login password for this user.
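The following is an added example, not part of the Juniper guide: it encodes the three password rules listed in Table 26 as a check that a provisioning script can run before submitting the form, so that a password the switch would refuse is caught up front. The rule set is the guide's; the function names and sample passwords are this example's own, and the rules are a floor rather than a strong policy.

```python
"""Added example (not part of the Juniper guide): check a candidate login password
against the rules in Table 26: at least 6 characters; alphabetic, numeric and special
characters allowed but no control characters; at least one change of case or
character class. Function names and sample inputs are this example's own."""
import unicodedata


def char_class(ch):
    """lower, upper, digit, special, or control (the one class the rules forbid)."""
    if unicodedata.category(ch).startswith("C"):
        return "control"
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "special"


def check_login_password(password, min_length=6):
    """Return the list of rule violations; an empty list means the password satisfies
    the Table 26 rules. Order of the list is fixed: length, control characters, class."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [char_class(c) for c in password]
    if "control" in classes:
        problems.append("contains a control character")
    # "At least one change of case or character class": two adjacent characters of
    # different classes somewhere in the string, which is equivalent to the string
    # using more than one class overall (control characters are already rejected).
    if len({c for c in classes if c != "control"}) < 2:
        problems.append("no change of case or character class")
    return problems


if __name__ == "__main__":
    for candidate in ("abcdef", "abcdeF", "abcde1", "Ab1", "abc\tdeF"):
        print(repr(candidate), check_login_password(candidate) or "ok")
```

Because the check returns every violated rule rather than stopping at the first, a script can report all of them at once instead of making the user resubmit the form rule by rule.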

Table 27: Add an Authentication Server

Field: IP Address
Function: Specifies the IP address of the server.
Your Action: Type the server's 32-bit IP address, in dotted decimal notation.

Field: Password
Function: Specifies the shared secret used to authenticate the switch to the server.
Your Action: Type the password of the server.

Field: Confirm Password
Function: Verifies that the password of the server is entered correctly.
Your Action: Retype the password of the server.

Field: Server Port Number
Function: Specifies the port with which the server is associated.
Your Action: Type the port number.

Field: Source Address
Function: Specifies the source address that the switch uses for requests to the server.
Your Action: Type the switch's 32-bit IP address, in dotted decimal notation.

Field: Retry Attempts
Function: Specifies the number of times the switch retries a request to the server after a failure.
Your Action: Type the number.
NOTE: Only 1 retry is permitted for a TACACS server.

Field: Timeout
Function: Specifies the time interval to wait before the connection to the server is closed.
Your Action: Type the interval in seconds.

Related Topics

Configuring Management Access for the EX-series Switch (J-Web Procedure) on page 93

Managing Log, Temporary, and Crash Files on the Switch (J-Web Procedure)
You can use the J-Web interface to rotate log files and delete unnecessary log,
temporary, and crash files on the switching platform.
1. Cleaning Up Files on page 110
2. Downloading Files on page 111
3. Deleting Files on page 111

Cleaning Up Files
If you are running low on storage space, use the file cleanup procedure to quickly
identify files to delete.
The file cleanup procedure performs the following tasks:

Rotates log files: Archives the current log files, and creates fresh log files.

Deletes log files in /var/log: Deletes files that are not currently being written to.

Deletes temporary files in /var/tmp: Deletes files that have not been accessed within two days. The PCAP files written by the J-Web Packet Capture feature are among these.

Deletes all crash files in /var/crash: Deletes core files that the switch has written during an error.

To rotate log files and delete unnecessary files with the J-Web interface:

1. Select Maintain>Files.

2. In the Clean Up Files section, click Clean Up Files. The switching platform rotates log files and identifies files that can be safely deleted.

The J-Web interface displays the files that you can delete and the amount of space that will be freed on the file system.

3. Click one:

To delete the files and return to the Files page, click OK.

To cancel your entries and return to the list of files in the directory, click Cancel.

Downloading Files

You can use the J-Web interface to download a copy of an individual log, temporary, or crash file from the switching platform. When you download a file, it is not deleted from the file system.

To download files with the J-Web interface:

1. In the J-Web interface, select Maintain>Files.

2. In the Download and Delete Files section, click one:

Log Files: Lists the log files in the /var/log directory on the switching platform.

Temporary Files: Lists the temporary files in the /var/tmp directory on the switching platform.

Crash (Core) Files: Lists the core files in the /var/crash directory on the switching platform.

The J-Web interface displays the files located in the directory.

3. Select the files that you want to download and click Download.

4. Choose a location for the saved file. The file is saved as a text file, with a .txt file extension.

Deleting Files

You can use the J-Web interface to delete an individual log, temporary, or crash file from the switching platform. When you delete a file, it is permanently removed from the file system.

CAUTION: If you are unsure whether to delete a file from the switching platform,
we recommend using the Clean Up Files tool described in Cleaning Up Files. This
tool determines which files can be safely deleted from the file system.
To delete files with the J-Web interface:

1. Select Maintain>Files.

2. In the Download and Delete Files section, click one:

Log Files: Lists the log files in the /var/log directory on the switching platform.

Temporary Files: Lists the temporary files in the /var/tmp directory on the switching platform.

Crash (Core) Files: Lists the core files in the /var/crash directory on the switching platform.

The J-Web interface displays the files in the directory.

3. Select the box next to each file you plan to delete.

4. Click Delete. The J-Web interface displays the files you can delete and the amount of space that will be freed on the file system.

5. Click one of the following buttons on the confirmation page:

To delete the files and return to the Files page, click OK.

To cancel your entries and return to the list of files in the directory, click Cancel.

Setting or Deleting the Rescue Configuration (CLI Procedure)

A rescue configuration is a previously defined, valid configuration with a known state that you can roll back to at any time.

You use the rescue configuration when you need to roll back to a known configuration, when your switch configuration or the backup configuration files become damaged beyond repair, or when you lose management access to the switch.

The rescue configuration must have been set previously, through either the J-Web interface or the CLI.

To set the current active configuration as the rescue configuration:

user@switch> request system configuration rescue save
user@switch>

To activate the rescue configuration:

[edit]
user@switch# rollback rescue
load complete
[edit]
user@switch# commit

To delete an existing rescue configuration:

user@switch> request system configuration rescue delete

NOTE: If the rescue configuration does not exist, or if the rescue configuration is not a complete, viable configuration, the rollback command fails, an error message appears, and the current configuration remains active.

NOTE: Because the rescue configuration is a snapshot, rolling back to it also restores the user accounts, passwords, and keys that were in effect when it was saved. Review them after you commit, and save a new rescue configuration after you rotate credentials.

Related Topics

Setting or Deleting the Rescue Configuration (J-Web Procedure) on page 113

Loading a Previous Configuration File (CLI Procedure) on page 77

Setting or Deleting the Rescue Configuration (J-Web Procedure)

A rescue configuration is a previously defined, valid configuration with a known state that you can roll back to at any time.

You use the rescue configuration when you need to roll back to a known configuration, when your switch configuration or the backup configuration files become damaged beyond repair, or when you lose management access to the switch.

The rescue configuration must have been set previously, through either the J-Web interface or the CLI.

To view, set, or delete the rescue configuration using the J-Web interface, select Maintain > Config Management > Rescue. On the Rescue page, you can perform the following tasks:

View the current rescue configuration: Click View rescue configuration.

Set the current running configuration as the rescue configuration: Click Set rescue configuration.

Delete the current rescue configuration: Click Delete rescue configuration.

Related Topics

Setting or Deleting the Rescue Configuration (CLI Procedure) on page 112

Configuration Files Terms on page 72

Checking Active Alarms with the J-Web Interface

Purpose

Use the monitoring functionality to view alarm information for the EX-series switches, including alarm type, alarm severity, and a brief description for each active alarm on the switching platform.

Action

To view the active alarms:

1. Select Monitor > Events and Alarms > View Alarms in the J-Web interface.

2. Select an alarm filter based on alarm type, severity, description, and date range.

3. Click Go. All the alarms matching the filter are displayed.

NOTE: When the switch is reset, the active alarms are displayed.

Meaning

Table 28 on page 114 lists the alarm output fields.

Table 28: Summary of Key Alarm Output Fields

Field: Type
Values: Category of the alarm:
  Chassis: Indicates an alarm condition on the chassis (typically an environmental alarm such as one related to temperature).
  System: Indicates an alarm condition in the system.

Field: Severity
Values: Alarm severity, either major (red) or minor (yellow).

Field: Description
Values: Brief synopsis of the alarm.

Field: Time
Values: Date and time when the failure was detected.

Related Topics

Monitoring System Log Messages on page 114

Understanding How to Use the J-Web Interface to View System Information

Understanding Alarm Types and Severity Levels on EX-series Switches on page 91

Monitoring System Log Messages

Purpose

Use the monitoring functionality to filter and view system log messages.

Action

To view events in the J-Web interface, select Monitor > Events and Alarms > View Events.

Apply a filter or a combination of filters to view messages. You can use filters to display relevant events. Table 29 on page 114 describes the different filters, their functions, and the associated actions.

To view events in the CLI, enter the following command:

show log

Table 29: Filtering System Log Messages

Field: System Log File
Function: Specifies the name of a system log file for which you want to display the recorded events. Lists the names of all the system log files that you configure. By default, a log file, messages, is included in the /var/log/ directory.
Your Action: To specify events recorded in a particular file, select the system log filename from the list, for example, messages.

Field: Event ID
Function: Specifies the event ID for which you want to display the messages. Allows you to type part of the ID and completes the remainder automatically. An event ID, also known as a system log message code, uniquely identifies a system log message. It begins with a prefix that indicates the generating software process or library.
Your Action: To specify events with a specific ID, type the partial or complete ID, for example, TFTPD_AF_ERR.

Field: Text in Event Description
Function: Specifies text from the description of events that you want to display. Allows you to use regular expressions to match text from the event description.
NOTE: Regular expression matching is case-sensitive.
Your Action: To specify events with a specific description, type a text string from the description as a regular expression. For example, type ^Initial* to display all messages with lines beginning with the term Initial.

Field: Process
Function: Specifies the name of the process generating the events you want to display. To view all the processes running on your system, enter the CLI command show system processes. For more information about processes, see the JUNOS Software Installation and Upgrade Guide at www.juniper.net/techpubs.
Your Action: To specify events generated by a process, type the name of the process. For example, type mgd to list all messages generated by the management process.

Field: Start Time / End Time
Function: Specifies the time period in which the events you want displayed are generated. Displays a calendar that allows you to select the year, month, day, and time. It also allows you to select the local time. By default, the messages generated in the last hour are displayed. End Time shows the current time and Start Time shows the time one hour before End Time.
Your Action: To specify the time period:
- Select the Start Time checkbox and select the year, month, date, and time, for example, 02/10/2007 11:32.
- Select the End Time checkbox and select the year, month, date, and time, for example, 02/10/2007 3:32.
To select the current time as the start time, select local time.

Field: Number of Events to Display
Function: Specifies the number of events to be displayed on the View Events page. By default, the View Events page displays 25 events.
Your Action: To view a specified number of events, select the number from the list, for example, 50.

Field: OK
Function: Applies the specified filter and displays the matching messages.
Your Action: To apply the filter, click OK.

Meaning

Table 30 on page 116 describes the Event Summary fields.


NOTE: By default, the View Events page in the J-Web interface displays the most recent 25 events, with severity levels highlighted in different colors. After you specify the filters, Event Summary displays the events matching the specified filters. Click the First, Next, Prev, and Last links to navigate through messages.

Table 30: Viewing System Log Messages

Field: Time
Function: Displays the time at which the message was logged.

Field: Process
Function: Displays the name and ID of the process that generated the system log message.
Additional Information: The information displayed in this field is different for messages generated on the local Routing Engine than for messages generated on another Routing Engine (on a system with two Routing Engines installed and operational). Messages from the other Routing Engine also include the identifiers re0 and re1 to identify the Routing Engine.

Field: Event ID
Function: Displays a code that uniquely identifies the message. The prefix on each code identifies the message source, and the rest of the code indicates the specific event or error. Displays context-sensitive help that provides more information about the event:
- Help: Short description of the message.
- Description: More detailed explanation of the message.
- Type: Category to which the message belongs.
- Severity: Level of severity.
Additional Information: The event ID begins with a prefix that indicates the generating software process. Some processes on a switching platform do not use codes. This field might be blank in a message generated from such a process. An Event can belong to one of the following Type categories:
- Error: Indicates an error or failure condition that might require corrective action.
- Event: Indicates a condition or occurrence that does not generally require corrective action.

Field: Event Description
Function: Displays a more detailed explanation of the message.

Field: Severity
Function: Severity level of a message is indicated by different colors:
- Unknown (gray): Indicates no severity level is specified.
- Debug/Info/Notice (green): Indicates conditions that are not errors but are of interest or might warrant special handling.
- Warning (yellow): Indicates conditions that warrant monitoring.
- Error (blue): Indicates standard error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels.
- Critical (pink): Indicates critical conditions, such as hard drive errors.
- Alert (orange): Indicates conditions that require immediate correction, such as a corrupted system database.
- Emergency (red): Indicates system panic or other conditions that cause the switching platform to stop functioning.
Additional Information: A severity level indicates how seriously the triggering event affects switch functions. When you configure a location for logging a facility, you also specify a severity level for the facility. Only messages from the facility that are rated at that level or higher are logged to the specified file.

Related Topics

- Checking Active Alarms with the J-Web Interface on page 113
- Understanding Alarm Types and Severity Levels on EX-series Switches on page 91
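The View Events filters of Table 29 (process, partial event ID, case-sensitive regular expression on the description, time window, number of events) applied to log lines in a script, as an added example that is not part of the Juniper guide. The log line layout, the process names and the sample lines are assumptions constructed to resemble /var/log/messages entries; TFTPD_AF_ERR is the code the table itself uses.

```python
"""Filter JUNOS-style system log lines the way the J-Web View Events filters do.

Added example, not code from the Juniper guide. The line layout is an
assumption, constructed to resemble entries in /var/log/messages:
    "Feb 10 11:32:41 switch tftpd[2201]: TFTPD_AF_ERR: Unexpected address family"
"""
import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample log lines (not captured from a real switch). The third
# line carries no event ID: some processes do not use message codes.
SAMPLE_LOG = """\
Feb 10 10:05:12 switch mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation
Feb 10 11:32:41 switch tftpd[2201]: TFTPD_AF_ERR: Unexpected address family 99
Feb 10 11:40:03 switch init: Initial system startup complete
Feb 10 11:41:17 switch sshd[3344]: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '192.0.2.10'
Feb 10 11:45:59 switch mgd[1234]: UI_LOGIN_EVENT: User 'admin' login, class 'super-user'
Feb 10 12:02:00 switch snmpd[1500]: SNMPD_AUTH_FAILURE: initial authentication failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "       # syslog timestamp (no year)
    r"(?P<host>\S+) "
    r"(?P<proc>[A-Za-z0-9_.-]+)(?:\[(?P<pid>\d+)\])?: "     # process name and optional PID
    r"(?:(?P<event_id>[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+): )?"   # message code, e.g. TFTPD_AF_ERR
    r"(?P<desc>.*)$"
)


def parse_line(line: str, year: int = 2007) -> Optional[dict]:
    """Split one line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year, so the caller supplies one (2007 here).
    rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    # The prefix of an event ID names the process or library that generated it.
    rec["id_prefix"] = rec["event_id"].split("_", 1)[0] if rec["event_id"] else None
    return rec


def default_window(now: datetime):
    """View Events default: End Time is now, Start Time is one hour earlier."""
    return now - timedelta(hours=1), now


def filter_events(log_text: str, *, process: Optional[str] = None,
                  event_id: Optional[str] = None, description: Optional[str] = None,
                  start: Optional[datetime] = None, end: Optional[datetime] = None,
                  limit: int = 25) -> list:
    """Apply the View Events filters: process name, partial or complete event ID,
    case-sensitive regular expression on the description, time window, and the
    number of events to display (25 by default)."""
    desc_re = re.compile(description) if description else None  # case-sensitive, as in J-Web
    matches = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if process and rec["proc"] != process:
            continue
        if event_id and not (rec["event_id"] or "").startswith(event_id):
            continue
        if desc_re and not desc_re.search(rec["desc"]):
            continue
        if start and rec["time"] < start:
            continue
        if end and rec["time"] > end:
            continue
        matches.append(rec)
        if len(matches) >= limit:
            break
    return matches
```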


Chapter 12

Troubleshooting Basic System Functions

- Troubleshooting Loss of the Root Password on page 119

Troubleshooting Loss of the Root Password

Problem

If you forget the root password for the switch, you can use the password recovery procedure to reset the root password.

NOTE: You need physical access to the switch to recover the root password.

Solution

To recover the root password:

1. Power off your switch by unplugging the power cord or turning off the power at the wall switch.

2. Insert one end of the Ethernet cable into the serial port on the management device and connect the other end to the console port on the back of the switch. See Figure 5 on page 119.

Figure 5: Connecting to the Console Port on the EX-series Switch

3. On the management device, start your asynchronous terminal emulation application (such as Microsoft Windows Hyperterminal) and select the appropriate COM port to use (for example, COM1).

4. Configure the port settings as follows:
   - Bits per second: 9600
   - Data bits: 8
   - Parity: None
   - Stop bits: 1
   - Flow control: None

5. Power on your switch by plugging in the power cord or turning on the power at the wall switch.

6. When the following prompt appears, press the Spacebar to access the switch's bootstrap loader command prompt:

   Hit [Enter] to boot immediately, or space bar for command prompt.
   Booting [kernel] in 1 second...

7. At the following prompt, type boot -s to start up the system in single-user mode:

   loader> boot -s

8. At the following prompt, type recovery to start the root password recovery procedure:

   Enter full path name of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

   A series of messages describe consistency checks, mounting of filesystems, and initialization and checkout of management services. Then the CLI prompt appears.

9. Enter configuration mode in the CLI:

   user@switch> cli

10. Set the root password. For example:

   user@switch# set system root-authentication plain-text-password

11. At the following prompt, enter the new root password. For example:

   New password: juniper1
   Retype new password:

12. At the second prompt, reenter the new root password.

13. If you are finished configuring the network, commit the configuration.

   root@switch# commit
   commit complete

14. Exit configuration mode in the CLI.

   root@switch# exit

15. Exit operational mode in the CLI.

   root@switch> exit

16. At the prompt, enter y to reboot the switch.

   Reboot the system? [y/n] y

Related Topics

- Connecting and Configuring the EX-series Switch (CLI Procedure) on page 57
- Connecting and Configuring the EX-series Switch (J-Web Procedure) on page 58
- For information about configuring an encrypted root password, configuring SSH keys to authenticate root logins, and configuring special requirements for plain-text passwords, see the JUNOS System Basics Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/.


Chapter 13

Configuration Statements for Basic System Functions

radius-options

Syntax

radius-options {
    attributes {
        nas-ip-address ip-address;
    }
    password-protocol mschap-v2;
}

Hierarchy Level

[edit system]

Release Information

Statement introduced in JUNOS Release 8.3. The MS-CHAPv2 password protocol configuration option introduced in JUNOS 9.2.

Description

Configure RADIUS options: the NAS-IP address for outgoing RADIUS packets and the password protocol used in RADIUS packets.

Options

nas-ip-address: IP address of the network access server (NAS) that requests user authentication.
mschap-v2: Password protocol MS-CHAPv2, used in RADIUS packets.

Required Privilege Level

system: To view this statement in the configuration.
system-control: To add this statement to the configuration.

Related Topics

- Managing MS-CHAPv2 for password-change support on page 97
- Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761


Chapter 14

Operational Mode Commands for Basic System Functions

clear snmp rmon history

Syntax

clear snmp rmon history <interface-name | all>

Release Information

Command introduced in JUNOS Release 9.0 for EX-series switches.

Description

Delete the samples of Ethernet statistics collected, but do not delete the RMON history configuration.

The clear snmp rmon history command deletes all the samples collected for the interface configured for the history group, but not the configuration of that group. If you want to delete the RMON history group configuration, you must use the delete snmp rmon history configuration-mode command.

Options

interface-name: Delete the samples of Ethernet statistics collected for this interface.
all: Delete the samples of Ethernet statistics collected for all interfaces that have been configured for RMON monitoring.

Required Privilege Level

clear

Related Topics

- show snmp rmon history on page 1160

show snmp rmon history

Syntax

show snmp rmon history
    <history-index>
    <sample-index>

Release Information

Command introduced in JUNOS Release 9.0 for EX-series switches.

Description

Display the contents of the RMON history group.

Options

none: Display all the entries in the RMON history group.
history-index: (Optional) Display the contents of the specified entry in the RMON history group.
sample-index: (Optional) Display the statistics collected for the specified sample within the specified entry in the RMON history group.

Required Privilege Level

view

Related Topics

- clear snmp rmon history on page 1160

List of Sample Output

- show snmp rmon history 1 on page 128
- show snmp rmon history 1 sample 15 on page 129

Output Fields

Table 31 on page 127 lists the output fields for the show snmp rmon history command. Output fields are listed in the approximate order in which they appear.

Table 31: show snmp rmon history Output Fields

Field Name: History Index
Field Description: Identifies this RMON history entry within the RMON history group.

Field Name: Owner
Field Description: The entity that configured this entry. Range is 0 to 32 alphanumeric characters.

Field Name: Status
Field Description: The status of the RMON history entry.

Field Name: Interface or Data Source
Field Description: The ifIndex object that identifies the interface that is being monitored.

Field Name: Interval
Field Description: The interval (in seconds) configured for this RMON history entry.

Field Name: Buckets Requested
Field Description: The requested number of buckets (intervals) configured for this RMON history entry.

Field Name: Buckets Granted
Field Description: The number of buckets granted for this RMON history entry.


Table 31: show snmp rmon history Output Fields (continued)

Field Name: Sample Index
Field Description: The sample statistics taken at the specified interval.
- Drop Events: Number of packets dropped by the input queue of the I/O Manager ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism.
- Octets: Total number of octets and packets. For Gigabit Ethernet IQ PICs, the received octets count varies by interface type.
- Packets: Total number of packets.
- Broadcast Packets: Number of broadcast packets.
- Multicast Packets: Number of multicast packets.
- CRC errors: Total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, and had either a bad FCS with an integral number of octets (FCS error) or a bad FCS with a nonintegral number of octets (alignment error).
- Undersize Pkts: Number of packets received during this sampling interval that were less than 64 octets long (excluding framing bits but including FCS octets) and were otherwise well formed.
- Oversize Pkts: Number of packets received during the sampling interval that were longer than 1518 octets (excluding framing bits, but including FCS octets) but were otherwise well formed.
- Fragments: Total number of packets that were less than 64 octets in length (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. Fragment frames normally increment because both runts (which are normal occurrences caused by collisions) and noise hits are counted.
- Jabbers: Number of frames that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS error or an alignment error. This definition of jabber is different from the definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2). These documents define jabber as the condition in which any packet exceeds 20 ms. The allowed range to detect jabber is from 20 ms to 150 ms.
- Collisions: Number of Ethernet collisions. The Gigabit Ethernet PIC supports only full-duplex operation, so for Gigabit Ethernet PICs, this number should always remain 0. If it is nonzero, there is a software bug.
- Utilization(%): The best estimate of the mean physical layer network utilization on this interface during this sampling interval, in hundredths of a percent.

Sample Output

show snmp rmon history 1

user@host> show snmp rmon history 1
History Index 1:
Interface            171
Requested Buckets    50
Interval             10
Sample Index 1: Interval Start: Tue Feb 12 04:12:32 2008
Drop Events          0
Octets               486
Packets              2
Broadcast Packet     0
Multicast Packets    2

CRC errors           0
Undersize Pkts       0
Oversize Pkts        0
Fragments            0
Jabbers              0
Collisions           0
Utilization(%)       0
Sample Index 2: Interval Start: Tue Feb 12 04:12:42 2008
Drop Events          0
Octets               486
Packets              2
Broadcast Packet     0
Multicast Packets    2
CRC errors           0
Undersize Pkts       0
Oversize Pkts        0
Fragments            0
Jabbers              0
Collisions           0
Utilization(%)       0
Sample Index 3: Interval Start: Tue Feb 12 04:12:52 2008
Drop Events          0
Octets               486
Packets              2
Broadcast Packet     0
Multicast Packets    2
CRC errors           0
Undersize Pkts       0
Oversize Pkts        0
Fragments            0
Jabbers              0
Collisions           0
Utilization(%)       0

show snmp rmon history 1 sample 15

user@host> show snmp rmon history 1 sample 15
Index 1
Owner = monitor
Status = valid
Data Source = ifIndex.17
Interval = 1800
Buckets Requested = 50
Buckets Granted = 50
Sample Index 44: Interval Start: Thu Jan  1 00:08:35 1970
Drop Events = 0
Octetes = 0
Packets = 0
Broadcast Pkts = 0
Multicast Pkts = 0
CRC Errors = 0
Undersize Pkts = 0
Oversize Pkts = 0
Fragments = 0
Jabbers = 0
Collisions = 0
Utilization (%) = 0
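A parser for the key = value layout of the show snmp rmon history sample output above, followed by checks that apply the Table 31 field semantics (collisions must stay 0 on a full-duplex Gigabit Ethernet PIC, drop events mean a saturated input queue, CRC errors, fragments and jabbers are all FCS or alignment errors). This is an added example, not Juniper code; SAMPLE_OUTPUT is constructed in the page's layout with nonzero counters so that every check fires.

```python
"""Parse 'show snmp rmon history <index> sample <n>' output and check the
counters against the field semantics the command reference gives.

Added example, not Juniper code. SAMPLE_OUTPUT is constructed to mirror the
sample output in the reference; its counter values are made up so that each
check below triggers at least once.
"""
import re

SAMPLE_OUTPUT = """\
Index 1
Owner = monitor
Status = valid
Data Source = ifIndex.17
Interval = 1800
Buckets Requested = 50
Buckets Granted = 48
Sample Index 44: Interval Start: Thu Jan  1 00:08:35 1970
Drop Events = 3
Octetes = 91250
Packets = 120
Broadcast Pkts = 4
Multicast Pkts = 10
CRC Errors = 2
Undersize Pkts = 0
Oversize Pkts = 0
Fragments = 1
Jabbers = 0
Collisions = 5
Utilization (%) = 7
"""

INDEX_RE = re.compile(r"^Index (\d+)$")
SAMPLE_RE = re.compile(r"^Sample Index (\d+): Interval Start: (.+)$")
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ()%]*?)\s*=\s*(\S+)\s*$")

# The output spells some counters differently from the field table
# ("Octetes", "Broadcast Packet", "CRC errors"); map each to one name.
ALIASES = {
    "Octetes": "Octets",
    "Broadcast Packet": "Broadcast Pkts",
    "Broadcast Packets": "Broadcast Pkts",
    "Multicast Packets": "Multicast Pkts",
    "CRC errors": "CRC Errors",
    "Utilization(%)": "Utilization (%)",
}


def parse_history_sample(text: str) -> dict:
    """Return the entry header fields plus a 'counters' dict for the sample."""
    entry = {"counters": {}}
    in_sample = False
    for line in text.splitlines():
        m = INDEX_RE.match(line)
        if m:
            entry["history_index"] = int(m.group(1))
            continue
        m = SAMPLE_RE.match(line)
        if m:
            entry["sample_index"] = int(m.group(1))
            entry["interval_start"] = m.group(2).strip()
            in_sample = True
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key = ALIASES.get(m.group(1), m.group(1))
        val = m.group(2)
        if in_sample:
            entry["counters"][key] = int(val)  # every per-sample field is a counter
        else:
            entry[key] = int(val) if val.isdigit() else val
    return entry


def check_sample(entry: dict, full_duplex: bool = True) -> list:
    """Findings derived from the reference's description of each field."""
    c = entry["counters"]
    findings = []
    # Gigabit Ethernet PICs are full duplex only, so Collisions must stay 0;
    # the reference says a nonzero value indicates a software bug.
    if full_duplex and c.get("Collisions", 0):
        findings.append("collisions on a full-duplex interface")
    # Drop Events counts packets dropped by the input queue (RED) when saturated.
    if c.get("Drop Events", 0):
        findings.append("input queue drops (interface saturated)")
    # CRC errors, fragments and jabbers all denote FCS or alignment errors.
    bad = c.get("CRC Errors", 0) + c.get("Fragments", 0) + c.get("Jabbers", 0)
    if bad:
        findings.append(f"{bad} frames with FCS/alignment errors")
    if entry.get("Buckets Granted", 0) < entry.get("Buckets Requested", 0):
        findings.append("fewer buckets granted than requested")
    return findings
```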


Part 6

Virtual Chassis

- Understanding Virtual Chassis on page 133
- Examples of Configuring Virtual Chassis on page 147
- Configuring Virtual Chassis on page 197
- Verifying Virtual Chassis on page 213
- Troubleshooting Virtual Chassis on page 223
- Configuration Statements for Virtual Chassis on page 225
- Operational Mode Commands for Virtual Chassis on page 237


Chapter 15

Understanding Virtual Chassis

- Virtual Chassis Concepts on page 133

Virtual Chassis Concepts

- Virtual Chassis Overview on page 133
- Understanding Virtual Chassis Components on page 135
- Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 140
- Understanding Software Upgrade in a Virtual Chassis Configuration on page 140
- Understanding Global Management of a Virtual Chassis Configuration on page 141
- Understanding Nonvolatile Storage in a Virtual Chassis Configuration on page 143
- Understanding the High-Speed Interconnection of the Virtual Chassis Members on page 143
- Understanding Virtual Chassis Configurations and Link Aggregation on page 144
- Understanding Virtual Chassis Configuration on page 144
- Understanding Virtual Chassis EX 4200 Switch Version Compatibility on page 146

Virtual Chassis Overview

The EX 4200 switch is the basis for the Virtual Chassis flexible, scaling switch solution. You can connect individual EX 4200 switches together to form one unit and manage the unit as a single chassis, called a Virtual Chassis. Up to ten EX 4200 switches can be interconnected, providing up to a total of 480 access ports. The available bandwidth increases as you include more members within the Virtual Chassis configuration. See Understanding the High-Speed Interconnection of the Virtual Chassis Members on page 143.

The Virtual Chassis configuration provides the following key features:

- Basic Configuration of a Virtual Chassis with Master and Backup Switches on page 134
- Expanding Configurations: Within a Single Wiring Closet and Across Wiring Closets on page 134
- Global Management of Member Switches in a Virtual Chassis on page 134
- High Availability Through Redundant Routing Engines on page 135
- Adaptability as an Access Switch or Distribution Switch on page 135

Basic Configuration of a Virtual Chassis with Master and Backup Switches

To take advantage of the Virtual Chassis configuration's higher bandwidth capacity and software redundancy features, you need to interconnect at least two EX 4200 switches in a Virtual Chassis configuration. You can start with a default configuration, composed of two EX 4200 member switches interconnected with the dedicated 64-Gbps Virtual Chassis ports (VCPs) on the rear panel. These ports do not have to be configured. They are operational as soon as the member switches are powered on. See Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 147 for additional information.

Expanding Configurations: Within a Single Wiring Closet and Across Wiring Closets

As your needs grow, you can easily expand the Virtual Chassis configuration to include more member switches. Within a single wiring closet, simply add member switches by cabling together the dedicated VCPs. For more information about expanding Virtual Chassis configurations within a single wiring closet, see Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet on page 152 and Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 158.

You can also expand a Virtual Chassis configuration beyond a single wiring closet. Interconnect switches located in multiple wiring closets or in multiple data center racks by installing the optional EX-UM-2XFP uplink module and connecting the 10-Gbps uplink ports, or by installing the optional EX-UM-4SFP uplink module and connecting the 1-Gbps Ethernet uplink ports. To use either the 10-Gbps or 1-Gbps uplink ports for interconnecting member switches, you must explicitly configure them as Virtual Chassis ports (VCPs). This procedure includes configuring the uplink ports of a standalone EX 4200 switch as VCPs prior to interconnecting the new member switch with the existing Virtual Chassis configuration. See Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 163 for detailed information.

When you are creating a Virtual Chassis configuration with multiple members, you might want to deterministically control the role and member ID assigned to each member switch. You can do this by creating a preprovisioned configuration. See Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 184 for detailed information.

Global Management of Member Switches in a Virtual Chassis

The interconnected member switches in a Virtual Chassis configuration operate as a single network entity. You run EZ Setup only once to specify the identification parameters for the master, and these parameters implicitly apply to all members of the Virtual Chassis configuration. You can view the Virtual Chassis configuration as a single device in the J-Web user interface and apply various device management functions to all members of the Virtual Chassis configuration.


The serial console port and dedicated out-of-band management port that are on the
rear panel of the individual switches have global virtual counterparts when the
switches are interconnected in a Virtual Chassis configuration. A virtual console
allows you to connect to the master by connecting a terminal directly to the console
port of any member switch. A virtual management Ethernet (VME) interface allows
you to remotely manage the Virtual Chassis configuration by connecting to the
out-of-band management port of any member switch through a single IP address.
See Understanding Global Management of a Virtual Chassis
Configuration on page 141.

High Availability Through Redundant Routing Engines


A Virtual Chassis configuration has a master and a backup, each of which has a
Routing Engine. These redundant Routing Engines handle all routing protocol
processes and control the Virtual Chassis configuration. See High Availability Features
for EX-series Switches Overview on page 13 for further information on redundant
Routing Engines and additional high availability features.

Adaptability as an Access Switch or Distribution Switch


A Virtual Chassis configuration supports a variety of user environments, because it
can be composed of different model EX 4200 switches, with either 24 or 48 access
ports, and with these having either full (24 or 48 ports) or partial (8 ports) Power
over Ethernet (PoE) port capabilities. You can select different switch models to support
various functions. For example, you might set up one Virtual Chassis access switch
configuration, composed of the full PoE models to support users sitting in cubicles
equipped with PCs and VoIP phones. You could set up another Virtual Chassis
configuration with partial PoE models to support the company's internal servers and
configure one more Virtual Chassis configuration with partial PoE models to support
the company's external servers. Alternatively, the Virtual Chassis configuration can
be used as a distribution switch. For this type of deployment, you might select the
EX 4200-24F model with fiber-optic cables to connect the distribution switch to
multiple access switches located in different buildings on the campus.
Related Topics

- Understanding Virtual Chassis Components on page 135
- Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 140
- Understanding Virtual Chassis EX 4200 Switch Version Compatibility on page 146
- Understanding Virtual Chassis Configurations and Link Aggregation on page 144
- EX 4200 Switch Models on page 22

Understanding Virtual Chassis Components


A Virtual Chassis configuration allows you to interconnect two to ten EX 4200 switches
and run them as a single network entity. While it is true that you need at least two
interconnected switches to take advantage of Virtual Chassis features, it is also true
that any individual EX 4200 switch has some Virtual Chassis components.


This topic covers:

- Virtual Chassis Ports (VCPs) on page 136
- Master Role on page 136
- Backup Role on page 137
- Linecard Role on page 137
- Member Switch and Member ID on page 138
- Mastership Priority on page 138
- Virtual Chassis Identifier (VCID) on page 139

Virtual Chassis Ports (VCPs)

There are two dedicated Virtual Chassis ports (VCPs) on the rear panel of the EX 4200 switch that are used exclusively to interconnect EX 4200 switches in a Virtual Chassis configuration. The interfaces for these dedicated ports are operational by default when the ports are properly cabled. For an example of two EX 4200 switches interconnected with their dedicated VCPs, see Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 147. In addition, you can interconnect the switch with another EX 4200 switch across a wider distance by installing an optional EX-UM-2XFP or EX-UM-4SFP uplink module in an EX 4200 switch. To do this, you need to install one uplink module in at least one EX 4200 switch at each end of the link. You must set these ports to function as VCPs in order for the interconnected switches to be recognized as members of the same Virtual Chassis configuration. This procedure includes setting the uplink ports of a standalone EX 4200 switch as VCPs prior to interconnecting the new member switch with the existing Virtual Chassis configuration. For an example of EX 4200 switches interconnected with the uplink ports functioning as VCPs, see Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 163.

You can display the status of both the dedicated VCP interfaces and the uplink ports configured as VCP interfaces with the show virtual-chassis vc-port on page 252 command.

Master Role

The member that functions in the master role:

- Manages the member switches.
- Runs JUNOS software for EX-series switches in a master role.
- Runs the chassis management processes and control protocols.
- Represents all the member switches interconnected within the Virtual Chassis configuration. (The hostname and other properties that you assign to this switch during setup apply to all members of the Virtual Chassis configuration.)

When an EX 4200 switch is powered on as a standalone switch, it is considered the master member. In a multimember Virtual Chassis, two members function as the master and the backup of the Virtual Chassis configuration:


- In a preprovisioned configuration, one of the two members assigned as routing-engine functions as the master member. The selection of which member assigned as routing-engine functions as master and which as backup is determined by the software based on the master election algorithm. See Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 140.
- In a configuration that is not preprovisioned, the selection of the master and backup is determined by the mastership priority value and secondary factors in the master election algorithm.

Backup Role

The member that functions in the backup role:

- Maintains a state of readiness to take over the master role if the master fails.
- Runs JUNOS software for EX-series switches in a backup role.
- Synchronizes with the master in terms of protocol states, forwarding tables, and so forth, so that it is prepared to preserve routing information and maintain network connectivity without disruption in case the master is unavailable.

You must have at least two member switches in a Virtual Chassis configuration in order to have a backup member.

- In a preprovisioned configuration, one of the two members assigned as routing-engine functions in the backup role. The selection of which member assigned as routing-engine functions as master and which as backup is determined by the software based on the master election algorithm. See Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 140.
- In a configuration that is not preprovisioned, the selection of the master and backup is determined by the mastership priority value and secondary factors in the master election algorithm.

Linecard Role
A member that functions in the linecard role:

Runs only a subset of JUNOS software for EX-series switches.

Does not run the chassis control protocols.

Can detect certain error conditions (such as an unplugged cable) on any interfaces
that have been configured on it through the master.

A Virtual Chassis configuration must have at least three members in order to include
a linecard member.

In a preprovisioned configuration, you can explicitly configure a member with
the role of linecard, which makes it ineligible for functioning as a master or
backup.

In a configuration that is not preprovisioned, the members that are not selected
as master or backup function as linecard members of the Virtual Chassis
configuration. The selection of the master and backup is determined by the
mastership priority value and secondary factors in the master election algorithm.

Member Switch and Member ID


Each physically discrete EX 4200 switch is a potential member of a Virtual Chassis
configuration. When an EX 4200 switch is powered on, it receives a member ID that
is displayed on the front-panel LCD. If the switch is powered on as a standalone
switch, its member ID is always 0. When the switch is interconnected with other
EX 4200 switches in a Virtual Chassis configuration, its member ID (0 through 9) is
assigned by the master based on various factors, such as the order in which the
switch was added to the Virtual Chassis configuration. As each switch is added and
powered on, it receives the next available (unused) member ID.
If the Virtual Chassis configuration previously included a member switch and that
member was physically disconnected or removed from the Virtual Chassis, its member
ID is not available for assignment as part of the standard sequential assignment by
the master. For example, you might have a Virtual Chassis configuration composed
of member 0, member 2, and member 3, because member 1 was removed. When
you add another member switch and power it on, the master assigns it as member
4. However, you can use the request virtual-chassis renumber on page 245 command
to explicitly change the member ID of the new member switch to use member ID
1.
The member ID distinguishes the member switches from one another. You use the
member ID:

To assign a mastership priority value to a member switch

To configure interfaces for a member switch (the function is similar to a slot
number on Juniper Networks routers)

To apply some operational commands to a member switch

To display status or characteristics of a member switch
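As an added illustration of the assignment rules just described (this is not JUNOS code and models nothing the switch exposes), the following Python replays the scenario from this section: members 0, 2, and 3 remain after member 1 is removed, the next switch is assigned member ID 4, and it is then renumbered to 1. The serial numbers are constructed, and the interface_name() helper assumes the standard JUNOS type-fpc/pic/port interface naming with the member ID as the FPC slot.

```python
# Added example, not JUNOS code: a model of the member ID rules on this page.
# Serial numbers are constructed for the example; interface_name() follows the
# standard JUNOS type-fpc/pic/port naming, with the member ID as the FPC slot.
from __future__ import annotations

MAX_MEMBER_ID = 9  # member IDs run from 0 through 9


class MemberIdAllocator:
    """Hands out member IDs the way the master does: sequentially, never
    reusing the ID of a removed member unless an operator reassigns it."""

    def __init__(self) -> None:
        self.members: dict[int, str] = {}  # member ID -> switch serial number
        self.next_id = 0                    # "Member ID for next new member"

    def power_on(self, serial: str) -> int:
        """Assign the next unused ID to a switch joining the Virtual Chassis.
        The first switch powered on (a standalone switch) always becomes member 0."""
        if self.next_id > MAX_MEMBER_ID:
            raise RuntimeError("all member IDs 0 through 9 have been assigned")
        member_id = self.next_id
        self.members[member_id] = serial
        self.next_id += 1
        return member_id

    def disconnect(self, member_id: int) -> None:
        """Physically removing a member frees the switch, not its ID:
        sequential assignment continues past the highest ID already handed out."""
        del self.members[member_id]

    def renumber(self, old_id: int, new_id: int) -> None:
        """Model of 'request virtual-chassis renumber': move a member to an
        explicitly chosen ID that is currently unused (for example a freed one)."""
        if not 0 <= new_id <= MAX_MEMBER_ID:
            raise ValueError(f"member ID {new_id} is outside 0 through {MAX_MEMBER_ID}")
        if new_id in self.members:
            raise ValueError(f"member ID {new_id} is already in use")
        self.members[new_id] = self.members.pop(old_id)

    def interface_name(self, member_id: int, pic: int, port: int, media: str = "ge") -> str:
        """The member ID doubles as the FPC slot in interface names, e.g. ge-2/0/5."""
        if member_id not in self.members:
            raise KeyError(f"member {member_id} is not part of the Virtual Chassis")
        return f"{media}-{member_id}/{pic}/{port}"


def walkthrough() -> tuple[int, list[int]]:
    """Replays the scenario in the text: members 0, 2 and 3 remain after member 1
    is removed; the next switch is assigned ID 4 and is then renumbered to 1."""
    vc = MemberIdAllocator()
    for serial in ("SN-EXAMPLE-0", "SN-EXAMPLE-1", "SN-EXAMPLE-2", "SN-EXAMPLE-3"):
        vc.power_on(serial)
    vc.disconnect(1)
    new_id = vc.power_on("SN-EXAMPLE-4")  # the master assigns 4, not the freed 1
    vc.renumber(new_id, 1)                 # the operator explicitly reclaims ID 1
    return new_id, sorted(vc.members)


if __name__ == "__main__":
    print(walkthrough())  # (4, [0, 1, 2, 3])
```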

Mastership Priority
In a configuration that is not preprovisioned, you can designate the role (master,
backup, or linecard) that a member switch performs within the Virtual Chassis
configuration by configuring its mastership priority (from 1 to 255). The mastership
priority value is the factor with the highest precedence for selecting the master of
the Virtual Chassis configuration.
The default value for mastership priority is 128. When an EX 4200 switch is powered
on, it receives the default mastership priority value. Because it is the only member
of the Virtual Chassis configuration, it is also the master. When you interconnect a
standalone switch to an existing Virtual Chassis configuration (which implicitly
includes its own master), we recommend that you explicitly configure the mastership
priority of the members that you want to function as the master and backup.
We recommend that you specify the same mastership priority value for both the
master and backup members.

Chapter 15: Understanding Virtual Chassis

NOTE: Configuring the same mastership priority value for both the master and backup
helps to ensure a smooth transition from master to backup in case the master
becomes unavailable. It prevents the old master from preempting control from the
backup in situations where the backup has taken control of the Virtual Chassis
configuration due to the original master being unavailable.
We also recommend that you configure the highest possible mastership priority value
(255) for those two members, because that guarantees that these two members
continue to function as the master and backup when other members are added to
the Virtual Chassis configuration. Any other members of the Virtual Chassis
configuration (members with lower mastership priority) are considered linecard
members.
In a preprovisioned configuration, the mastership priority value is assigned by the
software, based on the specified role.

Virtual Chassis Identifier (VCID)


All members of a Virtual Chassis configuration share one Virtual Chassis identifier
(VCID). This identifier is derived from internal parameters. When you are monitoring
a Virtual Chassis configuration, the VCID is displayed in the user interface.
Related Topics

Virtual Chassis Overview on page 133

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 147

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets on page 163

Example: Configuring a Virtual Chassis with a Preprovisioned Configuration
File on page 184

Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 206

Command Forwarding Usage with a Virtual Chassis Configuration on page 213


Understanding How the Master in a Virtual Chassis Configuration Is Elected


All switches that are interconnected in a Virtual Chassis configuration are member
switches of that Virtual Chassis. Each Virtual Chassis configuration has one member
that functions as the master and controls the Virtual Chassis configuration.
When a Virtual Chassis configuration boots, the JUNOS software for EX-series switches
automatically runs a master election algorithm to determine which member switch
takes the role of master.
The algorithm that the software uses to determine the master is as follows:

1. Choose the member with the highest user-configured mastership priority (255
   is the highest possible value).

2. Choose the member that was master the last time the Virtual Chassis
   configuration booted.

3. Choose the member that has been included in the Virtual Chassis configuration
   for the longest period of time. (For this to be a deciding factor, there has to be
   a minimum time lapse of one minute between the power-ons of the individual
   interconnected member switches.)

4. Choose the member with the lowest MAC address.
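The following Python is an added example, not JUNOS code: it applies the four criteria above in order to a set of constructed member records (MAC addresses, priorities, and power-on times are made up for the example) and then runs the same election again over the remaining members to choose the backup, which is how the components section describes backup selection.

```python
# Added example, not JUNOS code: the four election criteria above, applied in
# order, then repeated over the remaining members to choose the backup. Member
# records (MAC addresses, priorities, power-on times) are constructed.
from __future__ import annotations
from dataclasses import dataclass

SENIORITY_GAP_SECONDS = 60  # step 3 decides only when power-ons are a minute or more apart
DEFAULT_PRIORITY = 128      # the value every switch receives when it is powered on


@dataclass
class Member:
    member_id: int
    mac: str                                      # the switch's MAC address
    mastership_priority: int = DEFAULT_PRIORITY   # 1 through 255, 255 is the highest
    was_master_last_boot: bool = False
    powered_on_at: float = 0.0                    # seconds since an arbitrary epoch


def elect_master(members: list[Member]) -> Member:
    """Return the member that wins the election, trying each criterion in order."""
    if not members:
        raise ValueError("no members to elect from")
    # Step 1: highest user-configured mastership priority.
    top = max(m.mastership_priority for m in members)
    candidates = [m for m in members if m.mastership_priority == top]
    if len(candidates) == 1:
        return candidates[0]
    # Step 2: the member that was master the last time the Virtual Chassis booted.
    previous = [m for m in candidates if m.was_master_last_boot]
    if len(previous) == 1:
        return previous[0]
    # Step 3: longest membership. Members powered on within a minute of the
    # earliest one count as equally senior, so seniority alone cannot decide.
    earliest = min(m.powered_on_at for m in candidates)
    senior = [m for m in candidates if m.powered_on_at - earliest < SENIORITY_GAP_SECONDS]
    if len(senior) == 1:
        return senior[0]
    # Step 4: lowest MAC address among the members still tied.
    return min(senior, key=lambda m: int(m.mac.replace(":", ""), 16))


def assign_roles(members: list[Member]) -> dict[str, list[int]]:
    """Elect the master, elect the backup from what is left, and make the rest
    linecards: a backup needs two members, a linecard needs three."""
    master = elect_master(members)
    rest = [m for m in members if m is not master]
    backup = elect_master(rest) if rest else None
    linecards = [m for m in rest if m is not backup]
    return {
        "master": [master.member_id],
        "backup": [backup.member_id] if backup else [],
        "linecard": sorted(m.member_id for m in linecards),
    }


if __name__ == "__main__":
    # The recommended bring-up: the intended master is powered on first and both
    # master and backup get priority 255, so a later member cannot preempt them.
    sw0 = Member(0, "02:00:00:00:00:10", 255, powered_on_at=0)
    sw1 = Member(1, "02:00:00:00:00:20", 255, powered_on_at=300)
    sw2 = Member(2, "02:00:00:00:00:30", powered_on_at=400)
    print(assign_roles([sw2, sw1, sw0]))  # {'master': [0], 'backup': [1], 'linecard': [2]}
```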

The variations among switch models, such as whether the switch has 48 or 24 ports,
do not impact the master election algorithm. To ensure that a specific member is
elected as the master:

1. Power on only the switch that you want to configure as master of the Virtual
   Chassis configuration.

2. Configure the mastership priority of that member to have the highest possible
   value (255).

3. Continue to configure other members through the master member, as desired.

4. Power on the other members.

Related Topics

Virtual Chassis Overview on page 133

Understanding Virtual Chassis Components on page 135

Understanding Virtual Chassis Configuration on page 144

Understanding Software Upgrade in a Virtual Chassis Configuration


A Virtual Chassis configuration can be composed of multiple EX 4200-series switches,
and each member switch runs JUNOS software packages. For ease of
management, the Virtual Chassis configuration provides flexible methods to upgrade
software releases.
A new software release can be installed on the entire Virtual Chassis configuration
or on a particular member in the Virtual Chassis configuration through a CLI or J-Web
command. A user can add software packages either to a single member of the Virtual
Chassis configuration or to all members of the Virtual Chassis configuration at the
same time.
Related Topics

Virtual Chassis Overview on page 133

Understanding Virtual Chassis Components on page 135

Installing Software on EX-series Switches (CLI Procedure) on page 66

Understanding Global Management of a Virtual Chassis Configuration


A Virtual Chassis configuration is composed of multiple EX 4200 switches, so it has
multiple console ports and multiple out-of-band management Ethernet ports located
on the rear panels of the switches.
You can connect a PC or laptop directly to a console port of any member switch to
set up and configure the Virtual Chassis. When you connect to the console port of
any member switch, the console session is redirected to the master switch, as shown
in Figure 6 on page 141.
Figure 6: Console Session Redirection


If the master becomes unavailable, the console session is disconnected from the old
master and a new session is established with the newly elected master.
An out-of-band management Ethernet port is often referred to simply as a
management Ethernet port. It uses a dedicated management channel for device
maintenance and allows a system administrator to monitor and manage the switch
by remote control.
The Virtual Chassis configuration can be managed remotely through SSH or Telnet
using a global management interface called the virtual management Ethernet (VME)
interface. VME is a logical interface representing any and all of the out-of-band
management ports on the member switches. When you connect to the Virtual Chassis
configuration using the VME IP address, the connection is redirected to the master
member as shown in Figure 7 on page 142.
Figure 7: Management Ethernet Port Redirection to VME

If the master management Ethernet link is unavailable, the session is redirected
through the backup management Ethernet link. If there is no active management
Ethernet link on the backup, the VME interface chooses a management Ethernet link
on one of the linecard members, selecting the linecard member with the lowest
member ID as its first choice.
You can configure an IP address for the VME global management interface at any
time.
You can perform remote configuration and administration of all members of the
Virtual Chassis configuration through the VME interface.
Related Topics

Understanding Virtual Chassis Components on page 135

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 147

Configuring the Virtual Management Ethernet Interface for Global Management
of a Virtual Chassis (CLI Procedure) on page 210

Understanding Nonvolatile Storage in a Virtual Chassis Configuration


The EX 4200 switch stores JUNOS system files in internal flash memory. In a Virtual
Chassis configuration, both the master and the backup switch store the configuration
information for all the member switches.

Nonvolatile Memory Features on page 143

Nonvolatile Memory Features

The JUNOS software for EX-series switches optimizes the way the Virtual Chassis
stores its configuration if a member switch or the Virtual Chassis configuration is
shut down improperly:

If the master is not available, the backup switch takes on the role of the master
and its internal flash memory takes over as the alternate location for maintaining
nonvolatile configuration memory.

If a member switch is taken offline for repair, the master stores the configuration
of the member switch.

Related Topics

Command Forwarding Usage with a Virtual Chassis Configuration on page 213

Monitoring System Properties on page 105

Understanding the High-Speed Interconnection of the Virtual Chassis Members


Two high-speed Virtual Chassis ports (VCPs) on the rear panel of the Virtual Chassis
member switches enable the members to be interconnected and operate as a single,
powerful switch. Each VCP interface is 32 Gbps bidirectional. When VCP interfaces
are used to form a ring topology, each segment provides 64 Gbps bidirectional
bandwidth. Because the VCP links act as point-to-point links, multiple segments of
the ring can be used simultaneously. This allows the Virtual Chassis configuration
bandwidth to scale as you interconnect more members within the ring topology.

Related Topics

Understanding Virtual Chassis Components on page 135

Virtual Chassis Cabling Configuration Examples

Understanding Virtual Chassis Configurations and Link Aggregation


You can combine physical Ethernet ports belonging to different member switches
of a Virtual Chassis configuration to form a logical point-to-point link, known as a
link aggregation group (LAG) or bundle. A LAG provides more bandwidth than a single
Ethernet link can provide. Additionally, link aggregation provides network redundancy
by load-balancing traffic across all available links. If one of the links fails, the system
automatically load-balances traffic across all remaining links.
You can select up to 8 Ethernet interfaces from the different member switches of
the Virtual Chassis configuration and include them within a link aggregation group.
A full Virtual Chassis configuration can support up to 64 LAGs.

NOTE: The interfaces that are included within a LAG are sometimes referred to as
member interfaces. Do not confuse member interfaces and member switches. The
member switches are individual EX 4200 switches that have been interconnected
with their Virtual Chassis ports (VCPs) to operate as a single network entity. In a
Virtual Chassis configuration, you can create a LAG formed of member interfaces
that represent ports belonging to different member switches.
Related Topics

Virtual Chassis Overview on page 133

Understanding Aggregated Ethernet Interfaces and LACP on page 263

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 172

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch on page 178

Understanding Virtual Chassis Configuration


You configure and manage almost all aspects of a Virtual Chassis configuration
through the master of the Virtual Chassis. However, you can also configure Virtual
Chassis parameters when an EX 4200 is a standalone switch not interconnected with
other members.
An EX 4200 switch has some innate characteristics of a Virtual Chassis by default.
A standalone EX 4200 switch is assigned member ID 0 and is the master of itself.
Therefore, you can edit its Virtual Chassis configuration. When the standalone switch
is interconnected with an existing Virtual Chassis configuration, the Virtual Chassis
configuration statements and any VCP uplink settings that you previously specified
on the standalone switch remain part of its configuration.
A switch cannot be recognized as a member of a Virtual Chassis configuration until
it is interconnected with the master or interconnected with an existing member of
the Virtual Chassis configuration. When a switch is located too far away to be
interconnected with the dedicated Virtual Chassis ports, you can specify an uplink
as a Virtual Chassis port using the request virtual-chassis vc-port on page 1160 command.
The request virtual-chassis vc-port command must be executed on the standalone
switch, because it is not yet part of the Virtual Chassis configuration. Without an
uplink VCP, the standalone switch cannot be recognized by the master as belonging
to the Virtual Chassis configuration.
While an uplink port is set as a VCP interface, it cannot be used for any additional
purpose. If you want to use the uplink port for another purpose, you can delete the
VCP setting by using the request virtual-chassis vc-port on page 1160 command. You
can execute this command directly on the member whose uplink VCP setting you
want to delete or through the master of the Virtual Chassis configuration.
In addition, you may choose to create a preprovisioned configuration. This type of
configuration allows you to deterministically control the member ID and role assigned
to a member switch by associating the switch to its serial number. For an example
of a preprovisioned configuration, see Example: Configuring a Virtual Chassis with
a Preprovisioned Configuration File on page 184.

NOTE: If an EX 4200 switch is interconnected with other switches in a Virtual Chassis
configuration, each individual switch that is included as a member of the configuration
is identified with a member ID. The member ID functions as an FPC slot number.
When you are configuring interfaces for a Virtual Chassis configuration, you specify
the appropriate member ID (0 through 9) as the slot element of the interface name.
The default factory settings for a Virtual Chassis configuration include FPC 0 as a
member of the default VLAN because FPC 0 is configured as part of the
ethernet-switching family. In order to include FPC 1 through FPC 9 in the default
VLAN, add the ethernet-switching family to the configurations for those interfaces.

Related Topics

Understanding Virtual Chassis Components on page 135

Understanding How the Master in a Virtual Chassis Configuration Is
Elected on page 140

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets on page 163

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 147

Understanding Virtual Chassis EX 4200 Switch Version Compatibility


For EX 4200 switches to be interconnected as a Virtual Chassis configuration, the
switches must be running the same software versions. The master checks the
hardware version, JUNOS software version, and other component versions running
in a switch that is physically interconnected to its Virtual Chassis port (VCP). Different
hardware models can be members of the same Virtual Chassis configuration. However,
the master will not assign a member ID to a switch that is running a different software
version. A switch that is running a different version of software will not be allowed
to join the Virtual Chassis configuration.
Related Topics

Understanding Virtual Chassis Components on page 135

Understanding Software Upgrade in a Virtual Chassis Configuration on page 140

Understanding Software Installation on EX-series Switches on page 63

Installing Software on EX-series Switches (CLI Procedure) on page 66

Installing Software Upgrades by Uploading Files on page 68

Installing Software Upgrades from a Server on page 67

Chapter 16

Examples of Configuring Virtual Chassis

Virtual Chassis Configuration Examples on page 147

Virtual Chassis Configuration Examples

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 147

Example: Expanding a Virtual Chassis Configuration in a Single Wiring
Closet on page 152

Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default
Configuration on page 158

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets on page 163

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 172

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch on page 178

Example: Configuring a Virtual Chassis with a Preprovisioned Configuration
File on page 184

Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet
A Virtual Chassis configuration is a scalable switch. You can provide secure, redundant
network accessibility with a basic two-member Virtual Chassis configuration and
later expand the Virtual Chassis configuration to provide additional access ports as
your office grows.
This example describes how to configure a Virtual Chassis with a master and backup
in a single wiring closet:

Requirements on page 148

Overview and Topology on page 148

Configuration on page 150

Verification on page 150

Troubleshooting the Virtual Chassis on page 151


Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX-series switches

One EX 4200-48P switch

One EX 4200-24T switch

One EX-UM-2XFP uplink module

Before you begin, be sure you have:

1. Rack-mounted the switches. See Mounting an EX-series Switch on a Rack or
   Cabinet or Mounting an EX-series Switch on a Desk or Other Level Surface.

2. Installed the uplink module. See Installing an Uplink Module in an EX-series
   Switch.

3. Cabled the switches. See Connecting a Virtual Chassis Cable to an EX-series
   Switch.

Overview and Topology


A Virtual Chassis configuration allows you to accommodate the networking needs
of a growing office. The default configuration of a two-member Virtual Chassis includes
a master and a backup switch. In addition to providing more access ports than a
single EX 4200 switch can provide, a Virtual Chassis configuration provides high
availability through redundancy.
This example shows a Virtual Chassis configuration composed of two EX 4200
switches. One of the switches has an uplink module with ports that can be configured
to connect to a distribution switch or customer edge (CE) router or that can be
configured as Virtual Chassis ports (VCPs) to interconnect with a member switch that
is located too far for the dedicated VCP cabling. For information on configuring the
uplink ports as trunk ports to a distribution switch, see Configuring Gigabit Ethernet
Interfaces (CLI Procedure) on page 293. For an example of configuring uplink ports
as VCPs, see Example: Configuring a Virtual Chassis Interconnected Across Multiple
Wiring Closets on page 163.
By default, after you interconnect the switches with the dedicated VCPs and power
on the switches, the VCPs are operational. The mastership priorities and member
IDs are assigned by the software. The software elects a master based on several
criteria, including how long a member switch has belonged to the Virtual Chassis
configuration. For additional details, see Understanding How the Master in a Virtual
Chassis Configuration Is Elected on page 140. Therefore, we recommend that you
start by powering on only one member switch, the one that you want to function as
the master.

NOTE: We recommend that you use the commit synchronize command to save any
configuration changes that you make to a multimember Virtual Chassis.


The Virtual Chassis configuration provides networking access for 50 onsite workers,
who are sitting within range of a single wiring closet. The workers all use personal
computers and VoIP phones. As the office grows, you can add more EX 4200 switches
to meet increased needs for access ports.
The topology for this example consists of two switches, one of which contains an
uplink module:

One EX 4200-24T switch (SWA-0) with 24 access ports, including eight ports
that support PoE

One EX 4200-48P switch (SWA-1) with 48 access ports, all of which support PoE

One EX-UM-2XFP uplink module, with two 10-Gigabit Ethernet ports, is installed
in the EX 4200-48P switch

Table 32 on page 149 shows the default configuration settings for the two-member
Virtual Chassis.
Table 32: Components of the Basic Virtual Chassis Access Switch Topology

Member Switch   Hardware             Member ID   Role and Priority
SWA-0           EX 4200-48P switch   0           Master: mastership priority 128
SWA-1           EX 4200-24T switch   1           Backup: mastership priority 128

Figure 8 on page 149 shows that SWA-0 and SWA-1 are interconnected with their
dedicated VCPs on the rear panel. The LCD on the front displays the Member ID and
Role. SWA-0 also includes an uplink module. Its uplink ports can be used to connect
to a distribution switch.
Figure 8: Basic Virtual Chassis with Master and Backup


Configuration
Configure a Virtual Chassis with a default master and backup in a single wiring closet:
Step-by-Step Procedure

To configure a Virtual Chassis with master and backup:

1. Make sure the VCPs on the rear panel of the member switches are properly
   cabled. See Virtual Chassis Cabling Configuration Examples.

2. Power on SWA-0 (the member switch that you want to function as the master).

3. Check the front-panel LCD to confirm that the switch has powered on correctly.

4. Run the EZ Setup program on SWA-0, specifying the identification parameters.
   See Connecting and Configuring the EX-series Switch (CLI Procedure) on page
   57 or Connecting and Configuring the EX-series Switch (J-Web
   Procedure) on page 58 for details.

5. Configure SWA-0 with the virtual management Ethernet (VME) interface for
   out-of-band management of the Virtual Chassis configuration, if desired.

   [edit]
   user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask

6. Power on SWA-1.

Verification
To confirm that the Virtual Chassis configuration is operational, perform these tasks:

Verifying That the Mastership Priority Is Assigned Appropriately on page 150

Verifying That the VCPs Are Operational on page 151

Verifying That the Mastership Priority Is Assigned Appropriately

Purpose

Verify that the master, which has been selected by default, is the member switch
that you want to function in that role.

Action

1. Check the front-panel LCD to confirm that the switch has powered on correctly
   and that a member ID has been assigned.

2. List the member switches of the Virtual Chassis configuration.

user@SWA-0> show virtual-chassis status

Virtual Chassis ID: 0019.e250.47a0
                                                Mastership               Neighbor List
Member ID  Status   Serial No     Model         priority   Role          ID  Interface
0 (FPC 0)  Prsnt    AK0207360276  ex4200-48p    128        Master*        1  vcp-0
                                                                          1  vcp-1
1 (FPC 1)  Prsnt    AK0207360281  ex4200-24t    128        Backup         0  vcp-0
                                                                          0  vcp-1

Member ID for next new member: 2 (FPC 2)

Meaning

The show virtual-chassis status on page 250 command lists the member switches
interconnected in a Virtual Chassis configuration with the member IDs that have
been assigned by the master, the mastership priority values, and the roles. It also
displays the neighbor members with which each member is interconnected. The
output shows that SWA-0, member 0, has been assigned default mastership priority
128. Because SWA-0 is the first member to be powered on, it has the most seniority
and is therefore assigned the role of master. SWA-1 is powered on after member 0,
so it is assigned the role of backup. The member IDs are displayed on the front panel
of the switches. Check and confirm whether the default assignment is satisfactory.
Verifying That the VCPs Are Operational

Purpose

Verify that the dedicated Virtual Chassis ports interconnecting the switches are
operational.

Action

Display the Virtual Chassis ports of all the members:

user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up

fpc1:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up

Meaning

The show virtual-chassis vc-port on page 252 command lists the interfaces that are
enabled for the member switches of the Virtual Chassis configuration and shows the
status of the interfaces. The output in this example shows that two of the VCPs are
operational and two VCPs are not. A single cable has been used to interconnect vcp-0
of member ID 0 and vcp-0 of member ID 1. That interconnection is sufficient for the
switch to be operational. However, we recommend that you connect the second set
of VCPs for redundancy.

Troubleshooting the Virtual Chassis

To troubleshoot the configuration of a Virtual Chassis, perform these tasks:

Troubleshooting the Assignment of Roles

Problem

The master and backup roles are not assigned to the member switches that you want
to function in these roles.

Solution

Modify the mastership priority values.

To quickly modify the mastership priority of SWA-1 (member ID 1), copy the following
command and paste it into the switch terminal window:

[edit virtual-chassis]
user@SWA-1# set member 1 mastership-priority 255

Troubleshooting the VCPs

Problem

The VCPs are down.

Solution

1. Check to make sure that you have cabled the appropriate ports.

2. Check to make sure that the cables are seated properly.

You should generally cable and interconnect both of the VCPs on the member
switches, for redundancy and high availability.
Related Topics

Example: Expanding a Virtual Chassis Configuration in a Single Wiring
Closet on page 152

Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default
Configuration on page 158

Example: Configuring a Virtual Chassis with a Preprovisioned Configuration
File on page 184

Configuring a Virtual Chassis (CLI Procedure) on page 199

Configuring a Virtual Chassis (J-Web Procedure) on page 197

Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet


A Virtual Chassis configuration is a scalable switch composed of multiple
interconnected EX 4200 switches. Up to ten EX 4200 switches can be interconnected
as a Virtual Chassis configuration.
This example describes how to configure an expanding Virtual Chassis within a single
wiring closet:

Requirements on page 153

Overview and Topology on page 153

Configuration on page 154

Verification on page 155

Troubleshooting on page 157

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX-series switches

One EX 4200-48P switch

One EX 4200-24T switch

One EX 4200-24P switch

One EX-UM-2XFP uplink module

Before you begin, be sure you have:

Confirmed that the existing Virtual Chassis configuration is operating correctly.
See Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 147.

Overview and Topology


A Virtual Chassis configuration can be expanded without disrupting the site's network
connectivity. This example describes adding a member switch to an existing Virtual
Chassis configuration to provide additional access ports for connecting more PCs
and VoIP phones at this location. You can continue to expand the Virtual Chassis
configuration with additional members in the same wiring closet, using the same
procedure. If you want to expand the Virtual Chassis configuration to include member
switches in another wiring closet, see Example: Configuring a Virtual Chassis
Interconnected Across Multiple Wiring Closets on page 163.
If you want to retain the roles of the existing master and backup switches, explicitly
configure the mastership priority of these switches, specifying the highest possible
value (255) for both the master and the backup.
During expansion, the existing Virtual Chassis configuration can remain powered on
and connected to the network. Before powering up the new switch, interconnect it
to the other switches using the dedicated VCPs on the rear panel. Do not run the
EZ Setup program on the added member switch.
This example shows an existing Virtual Chassis configuration composed of two EX
4200 switches. The Virtual Chassis configuration is being expanded to include an EX
4200-24P switch as a linecard member.
The topology for this example consists of:

One EX 4200-24T switch (SWA-0) with 24 access ports, including eight ports
that support PoE

One EX 4200-48P switch (SWA-1) with 48 access ports, all of which support
Power over Ethernet (PoE)

One EX 4200-24P switch (SWA-2) with 24 access ports, all of which support PoE

One uplink module with two 10-gigabit ports is installed in the EX 4200-48P
switch. These ports can be configured as trunk ports to connect to a distribution
switch or customer edge (CE) router or as Virtual Chassis ports (VCPs) to
interconnect with a member switch that is located too far for dedicated VCP
cabling. For information on configuring the uplink ports as trunk ports to a
distribution switch, see Configuring Gigabit Ethernet Interfaces (CLI
Procedure) on page 293 or Configuring Gigabit Ethernet Interfaces (J-Web
Procedure) on page 289. For information on configuring uplink ports as Virtual
Chassis ports, see Setting an Uplink Port as a Virtual Chassis Port (CLI
Procedure) on page 206.
Table 33 on page 154 shows the configuration settings for the expanded Virtual
Chassis.
Table 33: Components of the Expanded Virtual Chassis Access Switch

Member Switch   Hardware             Member ID   Role in Virtual Chassis
SWA-0           EX 4200-48P switch   0           master; mastership priority 255
SWA-1           EX 4200-24T switch   1           backup; mastership priority 255
SWA-2           EX 4200-24P switch   2           linecard; mastership priority 128

Figure 9 on page 154 shows that the three member switches (SWA-0, SWA-1, and
SWA-2) are interconnected with their dedicated VCPs on the rear panel. The LCD on
the front displays the member ID and role. SWA-0 also includes an uplink module.
Its uplink ports can be used to connect to a distribution switch.
Figure 9: Expanded Virtual Chassis in Single Wiring Closet

Configuration
To expand a Virtual Chassis configuration to include additional member switches
within a single wiring closet, perform these tasks:


NOTE: We recommend that you use the commit synchronize command to save any
configuration changes that you make to a multimember Virtual Chassis configuration.
CLI Quick Configuration

To maintain the master and backup roles of the existing members and ensure that
the new member switch functions in a linecard role, copy the following commands
and paste them into the terminal window:
[edit]
user@SWA-0# set virtual-chassis member 0 mastership-priority 255
user@SWA-1# set virtual-chassis member 1 mastership-priority 255

Step-by-Step Procedure

To ensure that the existing member switches retain their current roles and to add
another member switch in a linecard role:
1. Configure the mastership priority of SWA-0 (member 0) to be the highest possible
value, thereby ensuring that it functions as the master of the expanded Virtual
Chassis configuration.
[edit virtual-chassis]
user@SWA-0# set member 0 mastership-priority 255

2. Configure the mastership priority of SWA-1 (member 1) to be the highest possible
value. This setting is recommended for high availability and smooth transition
of mastership in case the original master becomes unavailable.
[edit virtual-chassis]
user@SWA-1# set member 1 mastership-priority 255

3. Interconnect the unpowered SWA-2 with SWA-0 and SWA-1 using the dedicated
VCPs on the rear panel. See Virtual Chassis Cabling Configuration Examples for
additional information.

4. Power on SWA-2.
You do not need to configure or run EZ Setup on SWA-2. The identification
parameters that were set up for the master apply implicitly to all members of
the Virtual Chassis configuration. SWA-2 functions in a linecard role, since SWA-0
and SWA-1 have been configured to the highest mastership priority values.

Verification
To verify that the new switch has been added as a linecard and that its VCPs are
operational, perform these tasks:

Verifying That the New Switch Has Been Added as a Linecard on page 155

Verifying That the VCPs Are Operational on page 156

Verifying That the New Switch Has Been Added as a Linecard


Purpose

Verify that SWA-2 has been added in a linecard role to the Virtual Chassis
configuration.


Action

Use the show virtual-chassis status on page 250 command to list the member switches
with their member IDs, mastership priority values, and assigned roles.
user@SWA-0> show virtual-chassis status
Virtual Chassis ID: 0000.e255.00e0
                                          Mastership           Neighbor List
Member ID  Status  Serial No  Model       Priority  Role       ID  Interface
0 (FPC 0)  Prsnt   abc123     ex4200-48p    255     Master*     1  vcp-0
                                                                2  vcp-1
1 (FPC 1)  Prsnt   def456     ex4200-24t    255     Backup      2  vcp-0
                                                                0  vcp-1
2 (FPC 2)  Prsnt   abd231     ex4200-24p    128     Linecard    0  vcp-0
                                                                1  vcp-1

Meaning

The show virtual-chassis status command lists the member switches of the Virtual
Chassis configuration with the member IDs and mastership priority values. It also
displays the neighbor members with which each member is interconnected. This
output shows that SWA-2 has been assigned member ID 2 and has the default
mastership priority value 128. Because the mastership priority is lower than the
mastership priority of the other members, SWA-2 functions in the linecard role. You
can continue to add more member switches, following the same procedure. It is
possible to have multiple members in linecard roles with the same mastership priority
value.
Verifying That the VCPs Are Operational

Purpose

Verify that the dedicated VCPs interconnecting the member switches are operational.

Action

List the VCP interfaces on the Virtual Chassis configuration.
user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up
fpc1:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up
fpc2:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up

Meaning


The show virtual-chassis vc-port all-members command lists all the interfaces for the
Virtual Chassis configuration. In this case, no VCP uplinks have been configured.
However, the VCP interfaces are automatically configured and enabled when you
interconnect member switches using the dedicated Virtual Chassis ports. There are
two dedicated VCPs on the rear panel of each EX 4200 switch. It is recommended
that you interconnect the member switches using both VCPs for redundancy. The
VCP interfaces are identified simply as vcp-0 and vcp-1. The fpc number is the same
as the member ID.
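
The two verification outputs above lend themselves to an automated check, which is useful when a Virtual Chassis is grown in several steps or audited after a change. The following Python script is an added example and is not part of the Juniper guide. It parses constructed samples of the show virtual-chassis status and show virtual-chassis vc-port all-members outputs (laid out as the CLI prints them, with the same members, priorities and neighbors as this example) and reports any member whose role differs from what was intended, any VCP link that is not reported from both ends, and any VCP that is not Up. The function names, the expected-role map and the degraded sample with one Down VCP are all constructed for the illustration. The neighbor-list parsing also accepts uplink VCP entries such as 2 1/0, which appear when members are interconnected across wiring closets.

```python
"""Parse the JUNOS Virtual Chassis show commands used above and check the expected
state. All sample outputs here are constructed to mirror the page's three-member
example; they were not captured from a real switch."""
import re
from dataclasses import dataclass, field

# Constructed sample of "show virtual-chassis status" (same members as the page).
STATUS_OUTPUT = """\
Virtual Chassis ID: 0000.e255.00e0
                                          Mastership           Neighbor List
Member ID  Status  Serial No  Model       Priority  Role       ID  Interface
0 (FPC 0)  Prsnt   abc123     ex4200-48p    255     Master*     1  vcp-0
                                                                2  vcp-1
1 (FPC 1)  Prsnt   def456     ex4200-24t    255     Backup      2  vcp-0
                                                                0  vcp-1
2 (FPC 2)  Prsnt   abd231     ex4200-24p    128     Linecard    0  vcp-0
                                                                1  vcp-1
"""

def _vc_port_block(fpc, vcp1_status="Up"):
    # Constructed "show virtual-chassis vc-port all-members" section for one member.
    return (f"fpc{fpc}:\n" + "-" * 74 + "\n"
            "Interface   Type       Status\nor\nPIC / Port\n"
            f"vcp-0       Dedicated  Up\nvcp-1       Dedicated  {vcp1_status}\n")

VCPORT_HEALTHY = "".join(_vc_port_block(i) for i in range(3))
VCPORT_DEGRADED = _vc_port_block(0) + _vc_port_block(1) + _vc_port_block(2, "Down")

MEMBER_RE = re.compile(                       # first row of a member, neighbour included
    r"^(?P<id>\d+)\s+\(FPC\s+\d+\)\s+(?P<status>\S+)\s+(?P<serial>\S+)\s+"
    r"(?P<model>\S+)\s+(?P<prio>\d+)\s+(?P<role>\S+)\s+(?P<nid>\d+)\s+(?P<nif>\S+)\s*$")
NEIGHBOR_RE = re.compile(r"^\s+(?P<nid>\d+)\s+(?P<nif>\S+)\s*$")   # continuation rows
FPC_RE = re.compile(r"^fpc(?P<fpc>\d+):\s*$")
PORT_RE = re.compile(r"^(?P<iface>\S+)\s+(?P<type>\S+)\s+(?P<status>Up|Down)\s*$")

@dataclass
class Member:
    member_id: int
    status: str
    model: str
    priority: int
    role: str                                   # Master/Backup/Linecard, asterisk stripped
    neighbors: list = field(default_factory=list)   # (neighbour member ID, local VCP)

def parse_status(text):
    """Turn 'show virtual-chassis status' output into Member records."""
    members = []
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            members.append(Member(int(m["id"]), m["status"], m["model"], int(m["prio"]),
                                  m["role"].rstrip("*"), [(int(m["nid"]), m["nif"])]))
            continue
        n = NEIGHBOR_RE.match(line)
        if n and members:                       # extra neighbour rows belong to the last member
            members[-1].neighbors.append((int(n["nid"]), n["nif"]))
    return members

def parse_vc_ports(text):
    """Turn 'show virtual-chassis vc-port all-members' output into {fpc: {iface: (type, status)}}."""
    ports, fpc = {}, None
    for line in text.splitlines():
        f = FPC_RE.match(line)
        if f:
            fpc = int(f["fpc"])
            ports[fpc] = {}
            continue
        p = PORT_RE.match(line)
        if p and fpc is not None:
            ports[fpc][p["iface"]] = (p["type"], p["status"])
    return ports

def check_virtual_chassis(members, ports, expected_roles):
    """Return a list of findings; an empty list means the Virtual Chassis matches expectations."""
    findings = []
    by_id = {m.member_id: m for m in members}
    for mid, role in expected_roles.items():
        found = by_id[mid].role if mid in by_id else "absent"
        if found != role:
            findings.append(f"member {mid}: expected {role}, found {found}")
    if sum(m.role == "Master" for m in members) != 1:
        findings.append("exactly one Master expected")
    for m in members:
        if m.status != "Prsnt":
            findings.append(f"member {m.member_id}: status {m.status}")
        if len(m.neighbors) < 2:                # a single VCP neighbour means no ring redundancy
            findings.append(f"member {m.member_id}: only {len(m.neighbors)} VCP neighbour")
        for nid, _ in m.neighbors:              # every link must be reported from both ends
            peer = by_id.get(nid)
            if peer is None or m.member_id not in {x for x, _ in peer.neighbors}:
                findings.append(f"member {m.member_id}: neighbour {nid} does not list it back")
        if m.member_id not in ports:
            findings.append(f"member {m.member_id}: no vc-port section")
    for fpc, ifaces in ports.items():
        for iface, (ptype, status) in ifaces.items():
            if status != "Up":
                findings.append(f"fpc{fpc} {iface} ({ptype}) is {status}")
    return findings

EXPECTED = {0: "Master", 1: "Backup", 2: "Linecard"}   # roles intended by this example

if __name__ == "__main__":
    members = parse_status(STATUS_OUTPUT)
    print(check_virtual_chassis(members, parse_vc_ports(VCPORT_HEALTHY), EXPECTED))   # []
    print(check_virtual_chassis(members, parse_vc_ports(VCPORT_DEGRADED), EXPECTED))  # ['fpc2 vcp-1 (Dedicated) is Down']
```

Because the check compares roles against an explicit map rather than against whatever the switch reports, it catches the case the Troubleshooting section below is about: a member that came up in the master role because nobody pinned the priorities before the new switch was cabled in.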

Troubleshooting
To troubleshoot the configuration of an expanded Virtual Chassis, perform these
tasks:
Troubleshooting Mastership Priority
Problem

You want to designate a different member as the master.

Solution

Change the mastership priority value or values of the switches, designating the highest
mastership priority value for the switch that you want to be master.
1. Lower the mastership priority of the existing master (member 0).
[edit virtual-chassis]
user@SWA-0# set member 0 mastership-priority 1

2. Set the mastership priority of the member that you want to be the master to the
highest possible value (255):
[edit virtual-chassis]
user@SWA-2# set member 2 mastership-priority 255

Troubleshooting Nonoperational VCPs


Problem

The VCP interface shows a status of down.

Solution

Check the cable to make sure that it is properly and securely connected to the VCPs.

Related Topics

Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default
Configuration on page 158

Configuring a Virtual Chassis (CLI Procedure) on page 199

Configuring a Virtual Chassis (J-Web Procedure) on page 197


Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default
Configuration

You can configure a multimember Virtual Chassis access switch in a single wiring
closet without setting any parameters, by simply cabling the switches together
using the dedicated Virtual Chassis ports (VCPs). You do not need to modify the
default configuration to enable these ports. They are operational by default. The
Virtual Chassis configuration automatically assigns the master, backup, and linecard
roles, based on the sequence in which the switches are powered on and other factors
in the master election algorithm. See Understanding How the Master in a Virtual
Chassis Configuration Is Elected on page 140.
Tip

We recommend that you explicitly configure the mastership priority of the switches
to ensure that the switches continue to perform the desired roles when additional
switches are added or other changes occur. However, it is possible to use the default
configuration described in this example.
This example describes how to configure a multimember Virtual Chassis in a single
wiring closet, using the default role assignments:

Requirements on page 158

Overview and Topology on page 158

Configuration on page 159

Verification on page 160

Troubleshooting on page 162

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX-series switches

Two EX 4200-48P switches

Four EX 4200-24P switches

Overview and Topology


A Virtual Chassis configuration is easily expandable. This example shows a Virtual
Chassis configuration composed of six EX 4200 switches. It provides networking
access for 180 onsite workers, who are sitting within range of a single wiring closet.
The six combined switches are identified by a single host name and managed through
a global management IP address.
To set up a multimember Virtual Chassis configuration within a single wiring closet,
you need to run the EZ Setup program only once. Connect to the master and run EZ
Setup to specify its identification, time zone, and network properties. When additional
switches are connected through the Virtual Chassis ports (VCPs), they automatically
receive the same properties that were specified for the master.
The topology for this example (see Figure 1) consists of six switches:


Two EX 4200-48P switches (SWA-0 and SWA-1) with 48 access ports, all of which
support Power over Ethernet (PoE)

Four EX 4200-24P switches (SWA-2, SWA-3, SWA-4, and SWA-5) with 24 access
ports, all of which support PoE

Figure 10 on page 159 shows that all the member switches are interconnected with
the dedicated VCPs on the rear panel. The LCD on the front displays the member ID
and role.
Figure 10: Default Configuration of Multimember Virtual Chassis in a Single Wiring
Closet

Configuration
Configure a multimember Virtual Chassis access switch in a single wiring closet using
the factory defaults:
CLI Quick Configuration

By default, after you interconnect the switches with the dedicated VCPs and power
on the switches, the VCPs are operational. The mastership priorities and member
IDs are assigned by the software. To determine which switch has been selected as
the master, check the LCD on the front panel. It should be the first switch that you
power on. The backup should be the second switch that you power on. The other
switches are all linecards. Wait at least one minute after powering on the master,
before continuing to power on the other switches.

Step-by-Step Procedure

To configure a multimember Virtual Chassis with default role assignments:


1. Make sure the dedicated VCPs on the rear panel are properly cabled. See Virtual
Chassis Cabling Configuration Examples for additional information.

2. Power on the switch that you want to function as the master (SWA-0). This
example uses one of the larger switches (EX 4200-48P) as the master.

3. Check the front panel LCD to confirm that the switch has powered on correctly
and that a member ID has been assigned.

4. Run the EZ Setup program on SWA-0, the master, specifying the identification
parameters. See Connecting and Configuring the EX-series Switch (CLI
Procedure) on page 57 or Connecting and Configuring the EX-series Switch
(J-Web Procedure) on page 58 for details.

5. Configure SWA-0 with the virtual management Ethernet (VME) interface for
out-of-band management of the Virtual Chassis configuration, if desired.
[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask

6. After a lapse of at least one minute, power on SWA-1. This example uses the
second EX 4200-48P switch as the backup.

7. Check the front panel LCD to confirm that the switch has powered on correctly
and that a member ID has been assigned.

8. Power on SWA-2, and check the front panels to make sure that the switch is
operating correctly.

9. Continue to power on the member switches one by one, checking the front
panels as you proceed.

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying the Member IDs and Roles of the Member Switches on page 160

Verifying That the VCPs Are Operational on page 161

Verifying the Member IDs and Roles of the Member Switches


Purpose

Verify that all the interconnected member switches are included within the Virtual
Chassis configuration and that their roles are assigned appropriately.

Action

Display the members of the Virtual Chassis configuration:
user@SWA-0> show virtual-chassis status
Virtual Chassis ID: 0000.e255.00e0
                                          Mastership           Neighbor List
Member ID  Status  Serial No  Model       Priority  Role       ID  Interface
0 (FPC 0)  Prsnt   abc123     ex4200-48p    128     Master*     1  vcp-0
                                                                5  vcp-1
1 (FPC 1)  Prsnt   def123     ex4200-48p    128     Backup      2  vcp-0
                                                                0  vcp-1
2 (FPC 2)  Prsnt   abd231     ex4200-24p    128     Linecard    3  vcp-0
                                                                1  vcp-1
3 (FPC 3)  Prsnt   cab123     ex4200-24p    128     Linecard    4  vcp-0
                                                                2  vcp-1
4 (FPC 4)  Prsnt   fed456     ex4200-24p    128     Linecard    5  vcp-0
                                                                3  vcp-1
5 (FPC 5)  Prsnt   jkl231     ex4200-24p    128     Linecard    0  vcp-0
                                                                4  vcp-1

Meaning

The show virtual-chassis status command lists the member switches of the Virtual
Chassis configuration with the member IDs and mastership priority values. It also
displays the neighbor members with which each member is interconnected. The fpc
number is the same as the member ID.
Verifying That the VCPs Are Operational

Purpose

Verify that the dedicated VCPs interconnecting the member switches are operational.

Action

Display the Virtual Chassis interfaces.
user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up
fpc1:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up
fpc2:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up
fpc3:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up
fpc4:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up
fpc5:
--------------------------------------------------------------------------
Interface   Type       Status
or
PIC / Port
vcp-0       Dedicated  Up
vcp-1       Dedicated  Up

Meaning


The show virtual-chassis vc-port all-members command lists the Virtual Chassis
interfaces that are enabled for the member switches of the Virtual Chassis
configuration and shows the status of the interfaces. In this case, no VCP uplinks
have been configured. However, the VCP interfaces are automatically configured
and enabled when you interconnect member switches using the dedicated VCPs.
There are two dedicated VCPs on the rear panel of each EX 4200 switch. The
dedicated VCP interfaces are identified simply as vcp-0 and vcp-1. They do not use
the standard interface address (in which the member ID is represented by the first
digit). The output in this example shows that all interfaces are operational. The fpc
number is the same as the member ID.

Troubleshooting
To troubleshoot the configuration of a multimember Virtual Chassis in a single wiring
closet, perform these tasks:
Troubleshooting Mastership Priority
Problem

You want to explicitly designate one member as the master and another as backup.

Solution

Change the mastership priority value of the member that you want to function as
master, designating the highest mastership priority value for that member.

NOTE: These configuration changes are made through the current master, SWA-0.

1. Configure the mastership priority of member 0 to be the highest possible value.
[edit virtual-chassis]
user@SWA-0# set member 0 mastership-priority 255

2. Set the mastership priority of another member that you want to function as the
backup member to the same value:
[edit virtual-chassis]
user@SWA-0# set member 2 mastership-priority 255


Troubleshooting Nonoperational VCPs


Problem

The VCP interface shows a status of down.

Solution

Check the cable to make sure that it is properly and securely connected to the VCPs.

Related Topics

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 147

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets on page 163

Configuring a Virtual Chassis (CLI Procedure) on page 199

Configuring a Virtual Chassis (J-Web Procedure) on page 197

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets


A Virtual Chassis configuration is a very adaptable access switch solution. You can
install member switches in different wiring closets, interconnecting the member
switches by cabling and configuring uplink ports as Virtual Chassis ports (VCPs).
This example describes how to configure a Virtual Chassis access switch
interconnected across wiring closets:

Requirements on page 163

Overview and Topology on page 164

Configuration on page 167

Verification on page 170

Troubleshooting on page 172

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX-series switches

Two EX 4200-48P switches

Two EX 4200-24T switches

Four EX-UM-2XFP uplink modules


Before you interconnect the members of the Virtual Chassis configuration across
wiring closets, be sure you have:
1. Installed an EX-UM-2XFP uplink module in the member switches that will be
interconnected across wiring closets. See Installing an Uplink Module in an
EX-series Switch.

2. Powered on, connected, and run the EZ Setup program on SWA-0. Follow the
prompts to specify the host name and other identification, time zone, and
network properties. See Connecting and Configuring the EX-series Switch (CLI
Procedure) on page 57 or Connecting and Configuring the EX-series Switch
(J-Web Procedure) on page 58 for details. SWA-0 is going to be configured in
the example to function as the master of the Virtual Chassis. Thus, the properties
that you specified for SWA-0 apply to the entire Virtual Chassis configuration,
including all the member switches that you later interconnect with the master.

3. Configured SWA-0 with the virtual management Ethernet (VME) interface for remote,
out-of-band management of the Virtual Chassis configuration, if desired.
[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask

4. Interconnected SWA-0 and SWA-1 (the two member switches in wiring closet
A) using the dedicated VCPs on the rear panel. SWA-1 should not be powered
on at this time.

5. Interconnected SWA-2 and SWA-3 (the two member switches in wiring closet
B) using the dedicated VCPs on the rear panel. SWA-2 and SWA-3 should not be
powered on at this time.

NOTE: Beginning with JUNOS Release 9.2 for EX-series switches, you can use either
a 10-Gbps Ethernet uplink port (EX-UM-2XFP) or a 1-Gbps Ethernet uplink port
(EX-UM-4SFP) as a VCP interface. When an uplink port is set as a VCP interface, it
cannot be used for any other purpose. The EX-UM-2XFP uplink module has two 10-Gbps
ports; the EX-UM-4SFP has four 1-Gbps ports. You can set one port as a VCP interface
and configure the other port in trunk mode as an uplink to a distribution switch.

Overview and Topology


In this example, four EX 4200 switches will be interconnected in a Virtual Chassis
configuration. Two switches (SWA-0 and SWA-1) are located in wiring closet A and
two switches (SWA-2 and SWA-3) are located at the other end of the floor in wiring
closet B.
For easier monitoring and manageability, we want to interconnect all four switches
as members of a Virtual Chassis configuration. Prior to configuring the Virtual Chassis,
we installed uplink modules in each of the member switches. We are going to
interconnect the member switches across wiring closets, setting the 10-gigabit uplink
ports as VCP interfaces. In this example, uplink modules are installed in all four
members so that there are redundant VCP connections across the wiring closets. If
you want to expand this configuration to include more members within these wiring
closets, you do not need to add any more uplink modules. Simply use the dedicated
VCPs on the rear panel. The redundancy of uplink VCPs provided in this example is
sufficient.
First, we will complete the Virtual Chassis configuration of the member switches in
wiring closet A.
We have decided that SWA-0 will function as the master, so we set its mastership
priority value to the highest possible value (255).
The switches (SWA-0 and SWA-1) in wiring closet A have been interconnected using
the dedicated Virtual Chassis ports (VCPs). The interfaces for the rear-panel dedicated
VCPs are operational by default. They do not need to be configured.
However, the rear-panel Virtual Chassis cables that interconnect the VCPs of member
switches within a single wiring closet are not long enough to connect member switches
across wiring closets. Instead, you can use the fiber cable connections in the uplink
modules to interconnect the member switches in wiring closet A to the member
switch in wiring closet B. For redundancy, this example connects uplink ports from
the two member switches in wiring closet A to the two member switches in wiring
closet B.
After specifying the highest mastership priority value (255) for SWA-0, we power on
SWA-1. Because SWA-0 and SWA-1 are interconnected with the dedicated VCPs, the
master detects that SWA-1 is a member of its Virtual Chassis configuration and
assigns a member ID. We can now set the VCP uplinks for both SWA-0 and SWA-1
through the master in preparation for interconnecting them with the member switches
in wiring closet B.
However, in order for the master to recognize the existence of SWA-2, you must first
set one of the SWA-2 uplinks as a VCP. You cannot set the SWA-2 uplink through the
master of the Virtual Chassis configuration, because SWA-2 is not yet interconnected
as a member switch.
We will power on and configure SWA-2 prior to powering on SWA-3.
When you power on SWA-2, its member ID is 0, its default mastership priority is
128, and it is functioning in the master role.
You can configure SWA-2 without running EZ Setup by directly connecting to the
console port. If you wish, you can run EZ Setup and specify identification parameters.
Later, when you interconnect SWA-2 with the master of the Virtual Chassis
configuration, the master overwrites any conflicting parameters.
We want to use SWA-2 as the backup of the Virtual Chassis configuration. If a problem
occurs in wiring closet A, SWA-2 would take control of the Virtual Chassis configuration
and maintain the network connections. We configure the same mastership priority
value for SWA-2 (255) that we configured for the master. Because SWA-0 has already
been powered on prior to SWA-2, it has additional prioritization properties that allow
it to retain mastership of the Virtual Chassis configuration. See Understanding How
the Master in a Virtual Chassis Configuration Is Elected on page 140. We recommend
setting identical mastership priority values for the master and backup members for
high availability and smooth transition of mastership in case the original master
becomes unavailable. (Setting identical mastership priority values for the master and
backup members prevents the previous master from pre-empting the master role
from the new master when the previous master comes back online.)
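
The reasoning in this paragraph, that equal priorities plus SWA-0's head start keep the roles stable across a failure and a return, can be checked with a small model. The following Python script is an added illustration and is not Juniper's election code: it applies only the two rules this text relies on (the highest mastership priority wins, and among equal priorities the member with the longer uptime keeps the role) and omits the other tie-breakers of the real election algorithm described on page 140. The uptime values and the Candidate and failover_sequence names are constructed for the illustration.

```python
"""Model of the two mastership rules the text relies on. Added illustration only;
not the JUNOS election algorithm, which has further tie-breakers."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Candidate:
    name: str
    priority: int     # mastership-priority; 255 is the highest value
    uptime_s: int     # seconds since the member was powered on (constructed)

def elect_master(candidates):
    """Highest priority wins; among equals the longest uptime wins (assumed simplification)."""
    return max(candidates, key=lambda c: (c.priority, c.uptime_s)).name

def failover_sequence(master_prio, backup_prio):
    """Return the master (1) initially, (2) while SWA-0 is unavailable, (3) after SWA-0
    returns. SWA-0 was powered on first, and a returning member restarts with uptime 0."""
    swa0 = Candidate("SWA-0", master_prio, uptime_s=3600)
    swa2 = Candidate("SWA-2", backup_prio, uptime_s=1800)
    initial = elect_master([swa0, swa2])
    during_outage = elect_master([swa2])                 # wiring closet A is down
    swa0_returned = Candidate("SWA-0", master_prio, uptime_s=0)
    swa2_later = Candidate("SWA-2", backup_prio, uptime_s=2400)
    after_return = elect_master([swa0_returned, swa2_later])
    return initial, during_outage, after_return

if __name__ == "__main__":
    print(failover_sequence(255, 255))   # ('SWA-0', 'SWA-2', 'SWA-2'): no pre-emption
    print(failover_sequence(255, 128))   # ('SWA-0', 'SWA-2', 'SWA-0'): old master pre-empts
```

The second call shows the failure mode the recommendation avoids: with the backup left at the default priority of 128, the returning SWA-0 outranks it and takes mastership back, causing a second role change during the recovery.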
After SWA-2 has been configured and its uplink port has been set as a VCP interface,
interconnect its VCP uplink port with the VCP uplink of SWA-0 in wiring closet A.
SWA-2 reboots and joins the Virtual Chassis configuration as member 2 and as backup
of the expanded Virtual Chassis configuration.
Now, power on SWA-3. Because SWA-3 is interconnected with SWA-2 using the
dedicated VCPs on the rear panel, the master detects that SWA-3 is part of the
expanded Virtual Chassis configuration and assigns it member ID 3. For redundancy,
configure a VCP uplink on member 3 through the master and interconnect this uplink
with the VCP uplink of SWA-1 in wiring closet A.
The topology for this example consists of:

Two EX 4200-48P switches

Two EX 4200-24T switches

Four EX-UM-2XFP uplink modules.

Table 34 on page 166 shows the Virtual Chassis configuration settings for a Virtual
Chassis composed of member switches in different wiring closets.
Table 34: Components of a Virtual Chassis Interconnected Across Multiple Wiring Closets

Switch   Member ID   Role and Priority                   Uplinks Connecting Member Switches   Hardware                                   Location
SWA-0    0           master; mastership priority 255     xe-0/1/0                             EX 4200-48P and EX-UM-2XFP uplink module   Wiring closet A
SWA-1    1           linecard; mastership priority 128   xe-1/1/0                             EX 4200-24T and EX-UM-2XFP uplink module   Wiring closet A
SWA-2    2           backup; mastership priority 255     xe-0/1/0                             EX 4200-48P and EX-UM-2XFP uplink module   Wiring closet B
SWA-3    3           linecard; mastership priority 128   xe-3/1/0                             EX 4200-24T and EX-UM-2XFP uplink module   Wiring closet B

Figure 11 on page 167 shows the different types of interconnections used for this
Virtual Chassis configuration. The rear view shows that the member switches within
each wiring closet are interconnected to each other using the dedicated VCPs. The
front view shows the uplink ports that have been set as VCP interfaces and
interconnected across the wiring closets. The uplink ports that are not used as VCPs
can be configured as trunk ports to connect to a distribution switch.


Figure 11: A Virtual Chassis Interconnected Across Wiring Closets

Configuration
To configure the Virtual Chassis across multiple wiring closets, perform these tasks:

NOTE: We recommend that you use the commit synchronize command to save any
configuration changes that you make to a multimember Virtual Chassis.
CLI Quick Configuration

To quickly configure a Virtual Chassis across multiple wiring closets, configure a
master in one closet and a backup in the other by copying the following commands
into the specified terminal windows (SWA-0 and SWA-2):
[edit]
user@SWA-0# set virtual-chassis member 0 mastership-priority 255
[edit]
user@SWA-2# set virtual-chassis member 0 mastership-priority 255

NOTE: At this point, SWA-2 is a standalone switch, so its member ID is 0.


Step-by-Step Procedure

To configure a Virtual Chassis across multiple wiring closets:


1. Configure the mastership priority of SWA-0 (member 0) to be the highest possible
value (255), thereby ensuring that it functions as the master of the expanded
Virtual Chassis configuration.
[edit virtual-chassis]
user@SWA-0# set member 0 mastership-priority 255

2. Prepare the members in wiring closet A for interconnecting with the member
switches in wiring closet B by setting uplink VCPs for member 0 and member
1:
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 1

NOTE: For redundancy, this example configures an uplink VCP in both SWA-0 and
SWA-1. This example omits the specification of the member member-id option in
configuring the uplink for SWA-0. The command applies by default to the switch
where it is executed.

3. Prepare the potential member switch (SWA-2) in wiring closet B for
interconnecting with the Virtual Chassis configuration by configuring its
mastership priority to be the highest possible value (255). Its member ID is
currently 0, because it is not yet interconnected with the other members of the
Virtual Chassis configuration. It is operating as a standalone switch. Its member
ID will change when it is interconnected.
[edit virtual-chassis]
user@SWA-2# set member 0 mastership-priority 255

NOTE: SWA-2 is configured with the same mastership priority value that we
configured for SWA-0. However, the longer uptime of SWA-0 ensures that it functions
as the master and that SWA-2 functions as the backup.

4. Specify one uplink port in SWA-2 as a VCP interface. Its member ID is 0, because
it is not yet interconnected with the other members of the Virtual Chassis
configuration. Its member ID will change when it is interconnected with the
Virtual Chassis configuration.
user@SWA-2> request virtual-chassis vc-port set pic-slot 1 port 0
This example omits the specification of the member member-id option. The
command applies by default to the switch where it is executed.

NOTE: The setting of the VCP interface remains intact when SWA-2 reboots and joins
the Virtual Chassis configuration as member 2.

5.

After you have set the uplink VCP in SWA-2, you should physically interconnect
SWA-0 and SWA-2 across wiring closets using their uplink VCPs. Although SWA-0
and SWA-2 have the same mastership priority value (255), SWA-0 was powered
on first and thus has longer uptime. This results in SWA-0 retaining mastership
while SWA-2 reboots and joins the now expanded Virtual Chassis configuration
as a backup with member ID 2.

6.

Power on SWA-3, which is interconnected with SWA-2 using the dedicated VCPs
on the rear panel. It joins the expanded Virtual Chassis configuration as member
3.

NOTE: We have assumed that the member ID assigned to SWA-3 is 3, because it


was powered on in that sequence.

7. Since SWA-3 is now interconnected as a member of the Virtual Chassis
configuration, you can specify a redundant VCP uplink on SWA-3 through the
master of the Virtual Chassis configuration.
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 3

8. After you have configured the uplink VCP of SWA-3, you should physically
interconnect SWA-3 and SWA-1 across wiring closets using their uplink VCPs.
Both SWA-1 and SWA-3 have the default mastership priority value (128) and
function in a linecard role.

Results

Display the results of the configuration on SWA-0:


[edit]
user@SWA-0# show
virtual-chassis {
    member 0 {
        mastership-priority 255;
    }
    member 1 {
        mastership-priority 128;
    }
    member 2 {
        mastership-priority 255;
    }
    member 3 {
        mastership-priority 128;
    }
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying the Member IDs and Roles of the Member Switches on page 170

Verifying That the Dedicated VCPs and Uplink VCPs Are Operational on page 171

Verifying the Member IDs and Roles of the Member Switches

Purpose

Verify that all the interconnected member switches are included within the Virtual
Chassis configuration and that their roles are assigned appropriately.

Action

Display the members of the Virtual Chassis configuration:
user@SWA-0> show virtual-chassis status
Virtual Chassis ID: 0000.e255.00e0
                                           Mastership         Neighbor List
Member ID  Status   Serial No   Model        Priority  Role     ID  Interface
0 (FPC 0)  Prsnt    abc123      ex4200-48p   255       Master*   1  vcp-0
                                                                 1  vcp-1
                                                                 2  1/0
1 (FPC 1)  Prsnt    def456      ex4200-24t   128       Linecard  0  vcp-0
                                                                 0  vcp-1
                                                                 3  1/0
2 (FPC 2)  Prsnt    ghi789      ex4200-48p   255       Backup    3  vcp-0
                                                                 3  vcp-1
                                                                 0  1/0
3 (FPC 3)  Prsnt    jkl012      ex4200-24t   128       Linecard  2  vcp-0
                                                                 2  vcp-1
                                                                 1  1/0

Meaning

The show virtual-chassis status on page 250 command lists the member switches
interconnected as a Virtual Chassis configuration with the member IDs that have
been assigned by the master, the mastership priority values, and the roles. It also
displays the neighbor members with which each member is interconnected.

Verifying That the Dedicated VCPs and Uplink VCPs Are Operational

Purpose

Verify that the dedicated VCPs interconnecting the member switches in wiring closet
A and the uplink VCPs interconnecting the member switches between wiring closets
are operational.

Action

Display the Virtual Chassis interfaces:
user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up
1/0         Configured   Up

fpc1:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up
1/0         Configured   Up

fpc2:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up
1/0         Configured   Up

fpc3:
--------------------------------------------------------------------------
Interface   Type         Status
or
PIC / Port
vcp-0       Dedicated    Up
vcp-1       Dedicated    Up
1/0         Configured   Up

Meaning

The dedicated VCPs are displayed as vcp-0 and vcp-1. The uplinks configured as
VCPs are displayed as 1/0. The fpc number is the same as the member ID.


Troubleshooting
To troubleshoot a Virtual Chassis configuration that is interconnected across wiring
closets, perform these tasks:
Troubleshooting Nonoperational VCPs
Problem

A VCP interface shows a status of down.

Solution

Check the cable to make sure that it is properly and securely connected to the
ports.

If the VCP is an uplink port, make sure that the uplink port has been explicitly
set as a VCP.

If the VCP is an uplink port, make sure that you have specified the options
(pic-slot, port-number, member-id) correctly.

Related Topics

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 147

Example: Expanding a Virtual Chassis Configuration in a Single Wiring
Closet on page 152

Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default
Configuration on page 158

Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 206

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis
Access Switch and a Virtual Chassis Distribution Switch
EX-series switches allow you to combine one to eight Ethernet links into one logical
interface for higher bandwidth and redundancy. The ports that are combined in this
manner are referred to as a link aggregation group (LAG) or bundle.
This example describes how to configure uplink LAGs to connect a virtual chassis
access switch to a virtual chassis distribution switch:

Requirements on page 172

Overview and Topology on page 173

Configuration on page 175

Verification on page 177

Troubleshooting on page 178

Requirements
This example uses the following software and hardware components:

JUNOS Release 9.0 or later for EX-series switches

Two EX-series 4200-48P switches

Two EX-series 4200-24F switches

Four EX-UM-2XFP uplink modules

Before you configure the LAGs, be sure you have:

Configured the virtual chassis switches. See Example: Configuring a Virtual
Chassis with a Master and Backup in a Single Wiring Closet on page 147.

Configured the uplink ports on the switches as trunk ports. See Configuring
Gigabit Ethernet Interfaces (CLI Procedure) on page 293.

Overview and Topology


For maximum speed and resiliency, you can combine uplinks between an access
switch and a distribution switch into LAGs. Using LAGs can be particularly effective
when connecting a multi-member, virtual-chassis access switch to a multi-member
virtual-chassis distribution switch.
The virtual chassis access switch in this example is composed of two member
switches. Each member switch has an uplink module with two 10-Gigabit Ethernet
ports. These ports are configured as trunk ports, connecting the access switch with
the distribution switch.
Configuring the uplinks as LAGs has the following advantages:

It doubles the speed of each uplink from 10 Gbps to 20 Gbps.

If one physical port is lost for any reason (a cable is unplugged or a switch port
fails, or one member switch is unavailable), the logical port transparently
continues to function over the remaining physical port.

The topology used in this example consists of one virtual chassis access switch and
one virtual chassis distribution switch. The access switch is composed of two
EX 4200-48P switches (SWA-0 and SWA-1), interconnected to each other with their
virtual chassis ports (VCPs) as member switches of Host-A. The distribution switch
is composed of two EX 4200-24F switches (SWD-0 and SWD-1), interconnected with
their VCPs as member switches of Host-D.
Each member of the access switch has an uplink module installed. Each uplink module
has two ports. The uplinks are configured to act as trunk ports, connecting the access
switch with the distribution switch. One uplink port from SWA-0 and one uplink port
from SWA-1 are combined as a LAG ae0 to SWD-0. This link is used for one VLAN.
The remaining uplink ports from SWA-0 and from SWA-1 are combined as a second
LAG connection (ae1) to SWD-1. LAG ae1 is used for another VLAN.


Figure 12: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual
Chassis Distribution Switch

Table 35 details the topology used in this configuration example.

Table 35: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis
Distribution Switch

Switch | Hostname and VCID                  | Base Hardware      | Uplink Module                | Member ID | Trunk Port
SWA-0  | Host-A Access switch, VCID 1       | EX 4200-48P switch | One EX-UM-2XFP uplink module | 0         | xe-0/1/0 to SWD-0; xe-0/1/1 to SWD-1
SWA-1  | Host-A Access switch, VCID 1       | EX 4200-48P switch | One EX-UM-2XFP uplink module | 1         | xe-1/1/0 to SWD-0; xe-1/1/1 to SWD-1
SWD-0  | Host-D Distribution switch, VCID 4 | EX 4200-24F switch | One EX-UM-2XFP uplink module | 0         | xe-0/1/0 to SWA-0; xe-0/1/1 to SWA-1
SWD-1  | Host-D Distribution switch, VCID 4 | EX 4200-24F switch | One EX-UM-2XFP uplink module | 1         | xe-1/1/0 to SWA-0; xe-1/1/1 to SWA-1

Configuration
To configure two uplink LAGs from the virtual chassis access switch to the virtual
chassis distribution switch:
CLI Quick Configuration

To quickly configure aggregated Ethernet high-speed uplinks between a virtual chassis
access switch and a virtual chassis distribution switch, copy the following commands
and paste them into the switch terminal window:
[edit]
set chassis aggregated-devices ethernet device-count 2
set interfaces ae0 aggregated-ether-options minimum-links 2
set interfaces ae0 aggregated-ether-options link-speed 10g
set interfaces ae1 aggregated-ether-options minimum-links 2
set interfaces ae1 aggregated-ether-options link-speed 10g
set interfaces ae0 unit 0 family inet address 192.0.2.0/25
set interfaces ae1 unit 0 family inet address 192.0.2.128/25
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-1/1/0 ether-options 802.3ad ae0
set interfaces xe-0/1/1 ether-options 802.3ad ae1
set interfaces xe-1/1/1 ether-options 802.3ad ae1

Step-by-Step Procedure

To configure aggregated Ethernet high-speed uplinks between a virtual chassis access
switch and a virtual chassis distribution switch:
1. Specify the number of LAGs to be created on the chassis:
[edit chassis]
user@Host-A# set aggregated-devices ethernet device-count 2

2. Specify the number of links that need to be present for the ae0 LAG interface
to be up:
[edit interfaces]
user@Host-A# set ae0 aggregated-ether-options minimum-links 2

3. Specify the number of links that need to be present for the ae1 LAG interface
to be up:
[edit interfaces]
user@Host-A# set ae1 aggregated-ether-options minimum-links 2

4. Specify the media speed of the ae0 link:
[edit interfaces]
user@Host-A# set ae0 aggregated-ether-options link-speed 10g

5. Specify the media speed of the ae1 link:
[edit interfaces]
user@Host-A# set ae1 aggregated-ether-options link-speed 10g

6. Specify the interface ID of the uplinks to be included in LAG ae0:
[edit interfaces]
user@Host-A# set xe-0/1/0 ether-options 802.3ad ae0
user@Host-A# set xe-1/1/0 ether-options 802.3ad ae0

7. Specify the interface ID of the uplinks to be included in LAG ae1:
[edit interfaces]
user@Host-A# set xe-0/1/1 ether-options 802.3ad ae1
user@Host-A# set xe-1/1/1 ether-options 802.3ad ae1

8. Specify that LAG ae0 belongs to the subnet for the employee broadcast domain:
[edit interfaces]
user@Host-A# set ae0 unit 0 family inet address 192.0.2.0/25

9. Specify that LAG ae1 belongs to the subnet for the guest broadcast domain:
[edit interfaces]
user@Host-A# set ae1 unit 0 family inet address 192.0.2.128/25
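Added example, not part of the guide: a pre-commit check over the LAG set commands of this procedure. It parses the statements, then verifies the properties the procedure relies on: minimum-links can actually be met by the configured members, each LAG's members sit on at least two Virtual Chassis member switches (otherwise the "one member switch is unavailable" resilience claim above does not hold), member port speed matches link-speed, and device-count covers every ae interface. The sample text is the guide's quick configuration (with the keyword spelled 802.3ad, as JUNOS accepts it); the check rules and the port-speed table are assumptions.

```python
import re
from collections import defaultdict

# Sample input: the guide's CLI Quick Configuration for ae0 and ae1.
SAMPLE_COMMANDS = """\
set chassis aggregated-devices ethernet device-count 2
set interfaces ae0 aggregated-ether-options minimum-links 2
set interfaces ae0 aggregated-ether-options link-speed 10g
set interfaces ae1 aggregated-ether-options minimum-links 2
set interfaces ae1 aggregated-ether-options link-speed 10g
set interfaces ae0 unit 0 family inet address 192.0.2.0/25
set interfaces ae1 unit 0 family inet address 192.0.2.128/25
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-1/1/0 ether-options 802.3ad ae0
set interfaces xe-0/1/1 ether-options 802.3ad ae1
set interfaces xe-1/1/1 ether-options 802.3ad ae1
"""

# Assumed mapping of interface prefix to port speed, compared against link-speed.
PORT_SPEED = {"xe": "10g", "ge": "1g"}
# EX interface names are type-fpc/pic/port; the fpc number is the member ID.
IFACE_RE = re.compile(r"^(?P<type>[a-z]+)-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)$")


def parse_commands(text):
    """Return (device_count, lags); lags maps an ae name to its options and member ports."""
    device_count = 0
    lags = defaultdict(lambda: {"minimum_links": 1, "link_speed": None, "members": []})
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] != "set":
            continue
        if words[1:5] == ["chassis", "aggregated-devices", "ethernet", "device-count"]:
            device_count = int(words[5])
        elif words[1] == "interfaces" and "aggregated-ether-options" in words:
            lag = lags[words[2]]
            opt = words.index("aggregated-ether-options")
            if words[opt + 1] == "minimum-links":
                lag["minimum_links"] = int(words[opt + 2])
            elif words[opt + 1] == "link-speed":
                lag["link_speed"] = words[opt + 2]
        elif words[1] == "interfaces" and "802.3ad" in words:
            lags[words[words.index("802.3ad") + 1]]["members"].append(words[2])
    return device_count, dict(lags)


def check_lags(device_count, lags):
    """Return findings; an empty list means the LAG configuration passes every check."""
    findings = []
    if device_count < len(lags):
        findings.append("device-count %d is below the %d aggregated interfaces configured"
                        % (device_count, len(lags)))
    for name, lag in sorted(lags.items()):
        members = lag["members"]
        if lag["minimum_links"] > len(members):
            findings.append("%s: minimum-links %d but only %d member(s), so it can never come up"
                            % (name, lag["minimum_links"], len(members)))
        fpcs = set()
        for port in members:
            match = IFACE_RE.match(port)
            if not match:
                findings.append("%s: unrecognised member interface %s" % (name, port))
                continue
            fpcs.add(match["fpc"])
            speed = PORT_SPEED.get(match["type"])
            if lag["link_speed"] and speed and speed != lag["link_speed"]:
                findings.append("%s: member %s is %s but link-speed is %s"
                                % (name, port, speed, lag["link_speed"]))
        if len(members) > 1 and len(fpcs) < 2:
            findings.append("%s: all members are on Virtual Chassis member %s, so losing that "
                            "switch takes the whole LAG down" % (name, next(iter(fpcs))))
    return findings
```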

Results

Display the results of the configuration:
[edit]
chassis {
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
interfaces {
    ae0 {
        aggregated-ether-options {
            link-speed 10g;
            minimum-links 2;
        }
        unit 0 {
            family inet {
                address 192.0.2.0/25;
            }
        }
    }
    ae1 {
        aggregated-ether-options {
            link-speed 10g;
            minimum-links 2;
        }
        unit 0 {
            family inet {
                address 192.0.2.128/25;
            }
        }
    }
    xe-0/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-1/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/1/1 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-1/1/1 {
        ether-options {
            802.3ad ae1;
        }
    }
}

Verification
To verify that switching is operational and two LAGs have been created, perform
these tasks:

Verifying That LAG ae0 Has Been Created on page 177

Verifying That LAG ae1 Has Been Created on page 178

Verifying That LAG ae0 Has Been Created

Purpose

Verify that LAG ae0 has been created on the switch.

Action

show interfaces ae0 terse
Interface       Admin Link Proto    Local            Remote
ae0             up    up
ae0.0           up    up   inet     10.10.10.2/24

Meaning

The output confirms that the ae0 link is up and shows the family and IP address
assigned to this link.
Verifying That LAG ae1 Has Been Created

Purpose

Verify that LAG ae1 has been created on the switch.

Action

show interfaces ae1 terse
Interface       Admin Link Proto    Local            Remote
ae1             up    down
ae1.0           up    down inet

Meaning

The output shows that the ae1 link is down.

Troubleshooting
Troubleshooting a LAG That Is Down
Problem

The show interfaces terse command shows that the LAG is down.

Solution

Check the following:

Verify that there is no configuration mismatch.

Verify that all member ports are up.

Verify that a LAG is part of family ethernet switching (Layer 2 LAG) or family inet
(Layer 3 LAG).

Verify that the LAG member is connected to the correct LAG at the other end.

Verify that the LAG members belong to the same switch (or the same virtual
chassis).

Related Topics

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 147

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch on page 178

Example: Connecting an Access Switch to a Distribution Switch on page 384

Virtual Chassis Cabling Configuration Examples

Installing an Uplink Module in an EX-series Switch

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch
EX-series switches allow you to combine one to eight Ethernet links into one logical
interface for higher bandwidth and redundancy. The ports that are combined in this
manner are referred to as a link aggregation group (LAG) or bundle. EX-series switches
allow you to further enhance these links by configuring Link Aggregation Control
Protocol (LACP).
This example describes how to overlay LACP on the LAG configurations that were
created in Example: Configuring Aggregated Ethernet High-Speed Uplinks Between
a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 172:

Requirements on page 179

Overview and Topology on page 179

Configuring LACP for the LAGs on the Virtual Chassis Access Switch on page 180

Configuring LACP for the LAGs on the Virtual Chassis Distribution
Switch on page 180

Verification on page 181

Troubleshooting on page 182

Requirements
This example uses the following software and hardware components:

JUNOS Release 9.0 or later for EX-series switches

Two EX-series 4200-48P switches

Two EX-series 4200-24F switches

Four EX-series EX-UM-2XFP uplink modules

Before you configure LACP, be sure you have:

Installed your EX-series switches.

Set up the virtual chassis switches. See Example: Configuring a Virtual Chassis
with a Master and Backup in a Single Wiring Closet on page 147.

Configured the uplink ports on the switches as trunk ports. See Configuring
Gigabit Ethernet Interfaces (CLI Procedure) on page 293.

Configured the LAGs. See Example: Configuring Aggregated Ethernet High-Speed
Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch on page 172.

Overview and Topology


This example assumes that you are already familiar with the Example: Configuring
Aggregated Ethernet High-Speed Uplinks between Virtual Chassis Access Switch and
Virtual Chassis Distribution Switch. The topology in this example is exactly the same
as the topology in that other example. This example shows how to use LACP to
enhance the LAG functionality.
LACP exchanges are made between actors (the transmitting link) and partners (the
receiving link). The LACP mode can be either active or passive.


NOTE: If the actor and partner are both in passive mode, they do not exchange LACP
packets, which results in the aggregated Ethernet links not coming up. By default,
LACP is in passive mode. To initiate transmission of LACP packets and responses to
LACP packets, you must enable LACP in active mode.
By default, the actor and partner send LACP packets every second. You can configure
the interval at which the interfaces send LACP packets by including the periodic
statement at the [edit interfaces interface-name aggregated-ether-options lacp] hierarchy
level.
The interval can be fast (every second) or slow (every 30 seconds).

Configuring LACP for the LAGs on the Virtual Chassis Access Switch
To configure LACP for the access switch LAGs, perform these tasks:
CLI Quick Configuration

To quickly configure LACP for the access switch LAGs, copy the following commands
and paste them into the switch terminal window:
set interfaces ae0 aggregated-ether-options lacp active periodic fast
set interfaces ae1 aggregated-ether-options lacp active periodic fast

Step-by-Step Procedure

To configure LACP for Host-A LAGs ae0 and ae1:
1. Specify the aggregated Ethernet options for both bundles:
[edit interfaces]
user@Host-A# set ae0 aggregated-ether-options lacp active periodic fast
user@Host-A# set ae1 aggregated-ether-options lacp active periodic fast

Results

Display the results of the configuration:
aggregated-ether-options {
    lacp {
        active;
        periodic fast;
    }
}

Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch
To configure LACP for the two uplink LAGs from the virtual chassis access switch to
the virtual chassis distribution switch, perform these tasks:
CLI Quick Configuration

To quickly configure LACP for the distribution switch LAGs, copy the following
commands and paste them into the switch terminal window:
[edit interfaces]
set ae0 aggregated-ether-options lacp passive periodic fast
set ae1 aggregated-ether-options lacp passive periodic fast


Step-by-Step Procedure

To configure LACP for Host-D LAGs ae0 and ae1:
1. Specify the aggregated Ethernet options for both bundles:
[edit interfaces]
user@Host-D# set ae0 aggregated-ether-options lacp passive periodic fast
user@Host-D# set ae1 aggregated-ether-options lacp passive periodic fast

Results

Display the results of the configuration:
aggregated-ether-options {
    lacp {
        passive;
        periodic fast;
    }
}

Verification
To verify that LACP packets are being exchanged, perform these tasks:

Verifying the LACP Settings on page 181

Verifying That the LACP Packets Are Being Exchanged on page 182

Verifying the LACP Settings

Purpose

Verify that LACP has been set up correctly.

Action

Use the show lacp interfaces interface-name command to check that LACP has been
enabled as active on one end.
show lacp interfaces xe-0/1/0
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No   Yes    No   No   No   Yes     Fast    Active
      xe-0/1/0     Partner    No   Yes    No   No   No   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/0             Defaulted   Fast periodic           Detached

Meaning

The output indicates that LACP has been set up correctly and is active at one
end.
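Added example, not part of the guide: a parser for the show lacp interfaces output above with checks for the conditions the guide describes as keeping a bundle down (both ends passive so no LACP packets are sent, a Fast/Slow timeout mismatch, Receive State Defaulted meaning no PDU has been heard from the partner, and Collecting/Distributing still No). The sample text is the output above; PASSIVE_BOTH is a constructed variant and the rule set is an assumption.

```python
import re

# Sample output: the guide's 'show lacp interfaces xe-0/1/0' output (Actor active,
# Partner passive, no partner PDU received yet).
SAMPLE_LACP = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No   Yes    No   No   No   Yes     Fast    Active
      xe-0/1/0     Partner    No   Yes    No   No   No   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/0             Defaulted   Fast periodic           Detached
"""

# Constructed variant: both ends left at the passive default, the case the guide's
# note warns about (no LACP packets are ever sent, so the bundle never comes up).
PASSIVE_BOTH = SAMPLE_LACP.replace("Fast    Active", "Fast   Passive")

# One row of the 'LACP state' table: interface, Actor/Partner, the LACP flags, timeout, activity.
STATE_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<role>Actor|Partner)\s+(?P<exp>Yes|No)\s+(?P<def>Yes|No)\s+"
    r"(?P<dist>Yes|No)\s+(?P<col>Yes|No)\s+(?P<syn>Yes|No)\s+(?P<aggr>Yes|No)\s+"
    r"(?P<timeout>Fast|Slow)\s+(?P<activity>Active|Passive)\s*$")
# One row of the 'LACP protocol' table: receive, transmit and mux machine states.
PROTO_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<rx>Defaulted|Current|Expired|Initialize|Port disabled)\s+"
    r"(?P<tx>Fast periodic|Slow periodic|No periodic|Periodic timer)\s+(?P<mux>\S.*?)\s*$")


def parse_lacp(text):
    """Return {interface: {"Actor": {...}, "Partner": {...}, "protocol": {...}}}."""
    ports = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            ports.setdefault(m["iface"], {})[m["role"]] = m.groupdict()
            continue
        p = PROTO_RE.match(line)
        if p:
            ports.setdefault(p["iface"], {})["protocol"] = p.groupdict()
    return ports


def check_lacp(ports):
    """Return findings that explain why a LAG member is not (yet) part of the bundle."""
    findings = []
    for iface, info in sorted(ports.items()):
        actor, partner = info.get("Actor"), info.get("Partner")
        if actor is None or partner is None:
            findings.append("%s: incomplete LACP state table" % iface)
            continue
        if actor["activity"] == "Passive" and partner["activity"] == "Passive":
            findings.append("%s: both ends passive, no LACP packets will be exchanged" % iface)
        if actor["timeout"] != partner["timeout"]:
            findings.append("%s: timeout mismatch (actor %s, partner %s)"
                            % (iface, actor["timeout"], partner["timeout"]))
        if info.get("protocol", {}).get("rx") == "Defaulted":
            findings.append("%s: receive state Defaulted, no PDU heard from the partner yet" % iface)
        if actor["col"] == "No" or actor["dist"] == "No":
            findings.append("%s: not collecting/distributing, link is not in the bundle" % iface)
    return findings
```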


Verifying That the LACP Packets Are Being Exchanged

Purpose

Verify that LACP packets are being exchanged.

Action

Use the show interfaces lag-name statistics command to display LACP information.
show interfaces ae0 statistics
Physical interface: ae0, Enabled, Physical link is Down
  Interface index: 153, SNMP ifIndex: 30
  Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1,
  Minimum bandwidth needed: 0
  Device flags   : Present Running
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Current address: 02:19:e2:50:45:e0, Hardware address: 02:19:e2:50:45:e0
  Last flapped   : Never
  Statistics last cleared: Never
  Input packets : 0
  Output packets: 0
  Input errors: 0, Output errors: 0

  Logical interface ae0.0 (Index 71) (SNMP ifIndex 34)
    Flags: Hardware-Down Device-Down SNMP-Traps Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :             0          0             0            0
        Output:             0          0             0            0
    Protocol inet, MTU: 1500
      Flags: None
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 10.10.10/24, Local: 10.10.10.1, Broadcast: 10.10.10.255

Meaning

The output here shows that the link is down and that no PDUs are being exchanged.

Troubleshooting
These are some tips for troubleshooting:
Troubleshooting Nonworking LACP Link
Problem

The LACP link is not working.

Solution

Check the following:

Remove the LACP configuration and verify whether the static LAG is up.

Verify that LACP is configured at both ends.

Verify that LACP is not passive at both ends.

Verify whether LACP protocol data units are being exchanged by running the
monitor traffic interface lag-member detail command.

Related Topics

Example: Connecting an Access Switch to a Distribution Switch on page 384

Virtual Chassis Cabling Configuration Examples

Installing an Uplink Module in an EX-series Switch

Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File


You can deterministically control both the role and the member ID assigned to each
member switch in a Virtual Chassis configuration by creating a preprovisioned
configuration file.
A preprovisioned configuration file links the serial number of each EX 4200 switch
to a specified member ID and role. The serial number must be specified in the
configuration file in order for the member to be recognized as part of the Virtual
Chassis configuration.
You must select two members that you want to make eligible for election as master
of the Virtual Chassis configuration. When you list these two members in the
preprovisioned configuration file, you designate the member's role as routing-engine.
One will function as the master of the Virtual Chassis configuration and the other
will function as the backup.
Additional members, not eligible for election as master, can be specified as linecard
in the preprovisioned configuration file.
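Added example, not part of the guide: a small validator and renderer for a preprovisioned configuration plan. It enforces the rules stated above before anything is pasted into the switch (every member has a serial number, since that is what ties a physical switch to its member ID and role; exactly two routing-engine members; every other role is linecard) together with uniqueness checks on member IDs and serial numbers, and then renders the plan as the set virtual-chassis statements. The member list uses the serial numbers and roles of SWA-0 through SWA-9 from this example's topology table; the uniqueness rules and the ten-member limit are assumptions drawn from the example.

```python
# Planned members as (member ID, serial number, role); values are the serial numbers
# and roles of SWA-0 to SWA-9 in the guide's preprovisioned example.
MEMBERS = [
    (0, "abc123", "routing-engine"),
    (1, "def456", "linecard"),
    (2, "ghi789", "linecard"),
    (3, "jkl012", "linecard"),
    (4, "mno345", "linecard"),
    (5, "pqr678", "routing-engine"),
    (6, "stu901", "linecard"),
    (7, "vwx234", "linecard"),
    (8, "yza567", "linecard"),
    (9, "bcd890", "linecard"),
]

MAX_MEMBERS = 10          # the largest Virtual Chassis in the guide has ten members
ROLES = ("routing-engine", "linecard")


def validate_members(members):
    """Return a list of problems; an empty list means the plan can be rendered."""
    errors = []
    ids = [mid for mid, _, _ in members]
    serials = [serial for _, serial, _ in members]
    if len(set(ids)) != len(ids):
        errors.append("duplicate member IDs")
    if any(not 0 <= mid < MAX_MEMBERS for mid in ids):
        errors.append("member ID outside 0-%d" % (MAX_MEMBERS - 1))
    # The serial number is what ties a physical switch to its member ID and role;
    # a switch whose serial is not listed is not recognised as part of the Virtual Chassis.
    if any(not serial for serial in serials):
        errors.append("member without serial number")
    if len(set(serials)) != len(serials):
        errors.append("duplicate serial numbers")
    unknown = [role for _, _, role in members if role not in ROLES]
    if unknown:
        errors.append("unknown role(s): %s" % ", ".join(sorted(set(unknown))))
    # Exactly two members may be eligible for election as master (one becomes the backup).
    engines = sum(1 for _, _, role in members if role == "routing-engine")
    if engines != 2:
        errors.append("expected exactly two routing-engine members, found %d" % engines)
    return errors


def render_set_commands(members):
    """Render the plan as the 'set virtual-chassis ...' statements entered at [edit]."""
    errors = validate_members(members)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["set virtual-chassis preprovisioned"]
    for mid, serial, role in sorted(members):
        lines.append("set virtual-chassis member %d serial-number %s role %s"
                     % (mid, serial, role))
    return lines


if __name__ == "__main__":
    print("\n".join(render_set_commands(MEMBERS)))
```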

NOTE: When you use a preprovisioned configuration, you cannot modify the
mastership priority or member ID of member switches through the user interfaces.
This example describes how to configure a Virtual Chassis across multiple wiring
closets using a preprovisioned configuration file:

Requirements on page 184

Overview and Topology on page 185

Configuration on page 189

Verification on page 191

Troubleshooting on page 194

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX-series switches

Five EX 4200-48P switches

Five EX 4200-24T switches

Four EX-UM-2XFP uplink modules

Before you create the preprovisioned configuration of the Virtual Chassis and
interconnect the members across the wiring closets, be sure you have:
1. Made a list of the serial numbers of all the switches to be connected as a Virtual
Chassis configuration.

2. Noted the desired role (routing-engine or linecard) of each switch. If you configure
the member with a routing-engine role, it is eligible to function as a master or
backup. If you configure the member with a linecard role, it is not eligible to
become a master or backup.

3. Installed an EX-UM-2XFP uplink module in the member switches that will be
interconnected across wiring closets. See Installing an Uplink Module in an
EX-series Switch.

4. Interconnected the member switches within each wiring closet using the
dedicated VCPs on the rear panel of switches. See Connecting a Virtual Chassis
Cable to an EX-series Switch.

5. Powered on the switch that you plan to use as the master switch (SWA-0).

6. Run the EZ Setup program on SWA-0, specifying the identification parameters.
See Connecting and Configuring the EX-series Switch (CLI Procedure) on page
57 for details.
SWA-0 is going to be configured in the example to function as the master of the
Virtual Chassis configuration. Thus, the properties that you specified for SWA-0
apply to the entire Virtual Chassis configuration, including all the member
switches that you specify in the preprovisioned configuration file.

7. Configure SWA-0 with the virtual management Ethernet (VME) interface for
out-of-band management of the Virtual Chassis configuration, if desired.
[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask

Overview and Topology


In this example, five EX 4200 switches (SWA-0 through SWA-4) are interconnected
with their dedicated VCPs in wiring closet A and five EX 4200 switches (SWA-5
through SWA-9) are interconnected with their dedicated VCPs in wiring closet B.
SWA-0 (in wiring closet A) is going to be the master of the Virtual Chassis
configuration. This example shows how to create a preprovisioned configuration file
on SWA-0 for all member switches that will be interconnected in the Virtual Chassis
configuration. The preprovisioned configuration file includes member IDs for the
members in wiring closet A and for the members in wiring closet B.
SWA-5 (in wiring closet B) is going to be the backup of the Virtual Chassis
configuration. Both SWA-0 and SWA-5 are specified in the preprovisioned
configuration file with the role of routing-engine. All other members are specified with
the role of linecard.
If all member switches could be interconnected with their dedicated VCPs, you could
simply power on the switches after saving and committing the preprovisioned
configuration file. The master detects the connection of the members through the
dedicated VCPs and applies the parameters specified in the preprovisioned
configuration file.
However, the Virtual Chassis cables that interconnect the VCPs of member switches
within a single wiring closet are not long enough to connect member switches across
wiring closets. Instead, you can use the fiber cable connections in the EX-UM-2XFP
or EX-UM-4SFP uplink modules to interconnect the member switches in wiring closet
A to the member switches in wiring closet B. For redundancy, this example connects
uplink ports from two member switches in wiring closet A (SWA-0 and SWA-2) to
two member switches (SWA-5 and SWA-7) in wiring closet B.

NOTE: You can use either a 10-Gbps Ethernet uplink port (EX-UM-2XFP) or a 1-Gbps
Ethernet uplink port (EX-UM-4SFP) as a VCP interface. When an uplink port is set
as a VCP interface, it cannot be used for any other purpose. The EX-UM-2XFP uplink
module has two 10-Gbps ports; the EX-UM-4SFP has four 1-Gbps ports. You can set
one port as a VCP interface and configure the other port in trunk mode as an uplink
to a distribution switch.
Because this particular preprovisioned configuration is for a Virtual Chassis that is
interconnected across wiring closets, we will bring up the Virtual Chassis configuration
in stages. First, we power on SWA-0 (without powering on any other switches) and
create the preprovisioned configuration file. Then we power on the remaining switches
in wiring closet A. If we check the status of the Virtual Chassis configuration at this
point by using the show virtual-chassis status command, it will display only member
0 through member 4. The members that have not yet been interconnected will not
be listed.
Next, power on SWA-5 without powering on the remaining switches (SWA-6 through
SWA-9) in wiring closet B. Bring up SWA-5 as a standalone switch and set one of its
uplinks as a VCP interface prior to interconnecting it with the Virtual Chassis
configuration in wiring closet A. Without this setting, SWA-5 cannot be detected as
a member switch by the master of the Virtual Chassis configuration.
You can set the uplink VCP of SWA-5 without running the EZ Setup program by
directly connecting to the console port. If you wish, you can run the EZ Setup program
and specify identification parameters. When you interconnect SWA-5 with the master
of the Virtual Chassis configuration, the master overwrites any conflicting parameters.
After setting the VCP uplink in SWA-5, connect this VCP uplink with the VCP uplink
of SWA-0 in wiring closet A. SWA-5 (serial number pqr678) is specified as a
routing-engine in the preprovisioned configuration file.
This example uses SWA-5 as the backup of the Virtual Chassis configuration. If a
problem occurs in wiring closet A, SWA-5 would take control of the Virtual Chassis
configuration and maintain the network connections. Specify both SWA-0 and SWA-5
as routing-engine. Because SWA-0 is powered on prior to SWA-5, it has additional
prioritization properties that cause it to be elected as master of the Virtual Chassis
configuration.
After being physically interconnected with SWA-0, SWA-5 reboots and comes up as
member 5 and as the backup of the Virtual Chassis configuration.


Power on the remaining switches (SWA-6 through SWA-9) in wiring closet B. The
master can now detect that all members are present. Finally, for redundancy,
configure an additional VCP uplink on SWA-7 through the master.
The topology for this example consists of:

Three EX 4200-48P switches (SWA-0, SWA-2, and SWA-4) in wiring closet A.

Two EX 4200-48P switches (SWA-5 and SWA-9) in wiring closet B.

Two EX 4200-24T switches (SWA-1 and SWA-3) in wiring closet A.

Three EX 4200-24T switches (SWA-6, SWA-7, and SWA-8) in wiring closet B.

Four EX-UM-2XFP uplink modules. Two are installed in wiring closet A and two
are installed in wiring closet B.

Table 36 on page 187 shows the Virtual Chassis configuration settings for a
preprovisioned Virtual Chassis composed of member switches in different wiring
closets.
Table 36: Components of a Preprovisioned Virtual Chassis Interconnected Across Multiple Wiring Closets

Switch | Serial number | Member ID | Role           | Uplink Ports        | Hardware                                 | Location
SWA-0  | abc123        | 0         | routing-engine | xe-0/1/0            | EX 4200-48P and EX-UM-2XFP uplink module | Wiring closet A
SWA-1  | def456        | 1         | linecard       |                     | EX 4200-24T                              | Wiring closet A
SWA-2  | ghi789        | 2         | linecard       | xe-2/1/0            | EX 4200-48P                              | Wiring closet A
SWA-3  | jkl012        | 3         | linecard       |                     | EX 4200-24T                              | Wiring closet A
SWA-4  | mno345        | 4         | linecard       |                     | EX 4200-48P                              | Wiring closet A
SWA-5  | pqr678        | 5         | routing-engine | xe-0/1/0 (see note) | EX 4200-48P and EX-UM-2XFP uplink module | Wiring closet B
SWA-6  | stu901        | 6         | linecard       |                     | EX 4200-24T                              | Wiring closet B
SWA-7  | vwx234        | 7         | linecard       | xe-7/1/0            | EX 4200-24T                              | Wiring closet B
SWA-8  | yza567        | 8         | linecard       |                     | EX 4200-24T                              | Wiring closet B
SWA-9  | bcd890        | 9         | linecard       |                     | EX 4200-48P                              | Wiring closet B

NOTE: The member ID of SWA-5 is 0 at the time that its uplink port is configured as a
VCP.

Figure 13 on page 188 shows the different types of interconnections used for this
Virtual Chassis configuration. The rear view shows that the member switches within
each wiring closet are interconnected to each other using the dedicated VCPs. The
front view shows the uplink ports that have been set as VCPs and interconnected
across the wiring closets. The uplink ports that are not set as VCPs can be configured
as trunk ports to connect to a distribution switch.

NOTE: The interconnections shown in this figure are the same as they would be for
a configuration that was not preprovisioned across wiring closets.

Figure 13: Maximum Size Virtual Chassis Interconnected Across Wiring Closets

Configuration

To configure the Virtual Chassis across multiple wiring closets using a preprovisioned
configuration, perform these tasks:

NOTE: We recommend that you use the commit synchronize command to save any
configuration changes that you make to a multimember Virtual Chassis configuration.

CLI Quick Configuration

To quickly configure SWA-0 with a preprovisioned configuration, copy the following
commands and paste them into the switch terminal window:
[edit]
set virtual-chassis preprovisioned
set virtual-chassis member 0 serial-number abc123 role routing-engine
set virtual-chassis member 1 serial-number def456 role linecard
set virtual-chassis member 2 serial-number ghi789 role linecard
set virtual-chassis member 3 serial-number jkl012 role linecard
set virtual-chassis member 4 serial-number mno345 role linecard
set virtual-chassis member 5 serial-number pqr678 role routing-engine
set virtual-chassis member 6 serial-number stu901 role linecard
set virtual-chassis member 7 serial-number vwx234 role linecard
set virtual-chassis member 8 serial-number yza567 role linecard
set virtual-chassis member 9 serial-number bcd890 role linecard

Step-by-Step Procedure

To create a preprovisioned configuration for the Virtual Chassis:

1. Specify the preprovisioned configuration mode:
[edit virtual-chassis]
user@SWA-0# set preprovisioned

2. Specify all the members that will be included in the Virtual Chassis configuration,
listing each switch's serial number with the desired member ID and the desired
role:
[edit virtual-chassis]
user@SWA-0# set member 0 serial-number abc123 role routing-engine
user@SWA-0# set member 1 serial-number def456 role linecard
user@SWA-0# set member 2 serial-number ghi789 role linecard
user@SWA-0# set member 3 serial-number jkl012 role linecard
user@SWA-0# set member 4 serial-number mno345 role linecard
user@SWA-0# set member 5 serial-number pqr678 role routing-engine
user@SWA-0# set member 6 serial-number stu901 role linecard
user@SWA-0# set member 7 serial-number vwx234 role linecard
user@SWA-0# set member 8 serial-number yza567 role linecard
user@SWA-0# set member 9 serial-number bcd890 role linecard

3. Power on the member switches in wiring closet A.

4. Prepare the members in wiring closet A for interconnecting with the member
switches in wiring closet B by setting uplink VCPs for member 0 and member 2:
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0
user@SWA-2> request virtual-chassis vc-port set pic-slot 1 port 0 member 2

NOTE: For redundancy, this example sets an uplink VCP interface in both SWA-0 and
SWA-2.

This example omits the specification of member 0 in setting the uplink for
SWA-0. The command applies by default to the switch where it is executed.

5. Power on and connect to SWA-5. This switch comes up as member ID 0 and
functions as master of itself. Although SWA-5 is listed in the preprovisioned
configuration file, it is not a present member of the Virtual Chassis configuration
that has been powered on thus far. In order for the master to detect SWA-5 as
a connected member, you must first set an uplink VCP on SWA-5 and
interconnect that VCP uplink with the VCP uplink of SWA-0.

6. Set the first uplink of SWA-5 to function as a VCP interface. Because SWA-5 has
been powered on as a separate switch and is still operating independently at
this point, its member ID is 0.
user@SWA-5> request virtual-chassis vc-port set pic-slot 1 port 0

NOTE: This example omits the specification of member 0 in configuring the uplink
for SWA-5 (at this point the member ID of SWA-5 is still 0). The command applies
by default to the switch where it is executed.

7. Power off SWA-5 and connect the fiber cable from SWA-5 uplink port xe-0/1/0
to the uplink port xe-0/1/0 on SWA-0.

8. Power on SWA-5.

9. Now that SWA-5 has been brought up as member 5 of the Virtual Chassis
configuration, power on the remaining switches (SWA-6 through SWA-9) in
wiring closet B. They are interconnected with SWA-5 using the dedicated VCPs
on the rear panel and are therefore detected by the master as interconnected
members. If you check the status of the Virtual Chassis configuration at this
point, all the members that were specified in the preprovisioned configuration
file should be displayed as present. Additional configuration for member switches
can now be done through the master switch.

10. Set one uplink port of SWA-7 to function as a VCP:
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 7

Results

Display the results of the configuration on SWA-0:
[edit]
user@SWA-0# show
virtual-chassis {
    member 0 {
        role routing-engine;
        serial-number abc123;
    }
    member 1 {
        role linecard;
        serial-number def456;
    }
    member 2 {
        role linecard;
        serial-number ghi789;
    }
    member 3 {
        role linecard;
        serial-number jkl012;
    }
    member 4 {
        role linecard;
        serial-number mno345;
    }
    member 5 {
        role routing-engine;
        serial-number pqr678;
    }
    member 6 {
        role linecard;
        serial-number stu901;
    }
    member 7 {
        role linecard;
        serial-number vwx234;
    }
    member 8 {
        role linecard;
        serial-number yza567;
    }
    member 9 {
        role linecard;
        serial-number bcd890;
    }
    preprovisioned;
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying the Member IDs and Roles of the Member Switches on page 192

Verifying That the Dedicated VCPs and Uplink VCPs Are Operational on page 193


Verifying the Member IDs and Roles of the Member Switches

Purpose
Verify that the member IDs and roles are all set as expected.

Action
Display the members of the Virtual Chassis configuration:
user@SWA-0> show virtual-chassis status
Preprovisioned Virtual Chassis
Virtual Chassis ID: 0000.e255.0000
                                            Mastership          Neighbor List
Member ID  Status  Serial No  Model       Priority    Role      ID  Interface
0 (FPC 0)  Prsnt   abc123     ex4200-48p  129         Master*    1  vcp-0
                                                                 4  vcp-1
                                                                 5  1/0
1 (FPC 1)  Prsnt   def456     ex4200-24t              Linecard   2  vcp-0
                                                                 0  vcp-1
2 (FPC 2)  Prsnt   ghi789     ex4200-48p              Linecard   3  vcp-0
                                                                 1  vcp-1
                                                                 7  1/0
3 (FPC 3)  Prsnt   jkl012     ex4200-24t              Linecard   4  vcp-0
                                                                 2  vcp-1
4 (FPC 4)  Prsnt   mno345     ex4200-48p              Linecard   0  vcp-0
                                                                 3  vcp-1
5 (FPC 5)  Prsnt   pqr678     ex4200-48p  129         Backup     6  vcp-0
                                                                 9  vcp-1
                                                                 0  1/0
6 (FPC 6)  Prsnt   stu901     ex4200-24t              Linecard   7  vcp-0
                                                                 5  vcp-1
7 (FPC 7)  Prsnt   vwx234     ex4200-24t              Linecard   8  vcp-0
                                                                 6  vcp-1
                                                                 2  1/0
8 (FPC 8)  Prsnt   yza567     ex4200-24t              Linecard   9  vcp-0
                                                                 7  vcp-1
9 (FPC 9)  Prsnt   bcd890     ex4200-48p              Linecard   5  vcp-0
                                                                 8  vcp-1

Meaning
The output shows that all members listed in the preprovisioned configuration file are
connected to the Virtual Chassis configuration. It confirms that SWA-0 (member 0)
is functioning as the master of the Virtual Chassis configuration, which was the
intention of the configuration procedure. The other configured routing-engine (SWA-5)
is functioning as the backup. The Neighbor List displays the interconnections of the
member VCPs.
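As an added example (not from this guide or from Juniper), the following Python script parses status output in the format shown above and compares it with the preprovisioned plan: every planned serial must be present under its planned member ID with a role consistent with routing-engine (Master or Backup) or linecard, no unplanned member may have joined, the master must be member 0, and every neighbor link must be reported from both ends. The status text inside the script is constructed to match the display above; the priority column is left empty for linecards, as it is there.

```python
"""Check `show virtual-chassis status` output against the preprovisioned plan.

Added example, not Juniper code. STATUS is constructed to match the display
in this guide (priority column empty for linecards, as shown there).
"""
import re

STATUS = """\
Preprovisioned Virtual Chassis
Virtual Chassis ID: 0000.e255.0000
                                            Mastership          Neighbor List
Member ID  Status  Serial No  Model       Priority    Role      ID  Interface
0 (FPC 0)  Prsnt   abc123     ex4200-48p  129         Master*    1  vcp-0
                                                                 4  vcp-1
                                                                 5  1/0
1 (FPC 1)  Prsnt   def456     ex4200-24t              Linecard   2  vcp-0
                                                                 0  vcp-1
2 (FPC 2)  Prsnt   ghi789     ex4200-48p              Linecard   3  vcp-0
                                                                 1  vcp-1
                                                                 7  1/0
3 (FPC 3)  Prsnt   jkl012     ex4200-24t              Linecard   4  vcp-0
                                                                 2  vcp-1
4 (FPC 4)  Prsnt   mno345     ex4200-48p              Linecard   0  vcp-0
                                                                 3  vcp-1
5 (FPC 5)  Prsnt   pqr678     ex4200-48p  129         Backup     6  vcp-0
                                                                 9  vcp-1
                                                                 0  1/0
6 (FPC 6)  Prsnt   stu901     ex4200-24t              Linecard   7  vcp-0
                                                                 5  vcp-1
7 (FPC 7)  Prsnt   vwx234     ex4200-24t              Linecard   8  vcp-0
                                                                 6  vcp-1
                                                                 2  1/0
8 (FPC 8)  Prsnt   yza567     ex4200-24t              Linecard   9  vcp-0
                                                                 7  vcp-1
9 (FPC 9)  Prsnt   bcd890     ex4200-48p              Linecard   5  vcp-0
                                                                 8  vcp-1
"""

# member ID -> (serial number, configured role), from the preprovisioned stanza
PLAN = {0: ("abc123", "routing-engine"), 1: ("def456", "linecard"),
        2: ("ghi789", "linecard"), 3: ("jkl012", "linecard"),
        4: ("mno345", "linecard"), 5: ("pqr678", "routing-engine"),
        6: ("stu901", "linecard"), 7: ("vwx234", "linecard"),
        8: ("yza567", "linecard"), 9: ("bcd890", "linecard")}

# "N (FPC N)  status  serial  model  [priority]  role  [neighbor-id  interface]"
MEMBER_LINE = re.compile(
    r"^\s*(\d+)\s+\(FPC\s+\d+\)\s+(\S+)\s+(\S+)\s+(\S+)\s+(?:(\d+)\s+)?(\S+)"
    r"(?:\s+(\d+)\s+(\S+))?\s*$")
NEIGHBOR_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")  # continuation rows


def parse_status(text):
    """Return {member_id: {status, serial, model, priority, role, neighbors}}."""
    members, current = {}, None
    for line in text.splitlines():
        m = MEMBER_LINE.match(line)
        if m:
            current = members[int(m.group(1))] = {
                "status": m.group(2), "serial": m.group(3), "model": m.group(4),
                "priority": int(m.group(5)) if m.group(5) else None,
                "role": m.group(6).rstrip("*"),   # '*' marks the member you are on
                "neighbors": [(int(m.group(7)), m.group(8))] if m.group(7) else []}
            continue
        n = NEIGHBOR_LINE.match(line)
        if n and current is not None:
            current["neighbors"].append((int(n.group(1)), n.group(2)))
    return members


def audit(members, plan, expected_master=0):
    """Compare live status with the plan; return a list of findings (empty = good)."""
    findings = []
    for mid, (serial, role) in sorted(plan.items()):
        got = members.get(mid)
        if got is None or got["status"] != "Prsnt":
            findings.append(f"member {mid} ({serial}) is not present")
            continue
        if got["serial"] != serial:
            findings.append(f"member {mid}: serial {got['serial']}, plan says {serial}")
        allowed = {"Master", "Backup"} if role == "routing-engine" else {"Linecard"}
        if got["role"] not in allowed:
            findings.append(f"member {mid}: role {got['role']} not allowed for {role}")
    for mid in sorted(set(members) - set(plan)):
        findings.append(f"member {mid} ({members[mid]['serial']}) is not in the plan")
    masters = [mid for mid, m in members.items() if m["role"] == "Master"]
    if masters != [expected_master]:
        findings.append(f"master is {masters}, expected member {expected_master}")
    # Every link must be reported from both ends; a one-sided entry points at a
    # miscabled or partially failed VCP
    for mid, m in members.items():
        for nid, iface in m["neighbors"]:
            peer = members.get(nid)
            if peer is None or mid not in {p for p, _ in peer["neighbors"]}:
                findings.append(f"member {mid} sees {nid} on {iface}, but not vice versa")
    return findings


if __name__ == "__main__":
    print(audit(parse_status(STATUS), PLAN) or "virtual chassis matches the plan")
```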


Verifying That the Dedicated VCPs and Uplink VCPs Are Operational

Purpose
Verify that the dedicated VCPs interconnecting the member switches within each
wiring closet and the uplink VCPs interconnecting the member switches across wiring
closets are operational.

Action
Display the Virtual Chassis interfaces:
user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up
fpc1:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc2:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up
fpc3:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc4:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc5:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up
fpc6:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc7:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up
fpc8:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
fpc9:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up

Meaning
The dedicated VCPs interconnecting the member switches within wiring closets are
displayed as vcp-0 and vcp-1. The uplink VCP ports interconnecting member switches
(members 0, 2, 5 and 7) across wiring closets are displayed as 1/0 and 1/1 and
identified as Configured.

Troubleshooting
To troubleshoot a preprovisioned Virtual Chassis configuration that is interconnected
across wiring closets, perform these tasks:
Troubleshooting Nonoperational VCPs
Problem

A VCP interface shows a status of down.

Solution

Check the cable to make sure that it is properly and securely connected to the ports.

Related Topics

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 147

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets on page 163

Configuring a Virtual Chassis (CLI Procedure) on page 199

Configuring a Virtual Chassis (J-Web Procedure) on page 197

Chapter 17

Configuring Virtual Chassis

Virtual Chassis Configuration Tasks on page 197

Virtual Chassis Configuration Tasks

Configuring a Virtual Chassis (J-Web Procedure) on page 197

Configuring a Virtual Chassis (CLI Procedure) on page 199

Adding a New Switch to an Existing Virtual Chassis Configuration (CLI
Procedure) on page 202

Configuring Mastership of the Virtual Chassis (CLI Procedure) on page 204

Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 206

Configuring the Virtual Management Ethernet Interface for Global Management
of a Virtual Chassis (CLI Procedure) on page 210

Configuring the Timer for the Backup Member to Start Using Its Own MAC
Address, as Master of Virtual Chassis (CLI Procedure) on page 210

Configuring a Virtual Chassis (J-Web Procedure)

To take advantage of the scalability features of EX 4200 switches, you can configure
a Virtual Chassis that includes up to 10 member switches. You can interconnect the
member switches using the dedicated Virtual Chassis ports (VCPs) on the back of
the switch. You do not have to configure the interface for the dedicated VCPs. If you
want to interconnect member switches that are located in different racks or wiring
closets, interconnect them using uplinks configured as VCP interfaces. See Setting
an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 206.
To configure a Virtual Chassis using the J-Web interface:

1. From the Configure menu, select the option Virtual Chassis.

NOTE: The Virtual Chassis option is not available for EX 3200 switches.

2. The properties you can configure are displayed.
The first section of the Virtual Chassis configuration page displays the Virtual
Chassis member configuration. The display includes a list of member switches,
their member IDs, and the mastership priority.
The second section displays the operational status of the Virtual Chassis
configuration, member details, and the dedicated and configured Virtual Chassis
ports (VCPs).

3. Enter information into the page as described in Table 37 on page 198.

4. Click one:

Add: To add a member's configuration to the Virtual Chassis configuration,
click Add.

Edit: To modify an existing member's configuration, click Edit.

Delete: To delete the configuration of a member, click Delete.

5. To configure an uplink as a VCP, select the member in the Virtual Chassis
members list and select Action > Select Uplink Port as VCP. Select the port from
the list.

6. To delete an uplink VCP from a member, select the member in the Virtual Chassis
members list and select Action > Delete Uplink Port as VCP.

Table 37: Virtual Chassis Configuration Fields

Field: Member ID
Function: Specifies the identifier for the member switch. The master switch assigns
member IDs.
Your Action: Select an identifier from the list. Select an ID from 0 through 9.

Field: Priority
Function: Specifies the mastership priority to be assigned to the member.
Your Action: Select a number from 1 through 255, with 255 being the highest priority
(128 is the default).

Field: Disable Management VLAN
Function: If you want to reserve an individual member's management Ethernet port
for local troubleshooting, you can remove that port from being part of the Virtual
Management Ethernet (VME).
Your Action: Click to disable management VLAN on the port.

Field: Refresh
Function: Refreshes the operational status of Virtual Chassis members.
Your Action: Click to refresh the operational status.

Member Details

Related Topics

Configuring a Virtual Chassis (CLI Procedure) on page 199

Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet on page 147

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets on page 163

Monitoring Virtual Chassis Configuration Status and Statistics on page 219

Virtual Chassis Cabling Configuration Examples

Virtual Chassis Overview on page 133

Configuring a Virtual Chassis (CLI Procedure)


To take advantage of the scalability features of EX 4200 switches, you can configure
a Virtual Chassis that includes up to 10 member switches. You can interconnect the
member switches using the dedicated Virtual Chassis ports (VCPs) on the back of
the switch. You do not have to configure the interface for the dedicated VCPs. If you
want to interconnect member switches that are located in different racks or wiring
closets, interconnect them using uplinks configured as VCP interfaces. See Setting
an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 206.

NOTE: A multimember Virtual Chassis configuration has two Routing Engines, one
in the master and the other in the backup. Therefore, we recommend that you always
use commit synchronize rather than simply commit to save configuration changes
made for a Virtual Chassis. This ensures that the configuration changes are saved in
both Routing Engines.
A Virtual Chassis can be configured with either:

preprovisioned configuration: Allows you to deterministically control the member
ID and role assigned to a member switch by tying it to its serial number.

nonprovisioned configuration: The master sequentially assigns a member ID
to other member switches. The role is determined by the mastership priority
value and other factors in the master election algorithm.

Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 199

Configuring a Virtual Chassis with a Nonprovisioned Configuration File on page 200

Configuring a Virtual Chassis with a Preprovisioned Configuration File


To configure a Virtual Chassis using a preprovisioned configuration:

1. Make a list of the serial numbers of all the switches to be connected in a Virtual
Chassis configuration.

2. Note the desired role (routing-engine or linecard) of each switch. If you configure
the member with a routing-engine role, it is eligible to function as a master or
backup. If you configure the member with a linecard role, it is not eligible to
become a master or backup.

3. Interconnect the member switches using the dedicated VCPs on the rear panel
of switches. See Connecting a Virtual Chassis Cable to an EX-series Switch.

NOTE: Arrange the switches in sequence, either from top to bottom or from bottom
to top (0-9).

4. Power on only the switch that you plan to use as the master switch (SWA-0). Do
not power on the other switches at this time.

5. Run the EZ Setup program on SWA-0, specifying the identification parameters.
See Connecting and Configuring the EX-series Switch (CLI Procedure) on page
57 for details.

NOTE: The properties that you specify for SWA-0 apply to the entire Virtual Chassis
configuration, including all the members listed in the preprovisioned configuration
file.

6. Configure SWA-0 with the virtual management Ethernet (VME) interface for
out-of-band management of the Virtual Chassis configuration, if desired:
[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask

7. Specify the preprovisioned configuration mode:
[edit virtual-chassis]
user@SWA-0# set preprovisioned

8. Specify all the members that you want to include in the Virtual Chassis
configuration, listing each switch's serial number with the desired member ID
and the desired role:
[edit virtual-chassis]
user@SWA-0# set member 0 serial-number abc123 role routing-engine
user@SWA-0# set member 1 serial-number def456 role linecard
user@SWA-0# set member 2 serial-number ghi789 role linecard
user@SWA-0# set member 3 serial-number jkl012 role linecard
user@SWA-0# set member 4 serial-number mno345 role linecard
user@SWA-0# set member 5 serial-number pqr678 role routing-engine
user@SWA-0# set member 6 serial-number stu901 role linecard
user@SWA-0# set member 7 serial-number vwx234 role linecard
user@SWA-0# set member 8 serial-number yza567 role linecard
user@SWA-0# set member 9 serial-number bcd890 role linecard

9. Power on the member switches.

NOTE: You cannot modify the mastership-priority when you are using a preprovisioned
configuration. The mastership priority values are generated automatically and
controlled by the role that is assigned to the member switch in the configuration file.
The two routing engines are assigned the same mastership priority value. However,
the member that was powered on first has higher prioritization according to the
master election algorithm. See Understanding How the Master in a Virtual Chassis
Configuration Is Elected on page 140.
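As an added example (not from this guide or from Juniper), the following Python script audits a rendered virtual-chassis stanza, in the curly-brace form that show displays, against the rules this procedure states: a serial number bound to every member, member IDs 0 through 9, no serial used twice, no more than two routing-engine members, and no mastership-priority statement alongside preprovisioned. It then renders the stanza back into the set commands used above. Both sample stanzas are constructed; treating a member with no role statement as a linecard is an assumption.

```python
"""Audit a rendered JUNOS virtual-chassis stanza for preprovisioned-mode rules.

Added example, not Juniper code. Sample stanzas are constructed for it.
"""
import re

# Constructed sample: a subset of the SWA-0 result shown in this guide.
GOOD = """\
virtual-chassis {
    member 0 {
        role routing-engine;
        serial-number abc123;
    }
    member 5 {
        role routing-engine;
        serial-number pqr678;
    }
    member 7 {
        role linecard;
        serial-number vwx234;
    }
    preprovisioned;
}
"""

# Constructed sample that breaks three rules at once.
BAD = """\
virtual-chassis {
    member 0 {
        role routing-engine;
        serial-number abc123;
        mastership-priority 255;
    }
    member 1 {
        role routing-engine;
        serial-number def456;
    }
    member 2 {
        role routing-engine;
        serial-number abc123;
    }
    preprovisioned;
}
"""

MEMBER_RE = re.compile(r"member\s+(\d+)\s*\{(.*?)\}", re.S)   # member N { ... }
STMT_RE = re.compile(r"(\S+)\s+(\S+);")                        # keyword value;


def parse_vc(text):
    """Return (preprovisioned, {member_id: {keyword: value}}) for the stanza."""
    members = {int(mid): dict(STMT_RE.findall(body))
               for mid, body in MEMBER_RE.findall(text)}
    # `preprovisioned;` is a stanza-level statement, so look only outside members
    outside = MEMBER_RE.sub("", text)
    return bool(re.search(r"\bpreprovisioned;", outside)), members


def validate(preprovisioned, members):
    """Return the list of rule violations; an empty list means the stanza is clean."""
    problems = []
    if not preprovisioned:
        problems.append("preprovisioned statement missing")
    serials, routing_engines = {}, []
    for mid, stmts in sorted(members.items()):
        if not 0 <= mid <= 9:
            problems.append(f"member {mid}: member IDs run from 0 through 9")
        serial = stmts.get("serial-number")
        if serial is None:
            problems.append(f"member {mid}: no serial-number, so no chassis is bound to it")
        elif serial in serials:
            problems.append(f"member {mid}: serial {serial} already bound to member {serials[serial]}")
        else:
            serials[serial] = mid
        # Assumption: a member with no role statement behaves as a linecard
        role = stmts.get("role", "linecard")
        if role == "routing-engine":
            routing_engines.append(mid)
        if "mastership-priority" in stmts:
            problems.append(f"member {mid}: mastership-priority cannot be set in preprovisioned mode")
    if len(routing_engines) > 2:
        problems.append(f"only two routing-engine members are allowed, found {routing_engines}")
    if not routing_engines:
        problems.append("no routing-engine member, so nothing is eligible to become master")
    return problems


def set_commands(preprovisioned, members):
    """Render the stanza as the `set` lines used in the CLI Quick Configuration."""
    lines = ["set virtual-chassis preprovisioned"] if preprovisioned else []
    for mid, stmts in sorted(members.items()):
        lines.append(f"set virtual-chassis member {mid} serial-number "
                     f"{stmts.get('serial-number', '?')} role {stmts.get('role', 'linecard')}")
    return lines


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        pre, members = parse_vc(text)
        print(name, "->", validate(pre, members) or "no problems")
    print("\n".join(set_commands(*parse_vc(GOOD))))
```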

Configuring a Virtual Chassis with a Nonprovisioned Configuration File


To configure the Virtual Chassis using a nonprovisioned configuration:

1. Interconnect the member switches using the dedicated VCPs on the rear panel
of switches. See Connecting a Virtual Chassis Cable to an EX-series Switch.

NOTE: Arrange the switches in sequence, either from top to bottom or from bottom
to top (0-9).

2. Power on only the switch that you plan to use as the master switch (SWA-0). Do
not power on the other switches at this time.

3. Run the EZ Setup program on SWA-0, specifying the identification parameters.
See Connecting and Configuring the EX-series Switch (CLI Procedure) on page
57 for details.

NOTE: The properties that you specify for SWA-0 apply to the entire Virtual Chassis
configuration, including all the members interconnected through VCPs.

4. Configure SWA-0 with the virtual management Ethernet (VME) interface for
out-of-band management of the Virtual Chassis configuration, if desired:
[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask

5. Configure mastership priority for the master, backup, and other members, if
desired:
[edit virtual-chassis]
user@SWA-0# set member 0 mastership-priority 255
user@SWA-0# set member 5 mastership-priority 255

6. Power on the member switches in sequential order, one by one.

NOTE: If you do not edit the Virtual Chassis configuration file, a nonprovisioned
configuration is generated by default. The mastership priority value for each member
switch is 128. The master role is selected by default. You can change the role that
is performed by the members by modifying the mastership-priority. See Configuring
Mastership of the Virtual Chassis (CLI Procedure) on page 204. We recommend that
you specify the same mastership priority value for the desired master and backup
members. We have assigned the highest possible mastership priority to two members.
However, the member that was powered on first has higher prioritization according
to the master election algorithm. See Understanding How the Master in a Virtual
Chassis Configuration Is Elected on page 140. We have allowed the other members
to use the default mastership priority, which qualifies them to function in the role of
linecard.

NOTE: If you want to change the member ID that the master has assigned to a
member switch, use the request virtual-chassis renumber command on page 245.
Related Topics

Configuring a Virtual Chassis (J-Web Procedure) on page 197

Configuring Mastership of the Virtual Chassis (CLI Procedure) on page 204

Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 206

Monitoring Virtual Chassis Configuration Status and Statistics on page 219

Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure)

You can add one or more EX 4200 switches to an existing Virtual Chassis
configuration. Up to ten EX 4200 switches can be included within a Virtual Chassis
configuration.
To add a switch to an existing Virtual Chassis configuration, use the procedure that
matches what you need to accomplish:

Adding a New Switch to an Existing Virtual Chassis Configuration Within the
Same Wiring Closet on page 202

Adding a New Switch from a Different Wiring Closet to an Existing Virtual Chassis
Configuration on page 203

Adding a New Switch to an Existing Virtual Chassis Configuration Within
the Same Wiring Closet

Before you begin, be sure you have:

Installed the hardware components.

Mounted the new switch in a rack.

Confirmed that the new switch is powered off.

If you are expanding a preprovisioned configuration, made a note of the serial
number (on the back of the switch). You will need to edit the Virtual Chassis
configuration to include the serial number of the new member switch.

If you are expanding a preprovisioned configuration, edited the existing Virtual
Chassis configuration to include the serial number of the new member switch.

To add a new member switch to an existing Virtual Chassis configuration within the
same wiring closet:

1. If the new member switch has been previously configured, revert that switch's
configuration to the factory defaults. See Reverting to the Default Factory
Configuration for the EX-series Switch.

2. Interconnect the unpowered new switch to at least one member of the existing
Virtual Chassis configuration, using the dedicated Virtual Chassis ports (VCPs).

3. Power on the new switch.

4. Confirm that the new member switch is now included within the Virtual Chassis
configuration by checking the front-panel display for the member ID. It should
display a member ID that is higher than 0 (1 through 9), because there is already
at least one member of the Virtual Chassis configuration.

NOTE: If you are using a preprovisioned configuration, the member ID is assigned
to the member's serial number in the configuration file.

Adding a New Switch from a Different Wiring Closet to an Existing Virtual
Chassis Configuration

To add a new switch from a different wiring closet to an existing Virtual Chassis
configuration, you must use a longer cable to connect the new member switch across
wiring closets. An EX-UM-2XFP or EX-UM-4SFP uplink port and fiber optic cable can
be used for this purpose. The uplink ports on both sides of the link must be configured
as Virtual Chassis ports (VCPs). The new member switch in the other wiring closet
must first be powered on as a standalone switch in order to configure its uplinks as
VCPs. Otherwise, it cannot be recognized as a member switch by the master.
Before you begin, be sure you have:

Installed the hardware components.

Mounted the new switch in a rack.

If the new member switch has been previously configured, reverted to factory
defaults. See Reverting to the Default Factory Configuration for the EX-series
Switch.

If you are expanding a preprovisioned configuration, made a note of the serial
number (on the back of the switch). You will need to edit the Virtual Chassis
configuration to include the serial number of the new member switch.

If you are expanding a preprovisioned configuration, edited the existing Virtual
Chassis configuration to include the serial number of the new member switch.
You can specify the role of the new member switch when you add its serial
number in the Virtual Chassis configuration file. The parameters specified in the
master Virtual Chassis configuration file are applied after the new member switch
has been interconnected with its uplink VCP.

Confirmed that the new, currently standalone switch is powered off.

Prepared an existing member for interconnecting with the new switch through
an uplink port by configuring an uplink port as a VCP on the existing member.

To add a new member switch that is going to be interconnected with the existing
Virtual Chassis configuration across wiring closets:

1. Power on the new switch.

2. Connect a laptop or terminal to the console port of the switch, or use EZ Setup
on the standalone switch to specify temporary identification parameters. (When
you interconnect the new member switch with the existing Virtual Chassis
configuration, the master will overwrite and disable any specified parameters
that conflict with the Virtual Chassis parameters or assigned member
configuration.)

3. Use the CLI or the J-Web interface to set the uplink ports as VCP interfaces.

NOTE: If you are using a nonprovisioned configuration, you may wish to configure
the new member switch with a mastership priority value that is less than that of the
existing member switches. Doing so ensures that the new member switch will function
in a linecard role when it is included within the Virtual Chassis configuration.

4. Power off the new switch.

5. Interconnect the new member switch to at least one member of the existing
Virtual Chassis configuration, using the uplink ports that have been configured
as VCPs.

6. Power on the new member switch.

7. Confirm that the new member switch is now included within the Virtual Chassis
configuration by checking the front-panel display for the member ID. It should
display a member ID that is higher than 0 (1 through 9), because there is already
at least one member of the Virtual Chassis configuration.

NOTE: If you are using a preprovisioned configuration, the member ID is assigned
to the member's serial number in the configuration file.

Related Topics

Example: Expanding a Virtual Chassis Configuration in a Single Wiring
Closet on page 152

Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default
Configuration on page 158

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets on page 163

Monitoring Virtual Chassis Configuration Status and Statistics on page 219

Replacing a Member Switch of a Virtual Chassis Configuration (CLI
Procedure) on page 219

Reverting to the Default Factory Configuration for the EX-series Switch

Configuring Mastership of the Virtual Chassis (CLI Procedure)

You can designate the role (master, backup, or linecard) that a member switch
performs within a Virtual Chassis configuration whether or not you are using a
preprovisioned configuration.

NOTE: A multimember Virtual Chassis configuration has two Routing Engines, one
in the master and the other in the backup. Therefore, we recommend that you always
use commit synchronize rather than simply commit to save configuration changes
made for a Virtual Chassis. This ensures that the configuration changes are saved in
both Routing Engines.
This topic describes:

Configuring Mastership Using a Preprovisioned Configuration File on page 205

Configuring Mastership Using a Configuration File That Is Not
Preprovisioned on page 206

Configuring Mastership Using a Preprovisioned Configuration File


To configure mastership using a preprovisioned configuration:

1. Note the serial numbers of the switches that you want to function in the master
role and backup role.

2. Power on only the switch (SWA-0) that you want to function in the master role.

3. Edit the configuration to specify the preprovisioned configuration mode:

[edit virtual-chassis]
user@SWA-0# set preprovisioned

4. List the serial numbers of the member switches that you want to function as
master and backup, specifying their role as routing-engine:

[edit]
user@SWA-0# set virtual-chassis member 0 serial-number abc123 role routing-engine
user@SWA-0# set virtual-chassis member 2 serial-number def456 role routing-engine

NOTE: You cannot directly modify the mastership priority value when you are using
a preprovisioned configuration. The mastership priority values are generated
automatically and controlled by the role that is assigned to the member switch in
the configuration file. The two members assigned the routing-engine role are assigned
the same mastership priority value (128). However, the member that was powered
on first has higher prioritization according to the master election algorithm. See
Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 140.
Only two members can be specified with the routing-engine role.

5. List the serial numbers of any other member switches that you want to include
in the Virtual Chassis configuration. You may also specify their role as linecard,
if desired.

Complete Software Guide for JUNOS for EX-series Software, Release 9.2

Configuring Mastership Using a Configuration File That Is Not Preprovisioned

To configure mastership of the Virtual Chassis through a configuration that is not
preprovisioned:
1. Power on only the switch that you want to function in the master role (SWA-0).

2. Configure the highest possible mastership priority value (255) for the member
that you want to function in the master role:

[edit virtual-chassis]
user@SWA-0# set member 0 mastership-priority 255

3. Configure the same mastership priority value (continue to edit the Virtual Chassis
configuration on the master) for the member that you want to be the backup
(SWA-1):

[edit virtual-chassis]
user@SWA-0# set member 1 mastership-priority 255

NOTE: We recommend that the master and backup have the same mastership
priority value to prevent the master and backup status from switching back and forth
between master and backup members in failover conditions.
4. Use the default mastership priority value (128) for the remaining member
switches or configure the mastership priority to a value that is lower than the
value specified for members functioning in the master and backup roles.
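As an added check that is not part of this guide or of Juniper's own tooling, the following Python script validates a set of "set virtual-chassis ..." statements against the rules stated in the two mastership procedures above (preprovisioned and not preprovisioned). In preprovisioned mode it requires a serial number per member, rejects more than two routing-engine roles and rejects any mastership-priority statement; in the other mode it requires priorities in the range 0 through 255 and expects the highest priority to be shared by exactly two members (master and backup), treating unset members as the default 128. The sample configurations are constructed. The regex accepts both the role spelling used in this guide (linecard) and the CLI keyword line-card; that both are accepted is an assumption of this example.

```python
import re

# Constructed sample configurations in "set" form (not taken from the guide).
PREPROVISIONED_CONFIG = """\
set virtual-chassis preprovisioned
set virtual-chassis member 0 serial-number abc123 role routing-engine
set virtual-chassis member 2 serial-number def456 role routing-engine
set virtual-chassis member 1 serial-number abd231 role line-card
"""

NONPROVISIONED_CONFIG = """\
set virtual-chassis member 0 mastership-priority 255
set virtual-chassis member 1 mastership-priority 255
set virtual-chassis member 2 mastership-priority 128
"""

# One member statement. The role alternatives cover the guide's spelling
# ("linecard") as well as the CLI keyword line-card (assumption).
MEMBER_RE = re.compile(
    r"^set virtual-chassis member (?P<id>\d+)"
    r"(?: serial-number (?P<serial>\S+))?"
    r"(?: role (?P<role>routing-engine|line-card|linecard))?"
    r"(?: mastership-priority (?P<prio>\d+))?$"
)


def parse_vc_config(text):
    """Return (preprovisioned, members); members maps member ID -> attributes."""
    preprovisioned = False
    members = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "set virtual-chassis preprovisioned":
            preprovisioned = True
            continue
        m = MEMBER_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised virtual-chassis statement: {line!r}")
        entry = members.setdefault(int(m["id"]), {})
        if m["serial"]:
            entry["serial"] = m["serial"]
        if m["role"]:
            entry["role"] = m["role"]
        if m["prio"]:
            entry["prio"] = int(m["prio"])
    return preprovisioned, members


def check_mastership(preprovisioned, members):
    """Return (severity, message) findings; an empty list means the config is sound."""
    findings = []
    serials = [m["serial"] for m in members.values() if "serial" in m]
    dupes = sorted({s for s in serials if serials.count(s) > 1})
    if dupes:
        findings.append(("error", f"duplicate serial numbers: {dupes}"))

    if preprovisioned:
        # Roles drive mastership here; priorities are generated, not configured.
        res = sorted(i for i, m in members.items() if m.get("role") == "routing-engine")
        if len(res) > 2:
            findings.append(("error", f"only two members may have the routing-engine role, found {res}"))
        elif len(res) < 2:
            findings.append(("warning", "fewer than two routing-engine members: no backup Routing Engine"))
        for i, m in sorted(members.items()):
            if "serial" not in m:
                findings.append(("error", f"member {i} has no serial-number (required when preprovisioned)"))
            if "prio" in m:
                findings.append(("error", f"member {i}: mastership-priority cannot be set in a preprovisioned configuration"))
        return findings

    # Not preprovisioned: mastership-priority decides; unset members default to 128.
    prios = {i: m.get("prio", 128) for i, m in members.items()}
    for i, p in sorted(prios.items()):
        if not 0 <= p <= 255:
            findings.append(("error", f"member {i}: mastership-priority {p} is outside 0-255"))
    if prios:
        top = max(prios.values())
        leaders = sorted(i for i, p in prios.items() if p == top)
        if len(leaders) == 1:
            findings.append(("warning", f"only member {leaders[0]} has the top priority {top}; give the intended backup the same value"))
        elif len(leaders) > 2:
            findings.append(("error", f"members {leaders} all share the top priority {top}; master and backup are ambiguous"))
    return findings


if __name__ == "__main__":
    for name, text in (("preprovisioned", PREPROVISIONED_CONFIG), ("not preprovisioned", NONPROVISIONED_CONFIG)):
        print(name, check_mastership(*parse_vc_config(text)) or "OK")
```

Run it against the output of "show configuration virtual-chassis | display set" before committing; a warning about a lone top priority is the case the NOTE above is warning about, where a failover could bounce mastership between members.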

Related Topics

Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 184

Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet on page 152

Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual
Chassis Member on page 216

Monitoring Virtual Chassis Configuration Status and Statistics on page 219

Configuring a Virtual Chassis (CLI Procedure) on page 199

Configuring a Virtual Chassis (J-Web Procedure) on page 197

Understanding Virtual Chassis Configuration on page 144

Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure)

You can interconnect EX 4200 switches that are beyond the reach of the Virtual
Chassis cables as members of a Virtual Chassis configuration by installing the optional
10-Gbps uplink module (EX-UM-2XFP) or 1-Gbps uplink module (EX-UM-4SFP) and
connecting the uplink ports. To use the uplink ports for interconnecting member
switches, you must explicitly set the uplink ports as VCPs.

NOTE: You can use either a 10-Gbps Ethernet uplink port (EX-UM-2XFP) or a 1-Gbps
Ethernet uplink port (EX-UM-4SFP) as a VCP interface. When an uplink port is set
as a VCP interface, it cannot be used for any other purpose. The EX-UM-2XFP uplink
module has two 10-Gbps ports; the EX-UM-4SFP has four 1-Gbps ports. You can set
one port as a VCP interface and configure the other port in trunk mode as an uplink
to a distribution switch.
Before you set an uplink as a VCP:

1. Install the uplink module (EX-UM-2XFP or EX-UM-4SFP) in the member switches
that you want to interconnect.

2. Power on and connect to the switch that you plan to designate as the master of
the Virtual Chassis configuration.

NOTE: Do not power on the other switches at this point.

3. Run EZ Setup on the switch that you are configuring to be the master. Follow
the prompts to specify the host name and other identification, time zone, and
network properties. See Connecting and Configuring the EX-series Switch (CLI
Procedure) on page 57 or Connecting and Configuring the EX-series Switch
(J-Web Procedure) on page 58 for details. The properties that you specify for
the master apply to the entire Virtual Chassis configuration, including all the
member switches that you later interconnect with the master.

4. If you want to configure and manage the Virtual Chassis configuration remotely,
specify the VME global management interface. You can configure the VME global
management interface when you are setting up the master or you can do it after
completing the other configuration steps for the Virtual Chassis. See Configuring
the Virtual Management Ethernet Interface for Global Management of a Virtual
Chassis (CLI Procedure) on page 210.

5. Configure mastership of the Virtual Chassis using either the nonprovisioned or
preprovisioned configuration. See Configuring Mastership of the Virtual Chassis
(CLI Procedure) on page 204 for details.

NOTE: A multimember Virtual Chassis configuration has two Routing Engines, one
in the master and the other in the backup. Therefore, we recommend that you always
use commit synchronize rather than simply commit to save configuration changes
made for a Virtual Chassis configuration. This ensures that the configuration changes
are saved in both Routing Engines.
To interconnect a Virtual Chassis configuration across longer distances, such as wiring
closets, you need to:

Prepare the existing Virtual Chassis configuration for interconnecting with a
potential member switch that is beyond the reach of a Virtual Chassis cable by
setting at least one uplink VCP on an existing member of the Virtual Chassis
configuration.

Prepare the potential member switch for interconnecting with the existing Virtual
Chassis configuration by setting at least one uplink VCP on the standalone switch.

NOTE: We recommend that you set two uplink VCPs within each wiring closet for
redundancy.
This topic describes:
1. Setting an Uplink VCP on the Master or on an Existing Member on page 208
2. Setting an Uplink VCP on a Standalone Switch on page 208

Setting an Uplink VCP on the Master or on an Existing Member


Set an uplink port of a Virtual Chassis member as a VCP by executing the operational
command request virtual-chassis vc-port on page 1160 on the master of the Virtual
Chassis configuration.
To set the uplink ports for the master (for example, member 0) and for an existing
member (for example, member 1) to function as VCPs:

1. Set one uplink port of member 0 (the master) as a VCP interface. You do not
need to specify the member member-id option, because the command applies by
default on the member where it is executed.

user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0

2. Set one uplink port of member 1 as a VCP interface.

user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member 1

This example includes the member member-id option, because it is executed on
the master (the master is member 0).

Setting an Uplink VCP on a Standalone Switch


To set an uplink VCP on a switch that is not interconnected with the master through
the dedicated VCPs on the rear panel, first power on the switch as a standalone
switch. You must set an uplink port on the standalone switch as a VCP prior to
physically interconnecting the switch with the existing Virtual Chassis configuration.
Otherwise, the master cannot detect that the switch is a member of the Virtual Chassis
configuration.

208

Setting an Uplink VCP on the Master or on an Existing Member

Chapter 17: Configuring Virtual Chassis

To set one uplink VCP on the potential member (SWA-2), which is currently operating
as a standalone switch:

1. Power on the standalone switch.

2. Set one uplink port as a VCP interface. You do not need to specify the member
member-id option, because the command applies by default on the member
where it is executed.

user@SWA-2> request virtual-chassis vc-port set pic-slot 1 port 0

NOTE: If you do specify the member member-id option, use member ID 0. Because
the switch is not yet interconnected with the other members of the Virtual Chassis
configuration, its current member ID is 0. Its member ID will change when it is
interconnected with the Virtual Chassis configuration. It does not impact the
functioning of the uplink VCP that its VCP interface is set with 0 as the member ID.
The VCP interface has significance only on the local switch.

3. After you have set the uplink VCP on the standalone switch, physically
interconnect its uplink port with the VCP uplink ports of the members in the
existing Virtual Chassis configuration.

4. The new member switch reboots and joins the now expanded Virtual Chassis
configuration with a different member ID.

NOTE: Its setting for the uplink VCP remains intact and is not affected by the change
of member ID.

5. If you have additional members in the second wiring closet, set a redundant VCP
uplink on another member switch by issuing the command through the master
of the Virtual Chassis configuration.

Related Topics

Configuring a Virtual Chassis (CLI Procedure) on page 199

Configuring a Virtual Chassis (J-Web Procedure) on page 197

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 163

Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 184

Monitoring Virtual Chassis Configuration Status and Statistics on page 219


Configuring the Virtual Management Ethernet Interface for Global Management of a Virtual
Chassis (CLI Procedure)

If you want to configure and manage a Virtual Chassis remotely through SSH or
Telnet, configure the virtual management Ethernet (VME) interface on the master of
the Virtual Chassis. You can configure and manage all members of the Virtual Chassis
through this single global interface.

1. Power on the switch that you want to function as the master.

2. Check the front-panel LCD to confirm that the switch has powered on correctly.

3. Run the EZ Setup program on the switch, specifying the identification parameters.
See Connecting and Configuring the EX-series Switch (CLI Procedure) on page
57 or Connecting and Configuring the EX-series Switch (J-Web
Procedure) on page 58 for details.

To configure the VME interface, assign it an IP address and prefix length:

[edit]
user@SWA-0# set interfaces vme unit 0 family inet address ip-address/mask

Related Topics

Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 147

Understanding Global Management of a Virtual Chassis Configuration on page 141

Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as
Master of Virtual Chassis (CLI Procedure)
When a backup member takes control of a Virtual Chassis configuration because of
a reset or other temporary failure, the backup uses the MAC address of the old master.
This helps to ensure a smooth transition of mastership with no disruption to network
connectivity.
The MAC persistence timer is used in situations when the master is no longer a
member of the Virtual Chassis configuration, because it has been physically
disconnected or removed. If the old master does not rejoin the Virtual Chassis
configuration before the timer elapses, the new master starts using its own MAC
address.
The default timer value is 10 minutes. There are no minimum or maximum limits.
Before you begin configuring the timer, ensure that you have at least two member
switches in the Virtual Chassis configuration. To configure or modify the MAC
persistence timer, use the following command:
[edit virtual-chassis]
user@switch# set mac-persistence-timer 30

This command modifies the MAC persistence timer value to specify a timer value of
30 minutes rather than the default timer value of 10 minutes.
Related Topics

Configuring a Virtual Chassis (CLI Procedure) on page 199

Configuring a Virtual Chassis (J-Web Procedure) on page 197

Understanding Virtual Chassis Components on page 135


Chapter 18

Verifying Virtual Chassis

Virtual Chassis Verification Tasks on page 213

Virtual Chassis Verification Tasks

Command Forwarding Usage with a Virtual Chassis Configuration on page 213

Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual
Chassis Member on page 216

Verifying That the Virtual Chassis Ports Are Operational on page 217

Monitoring Virtual Chassis Configuration Status and Statistics on page 219

Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 219

Command Forwarding Usage with a Virtual Chassis Configuration


Some CLI commands can be run either on all members or on a specific member of
a Virtual Chassis configuration. This functionality is referred to as command
forwarding.
For example, to collect information about your system prior to contacting Juniper
Networks Technical Assistance Center (JTAC), use the command request support
information all-members to gather data for all the member switches. If you want to
gather this data only for a particular member switch, use the command request
support information member member-id.
Table 38 on page 214 provides a list of commands that can be run either on all
members of the Virtual Chassis configuration or on a specific member switch.


Table 38: Commands That Can Be Run on All or Specific Members of the Virtual Chassis Configuration

Each entry gives the command, its purpose, and what the all-members and member
member-id options do. For the show commands, all-members displays information
for all members of the Virtual Chassis configuration and member member-id displays
information for the specified member switch, except where noted.

request support information
Purpose: Use this command when you contact JTAC about your component problem.
This command is the equivalent of using the following CLI commands: show version,
show chassis firmware, show chassis hardware, show chassis environment, show
interfaces extensive (for each configured interface), show configuration (excluding
any SECRET-DATA), and show system virtual-memory.
all-members: Displays information for all members of the Virtual Chassis configuration.
member member-id: Displays information for the specified member switch.

request system partition hard-disk
Purpose: Set up the hard disk for partitioning. After this command is issued, the hard
disk is partitioned the next time the system is rebooted. When the hard disk is
partitioned, the contents of /altroot and /altconfig are saved and restored. All other
data on the hard disk is at risk of being lost.
all-members: Partitions the hard disk on all members of the Virtual Chassis configuration.
member member-id: Partitions the hard disk on the specified member switch.

request system reboot
Purpose: Reboot JUNOS for EX-series software after a software upgrade and
occasionally to recover from an error condition.
all-members: Reboots all members of the Virtual Chassis configuration.
member member-id: Reboots the specified member switch.

request system snapshot
Purpose: Back up the currently running and active file system.
all-members: Backs up the file systems on all members of the Virtual Chassis configuration.
member member-id: Backs up the file system on the specified member switch.

request system storage cleanup
Purpose: Free storage space on the switch by rotating log files and proposing a list
of files for deletion. User input is required for file deletion.
all-members: Runs cleanup on all members of the Virtual Chassis configuration.
member member-id: Runs cleanup on the specified member switch.

show log user
Purpose: Display users who are viewing the system log.

show system alarms
Purpose: Display active system alarms.

show system audit
Purpose: Display the state and checksum values for file systems.

show system boot-messages
Purpose: Display initial messages generated by the system kernel upon startup. These
messages are the contents of /var/run/dmesg.boot.

show system core-dumps
Purpose: Display a core file generated by an internal JUNOS process.

show system directory-usage
Purpose: Display directory usage information.

show system reboot
Purpose: Display pending system reboots or halts.

show system snapshot
Purpose: Display information about the backup software that is located in the /altroot
and /altconfig file systems. To back up software, use the request system snapshot
command.

show system software
Purpose: Display the JUNOS extensions loaded on your switch.

show system statistics
Purpose: Display systemwide protocol-related statistics.

show system storage
Purpose: Display statistics about the amount of free disk space in the switch's file
systems.

show system uptime
Purpose: Display the current time and information about how long the switch, the
switch software, and any existing protocols have been running.

show system users
Purpose: Show all users who are currently logged in.
all-members: Shows all users who are currently logged in to any members of the
Virtual Chassis configuration.
member member-id: Shows all users who are currently logged in to the specified
member switch.

show system virtual-memory
Purpose: Display the usage of JUNOS kernel memory, listed first by size of allocation
and then by type of usage. Use show system virtual-memory for troubleshooting with
JTAC.

Table 39 on page 216 shows a list of commands that are relevant only to the master.
Do not use the options all-members or member member-id with these commands.

Table 39: Commands Relevant Only to the Master

set date
Purpose: Set the date and time.

show system buffers
Purpose: Display information about the buffer pool that the Routing Engine uses for
local traffic. Local traffic is the routing and management traffic that is exchanged
between the Routing Engine and the Packet Forwarding Engine within the switch, as
well as the routing and management traffic from IP (that is, from OSPF, BGP, SNMP,
ping operations, and so on).

show system connections
Purpose: Display information about the active IP sockets on the Routing Engine. Use
this command to verify which servers are active on a system and which connections
are currently in progress.

show system processes
Purpose: Display information about software processes that are running on the switch
and that have controlling terminals.

Related Topics

Monitoring Virtual Chassis Configuration Status and Statistics on page 219

Understanding Virtual Chassis Components on page 135

JUNOS System Basics and Services Command Reference at
http://www.juniper.net/techpubs/software/junos/junos90

Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member

Purpose

You can designate the role that a member performs within a Virtual Chassis
configuration or you can allow the role to be assigned by default. You can designate
the member ID that is assigned to a specific switch by creating a permanent
association between the switch's serial number and a member ID, using a
preprovisioned configuration. Or you can let the member ID be assigned by the
master, based on the sequence in which the member switch is powered on and on
which member IDs are currently available.
The role and member ID of the member switch are displayed on the front-panel LCD.
Each member switch can be cabled to one or two other member switches, using
either the dedicated Virtual Chassis ports (VCPs) on the rear panel or an uplink port
that has been set as a VCP. The members that are cabled together are considered
neighbor members.
Action

To display the role and member ID assignments using the CLI, use the show
virtual-chassis status command:

user@SWA-0> show virtual-chassis status
Virtual Chassis ID: 0000.e255.00e0
                                                Mastership           Neighbor List
Member ID  Status   Serial No   Model        Priority    Role       ID  Interface
0 (FPC 0)  Prsnt    abc123      ex4200-48p   255         Master*    1   vcp-0
                                                                    2   vcp-1
1 (FPC 1)  Prsnt    def456      ex4200-24t   255         Backup     2   vcp-0
                                                                    0   vcp-1
2 (FPC 2)  Prsnt    abd231      ex4200-24p   128         Linecard   0   vcp-0
                                                                    1   vcp-1

Meaning

This output verifies that three EX 4200 switches have been interconnected as a Virtual
Chassis configuration using their dedicated VCPs. The display shows which of the
VCPs is connected to which neighbor. The first port (vcp-0) of member 0 is connected
to member 1 and the second port of member 0 (vcp-1) is connected to member 2.
The FPC slots for EX-series switches are the same as the member IDs.
The Mastership Priority values indicate that the master and backup members have
been explicitly configured, because they are not using the default value (128).

Related Topics

Configuring Mastership of the Virtual Chassis (CLI Procedure) on page 204

Configuring a Virtual Chassis (CLI Procedure) on page 199

Configuring a Virtual Chassis (J-Web Procedure) on page 197

Example: Expanding a Virtual Chassis Configuration in a Single Wiring Closet on page 152

Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 158

Monitoring Virtual Chassis Configuration Status and Statistics on page 219

Verifying That the Virtual Chassis Ports Are Operational

Purpose

Use the show virtual-chassis vc-port on page 252 command to display the status of
Virtual Chassis ports (VCPs).

NOTE: The interfaces for VCPs are not displayed when you issue the show
interfaces on page 332 command.

Action

Display the VCP interfaces:

user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up

fpc1:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up

fpc2:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up

fpc3:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up

Meaning

The dedicated VCPs are displayed as vcp-0 and vcp-1. The uplinks set as VCPs are
displayed as 1/0. The FPC slots for EX-series switches are the same as the member
IDs.
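To turn this verification into a repeatable check, the following Python script, an added example that is neither part of this guide nor Juniper tooling, parses output in the per-FPC layout of show virtual-chassis vc-port all-members and flags any VCP (dedicated or uplink) whose status is not Up, as well as any member left with fewer than two VCPs up and therefore without a redundant path, which is the situation the earlier recommendation to set two uplink VCPs per wiring closet is meant to avoid. The sample output is constructed; its fpc2 uplink VCP is deliberately Down so that the check has something to report.

```python
import re

# Constructed sample in the layout of "show virtual-chassis vc-port all-members"
# (not captured from a real switch); fpc2's uplink VCP is deliberately Down.
VC_PORT_OUTPUT = """\
fpc0:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up

fpc1:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Up

fpc2:
--------------------------------------------------------------------------
Interface   Type        Status
or
PIC / Port
vcp-0       Dedicated   Up
vcp-1       Dedicated   Up
1/0         Configured  Down
"""

# Section header: the FPC slot number equals the member ID.
FPC_RE = re.compile(r"^fpc(?P<id>\d+):\s*$")
# A port row: interface (vcp-N or pic/port), type, status. Restricting the type
# column to the two known values keeps the column-header lines from matching.
PORT_RE = re.compile(r"^(?P<iface>\S+)\s+(?P<type>Dedicated|Configured)\s+(?P<status>\S+)\s*$")


def parse_vc_ports(text):
    """Map member ID -> {interface: (type, status)}."""
    ports = {}
    current = None
    for line in text.splitlines():
        f = FPC_RE.match(line)
        if f:
            current = ports.setdefault(int(f["id"]), {})
            continue
        p = PORT_RE.match(line)
        if p and current is not None:
            current[p["iface"]] = (p["type"], p["status"])
    return ports


def check_vc_ports(ports):
    """Flag VCPs that are not Up and members left without a redundant VCP."""
    findings = []
    for member, table in sorted(ports.items()):
        up = [iface for iface, (_, status) in table.items() if status == "Up"]
        for iface, (ptype, status) in table.items():
            if status != "Up":
                findings.append(("error", f"member {member}: {ptype.lower()} VCP {iface} is {status}"))
        if not up:
            findings.append(("error", f"member {member}: no VCP is up; member is isolated"))
        elif len(up) < 2:
            findings.append(("warning", f"member {member}: only one VCP up ({up[0]}); no redundant path"))
    return findings


if __name__ == "__main__":
    for severity, message in check_vc_ports(parse_vc_ports(VC_PORT_OUTPUT)):
        print(severity.upper(), message)
```

Because the output is gathered with all-members, a single run from the master covers every switch in the Virtual Chassis; a VCP that has gone Down on a remote wiring closet shows up here before it shows up as a NotPrsnt member in show virtual-chassis status.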

Related Topics

Monitoring Virtual Chassis Status and Statistics

Configuring a Virtual Chassis (CLI Procedure) on page 199

Configuring a Virtual Chassis (J-Web Procedure) on page 197

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 163

Monitoring Virtual Chassis Configuration Status and Statistics

Purpose

Use the monitoring functionality to view the following information about Virtual
Chassis members and ports:

Member details and how members are connected with each other.

Traffic statistics between the Virtual Chassis ports of selected members.

Action

To view Virtual Chassis monitoring details in the J-Web interface, select Monitor >
Virtual Chassis.
To view member details for all members in the CLI, enter the following command:

show virtual-chassis status

To view Virtual Chassis port traffic statistics for a specific member in the CLI, enter
the following command:

show virtual-chassis vc-port statistics member member-id

Meaning

In the J-Web interface the top half of the screen displays details of the Virtual Chassis
configuration, such as:

Member ID

Priority

Role

Interface

The member ID of the neighboring switch

In the bottom half of the screen, select a member ID to view input and output rates.
Select the interval at which the charts must be refreshed. Click the Stop button to
stop fetching values from the switch, and click the Start button to start plotting data
again from the point where it was stopped.
For details about the output from CLI commands, refer to show virtual-chassis
status on page 250 and show virtual-chassis vc-port statistics on page 255.

Related Topics

Configuring a Virtual Chassis (CLI Procedure) on page 199

Configuring a Virtual Chassis (J-Web Procedure) on page 197

Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 147

Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual
Chassis Member on page 216

Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure)


You can replace a member switch of a Virtual Chassis configuration without disrupting
network service for the other members. You can retain the existing configuration of
the member switch and apply it to a new member switch, or you can free up the
member ID and make it available for assignment to a new member switch.
To replace a member switch, use the procedure that matches what you need to
accomplish:

Remove, Repair, and Reinstall the Same Switch on page 220

Remove a Member Switch, Replace with a Different Switch, and Reapply the
Old Configuration on page 220

Remove a Member Switch and Make Its Member ID Available for Reassignment
to a Different Switch on page 221

Remove, Repair, and Reinstall the Same Switch


If you need to repair a member switch, you can remove it from the Virtual Chassis
configuration without disrupting network service for the other members. The master
stores the configuration of the member ID so that it can be reapplied when the
member switch (with the same base MAC address) is reconnected.

1. Power off and disconnect the member switch to be repaired.

2. Repair, as necessary.

3. Reconnect and power on the member switch.

Remove a Member Switch, Replace with a Different Switch, and Reapply the Old Configuration

If you are unable to repair a member switch, you can replace it with a different
member switch and retain the old configuration. The master stores the configuration
of the member that was removed. When you connect a different member switch,
the master assigns a new member ID. But the old configuration is still stored under
the previous member ID of the previous member switch.

NOTE: If you have used a preprovisioned configuration, use the replace command
to change the serial number in the Virtual Chassis configuration file. Substitute the
serial number of the replacement member switch (on the back of the switch) for the
serial number of the member switch that was removed.

1. Power off and disconnect the member switch to be replaced.

2. If the replacement member switch has been previously configured, revert that
switch's configuration to the factory defaults. See Reverting to the Default Factory
Configuration for the EX-series Switch.

3. Connect and power on the replacement member switch.

4. Note the member ID displayed on the front panel.

5. Use the request virtual-chassis renumber on page 245 command to change the
member switch's current member ID to the member ID that belonged to the
member switch that was removed from the Virtual Chassis configuration.


Remove a Member Switch and Make Its Member ID Available for Reassignment to a Different Switch

When you remove a member switch from the Virtual Chassis configuration, the
master keeps its member ID on reserve. To make that member switch's member ID
available for reassignment, use the request virtual-chassis recycle on page 1160
command.

NOTE: When you add or delete members in a Virtual Chassis configuration, internal
routing changes might cause temporary traffic loss for a few seconds.

Related Topics

Monitoring Virtual Chassis Configuration Status and Statistics on page 219

Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure) on page 202


Chapter 19

Troubleshooting Virtual Chassis

Troubleshooting a Virtual Chassis Configuration on page 223

Troubleshooting a Virtual Chassis Configuration

Clear Virtual Chassis NotPrsnt Status and Make Member ID Available for
Reassignment on page 223

Load Factory Default Does Not Commit on a Multimember Virtual Chassis on page 223

Member ID Persists When a Member Switch Is Disconnected From a Virtual Chassis on page 223

Clear Virtual Chassis NotPrsnt Status and Make Member ID Available for Reassignment
Problem

You disconnected an EX 4200 from the Virtual Chassis configuration, but the
disconnected switch's member ID is still displayed in the status output. You cannot
reassign that member ID to another switch.

Solution

When you disconnect a member of a Virtual Chassis configuration, the master retains
the member ID and member configuration in its configuration database. The show
virtual-chassis status on page 250 command continues to display the member ID of
the disconnected member with a status of NotPrsnt.
If you want to permanently disconnect the member switch, you can free up the member
ID by using the request virtual-chassis recycle on page 1160 command. This will also
clear the status of that member.

Load Factory Default Does Not Commit on a Multimember Virtual Chassis

Problem

The load factory default command fails on a multimember Virtual Chassis configuration.

Solution

The load factory default command is not supported on a multimember Virtual Chassis configuration. For information on how to revert to factory default settings, see Reverting to the Default Factory Configuration for the EX-series Switch.

Member ID Persists When a Member Switch Is Disconnected From a Virtual Chassis

Problem

Gigabit Ethernet interfaces retain their previous slot numbers when a member switch is disconnected from the Virtual Chassis configuration.

Solution

If a switch had been previously connected as a member of a Virtual Chassis configuration, it retains the member ID that it was assigned as a member of that configuration even after it is disconnected and operating as a standalone switch. The interfaces that were configured while the switch was a member of the Virtual Chassis configuration retain the old member ID as the first digit of the interface name. For example, if the switch was previously member 1, its interfaces are named ge-1/0/0 and so on.
To change the switch's member ID so that its member ID is 0, and to rename the switch's interfaces accordingly, enter the following commands:

1. To change the member ID to 0, use the request virtual-chassis renumber on page 245 operational-mode command:

user@switch> request virtual-chassis renumber member-id 1 new-member-id 0

2. To rename the interfaces to match the new member ID, use the replace command in configuration mode:

user@switch# replace pattern ge-1/ with ge-0/

Related Topics

Monitoring Virtual Chassis Configuration Status and Statistics on page 219

Configuring a Virtual Chassis (CLI Procedure) on page 199

Configuring a Virtual Chassis (J-Web Procedure) on page 197

For more information about the replace command, see JUNOS Software CLI User Guide at http://www.juniper.net/techpubs/software/junos/junos90/

Chapter 20

Configuration Statements for Virtual Chassis

Virtual Chassis Configuration Statement Hierarchy on page 225

Individual Virtual Chassis Configuration Statements on page 226

Virtual Chassis Configuration Statement Hierarchy

[edit virtual-chassis] Configuration Statement Hierarchy on page 225

[edit virtual-chassis] Configuration Statement Hierarchy


virtual-chassis {
    mac-persistence-timer seconds;
    preprovisioned;
    member member-id {
        mastership-priority number;
        no-management-vlan;
        serial-number;
        role;
    }
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag;
    }
}
Related Topics

Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 147

Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 163

Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 184

Configuring a Virtual Chassis (CLI Procedure) on page 199

Configuring a Virtual Chassis (J-Web Procedure) on page 197

Virtual Chassis Overview on page 133
Individual Virtual Chassis Configuration Statements

mac-persistence-timer

Syntax
mac-persistence-timer minutes;

Hierarchy Level
[edit virtual-chassis]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
If the master is physically disconnected or removed from the Virtual Chassis configuration, the MAC persistence timer determines how long the backup (new master) continues to use the address of the old master. When the MAC persistence timer expires, the backup (new master) begins to use its own MAC address. There are no minimum or maximum timer limits.

Default
10 minutes

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as Master of Virtual Chassis (CLI Procedure) on page 210
Understanding Virtual Chassis Components on page 135

mastership-priority

Syntax
mastership-priority number;

Hierarchy Level
[edit virtual-chassis member member-id]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
The mastership priority value is the most important factor in determining the role of the EX 4200 member switch within the Virtual Chassis configuration. Other factors (see Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 140) also affect the election of the master.
The mastership priority value takes the highest precedence in the master election algorithm. The member switch with the highest mastership priority becomes the master of the Virtual Chassis configuration. Toggling back and forth between master and backup status in failover conditions is undesirable, so we recommend that you assign the same mastership priority value to both the master and the backup. Secondary factors in the master election algorithm then determine which of these two members (that is, the two members that are assigned the highest mastership priority value) functions as the master of the Virtual Chassis configuration.

Default
128

Options
number: Mastership priority value.
Range: 1 through 255

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 147
Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets on page 163
Configuring a Virtual Chassis (CLI Procedure) on page 199
Configuring a Virtual Chassis (J-Web Procedure) on page 197
Understanding Virtual Chassis Components on page 135
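The recommendation above (the same mastership priority on the intended master and backup) shown as a configuration fragment. This is an added example, not one of the guide's own examples; the member IDs and the value 255 are chosen for illustration.

```junos
virtual-chassis {
    /* Added example: members 0 and 1 are the intended master and backup.
       Giving both the same, highest priority keeps a failover from flapping
       mastership back; the secondary election factors pick between them. */
    member 0 {
        mastership-priority 255;
    }
    member 1 {
        mastership-priority 255;
    }
    /* Member 2 stays at the default priority of 128, so it loses the
       election to members 0 and 1 and functions in the linecard role. */
    member 2 {
        mastership-priority 128;
    }
}
```

In configuration mode the same result is produced by set virtual-chassis member 0 mastership-priority 255 (and likewise for members 1 and 2) followed by commit. Once preprovisioned is configured, the mastership priority can no longer be changed through the CLI or J-Web; the software derives it from the assigned role instead.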

member

Syntax
member member-id {
    mastership-priority number;
    no-management-vlan;
    serial-number;
    role;
}

Hierarchy Level
[edit virtual-chassis]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure an EX 4200 switch as a member of a Virtual Chassis configuration.

Default
When an EX 4200 is powered on as a standalone switch (not interconnected through its Virtual Chassis ports with other EX 4200 switches), its default member ID is 0.

Options
member-id: Identifies a specific member switch of a Virtual Chassis configuration.
Range: 0 through 9
The remaining statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 184
Configuring a Virtual Chassis (CLI Procedure) on page 199
Configuring a Virtual Chassis (J-Web Procedure) on page 197
Understanding Virtual Chassis Components on page 135

no-management-vlan

Syntax
no-management-vlan;

Hierarchy Level
[edit virtual-chassis member member-id]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Remove the specified member's out-of-band management port from the Virtual Management Ethernet (VME) global management VLAN of the Virtual Chassis configuration.
For a member that is functioning in a linecard role, you can use this configuration to reserve the member's management Ethernet port for local troubleshooting:

virtual-chassis {
    member 2 {
        no-management-vlan;
    }
}

You cannot configure the IP address for a local management Ethernet port using the CLI or the J-Web interface. To do this, you need to use the shell ifconfig command.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration on page 158
Configuring the Virtual Management Ethernet Interface for Global Management of a Virtual Chassis (CLI Procedure) on page 210
Understanding Global Management of a Virtual Chassis Configuration on page 141

preprovisioned

Syntax
preprovisioned;

Hierarchy Level
[edit virtual-chassis]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Enable the preprovisioned configuration mode for a Virtual Chassis configuration. When preprovisioned configuration mode is enabled, you cannot use the CLI or the J-Web interface to change the mastership priority or member ID of member switches.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 184
Configuring a Virtual Chassis (CLI Procedure) on page 199
Configuring a Virtual Chassis (J-Web Procedure) on page 197
Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure) on page 202
Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 219
Understanding Virtual Chassis Configuration on page 144

role

Syntax
role (routing-engine | line-card);

Hierarchy Level
[edit virtual-chassis preprovisioned member member-id]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
In a preprovisioned Virtual Chassis configuration, specify the role to be performed by each EX 4200 member switch. The role is associated permanently with the member's serial number.

Options
routing-engine: Makes the member eligible to function as master or backup of the Virtual Chassis configuration. The master manages all the members of the Virtual Chassis configuration and runs the chassis management processes and control protocols. The backup synchronizes with the master in terms of protocol states, forwarding tables, and so forth, so that it is prepared to preserve routing information and maintain network connectivity without disruption in case the master is unavailable.
Specify two and only two members as routing-engine. The software determines which of the two members assigned the routing-engine role functions as master, based on the master election algorithm. See Understanding How the Master in a Virtual Chassis Configuration Is Elected on page 140.
line-card: Makes the member eligible to function only in the linecard role. Any member of the Virtual Chassis configuration other than the master or backup functions in the linecard role and runs only a subset of JUNOS software for EX-series switches. A member functioning in the linecard role does not run the chassis control protocols. A Virtual Chassis configuration must have at least three members in order to include a member that functions in the linecard role.
When you use a preprovisioned configuration, you cannot modify the mastership priority or member ID of member switches through the user interfaces. The mastership priority value is generated by the software, based on the assigned role:

A member configured as routing-engine is assigned the mastership priority 129.

A member configured as line-card is assigned the mastership priority 0.

A member listed in the preprovisioned configuration without an explicitly specified role is assigned the mastership priority 128.

The configured role specifications are permanent. If both routing-engine members should fail, a line-card member cannot take over as master of the Virtual Chassis configuration. You must delete the preprovisioned configuration in order to change the specified roles.
It is possible to explicitly configure two members as routing-engine and to configure additional switches as members of the preprovisioned Virtual Chassis by specifying only their serial numbers. If you do not explicitly configure the role of the additional members, they function in a linecard role by default. In that case, a member that is functioning in a linecard role can take over mastership if the members functioning as master and backup (routing-engine role) both fail.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 184
Configuring a Virtual Chassis (CLI Procedure) on page 199
Configuring a Virtual Chassis (J-Web Procedure) on page 197
Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure) on page 202
Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 219
Understanding Virtual Chassis Configuration on page 144

serial-number

Syntax
serial-number serial-number;

Hierarchy Level
[edit virtual-chassis preprovisioned member member-id]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
In a preprovisioned Virtual Chassis configuration, specify the serial number of each EX 4200 member switch to be included in the Virtual Chassis configuration. If you do not include the serial number within the Virtual Chassis configuration, the switch cannot be recognized as a member of a preprovisioned configuration.

Options
serial-number: The switch's permanent serial number, which is located on the back of the switch.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File on page 184
Configuring a Virtual Chassis (CLI Procedure) on page 199
Configuring a Virtual Chassis (J-Web Procedure) on page 197
Adding a New Switch to an Existing Virtual Chassis Configuration (CLI Procedure) on page 202
Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 219
Understanding Virtual Chassis Configuration on page 144
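The role and serial-number statements used together, following the [edit virtual-chassis] hierarchy shown earlier in this chapter. This is an added example and not one of the guide's own examples: the serial numbers are placeholders (a real deployment uses the serial number printed on the back of each switch) and the member IDs are chosen for illustration.

```junos
virtual-chassis {
    preprovisioned;
    /* Added example. Exactly two members carry the routing-engine role;
       the master election algorithm decides which of them is master and
       which is backup (both receive mastership priority 129). */
    member 0 {
        role routing-engine;
        serial-number PLACEHOLDER0;   /* placeholder, not a real serial number */
    }
    member 1 {
        role routing-engine;
        serial-number PLACEHOLDER1;   /* placeholder */
    }
    /* A member given the line-card role (priority 0) can never become
       master, even if both routing-engine members fail. */
    member 2 {
        role line-card;
        serial-number PLACEHOLDER2;   /* placeholder */
    }
    /* A member listed with only its serial number gets priority 128: it
       functions as a linecard by default but stays eligible to take over
       mastership if both routing-engine members fail. */
    member 3 {
        serial-number PLACEHOLDER3;   /* placeholder */
    }
}
```

A switch whose serial number is not listed here is not recognized as a member of the preprovisioned configuration, so the serial numbers should be checked against the physical chassis before the configuration is committed; changing the roles afterwards requires deleting the preprovisioned configuration.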

traceoptions

Syntax
traceoptions {
    file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
    flag flag;
}

Hierarchy Level
[edit virtual-chassis]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Define tracing operations for the Virtual Chassis configuration.

Default
Tracing operations are disabled.

Options
file filename: Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.
files number: (Optional) Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option.
Range: 2 through 1000
Default: 3 files
flag flag: Tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. You can include the following flags:

all: All tracing operations.
csn: Trace Virtual Chassis complete sequence number (CSN) packets.
error: Trace Virtual Chassis errored packets.
hello: Trace Virtual Chassis hello packets.
krt: Trace Virtual Chassis KRT events.
lsp: Trace Virtual Chassis link-state packets.
lsp-generation: Trace Virtual Chassis link-state packet generation.
me: Trace Virtual Chassis ME events.
packets: Trace Virtual Chassis packets.
parse: Trace reading of the configuration.
route: Trace Virtual Chassis routing information.
spf: Trace Virtual Chassis SPF events.
state: Trace Virtual Chassis state transitions.
task: Trace Virtual Chassis task operations.

match regex: (Optional) Refine the output to include lines that contain the regular expression.
no-world-readable: (Optional) Restrict file access to the user who created the file.
size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB
world-readable: (Optional) Enable unrestricted file access.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Monitoring Virtual Chassis Configuration Status and Statistics on page 219
Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual Chassis Member on page 216
Verifying That the Virtual Chassis Ports Are Operational on page 217
Troubleshooting a Virtual Chassis Configuration on page 223
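A traceoptions stanza that combines the file, files, size and flag options described above, added here as an example (it is not one of the guide's own examples). The file name, the 1 MB size, the count of 5 files and the flag selection are chosen for illustration; no-world-readable is used so that the trace, which records Virtual Chassis hello, state and error events, is readable only by the user who created it.

```junos
virtual-chassis {
    traceoptions {
        /* Added example. Output goes to /var/log/vc-trace.log; at 1 MB the
           file rotates to vc-trace.log.0 and so on, keeping 5 files in total
           (the size option is required when files is given, and vice versa).
           no-world-readable restricts the trace to the creating user. */
        file "vc-trace.log" size 1m files 5 no-world-readable;
        /* Trace only what is needed for member adjacency and role changes
           instead of "all", which records every Virtual Chassis packet. */
        flag hello;
        flag state;
        flag error;
    }
}
```

Since tracing is disabled by default and the trace records control-plane detail about every member, the stanza is best left in place only while a problem is being diagnosed; the match option can narrow the written lines further once the relevant message pattern is known.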

virtual-chassis

Syntax
virtual-chassis {
    mac-persistence-timer seconds;
    preprovisioned;
    member member-id {
        mastership-priority number;
        no-management-vlan;
        serial-number;
        role;
    }
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag;
    }
}

Hierarchy Level
[edit]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure Virtual Chassis information on an EX 4200 switch.
The statements are explained separately.

Default
A standalone EX 4200 switch is a Virtual Chassis by default. It has a default member ID of 0, a default mastership priority of 128, and a default role as master.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 147
Configuring a Virtual Chassis (CLI Procedure) on page 199
Configuring a Virtual Chassis (J-Web Procedure) on page 197
Understanding Virtual Chassis Components on page 135

Chapter 21

Operational Mode Commands for Virtual Chassis

Virtual Chassis Commands on page 237

Virtual Chassis Commands

clear virtual-chassis vc-port statistics

Syntax
clear virtual-chassis vc-port statistics <interface-name> member member-id

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Reset the statistics of all the Virtual Chassis ports for the specified Virtual Chassis member.

Options
interface-name: (Optional) Name of the interface to be cleared of its traffic statistics. Specify either vcp-0 or vcp-1.
member member-id: Reset the VCP traffic statistics on the specified member of the Virtual Chassis configuration.

Required Privilege Level
clear

Related Topics
show virtual-chassis vc-port statistics on page 255
show virtual-chassis vc-port on page 252
Monitoring Virtual Chassis Configuration Status and Statistics on page 219
Understanding Virtual Chassis Components on page 135

List of Sample Output
clear virtual-chassis vc-port statistics member 3 on page 238

clear virtual-chassis vc-port statistics member 3

user@SWA-0> clear virtual-chassis vc-port statistics member 3
Cleared statistics on member 3

request session member

Syntax
request session member member-id

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Starts a session with the specified member of a Virtual Chassis configuration.

Options
member-id: Select the specific member of the Virtual Chassis configuration with which you want to establish a session.

Required Privilege Level
maintenance

Related Topics
member
Understanding Virtual Chassis Components on page 135

request virtual-chassis recycle

Syntax
request virtual-chassis recycle member-id member-id

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Make a previously used member ID available for reassignment.
When you remove a member switch from the Virtual Chassis configuration, the master reserves that member ID. To make the member ID available for reassignment, you must use this command.

Options
member-id member-id: Specify the member ID that you want to make available for reassignment to a different member switch.

Required Privilege Level
maintenance

Related Topics
request virtual-chassis renumber on page 245
Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 219

List of Sample Output
request virtual-chassis recycle member-id 3 on page 240

request virtual-chassis recycle member-id 3

user@host> request virtual-chassis recycle member-id 3

request virtual-chassis vc-port

Syntax
request virtual-chassis vc-port set|delete pic-slot pic-slot port port-number <(all-members | member member-id)>

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Enable or disable an uplink port (on an EX-UM-2XFP or EX-UM-4SFP uplink module) as a Virtual Chassis port (VCP) interface.

Options
pic-slot pic-slot: Number of the PIC slot for the uplink. Specify 1 to represent the uplink module PIC on the EX-series switch.
port port-number: Number of the uplink module port (0 or 1) that is to be enabled or disabled as a VCP interface.
all-members: (Optional) Enable or disable the specified uplink VCP interface on all members of the Virtual Chassis configuration.
member member-id: (Optional) Enable or disable the specified VCP uplink interface on the specified member of the Virtual Chassis configuration.

Additional Information
If you omit (all-members | member member-id), this command defaults to enabling or disabling the uplink VCP interface on the switch where the command is issued.

Required Privilege Level
maintenance

Related Topics
request virtual-chassis vc-port on page 1160
show virtual-chassis vc-port on page 252
show virtual-chassis vc-port statistics on page 255
clear virtual-chassis vc-port statistics on page 238
Understanding Virtual Chassis Components on page 135

List of Sample Output
request virtual-chassis vc-port set pic-slot 1 port 0 on page 241
request virtual-chassis vc-port set pic-slot 1 port 0 all-members on page 241
request virtual-chassis vc-port set pic-slot 1 port 1 member 3 on page 242
request virtual-chassis vc-port delete pic-slot 1 port 1 member 3 on page 242

request virtual-chassis vc-port set pic-slot 1 port 0

user@host> request virtual-chassis vc-port set pic-slot 1 port 0

To check the results of this command, use the show virtual-chassis vc-port on page 252 command.

request virtual-chassis vc-port set pic-slot 1 port 0 all-members

user@host> request virtual-chassis vc-port set pic-slot 1 port 0 all-members

To check the results of this command, use the show virtual-chassis vc-port on page 252 command.

request virtual-chassis vc-port set pic-slot 1 port 1 member 3

user@host> request virtual-chassis vc-port set pic-slot 1 port 1 member 3

To check the results of this command, use the show virtual-chassis vc-port on page 252 command.

request virtual-chassis vc-port delete pic-slot 1 port 1 member 3

user@host> request virtual-chassis vc-port delete pic-slot 1 port 1 member 3

To check the results of this command, use the show virtual-chassis vc-port on page 252 command.

request virtual-chassis vc-port

Syntax
request virtual-chassis vc-port set interface vcp-interface-name <(all-members | member member-id)> <disable>

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Disable or enable a Virtual Chassis port (VCP) interface for a dedicated VCP on the rear panel of the Virtual Chassis.

Options
interface vcp-interface-name: Name of the interface to enable or disable. Specify either vcp-0 or vcp-1.
all-members: (Optional) Enable or disable the specified VCP interface on all members of the Virtual Chassis configuration.
member member-id: (Optional) Enable or disable the specified VCP interface on the specified member of the Virtual Chassis configuration.
disable: (Optional) Disable the specified VCP. If you omit this keyword, the command enables the dedicated VCP interface.

Additional Information
If you omit (all-members | member member-id), this command defaults to disabling or enabling the dedicated VCP interface on the switch where the command is issued. The dedicated VCP interfaces are enabled in the factory default configuration.

Required Privilege Level
maintenance

Related Topics
request virtual-chassis vc-port on page 1160
show virtual-chassis vc-port on page 252
show virtual-chassis vc-port statistics on page 255
clear virtual-chassis vc-port statistics on page 238
Understanding Virtual Chassis Components on page 135

List of Sample Output
request virtual-chassis vc-port set interface vcp-0 disable on page 243
request virtual-chassis vc-port set interface vcp-0 all-members disable on page 243
request virtual-chassis vc-port set interface vcp-0 member 3 disable on page 244
request virtual-chassis vc-port set interface vcp-1 all-members on page 244

request virtual-chassis vc-port set interface vcp-0 disable

user@host> request virtual-chassis vc-port set interface vcp-0 disable

To check the results of this command, use the show virtual-chassis vc-port on page 252 command.

request virtual-chassis vc-port set interface vcp-0 all-members disable

user@host> request virtual-chassis vc-port set interface vcp-0 all-members disable

To check the results of this command, use the show virtual-chassis vc-port on page 252 command.

request virtual-chassis vc-port set interface vcp-0 member 3 disable

user@host> request virtual-chassis vc-port set interface vcp-0 member 3 disable

To check the results of this command, use the show virtual-chassis vc-port on page 252 command.

request virtual-chassis vc-port set interface vcp-1 all-members

user@host> request virtual-chassis vc-port set interface vcp-1 all-members

request virtual-chassis renumber

Syntax
request virtual-chassis renumber member-id old-member-id new-member-id new-member-id

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Renumber a member of a Virtual Chassis configuration.

Options
member-id old-member-id: Specify the ID of the member that you wish to renumber.
new-member-id new-member-id: Specify an unassigned member ID (from 0 through 9).

Required Privilege Level
maintenance

Related Topics
request virtual-chassis recycle on page 1160
Replacing a Member Switch of a Virtual Chassis Configuration (CLI Procedure) on page 219

List of Sample Output
request virtual-chassis renumber member-id 5 new-member-id 4 on page 245

request virtual-chassis renumber member-id 5 new-member-id 4

user@SWA-0> request virtual-chassis renumber member-id 5 new-member-id 4

show system uptime

Syntax
show system uptime (all-members | member member-id)

Release Information
Options introduced in JUNOS Release 9.0 for EX-series switches.

Description
Display the current time and information about how long the Virtual Chassis, Virtual Chassis software, and routing protocols have been running.

Options
all-members: Display the current time and information about how long the Virtual Chassis, Virtual Chassis software, and routing protocols have been running for all the member switches of the Virtual Chassis configuration.
member member-id: Display the current time and information about how long the Virtual Chassis, Virtual Chassis software, and routing protocols have been running for the specific member of the Virtual Chassis configuration.

Required Privilege Level
view

Related Topics
virtual-chassis
Monitoring System Properties on page 105
For more information about show system uptime, see the JUNOS Software System Basics Services and Command Reference at http://www.juniper.net/techpubs/software/junos/junos91/index.html.

List of Sample Output
show system uptime member 0 on page 247

Output Fields
Table 40 on page 246 lists the output fields for the show system uptime command. Output fields are listed in the approximate order in which they appear.

Table 40: show system uptime Output Fields

Field Name          Field Description
Current time        Current system time in UTC.
System booted       Date and time when the switch was last booted and how long it has been running.
Protocols started   Date and time when the routing protocols were last started and how long they have been running.
Last configured     Date and time when a configuration was last committed. Also shows the name of the user who issued the last commit command.
Time and up         Current time, in the local time zone, and how long the switch has been operational.
Users               Number of users logged into the switch.
Load averages       Load averages for the last 1 minute, 5 minutes, and 15 minutes.

show system uptime member 0

user@host> show system uptime member 0
fpc0:
--------------------------------------------------------------------------
Current time: 2008-02-06 05:24:20 UTC
System booted: 2008-01-31 08:26:54 UTC (5d 20:57 ago)
Protocols started: 2008-01-31 08:27:56 UTC (5d 20:56 ago)
Last configured: 2008-02-05 03:26:43 UTC (1d 01:57 ago) by root
5:24AM up 5 days, 20:57, 1 user, load averages: 0.14, 0.06, 0.01

show virtual-chassis active topology


Syntax

Release Information

show virtual-chassis active-topology


<(all-members | member member-id)>

Command introduced in JUNOS Release 9.0 for EX-series switches.

Description

Display the active topology of the Virtual Chassis configuration with reachability
information.

Options

noneDisplay the active topology of the member switch where the command is

issued.
all-membersDisplay the active topology of all members of the Virtual Chassis

configuration.
member member-idDisplay the active topology of a specified member of the Virtual

Chassis configuration.
Required Privilege Level
Related Topics

List of Sample Output


Output Fields

view

Monitoring Virtual Chassis Configuration Status and Statistics on page 219

Understanding Virtual Chassis Configuration on page 144

show virtual-chassis active-topology on page 248


Table 41 on page 248 lists the output fields for the show virtual-chassis active-topology
command. Output fields are listed in the approximate order in which they appear.

Table 41: show virtual-chassis active-topology Output Fields


Field Name

Field Description

Destination ID

Specifies the member ID of the destination.

Next-hop

Specifies the member ID and VCP of the next-hop to which packets for the destination ID are
forwarded.

show virtual-chassis
active-topology

248

user@SWA-0> show virtual-chassis active-topology


1
1(vcp-1)

1(vcp-1)

1(vcp-1)

show virtual-chassis active topology

Chapter 21: Operational Mode Commands for Virtual Chassis

1(vcp-1)

8(vcp-0)

8(vcp-0)

8(vcp-0)

8(vcp-0)

1(vcp-1)

show virtual-chassis active topology

249

show virtual-chassis status

Syntax
show virtual-chassis status

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Display information about all the members of the Virtual Chassis configuration.

Options
none: Display all information for all member switches of the Virtual Chassis
configuration.

Required Privilege Level
view

Related Topics
Monitoring Virtual Chassis Configuration Status and Statistics on page 219
Understanding Virtual Chassis Configuration on page 144

Output Fields
Table 42 on page 250 lists the output fields for the show virtual-chassis status command.
Output fields are listed in the approximate order in which they appear.

Table 42: show virtual-chassis status Output Fields

Virtual Chassis ID: Assigned ID that applies to the entire Virtual Chassis configuration.

Member ID: Assigned member ID and FPC slot (from 0 through 9).

Status: For a nonprovisioned configuration:
  Prsnt for a member that is currently connected to the Virtual Chassis configuration.
  NotPrsnt for a member ID that has been assigned but is not currently connected.
For a preprovisioned configuration:
  Prsnt for a member that is specified in the preprovisioned configuration file and is
  currently connected to the Virtual Chassis configuration.
  Unprvsnd for a member that is interconnected with the Virtual Chassis configuration
  but is not specified in the preprovisioned configuration file.

Serial No: Serial number of the member switch.

Model: Model number of the member switch.

Mastership Priority: Mastership priority value of the member switch.

Role: Role of the member switch.

Neighbor List: Member ID of the neighbor member to which this member's VCP interface is
connected.

Sample Output

show virtual-chassis status

user@SWA-0> show virtual-chassis status

Virtual Chassis ID: 0019.e250.47a0
                                               Mastership            Neighbor List
Member ID  Status  Serial No     Model       priority   Role      ID  Interface
0 (FPC 0)  Prsnt   AK0207360276  ex4200-24t  249        Master*   8   vcp-0
                                                                  1   vcp-1
1 (FPC 1)  Prsnt   AK0207360281  ex4200-24t  248        Backup    0   vcp-0
                                                                  2   vcp-1
2 (FPC 2)  Prsnt   AJ0207391130  ex4200-48p  247        Linecard  1   vcp-0
                                                                  3   vcp-1
3 (FPC 3)  Prsnt   AK0207360280  ex4200-24t  246        Linecard  2   vcp-0
                                                                  4   vcp-1
4 (FPC 4)  Prsnt   AJ0207391113  ex4200-48p  245        Linecard  3   vcp-0
                                                                  5   vcp-1
5 (FPC 5)  Prsnt   BP0207452204  ex4200-48t  244        Linecard  4   vcp-0
                                                                  6   vcp-1
6 (FPC 6)  Prsnt   BP0207452222  ex4200-48t  243        Linecard  5   vcp-0
                                                                  7   vcp-1
7 (FPC 7)  Prsnt   BR0207432028  ex4200-24f  242        Linecard  6   vcp-0
                                                                  8   vcp-1
8 (FPC 8)  Prsnt   BR0207431996  ex4200-24f  241        Linecard  7   vcp-0
                                                                  0   vcp-1

Member ID for next new member: 9 (FPC 9)
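Of the Status values in Table 42, Unprvsnd is the one to alarm on: it means a switch is cabled into the Virtual Chassis that the preprovisioned configuration never listed. The following Python is an added example, not Juniper code, that parses the output printed above and reports unprovisioned or missing members, VCP links that only one end reports, and a master that does not hold the highest mastership priority. The column layout it parses is the one shown in the sample; the tenth "rogue" member row is constructed for the test, and its serial number is made up.

```python
"""Audit 'show virtual-chassis status' output for membership and cabling problems."""
import re

# Member row, e.g. "0 (FPC 0)  Prsnt  AK0207360276  ex4200-24t  249  Master*  8  vcp-0".
# Serial, model, priority, role and the first neighbor are optional so that a
# NotPrsnt row with blank columns still parses.
MEMBER_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+\(FPC\s+\d+\)\s+(?P<status>\S+)"
    r"(?:\s+(?P<serial>[A-Z0-9]{8,})\s+(?P<model>\S+)\s+(?P<prio>\d+)\s+(?P<role>\S+))?"
    r"(?:\s+(?P<nid>\d+)\s+(?P<nif>vcp-\d))?\s*$")
# Continuation row carrying only the member's second neighbor: "      1   vcp-1".
NEIGHBOR_RE = re.compile(r"^\s*(?P<nid>\d+)\s+(?P<nif>vcp-\d)\s*$")

# Sample output from the page (members 0-8 in a ring), embedded as constructed input.
SAMPLE_STATUS = """\
Virtual Chassis ID: 0019.e250.47a0
                                               Mastership            Neighbor List
Member ID  Status  Serial No     Model       priority   Role      ID  Interface
0 (FPC 0)  Prsnt   AK0207360276  ex4200-24t  249        Master*   8   vcp-0
                                                                  1   vcp-1
1 (FPC 1)  Prsnt   AK0207360281  ex4200-24t  248        Backup    0   vcp-0
                                                                  2   vcp-1
2 (FPC 2)  Prsnt   AJ0207391130  ex4200-48p  247        Linecard  1   vcp-0
                                                                  3   vcp-1
3 (FPC 3)  Prsnt   AK0207360280  ex4200-24t  246        Linecard  2   vcp-0
                                                                  4   vcp-1
4 (FPC 4)  Prsnt   AJ0207391113  ex4200-48p  245        Linecard  3   vcp-0
                                                                  5   vcp-1
5 (FPC 5)  Prsnt   BP0207452204  ex4200-48t  244        Linecard  4   vcp-0
                                                                  6   vcp-1
6 (FPC 6)  Prsnt   BP0207452222  ex4200-48t  243        Linecard  5   vcp-0
                                                                  7   vcp-1
7 (FPC 7)  Prsnt   BR0207432028  ex4200-24f  242        Linecard  6   vcp-0
                                                                  8   vcp-1
8 (FPC 8)  Prsnt   BR0207431996  ex4200-24f  241        Linecard  7   vcp-0
                                                                  0   vcp-1

Member ID for next new member: 9 (FPC 9)
"""
# Constructed variant: a tenth switch (made-up serial) cabled in without being preprovisioned.
ROGUE_STATUS = SAMPLE_STATUS.replace(
    "Member ID for next new member",
    "9 (FPC 9)  Unprvsnd  BP0207452299  ex4200-48t  128  Linecard  8   vcp-1\n"
    "Member ID for next new member")


def parse_vc_status(text):
    """Return {member_id: {"status", "serial", "model", "priority", "role", "neighbors"}}."""
    members, current = {}, None
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            current = {"status": m["status"], "serial": m["serial"] or "",
                       "model": m["model"] or "", "priority": int(m["prio"] or 0),
                       "role": m["role"] or "", "neighbors": []}
            members[int(m["id"])] = current
        else:
            m = NEIGHBOR_RE.match(line)
        if m and m["nid"] and current is not None:
            current["neighbors"].append((int(m["nid"]), m["nif"]))
    return members


def audit_vc_status(text):
    """Return a list of findings; an empty list means the Virtual Chassis looks healthy."""
    members, findings = parse_vc_status(text), []
    for mid, m in members.items():
        if m["status"] == "Unprvsnd":
            findings.append(f"member {mid} ({m['serial']} {m['model']}) is cabled in "
                            "but is not in the preprovisioned configuration")
        elif m["status"] == "NotPrsnt":
            findings.append(f"member {mid} is assigned but not connected")
    present = {mid: m for mid, m in members.items() if m["status"] == "Prsnt"}
    # Every VCP link must be reported from both ends; otherwise the cabling is not
    # what the switch believes it is.
    for mid, m in present.items():
        for nid, vcp in m["neighbors"]:
            peers = [p for p, _ in members.get(nid, {"neighbors": []})["neighbors"]]
            if mid not in peers:
                findings.append(f"member {mid} sees {nid} on {vcp} but {nid} does not list {mid}")
    masters = [mid for mid, m in present.items() if m["role"].startswith("Master")]
    if len(masters) != 1:
        findings.append(f"expected exactly one master, found {len(masters)}")
    elif any(m["priority"] > present[masters[0]]["priority"] for m in present.values()):
        findings.append(f"master {masters[0]} does not hold the highest mastership priority")
    return findings
```

Run audit_vc_status() on the text captured from the switch; it returns nothing for the ring shown above and one finding for the constructed rogue member.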

show virtual-chassis vc-port

Syntax
show virtual-chassis vc-port <(all-members | member member-id)>

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Display the status of the Virtual Chassis ports (VCPs), including both the dedicated
VCPs and the uplinks set as VCPs.

Options
none: Display the operational status of all the Virtual Chassis ports of the member
switch where the command is issued.
all-members: (Optional) Display the operational status of all the Virtual Chassis ports
on all members of the Virtual Chassis configuration.
member member-id: (Optional) Display the operational status of all the Virtual Chassis
ports for the specified member of the Virtual Chassis configuration.

Required Privilege Level
view

Related Topics
show virtual-chassis vc-port statistics on page 255
clear virtual-chassis vc-port statistics on page 238
Monitoring Virtual Chassis Configuration Status and Statistics on page 219
Understanding Virtual Chassis Configuration on page 144

List of Sample Output
show virtual-chassis vc-port on page 253
show virtual-chassis vc-port all-members on page 253

Output Fields
Table 43 on page 252 lists the output fields for the show virtual-chassis vc-port
command. Output fields are listed in the approximate order in which they appear.

Table 43: show virtual-chassis vc-port Output Fields

fpcnumber: The fpc number is the same as the member ID.

Interface or PIC/Port: VCP interface name. Unlike network interfaces, a VCP interface name
does not include a slot number (member ID).
  The dedicated VCP interfaces are vcp-0 and vcp-1.
  The uplink ports set as VCP interfaces are named 1/0 and 1/1, representing the
  PIC number and port number.

Type: Type of VCP:
  dedicated (on the rear panel)
  configured (uplink port configured as a VCP)

Status: Interface status: down or up.

Sample Output

show virtual-chassis vc-port

user@SWA-0> show virtual-chassis vc-port

Interface
or
PIC / Port    Type        Status
vcp-0         Dedicated   Up
vcp-1         Dedicated   Up
1/0           Configured  Down
1/1           Configured  Up

show virtual-chassis vc-port all-members

user@SWA-0> show virtual-chassis vc-port all-members

fpc0:
--------------------------------------------------------------------------
Interface
or
PIC / Port    Type        Status
vcp-0         Dedicated   Up
vcp-1         Dedicated   Up
1/0           Configured  Down
1/1           Configured  Up
fpc1:
--------------------------------------------------------------------------
Interface
or
PIC / Port    Type        Status
vcp-0         Dedicated   Up
vcp-1         Dedicated   Up
fpc2:
--------------------------------------------------------------------------
Interface
or
PIC / Port    Type        Status
vcp-0         Dedicated   Up
vcp-1         Dedicated   Up
fpc3:
--------------------------------------------------------------------------
Interface
or
PIC / Port    Type        Status
vcp-0         Dedicated   Up
vcp-1         Dedicated   Up
fpc4:
--------------------------------------------------------------------------
Interface
or
PIC / Port    Type        Status
vcp-0         Dedicated   Up
vcp-1         Dedicated   Up
fpc5:
--------------------------------------------------------------------------
Interface
or
PIC / Port    Type        Status
vcp-0         Dedicated   Up
vcp-1         Dedicated   Up
fpc6:
--------------------------------------------------------------------------
Interface
or
PIC / Port    Type        Status
vcp-0         Dedicated   Up
vcp-1         Dedicated   Up
fpc7:
--------------------------------------------------------------------------
Interface
or
PIC / Port    Type        Status
vcp-0         Dedicated   Up
vcp-1         Dedicated   Up
fpc8:
--------------------------------------------------------------------------
Interface
or
PIC / Port    Type        Status
vcp-0         Dedicated   Up
vcp-1         Dedicated   Up

show virtual-chassis vc-port statistics

Syntax
show virtual-chassis vc-port statistics member member-id

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Display the traffic statistics of the Virtual Chassis ports for the selected Virtual Chassis
member.

Options
member member-id: Display the traffic statistics for the Virtual Chassis ports of the
specified Virtual Chassis member.

Required Privilege Level
view

Related Topics
clear virtual-chassis vc-port statistics on page 238
show virtual-chassis vc-port on page 252
Monitoring Virtual Chassis Configuration Status and Statistics on page 219

List of Sample Output
show virtual-chassis vc-port statistics member 0 on page 255

Output Fields
Table 44 on page 255 lists the output fields for the show virtual-chassis vc-port statistics
command. Output fields are listed in the approximate order in which they appear.

Table 44: show virtual-chassis vc-port statistics Output Fields

Member ID: ID of the specified member.

Port: RX (receive) and TX (transmit) statistics reported by the VCP subsystem for
internal ports and for the dedicated VCPs (vcp-0 and vcp-1).

Sample Output

show virtual-chassis vc-port statistics member 0

user@SWA-0> show virtual-chassis vc-port statistics member 0

Member ID: 0
Port: internal-0/24
                     RX          TX
Total octets:        0           0
Total packets:       0           0

Member ID: 0
Port: internal-0/27
                     RX          TX
Total octets:        0           0
Total packets:       0           0

Member ID: 0
Port: internal-1/25
                     RX          TX
Total octets:        0           0
Total packets:       0           0

Member ID: 0
Port: internal-1/26
                     RX          TX
Total octets:        0           0
Total packets:       0           0

Member ID: 0
Port: vcp-0
                     RX          TX
Total octets:        586511032   210691704
Total packets:       2927355     1987210

Member ID: 0
Port: vcp-1
                     RX          TX
Total octets:        0           0
Total packets:       0           0
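The two commands above are more useful read together: show virtual-chassis vc-port reports vcp-1 as Up, while the statistics for the same member show vcp-1 has never received a packet, which is the signature of a link that is up on one side only or a cable that was moved after the counters were cleared. The following Python is an added example, not Juniper code, that parses both forms of the vc-port output (with and without the fpcN: banners) and the statistics output, and reports VCPs that are Down and dedicated VCPs that are Up with zero received packets. The embedded inputs are the page's sample outputs, abridged.

```python
"""Cross-check Virtual Chassis port status against the VCP traffic counters."""
import re

FPC_RE = re.compile(r"^fpc(\d+):\s*$")
PORT_RE = re.compile(r"^\s*(?P<name>vcp-\d|\d+/\d+)\s+(?P<type>Dedicated|Configured)"
                     r"\s+(?P<status>Up|Down)\s*$")
STATS_RE = re.compile(r"^(?:Member ID:\s*(?P<member>\d+)|Port:\s*(?P<port>\S+)"
                      r"|Total (?P<counter>octets|packets):\s+(?P<rx>\d+)\s+(?P<tx>\d+))\s*$")

# Constructed input: the page's 'show virtual-chassis vc-port all-members' output,
# abridged to fpc0 and fpc1.
SAMPLE_VC_PORTS = """\
fpc0:
--------------------------------------------------------------------------
Interface
or
PIC / Port    Type        Status
vcp-0         Dedicated   Up
vcp-1         Dedicated   Up
1/0           Configured  Down
1/1           Configured  Up
fpc1:
--------------------------------------------------------------------------
Interface
or
PIC / Port    Type        Status
vcp-0         Dedicated   Up
vcp-1         Dedicated   Up
"""
# Constructed input: the page's 'show virtual-chassis vc-port statistics member 0'
# output, abridged to one internal port and the two dedicated VCPs.
SAMPLE_VC_PORT_STATS = """\
Member ID: 0
Port: internal-0/24
                     RX          TX
Total octets:        0           0
Total packets:       0           0

Member ID: 0
Port: vcp-0
                     RX          TX
Total octets:        586511032   210691704
Total packets:       2927355     1987210

Member ID: 0
Port: vcp-1
                     RX          TX
Total octets:        0           0
Total packets:       0           0
"""


def parse_vc_ports(text, default_member=0):
    """Return {member_id: {port: (type, status)}}.

    The all-members form has 'fpcN:' banners; the single-member form has none,
    so its rows are filed under default_member.
    """
    ports, member = {}, default_member
    for line in text.splitlines():
        f = FPC_RE.match(line)
        if f:
            member = int(f.group(1))
        elif (p := PORT_RE.match(line)):
            ports.setdefault(member, {})[p["name"]] = (p["type"], p["status"])
    return ports


def parse_vc_port_stats(text):
    """Return {member_id: {port: {"rx_octets", "tx_octets", "rx_packets", "tx_packets"}}}."""
    stats, member, port = {}, None, None
    for line in text.splitlines():
        m = STATS_RE.match(line.strip())
        if not m:
            continue
        if m["member"]:
            member = int(m["member"])
        elif m["port"]:
            port = m["port"]
            stats.setdefault(member, {})[port] = {}
        else:
            stats[member][port]["rx_" + m["counter"]] = int(m["rx"])
            stats[member][port]["tx_" + m["counter"]] = int(m["tx"])
    return stats


def vc_port_anomalies(port_text, stats_text):
    """List VCPs that are Down, and dedicated VCPs that are Up but have received nothing."""
    findings = []
    stats = parse_vc_port_stats(stats_text)
    for member, table in sorted(parse_vc_ports(port_text).items()):
        for name, (kind, status) in table.items():
            if status == "Down":
                findings.append(f"fpc{member} {name} ({kind}) is Down")
            elif kind == "Dedicated":
                counters = stats.get(member, {}).get(name)
                if counters and counters["rx_packets"] == 0:
                    findings.append(f"fpc{member} {name} is Up but has received 0 packets")
    return findings
```

Statistics are only reported for the member named on the command line, so a member without statistics is simply not checked for the zero-counter condition; collect statistics for every member you want covered.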

Part 7

Interfaces

Understanding Interfaces on page 259

Examples of Configuring Interfaces on page 267

Configuring Interfaces on page 289

Verifying Interfaces on page 299

Troubleshooting Interfaces on page 303

Configuration Statements for Interfaces on page 311

Operational Mode Commands for Interfaces on page 331


Chapter 22

Understanding Interfaces

EX-series Switches Interfaces Overview on page 259

Understanding Interface Naming Conventions on EX-series Switches on page 261

Understanding Aggregated Ethernet Interfaces and LACP on page 263

Understanding Layer 3 Subinterfaces on page 265

EX-series Switches Interfaces Overview


EX-series switches have two types of interfaces: network and special interfaces. This
topic provides brief information on these interfaces. For additional information, see
the JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html.

Network Interfaces on page 259

Special Interfaces on page 260

Network Interfaces
Network interfaces connect to the network and carry network traffic. EX-series
switches support the following types of network interfaces:

LAN access interfaces: EX-series switches provide either 24 or 48 network ports,
depending on the switch model. These ports can be used to connect a personal
computer, laptop, file server, or printer to the network. When you power on an
EX-series switch and use the factory-default configuration, the software
automatically configures interfaces in access mode for each of the network ports.
The default configuration also enables autonegotiation of both speed and
link mode.

Trunk interfaces: EX-series access switches can be connected to a distribution
switch or customer edge (CE) router. To use a port for this type of connection,
you must explicitly configure the port interface for trunk mode. The interfaces
from the distribution switch to the access switches should also be configured for
trunk mode.

Power over Ethernet (PoE) interfaces: EX-series switches provide PoE network
ports, with the various switch models providing either 8, 24, or 48 PoE ports.
These ports can be used to connect VoIP telephones, wireless access points,
video cameras, and point-of-sale devices so that they safely receive power from the same
access ports that are used to connect personal computers to the network. PoE
interfaces are enabled by default in the factory configuration.

Aggregated Ethernet interfaces: EX 3200 and EX 4200 switches allow you to
group Ethernet interfaces at the physical layer to form a single link layer interface,
also known as a link aggregation group (LAG) or bundle. These aggregated Ethernet
interfaces help to balance traffic and increase the uplink bandwidth.

Special Interfaces
Special interfaces include:

Virtual chassis port (VCP) interfaces: Each EX 4200 switch has two dedicated
virtual chassis ports (VCPs) on its rear panel. These ports can be used to
interconnect two to ten EX 4200 switches as a virtual chassis, which functions
as a single network entity. See Understanding the High-Speed Interconnection
of the Virtual Chassis Members on page 143. When you power on EX-series
switches that are interconnected in this manner, the software automatically
configures the VCP interfaces for the dedicated ports that have been
interconnected. These VCP interfaces, which are called vcp-0 and vcp-1, are not
configurable or modifiable. It is also possible to interconnect EX 4200 switches
across wider distances (up to 40 km) by using the EX-UM-2XFP uplink module
ports. To use an EX-UM-2XFP uplink module port as a virtual chassis port, you
must explicitly set the uplink VCP interface using the request virtual-chassis
vc-port on page 1160 command.

Management interface: The JUNOS software for EX-series switches automatically
creates the switch's management Ethernet interface, me0. The management
Ethernet interface provides an out-of-band method for connecting to the switch.
To use me0 as a management port, you must configure its logical port, me0.0,
with a valid IP address. You can connect to the management interface over the
network using utilities such as ssh and telnet. Simple Network Management
Protocol (SNMP) can use the management interface to gather statistics from the
switch. (The management interface me0 is analogous to the fxp0 interface on
JUNOS routers.)

Virtual Management Ethernet (VME) interface: On EX 4200 series switches,
there is a VME interface. This is a logical interface that is used for virtual chassis
configurations and allows you to manage all the members of the virtual chassis
through the master. For more information on VME, see Understanding Global
Management of a Virtual Chassis Configuration on page 141.

Console port: Each EX-series switch has a serial port, labeled console, for
connecting tty-type terminals to the switch using standard PC-type tty cables.
The console port does not have a physical address or IP address associated with
it. However, it is an interface in the sense that it provides access to the switch.
On EX 4200 switches that are configured as a virtual chassis, you can access the
master and configure all members of the virtual chassis through any member's
console port. For more information on the console port in a virtual chassis, see
Understanding Global Management of a Virtual Chassis Configuration on page 141.

Loopback: A software-only virtual interface that is always up. This interface
provides a stable and consistent interface and IP address on the switch.


Related Topics

EX-series Switch Hardware Overview on page 19
PoE and EX-series Switches Overview on page 1087
Understanding Interface Naming Conventions on EX-series Switches on page 261
Understanding Aggregated Ethernet Interfaces and LACP on page 263
Understanding Layer 3 Subinterfaces on page 265
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 172
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch on page 178

Understanding Interface Naming Conventions on EX-series Switches

EX-series switches use a naming convention that is similar to that of other platforms
running under JUNOS software for defining the interfaces. This topic provides brief
information on the naming conventions used for interfaces on EX-series switches.
For additional information, see the JUNOS Software Network Interfaces Configuration
Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html.

Physical Part of an Interface Name on page 261
Logical Part of an Interface Name on page 262
Wildcard Characters in Interface Names on page 263

Physical Part of an Interface Name

When you define an interface in JUNOS software, you specify the interface type, the
FPC slot in which the Physical Interface Module (PIM) is installed, the PIC within the
FPC, and the port on that PIC. A hyphen (-) separates the interface type from the slot
number, and a slash (/) separates the slot number, PIC number, and port numbers:
type-slot/pic/port
The EX-series switches apply this convention as follows:

type: EX-series interfaces use the following media types:
  ge: Gigabit Ethernet interface
  xe: 10-Gigabit Ethernet interface (these are the ports on the EX-UM-2XFP
  uplink module)

slot number/member-id: EX-series interfaces use the following slot numbers
(equivalent to member ID):
  EX 3200 switches have only one FPC slot for the network ports. It is slot
  number 0.
  An individual, standalone EX 4200 switch has only one FPC slot number. It
  is slot number 0.
  If an EX 4200 switch is interconnected with other switches in a virtual chassis,
  each individual switch that is included as a member of the virtual chassis is
  identified with a member ID. The member ID functions as an FPC slot number.
  When you are configuring interfaces for a virtual chassis, you specify the
  appropriate member ID 0 through 9 as the slot of the interface name.

PIC number: EX-series interfaces use the following PIC numbers:
  Use the number 0 to specify the PIC for any network port on the switch
  itself.
  If you are configuring a port on an uplink module, use the number 1 as the
  PIC.

port number: EX-series interfaces use the following port numbers:
  The network ports are on the front panel of the switch and are labeled from left
  to right, starting with 0 followed by the remaining even-numbered ports in the
  top row, and 1 followed by the remaining odd-numbered ports in the bottom
  row. (On the partial PoE switches, port numbers 0 through 7 have a label that
  is a different color from the labels on the remaining ports to indicate that these
  first eight ports are PoE ports.)
  Figure 14 on page 262 shows the network ports on a 24-port EX-series switch.
Figure 14: Network Ports on the 24-Port EX-series Switch
[Figure 14 shows the front panel of an EX 3200 switch: the LCD panel with its Menu and
Enter buttons, the ALM, SYS, and MST LEDs, network ports 0 through 23, and the uplink
module. The image (g020054) is not reproduced here.]

Figure 15 on page 262 shows the network ports on a 48-port EX-series switch.
Figure 15: Network Ports on the 48-Port EX-series Switch

Logical Part of an Interface Name

The logical unit part of the interface name corresponds to the logical unit number,
which can be a number from 0 through 16384. In the virtual part of the name, a
period (.) separates the port and logical unit numbers: media-type-fpc/pic/port.logical.
For example, if you issue the show ethernet-switching interfaces command on a system
with a default VLAN, the resulting display shows the logical interfaces associated
with the VLAN:

Interface     State   VLAN members      Blocking
ge-0/0/0.0    down    remote-analyzer   unblocked
ge-0/0/1.0    down    default           unblocked
ge-0/0/10.0   down    default           unblocked

When you configure aggregated Ethernet interfaces, you configure a logical interface
that is called a bundle or a LAG. Each LAG can include up to eight Ethernet interfaces.

Wildcard Characters in Interface Names


In the show interfaces and clear interfaces commands, you can use wildcard characters
in the interface-name option to specify groups of interface names without having to
type each name individually. You must enclose all wildcard characters except the
asterisk (*) in quotation marks (" ").
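Because the slot in an interface name is the Virtual Chassis member ID and the PIC distinguishes front-panel ports from the uplink module, an interface name alone tells you which physical switch and which port a configuration line touches. The following Python is an added example, not Juniper code, that parses EX-series names into those parts, rejects names that cannot exist under the rules in this topic, and expands wildcards of the kind accepted by show interfaces and clear interfaces. The slot, PIC, and unit limits are the ones stated above; the port limit of 47 is an assumption based on the 24- and 48-port models, and the quoting rule is applied by stripping the quotation marks JUNOS requires around wildcard characters other than *.

```python
"""Parse and validate EX-series interface names and expand CLI wildcards."""
import re
from fnmatch import fnmatchcase

# type-slot/pic/port with an optional .unit, e.g. xe-1/1/0 or ge-0/0/10.0.
NAME_RE = re.compile(
    r"^(?P<type>ge|xe)-(?P<slot>\d+)/(?P<pic>\d+)/(?P<port>\d+)(?:\.(?P<unit>\d+))?$")

MAX_MEMBER_ID = 9      # member ID doubles as the FPC slot (this topic)
MAX_UNIT = 16384       # logical unit range stated in this topic
MAX_PORT = 47          # assumption: largest model described here has 48 ports


def parse_interface(name):
    """Return the parts of an EX-series interface name, or raise ValueError."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} is not of the form type-slot/pic/port[.unit]")
    slot, pic, port = int(m["slot"]), int(m["pic"]), int(m["port"])
    unit = int(m["unit"]) if m["unit"] is not None else None
    if slot > MAX_MEMBER_ID:
        raise ValueError(f"{name}: slot {slot} exceeds the highest member ID, {MAX_MEMBER_ID}")
    if pic not in (0, 1):
        raise ValueError(f"{name}: PIC must be 0 (network ports) or 1 (uplink module)")
    if port > MAX_PORT:
        raise ValueError(f"{name}: port {port} is out of range")
    if unit is not None and unit > MAX_UNIT:
        raise ValueError(f"{name}: unit {unit} exceeds {MAX_UNIT}")
    return {
        "type": m["type"], "member": slot, "pic": pic, "port": port, "unit": unit,
        "location": "uplink module" if pic == 1 else "front panel",
        # An uplink port used as a VCP is shown as pic/port (1/0 or 1/1) by
        # show virtual-chassis vc-port; front-panel ports are never VCPs.
        "vcp_name": f"{pic}/{port}" if pic == 1 else None,
    }


def expand_wildcard(pattern, names):
    """Return the names matching a JUNOS-style wildcard such as ge-0/0/* or "ge-[01]/0/0".

    JUNOS requires quoting wildcard characters other than * on the CLI; the quotes
    are stripped here so the same string can be passed either way.
    """
    pattern = pattern.strip('"')
    return [n for n in names if fnmatchcase(n, pattern)]
```

A configuration linter can call parse_interface() on every interface statement and group the results by "member" to see which physical switches a change will reach before it is committed.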
Related Topics

EX-series Switches Interfaces Overview on page 259

Understanding Aggregated Ethernet Interfaces and LACP


IEEE 802.3ad link aggregation enables you to group Ethernet interfaces to form a
single link layer interface, also known as a link aggregation group (LAG) or bundle.
Link aggregation can be used for point-to-point connections. It balances traffic across
the member links within an aggregated Ethernet bundle and effectively increases
the uplink bandwidth. Another advantage of link aggregation is increased availability,
because the LAG is composed of multiple member links. If one member link fails,
the LAG continues to carry traffic over the remaining links.

Link Aggregation Group (LAG) on page 263

Link Aggregation Control Protocol (LACP) on page 264

Link Aggregation Group (LAG)

You configure a LAG by specifying the link number as a physical device and then
associating a set of ports with the link. All the ports must have the same speed and
be in full-duplex mode. JUNOS software for EX-series switches assigns a unique ID
and port priority to each port. The ID and priority are not configurable. When
configuring a LAG, consider the following guidelines:

Up to 8 Ethernet ports can be included in each bundle.
Up to 128 LAGs are supported in a virtual chassis configuration.
The LAG must be configured on both sides of the link.
The ports on either side of the link must be set to the same speed.

NOTE: The interfaces that are included within a bundle or LAG are sometimes referred
to as member interfaces. Do not confuse this term with member switches, which
refers to EX 4200 switches that are interconnected as a virtual chassis. It is possible
to create a LAG that is composed of member interfaces that are located in different
member switches of a virtual chassis.

A typical deployment for a LAG would be to aggregate trunk links between an access
switch and a distribution switch or customer edge (CE) router. LAG is not supported
on virtual chassis port links. A LAG can only be used for a point-to-point connection.

Link Aggregation Control Protocol (LACP)


LACP, a subcomponent of IEEE 802.3ad, provides additional functionality for LAG.
When LACP is configured, it detects misconfigurations on the local end or the remote
end of the link.
About enabling LACP:

When LACP is not enabled, a local LAG might attempt to transmit packets to a
remote single interface, which causes the communication to fail.

When LACP is enabled, a local LAG cannot transmit packets unless a LAG with
LACP is also configured on the remote end of the link.

By default, Ethernet links do not exchange protocol data units (PDUs), which contain
information about the state of the link. You can configure Ethernet links to actively
transmit PDUs, or you can configure the links to passively transmit them, sending
out LACP PDUs only when they receive them from another link. The transmitting
link is known as the actor and the receiving link is known as the partner.
Related Topics

Understanding Virtual Chassis Configurations and Link Aggregation on page 144
Understanding Redundant Trunk Links on EX-series Switches on page 365
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 172
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch on page 178
JUNOS Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html

Understanding Layer 3 Subinterfaces


A Layer 3 subinterface is a logical division of a physical interface that operates at the
network level and therefore can receive and forward 802.1Q VLAN tags. You can
use Layer 3 subinterfaces to route traffic among multiple VLANs along a single trunk
line that connects an EX-series switch to a Layer 2 switch. Only one physical
connection is required between the switches. This topology is often called a router
on a stick or a one-armed router when the Layer 3 device is a router.
To create Layer 3 subinterfaces on an EX-series switch, you enable VLAN tagging,
partition the physical interface into logical partitions, and bind the VLAN ID to the
logical interface.
You can partition one physical interface into up to 4094 different subinterfaces, one
for each VLAN. We recommend that you use the VLAN ID as the subinterface number
when you configure the subinterface. JUNOS software reserves VLAN IDs 0 and 4095.
VLAN tagging places the VLAN ID in the frame header, allowing each physical interface
to handle multiple VLANs. When you configure multiple VLANs on an interface, you
must also enable tagging on that interface. The JUNOS software on EX-series switches
supports a subset of the 802.1Q standard for receiving and forwarding routed or
bridged Ethernet frames with single VLAN tags and running Virtual Router Redundancy
Protocol (VRRP) over 802.1Q-tagged interfaces. Double-tagging is not supported.
Related Topics

EX-series Switches Interfaces Overview on page 259
Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an
Access Switch on page 279
JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html

Chapter 23

Examples of Configuring Interfaces

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 267

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch on page 273

Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an
Access Switch on page 279

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch

EX-series switches allow you to combine one to eight Ethernet links into one logical
interface for higher bandwidth and redundancy. The ports that are combined in this
manner are referred to as a link aggregation group (LAG) or bundle.
This example describes how to configure uplink LAGs to connect a virtual chassis
access switch to a virtual chassis distribution switch:

Requirements on page 267
Overview and Topology on page 268
Configuration on page 270
Verification on page 272
Troubleshooting on page 273

Requirements
This example uses the following software and hardware components:

JUNOS Release 9.0 or later for EX-series switches
Two EX 4200-48P switches
Two EX 4200-24F switches
Four EX-UM-2XFP uplink modules

Before you configure the LAGs, be sure you have:

Configured the virtual chassis switches. See Example: Configuring a Virtual
Chassis with a Master and Backup in a Single Wiring Closet on page 147.

Configured the uplink ports on the switches as trunk ports. See Configuring
Gigabit Ethernet Interfaces (CLI Procedure) on page 293.
Overview and Topology


For maximum speed and resiliency, you can combine uplinks between an access
switch and a distribution switch into LAGs. Using LAGs can be particularly effective
when connecting a multi-member, virtual-chassis access switch to a multi-member
virtual-chassis distribution switch.
The virtual chassis access switch in this example is composed of two member
switches. Each member switch has an uplink module with two 10-Gigabit Ethernet
ports. These ports are configured as trunk ports, connecting the access switch with
the distribution switch.
Configuring the uplinks as LAGs has the following advantages:

It doubles the speed of each uplink from 10 Gbps to 20 Gbps.

If one physical port is lost for any reason (a cable is unplugged or a switch port
fails, or one member switch is unavailable), the logical port transparently
continues to function over the remaining physical port.

The topology used in this example consists of one virtual chassis access switch and
one virtual chassis distribution switch. The access switch is composed of two
EX 4200-48P switches (SWA-0 and SWA-1), interconnected to each other with their
virtual chassis ports (VCPs) as member switches of Host-A. The distribution switch
is composed of two EX 4200-24F switches (SWD-0 and SWD-1), interconnected with
their VCPs as member switches of Host-D.
Each member of the access switch has an uplink module installed. Each uplink module
has two ports. The uplinks are configured to act as trunk ports, connecting the access
switch with the distribution switch. One uplink port from SWA-0 and one uplink port
from SWA-1 are combined as a LAG ae0 to SWD-0. This link is used for one VLAN.
The remaining uplink ports from SWA-0 and from SWA-1 are combined as a second
LAG, ae1, to SWD-1; ae1 is used for another VLAN.

Figure 16: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual
Chassis Distribution Switch

Table 45 details the topology used in this configuration example. The member ID of
each switch is the slot number in its interface names.

Table 45: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis
Distribution Switch

Switch  Hostname and VCID                   Base Hardware       Uplink Module                 Member ID  Trunk Port
SWA-0   Host-A access switch, VCID 1        EX 4200-48P switch  One EX-UM-2XFP uplink module  0          xe-0/1/0 to SWD-0
                                                                                                         xe-0/1/1 to SWD-1
SWA-1   Host-A access switch, VCID 1        EX 4200-48P switch  One EX-UM-2XFP uplink module  1          xe-1/1/0 to SWD-0
                                                                                                         xe-1/1/1 to SWD-1
SWD-0   Host-D distribution switch, VCID 4  EX 4200-24F switch  One EX-UM-2XFP uplink module  0          xe-0/1/0 to SWA-0
                                                                                                         xe-0/1/1 to SWA-1
SWD-1   Host-D distribution switch, VCID 4  EX 4200-24F switch  One EX-UM-2XFP uplink module  1          xe-1/1/0 to SWA-0
                                                                                                         xe-1/1/1 to SWA-1

Configuration
To configure two uplink LAGs from the virtual chassis access switch to the virtual
chassis distribution switch:

CLI Quick Configuration

To quickly configure aggregated Ethernet high-speed uplinks between a virtual chassis
access switch and a virtual chassis distribution switch, copy the following commands
and paste them into the switch terminal window:

[edit]
set chassis aggregated-devices ethernet device-count 2
set interfaces ae0 aggregated-ether-options minimum-links 2
set interfaces ae0 aggregated-ether-options link-speed 10g
set interfaces ae1 aggregated-ether-options minimum-links 2
set interfaces ae1 aggregated-ether-options link-speed 10g
set interfaces ae0 unit 0 family inet address 192.0.2.0/25
set interfaces ae1 unit 1 family inet address 192.0.2.128/25
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-1/1/0 ether-options 802.3ad ae0
set interfaces xe-0/1/1 ether-options 802.3ad ae1
set interfaces xe-1/1/1 ether-options 802.3ad ae1

Step-by-Step Procedure

To configure aggregated Ethernet high-speed uplinks between a virtual chassis access
switch and a virtual chassis distribution switch:

1. Specify the number of LAGs to be created on the chassis:
[edit chassis]
user@Host-A# set aggregated-devices ethernet device-count 2

2. Specify the number of links that need to be present for the ae0 LAG interface to be up:
[edit interfaces]
user@Host-A# set ae0 aggregated-ether-options minimum-links 2

3. Specify the number of links that need to be present for the ae1 LAG interface to be up:
[edit interfaces]
user@Host-A# set ae1 aggregated-ether-options minimum-links 2

4. Specify the media speed of the ae0 link:
[edit interfaces]
user@Host-A# set ae0 aggregated-ether-options link-speed 10g

5. Specify the media speed of the ae1 link:
[edit interfaces]
user@Host-A# set ae1 aggregated-ether-options link-speed 10g

6. Specify the interface IDs of the uplinks to be included in LAG ae0:
[edit interfaces]
user@Host-A# set xe-0/1/0 ether-options 802.3ad ae0
user@Host-A# set xe-1/1/0 ether-options 802.3ad ae0

7. Specify the interface IDs of the uplinks to be included in LAG ae1:
[edit interfaces]
user@Host-A# set xe-0/1/1 ether-options 802.3ad ae1
user@Host-A# set xe-1/1/1 ether-options 802.3ad ae1

8. Specify that LAG ae0 belongs to the subnet for the employee broadcast domain:
[edit interfaces]
user@Host-A# set ae0 unit 0 family inet address 192.0.2.0/25

9. Specify that LAG ae1 belongs to the subnet for the guest broadcast domain:
[edit interfaces]
user@Host-A# set ae1 unit 0 family inet address 192.0.2.128/25

Results

Display the results of the configuration:

[edit]
chassis {
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
interfaces {
    ae0 {
        aggregated-ether-options {
            link-speed 10g;
            minimum-links 2;
        }
        unit 0 {
            family inet {
                address 192.0.2.0/25;
            }
        }
    }
    ae1 {
        aggregated-ether-options {
            link-speed 10g;
            minimum-links 2;
        }
        unit 0 {
            family inet {
                address 192.0.2.128/25;
            }
        }
    }
    xe-0/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-1/1/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-0/1/1 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-1/1/1 {
        ether-options {
            802.3ad ae1;
        }
    }
}

Verification
To verify that switching is operational and two LAGs have been created, perform
these tasks:

Verifying That LAG ae0 Has Been Created on page 272

Verifying That LAG ae1 Has Been Created on page 273

Verifying That LAG ae0 Has Been Created

Purpose
Verify that LAG ae0 has been created on the switch.

Action
show interfaces ae0 terse
Interface               Admin Link Proto    Local                 Remote
ae0                     up    up
ae0.0                   up    up   inet     10.10.10.2/24

Meaning
The output confirms that the ae0 link is up and shows the family and IP address
assigned to this link.

Verifying That LAG ae1 Has Been Created

Purpose
Verify that LAG ae1 has been created on the switch.

Action
show interfaces ae1 terse
Interface               Admin Link Proto    Local                 Remote
ae1                     up    down
ae1.0                   up    down inet

Meaning
The output shows that the ae1 link is down.

Troubleshooting

Troubleshooting a LAG That Is Down

Problem
The show interfaces terse command shows that the LAG is down.

Solution
Check the following:

- Verify that there is no configuration mismatch.
- Verify that all member ports are up.
- Verify that the LAG is part of family ethernet-switching (Layer 2 LAG) or family inet (Layer 3 LAG).
- Verify that the LAG member is connected to the correct LAG at the other end.
- Verify that the LAG members belong to the same switch (or the same virtual chassis).

Related Topics

- Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 147
- Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 178
- Example: Connecting an Access Switch to a Distribution Switch on page 384
- Virtual Chassis Cabling Configuration Examples
- Installing an Uplink Module in an EX-series Switch

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch

EX-series switches allow you to combine one to eight Ethernet links into one logical
interface for higher bandwidth and redundancy. The ports that are combined in this
manner are referred to as a link aggregation group (LAG) or bundle. EX-series switches
allow you to further enhance these links by configuring Link Aggregation Control
Protocol (LACP).

This example describes how to overlay LACP on the LAG configurations that were
created in Example: Configuring Aggregated Ethernet High-Speed Uplinks Between
a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 172:

- Requirements on page 274
- Overview and Topology on page 274
- Configuring LACP for the LAGs on the Virtual Chassis Access Switch on page 275
- Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch on page 275
- Verification on page 276
- Troubleshooting on page 277

Requirements
This example uses the following software and hardware components:

- JUNOS Release 9.0 or later for EX-series switches
- Two EX-series 4200-48P switches
- Two EX-series 4200-24F switches
- Four EX-series EX-UM-2XFP uplink modules

Before you configure LACP, be sure you have:

- Installed your EX-series switches.
- Set up the virtual chassis switches. See Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet on page 147.
- Configured the uplink ports on the switches as trunk ports. See Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 293.
- Configured the LAGs. See Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 172.

Overview and Topology


This example assumes that you are already familiar with Example: Configuring
Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a
Virtual Chassis Distribution Switch. The topology in this example is exactly the same
as the topology in that example. This example shows how to use LACP to enhance the
LAG functionality.

LACP exchanges are made between actors (the transmitting link) and partners (the
receiving link). The LACP mode can be either active or passive.

NOTE: If the actor and partner are both in passive mode, they do not exchange LACP
packets, which results in the aggregated Ethernet links not coming up. By default,
LACP is in passive mode. To initiate transmission of LACP packets and responses to
LACP packets, you must enable LACP in active mode.

By default, the actor and partner send LACP packets every second. You can configure
the interval at which the interfaces send LACP packets by including the periodic
statement at the [edit interfaces interface-name aggregated-ether-options lacp] hierarchy
level. The interval can be fast (every second) or slow (every 30 seconds).

Configuring LACP for the LAGs on the Virtual Chassis Access Switch
To configure LACP for the access switch LAGs, perform these tasks:
CLI Quick Configuration

To quickly configure LACP for the access switch LAGs, copy the following commands
and paste them into the switch terminal window:
set interfaces ae0 aggregated-ether-options lacp active periodic fast
set interfaces ae1 aggregated-ether-options lacp active periodic fast

Step-by-Step Procedure

To configure LACP for Host-A LAGs ae0 and ae1:

1. Specify the aggregated Ethernet options for both bundles:
[edit interfaces]
user@Host-A# set ae0 aggregated-ether-options lacp active periodic fast
user@Host-A# set ae1 aggregated-ether-options lacp active periodic fast

Results

Display the results of the configuration:

aggregated-ether-options {
    lacp {
        active;
        periodic fast;
    }
}

Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch
To configure LACP for the two uplink LAGs from the virtual chassis access switch to
the virtual chassis distribution switch, perform these tasks:
CLI Quick Configuration

To quickly configure LACP for the distribution switch LAGs, copy the following
commands and paste them into the switch terminal window:
[edit interfaces]
set ae0 aggregated-ether-options lacp passive periodic fast
set ae1 aggregated-ether-options lacp passive periodic fast

Step-by-Step Procedure

To configure LACP for Host-D LAGs ae0 and ae1:

1. Specify the aggregated Ethernet options for both bundles:
[edit interfaces]
user@Host-D# set ae0 aggregated-ether-options lacp passive periodic fast
user@Host-D# set ae1 aggregated-ether-options lacp passive periodic fast

Results

Display the results of the configuration:

aggregated-ether-options {
    lacp {
        passive;
        periodic fast;
    }
}
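
The following Python script is an added example, not part of this guide or of JUNOS: it audits the set commands of the LAG procedure above (Host-A) together with the LACP configuration of both switches for the conditions the two troubleshooting sections list, namely a device-count lower than the number of ae interfaces, minimum-links higher than the member count, all members on one Virtual Chassis member, LACP configured at one end only, and LACP passive at both ends. The Host-D LAG lines are an assumption that mirrors Host-A, since the page gives only Host-D's LACP lines.

```python
"""Audit the LAG and LACP 'set' commands of the two examples above (added example)."""
import re
from collections import defaultdict

# Constructed input. Host-A: the page's CLI Quick Configuration for the LAGs plus its
# LACP lines (802.3ad is the statement the page prints as 802.ad). Host-D: the page
# gives only the LACP lines, so its LAG lines are assumed to mirror Host-A.
HOST_A = """\
set chassis aggregated-devices ethernet device-count 2
set interfaces ae0 aggregated-ether-options minimum-links 2
set interfaces ae0 aggregated-ether-options link-speed 10g
set interfaces ae1 aggregated-ether-options minimum-links 2
set interfaces ae1 aggregated-ether-options link-speed 10g
set interfaces ae0 unit 0 family inet address 192.0.2.0/25
set interfaces ae1 unit 0 family inet address 192.0.2.128/25
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-1/1/0 ether-options 802.3ad ae0
set interfaces xe-0/1/1 ether-options 802.3ad ae1
set interfaces xe-1/1/1 ether-options 802.3ad ae1
set interfaces ae0 aggregated-ether-options lacp active periodic fast
set interfaces ae1 aggregated-ether-options lacp active periodic fast
"""
HOST_D = """\
set chassis aggregated-devices ethernet device-count 2
set interfaces ae0 aggregated-ether-options minimum-links 2
set interfaces ae1 aggregated-ether-options minimum-links 2
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-1/1/0 ether-options 802.3ad ae0
set interfaces xe-0/1/1 ether-options 802.3ad ae1
set interfaces xe-1/1/1 ether-options 802.3ad ae1
set interfaces ae0 aggregated-ether-options lacp passive periodic fast
set interfaces ae1 aggregated-ether-options lacp passive periodic fast
"""


def new_bundle():
    # minimum-links defaults to 1; lacp None means a static LAG (no lacp statement)
    return {"members": [], "minimum_links": 1, "lacp": None}


def parse_set_commands(text):
    """Reduce 'set ...' lines to {'device_count': n, 'bundles': {'ae0': {...}, ...}}."""
    cfg = {"device_count": 0, "bundles": defaultdict(new_bundle)}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "set":
            continue
        if tok[1] == "chassis" and "device-count" in tok:
            cfg["device_count"] = int(tok[tok.index("device-count") + 1])
        elif tok[1] == "interfaces" and "802.3ad" in tok:
            # 'set interfaces xe-0/1/0 ether-options 802.3ad ae0': xe-0/1/0 joins ae0
            cfg["bundles"][tok[tok.index("802.3ad") + 1]]["members"].append(tok[2])
        elif tok[1] == "interfaces" and "aggregated-ether-options" in tok:
            bundle = cfg["bundles"][tok[2]]
            if "minimum-links" in tok:
                bundle["minimum_links"] = int(tok[tok.index("minimum-links") + 1])
            if "lacp" in tok:
                # the page: LACP runs in passive mode unless 'active' is configured
                bundle["lacp"] = "active" if "active" in tok[tok.index("lacp"):] else "passive"
    return cfg


def vc_member(ifname):
    """FPC slot of an EX interface name (xe-1/1/0 -> 1) is the Virtual Chassis member ID."""
    return int(re.match(r"[a-z]+-(\d+)/\d+/\d+$", ifname).group(1))


def audit(local_text, remote_text, local="Host-A", remote="Host-D"):
    """Return findings for the failure modes the page's troubleshooting sections list."""
    findings = []
    ends = {local: parse_set_commands(local_text), remote: parse_set_commands(remote_text)}
    for host, cfg in ends.items():
        if cfg["device_count"] < len(cfg["bundles"]):
            findings.append(f"{host}: device-count {cfg['device_count']} < {len(cfg['bundles'])} ae interfaces")
        for ae, b in sorted(cfg["bundles"].items()):
            if b["minimum_links"] > len(b["members"]):
                findings.append(f"{host} {ae}: minimum-links {b['minimum_links']} > {len(b['members'])} members, LAG can never come up")
            if len({vc_member(m) for m in b["members"]}) < 2:
                findings.append(f"{host} {ae}: all members on one Virtual Chassis member, no member-switch redundancy")
    a, d = ends[local]["bundles"], ends[remote]["bundles"]
    for ae in sorted(set(a) | set(d)):
        ba, bd = a.get(ae, new_bundle()), d.get(ae, new_bundle())
        if len(ba["members"]) != len(bd["members"]):
            findings.append(f"{ae}: {len(ba['members'])} members on {local} but {len(bd['members'])} on {remote}")
        if (ba["lacp"] is None) != (bd["lacp"] is None):
            findings.append(f"{ae}: LACP configured at one end only")
        elif ba["lacp"] == "passive" and bd["lacp"] == "passive":
            findings.append(f"{ae}: LACP passive at both ends, no LACP PDUs will be exchanged")
    return findings


if __name__ == "__main__":
    for finding in audit(HOST_A, HOST_D) or ["no findings"]:
        print(finding)
```

With the page's values the audit reports nothing; changing Host-A to lacp passive reproduces the both-passive condition the NOTE above warns about.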

Verification
To verify that LACP packets are being exchanged, perform these tasks:

Verifying the LACP Settings on page 276

Verifying That the LACP Packets Are Being Exchanged on page 277

Verifying the LACP Settings

Purpose
Verify that LACP has been set up correctly.

Action
Use the show lacp interfaces interface-name command to check that LACP has been
enabled as active on one end.

show lacp interfaces xe-0/1/0
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No   Yes    No   No   No   Yes     Fast    Active
      xe-0/1/0     Partner    No   Yes    No   No   No   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/0              Defaulted   Fast periodic           Detached

Meaning
The output indicates that LACP has been set up correctly and is active at one end.


Verifying That the LACP Packets Are Being Exchanged

Purpose
Verify that LACP packets are being exchanged.

Action
Use the show interfaces lag-name statistics command to display LACP information.

show interfaces ae0 statistics
Physical interface: ae0, Enabled, Physical link is Down
  Interface index: 153, SNMP ifIndex: 30
  Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1,
  Minimum bandwidth needed: 0
  Device flags   : Present Running
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Current address: 02:19:e2:50:45:e0, Hardware address: 02:19:e2:50:45:e0
  Last flapped   : Never
  Statistics last cleared: Never
  Input packets : 0
  Output packets: 0
  Input errors: 0, Output errors: 0

  Logical interface ae0.0 (Index 71) (SNMP ifIndex 34)
    Flags: Hardware-Down Device-Down SNMP-Traps Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :             0          0             0            0
        Output:             0          0             0            0
    Protocol inet, MTU: 1500
      Flags: None
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 10.10.10/24, Local: 10.10.10.1, Broadcast: 10.10.10.255

Meaning
The output shows that the link is down and that no LACP PDUs are being exchanged.

Troubleshooting
These are some tips for troubleshooting:

Troubleshooting Nonworking LACP Link

Problem
The LACP link is not working.

Solution
Check the following:

- Remove the LACP configuration and verify whether the static LAG is up.
- Verify that LACP is configured at both ends.
- Verify that LACP is not passive at both ends.
- Verify whether LACP protocol data units are being exchanged by running the monitor traffic interface lag-member detail command.

Related Topics

- Example: Connecting an Access Switch to a Distribution Switch on page 384
- Virtual Chassis Cabling Configuration Examples
- Installing an Uplink Module in an EX-series Switch

Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch

In a large LAN, you commonly need to partition the network into multiple VLANs. You
can configure Layer 3 subinterfaces to route traffic between the VLANs. In one common
topology, known as a "router on a stick" or a "one-armed router", you connect a router
to an access switch with connections to multiple VLANs.

This example describes how to create Layer 3 subinterfaces on trunk interfaces of a
distribution switch and access switch so that you can route traffic among multiple
VLANs:

Requirements on page 279

Overview and Topology on page 279

Configuring the Access Switch Subinterfaces on page 280

Configuring the Distribution Switch Subinterfaces on page 282

Verification on page 285

Requirements
This example uses the following hardware and software components:

- For the distribution switch, one EX 4200-24F switch. This model is designed to be used as a distribution switch for aggregation or collapsed core network topologies and in space-constrained data centers. It has twenty-four 1-Gigabit Ethernet fiber SFP ports and an EX-UM-2XFP uplink module with two 10-Gigabit Ethernet XFP ports.
- For the access switch, any Layer 2 switch that supports 802.1Q VLAN tags.
- JUNOS Release 9.2 or later for EX-series switches.

Before you connect the switches, make sure you have:

- Connected the two switches.
- Configured the necessary VLANs. See Configuring VLANs for EX-series Switches (CLI Procedure) on page 409 or Configuring VLANs for EX-series Switches (J-Web Procedure) on page 407.

Overview and Topology


In a large office with multiple buildings and VLANs, you commonly aggregate traffic
from a number of access switches into a distribution switch. This configuration
example shows a simple topology to illustrate how to connect a single Layer 2 access
switch, itself connected to multiple VLANs, to a distribution switch, enabling traffic
to pass between those VLANs.

In the example topology, the LAN is segmented into five VLANs, all associated with
interfaces on the access switch. One 1-Gigabit Ethernet port on the access switch's
uplink module connects to one 1-Gigabit Ethernet port on the distribution switch.

Table 46 on page 280 lists the settings for the example topology.
Table 46: Components of the Topology for Creating Layer 3 Subinterfaces on an Access Switch and a Distribution Switch

| Property | Settings |
|----------|----------|
| Access switch hardware | Any Layer 2 switch with multiple 1-Gigabit Ethernet ports and at least one 1-Gigabit Ethernet uplink module |
| Distribution switch hardware | EX 4200-24F, 24 1-Gigabit Ethernet fiber SFP ports (ge-0/0/0 through ge-0/0/23); one 2-port 10-Gigabit Ethernet XFP uplink module (EX-UM-4SFP) |
| VLAN names and tag IDs | vlan1, tag 101; vlan2, tag 102; vlan3, tag 103; vlan4, tag 104; vlan5, tag 105 |
| VLAN subnets | vlan1: 1.1.1.0/24 (addresses 1.1.1.1 through 1.1.1.254); vlan2: 2.1.1.0/24 (addresses 2.1.1.1 through 2.1.1.254); vlan3: 3.1.1.0/24 (addresses 3.1.1.1 through 3.1.1.254); vlan4: 4.1.1.0/24 (addresses 4.1.1.1 through 4.1.1.254); vlan5: 5.1.1.0/24 (addresses 5.1.1.1 through 5.1.1.254) |
| Port interfaces | On the access switch: ge-0/1/0; on the distribution switch: ge-0/0/0 |

Configuring the Access Switch Subinterfaces


CLI Quick Configuration

To quickly create and configure subinterfaces on the access switch, copy the following
commands and paste them into the switch terminal window:
[edit]
set interfaces ge-0/1/0 vlan-tagging
set interfaces ge-0/1/0 unit 0 vlan-id 101
set interfaces ge-0/1/0 unit 0 family inet address 1.1.1.1/24
set interfaces ge-0/1/0 unit 1 vlan-id 102
set interfaces ge-0/1/0 unit 1 family inet address 2.1.1.1/24
set interfaces ge-0/1/0 unit 2 vlan-id 103
set interfaces ge-0/1/0 unit 2 family inet address 3.1.1.1/24
set interfaces ge-0/1/0 unit 3 vlan-id 104
set interfaces ge-0/1/0 unit 3 family inet address 4.1.1.1/24
set interfaces ge-0/1/0 unit 4 vlan-id 105
set interfaces ge-0/1/0 unit 4 family inet address 5.1.1.1/24

Step-by-Step Procedure

To configure the subinterfaces on the access switch:

1. On the trunk interface of the access switch, enable VLAN tagging:
[edit interfaces ge-0/1/0]
user@access-switch# set vlan-tagging

2. Bind vlan1's VLAN ID to the logical interface:
[edit interfaces ge-0/1/0]
user@access-switch# set unit 0 vlan-id 101

3. Set vlan1's subinterface IP address:
[edit interfaces ge-0/1/0]
user@access-switch# set unit 0 family inet address 1.1.1.1/24

4. Bind vlan2's VLAN ID to the logical interface:
[edit interfaces ge-0/1/0]
user@access-switch# set unit 1 vlan-id 102

5. Set vlan2's subinterface IP address:
[edit interfaces ge-0/1/0]
user@access-switch# set unit 1 family inet address 2.1.1.1/24

6. Bind vlan3's VLAN ID to the logical interface:
[edit interfaces ge-0/1/0]
user@access-switch# set unit 2 vlan-id 103

7. Set vlan3's subinterface IP address:
[edit interfaces ge-0/1/0]
user@access-switch# set unit 2 family inet address 3.1.1.1/24

8. Bind vlan4's VLAN ID to the logical interface:
[edit interfaces ge-0/1/0]
user@access-switch# set unit 3 vlan-id 104

9. Set vlan4's subinterface IP address:
[edit interfaces ge-0/1/0]
user@access-switch# set unit 3 family inet address 4.1.1.1/24

10. Bind vlan5's VLAN ID to the logical interface:
[edit interfaces ge-0/1/0]
user@access-switch# set unit 4 vlan-id 105

11. Set vlan5's subinterface IP address:
[edit interfaces ge-0/1/0]
user@access-switch# set unit 4 family inet address 5.1.1.1/24

Results

Check the results of the configuration:


user@access-switch> show configuration
interfaces {
    ge-0/1/0 {
        vlan-tagging;
        unit 0 {
            vlan-id 101;
            family inet {
                address 1.1.1.1/24;
            }
        }
        unit 1 {
            vlan-id 102;
            family inet {
                address 2.1.1.1/24;
            }
        }
        unit 2 {
            vlan-id 103;
            family inet {
                address 3.1.1.1/24;
            }
        }
        unit 3 {
            vlan-id 104;
            family inet {
                address 4.1.1.1/24;
            }
        }
        unit 4 {
            vlan-id 105;
            family inet {
                address 5.1.1.1/24;
            }
        }
    }
}

Configuring the Distribution Switch Subinterfaces


CLI Quick Configuration

To quickly create and configure subinterfaces on the distribution switch, copy the
following commands and paste them into the switch terminal window:
[edit]
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 0 vlan-id 101
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24
set interfaces ge-0/0/0 unit 1 vlan-id 102
set interfaces ge-0/0/0 unit 1 family inet address 2.1.1.2/24
set interfaces ge-0/0/0 unit 2 vlan-id 103
set interfaces ge-0/0/0 unit 2 family inet address 3.1.1.2/24
set interfaces ge-0/0/0 unit 3 vlan-id 104
set interfaces ge-0/0/0 unit 3 family inet address 4.1.1.2/24
set interfaces ge-0/0/0 unit 4 vlan-id 105
set interfaces ge-0/0/0 unit 4 family inet address 5.1.1.2/24

Step-by-Step Procedure

To configure subinterfaces on the distribution switch:

1. On the trunk interface of the distribution switch, enable VLAN tagging:
[edit interfaces ge-0/0/0]
user@distribution-switch# set vlan-tagging

2. Bind vlan1's VLAN ID to the logical interface:
[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 0 vlan-id 101

3. Set vlan1's subinterface IP address:
[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 0 family inet address 1.1.1.2/24

4. Bind vlan2's VLAN ID to the logical interface:
[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 1 vlan-id 102

5. Set vlan2's subinterface IP address:
[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 1 family inet address 2.1.1.2/24

6. Bind vlan3's VLAN ID to the logical interface:
[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 2 vlan-id 103

7. Set vlan3's subinterface IP address:
[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 2 family inet address 3.1.1.2/24

8. Bind vlan4's VLAN ID to the logical interface:
[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 3 vlan-id 104

9. Set vlan4's subinterface IP address:
[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 3 family inet address 4.1.1.2/24

10. Bind vlan5's VLAN ID to the logical interface:
[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 4 vlan-id 105

11. Set vlan5's subinterface IP address:
[edit interfaces ge-0/0/0]
user@distribution-switch# set unit 4 family inet address 5.1.1.2/24

Results

user@distribution-switch> show configuration
interfaces {
    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            vlan-id 101;
            family inet {
                address 1.1.1.2/24;
            }
        }
        unit 1 {
            vlan-id 102;
            family inet {
                address 2.1.1.2/24;
            }
        }
        unit 2 {
            vlan-id 103;
            family inet {
                address 3.1.1.2/24;
            }
        }
        unit 3 {
            vlan-id 104;
            family inet {
                address 4.1.1.2/24;
            }
        }
        unit 4 {
            vlan-id 105;
            family inet {
                address 5.1.1.2/24;
            }
        }
    }
}
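
As an added example that is not part of this guide, the following Python parses the two show configuration listings above (the access switch and the distribution switch) and cross-checks every Layer 3 subinterface pair: vlan-tagging enabled on both trunks, each vlan-id present at both ends, matching subnets, and distinct addresses. It then lists the distribution-side addresses that the Verification section below pings. The parser and the sample configuration text are constructed for this example.

```python
"""Cross-check the Layer 3 subinterface pairs of the access and distribution switches."""
import ipaddress
import re

# Constructed input: the page's two 'show configuration' listings, each unit written
# on one line (JUNOS braces do not depend on indentation or line breaks). The
# distribution switch differs only in interface name and host address.
ACCESS = """
interfaces {
    ge-0/1/0 {
        vlan-tagging;
        unit 0 { vlan-id 101; family inet { address 1.1.1.1/24; } }
        unit 1 { vlan-id 102; family inet { address 2.1.1.1/24; } }
        unit 2 { vlan-id 103; family inet { address 3.1.1.1/24; } }
        unit 3 { vlan-id 104; family inet { address 4.1.1.1/24; } }
        unit 4 { vlan-id 105; family inet { address 5.1.1.1/24; } }
    }
}
"""
DISTRIBUTION = ACCESS.replace("ge-0/1/0", "ge-0/0/0").replace(".1.1.1/24", ".1.1.2/24")


def parse_junos(text):
    """Parse curly-brace JUNOS configuration into nested dicts.

    'vlan-tagging;' -> {'vlan-tagging': True}, 'vlan-id 101;' -> {'vlan-id': '101'},
    'unit 0 { ... }' -> {'unit 0': {...}}. A repeated key (several addresses under one
    family) would overwrite the earlier one; the page's configs have one address per unit.
    """
    root, stack, pending = {}, [], ""
    node = root
    for tok in re.findall(r"[^{};]+|[{};]", text):
        tok = tok.strip()
        if not tok:
            continue
        if tok == "{":                # open the block named by the pending words
            node[pending] = {}
            stack.append(node)
            node = node[pending]
        elif tok == "}":              # return to the parent block
            node = stack.pop()
        elif tok == ";":              # terminate a leaf statement
            words = pending.split()
            if len(words) == 1:
                node[words[0]] = True
            else:
                node[" ".join(words[:-1])] = words[-1]
        else:
            pending = tok
    return root


def subinterfaces(cfg, ifname):
    """Map vlan-id -> (unit number, IPv4Interface) for one trunk interface."""
    result = {}
    for key, body in cfg["interfaces"][ifname].items():
        if key.startswith("unit ") and isinstance(body, dict):
            addr = ipaddress.ip_interface(body["family inet"]["address"])
            result[int(body["vlan-id"])] = (key.split()[1], addr)
    return result


def check_pairs(access_cfg, access_if, dist_cfg, dist_if):
    """Return (findings, ping_targets): the problems found and, for each VLAN whose
    two ends agree, the distribution-side address to ping from the access switch."""
    findings, targets = [], []
    for ifname, cfg in ((access_if, access_cfg), (dist_if, dist_cfg)):
        if cfg["interfaces"][ifname].get("vlan-tagging") is not True:
            findings.append(f"{ifname}: vlan-tagging is not enabled (step 1 of the procedure)")
    acc, dist = subinterfaces(access_cfg, access_if), subinterfaces(dist_cfg, dist_if)
    for vid in sorted(set(acc) | set(dist)):
        if vid not in acc or vid not in dist:
            findings.append(f"vlan-id {vid}: configured on one end only")
            continue
        (_, a), (_, d) = acc[vid], dist[vid]
        if a.network != d.network:
            findings.append(f"vlan-id {vid}: subnets differ ({a.network} vs {d.network})")
        elif a.ip == d.ip:
            findings.append(f"vlan-id {vid}: the same address {a.ip} is used at both ends")
        else:
            targets.append(str(d.ip))
    return findings, targets


if __name__ == "__main__":
    problems, pings = check_pairs(parse_junos(ACCESS), "ge-0/1/0",
                                  parse_junos(DISTRIBUTION), "ge-0/0/0")
    for problem in problems:
        print("FINDING:", problem)
    for ip in pings:
        print(f"user@access-switch> ping {ip} count 4")
```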

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying That Subinterfaces Were Created on page 285

Verifying That Traffic Passes Between VLANs on page 285

Verifying That Subinterfaces Were Created

Purpose
Verify that the subinterfaces were properly created on the access switch and
distribution switch.

Action
1. Use the show interfaces command on the access switch:

user@access-switch> show interfaces ge-0/1/0 terse
Interface               Admin Link Proto    Local                 Remote
ge-0/1/0                up    up
ge-0/1/0.0              up    up   inet     1.1.1.1/24
ge-0/1/0.1              up    up   inet     2.1.1.1/24
ge-0/1/0.2              up    up   inet     3.1.1.1/24
ge-0/1/0.3              up    up   inet     4.1.1.1/24
ge-0/1/0.4              up    up   inet     5.1.1.1/24
ge-0/1/0.32767          up    up

2. Use the show interfaces command on the distribution switch:

user@distribution-switch> show interfaces ge-0/0/0 terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     1.1.1.2/24
ge-0/0/0.1              up    up   inet     2.1.1.2/24
ge-0/0/0.2              up    up   inet     3.1.1.2/24
ge-0/0/0.3              up    up   inet     4.1.1.2/24
ge-0/0/0.4              up    up   inet     5.1.1.2/24
ge-0/0/0.32767          up    up

Meaning
Each subinterface created is displayed as a ge-chassis/slot/port.x logical interface,
where x is the unit number in the configuration. The status is listed as up, indicating
the link is working.

Verifying That Traffic Passes Between VLANs

Purpose
Verify that the distribution switch is correctly routing traffic from one VLAN to another.

Action
Ping from the access switch to the distribution switch on each subinterface.

1. From the access switch, ping the address of the vlan1 subinterface on the
distribution switch:
user@access-switch> ping 1.1.1.2 count 4
PING 1.1.1.2 (1.1.1.2): 56 data bytes
64 bytes from 1.1.1.2: icmp_seq=0 ttl=64 time=0.333 ms
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.113 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.112 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.158 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.112/0.179/0.333/0.091 ms

2. From the access switch, ping the address of the vlan2 subinterface on the
distribution switch:
user@access-switch> ping 2.1.1.2 count 4
PING 2.1.1.2 (2.1.1.2): 56 data bytes
64 bytes from 2.1.1.2: icmp_seq=0 ttl=64 time=0.241 ms
64 bytes from 2.1.1.2: icmp_seq=1 ttl=64 time=0.113 ms
64 bytes from 2.1.1.2: icmp_seq=2 ttl=64 time=0.162 ms
64 bytes from 2.1.1.2: icmp_seq=3 ttl=64 time=0.167 ms

--- 2.1.1.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.113/0.171/0.241/0.046 ms

3. From the access switch, ping the address of the vlan3 subinterface on the
distribution switch:
user@access-switch> ping 3.1.1.2 count 4
PING 3.1.1.2 (3.1.1.2): 56 data bytes
64 bytes from 3.1.1.2: icmp_seq=0 ttl=64 time=0.341 ms
64 bytes from 3.1.1.2: icmp_seq=1 ttl=64 time=0.162 ms
64 bytes from 3.1.1.2: icmp_seq=2 ttl=64 time=0.112 ms
64 bytes from 3.1.1.2: icmp_seq=3 ttl=64 time=0.208 ms

--- 3.1.1.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.112/0.206/0.341/0.085 ms

4. From the access switch, ping the address of the vlan4 subinterface on the
distribution switch:
user@access-switch> ping 4.1.1.2 count 4
PING 4.1.1.2 (4.1.1.2): 56 data bytes
64 bytes from 4.1.1.2: icmp_seq=0 ttl=64 time=0.226 ms
64 bytes from 4.1.1.2: icmp_seq=1 ttl=64 time=0.166 ms
64 bytes from 4.1.1.2: icmp_seq=2 ttl=64 time=0.107 ms
64 bytes from 4.1.1.2: icmp_seq=3 ttl=64 time=0.221 ms

--- 4.1.1.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.107/0.180/0.226/0.048 ms

5. From the access switch, ping the address of the vlan5 subinterface on the
distribution switch:
user@access-switch> ping 5.1.1.2 count 4
PING 5.1.1.2 (5.1.1.2): 56 data bytes
64 bytes from 5.1.1.2: icmp_seq=0 ttl=64 time=0.224 ms
64 bytes from 5.1.1.2: icmp_seq=1 ttl=64 time=0.104 ms
64 bytes from 5.1.1.2: icmp_seq=2 ttl=64 time=0.102 ms
64 bytes from 5.1.1.2: icmp_seq=3 ttl=64 time=0.170 ms

--- 5.1.1.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.102/0.150/0.224/0.051 ms

Meaning
If all the ping packets are transmitted and are received by the destination address,
the subinterfaces are up and working.

Related Topics

- Example: Connecting an Access Switch to a Distribution Switch on page 384
- Configuring a Layer 3 Subinterface (CLI Procedure)

Chapter 24

Configuring Interfaces

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 293

Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 295

Configuring Link Aggregation (J-Web Procedure) on page 296

Configuring Aggregated Ethernet LACP (CLI Procedure) on page 297

Configuring Gigabit Ethernet Interfaces (J-Web Procedure)

An Ethernet interface must be configured for optimal performance in a high-traffic
network.

To configure properties on a Gigabit Ethernet interface or 10-Gigabit Ethernet
interface on an EX-series switch:

1. Select the Interfaces option from the Configure menu.

2. Select the option Ports. The page lists all the Gigabit Ethernet and 10-Gigabit
Ethernet interfaces and their link status. When you select a particular interface,
the interface details and the properties you can configure on the interface are
displayed.

3. Configure the interface by selecting options in the Edit menu. See Table 47 on
page 290 for details on the options. You can select multiple interfaces and modify
their settings.

NOTE: When you select multiple interfaces at the same time, you cannot modify the
IP address or enable or disable the administrative status of the selected interfaces.

4. Click Enable Port/Disable Port to enable or disable the administrative status on
the selected port.

Table 47: Port Edit Options


Field

Function

Your Action

Specifies the role assigned to the port.

The options available are:

NOTE: Once a port role is configured on


the interface, you cannot specify VLAN
options and IP options.

DefaultThe default configuration


is applied.

Desktop

Port Role

Port Role

Select an existing VLAN


configuration or a new VLAN
configuration to be associated with
the port.

Depending on the profile selected, the


corresponding configuration is applied:

290

DefaultInterface family is set to


ethernet-switching, port mode is set
to access, and RSTP protocol is
enabled if redundant trunk groups
are not configured.
DesktopInterface family is set to
ethernet-switching, port mode is set
to access, RSTP is enabled with the
edge and point-to-point options if the
interfaces are not part of any
redundant trunk groups, and port
security parameters (MAC limit =1;
dynamic ARP Inspection and DHCP
snooping enabled) are set.
Desktop and PhoneInterface
family is set to ethernet-switching,
port mode is set to access, port
security parameters (MAC limit =1;
dynamic ARP Inspection, DHCP
snooping enabled) are set, and
recommended CoS parameters are
specified for forwarding classes,
schedulers, and classifiers. See
Table 48 on page 292 for more
information.
Wireless Access PointInterface
family is set to ethernet-switching,
port mode is set to access, RSTP is
enabled with the edge and
point-to-point options if the
interfaces are not part of any
redundant trunk groups.

Routed UplinkPort family is set


to inet, and recommended CoS
parameters are set for schedulers
and classifiers. See
Table 48 on page 292 for more
information.

Layer 2 UplinkInterface family is


set to ethernet-switching, port mode
is set to trunk, RSTP is enabled with
the edge and point-to-point options
if the interfaces are not part of any
redundant trunk groups, and port
security is set to dhcp-trusted.

Configuring Gigabit Ethernet Interfaces (J-Web Procedure)

Desktop and Phone


Select an existing VLAN
configuration or a new VLAN
configuration to be associated with
the port.
You can also select an existing VoIP
VLAN configuration or a new VoIP
VLAN configuration to be associated
with the port.

Wireless Access Point


Select an existing VLAN
configuration or a new VLAN
configuration to be associated with
the port. For a new VLAN, VLAN ID
is a mandatory options.

Routed Uplink
Specify the IP address and the
subnet mask.

Layer 2 Uplink
For this port role you can associate
a native VLAN. To create a
redundant trunk group, specify the
group name and select the
secondary interface.

NoneNo port role is configured


for the selected interface.

Select the option and click OK.


NOTE: Refer to Port Role Configuration
with the J-Web InterfaceCLI
Reference on page 304 for the CLI
command reference.

Chapter 24: Configuring Interfaces

Table 47: Port Edit Options (continued)

Field / Function / Your Action

VLAN Options

Port Mode
Function: Specifies the mode of operation for the port: trunk or access.
Your Action: If you select Trunk, you can:
  1. Click Add to add a VLAN member.
  2. Select the VLAN and click OK.
  3. (Optional) Associate a native VLAN with the interface.
If you select Access, you can:
  1. Select the VLAN member to be associated with the interface.
  2. (Optional) Associate a VoIP VLAN with the interface. Only a VLAN with a
     VLAN ID can be associated as a VoIP VLAN.
  3. Click OK.

Link Options

MTU (bytes)
Function: Specifies the maximum transmission unit size for the interface.
Your Action: Type a value from 256 through 9216 bytes. The default MTU for
Gigabit Ethernet interfaces is 1514.

Speed
Function: Specifies the link speed.
Your Action: Select one of the following values: 10 Mbps, 100 Mbps, 1000 Mbps,
or 10 Gbps.

Duplex
Function: Specifies the link mode.
Your Action: Select one: automatic, half-duplex, or full-duplex.

Description
Function: Describes the link.
Your Action: Enter a brief description for the link.

NOTE: If the port is part of an aggregate, only the Description option is
enabled.

Enable Auto Negotiation
Function: Enables or disables autonegotiation.
Your Action: Select the checkbox to enable autonegotiation, or clear the
checkbox to disable it. By default, autonegotiation is enabled.

Enable Flow Control
Function: Enables or disables flow control.
Your Action: Select the checkbox to enable flow control to regulate the amount
of traffic sent out of the interface, or clear the checkbox to disable flow
control and permit unrestricted traffic. Flow control is disabled by default.

IP Options


Enable IP Address
Function: Specifies an IP address for the interface.
Your Action:
  1. Select the checkbox to enable IP settings.
     NOTE: If the IP address is cleared, the interface belongs to the inet
     family.
  2. Type an IP address, for example: 10.10.10.10
  3. Enter the subnet mask or address prefix. For example, 24 bits represents
     255.255.255.0.
  4. Click OK.

Table 48: Recommended CoS Settings for Port Roles

CoS Parameter / Recommended Settings

Forwarding Classes
There are 4 forwarding classes:
  voice: queue number is set to 7.
  expedited-forwarding: queue number is set to 5.
  assured-forwarding: queue number is set to 1.
  best-effort: queue number is set to 0.

Schedulers
The schedulers and their settings are:
  strict-priority-scheduler: transmission rate is set to 10 percent, buffer size
  to 5 percent, and priority to strict-high.
  expedited-scheduler: transmission rate is set to 30 percent, buffer size to 30
  percent, and priority to low.
  assured-scheduler: transmission rate is set to 25 percent, buffer size to 25
  percent, and priority to low.
  best-effort-scheduler: transmission rate is set to 35 percent, buffer size to
  40 percent, and priority to low.

Scheduler maps
When the desktop and phone, routed uplink, or Layer 2 uplink role is applied to
an interface, the forwarding classes and schedulers are mapped using the
scheduler map.

ieee-802.1 classifier
Imports the default ieee-802.1 classifier configuration, and sets loss priority
to low for code point 101 for the voice forwarding class.

dscp classifier
Imports the default dscp classifier configuration, and sets loss priority to
low for code point 101110 for the voice forwarding class.

Related Topics


Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 293

EX-series Switches Interfaces Overview on page 259

Monitoring Interface Status and Traffic on page 299


Configuring Gigabit Ethernet Interfaces (CLI Procedure)


An Ethernet interface must be configured for optimal performance in a high-traffic
network. EX-series switches include a factory default configuration that:

  Enables all the network interfaces on the switch

  Sets a default port mode (access)

  Sets default link settings

  Specifies a logical unit (unit 0) and assigns it to family ethernet-switching

  Enables Spanning Tree Protocol (STP) and Link Layer Discovery Protocol (LLDP)

This topic describes:

Configuring VLAN Options and Port Mode on page 293

Configuring the Link Settings on page 293

Configuring the IP Options on page 294

Configuring VLAN Options and Port Mode


The factory default configuration includes a default VLAN and enables interfaces for
the access port mode. Access interfaces typically connect to network devices such
as PCs, printers, IP telephones, and IP cameras.
If you are connecting a desktop phone, a wireless access point, or a security camera
to a PoE port, you can configure some parameters for the PoE interface. The PoE
interfaces are enabled by default. For detailed information on the PoE settings, see
Configuring PoE (CLI Procedure) on page 1099.
If you are connecting the interface to other switches or to routers on the LAN, you
need to configure a logical unit on the interface and configure that logical unit as
a trunk port. See Port Role Configuration with the J-Web Interface: CLI Reference on
page 304 for more information about port configuration.
To configure a Gigabit Ethernet interface or 10-Gigabit Ethernet interface for trunk
port mode:

[edit]
user@switch# set interfaces interface-name unit logical-unit-number family ethernet-switching port-mode trunk

Configuring the Link Settings


EX-series switches include a factory default configuration that enables interfaces with
the following link settings:

  All the Gigabit Ethernet interfaces are set to auto-negotiation.

  The speed for Gigabit Ethernet interfaces is set to auto, allowing the interface to
  operate at 10m, 100m, or 1g. The link operates at the highest possible speed,
  depending on the capabilities of the remote end.


  The flow control for Gigabit Ethernet interfaces and 10-Gigabit Ethernet interfaces
  is set to enabled.

  The link mode is set to auto, allowing the interface to operate as either full duplex
  or half duplex. The link operates as full duplex unless this mode is not supported
  at the remote end.

  The 10-Gigabit Ethernet interfaces (for the EX-UM-2XFP uplink module) default
  to no auto-negotiation. The default speed is 10g and the default link mode is full
  duplex.

To configure the link settings:

  Set link settings for a Gigabit Ethernet interface:

  [edit]
  user@switch# set interfaces ge-fpc/pic/port ether-options

  Set link settings for a 10-Gigabit Ethernet interface:

  [edit]
  user@switch# set interfaces xe-fpc/1/port ether-options

NOTE: An uplink module in an EX-series switch is always PIC 1. The 10-Gigabit
Ethernet interface is available only with the EX-UM-2XFP uplink module.

The ether-options statement allows you to modify the configuration for:

  802.3ad: Specify an aggregated Ethernet bundle. See Configuring Aggregated
  Ethernet Interfaces (CLI Procedure) on page 295.

  auto-negotiation: Enable or disable auto-negotiation of flow control, link mode,
  and speed.

  flow-control: Enable or disable flow control.

  link-mode: Specify full-duplex, half-duplex, or automatic.

  speed: Specify 10m, 100m, 1g, or auto-negotiation.

Configuring the IP Options


To specify an IP address for the logical unit:

[edit]
user@switch# set interfaces interface-name unit logical-unit-number family inet address ip-address

Related Topics


Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289

Monitoring Interface Status and Traffic on page 299


show interfaces on page 332

show interfaces on page 342

Understanding Interface Naming Conventions on EX-series Switches on page 261

Configuring Aggregated Ethernet Interfaces (CLI Procedure)


Use the link aggregation feature to aggregate one or more links to form a virtual link
or aggregation group. The MAC client can treat this virtual link as if it were a single
link. Link aggregation increases bandwidth, provides graceful degradation as failure
occurs, and increases availability.

NOTE: An interface with an already configured IP address cannot form part of the
aggregation group.

To configure aggregated Ethernet interfaces, using the CLI:

1. Specify the number of aggregated Ethernet interfaces to be created:

   [edit chassis]
   user@switch# set aggregated-devices ethernet device-count device-count

2. Specify the minimum number of links for the aggregated Ethernet interface (aex),
   that is, the defined bundle, to be labeled up:

   NOTE: By default only one link must be up for the bundle to be labeled up.

   [edit interfaces]
   user@switch# set ae0 aggregated-ether-options minimum-links 2

3. Specify the link speed for the aggregated Ethernet bundle:

   [edit interfaces]
   user@switch# set ae0 aggregated-ether-options link-speed 10g

4. Specify the members to be included within the aggregated Ethernet bundle:

   [edit interfaces]
   user@switch# set xe-0/1/0 ether-options 802.3ad ae0
   user@switch# set xe-1/1/0 ether-options 802.3ad ae0

5. Specify an interface family for the aggregated Ethernet bundle:

   [edit interfaces]
   user@switch# set ae0 unit 0 family inet address 192.0.2.0/25


For information about adding LACP to a LAG, see Configuring Aggregated Ethernet
LACP (CLI Procedure) on page 297.
Related Topics

Configuring Link Aggregation (J-Web Procedure) on page 296

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual


Chassis Access Switch and a Virtual Chassis Distribution Switch on page 172

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP


Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch on page 178

Verifying the Status of a LAG Interface on page 300

Understanding Aggregated Ethernet Interfaces and LACP on page 263

Configuring Link Aggregation (J-Web Procedure)


Use the link aggregation feature to aggregate one or more links to form a virtual link
or aggregation group. The MAC client can treat this virtual link as if it were a single
link. Link aggregation increases bandwidth, provides graceful degradation as failure
occurs, and increases availability.

NOTE: Interfaces that are already configured with MTU, speed, duplex,
auto-negotiation, flow-control, or logical interfaces are not available for aggregation.

To configure link aggregation:

1. From the Configure menu, select Interfaces > Link Aggregation.
   The Aggregated Interfaces list is displayed.

2. Click one:

   Add: Creates an aggregated interface. Add a description for the aggregation.
   Click >> or << to move interfaces between the Available Interfaces and Member
   Interfaces columns. Click Activate Aggregated Link to activate the link.

   Edit > Edit Aggregation: Modifies an existing aggregation.

   Edit > VLAN Options: Specifies VLAN options for the aggregation. See
   Table 49 on page 297 for details on the options.

   Delete: Deletes an aggregation.

   Enable Port/Disable Port: Enables or disables the administrative status on
   the selected port.


Table 49: VLAN Options

Field / Function / Your Action

Port Mode
Function: Specifies the mode of operation for the port: trunk or access.
Your Action: If you select Trunk, you can:
  1. Click Add to add a VLAN member.
  2. Select the VLAN and click OK.
  3. (Optional) Associate a native VLAN with the port.
If you select Access, you can:
  1. Select the VLAN member to be associated with the port.
  2. (Optional) Associate a VoIP VLAN with the interface. Only a VLAN with a
     VLAN ID can be associated as a VoIP VLAN.
  3. Click OK.

Related Topics

Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 295

Verifying the Status of a LAG Interface on page 300

Understanding Aggregated Ethernet Interfaces and LACP on page 263

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual


Chassis Access Switch and a Virtual Chassis Distribution Switch on page 172

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP


Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch on page 178

Configuring Aggregated Ethernet LACP (CLI Procedure)


For aggregated Ethernet interfaces on EX-series switches, you can configure the Link
Aggregation Control Protocol (LACP). LACP is one method of bundling several physical
interfaces to form one logical interface. You can configure aggregated Ethernet with
or without LACP enabled.
Before you configure LACP, be sure you have configured the aggregated Ethernet
bundles. See Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 295.

When LACP is enabled, the local and remote sides of the aggregated Ethernet links
exchange protocol data units (PDUs), containing information about the state of the
link. You can configure Ethernet links to actively transmit PDUs, or you can configure
the links to passively transmit them, sending out LACP PDUs only when they receive
them from another link. One side of the link must be configured as active in order
for the link to be up.


To configure LACP:

1. Enable one side of the link as active:

   [edit interfaces]
   user@switch# set aex aggregated-ether-options lacp active

2. Specify the interval at which the interfaces send LACP packets:

   [edit interfaces]
   user@switch# set aex aggregated-ether-options lacp periodic fast
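The two CLI procedures above (Configuring Aggregated Ethernet Interfaces and this LACP procedure) list the commands but leave the preconditions to the operator: device-count must cover the bundle index, minimum-links cannot exceed the member count, a member must not already carry an IP address or link settings, and one LACP end must be active. The following Python script, added here as an example and not part of the Juniper guide, checks those preconditions against an existing set-format configuration and then emits the commands in the order of the procedure. The existing configuration, bundle name, members and addresses are constructed for illustration; the rule that logical units must be removed from a member before it joins a bundle is taken from the J-Web note on this page.

```python
"""Build and sanity-check an aggregated Ethernet bundle (LAG) for an EX-series
switch, expressed as set-format CLI commands. Added example, not Juniper code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt of `show configuration | display set`: one bundle slot
# (device-count 1) and several uplink ports in different states.
EXISTING_CONFIG = """
set chassis aggregated-devices ethernet device-count 1
set interfaces xe-0/1/0 unit 0 family ethernet-switching
set interfaces xe-0/1/1 ether-options speed 10g
set interfaces xe-1/1/0 unit 0 family inet address 192.0.2.130/25
set interfaces xe-1/1/1 description "spare uplink"
"""

# Link settings that keep an interface out of a bundle until they are removed.
LINK_PARAMS = ("mtu", "speed", "link-mode", "auto-negotiation", "flow-control")


@dataclass
class LagSpec:
    name: str                       # aeN
    members: List[str]              # physical interfaces, e.g. xe-0/1/0
    minimum_links: int = 1          # links that must be up for aeN to be up
    link_speed: str = "10g"
    lacp: Optional[str] = None      # "active", "passive", or None for a static LAG
    lacp_periodic: str = "fast"
    address: Optional[str] = None   # inet address for a Layer 3 LAG; None = Layer 2 trunk


def interface_settings(existing: str) -> Dict[str, List[str]]:
    """Map each interface to the statements already configured under it."""
    settings: Dict[str, List[str]] = {}
    for line in existing.splitlines():
        m = re.match(r"set interfaces (\S+) (.+)", line.strip())
        if m:
            settings.setdefault(m.group(1), []).append(m.group(2))
    return settings


def check_lag(spec: LagSpec, existing: str) -> List[str]:
    """Return the reasons the bundle would not commit or come up (empty = OK)."""
    problems: List[str] = []
    m = re.fullmatch(r"ae(\d+)", spec.name)
    if not m:
        return [f"{spec.name}: bundle interfaces are named aeN"]
    dc = re.search(r"aggregated-devices ethernet device-count (\d+)", existing)
    count = int(dc.group(1)) if dc else 0
    if int(m.group(1)) >= count:
        problems.append(f"{spec.name}: device-count is {count}; it must be at least {int(m.group(1)) + 1}")
    if len(set(spec.members)) != len(spec.members):
        problems.append("a member interface is listed twice")
    if not 1 <= spec.minimum_links <= len(spec.members):
        problems.append(f"minimum-links {spec.minimum_links} must be between 1 and {len(spec.members)}")
    if spec.lacp not in (None, "active", "passive"):
        problems.append(f"lacp mode {spec.lacp!r} is not active or passive")
    settings = interface_settings(existing)
    for member in spec.members:
        for stmt in settings.get(member, []):
            words = stmt.split()
            if "inet" in words and "address" in words:
                problems.append(f"{member}: already has an IP address and cannot join {spec.name}")
            elif words[0] == "unit":
                problems.append(f"{member}: delete its logical units before aggregating it")
            elif any(p in words for p in LINK_PARAMS):
                problems.append(f"{member}: remove '{stmt}' before aggregating it")
    return problems


def build_lag_commands(spec: LagSpec) -> List[str]:
    """Emit the set commands in the order of the CLI procedure on this page."""
    cmds = [
        # Never lower device-count below the number of bundles that already exist.
        f"set chassis aggregated-devices ethernet device-count {int(spec.name[2:]) + 1}",
        f"set interfaces {spec.name} aggregated-ether-options minimum-links {spec.minimum_links}",
        f"set interfaces {spec.name} aggregated-ether-options link-speed {spec.link_speed}",
    ]
    if spec.lacp:
        # One end must be active; a passive end only answers PDUs it receives.
        cmds.append(f"set interfaces {spec.name} aggregated-ether-options lacp {spec.lacp}")
        cmds.append(f"set interfaces {spec.name} aggregated-ether-options lacp periodic {spec.lacp_periodic}")
    for member in spec.members:
        cmds.append(f"set interfaces {member} ether-options 802.3ad {spec.name}")
    if spec.address:
        cmds.append(f"set interfaces {spec.name} unit 0 family inet address {spec.address}")
    else:
        cmds.append(f"set interfaces {spec.name} unit 0 family ethernet-switching port-mode trunk")
    return cmds


if __name__ == "__main__":
    spec = LagSpec("ae0", ["xe-1/1/1", "xe-1/1/2"], minimum_links=2, lacp="active", address="192.0.2.1/25")
    problems = check_lag(spec, EXISTING_CONFIG)
    print("\n".join(problems or build_lag_commands(spec)))
```

Run check_lag before build_lag_commands and paste the output into configuration mode only when the check returns nothing; the members in the constructed configuration that already carry an address, a logical unit or a speed setting are exactly the ones the check rejects.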


Related Topics


Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 295

Configuring Link Aggregation (J-Web Procedure) on page 296

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP


Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch on page 178

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual


Chassis Access Switch and a Virtual Chassis Distribution Switch on page 172

Verifying the Status of a LAG Interface on page 300

Understanding Aggregated Ethernet Interfaces and LACP on page 263


Chapter 25

Verifying Interfaces

Monitoring Interface Status and Traffic on page 299

Verifying the Status of a LAG Interface on page 300

Verifying That LACP Is Configured Correctly and Bundle Members Are Exchanging
LACP Protocol Packets on page 300

Verifying That Layer 3 Subinterfaces Are Working on page 302

Monitoring Interface Status and Traffic


Purpose
Use the monitoring functionality to view interface status or to monitor interface
bandwidth utilization and traffic statistics on the EX-series switch.
The J-Web interface monitors interface bandwidth utilization and plots real-time
charts to display input and output rates in bytes per second. In addition, the Interface
monitoring page displays input and output error counters in the form of charts.
Alternatively, you can enter the show commands in the CLI to view interface status
and traffic statistics.

Action
To view general interface information in the J-Web interface such as available
interfaces, select Monitor > Interfaces. You can click any interface to view details about
its status.
Using the CLI:

  To view interface status for all the interfaces, enter show interfaces (see
  page 342).

  To view status and statistics for a specific interface, enter show interfaces
  interface-name.

  To view status and traffic statistics for all interfaces, enter either show
  interfaces detail or show interfaces extensive.

Meaning
In the J-Web interface the charts displayed are:

  Bar charts: Display the input and output error counters.

  Pie charts: Display the number of broadcast, unicast, and multicast packet
  counters.

To clear the statistics in the J-Web Interface monitoring page, click Clear Statistics.


For details about output from the CLI commands, see show interfaces on page 332
(Gigabit Ethernet) or show interfaces on page 342 (10-Gigabit Ethernet).
Related Topics

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 293

Verifying the Status of a LAG Interface


Purpose
Verify that a LAG (ae0) has been created on the switch.

Action
user@switch> show interfaces ae0 terse
Interface   Admin Link Proto Local          Remote
ae0         up    up
ae0.0       up    up   inet  10.10.10.2/24

Meaning
The output confirms that the ae0 link is up and shows the family and IP address
assigned to this link.

Related Topics

Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 295

Configuring Link Aggregation (J-Web Procedure) on page 296

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual


Chassis Access Switch and a Virtual Chassis Distribution Switch on page 172

Verifying That LACP Is Configured Correctly and Bundle Members Are Exchanging
LACP Protocol Packets

To verify that LACP has been set up correctly and that the bundle members are
transmitting LACP protocol packets:
1. Verifying the LACP Setup on page 300
2. Verifying That the LACP Packets Are Being Exchanged on page 301

Verifying the LACP Setup

Purpose
Verify that LACP has been set up correctly.

Action
Use the show lacp interfaces interface-name command to check that LACP has been
enabled as active on one end.

user@switch> show lacp interfaces xe-0/1/0
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No   Yes    No   No   No   Yes     Fast    Active
      xe-0/1/0     Partner    No   Yes    No   No   No   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/0                Defaulted   Fast periodic           Detached

Meaning
This example shows that LACP has been configured with one side as active and the
other as passive. When LACP is enabled, one side must be set as active in order for
the bundled link to be up. Note that Def is Yes and the Receive State is Defaulted:
this end has not yet received an LACP PDU from the far end, so the Partner row shows
default values rather than what the remote switch is actually configured with. Check
the remote configuration before treating the active/passive pairing as verified.
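The show interfaces aeN terse output in Verifying the Status of a LAG Interface and the show lacp interfaces output above can be parsed rather than read by eye. The following Python script is an added example, not from the Juniper guide: it parses both outputs, which are constructed here in the format the commands print rather than captured from a switch, and runs the checks that the troubleshooting topic for a down LAG lists (members up, a family on the bundle, each member bound to the bundle at both ends) plus the LACP-specific ones (one end active, partner not defaulted, matching timeouts, mux state collecting and distributing).

```python
"""Diagnose a LAG from `show interfaces aeN terse` and `show lacp interfaces`
output. Added example, not Juniper code; both samples are constructed."""
import re
from typing import Dict, List

# Constructed `show interfaces ae0 terse` output: xe-0/1/0 is healthy,
# xe-0/1/1 is cabled to a port that is not sending LACP PDUs.
TERSE = """\
Interface               Admin Link Proto    Local                 Remote
xe-0/1/0                up    up
xe-0/1/0.0              up    up   aenet    --> ae0.0
xe-0/1/1                up    down
xe-0/1/1.0              up    down aenet    --> ae0.0
ae0                     up    up
ae0.0                   up    up   inet     10.10.10.2/24
"""

# Constructed `show lacp interfaces` output for the same bundle.
LACP = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      xe-0/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Passive
      xe-0/1/1       Actor    No   Yes    No   No   No   Yes     Fast    Active
      xe-0/1/1     Partner    No   Yes    No   No   No   Yes     Fast   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/0                  Current   Fast periodic Collecting distributing
      xe-0/1/1                Defaulted   Fast periodic           Detached
"""

FLAGS = ("exp", "def", "dist", "col", "syn", "aggr")
STATE_RE = re.compile(r"^\s*(\S+)\s+(Actor|Partner)" + r"\s+(Yes|No)" * 6
                      + r"\s+(Fast|Slow)\s+(Active|Passive)\s*$")
PROTO_RE = re.compile(r"^\s*(\S+)\s+(Current|Defaulted|Expired|Initialize|Port disabled)"
                      r"\s+(Fast periodic|Slow periodic|No periodic)\s+(.+?)\s*$")
TERSE_RE = re.compile(r"^(\S+)\s+(up|down)\s+(up|down)(?:\s+(\S+)(?:\s+(.*?))?)?\s*$")


def parse_lacp(text: str) -> Dict[str, dict]:
    """Per member: the actor and partner flag rows and the protocol state row."""
    members: Dict[str, dict] = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            row = dict(zip(FLAGS, m.groups()[2:8]))
            row.update(timeout=m.group(9), activity=m.group(10))
            members.setdefault(m.group(1), {})[m.group(2).lower()] = row
            continue
        m = PROTO_RE.match(line)
        if m:
            members.setdefault(m.group(1), {})["protocol"] = {
                "receive": m.group(2), "transmit": m.group(3), "mux": m.group(4)}
    return members


def parse_terse(text: str) -> Dict[str, dict]:
    """Per interface row: admin and link state, protocol family, local column."""
    rows: Dict[str, dict] = {}
    for line in text.splitlines():
        m = TERSE_RE.match(line)
        if m:
            rows[m.group(1)] = {"admin": m.group(2), "link": m.group(3),
                                "proto": m.group(4) or "", "local": m.group(5) or ""}
    return rows


def diagnose_lag(bundle: str, terse_text: str, lacp_text: str) -> List[str]:
    """Walk the checks from the troubleshooting topic and return what is wrong."""
    terse, lacp = parse_terse(terse_text), parse_lacp(lacp_text)
    findings: List[str] = []
    if bundle not in terse:
        return [f"{bundle} does not exist: check chassis aggregated-devices device-count"]
    if terse[bundle]["link"] != "up":
        findings.append(f"{bundle}: link is {terse[bundle]['link']}")
    units = [r for n, r in terse.items() if n.startswith(bundle + ".")]
    if not any(r["proto"] in ("inet", "eth-switch") for r in units):
        findings.append(f"{bundle}: no logical unit with family inet or ethernet-switching")
    # Members show up in terse output as unit rows with proto aenet pointing at aeN.0.
    bound = {n.rsplit(".", 1)[0] for n, r in terse.items()
             if r["proto"] == "aenet" and r["local"] == f"--> {bundle}.0"}
    for member in sorted(bound | set(lacp)):
        if member not in lacp:
            findings.append(f"{member}: bound to {bundle} but missing from LACP output")
            continue
        if member not in bound:
            findings.append(f"{member}: in LACP output but not bound to {bundle}")
        link = terse.get(member, {}).get("link", "missing")
        if link != "up":
            findings.append(f"{member}: physical link is {link}")
        actor, partner = lacp[member].get("actor"), lacp[member].get("partner")
        if actor and partner:
            if "Active" not in (actor["activity"], partner["activity"]):
                findings.append(f"{member}: both ends passive; one side must be active")
            if partner["def"] == "Yes":
                findings.append(f"{member}: partner defaulted, no LACP PDUs received from the far end")
            if actor["timeout"] != partner["timeout"]:
                findings.append(f"{member}: LACP timeout mismatch ({actor['timeout']} vs {partner['timeout']})")
        proto = lacp[member].get("protocol")
        if proto and proto["mux"] != "Collecting distributing":
            findings.append(f"{member}: mux state {proto['mux']}, member is not forwarding")
    return findings


if __name__ == "__main__":
    print("\n".join(diagnose_lag("ae0", TERSE, LACP) or ["ae0: healthy"]))
```

On the constructed input the script reports only xe-0/1/1: its link is down, its partner row is defaulted and its mux state is Detached, which is the signature of a member cabled to a port that is not in the remote bundle.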

Verifying That the LACP Packets Are Being Exchanged


Purpose
Verify that LACP packets are being exchanged between interfaces.

Action
Use the show interfaces aex statistics command to display LACP PDU exchange
information.

user@switch> show interfaces ae0 statistics
Physical interface: ae0, Enabled, Physical link is Down
  Interface index: 153, SNMP ifIndex: 30
  Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1,
  Minimum bandwidth needed: 0
  Device flags   : Present Running
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Current address: 02:19:e2:50:45:e0, Hardware address: 02:19:e2:50:45:e0
  Last flapped   : Never
  Statistics last cleared: Never
  Input packets : 0
  Output packets: 0
  Input errors: 0, Output errors: 0

  Logical interface ae0.0 (Index 71) (SNMP ifIndex 34)
    Flags: Hardware-Down Device-Down SNMP-Traps Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :             0          0             0            0
        Output:             0          0             0            0
    Protocol inet, MTU: 1500
      Flags: None
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 10.10.10/24, Local: 10.10.10.1, Broadcast: 10.10.10.255

Meaning
The output here shows that the link is down and that no packets, and therefore no
LACP PDUs, are being exchanged (when there is no other traffic flowing on the link).

Related Topics

Configuring Aggregated Ethernet LACP (CLI Procedure) on page 297

Verifying the Status of a LAG Interface on page 300


Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP


Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch on page 178

Verifying That Layer 3 Subinterfaces Are Working


Purpose
After configuring Layer 3 subinterfaces, verify they are set up properly and
transmitting data.

Action
1. Use the show interfaces command to determine if you successfully created the
   subinterfaces and the links are up:

   user@switch> show interfaces ge-chassis/slot/port terse
   Interface        Admin Link Proto Local        Remote
   ge-0/0/0         up    up
   ge-0/0/0.0       up    up   inet  1.1.1.1/24
   ge-0/0/0.1       up    up   inet  2.1.1.1/24
   ge-0/0/0.2       up    up   inet  3.1.1.1/24
   ge-0/0/0.3       up    up   inet  4.1.1.1/24
   ge-0/0/0.4       up    up   inet  5.1.1.1/24
   ge-0/0/0.32767   up    up

2. Use the ping command from a device on one subnet to an address on another
   subnet to determine if packets were transmitted correctly on the subinterface
   VLANs:

   user@switch> ping ip-address
   PING 1.1.1.1 (1.1.1.1): 56 data bytes
   64 bytes from 1.1.1.1: icmp_seq=0 ttl=64 time=0.157 ms
   64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.238 ms
   64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.255 ms
   64 bytes from 1.1.1.1: icmp_seq=3 ttl=64 time=0.128 ms
   --- 1.1.1.1 ping statistics ---
   4 packets transmitted, 4 packets received, 0% packet loss

Meaning
The output confirms that the subinterfaces are created and the links are up.

Related Topics

Configuring a Layer 3 Subinterface (CLI Procedure)

Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an


Access Switch on page 279


Chapter 26

Troubleshooting Interfaces

Troubleshooting an Aggregated Ethernet Interface on page 303

Troubleshooting Disabled or Down Interfaces on page 303

Port Role Configuration with the J-Web Interface: CLI Reference on page 304

Troubleshooting Interface Configuration and Cable Faults on page 309

Troubleshooting an Aggregated Ethernet Interface


Problem
The show interfaces terse command shows that the LAG is down.

Solution
Check the following:

  Verify that there is no configuration mismatch between the two ends of the LAG
  (for example, in minimum-links, link speed, or LACP active/passive mode).

  Verify that all member ports are up.

  Verify that the LAG is part of family ethernet-switching (Layer 2 LAG) or family
  inet (Layer 3 LAG).

  Verify that each LAG member is connected to the correct LAG at the other end.

  Verify that the LAG members belong to the same switch (or the same Virtual
  Chassis).

Related Topics

Verifying the Status of a LAG Interface on page 300

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual


Chassis Access Switch and a Virtual Chassis Distribution Switch on page 172

Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP


Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch on page 178

Troubleshooting Disabled or Down Interfaces


This topic provides troubleshooting information for specific problems related to
interfaces.

Disabled port on EX 3200 switch with a 4-port Gigabit Ethernet uplink module
(EX-UM-4SFP) installed on page 304


Disabled port on EX 3200 switch with a 4-port Gigabit Ethernet uplink module (EX-UM-4SFP)
installed

Problem
One of the last four base ports (ge-0/0/20 through ge-0/0/23 on 24-port models or
ge-0/0/44 through ge-0/0/47 on 48-port models) of an EX 3200 switch is disabled.
The 4-port Gigabit Ethernet uplink module (EX-UM-4SFP) is installed.
When you check status with the show interfaces command (see page 332) or with the
J-Web user interface, the disabled port is not listed.

Cause
The last four base ports use the same ASIC as the 4-port Gigabit Ethernet uplink
module. Therefore, if you insert a transceiver in a 4-port Gigabit Ethernet uplink
module installed in an EX 3200 switch, the corresponding port among the last four
base ports is disabled.

Solution
If you need to use the disabled base port, remove the transceiver from the 4-port
Gigabit Ethernet uplink module. You can install the 2-port 10-Gigabit Ethernet uplink
module (EX-UM-2XFP) instead; there is no ASIC conflict with the EX-UM-2XFP uplink
module.

Related Topics

Monitoring Interface Status and Traffic on page 299

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 293

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289

Removing an SFP or XFP Transceiver from an EX-series Switch

Installing an SFP or XFP Transceiver in an EX-series Switch

EX-series Switch Hardware Overview on page 19

EX-series Switches Interfaces Overview on page 259

Port Role Configuration with the J-Web Interface: CLI Reference

When you configure Gigabit Ethernet interface properties with the J-Web interface
(Configure > Interfaces) you can optionally select pre-configured port roles for those
interfaces. When you select a role from the Port Role field and apply it to a port, the
J-Web interface modifies the switch configuration using CLI commands.
Table 50 on page 304 lists the CLI commands applied for each port role.

NOTE: If there is an existing port role configuration, it is cleared before the new port
role configuration is applied.

Table 50: Port Role Configuration Summary

Each entry gives the configuration description followed by the CLI command (or
commands) that implement it; interface stands for the selected interface name.

Default Port Role

  Set the port role to Default.
    set interfaces interface apply-macro juniper-port-profile Default
  Set port family to ethernet-switching and port mode to access.
    set interfaces interface unit 0 family ethernet-switching port-mode access
  Enable RSTP if redundant trunk groups are not configured.
    delete protocols rstp interface interface disable
  Disable RSTP if redundant trunk groups are configured.
    set protocols rstp interface interface disable

Desktop Port Role

  Set the port role to Desktop.
    set interfaces interface apply-macro juniper-port-profile Desktop
  Set the VLAN if a new VLAN is specified.
    set vlans vlan-name vlan-id vlan-id
  Set port family to ethernet-switching and port mode to access.
    set interfaces interface unit 0 family ethernet-switching port-mode access
  Set the VLAN membership on the port.
    set interfaces interface unit 0 family ethernet-switching vlan members vlan-members
  Set port security parameters (ARP inspection on the data VLAN).
    set ethernet-switching-options secure-access-port vlan vlan-name arp-inspection
  Set RSTP with the edge option.
    set protocols rstp interface interface edge
  Disable RSTP if redundant trunk groups are configured.
    set protocols rstp interface interface disable

Desktop and Phone Port Role

  Set the port role to Desktop and Phone.
    set interfaces interface apply-macro juniper-port-profile "Desktop and Phone"
  Set the data VLAN if a new VLAN is specified, and the voice VLAN if a new voice
  VLAN is specified.
    set vlans vlan-name vlan-id vlan-id
  Set port family to ethernet-switching and port mode to access.
    set interfaces interface unit 0 family ethernet-switching port-mode access
  Set the data VLAN on the port stanza.
    set interfaces interface unit 0 family ethernet-switching vlan members vlan-members
  Set port security parameters (ARP inspection on the data VLAN).
    set ethernet-switching-options secure-access-port vlan vlan-name arp-inspection
  Set the VoIP VLAN.
    set ethernet-switching-options voip interface interface.0 vlan vlan-name
  Set class-of-service parameters (SCHEDULER_MAP=juniper-port-profile-map,
  IEEE_CLASSIFIER=juniper_ieee_classifier, DSCP_CLASSIFIER=juniper_dscp_classifier).
    set class-of-service interfaces interface scheduler-map juniper-port-profile-map
    set class-of-service interfaces interface unit 0 classifiers ieee-802.1 juniper_ieee_classifier
    set class-of-service interfaces interface unit 0 classifiers dscp juniper_dscp_classifier
  Set the CoS configuration.
    See Table 51 on page 307 for details.

Wireless Access Point Port Role

  Set the port role to Wireless Access Point.
    set interfaces interface apply-macro juniper-port-profile "Wireless Access Point"
  Set the VLAN on the VLANs stanza.
    set vlans vlan-name vlan-id vlan-id
  Set port family to ethernet-switching and port mode to access.
    set interfaces interface unit 0 family ethernet-switching port-mode access
  Set the VLAN on the port stanza.
    set interfaces interface unit 0 family ethernet-switching vlan members vlan-members
  Set RSTP with the edge option.
    set protocols rstp interface interface edge
  Disable RSTP if redundant trunk groups are configured.
    set protocols rstp interface interface disable

Routed Uplink Port Role

  Set the port role to Routed Uplink.
    set interfaces interface apply-macro juniper-port-profile "Routed Uplink"
  Set port family to inet and set the IP address on the port.
    set interfaces interface unit 0 family inet address ip-address
  Set class-of-service parameters (SCHEDULER_MAP=juniper-port-profile-map,
  IEEE_CLASSIFIER=juniper_ieee_classifier, DSCP_CLASSIFIER=juniper_dscp_classifier).
    set class-of-service interfaces interface scheduler-map juniper-port-profile-map
    set class-of-service interfaces interface unit 0 classifiers ieee-802.1 juniper_ieee_classifier
    set class-of-service interfaces interface unit 0 classifiers dscp juniper_dscp_classifier
  Set the CoS configuration.
    See Table 51 on page 307 for details.

Layer 2 Uplink Port Role

  Set the port role to Layer 2 Uplink.
    set interfaces interface apply-macro juniper-port-profile "Layer2 Uplink"
  Set port family to ethernet-switching and port mode to trunk.
    set interfaces interface unit 0 family ethernet-switching port-mode trunk
  Set the native VLAN.
    set interfaces interface unit 0 family ethernet-switching native-vlan-id vlan-name
  Set the port as a member of all valid VLANs; "valid" refers to all VLANs except the
  native VLAN and voice VLANs.
    set interfaces interface unit 0 family ethernet-switching vlan members vlan-members
  Set the port security parameter. dhcp-trusted marks the port as one on which DHCP
  snooping accepts DHCP server replies; that is correct for an uplink toward the
  DHCP server and is not applied to the access roles above.
    set ethernet-switching-options secure-access-port interface interface.0 dhcp-trusted
  Set RSTP with the point-to-point option.
    set protocols rstp interface interface mode point-to-point
  Disable RSTP if redundant trunk groups are configured.
    set protocols rstp interface interface disable
  Set class-of-service parameters (SCHEDULER_MAP=juniper-port-profile-map,
  IEEE_CLASSIFIER=juniper_ieee_classifier, DSCP_CLASSIFIER=juniper_dscp_classifier).
    set class-of-service interfaces interface scheduler-map juniper-port-profile-map
    set class-of-service interfaces interface unit 0 classifiers ieee-802.1 juniper_ieee_classifier
    set class-of-service interfaces interface unit 0 classifiers dscp juniper_dscp_classifier
  Set the CoS configuration.
    See Table 51 on page 307 for details.
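Table 50 defines, per role, which security-relevant statements J-Web applies: RSTP edge and ARP inspection on the access roles, trunk mode, point-to-point and dhcp-trusted on the Layer 2 uplink, family inet on the routed uplink, and RSTP disabled only when the port is in a redundant trunk group. Once ports are edited by hand those invariants drift, so the following Python script, an added example that is not part of the Juniper guide, audits a set-format configuration against them. The configuration is constructed; the role names are the apply-macro values from Table 50, and the redundant-trunk-group statement syntax is an assumption.

```python
"""Audit port-role configuration on an EX-series switch against the Table 50
invariants. Added example, not Juniper code; SAMPLE_CONFIG is constructed."""
import shlex
from collections import defaultdict
from typing import Dict, List, Set

SAMPLE_CONFIG = """
set interfaces ge-0/0/1 apply-macro juniper-port-profile Desktop
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members employees
set protocols rstp interface ge-0/0/1 edge
set ethernet-switching-options secure-access-port vlan employees arp-inspection
set interfaces ge-0/0/2 apply-macro juniper-port-profile Desktop
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members guests
set ethernet-switching-options secure-access-port interface ge-0/0/2.0 dhcp-trusted
set interfaces ge-0/1/0 apply-macro juniper-port-profile "Layer2 Uplink"
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members all
set ethernet-switching-options secure-access-port interface ge-0/1/0.0 dhcp-trusted
set protocols rstp interface ge-0/1/0 mode point-to-point
set interfaces ge-0/1/1 apply-macro juniper-port-profile "Layer2 Uplink"
set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
set protocols rstp interface ge-0/1/1 disable
set interfaces ge-0/1/2 apply-macro juniper-port-profile "Routed Uplink"
set interfaces ge-0/1/2 unit 0 family inet address 192.0.2.1/30
"""

ACCESS_ROLES = ("Desktop", "Desktop and Phone", "Wireless Access Point")


def new_entry() -> dict:
    return {"role": None, "port_mode": None, "families": set(), "vlans": set(),
            "rstp": set(), "dhcp_trusted": False}


def parse_set_config(text: str) -> dict:
    """Index only the statements the audit needs, keyed by physical interface."""
    ifaces: Dict[str, dict] = defaultdict(new_entry)
    arp_vlans: Set[str] = set()          # VLANs with arp-inspection
    rtg_ifaces: Set[str] = set()         # interfaces in a redundant trunk group (assumed syntax)
    for raw in text.splitlines():
        w = shlex.split(raw)             # honours quoted multi-word role names
        if len(w) < 4 or w[0] != "set":
            continue
        if w[1] == "interfaces":
            e, rest = ifaces[w[2]], w[3:]
            if rest[:2] == ["apply-macro", "juniper-port-profile"] and len(rest) > 2:
                e["role"] = rest[2]
            for key, field in (("family", "families"), ("members", "vlans")):
                if key in rest:
                    e[field].add(rest[rest.index(key) + 1])
            if "port-mode" in rest:
                e["port_mode"] = rest[rest.index("port-mode") + 1]
        elif w[1:4] == ["protocols", "rstp", "interface"] and len(w) > 5:
            ifaces[w[4]]["rstp"].add(" ".join(w[5:]))
        elif w[1:3] == ["ethernet-switching-options", "secure-access-port"] and len(w) > 5:
            if w[3] == "vlan" and w[-1] == "arp-inspection":
                arp_vlans.add(w[4])
            elif w[3] == "interface" and w[-1] == "dhcp-trusted":
                ifaces[w[4].split(".")[0]]["dhcp_trusted"] = True
        elif w[1:3] == ["ethernet-switching-options", "redundant-trunk-group"] and "interface" in w:
            rtg_ifaces.add(w[w.index("interface") + 1])
    return {"interfaces": dict(ifaces), "arp_vlans": arp_vlans, "rtg": rtg_ifaces}


def audit_port_roles(text: str) -> List[str]:
    """Return one finding per deviation from the Table 50 role invariants."""
    cfg = parse_set_config(text)
    findings: List[str] = []
    for name, e in sorted(cfg["interfaces"].items()):
        role = e["role"]
        if role is None:
            continue
        tag = f"{name} ({role})"
        rstp_off = "disable" in e["rstp"]
        if rstp_off and name not in cfg["rtg"]:
            findings.append(f"{tag}: RSTP disabled but the port is in no redundant trunk group")
        if role in ACCESS_ROLES:
            if e["port_mode"] != "access":
                findings.append(f"{tag}: port-mode should be access")
            if e["dhcp_trusted"]:
                findings.append(f"{tag}: dhcp-trusted on an access port lets a rogue DHCP server answer clients")
            if not rstp_off and "edge" not in e["rstp"]:
                findings.append(f"{tag}: RSTP edge not set")
            if role != "Wireless Access Point":
                for vlan in sorted(e["vlans"] - cfg["arp_vlans"]):
                    findings.append(f"{tag}: VLAN {vlan} has no arp-inspection")
        elif role == "Layer2 Uplink":
            if e["port_mode"] != "trunk":
                findings.append(f"{tag}: port-mode should be trunk")
            if not e["dhcp_trusted"]:
                findings.append(f"{tag}: not dhcp-trusted; DHCP snooping drops server replies arriving here")
            if not rstp_off and "mode point-to-point" not in e["rstp"]:
                findings.append(f"{tag}: RSTP mode point-to-point not set")
        elif role == "Routed Uplink":
            if e["families"] != {"inet"}:
                findings.append(f"{tag}: must carry family inet only")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_port_roles(SAMPLE_CONFIG) or ["no findings"]))
```

Feed it the output of show configuration | display set; in the constructed configuration ge-0/0/2 is the interesting case, a desktop port that somebody marked dhcp-trusted and that lost its RSTP edge and ARP inspection settings.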

Table 51 on page 307 lists the CLI commands for the recommended CoS settings that
are committed when the CoS configuration is set.
Table 51: Recommended CoS Settings for Port Roles
CoS Parameter

CLI Command

Forwarding Classes
voice

set class-of-service forwarding-classes class voice queue-num 7

expedited-forwarding

set class-of-service forwarding-classes class expedited-forwarding queue-num


5

assured-forwarding

set class-of-service forwarding-classes class assured-forwarding queue-num


1

best-effort

set class-of-service forwarding-classes class best-effort queue-num 0

Schedulers

Port Role Configuration with the J-Web InterfaceCLI Reference

307

Complete Software Guide for JUNOS for EX-series Software, Release 9.2

Table 51: Recommended CoS Settings for Port Roles (continued)


CoS Parameter

CLI Command

strict-priority-scheduler

The CLI commands are:

set class-of-service schedulers


strict-priority-scheduler transmit-rate
percent 10

set class-of-service schedulers


strict-priority-scheduler buffer-size percent
5

set class-of-service schedulers


strict-priority-scheduler priority strict-high

expedited-scheduler

The CLI commands are:

set class-of-service schedulers


expedited-scheduler transmit-rate percent 30

set class-of-service schedulers


expedited-scheduler buffer-size percent 30

set class-of-service schedulers


expedited-scheduler priority low

assured-scheduler

The CLI commands are:


set class-of-service schedulers assured-scheduler transmit-rate percent 25
set class-of-service schedulers strict-priority-scheduler buffer-size percent
25
set class-of-service schedulers strict-priority-scheduler priority low

best-effort-scheduler

The CLI commands are:


set class-of-service schedulers best-effort-scheduler transmit-rate percent
35
set class-of-service schedulers best-effort-scheduler buffer-size percent 40
set class-of-service schedulers best-effort-scheduler priority low

Classifiers

The classifiers are:


set class-of-service classifiers ieee-802.1 juniper_ieee_classifier import
default forwarding-class voice loss-priority low code-points 101
set class-of-service classifiers dscp juniper_dscp_classifier import default
forwarding-class voice loss-priority low code-points 101110
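The settings in Table 51 only make sense as a set: every forwarding class needs its own queue, the four schedulers share one port's bandwidth and buffer, and exactly one of them (the voice queue) is strict-high. The following Python is an added example, not code from the Juniper guide; it holds the table's values, checks those invariants before anything is committed, and emits the `set` statements in the order the table gives them. The invariants themselves (eight queues numbered 0 through 7, percentages that do not exceed 100 in total, a single strict-high scheduler) are this example's assumptions about a consistent per-port CoS plan.

```python
"""Added example (not from the Juniper guide): sanity-check the recommended
CoS plan of Table 51 and emit its 'set' statements.

The numbers are the table's own. The consistency rules are this example's
assumptions about a per-port CoS plan on an EX-series switch: each forwarding
class gets a distinct queue in 0..7, scheduler transmit-rate and buffer-size
percentages do not exceed 100 in total, and exactly one scheduler (the voice
queue) is strict-high.
"""
from typing import Dict, List, Tuple

# Forwarding class -> queue number (Table 51, Forwarding Classes rows).
FORWARDING_CLASSES: Dict[str, int] = {
    "voice": 7,
    "expedited-forwarding": 5,
    "assured-forwarding": 1,
    "best-effort": 0,
}

# Scheduler -> (transmit-rate percent, buffer-size percent, priority)
# (Table 51, Schedulers rows).
SCHEDULERS: Dict[str, Tuple[int, int, str]] = {
    "strict-priority-scheduler": (10, 5, "strict-high"),
    "expedited-scheduler": (30, 30, "low"),
    "assured-scheduler": (25, 25, "low"),
    "best-effort-scheduler": (35, 40, "low"),
}

# Priority keywords used by Table 51; other JUNOS priorities are not needed here.
PRIORITIES = ("low", "strict-high")


def validate_cos_plan(classes: Dict[str, int],
                      schedulers: Dict[str, Tuple[int, int, str]]) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems: List[str] = []
    queues = list(classes.values())
    if len(set(queues)) != len(queues):
        problems.append("two forwarding classes share a queue number")
    for name, queue in classes.items():
        if not 0 <= queue <= 7:  # eight queues per port (assumption; matches queue 7 for voice)
            problems.append(f"{name}: queue-num {queue} outside 0..7")
    tx_total = sum(tx for tx, _, _ in schedulers.values())
    buf_total = sum(buf for _, buf, _ in schedulers.values())
    if tx_total > 100:
        problems.append(f"transmit-rate percentages sum to {tx_total} (over 100)")
    if buf_total > 100:
        problems.append(f"buffer-size percentages sum to {buf_total} (over 100)")
    strict = [n for n, (_, _, prio) in schedulers.items() if prio == "strict-high"]
    if len(strict) != 1:
        problems.append(f"expected exactly one strict-high scheduler, found {len(strict)}")
    for name, (_, _, prio) in schedulers.items():
        if prio not in PRIORITIES:
            problems.append(f"{name}: unexpected priority {prio!r}")
    return problems


def cos_set_commands(classes: Dict[str, int],
                     schedulers: Dict[str, Tuple[int, int, str]]) -> List[str]:
    """Emit the Table 51 statements in the order they are committed."""
    cmds = [f"set class-of-service forwarding-classes class {cls} queue-num {q}"
            for cls, q in classes.items()]
    for name, (tx, buf, prio) in schedulers.items():
        cmds += [
            f"set class-of-service schedulers {name} transmit-rate percent {tx}",
            f"set class-of-service schedulers {name} buffer-size percent {buf}",
            f"set class-of-service schedulers {name} priority {prio}",
        ]
    return cmds


if __name__ == "__main__":
    issues = validate_cos_plan(FORWARDING_CLASSES, SCHEDULERS)
    if issues:
        raise SystemExit("\n".join(issues))
    print("\n".join(cos_set_commands(FORWARDING_CLASSES, SCHEDULERS)))
```

With the table's values the check passes (transmit rates 10+30+25+35 and buffers 5+30+25+40 both come to exactly 100). Change the strict-priority-scheduler row to `priority low`, the kind of slip that is easy to make when copying scheduler lines, and the validator reports that no strict-high scheduler remains, which is what would otherwise silently remove the voice queue's precedence.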

Related Topics

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 293

Chapter 26: Troubleshooting Interfaces

Troubleshooting Interface Configuration and Cable Faults


Troubleshooting interface configuration and connectivity on the EX-series switch:
1. Interface Configuration or Connectivity Is Not Working on page 309

Interface Configuration or Connectivity Is Not Working


Problem

You encounter errors when you attempt to configure an interface on the switch, or
the interface is exhibiting connectivity problems.

Solution

Use the port troubleshooter feature in the J-Web interface to identify and rectify port
configuration and connectivity related problems.
To use the J-Web interface port troubleshooter:

1. Select the option Troubleshoot from the main menu.

2. Click Troubleshoot Port. The Port Troubleshooting wizard is displayed. Click Next.

3. Select the ports to troubleshoot.

4. Select the test cases to be executed on the selected port. Click Next.

When the selected test cases are executed, the final result and the recommended
action are displayed.

If there is a cable fault, the port troubleshooter displays details and the recommended
action. For example, the cable must be replaced.
If the port configuration needs to be modified, the port troubleshooter displays details
and the recommended action.
Related Topics

Monitoring Interface Status and Traffic on page 299

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 293

Connecting and Configuring the EX-series Switch (CLI Procedure) on page 57

Connecting and Configuring the EX-series Switch (J-Web Procedure) on page 58

Chapter 27

Configuration Statements for Interfaces

Interface Configuration Statement Hierarchy on page 311

Individual Interface Configuration Statements on page 312

Interface Configuration Statement Hierarchy

[edit interfaces] Configuration Statement Hierarchy on page 311

[edit interfaces] Configuration Statement Hierarchy


interfaces {
    ae-x {
        aggregated-ether-options {
            lacp mode {
                periodic interval;
            }
        }
    }
    ge-chassis/pic/port {
        description text;
        ether-options {
            802.3ad aex;
            auto-negotiation;
            flow-control;
            link-mode mode;
            speed (speed | auto-negotiation | no-autonegotiation);
        }
        mtu bytes;
        unit logical-unit-number {
            family ethernet-switching {
                filter input filter-name;
                filter output filter-name;
                l3-interface interface-name-logical-unit-number;
                native-vlan-id vlan-id;
                port-mode mode;
                vlan {
                    members [ (names | vlan-ids) ];
                    translate vlan-id1 vlan-id2;
                }
            }
            vlan-id vlan-id-number;
        }
        vlan-tagging;
    }
}
Related Topics

EX-series Switches Interfaces Overview on page 259

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 293

Configuring a Layer 3 Subinterface (CLI Procedure)

Individual Interface Configuration Statements


802.3ad

Syntax
    802.3ad aex;

Hierarchy Level
    [edit interfaces interface-name ether-options]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Specify the aggregated Ethernet logical interface number.

Options
    aex: Aggregated Ethernet logical interface number.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    JUNOS Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html
    Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 172
    Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 178
    Configuring Aggregated Ethernet Interfaces (CLI Procedure) on page 295
    Configuring Aggregated Ethernet LACP (CLI Procedure) on page 297
    Understanding Aggregated Ethernet Interfaces and LACP on page 263

auto-negotiation

Syntax
    (auto-negotiation | no-auto-negotiation);

Hierarchy Level
    [edit interfaces interface-name ether-options]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Explicitly enable or disable autonegotiation.
    auto-negotiation: Enable autonegotiation.
    no-auto-negotiation: Disable autonegotiation. When autonegotiation is disabled, you must explicitly configure the link mode and speed options.

Default
    Autonegotiation is automatically enabled. No explicit action is taken after the autonegotiation is complete or if the negotiation fails.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Configuring Interfaces on EX-series Switches (CLI Procedure)
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html

description

Syntax
    description text;

Hierarchy Level
    [edit interfaces ge-chassis/slot/port]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Provide a textual description of the interface or the logical unit. Any descriptive text you include is displayed in the output of the show interfaces commands, and is also exposed in the ifAlias Management Information Base (MIB) object. It has no effect on the operation of the interface or the switch.

Default
    No textual description is configured.

Options
    text: Text to describe the interface. If the text includes spaces, enclose the entire text in straight quotation marks.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Configuring Interfaces on EX-series Switches (CLI Procedure)
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html

ether-options

Syntax
    ether-options {
        802.3ad aex;
        auto-negotiation;
        flow-control;
        link-mode mode;
        speed (speed | auto-negotiation);
    }

Hierarchy Level
    [edit interfaces interface-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Configure ether-options properties for a Gigabit Ethernet interface on an EX-series switch. The statements are explained separately.

Default
    Enabled.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Configuring Interfaces on EX-series Switches (CLI Procedure)
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html
    EX-series Switches Interfaces Overview on page 259

family

Syntax
    family ethernet-switching {
        filter input filter-name;
        filter output filter-name;
        l3-interface interface-name-logical-unit-number;
        native-vlan-id vlan-id;
        port-mode mode;
        vlan {
            members [ (names | vlan-ids) ];
            translate vlan-id1 vlan-id2;
        }
    }

Hierarchy Level
    [edit interfaces ge-chassis/slot/port unit logical-unit-number]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Configure protocol family information for the logical interface.

Default
    You must configure a logical interface to be able to use the physical device.

Options
    ethernet-switching: Ethernet switch protocol family.
    The remaining statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Configuring Interfaces on EX-series Switches (CLI Procedure)
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html

filter

Syntax
    filter (input | output) filter-name;

Hierarchy Level
    [edit interfaces ge-chassis/slot/port unit logical-unit-number family family-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Apply a firewall filter to traffic entering the port or Layer 3 interface or exiting the Layer 3 interface.

Default
    All incoming traffic is accepted unmodified on the port or Layer 3 interface, and all outgoing traffic is sent unmodified from the port or Layer 3 interface.

Options
    filter-name: Name of a firewall filter defined in the filter statement.
    input: Apply a firewall filter to traffic entering the port or Layer 3 interface.
    output: Apply a firewall filter to traffic exiting the Layer 3 interface.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 293
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html
    Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
    Configuring Firewall Filters (CLI Procedure) on page 945
    Configuring Firewall Filters (J-Web Procedure) on page 950
    Firewall Filters for EX-series Switches Overview on page 899
    JUNOS Software Network Interfaces Configuration Guide at www.juniper.net/techpubs/software/junos/

flow-control

Syntax
    (flow-control | no-flow-control);

Hierarchy Level
    [edit interfaces interface-name ether-options]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Explicitly enable flow control, which regulates the flow of packets from the switch to the remote side of the connection, or disable it.
    flow-control: Enable flow control. Flow control is useful when the remote device is a Gigabit Ethernet switch.
    no-flow-control: Disable flow control.

Default
    Flow control enabled.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Configuring Interfaces on EX-series Switches (CLI Procedure)
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html

l3-interface

Syntax
    l3-interface interface-name-logical-unit-number;

Hierarchy Level
    [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Associate a Layer 3 interface with the VLAN. Configure Layer 3 interfaces on trunk ports to allow the interface to transfer traffic between multiple VLANs. Within a VLAN, traffic is bridged, while across VLANs, traffic is routed.

Default
    No Layer 3 (routing) interface is associated with the VLAN.

Options
    interface-name-logical-unit-number: Name of a logical interface.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

lacp

Syntax
    lacp mode {
        periodic interval;
    }

Hierarchy Level
    [edit interfaces ae-chassis/slot/port aggregated-ether-options]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Configure the Link Aggregation Control Protocol (LACP).

Default
    LACP is not enabled.

Options
    mode: LACP mode:
        active: Initiate transmission of LACP packets.
        passive: Respond to LACP packets.
    The remaining statement is explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html
    Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 178
    Configuring Aggregated Ethernet LACP (CLI Procedure) on page 297
    Configuring Link Aggregation (J-Web Procedure) on page 296
    Understanding Aggregated Ethernet Interfaces and LACP on page 263

link-mode

Syntax
    link-mode mode;

Hierarchy Level
    [edit interfaces interface-name ether-options]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Set the device's link-connection characteristic.

Default
    The automatic mode is enabled.

Options
    mode: Link characteristic:
        full-duplex: Connection is full duplex.
        half-duplex: Connection is half duplex.
        automatic: Link mode is negotiated.
    If no-auto-negotiation is specified in ether-options, you can select only full-duplex or half-duplex. If auto-negotiation is specified in ether-options, you can select any mode.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Configuring Interfaces on EX-series Switches (CLI Procedure)
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html

members

Syntax
    members [ (names | vlan-ids) ];

Hierarchy Level
    [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching vlan]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    For trunk interfaces, configure the VLANs for which the interface can carry traffic.

Options
    names: Name of one or more VLANs.
    vlan-ids: Numeric identifier of one or more VLANs. For a series of tagged VLANs, specify a range; for example, 10-20.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Configuring Interfaces on EX-series Switches (CLI Procedure)
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    Example: Connecting an Access Switch to a Distribution Switch on page 384
    Creating a Series of Tagged VLANs (CLI Procedure) on page 412
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html

mtu

Syntax
    mtu bytes;

Hierarchy Level
    [edit interfaces interface-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Maximum transmission unit (MTU) size for the media. Changing the media MTU causes an interface to be deleted and added again.

Default
    1514 bytes

Options
    bytes: MTU size.
    Range: 64 through 9216 bytes
    Default: 1514 bytes

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html

native-vlan-id

Syntax
    native-vlan-id vlan-id;

Hierarchy Level
    [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Configure the VLAN identifier to associate with untagged packets received on the interface.

Options
    vlan-id: Numeric identifier of the VLAN.
    Range: 0 through 4095

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Configuring Interfaces on EX-series Switches (CLI Procedure)
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html

periodic

Syntax
    periodic interval;

Hierarchy Level
    [edit interfaces ae-chassis/slot/port aggregated-ether-options lacp]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Configure the interval for periodic transmission of LACP packets.

Default
    fast

Options
    interval: Interval at which to periodically transmit LACP packets:
        fast: Transmit packets every second. This is the default.
        slow: Transmit packets every 30 seconds.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Configuring Interfaces on EX-series Switches (CLI Procedure)
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html
    Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch on page 178
    Configuring Aggregated Ethernet LACP (CLI Procedure) on page 297
    Understanding Aggregated Ethernet Interfaces and LACP on page 263

port-mode

Syntax
    port-mode mode;

Hierarchy Level
    [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Configure whether an interface on the switch operates in access or trunk mode.

Default
    All switch interfaces are in access mode.

Options
    access: Have the interface operate in access mode. In this mode, the interface can be in a single VLAN only. Access interfaces typically connect to network devices such as PCs, printers, IP telephones, and IP cameras.
    trunk: Have the interface operate in trunk mode. In this mode, the interface can be in multiple VLANs and can multiplex traffic between different VLANs. Trunk interfaces typically connect to other switches and to routers on the LAN.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Configuring Interfaces on EX-series Switches (CLI Procedure)
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html
    Example: Connecting an Access Switch to a Distribution Switch on page 384

speed

Syntax
    speed (speed | auto-negotiation);

Hierarchy Level
    [edit interfaces interface-name ether-options]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Configure the interface's speed.

Default
    If the auto-negotiation statement at the [edit interfaces interface-name ether-options] hierarchy level is enabled, the auto-negotiation option is enabled by default.

Options
    speed: Specify the interface speed. If the auto-negotiation statement at the [edit interfaces interface-name ether-options] hierarchy level is disabled, you must specify a specific value. This value sets the speed that is used on the link. If the auto-negotiation statement is enabled, you might want to configure a specific speed value to advertise the desired speed to the remote end.
        10m: 10 Mbps
        100m: 100 Mbps
        1g: 1 Gbps
    auto-negotiation: Automatically negotiate the speed based on the speed of the other end of the link. This option is available only when the auto-negotiation statement at the [edit interfaces interface-name ether-options] hierarchy level is enabled.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Configuring Interfaces on EX-series Switches (CLI Procedure)
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html

translate

Syntax
    translate vlan-id1 vlan-id2;

Hierarchy Level
    [edit interfaces ge-fpc/chassis/port unit 0 family ethernet-switching vlan]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    For trunk interfaces, have the interface change the VLAN identifier on received packets to a different identifier.

Options
    vlan-id1: Number of the VLAN identifier in received packets. This identifier is removed from packets received on the interface.
    vlan-id2: New VLAN identifier. This identifier replaces the one removed from packets received on the interface.

Required Privilege Level
    routing: To view this statement in the configuration.
    routing-control: To add this statement to the configuration.

Related Topics
    show ethernet-switching interfaces on page 545
    Configuring Routed VLAN Interfaces (CLI Procedure) on page 410
    Understanding Bridging and VLANs on EX-series Switches on page 359

unit

Syntax
    unit logical-unit-number {
        family ethernet-switching {
            l3-interface interface-name-logical-unit-number;
            native-vlan-id vlan-id;
            port-mode mode;
            vlan {
                members [ (names | vlan-ids) ];
                translate vlan-id1 vlan-id2;
            }
        }
        vlan-id vlan-id-number;
    }

Hierarchy Level
    [edit interfaces ge-chassis/slot/port]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Configure a logical interface on the physical device. You must configure a logical interface to be able to use the physical device.

Default
    You must configure a logical interface to be able to use the physical device.

Options
    logical-unit-number: Number of the logical unit.
    Range: 0 through 16,384
    The remaining statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Configuring Interfaces on EX-series Switches (CLI Procedure)
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html

vlan

Syntax
    vlan {
        members [ (names | vlan-ids) ];
        translate vlan-id1 vlan-id2;
    }

Hierarchy Level
    [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    For Gigabit Ethernet and aggregated Ethernet interfaces, bind an 802.1Q VLAN tag ID to a logical interface. The statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376
    JUNOS Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html

vlan-id

Syntax
    vlan-id vlan-id-number;

Hierarchy Level
    [edit interfaces ge-chassis/slot/port unit logical-unit-number]

Release Information
    Statement introduced in JUNOS Release 9.2 for EX-series switches.

Description
    For Gigabit Ethernet and aggregated Ethernet interfaces only, bind an 802.1Q VLAN tag ID to a logical interface.

Options
    vlan-id-number: A valid VLAN identifier.
    Range: 1 through 4094.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    vlan-tagging
    Configuring Interfaces on EX-series Switches (CLI Procedure)
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html
    Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch on page 279
    Configuring a Layer 3 Subinterface (CLI Procedure)

vlan-tagging

Syntax
    vlan-tagging;

Hierarchy Level
    [edit interfaces ge-chassis/pic/port]

Release Information
    Statement introduced in JUNOS Release 9.2 for EX-series switches.

Description
    Enable VLAN tagging. The platform will receive and forward single-tag frames with 802.1Q VLAN tags.

Default
    VLAN tagging is disabled by default.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    vlan-id
    Example: Configuring Layer 3 Subinterfaces for a Distribution Switch and an Access Switch on page 279
    Configuring a Layer 3 Subinterface (CLI Procedure)
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html
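The statement reference in this chapter gives each statement's range and the dependencies between statements (no-auto-negotiation forces an explicit link-mode and speed; native-vlan-id runs 0 through 4095 while vlan-id runs 1 through 4094; unit numbers stop at 16,384; mtu is 64 through 9216 bytes). Those rules are exactly what a pre-commit check on generated `set interfaces` configuration should enforce, so the following Python linter is added here as an example. It is not part of the Juniper guide or of JUNOS; `SAMPLE_CONFIG` is constructed for the example, with ge-0/0/1 clean and the other interfaces carrying deliberate mistakes. One check goes beyond the reference text and is marked as this example's assumption: a logical unit with vlan-id is expected to sit under a physical interface that has vlan-tagging enabled.

```python
"""Added example (not from the Juniper guide): a small linter for the
'set interfaces ...' statements of this chapter.

It checks the ranges and dependencies the statement reference documents:
mtu 64..9216, unit 0..16384, native-vlan-id 0..4095, vlan-id 1..4094,
port-mode access|trunk, the link-mode and speed keyword sets, and the rule
that no-auto-negotiation requires an explicit link-mode and speed. One extra
check is this example's assumption, not a statement from the guide: a logical
unit carrying vlan-id is expected under a physical interface with vlan-tagging.

SAMPLE_CONFIG is constructed for this example; ge-0/0/1 is clean and the
other interfaces each carry deliberate mistakes.
"""
from typing import Dict, List

SAMPLE_CONFIG = """\
set interfaces ge-0/0/1 description "uplink to dist-1"
set interfaces ge-0/0/1 mtu 9216
set interfaces ge-0/0/1 ether-options no-auto-negotiation
set interfaces ge-0/0/1 ether-options link-mode full-duplex
set interfaces ge-0/0/1 ether-options speed 1g
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching native-vlan-id 999
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [ 10-20 voice ]
set interfaces ge-0/0/2 ether-options no-auto-negotiation
set interfaces ge-0/0/2 ether-options link-mode automatic
set interfaces ge-0/0/2 unit 0 family ethernet-switching native-vlan-id 4096
set interfaces ge-0/0/3 mtu 20
set interfaces ge-0/0/3 ether-options speed auto-negotiation
set interfaces ge-0/0/3 unit 16385 family ethernet-switching port-mode access
set interfaces ge-0/0/4 vlan-tagging
set interfaces ge-0/0/4 unit 100 vlan-id 100
set interfaces ge-0/0/4 unit 0 vlan-id 0
"""

LINK_MODES = ("full-duplex", "half-duplex", "automatic")
SPEEDS = ("10m", "100m", "1g", "auto-negotiation")


def parse_set_config(text: str) -> Dict[str, dict]:
    """Collect, per physical interface, the values the linter needs."""
    ifaces: Dict[str, dict] = {}
    for raw in text.splitlines():
        tok = raw.split()
        if tok[:2] != ["set", "interfaces"] or len(tok) < 4:
            continue
        name, rest = tok[2], tok[3:]
        d = ifaces.setdefault(name, {"autoneg": True, "link_mode": None, "speed": None,
                                     "mtu": None, "vlan_tagging": False, "units": {}})
        if rest[0] == "mtu":
            d["mtu"] = int(rest[1])
        elif rest[0] == "vlan-tagging":
            d["vlan_tagging"] = True
        elif rest[0] == "ether-options":
            opt = rest[1]
            if opt in ("auto-negotiation", "no-auto-negotiation"):
                d["autoneg"] = opt == "auto-negotiation"
            elif opt == "link-mode":
                d["link_mode"] = rest[2]
            elif opt == "speed":
                d["speed"] = rest[2]
        elif rest[0] == "unit":
            unit = d["units"].setdefault(int(rest[1]), {})
            sub = rest[2:]
            if sub[:2] == ["family", "ethernet-switching"] and len(sub) >= 4:
                key, val = sub[2], sub[3:]
                if key in ("native-vlan-id", "port-mode"):
                    unit[key] = val[0]
                elif key == "vlan" and val[0] == "members":
                    # strip the [ ] brackets of a multi-value member list
                    unit.setdefault("members", []).extend(v for v in val[1:] if v not in ("[", "]"))
            elif sub and sub[0] == "vlan-id":
                unit["vlan-id"] = sub[1]
    return ifaces


def lint_interfaces(ifaces: Dict[str, dict]) -> List[str]:
    """Return one finding per violated rule, formatted as 'interface: message'."""
    findings: List[str] = []
    for name, d in sorted(ifaces.items()):
        msgs: List[str] = []
        if d["mtu"] is not None and not 64 <= d["mtu"] <= 9216:
            msgs.append(f"mtu {d['mtu']} outside 64..9216")
        if d["link_mode"] is not None and d["link_mode"] not in LINK_MODES:
            msgs.append(f"unknown link-mode {d['link_mode']}")
        if d["speed"] is not None and d["speed"] not in SPEEDS:
            msgs.append(f"unknown speed {d['speed']}")
        if not d["autoneg"]:
            # auto-negotiation / link-mode / speed entries: without autonegotiation the
            # link mode must be full-duplex or half-duplex and the speed must be explicit.
            if d["link_mode"] in (None, "automatic"):
                msgs.append("no-auto-negotiation requires link-mode full-duplex or half-duplex")
            if d["speed"] in (None, "auto-negotiation"):
                msgs.append("no-auto-negotiation requires an explicit speed (10m, 100m or 1g)")
        for number, unit in sorted(d["units"].items()):
            if not 0 <= number <= 16384:
                msgs.append(f"unit {number} outside 0..16384")
            mode = unit.get("port-mode")
            if mode is not None and mode not in ("access", "trunk"):
                msgs.append(f"unit {number}: port-mode must be access or trunk")
            if "native-vlan-id" in unit and not 0 <= int(unit["native-vlan-id"]) <= 4095:
                msgs.append(f"unit {number}: native-vlan-id {unit['native-vlan-id']} outside 0..4095")
            if "vlan-id" in unit:
                if not 1 <= int(unit["vlan-id"]) <= 4094:
                    msgs.append(f"unit {number}: vlan-id {unit['vlan-id']} outside 1..4094")
                if not d["vlan_tagging"]:  # assumption, see module docstring
                    msgs.append(f"unit {number}: vlan-id set but vlan-tagging is not enabled")
        findings.extend(f"{name}: {m}" for m in msgs)
    return findings


if __name__ == "__main__":
    print("\n".join(lint_interfaces(parse_set_config(SAMPLE_CONFIG))) or "no findings")
```

Run against the sample, the linter reports nothing for ge-0/0/1, three findings for ge-0/0/2 (link-mode automatic and no speed while autonegotiation is off, native-vlan-id 4096), two for ge-0/0/3 (mtu 20, unit 16385) and one for ge-0/0/4 (vlan-id 0). A port that fails these checks would be rejected at commit time anyway; catching it beforehand keeps a bad push from leaving the switch in a half-applied state.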

Chapter 28

Operational Mode Commands for Interfaces

show interfaces

Syntax
    show interfaces ge-fpc/pic/port
    <brief | detail | extensive | terse>
    <descriptions>
    <media>
    <snmp-index snmp-index>
    <statistics>

Release Information
    Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Display status information about the specified Gigabit Ethernet interface.

Options
    ge-fpc/pic/port: Display standard information about the specified Gigabit Ethernet interface.
    brief | detail | extensive | terse: (Optional) Display the specified level of output.
    descriptions: (Optional) Display interface description strings.
    media: (Optional) Display media-specific information about network interfaces.
    snmp-index snmp-index: (Optional) Display information for the specified SNMP index of the interface.
    statistics: (Optional) Display static interface statistics.

Required Privilege Level
    view

Related Topics
    Monitoring Interface Status and Traffic on page 299
    Troubleshooting an Aggregated Ethernet Interface on page 303
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html

List of Sample Output
    show interfaces (Gigabit Ethernet) on page 338
    show interfaces brief (Gigabit Ethernet) on page 339
    show interfaces detail (Gigabit Ethernet) on page 339
    show interfaces extensive (Gigabit Ethernet) on page 340

Output Fields
    Table 52 on page 332 lists the output fields for the show interfaces command. Output fields are listed in the approximate order in which they appear.
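The output fields in Table 52 are what a monitoring job reads when it polls a port, and the input error counters in particular (Drops, Runts, L2 channel errors and the rest) are the first place a cabling fault, a duplex mismatch or a mis-tagged neighbour shows up. The following Python is an added example, not code from the Juniper guide: it pulls the `Key: value` fields of a `show interfaces` extensive listing into a dictionary and flags every non-zero input error counter with the meaning Table 52 gives it. `SAMPLE_OUTPUT` is constructed for this example and shaped after the field names in Table 52; it is not a capture from a switch, and the parser relies only on the `Key: value` pairs, not on exact spacing.

```python
"""Added example (not from the Juniper guide): pull the Table 52 fields out of
'show interfaces <ge-port> extensive' text and flag non-zero input error
counters, so that a monitoring job can raise an alert instead of a person
reading the screen.

SAMPLE_OUTPUT is constructed for this example and shaped after the field
names in Table 52; it is not a capture from a switch. The parser assumes that
the "Input errors:" heading is followed by one line of comma-separated
counters, which is how the extensive output lays them out.
"""
import re
from typing import Any, Dict, List

SAMPLE_OUTPUT = """\
Physical interface: ge-0/0/1, Enabled, Physical link is Up
  Interface index: 130, SNMP ifIndex: 501
  Description: uplink to dist-1
  Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Last flapped   : 2008-01-16 10:52:40 UTC (3d 22:58 ago)
  Input errors:
    Errors: 0, Drops: 17, Framing errors: 0, Runts: 4, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 250, L2 mismatch timeouts: 0, FIFO errors: 0
"""

# Meaning of each input error counter, condensed from Table 52.
INPUT_ERROR_MEANING = {
    "Errors": "sum of incoming frame aborts and FCS errors",
    "Drops": "dropped by the input queue of the I/O Manager ASIC (RED when saturated)",
    "Framing errors": "received with an invalid frame checksum (FCS)",
    "Runts": "frames smaller than the runt threshold",
    "Policed discards": "frames not recognized or not of interest to the packet match code",
    "L3 incompletes": "failed Layer 3 header sanity checks",
    "L2 channel errors": "no valid logical interface found for the incoming frame",
    "L2 mismatch timeouts": "malformed or short packets discarded as unreadable",
    "FIFO errors": "FIFO errors in the receive direction",
}

HEADER = re.compile(r"^Physical interface: (\S+), (Enabled|Disabled)(?:, Physical link is (\S+))?")


def parse_show_interfaces(text: str) -> Dict[str, Any]:
    """Return the fields as a dict; input error counters go under 'input_errors' as ints."""
    info: Dict[str, Any] = {"input_errors": {}}
    in_input_errors = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            info["name"], info["state"], info["link"] = m.group(1), m.group(2), m.group(3)
            continue
        if line == "Input errors:":
            in_input_errors = True  # the counters follow on the next line
            continue
        target = info["input_errors"] if in_input_errors else info
        for field in line.split(", "):
            key, sep, value = field.partition(":")  # split at the first colon only
            if not sep:
                continue  # a bare token without a key carries nothing we index
            key, value = key.strip(), value.strip()
            target[key] = int(value) if in_input_errors else value
        in_input_errors = False
    return info


def input_error_alerts(info: Dict[str, Any]) -> List[str]:
    """One alert per non-zero input error counter, with its Table 52 meaning."""
    name = info.get("name", "?")
    return [f"{name}: {counter}={count} ({INPUT_ERROR_MEANING.get(counter, 'see Table 52')})"
            for counter, count in info["input_errors"].items() if count]


if __name__ == "__main__":
    parsed = parse_show_interfaces(SAMPLE_OUTPUT)
    print(f"{parsed['name']} {parsed['state']} link={parsed['link']} "
          f"mtu={parsed['MTU']} autoneg={parsed['Auto-negotiation']} last flapped={parsed['Last flapped']}")
    print("\n".join(input_error_alerts(parsed)) or "no input errors")
```

On the sample the parser yields three alerts (Drops, Runts and L2 channel errors). Comparing the counters between two polls, rather than alerting on any non-zero lifetime value, is what a real monitor would do; the `Statistics last cleared` field in Table 52 tells it when the baseline was reset.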

Table 52: Gigabit Ethernet show interfaces Output Fields


Field Name

Field Description

Level of Output

Physical interface

Name of the physical interface.

All levels

Enabled

State of the interface: Enabled or Disabled.

All levels

Physical Interface

332

show interfaces

Chapter 28: Operational Mode Commands for Interfaces

Table 52: Gigabit Ethernet show interfaces Output Fields (continued)

Field Name (Level of Output)
    Field Description

Interface index (detail extensive none)
    Index number of the physical interface, which reflects its initialization sequence.

SNMP ifIndex (detail extensive none)
    SNMP index number for the physical interface.

Generation (detail extensive)
    Unique number for use by Juniper Networks technical support only.

Description (brief detail extensive)
    Optional user-specified description.

Link-level type (All levels)
    Encapsulation being used on the physical interface.

MTU (All levels)
    Maximum transmission unit size on the physical interface. Default is 1514.

Speed (All levels)
    Speed at which the interface is running.

Loopback (All levels)
    Loopback status: Enabled or Disabled. If loopback is enabled, type of loopback:
    Local or Remote.

Source filtering (All levels)
    Source filtering status: Enabled or Disabled.

Flow control (All levels)
    Flow control status: Enabled or Disabled.

Auto-negotiation (All levels)
    Autonegotiation status: Enabled or Disabled.

Remote-fault (All levels)
    Remote fault status:
    - Online: Autonegotiation is manually configured as online.
    - Offline: Autonegotiation is manually configured as offline.

Device flags (All levels)
    Information about the physical device.

Interface flags (All levels)
    Information about the interface.

Link flags (All levels)
    Information about the link.

CoS queues (detail extensive none)
    Number of CoS queues configured.

Hold-times (detail extensive)
    Current interface hold-time up and hold-time down, in milliseconds.

Current address (detail extensive none)
    Configured MAC address.

Hardware address (detail extensive none)
    MAC address of the hardware.

Last flapped (detail extensive none)
    Date, time, and how long ago the interface went from down to up. The format is
    Last flapped: year-month-day hour:minute:second timezone (hour:minute:second ago).
    For example, Last flapped: 2008-01-16 10:52:40 UTC (3d 22:58 ago).

Statistics last cleared (detail extensive)
    Time when the statistics for the interface were last set to zero.

show interfaces

333

Complete Software Guide for JUNOS for EX-series Software, Release 9.2

Traffic statistics (detail extensive)
    Number and rate of bytes and packets received and transmitted on the physical
    interface.
    - Input bytes: Number of bytes received on the interface.
    - Output bytes: Number of bytes transmitted on the interface.
    - Input packets: Number of packets received on the interface.
    - Output packets: Number of packets transmitted on the interface.
    NOTE: The bandwidth bps counter is not enabled on this platform.

Input errors (extensive)
    Input errors on the interface. The following paragraphs explain the counters whose
    meaning might not be obvious:
    - Errors: Sum of the incoming frame aborts and FCS errors.
    - Drops: Number of packets dropped by the input queue of the I/O Manager ASIC. If
      the interface is saturated, this number increments once for every packet that is
      dropped by the ASIC's RED mechanism.
    - Framing errors: Number of packets received with an invalid frame checksum (FCS).
    - Runts: Number of frames received that are smaller than the runt threshold.
    - Policed discards: Number of frames that the incoming packet match code discarded
      because they were not recognized or not of interest. Usually, this field reports
      protocols that the JUNOS software does not handle.
    - L3 incompletes: Number of incoming packets discarded because they failed Layer 3
      sanity checks of the headers. For example, a frame with less than 20 bytes of
      available IP header is discarded.
    - L2 channel errors: Number of times the software did not find a valid logical
      interface for an incoming frame.
    - L2 mismatch timeouts: Number of malformed or short packets that caused the
      incoming packet handler to discard the frame as unreadable.
    - FIFO errors: Number of FIFO errors in the receive direction that are reported by
      the ASIC on the PIC. If this value is ever nonzero, the PIC is probably
      malfunctioning.
    - Resource errors: Sum of transmit drops.

Output errors (extensive)
    Output errors on the interface. The following paragraphs explain the counters whose
    meaning might not be obvious:
    - Carrier transitions: Number of times the interface has gone from down to up. This
      number does not normally increment quickly, increasing only when the cable is
      unplugged, the far-end system is powered down and then up, or another problem
      occurs. If the number of carrier transitions increments quickly (perhaps once
      every 10 seconds), the cable, the far-end system, or the PIC or PIM is
      malfunctioning.
    - Errors: Sum of the outgoing frame aborts and FCS errors.
    - Drops: Number of packets dropped by the output queue of the I/O Manager ASIC. If
      the interface is saturated, this number increments once for every packet that is
      dropped by the ASIC's RED mechanism.
    - Collisions: Number of Ethernet collisions. The Gigabit Ethernet PIC supports only
      full-duplex operation, so for Gigabit Ethernet PICs, this number should always
      remain 0. If it is nonzero, there is a software bug.
    - Aged packets: Number of packets that remained in shared packet SDRAM so long that
      the system automatically purged them. The value in this field should never
      increment. If it does, it is most likely a software bug or possibly malfunctioning
      hardware.
    - FIFO errors: Number of FIFO errors in the send direction as reported by the ASIC
      on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
    - HS link CRC errors: Number of errors on the high-speed links between the ASICs
      responsible for handling the router interfaces.
    - MTU errors: Number of packets whose size exceeded the MTU of the interface.
    - Resource errors: Sum of transmit drops.

Egress queues (detail extensive)
    Total number of egress queues supported on the specified interface.

Queue counters (Egress) (detail extensive)
    CoS queue number and its associated user-configured forwarding class name.
    - Queued packets: Number of queued packets.
    - Transmitted packets: Number of transmitted packets.
    - Dropped packets: Number of packets dropped by the ASIC's RED mechanism.

Active alarms and Active defects (detail extensive none)
    Ethernet-specific defects that can prevent the interface from passing packets. When
    a defect persists for a certain amount of time, it is promoted to an alarm. Based on
    the switch configuration, an alarm can ring the red or yellow alarm bell on the
    switch, or turn on the red or yellow alarm LED on the craft interface. These fields
    can contain the value None or Link.
    - None: There are no active defects or alarms.
    - Link: Interface has lost its link state, which usually means that the cable is
      unplugged, the far-end system has been turned off, or the PIC is malfunctioning.

MAC statistics (extensive)
    Receive and Transmit statistics reported by the PIC's MAC subsystem.
    - Total octets and total packets: Total number of octets and packets. For Gigabit
      Ethernet IQ PICs, the received octets count varies by interface type.
    - Unicast packets, Broadcast packets, and Multicast packets: Number of unicast,
      broadcast, and multicast packets.
    - CRC/Align errors: Total number of packets received that had a length (excluding
      framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive,
      and had either a bad FCS with an integral number of octets (FCS Error) or a bad
      FCS with a nonintegral number of octets (Alignment Error).
    - FIFO error: Number of FIFO errors that are reported by the ASIC on the PIC. If
      this value is ever nonzero, the PIC is probably malfunctioning.
    - MAC control frames: Number of MAC control frames.
    - MAC pause frames: Number of MAC control frames with pause operational code.
    - Oversized frames: Number of frames that exceed 1518 octets.
    - Jabber frames: Number of frames that were longer than 1518 octets (excluding
      framing bits, but including FCS octets), and had either an FCS error or an
      alignment error. This definition of jabber is different from the definition in
      IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2). These
      documents define jabber as the condition in which any packet exceeds 20 ms. The
      allowed range to detect jabber is from 20 ms to 150 ms.
    - Fragment frames: Total number of packets that were less than 64 octets in length
      (excluding framing bits, but including FCS octets), and had either an FCS error
      or an alignment error. Fragment frames normally increment because both runts
      (which are normal occurrences caused by collisions) and noise hits are counted.
    - VLAN tagged frames: Number of frames that are VLAN tagged. The system uses the
      TPID of 0x8100 in the frame to determine whether a frame is tagged or not.
    - Code violations: Number of times an event caused the PHY to indicate Data
      reception error or invalid data symbol error.

Filter statistics (extensive)
    Receive and Transmit statistics reported by the PIC's MAC address filter subsystem.

Autonegotiation information (extensive)
    Information about link autonegotiation.
    - Negotiation status:
      - Incomplete: Ethernet interface has the speed or link mode configured.
      - No autonegotiation: Remote Ethernet interface has the speed or link mode
        configured, or does not perform autonegotiation.
      - Complete: Ethernet interface is connected to a device that performs
        autonegotiation and the autonegotiation process is successful.
    - Link partner status: OK when Ethernet interface is connected to a device that
      performs autonegotiation and the autonegotiation process is successful.
    - Link partner:
      - Link mode: Depending on the capability of the attached Ethernet device, either
        Full-duplex or Half-duplex.
      - Flow control: Types of flow control supported by the remote Ethernet device.
        For Gigabit Ethernet interfaces, types are Symmetric (link partner supports
        PAUSE on receive and transmit), Asymmetric (link partner supports PAUSE on
        transmit), and Symmetric/Asymmetric (link partner supports both PAUSE on
        receive and transmit or only PAUSE receive).
      - Remote fault: Remote fault information from the link partner. Failure indicates
        a receive link error. OK indicates that the link partner is receiving.
        Negotiation error indicates a negotiation error. Offline indicates that the
        link partner is going offline.
      - Link partner speed: Speed of the link partner.
    - Local resolution: Information from the link partner:
      - Flow control: Types of flow control supported by the remote Ethernet device.
        For Gigabit Ethernet interfaces, types are Symmetric (link partner supports
        PAUSE on receive and transmit), Asymmetric (link partner supports PAUSE on
        transmit), and Symmetric/Asymmetric (link partner supports both PAUSE on
        receive and transmit or only PAUSE receive).
      - Remote fault: Remote fault information. Link OK (no error detected on receive),
        Offline (local interface is offline), and Link Failure (link error detected on
        receive).

Packet Forwarding Engine configuration (extensive)
    Information about the configuration of the Packet Forwarding Engine:
    - Destination slot: FPC slot number.

Logical Interface

Logical interface (All levels)
    Name of the logical interface.

Index (detail extensive none)
    Index number of the logical interface, which reflects its initialization sequence.

SNMP ifIndex (detail extensive none)
    SNMP interface index number for the logical interface.

Generation (detail extensive)
    Unique number for use by Juniper Networks technical support only.

Flags (All levels)
    Information about the logical interface.

Encapsulation (All levels)
    Encapsulation on the logical interface.

Protocol (detail extensive none)
    Protocol family.

MTU (detail extensive none)
    This field is not supported for logical interfaces on EX-series switches.

Generation (detail extensive)
    Unique number for use by Juniper Networks technical support only.

Route Table (detail extensive none)
    Route table in which the logical interface address is located. For example, 0
    refers to the routing table inet.0.

Flags (detail extensive)
    Information about protocol family flags. If unicast Reverse Path Forwarding (uRPF)
    is explicitly configured on the specified interface, the uRPF flag displays. If uRPF
    was configured on a different interface (and therefore is enabled on all switch
    interfaces) but was not explicitly configured on the specified interface, the uRPF
    flag does not display even though uRPF is enabled.

protocol-family (brief)
    Protocol family configured on the logical interface. If the protocol is inet, the
    IP address of the interface is also displayed.

Flags (detail extensive none)
    Information about address flag.

Destination (detail extensive none)
    IP address of the remote side of the connection.

Local (detail extensive none)
    IP address of the logical interface.

Broadcast (detail extensive none)
    Broadcast address of the logical interface.

Generation (detail extensive)
    Unique number for use by Juniper Networks technical support only.

show interfaces (Gigabit Ethernet)

user@host> show interfaces ge-0/0/0
Physical interface: ge-0/0/0, Enabled, Physical link is Down
  Interface index: 129, SNMP ifIndex: 21
  Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled
  Remote fault: Online
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:19:e2:50:3f:41, Hardware address: 00:19:e2:50:3f:41
  Last flapped   : 2008-01-16 11:40:53 UTC (4d 02:30 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Ingress rate at Packet Forwarding Engine      : 0 bps (0 pps)
  Ingress drop rate at Packet Forwarding Engine : 0 bps (0 pps)
  Active alarms  : None
  Active defects : None

  Logical interface ge-0/0/0.0 (Index 65) (SNMP ifIndex 22)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 0
    Output packets: 0
    Protocol eth-switch, MTU: 0
      Flags: None

show interfaces brief (Gigabit Ethernet)

user@host> show interfaces ge-0/0/0 brief
Physical interface: ge-0/0/0, Enabled, Physical link is Down
  Description: voice priority and tcp and icmp traffic rate-limiting filter at ingress port
  Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
  Remote fault: Online
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Link flags     : None

  Logical interface ge-0/0/0.0
    Flags: Device-Down SNMP-Traps Encapsulation: ENET2
    eth-switch

show interfaces detail (Gigabit Ethernet)

user@host> show interfaces ge-0/0/0 detail
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Interface index: 129, SNMP ifIndex: 21, Generation: 130
  Link-level type: Ethernet, MTU: 1514, Speed: Auto, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
  Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:19:e2:50:a8:a1, Hardware address: 00:19:e2:50:a8:a1
  Last flapped   : 2008-01-29 10:54:31 UTC (01:36:47 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :         368613240000                    0 bps
   Output bytes  :         368642493760                    0 bps
   Input  packets:           5759581881                    0 pps
   Output packets:           5760038969                    0 pps
  Egress queues: 8 supported, 0 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                                 5760782572
    1 assured-forw
    5 expedited-fo
    7 network-cont
  Active alarms  : None
  Active defects : None

  Logical interface ge-0/0/0.0 (Index 66) (SNMP ifIndex 22) (Generation 132)
    Flags: SNMP-Traps Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                   60
     Output bytes  :                    0
     Input  packets:                    1
     Output packets:                    0
    Local statistics:
     Input  bytes  :                   60
     Output bytes  :                    0
     Input  packets:                    1
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Protocol eth-switch, MTU: 0, Generation: 143, Route table: 0
      Flags: Is-Primary

show interfaces extensive (Gigabit Ethernet)

user@host> show interfaces ge-0/0/0 extensive
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Interface index: 129, SNMP ifIndex: 21, Generation: 130
  Link-level type: Ethernet, MTU: 1514, Speed: Auto, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
  Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:19:e2:50:a8:a1, Hardware address: 00:19:e2:50:a8:a1
  Last flapped   : 2008-01-29 10:54:31 UTC (01:40:54 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :         386327695808                    0 bps
   Output bytes  :         386356949568                    0 bps
   Input  packets:           6036370253                    0 pps
   Output packets:           6036827341                    0 pps
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
    FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 0 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                    0           6036979415                    0
    1 assured-forw                   0                    0                    0
    5 expedited-fo                   0                    0                    0
    7 network-cont                   0                    0                    0
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                  386327695808     386356949568
    Total packets                   6036370253       6036827341
    Unicast packets                 6036370252       6036827341
    Broadcast packets                        0                0
    Multicast packets                        1                0
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
  Filter statistics:
    Input packet count                       0
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count                      0
    Output packet pad count                  0
    Output packet error count                0
    CAM destination filters: 0, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Complete
    Link partner:
        Link mode: Full-duplex, Flow control: None, Remote fault: OK,
        Link partner Speed: 1000 Mbps
    Local resolution:
        Flow control: None, Remote fault: Link OK
  Packet Forwarding Engine configuration:
    Destination slot: 0

  Logical interface ge-0/0/0.0 (Index 66) (SNMP ifIndex 22) (Generation 132)
    Flags: SNMP-Traps Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                   60
     Output bytes  :                    0
     Input  packets:                    1
     Output packets:                    0
    Local statistics:
     Input  bytes  :                   60
     Output bytes  :                    0
     Input  packets:                    1
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Protocol eth-switch, MTU: 0, Generation: 143, Route table: 0
      Flags: Is-Primary
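The Input errors and Output errors rows of Table 52 (and the same rows of Table 53 below) single out counters that must stay at zero on a healthy port (FIFO errors, Collisions, Aged packets, HS link CRC errors) and say that carrier transitions incrementing roughly once every 10 seconds point at the cable, the far-end system or the PIC. The following Python script is an added example, not part of this guide: it parses those two blocks from text in the extensive output format shown above and reports both conditions; the sample text is constructed in that format with a few counters deliberately set nonzero, and the 10-second flap threshold is taken from the table's wording.

```python
"""Check the error counters of a JUNOS 'show interfaces <name> extensive' dump
against the expectations stated in the guide's Input errors / Output errors rows.
Added example, not part of the JUNOS guide."""
import re

# Counters whose description says any nonzero value means a software bug or a
# malfunctioning PIC, keyed by the block they appear in.
ZERO_EXPECTED = {
    "input": ("FIFO errors",),
    "output": ("Collisions", "Aged packets", "FIFO errors", "HS link CRC errors"),
}

# The guide calls carrier transitions that increment "perhaps once every 10
# seconds" a sign of a cable, far-end system, or PIC/PIM problem.
FLAP_THRESHOLD_PER_SEC = 1 / 10

# Constructed sample in the format of the extensive output shown above; the
# FIFO errors, Collisions and Carrier transitions values are deliberately nonzero.
SAMPLE = """\
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Interface index: 129, SNMP ifIndex: 21, Generation: 130
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 3, Resource errors: 0
  Output errors:
    Carrier transitions: 15, Errors: 0, Drops: 0, Collisions: 7, Aged packets: 0,
    FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 0 in use
"""

# One "Name: value" pair; names may contain spaces, digits and '/' (e.g. "L3 incompletes").
COUNTER_RE = re.compile(r"([A-Za-z0-9 /]+?):\s*(\d+)")


def parse_error_sections(text):
    """Return {'input': {name: value}, 'output': {name: value}} taken from the
    'Input errors:' and 'Output errors:' blocks. Counter lines are indented
    deeper than their header; a line back at the header's indent ends the block,
    so 'Egress queues: 8 ...' is not mistaken for a counter."""
    counters = {"input": {}, "output": {}}
    section, header_indent = None, 0
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        if stripped in ("Input errors:", "Output errors:"):
            section = stripped.split()[0].lower()
            header_indent = indent
            continue
        if section is None:
            continue
        if indent <= header_indent:
            section = None
            continue
        for name, value in COUNTER_RE.findall(stripped):
            counters[section][name.strip()] = int(value)
    return counters


def find_anomalies(counters):
    """List (direction, counter, value) for every should-be-zero counter that is not."""
    found = []
    for direction, names in ZERO_EXPECTED.items():
        for name in names:
            value = counters[direction].get(name, 0)
            if value:
                found.append((direction, name, value))
    return sorted(found)


def carrier_flap_rate(previous, current, elapsed_seconds):
    """Carrier transitions per second between two snapshots of the counter.
    The counter only grows unless statistics are cleared, so a negative delta
    (cleared in between) or a bad interval yields 0.0 rather than a false alarm."""
    delta = current - previous
    if delta < 0 or elapsed_seconds <= 0:
        return 0.0
    return delta / elapsed_seconds


def is_flapping(previous, current, elapsed_seconds):
    """True when the link bounced at least as often as once every 10 seconds."""
    return carrier_flap_rate(previous, current, elapsed_seconds) >= FLAP_THRESHOLD_PER_SEC


if __name__ == "__main__":
    counts = parse_error_sections(SAMPLE)
    for direction, name, value in find_anomalies(counts):
        print(f"{direction} {name} = {value}: should always be 0 (bug or faulty PIC)")
    # Pretend a snapshot taken 60 seconds earlier showed 3 carrier transitions.
    now = counts["output"]["Carrier transitions"]
    if is_flapping(3, now, 60):
        print(f"carrier transitions 3 -> {now} in 60 s: check cable, far end, or PIC")
```

Running the script twice against successive snapshots of the same port and feeding the two Carrier transitions values to is_flapping is what turns the table's "once every 10 seconds" wording into a check.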


show interfaces

Syntax
    show interfaces xe-fpc/pic/port
        <brief | detail | extensive | terse>
        <descriptions>
        <media>
        <snmp-index snmp-index>
        <statistics>

Release Information
    Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Display status information about the specified 10-Gigabit Ethernet interface.

Options
    xe-fpc/pic/port: Display standard information about the specified 10-Gigabit
    Ethernet interface.
    brief | detail | extensive | terse: (Optional) Display the specified level of output.
    descriptions: (Optional) Display interface description strings.
    media: (Optional) Display media-specific information about network interfaces.
    snmp-index snmp-index: (Optional) Display information for the specified SNMP index
    of the interface.
    statistics: (Optional) Display static interface statistics.

Required Privilege Level
    view

Related Topics
    Monitoring Interface Status and Traffic on page 299
    Troubleshooting an Aggregated Ethernet Interface on page 303
    JUNOS Software Network Interfaces Configuration Guide at
    http://www.juniper.net/techpubs/software/junos/junos90/index.html

List of Sample Output
    show interfaces (10-Gigabit Ethernet) on page 349
    show interfaces brief (10-Gigabit Ethernet) on page 349
    show interfaces detail (10-Gigabit Ethernet) on page 349
    show interfaces extensive (10-Gigabit Ethernet) on page 350

Output Fields
    Table 53 on page 342 lists the output fields for the show interfaces command. Output
    fields are listed in the approximate order in which they appear.

Table 53: 10-Gigabit Ethernet show interfaces Output Fields

Field Name (Level of Output)
    Field Description

Physical Interface

Physical interface (All levels)
    Name of the physical interface.

Enabled (All levels)
    State of the interface.

Interface index (detail extensive none)
    Index number of the physical interface, which reflects its initialization sequence.

SNMP ifIndex (detail extensive none)
    SNMP index number for the physical interface.

Generation (detail extensive)
    Unique number for use by Juniper Networks technical support only.

Link-level type (All levels)
    Encapsulation being used on the physical interface.

MTU (All levels)
    Maximum transmission unit size on the physical interface.

Speed (All levels)
    Speed at which the interface is running.

Loopback (All levels)
    Loopback status: Enabled or Disabled. If loopback is enabled, type of loopback:
    Local or Remote.

Source filtering (All levels)
    Source filtering status: Enabled or Disabled.

LAN-PHY mode (All levels)
    10-Gigabit Ethernet interface operating in Local Area Network Physical Layer Device
    (LAN PHY) mode. LAN PHY allows 10-Gigabit Ethernet wide area links to use existing
    Ethernet applications.

Unidirectional (All levels)
    Unidirectional link mode status for 10-Gigabit Ethernet interface: Enabled or
    Disabled for parent interface; Rx-only or Tx-only for child interfaces.

Flow control (All levels)
    Flow control status: Enabled or Disabled.

Auto-negotiation (All levels)
    Autonegotiation status: Enabled or Disabled.

Remote-fault (All levels)
    Remote fault status:
    - Online: Autonegotiation is manually configured as online.
    - Offline: Autonegotiation is manually configured as offline.

Device flags (All levels)
    Information about the physical device.

Interface flags (All levels)
    Information about the interface.

Link flags (All levels)
    Information about the link.

Wavelength (All levels)
    Configured wavelength, in nanometers (nm).

Frequency (All levels)
    Frequency associated with the configured wavelength, in terahertz (THz).

CoS queues (detail extensive none)
    Number of CoS queues configured.

Schedulers (extensive)
    Number of CoS schedulers configured.

Hold-times (detail extensive)
    Current interface hold-time up and hold-time down, in milliseconds.

Current address (detail extensive none)
    Configured MAC address.

Hardware address (detail extensive none)
    Hardware MAC address.

Last flapped (detail extensive none)
    Date, time, and how long ago the interface went from down to up. The format is
    Last flapped: year-month-day hour:minute:second timezone (hour:minute:second ago).
    For example, Last flapped: 2008-01-16 10:52:40 UTC (3d 22:58 ago).

Input Rate (None specified)
    Input rate in bits per second (bps) and packets per second (pps).

Output Rate (None specified)
    Output rate in bps and pps.

Statistics last cleared (detail extensive)
    Time when the statistics for the interface were last set to zero.

Traffic statistics (detail extensive)
    Number and rate of bytes and packets received and transmitted on the physical
    interface.
    - Input bytes: Number of bytes received on the interface.
    - Output bytes: Number of bytes transmitted on the interface.
    - Input packets: Number of packets received on the interface.
    - Output packets: Number of packets transmitted on the interface.
    NOTE: The bandwidth bps counter is not enabled on this platform.

Input errors (extensive)
    Input errors on the interface. The following paragraphs explain the counters whose
    meaning might not be obvious:
    - Errors: Sum of the incoming frame aborts and FCS errors.
    - Drops: Number of packets dropped by the input queue of the I/O Manager ASIC. If
      the interface is saturated, this number increments once for every packet that is
      dropped by the ASIC's RED mechanism.
    - Framing errors: Number of packets received with an invalid frame checksum (FCS).
    - Runts: Number of frames received that are smaller than the runt threshold.
    - Policed discards: Number of frames that the incoming packet match code discarded
      because they were not recognized or not of interest. Usually, this field reports
      protocols that the JUNOS software does not handle.
    - L3 incompletes: Number of incoming packets discarded because they failed Layer 3
      sanity checks of the header. For example, a frame with less than 20 bytes of
      available IP header is discarded. L3 incomplete errors can be ignored if you
      configure the ignore-l3-incompletes statement.
    - L2 channel errors: Number of times the software did not find a valid logical
      interface for an incoming frame.
    - L2 mismatch timeouts: Number of malformed or short packets that caused the
      incoming packet handler to discard the frame as unreadable.
    - FIFO errors: Number of FIFO errors in the receive direction that are reported by
      the ASIC on the PIC. If this value is ever nonzero, the PIC is probably
      malfunctioning.
    - Resource errors: Sum of transmit drops.

Output errors (extensive)
    Output errors on the interface. The following paragraphs explain the counters whose
    meaning might not be obvious:
    - Carrier transitions: Number of times the interface has gone from down to up. This
      number does not normally increment quickly, increasing only when the cable is
      unplugged, the far-end system is powered down and then up, or another problem
      occurs. If the number of carrier transitions increments quickly (perhaps once
      every 10 seconds), the cable, the far-end system, or the PIC or PIM is
      malfunctioning.
    - Errors: Sum of the outgoing frame aborts and FCS errors.
    - Drops: Number of packets dropped by the output queue of the I/O Manager ASIC. If
      the interface is saturated, this number increments once for every packet that is
      dropped by the ASIC's RED mechanism.
    - Collisions: Number of Ethernet collisions. The Gigabit Ethernet PIC supports only
      full-duplex operation, so for Gigabit Ethernet PICs, this number should always
      remain 0. If it is nonzero, there is a software bug.
    - Aged packets: Number of packets that remained in shared packet SDRAM so long that
      the system automatically purged them. The value in this field should never
      increment. If it does, it is most likely a software bug or possibly malfunctioning
      hardware.
    - FIFO errors: Number of FIFO errors in the send direction as reported by the ASIC
      on the PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
    - HS link CRC errors: Number of errors on the high-speed links between the ASICs
      responsible for handling the router interfaces.
    - MTU errors: Number of packets whose size exceeded the MTU of the interface.
    - Resource errors: Sum of transmit drops.

Egress queues (detail extensive)
    Total number of egress queues supported on the specified interface.

Queue counters (Egress) (detail extensive)
    CoS queue number and its associated user-configured forwarding class name.
    - Queued packets: Number of queued packets.
    - Transmitted packets: Number of transmitted packets.
    - Dropped packets: Number of packets dropped by the ASIC's RED mechanism.

Ingress queues (extensive)
    Total number of ingress queues supported on the specified interface.

Queue counters (Ingress) (extensive)
    CoS queue number and its associated user-configured forwarding class name.
    - Queued packets: Number of queued packets.
    - Transmitted packets: Number of transmitted packets.
    - Dropped packets: Number of packets dropped by the ASIC's RED mechanism.

Active alarms and Active defects (detail extensive none)
    Ethernet-specific defects that can prevent the interface from passing packets. When
    a defect persists for a certain amount of time, it is promoted to an alarm. Based on
    the router configuration, an alarm can ring the red or yellow alarm bell on the
    router, or turn on the red or yellow alarm LED on the craft interface. These fields
    can contain the value None or Link.
    - None: There are no active defects or alarms.
    - Link: Interface has lost its link state, which usually means that the cable is
      unplugged, the far-end system has been turned off, or the PIC is malfunctioning.

PCS statistics (detail extensive)
    Physical Coding Sublayer (PCS) fault conditions from the LAN PHY device.

MAC statistics (extensive)
    Receive and Transmit statistics reported by the PIC's MAC subsystem.
    - Total octets and total packets: Total number of octets and packets. For Gigabit
      Ethernet IQ PICs, the received octets count varies by interface type.
    - Unicast packets, Broadcast packets, and Multicast packets: Number of unicast,
      broadcast, and multicast packets.
    - CRC/Align errors: Total number of packets received that had a length (excluding
      framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive,
      and had either a bad FCS with an integral number of octets (FCS Error) or a bad
      FCS with a nonintegral number of octets (Alignment Error).
    - FIFO error: Number of FIFO errors that are reported by the ASIC on the PIC. If
      this value is ever nonzero, the PIC is probably malfunctioning.
    - MAC control frames: Number of MAC control frames.
    - MAC pause frames: Number of MAC control frames with pause operational code.
    - Oversized frames: Number of frames that exceed 1518 octets.
    - Jabber frames: Number of frames that were longer than 1518 octets (excluding
      framing bits, but including FCS octets), and had either an FCS error or an
      alignment error. This definition of jabber is different from the definition in
      IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2). These
      documents define jabber as the condition in which any packet exceeds 20 ms. The
      allowed range to detect jabber is from 20 ms to 150 ms.
    - Fragment frames: Total number of packets that were less than 64 octets in length
      (excluding framing bits, but including FCS octets), and had either an FCS error
      or an alignment error. Fragment frames normally increment because both runts
      (which are normal occurrences caused by collisions) and noise hits are counted.
    - VLAN tagged frames: Number of frames that are VLAN tagged. The system uses the
      TPID of 0x8100 in the frame to determine whether a frame is tagged or not.
    - Code violations: Number of times an event caused the PHY to indicate Data
      reception error or invalid data symbol error.

Filter statistics (extensive)
    Receive and Transmit statistics reported by the PIC's MAC address filter subsystem.

Autonegotiation information (extensive)
    Information about link autonegotiation.
    - Negotiation status:
      - Incomplete: Ethernet interface has the speed or link mode configured.
      - No autonegotiation: Remote Ethernet interface has the speed or link mode
        configured, or does not perform autonegotiation.
      - Complete: Ethernet interface is connected to a device that performs
        autonegotiation and the autonegotiation process is successful.
    - Link partner status: OK when Ethernet interface is connected to a device that
      performs autonegotiation and the autonegotiation process is successful.
    - Link partner:
      - Link mode: Depending on the capability of the attached Ethernet device, either
        Full-duplex or Half-duplex.
      - Flow control: Types of flow control supported by the remote Ethernet device.
        For Fast Ethernet interfaces, the type is None. For Gigabit Ethernet
        interfaces, types are Symmetric (link partner supports PAUSE on receive and
        transmit), Asymmetric (link partner supports PAUSE on transmit), and
        Symmetric/Asymmetric (link partner supports both PAUSE on receive and transmit
        or only PAUSE receive).
      - Remote fault: Remote fault information from the link partner. Failure indicates
        a receive link error. OK indicates that the link partner is receiving.
        Negotiation error indicates a negotiation error. Offline indicates that the
        link partner is going offline.
    - Local resolution: Information from the link partner:
      - Flow control: Types of flow control supported by the remote Ethernet device.
        For Gigabit Ethernet interfaces, types are Symmetric (link partner supports
        PAUSE on receive and transmit), Asymmetric (link partner supports PAUSE on
        transmit), and Symmetric/Asymmetric (link partner supports both PAUSE on
        receive and transmit or only PAUSE receive).
      - Remote fault: Remote fault information. Link OK (no error detected on receive),
        Offline (local interface is offline), and Link Failure (link error detected on
        receive).

show interfaces

347

Complete Software Guide for JUNOS for EX-series Software, Release 9.2

Table 53: 10-Gigabit Ethernet show interfaces Output Fields (continued)


Field Name

Field Description

Level of Output

Packet Forwarding
Engine
configuration

Information about the configuration of the Packet Forwarding Engine:

extensive

Destination slotFPC slot number.

CoS transmit queueQueue number and its associated user-configured

forwarding class name.

Bandwidth %Percentage of bandwidth allocated to the queue.

Bandwidth bpsBandwidth allocated to the queue (in bps).

Buffer %Percentage of buffer space allocated to the queue.

Buffer usecAmount of buffer space allocated to the queue, in

microseconds. This value is nonzero only if the buffer size is configured


in terms of time.

PriorityQueue priority: low or high.

LimitDisplayed if rate limiting is configured for the queue. Possible values


are none and exact. If exact is configured, the queue transmits only up to
the configured bandwidth, even if excess bandwidth is available. If none

is configured, the queue transmits beyond the configured bandwidth if


bandwidth is available.
Logical Interface

Logical interface (level of output: all levels): Name of the logical interface.

Index (level of output: detail extensive none): Index number of the logical
interface, which reflects its initialization sequence.

SNMP ifIndex (level of output: detail extensive none): SNMP interface index
number for the logical interface.

Generation (level of output: detail extensive): Unique number for use by
Juniper Networks technical support only.

Flags (level of output: all levels): Information about the logical interface.

Encapsulation (level of output: all levels): Encapsulation on the logical
interface.

Protocol (level of output: detail extensive none): Protocol family.

MTU (level of output: detail extensive none): This field is not supported for
logical interfaces on EX-series switches.

Generation (level of output: detail extensive): Unique number for use by
Juniper Networks technical support only.

Route Table (level of output: detail extensive none): Route table in which the
logical interface address is located. For example, 0 refers to the routing
table inet.0.

Flags (level of output: detail extensive): Information about protocol family
flags. If unicast Reverse Path Forwarding (uRPF) is explicitly configured on
the specified interface, the uRPF flag displays. If uRPF was configured on a
different interface (and therefore is enabled on all switch interfaces) but
was not explicitly configured on the specified interface, the uRPF flag does
not display even though uRPF is enabled.

Addresses, Flags (level of output: detail extensive none): Information about
the address flags.

protocol-family (level of output: brief): Protocol family configured on the
logical interface. If the protocol is inet, the IP address of the interface
is also displayed.

Flags (level of output: detail extensive none): Information about address
flag.

Destination (level of output: detail extensive none): IP address of the remote
side of the connection.

Local (level of output: detail extensive none): IP address of the logical
interface.

Broadcast (level of output: detail extensive none): Broadcast address of the
logical interface.

Generation (level of output: detail extensive): Unique number for use by
Juniper Networks technical support only.

show interfaces (10-Gigabit Ethernet)

user@host> show interfaces xe-0/1/0
Physical interface: xe-0/1/0, Enabled, Physical link is Up
  Interface index: 153, SNMP ifIndex: 69
  Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 00:19:e2:50:c8:99, Hardware address: 00:19:e2:50:c8:99
  Last flapped   : 2008-02-25 05:28:08 UTC (00:12:49 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Active alarms  : None
  Active defects : None

  Logical interface xe-0/1/0.0 (Index 88) (SNMP ifIndex 70)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 0
    Output packets: 0
    Protocol eth-switch, MTU: 0
      Flags: None

show interfaces brief (10-Gigabit Ethernet)

user@host> show interfaces brief xe-0/1/0
Physical interface: xe-0/1/0, Enabled, Physical link is Up
  Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None

  Logical interface xe-0/1/0.0
    Flags: SNMP-Traps Encapsulation: ENET2
    eth-switch

show interfaces detail (10-Gigabit Ethernet)

user@host> show interfaces detail xe-0/1/0
Physical interface: xe-0/1/0, Enabled, Physical link is Up
  Interface index: 153, SNMP ifIndex: 69, Generation: 154
  Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:19:e2:50:c8:99, Hardware address: 00:19:e2:50:c8:99
  Last flapped   : 2008-02-25 05:28:08 UTC (00:16:29 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                    0                    0 bps
   Output bytes  :                    0                    0 bps
   Input  packets:                    0                    0 pps
   Output packets:                    0                    0 pps
  Egress queues: 8 supported, 0 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort
    1 assured-forw
    5 expedited-fo
    7 network-cont
  Active alarms  : None
  Active defects : None

  Logical interface xe-0/1/0.0 (Index 88) (SNMP ifIndex 70) (Generation 154)
    Flags: SNMP-Traps Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Protocol eth-switch, MTU: 0, Generation: 166, Route table: 0
      Flags: None

show interfaces extensive (10-Gigabit Ethernet)

user@host> show interfaces extensive xe-0/1/0
Physical interface: xe-0/1/0, Enabled, Physical link is Up
  Interface index: 153, SNMP ifIndex: 69, Generation: 154
  Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:19:e2:50:c8:99, Hardware address: 00:19:e2:50:c8:99
  Last flapped   : 2008-02-25 05:28:08 UTC (00:17:30 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                    0                    0 bps
   Output bytes  :                    0                    0 bps
   Input  packets:                    0                    0 pps
   Output packets:                    0                    0 pps
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
    FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  Egress queues: 8 supported, 0 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort
    1 assured-forw
    5 expedited-fo
    7 network-cont
  Active alarms  : None
  Active defects : None
  MAC statistics:                      Receive         Transmit
    Total octets                             0                0
    Total packets                            0                0
    Unicast packets                          0                0
    Broadcast packets                        0                0
    Multicast packets                        0                0
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
  Filter statistics:
    Input packet count                       0
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count                                       0
    Output packet pad count                                   0
    Output packet error count                                 0
    CAM destination filters: 0, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Incomplete
  Packet Forwarding Engine configuration:
    Destination slot: 0
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 best-effort            95      950000000    95              0      low    none
    7 network-control         5       50000000     5                     low    none

  Logical interface xe-0/1/0.0 (Index 88) (SNMP ifIndex 70) (Generation 154)
    Flags: SNMP-Traps Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Protocol eth-switch, MTU: 0, Generation: 166, Route table: 0
      Flags: None
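The counters in the extensive output are only useful when read as a trend: a CRC/Align or jabber count of zero says nothing, but one that grows between two captures points at a physical-layer problem on that link. The following Python is an added example and not Juniper code; the two snapshots are constructed text modelled on the output above, and the selection in LINK_HEALTH_COUNTERS is illustrative.

```python
"""Compare two captures of `show interfaces extensive` and report error
counters that increased. Added example, not JUNOS code; the snapshots below
are constructed from the field layout shown in the documentation."""
import re
from typing import Dict

# Constructed sample: the error and MAC-statistics sections of two captures.
SNAPSHOT_BEFORE = """\
Physical interface: xe-0/1/0, Enabled, Physical link is Up
  Statistics last cleared: Never
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
    FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  MAC statistics:                      Receive         Transmit
    Total octets                             0                0
    Total packets                            0                0
    CRC/Align errors                         0                0
    Jabber frames                            0
  Filter statistics:
    Input packet count                       0
"""

SNAPSHOT_AFTER = """\
Physical interface: xe-0/1/0, Enabled, Physical link is Up
  Statistics last cleared: Never
  Input errors:
    Errors: 17, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
    L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 3, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
    FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
  MAC statistics:                      Receive         Transmit
    Total octets                       1048576           524288
    Total packets                         1024              512
    CRC/Align errors                        17                0
    Jabber frames                            2
  Filter statistics:
    Input packet count                    1024
"""

# "Name: 123" pairs on the Input errors / Output errors lines.
KV_RE = re.compile(r"([A-Za-z0-9/ ]+?):\s*(\d+)")
# One MAC statistics row: name, receive value, optional transmit value.
MAC_RE = re.compile(r"^\s{4}([A-Za-z/ ]+?)\s{2,}(\d+)(?:\s+(\d+))?\s*$")


def parse_counters(text: str) -> Dict[str, int]:
    """Flatten the error and MAC-statistics sections into 'section/name' -> int."""
    counters: Dict[str, int] = {}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("Input errors:", "Output errors:"):
            section = stripped.rstrip(":")
            continue
        if stripped.startswith("MAC statistics:"):
            section = "MAC statistics"
            continue
        if section is None or not line.startswith("    "):
            section = None          # a less-indented line ends the section
            continue
        if section == "MAC statistics":
            m = MAC_RE.match(line)
            if m:
                name, rx, tx = m.group(1).strip(), m.group(2), m.group(3)
                counters[f"{section}/Receive/{name}"] = int(rx)
                if tx is not None:   # receive-only rows have no transmit column
                    counters[f"{section}/Transmit/{name}"] = int(tx)
        else:
            for name, value in KV_RE.findall(line):
                counters[f"{section}/{name.strip()}"] = int(value)
    return counters


def counter_deltas(before: str, after: str) -> Dict[str, int]:
    """Counters whose value grew between the two captures, with the increase."""
    old, new = parse_counters(before), parse_counters(after)
    return {k: v - old.get(k, 0) for k, v in new.items() if v > old.get(k, 0)}


# Illustrative selection: growth here usually means a cabling, optics or
# duplex/autonegotiation problem rather than a traffic problem.
LINK_HEALTH_COUNTERS = (
    "Input errors/Errors",
    "Input errors/Framing errors",
    "Input errors/Runts",
    "Output errors/Carrier transitions",
    "MAC statistics/Receive/CRC/Align errors",
    "MAC statistics/Receive/Jabber frames",
    "MAC statistics/Receive/Fragment frames",
)


def link_health_findings(before: str, after: str) -> Dict[str, int]:
    """Subset of the deltas that a link-health check should alert on."""
    return {k: v for k, v in counter_deltas(before, after).items()
            if k in LINK_HEALTH_COUNTERS}


if __name__ == "__main__":
    for name, growth in link_health_findings(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{name}: +{growth}")
```

Because "Statistics last cleared" is part of the capture, a production version should refuse to diff two captures with different clear times; the counters reset to zero in between and the delta would be meaningless.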


show interfaces diagnostics optics

Syntax: show interfaces diagnostics optics interface-name

Release Information: Command introduced in JUNOS Release 9.0 for EX-series switches.

Description: Display diagnostics data and alarms for 10-Gigabit Ethernet dense
wavelength-division multiplexing (DWDM) interfaces.
Thresholds that trigger a high alarm, low alarm, high warning, or low warning are
set by the transponder vendors. Generally, a high alarm or low alarm indicates that
the optics module is not operating properly. This information can be used to diagnose
why a PIC is not working.

Options:
interface-name: Interface name: ge-fpc/pic/port or xe-fpc/pic/port.

Required Privilege Level: view

Related Topics:
Monitoring Interface Status and Traffic on page 299
JUNOS Software Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html

List of Sample Output: show interfaces diagnostics optics (XFP Optics) on page 356

Output Fields: Table 54 on page 353 lists the output fields for the show interfaces
diagnostics optics command when the switch is operating with XFP optics. Output
fields are listed in the approximate order in which they appear.

Table 54: 10-Gigabit Ethernet XFP Optics show interfaces diagnostics optics Output Fields

Field Name

Field Description

Physical interface: Name of the physical interface.

Laser bias current: Magnitude of the laser bias power setting current, in
milliamperes. The laser bias provides direct modulation of laser diodes and
modulates currents.

Laser output power: Laser output power, in milliwatts (mW) and decibels,
referenced to 1.0 mW (dBm). This is a software equivalent to the LsPOWMON pin
in hardware.

Module temperature: Temperature of the XFP optics module, in Celsius and
Fahrenheit.

Laser rx power: Laser received optical power, in mW and dBm.

Laser bias current high alarm: Laser bias power setting high alarm. Displays on
or off.

Laser bias current low alarm: Laser bias power setting low alarm. Displays on or
off.

Laser bias current high warning: Laser bias power setting high warning. Displays
on or off.

Laser bias current low warning: Laser bias power setting low warning. Displays
on or off.

Laser output power high alarm: Laser output power high alarm. Displays on or off.

Laser output power low alarm: Laser output power low alarm. Displays on or off.

Laser output power high warning: Laser output power high warning. Displays on or
off.

Laser output power low warning: Laser output power low warning. Displays on or
off.

Module temperature high alarm: Module temperature high alarm. Displays on or off.

Module temperature low alarm: Module temperature low alarm. Displays on or off.

Module temperature high warning: Module temperature high warning. Displays on or
off.

Module temperature low warning: Module temperature low warning. Displays on or
off.

Laser rx power high alarm: Receive laser power high alarm. Displays on or off.

Laser rx power low alarm: Receive laser power low alarm. Displays on or off.

Laser rx power high warning: Receive laser power high warning. Displays on or
off.

Laser rx power low warning: Receive laser power low warning. Displays on or off.

Module not ready alarm: Module not ready alarm. When on, indicates the module
has an operational fault. Displays on or off.

Module power down alarm: Module power down alarm. When on, module is in a
limited power mode, low for normal operation. Displays on or off.

Tx data not ready alarm: Any condition leading to invalid data on the transmit
path. Displays on or off.

Tx not ready alarm: Any condition leading to invalid data on the transmit path.
Displays on or off.

Tx laser fault alarm: Laser fault condition. Displays on or off.

Tx CDR loss of lock alarm: Transmit clock and data recovery (CDR) loss of lock.
Loss of lock on the transmit side of the CDR. Displays on or off.

Rx not ready alarm: Any condition leading to invalid data on the receive path.
Displays on or off.

Rx loss of signal alarm: Receive Loss of Signal alarm. When on, indicates
insufficient optical input power to the module. Displays on or off.

Rx CDR loss of lock alarm: Receive CDR loss of lock. Loss of lock on the receive
side of the CDR. Displays on or off.

Laser bias current high alarm threshold: Vendor-specified threshold for the laser
bias current high alarm: 130.000 mA.

Laser bias current low alarm threshold: Vendor-specified threshold for the laser
bias current low alarm: 10.000 mA.

Laser bias current high warning threshold: Vendor-specified threshold for the
laser bias current high warning: 120.000 mA.

Laser bias current low warning threshold: Vendor-specified threshold for the
laser bias current low warning: 12.000 mA.

Laser output power high alarm threshold: Vendor-specified threshold for the
laser output power high alarm: 0.8910 mW or -0.50 dBm.

Laser output power low alarm threshold: Vendor-specified threshold for the laser
output power low alarm: 0.2230 mW or -6.52 dBm.

Laser output power high warning threshold: Vendor-specified threshold for the
laser output power high warning: 0.7940 mW or -1.00 dBm.

Laser output power low warning threshold: Vendor-specified threshold for the
laser output power low warning: 0.2510 mW or -6.00 dBm.

Module temperature high alarm threshold: Vendor-specified threshold for the
module temperature high alarm: 90 C or 194 F.

Module temperature low alarm threshold: Vendor-specified threshold for the
module temperature low alarm: -5 C or 23 F.

Module temperature high warning threshold: Vendor-specified threshold for the
module temperature high warning: 85 C or 185 F.

Module temperature low warning threshold: Vendor-specified threshold for the
module temperature low warning: 0 C or 32 F.

Laser rx power high alarm threshold: Vendor-specified threshold for the laser Rx
power high alarm: 1.2589 mW or 1.00 dBm.

Laser rx power low alarm threshold: Vendor-specified threshold for the laser Rx
power low alarm: 0.0323 mW or -14.91 dBm.

Laser rx power high warning threshold: Vendor-specified threshold for the laser
Rx power high warning: 1.1220 mW or 0.50 dBm.

Laser rx power low warning threshold: Vendor-specified threshold for the laser
Rx power low warning: 0.0363 mW or -14.40 dBm.

show interfaces diagnostics optics (XFP Optics)

user@host> show interfaces diagnostics optics
Physical interface: xe-2/1/0
    Laser bias current                        :  52.060 mA
    Laser output power                        :  0.5640 mW / -2.49 dBm
    Module temperature                        :  31 degrees C / 88 degrees F
    Laser rx power                            :  0.0844 mW / -10.74 dBm
    Laser bias current high alarm             :  Off
    Laser bias current low alarm              :  Off
    Laser bias current high warning           :  Off
    Laser bias current low warning            :  Off
    Laser output power high alarm             :  Off
    Laser output power low alarm              :  Off
    Laser output power high warning           :  Off
    Laser output power low warning            :  Off
    Module temperature high alarm             :  Off
    Module temperature low alarm              :  Off
    Module temperature high warning           :  Off
    Module temperature low warning            :  Off
    Laser rx power high alarm                 :  Off
    Laser rx power low alarm                  :  Off
    Laser rx power high warning               :  Off
    Laser rx power low warning                :  Off
    Module not ready alarm                    :  Off
    Module power down alarm                   :  Off
    Tx data not ready alarm                   :  Off
    Tx not ready alarm                        :  Off
    Tx laser fault alarm                      :  Off
    Tx CDR loss of lock alarm                 :  Off
    Rx not ready alarm                        :  Off
    Rx loss of signal alarm                   :  Off
    Rx CDR loss of lock alarm                 :  Off
    Laser bias current high alarm threshold   :  130.000 mA
    Laser bias current low alarm threshold    :  10.000 mA
    Laser bias current high warning threshold :  120.000 mA
    Laser bias current low warning threshold  :  12.000 mA
    Laser output power high alarm threshold   :  0.8910 mW / -0.50 dBm
    Laser output power low alarm threshold    :  0.2230 mW / -6.52 dBm
    Laser output power high warning threshold :  0.7940 mW / -1.00 dBm
    Laser output power low warning threshold  :  0.2510 mW / -6.00 dBm
    Module temperature high alarm threshold   :  90 degrees C / 194 degrees F
    Module temperature low alarm threshold    :  -5 degrees C / 23 degrees F
    Module temperature high warning threshold :  85 degrees C / 185 degrees F
    Module temperature low warning threshold  :  0 degrees C / 32 degrees F
    Laser rx power high alarm threshold       :  1.2589 mW / 1.00 dBm
    Laser rx power low alarm threshold        :  0.0323 mW / -14.91 dBm
    Laser rx power high warning threshold     :  1.1220 mW / 0.50 dBm
    Laser rx power low warning threshold      :  0.0363 mW / -14.40 dBm
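The on/off flags in this output are set by the module itself, but the thresholds are also printed, so a monitoring script can evaluate the measured values independently and catch a value that is drifting toward a warning before the flag flips. The Python below is an added example, not Juniper code: it parses a constructed copy of the output above, converts mW to dBm with the 1.0 mW reference the table defines, checks that every printed mW/dBm pair is self-consistent, and classifies each metric against its vendor thresholds (alarms take precedence over warnings).

```python
"""Parse `show interfaces diagnostics optics` output and check measured values
against the vendor thresholds. Added example, not JUNOS code; SAMPLE is a
constructed copy of the documented XFP output."""
import math
import re
from typing import Dict, List

SAMPLE = """\
Physical interface: xe-2/1/0
    Laser bias current                        :  52.060 mA
    Laser output power                        :  0.5640 mW / -2.49 dBm
    Module temperature                        :  31 degrees C / 88 degrees F
    Laser rx power                            :  0.0844 mW / -10.74 dBm
    Laser rx power low alarm                  :  Off
    Rx loss of signal alarm                   :  Off
    Laser bias current high alarm threshold   :  130.000 mA
    Laser bias current low alarm threshold    :  10.000 mA
    Laser bias current high warning threshold :  120.000 mA
    Laser bias current low warning threshold  :  12.000 mA
    Laser output power high alarm threshold   :  0.8910 mW / -0.50 dBm
    Laser output power low alarm threshold    :  0.2230 mW / -6.52 dBm
    Laser output power high warning threshold :  0.7940 mW / -1.00 dBm
    Laser output power low warning threshold  :  0.2510 mW / -6.00 dBm
    Module temperature high alarm threshold   :  90 degrees C / 194 degrees F
    Module temperature low alarm threshold    :  -5 degrees C / 23 degrees F
    Module temperature high warning threshold :  85 degrees C / 185 degrees F
    Module temperature low warning threshold  :  0 degrees C / 32 degrees F
    Laser rx power high alarm threshold       :  1.2589 mW / 1.00 dBm
    Laser rx power low alarm threshold        :  0.0323 mW / -14.91 dBm
    Laser rx power high warning threshold     :  1.1220 mW / 0.50 dBm
    Laser rx power low warning threshold      :  0.0363 mW / -14.40 dBm
"""

METRICS = ("Laser bias current", "Laser output power",
           "Laser rx power", "Module temperature")
PAIR_RE = re.compile(r"(-?\d+\.\d+) mW / (-?\d+\.\d+) dBm")


def mw_to_dbm(milliwatts: float) -> float:
    """Optical power in dBm, referenced to 1.0 mW, as the table defines it."""
    return 10.0 * math.log10(milliwatts)


def parse_optics(text: str) -> Dict[str, float]:
    """Map each field to the leading number of its value; on/off flags are skipped."""
    fields: Dict[str, float] = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.startswith("Physical interface"):
            continue
        m = re.match(r"\s*(-?\d+(?:\.\d+)?)", value)
        if m:
            fields[name.strip()] = float(m.group(1))
    return fields


def inconsistent_dbm(text: str, tolerance: float = 0.01) -> List[str]:
    """Names of fields whose printed dBm value disagrees with its mW value."""
    bad: List[str] = []
    for line in text.splitlines():
        m = PAIR_RE.search(line)
        if m and abs(mw_to_dbm(float(m.group(1))) - float(m.group(2))) > tolerance:
            bad.append(line.partition(":")[0].strip())
    return bad


def check_thresholds(fields: Dict[str, float]) -> Dict[str, str]:
    """Classify each metric as ok, high/low warning or high/low alarm.
    Alarms are tested first, so a value past both limits reports the alarm."""
    status: Dict[str, str] = {}
    for metric in METRICS:
        value = fields.get(metric)
        if value is None:
            continue
        verdict = "ok"
        for kind, exceeded in (("high alarm", lambda v, t: v >= t),
                               ("low alarm", lambda v, t: v <= t),
                               ("high warning", lambda v, t: v >= t),
                               ("low warning", lambda v, t: v <= t)):
            threshold = fields.get(f"{metric} {kind} threshold")
            if threshold is not None and exceeded(value, threshold):
                verdict = kind
                break
        status[metric] = verdict
    return status


if __name__ == "__main__":
    print(check_thresholds(parse_optics(SAMPLE)))
    print("dBm mismatches:", inconsistent_dbm(SAMPLE))
```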

Part 8

Layer 2 Bridging, VLANs, and Spanning Trees

Understanding Layer 2 Bridging, VLANs, and GVRP on page 359

Examples of Configuring Layer 2 Bridging, VLANs, and GVRP on page 369

Configuring Layer 2 Bridging, VLANs, and GVRP on page 407

Verifying Layer 2 Bridging, VLANs, and GVRP on page 417

Understanding Spanning Trees on page 419

Examples of Configuring Spanning Trees on page 427

Configuration Statements for Bridging, VLANs, and Spanning Trees on page 483

Operational Mode Commands for Bridging, VLANs, and Spanning Trees on page 541

Chapter 29

Understanding Layer 2 Bridging, VLANs, and GVRP

Understanding Bridging and VLANs on EX-series Switches on page 359

Understanding Redundant Trunk Links on EX-series Switches on page 365

Understanding Storm Control on EX-series Switches on page 367

Understanding Bridging and VLANs on EX-series Switches


Network switches use Layer 2 bridging protocols to discover the topology of their
LAN and to forward traffic toward destinations on the LAN.
This topic explains the following concepts regarding bridging and VLANs on EX-series
switches:

Ethernet LANs, Transparent Bridging, and VLANs on page 359

How Bridging Works on page 360

Types of Switch Ports on page 361

IEEE 802.1Q Encapsulation and Tags on page 362

Assignment of Traffic to VLANs on page 362

Ethernet switching tables on page 363

Layer 2 and Layer 3 Forwarding of VLAN Traffic on page 363

GVRP on page 363

Routed VLAN Interface on page 364

Ethernet LANs, Transparent Bridging, and VLANs


Ethernet is a data link layer technology, as defined by Layer 2 of the Open Systems
Interconnection (OSI) model of communications protocols. Ethernet was first
standardized by the IEEE in 1982, in IEEE 802.3. Ethernet is used to create LANs.
The network devices, called nodes, on the LAN transmit data in bundles that are
generally called frames or packets.
Each node on a LAN has a unique identifier so that it can be unambiguously located
on the network. Ethernet uses the Layer 2 media access control (MAC) address for
this purpose. MAC addresses are hardware addresses that are programmed (burned)
into the Ethernet processor in the node.

A characteristic of Ethernet is that nodes on a LAN can transmit data frames at any
time. However, the physical connecting cable between the nodes, either coaxial,
copper-based (Category 5), or optical cable, can carry only a single stream of data
at a time. One result of this design is that when two nodes transmit at the same time,
their frames can collide on the cable and generate an error. Ethernet uses a protocol
called carrier-sense multiple access with collision detection (CSMA/CD) to detect
frame collisions. If a node receives a collision error message, it stops transmitting
immediately and waits for a period of time before trying to send the frame again. If
the node continues to detect collisions, it progressively increases the time between
retransmissions in an attempt to find a time when no other data is being transmitted
on the LAN. The node uses a backoff algorithm to calculate the increasing
retransmission time intervals.
Ethernet LANs were originally implemented for small, simple networks that carried
primarily text. Over time, LANs have become larger and more complex; the type of
data they carry has grown to include voice, graphics, and video; and the increased
speed of Ethernet interfaces on LANs has resulted in exponential increases in traffic
on the network.
The IEEE 802.1D-2004 standard addresses some of the problems caused by the
increase in LAN size and complexity. This standard defines transparent bridging
(generally called simply bridging). Bridging divides a single physical LAN (a single
broadcast domain) into two or more virtual LANs, or VLANs. Each VLAN is a collection
of network nodes that are grouped together to form separate broadcast domains. On
an Ethernet network that is a single LAN, all traffic is forwarded to all nodes on the
LAN. On VLANs, frames whose origin and destination are in the same VLAN are
forwarded only within the local VLAN. Frames that are not destined for the local
VLAN are the only ones forwarded to other broadcast domains. VLANs thus limit the
amount of traffic flowing across the entire LAN, reducing the possible number of
collisions and packet retransmissions within a VLAN and on the LAN as a whole.
On an Ethernet LAN, all network nodes must be physically connected to the same
network. On VLANs, the physical location of the nodes is not important, so you can
group network devices in any way that makes sense for your organization, such as
by department or business function, types of network nodes, or even physical location.
Each VLAN is identified by a single IP subnetwork and by standardized IEEE 802.1Q
encapsulation (discussed below).

How Bridging Works


The transparent bridging protocol allows a switch to learn information about all the
nodes on the LAN, including nodes on all the different VLANs. The switch uses this
information to create address-lookup tables, called Ethernet switching tables that it
consults when forwarding traffic to or toward a destination on the LAN.
Transparent bridging uses five mechanisms to create and maintain Ethernet switching
tables on the switch:

Learning

Forwarding

Flooding

Filtering

Aging

The first bridging mechanism is learning. When a switch is first connected to an
Ethernet LAN or VLAN, it has no information about other nodes on the network. The
switch goes through a learning process to obtain the MAC addresses of all the nodes
on the network. It stores these in the Ethernet switching table. To learn MAC
addresses, the switch reads all packets that it detects on the LAN or on the local
VLAN, looking for MAC addresses of sending nodes. It places these addresses into
its Ethernet switching table, along with two other pieces of information: the interface
(or port) on which the traffic was received and the time when the address was learned.
The second bridging mechanism is forwarding. Switches forward traffic, passing it
from an incoming interface to an outgoing interface that leads to or toward the
destination. To forward frames, the switch consults the Ethernet switching table to
see whether the table contains the MAC address corresponding to the frames'
destination. If the Ethernet switching table contains an entry for the desired
destination address, the switch sends the traffic out the interface associated with the
MAC address. The switch also consults the Ethernet switching table in the same way
when transmitting frames that originate on devices connected directly to the switch.
If the Ethernet switching table does not contain an entry for the desired destination
address, the switch uses flooding, which is the third bridging mechanism.
Flooding is how the switch learns about destinations not in its Ethernet switching
table. If this table has no entry for a particular destination MAC address, the switch
floods the traffic out all interfaces except the interface on which it was received. (If
traffic originates on the switch, the switch floods it out all interfaces.) When the
destination node receives the flooded traffic, it sends an acknowledgment packet
back to the switch, allowing it to learn the MAC address of the node and to add the
address to its Ethernet switching table.
Filtering, the fourth bridging mechanism, is how broadcast traffic is limited to the
local VLAN whenever possible. As the number of entries in the Ethernet switching
table grows, the switch pieces together an increasingly complete picture of the VLAN
and the larger LAN: which nodes are in the local VLAN and which are on other
network segments. The switch uses this information to filter traffic. Specifically, for
traffic whose source and destination MAC addresses are in the local VLAN, filtering
prevents the switch from forwarding this traffic to other network segments.
Finally, the switch uses aging, the fifth bridging mechanism, to keep the entries in
the Ethernet switching table current. For each MAC address in the Ethernet switching
table, the switch records a timestamp of when the information about the network
node was learned. Each time the switch detects traffic from a MAC address, it updates
the timestamp. A timer on the switch periodically checks the timestamp, and if it is
older than a user-configured value, the switch removes the node's MAC address from
the Ethernet switching table. This aging process ensures that the switch tracks only
active nodes on the network and that it is able to flush out network nodes that are
no longer available.
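The five mechanisms are easiest to see working together in a small model. The following Python is an added example and not JUNOS code: a per-VLAN switching table keyed by (VLAN, MAC) that learns from source addresses, forwards known destinations out one port, filters frames whose destination sits on the ingress segment, floods unknown unicast and broadcast to the other ports of the same VLAN only, and ages entries out. Port names and MAC addresses are constructed for illustration (the MACs are from the 00:00:5e:00:53 documentation range).

```python
"""Model of transparent bridging: learning, forwarding, flooding, filtering
and aging. Added example, not JUNOS code; ports, VLANs and MAC addresses
below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class TableEntry:
    port: str
    learned_at: float   # time the address was learned or last refreshed


class Bridge:
    """Per-VLAN MAC learning table with the five mechanisms from the text."""

    def __init__(self, access_ports: Dict[str, int], aging_time: float = 300.0):
        # access_ports: port name -> the single VLAN that access port belongs to
        self.ports = access_ports
        self.aging_time = aging_time
        self.table: Dict[Tuple[int, str], TableEntry] = {}

    def age_out(self, now: float) -> int:
        """Aging: drop entries not refreshed within aging_time; return the count."""
        expired = [key for key, e in self.table.items()
                   if now - e.learned_at > self.aging_time]
        for key in expired:
            del self.table[key]
        return len(expired)

    def known_macs(self, vlan: int) -> Set[str]:
        return {mac for (v, mac) in self.table if v == vlan}

    def receive(self, in_port: str, src_mac: str, dst_mac: str, now: float) -> List[str]:
        """Process one frame arriving on in_port; return the list of egress ports."""
        vlan = self.ports[in_port]
        self.age_out(now)
        # Learning: record (or refresh) the source address against the ingress port.
        self.table[(vlan, src_mac)] = TableEntry(in_port, now)
        entry = self.table.get((vlan, dst_mac))
        if entry is not None:
            # Filtering: the destination is on the segment the frame came from,
            # so nothing is forwarded. Forwarding: otherwise exactly one port.
            return [] if entry.port == in_port else [entry.port]
        # Flooding: unknown unicast and broadcast go out every other port of the
        # same VLAN; the lookup is per VLAN, so they never cross into another one.
        return sorted(p for p, v in self.ports.items() if v == vlan and p != in_port)


# Constructed hosts: A and B on VLAN 10, C on VLAN 20.
A, B, C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
BCAST = "ff:ff:ff:ff:ff:ff"


def walk_through() -> List[List[str]]:
    """Replay the learn / flood / reply / forward / age-out sequence from the text."""
    br = Bridge({"ge-0/0/0": 10, "ge-0/0/1": 10, "ge-0/0/2": 20, "ge-0/0/3": 10},
                aging_time=300)
    steps = [
        ("ge-0/0/0", A, B, 0.0),      # B unknown: flooded to the other VLAN 10 ports
        ("ge-0/0/1", B, A, 1.0),      # B replies: A is known, one egress port
        ("ge-0/0/0", A, B, 2.0),      # both known now
        ("ge-0/0/2", C, B, 3.0),      # VLAN 20 host: nothing else in VLAN 20 to flood to
        ("ge-0/0/0", A, BCAST, 4.0),  # broadcast is always flooded within the VLAN
        ("ge-0/0/0", A, B, 400.0),    # B aged out after 300 s: flooded again
    ]
    return [br.receive(*step) for step in steps]


if __name__ == "__main__":
    for result in walk_through():
        print(result)
```

The same table explains why an aging time that is too long hides a host that has moved, and why one that is too short turns ordinary unicast into repeated flooding.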

Types of Switch Ports


The ports, or interfaces, on a switch operate in either access mode or trunk mode.

An interface in access mode connects to a network device, such as a desktop
computer, an IP telephone, a printer, a file server, or a security camera. The interface
itself belongs to a single VLAN. The frames transmitted over an access interface are
normal Ethernet frames. By default, when you boot a switch and use the
factory-default configuration, or when you boot the switch and do not explicitly
configure a port mode, all interfaces on the switch are in access mode.
Trunk interfaces handle traffic for multiple VLANs, multiplexing the traffic for all
those VLANs over the same physical connection. Trunk interfaces are generally used
to interconnect switches to one another.

IEEE 802.1Q Encapsulation and Tags


To identify which VLAN traffic belongs to, all frames on an Ethernet VLAN are
identified by a tag, as defined in the IEEE 802.1Q standard. These frames are tagged
and are encapsulated with 802.1Q tags.
For a simple network that has only a single VLAN, all traffic has the same 802.1Q
tag.
When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique
802.1Q tag. The tag is applied to all frames so that the network nodes receiving the
frames know which VLAN the frames belong to. Trunk ports, which multiplex traffic
among a number of VLANs, use the tag to determine the origin of frames and where
to forward them.
EX-series 3200 switches support a maximum of 4096 VLANs. VLANs 0 and 4095 are
reserved by the JUNOS software, so you cannot use them in your network.
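The tag itself is four bytes inserted after the source MAC: the TPID 0x8100 (the value the "VLAN tagged frames" counter keys on) followed by a 16-bit TCI that carries the priority, the drop-eligible bit and the 12-bit VLAN ID. The Python below is an added example, not JUNOS code: it builds tagged and untagged sample frames (constructed bytes), parses the header back out, rejects a frame truncated inside the tag, and applies the reserved-ID rule from the paragraph above.

```python
"""Build and parse IEEE 802.1Q tagged Ethernet headers. Added example, not
JUNOS code; the sample frames are constructed here."""
import struct
from typing import List, NamedTuple, Optional

TPID_8021Q = 0x8100
RESERVED_VIDS = {0, 4095}      # reserved by JUNOS, per the text above


class EthHeader(NamedTuple):
    dst: str
    src: str
    ethertype: int               # the EtherType after the tag, if any
    vlan_id: Optional[int]       # None for an untagged frame
    pcp: Optional[int]           # 3-bit priority code point
    dei: Optional[int]           # drop eligible indicator
    payload_offset: int          # 14 untagged, 18 tagged


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> EthHeader:
    """Parse the Ethernet header; taggedness is decided by TPID == 0x8100."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return EthHeader(dst, src, tpid, None, None, None, 14)
    if len(frame) < 18:
        raise ValueError("tagged frame truncated inside the 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
    return EthHeader(dst, src, ethertype, vid, pcp, dei, 18)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Construct an (optionally tagged) frame; used only to make sample input."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        tci = (pcp << 13) | (dei << 12) | (vlan_id & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def vlan_id_is_usable(vid: int) -> bool:
    """True for IDs a switch port may be assigned to (1 through 4094)."""
    return 0 <= vid <= 4095 and vid not in RESERVED_VIDS


def count_vlan_tagged(frames: List[bytes]) -> int:
    """Mirror of the 'VLAN tagged frames' counter: frames whose TPID is 0x8100."""
    return sum(1 for f in frames if parse_ethernet(f).vlan_id is not None)


# Constructed samples: an ARP frame tagged with VLAN 100 at priority 3, and an
# untagged IPv4 frame from the same (documentation-range) source MAC.
SAMPLE_TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:01", 0x0806,
                            b"\x00" * 28, vlan_id=100, pcp=3)
SAMPLE_UNTAGGED = build_frame("00:00:5e:00:53:02", "00:00:5e:00:53:01", 0x0800,
                              b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print(parse_ethernet(SAMPLE_TAGGED))
    print(parse_ethernet(SAMPLE_UNTAGGED))
```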

Assignment of Traffic to VLANs


You assign traffic to a particular VLAN in one of the following ways:

By interface (port) on the switch. You specify that all traffic received on a
particular interface on the switch is assigned to a specific VLAN. If you use the
default factory switch settings, all traffic received on an access interface is
untagged. This traffic is part of a default VLAN, but it is not tagged with an 802.1Q
tag. When configuring the switch, you specify which VLAN to assign the traffic
to. You configure the VLAN either by using a VLAN number (called a VLAN ID)
or by using a name, which the switch translates into a numeric VLAN ID.

By MAC address. You can specify that all traffic received from a specific MAC
address be forwarded to a specific egress interface (next hop) on the switch. This
method is administratively cumbersome to configure manually, but it can be
useful when you are using automated databases to manage the switches on your
network.

NOTE: If an EX 4200 switch is interconnected with other switches in a Virtual Chassis
configuration, each individual switch that is included as a member of the configuration
is identified with a member ID. The member ID functions as an FPC slot number.
When you are configuring interfaces for a Virtual Chassis configuration, you specify
the appropriate member ID (0 through 9) as the slot element of the interface name.
The default factory settings for a Virtual Chassis configuration include FPC 0 as a
member of the default VLAN because FPC 0 is configured as part of the
ethernet-switching family. In order to include FPC 1 through FPC 9 in the default
VLAN, add the ethernet-switching family to the configurations for those interfaces.

Ethernet switching tables


As EX-series switches learn the MAC addresses of the devices on local VLANs, they
store them in the bridge on the switch. With each MAC address, the Ethernet switching
table stores and associates the name of the interface (or port) on which the switch
learned that address. The switch uses the information in this table when forwarding
packets toward their destination.

Layer 2 and Layer 3 Forwarding of VLAN Traffic

To pass traffic within a VLAN, the switch uses Layer 2 forwarding, together with the
Layer 2 mechanisms that build and maintain the VLAN topology: IEEE 802.1Q VLAN
tagging, Spanning Tree Protocol (STP), and GARP VLAN Registration Protocol (GVRP).
To pass traffic between two VLANs, the switch uses standard Layer 3 routing, such as
static routing, OSPF, and RIP. On EX-series switches, the same interfaces that support
Layer 2 bridging protocols also support Layer 3 routing protocols, providing multilayer
switching.

GVRP

The GARP VLAN Registration Protocol (GVRP) is an application protocol of the Generic
Attribute Registration Protocol (GARP) and is defined in the IEEE 802.1Q standard.
GVRP learns the VLANs advertised on a particular 802.1Q trunk port and adds that
trunk port to the VLAN if the advertised VLAN is preconfigured on the switch.
The VLAN registration information sent by GVRP includes the current VLAN
membership (that is, which switches are members of which VLANs) and which switch
ports are in which VLAN. GVRP shares all VLAN information configured manually on
a local switch.
As part of ensuring that VLAN membership information is current, GVRP removes
switches and ports from the VLAN information when they become unavailable.
Pruning VLAN information:

Limits the network VLAN configuration to active participants only, reducing
network overhead.

Targets the scope of broadcast, unknown unicast, and multicast (BUM) traffic to
interested devices only.

Routed VLAN Interface

In a traditional network, broadcast domains consist of either physical ports connected
to a single switch or logical ports connected to one or more switches through VLAN
configurations. Switches send traffic to hosts that are part of the same broadcast
domain, but routers are needed to route traffic from one broadcast domain to another
and to perform other Layer 3 functions such as traffic engineering. EX-series switches
use a routed VLAN interface (RVI) to perform these routing functions, using it to route
data to other Layer 3 interfaces. This functionality eliminates the need for having
both a switch and a router.
The RVI must be configured as part of a broadcast domain or VPLS routing instance
in order for Layer 3 traffic to be routed out of it. The RVI supports IPv4, IPv6, MPLS,
and IS-IS traffic. At least one Layer 2 logical interface in the domain must be
operationally up in order for the RVI to be operationally up. You configure an RVI
broadcast domain or VPLS routing instance just as you would configure a VLAN on a
switch. Multicast, broadcast, and unicast data are switched between ports within the
same RVI broadcast domain or VPLS routing instance; only data addressed to the
router's media access control (MAC) address is routed by the RVI.
To learn more about configuring routing protocols and policies, see the JUNOS Routing
Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/.
Related Topics

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369

Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376

Example: Configure Automatic VLAN Administration Using GVRP on page 393

Example: Connecting an Access Switch to a Distribution Switch on page 384


Understanding Redundant Trunk Links on EX-series Switches

In a typical enterprise network composed of distribution and access layers, a
redundant trunk link provides a simple solution for network recovery when a trunk
port goes down. Traffic is moved to another trunk port, keeping network convergence
time to a minimum. You can configure a maximum of 16 redundant trunk groups
on a standalone switch or on a Virtual Chassis.
To configure a redundant trunk link, create a redundant trunk group. The redundant
trunk group is configured on the access switch, and contains two links: a primary or
active link, and a secondary link. If the active link fails, the secondary link
automatically starts forwarding data traffic without waiting for normal STP
convergence.
Data traffic is forwarded only on the active link. Data traffic received on the secondary
link is dropped and shown as dropped packets when you issue the operational mode
command show interfaces interface-name extensive.
While data traffic is blocked on the secondary link, Layer 2 control traffic is still
permitted. For example, an LLDP session can be run between two EX-series switches
on the secondary link.
STP is enabled by default on EX-series switches to create a loop-free topology. When
trunk links are placed in a redundant group, they cannot be part of an STP topology.
The JUNOS software for EX-series switches does not allow an interface to be in a
redundant trunk group and in an STP topology at the same time. However, STP can
continue operating in other parts of the network. For example, STP may continue
operating between the distribution switches and on the links from them to the
enterprise core.
Figure 17 on page 366 shows three switches in a basic topology for redundant trunk
links. Switch 1 and Switch 2 make up the distribution layer, and Switch 3 makes up
the access layer. Switch 3 is connected to the distribution layer through trunk ports
ge-0/0/9.0 (Link 1, to Switch 1) and ge-0/0/10.0 (Link 2, to Switch 2). Link 1 and
Link 2 are in a redundant trunk group called group1. Link 1 is designated as the
primary link. Traffic flows between Switch 3 in the access layer and Switch 1 in the
distribution layer through Link 1. While Link 1 is active, Link 2 blocks data traffic.

Figure 17: Redundant Trunk Group, Link 1 Active

Figure 18 on page 366 illustrates how the redundant trunk link topology works when
the primary link goes down.
Figure 18: Redundant Trunk Group, Link 2 Active

Link 1 is down between Switch 3 and Switch 1. Link 2 takes over as the active link.
Traffic between the access layer and the distribution layer is automatically switched
to Link 2, between Switch 3 and Switch 2.
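The redundant trunk group behaviour described in this section, as an added example that is not code from the Juniper guide: a model that encodes the rules stated above (data forwarded only on the active link, data arriving on the secondary link dropped and counted, Layer 2 control traffic such as LLDP allowed on both links, immediate takeover by the secondary link when the primary fails, at most 16 groups, and no interface in both a redundant trunk group and the STP topology). What happens when the primary link comes back is not modelled because this section does not describe it. Interface names follow Figure 17; the frames and the STP port list are constructed.

```python
"""Added example, not code from the Juniper guide: a model of a redundant
trunk group (RTG) on the access switch. Interface names follow Figure 17;
the frames and the STP port set are constructed for illustration."""

MAX_GROUPS = 16  # per standalone switch or Virtual Chassis


def stp_conflict(members, stp_interfaces):
    """True if any RTG member is also part of the STP topology (not allowed)."""
    return any(ifl in stp_interfaces for ifl in members)


class RedundantTrunkGroup:
    def __init__(self, name, primary, secondary, stp_interfaces=frozenset()):
        if stp_conflict((primary, secondary), stp_interfaces):
            raise ValueError(f"{name}: RTG members cannot also run STP")
        self.name = name
        self.primary = primary
        self.secondary = secondary
        self.link_up = {primary: True, secondary: True}
        # what `show interfaces <name> extensive` would report as dropped packets
        self.dropped = {primary: 0, secondary: 0}

    @property
    def active(self):
        """The primary forwards while it is up; otherwise the secondary takes
        over immediately, without waiting for STP convergence."""
        if self.link_up[self.primary]:
            return self.primary
        return self.secondary if self.link_up[self.secondary] else None

    def link_down(self, ifl):
        self.link_up[ifl] = False

    def handle(self, ifl, kind):
        """Fate of a frame received on member `ifl`; kind is 'data' or 'control'."""
        if kind == "control":
            return "forward"          # LLDP and other L2 control passes on both links
        if ifl == self.active:
            return "forward"
        self.dropped[ifl] += 1        # data on the standby link is dropped and counted
        return "drop"


def build_groups(specs, stp_interfaces=frozenset()):
    """Create the groups of an access switch, enforcing the 16-group limit."""
    if len(specs) > MAX_GROUPS:
        raise ValueError(f"at most {MAX_GROUPS} redundant trunk groups per switch")
    return {name: RedundantTrunkGroup(name, p, s, stp_interfaces)
            for name, p, s in specs}


def failover_demo():
    """Walk through Figures 17 and 18: group1 with Link 1 primary, then Link 1 fails."""
    groups = build_groups([("group1", "ge-0/0/9.0", "ge-0/0/10.0")],
                          stp_interfaces={"ge-0/0/0.0"})  # STP still runs elsewhere
    g = groups["group1"]
    trace = [g.active]
    trace.append(g.handle("ge-0/0/10.0", "control"))  # LLDP on the secondary: allowed
    trace.append(g.handle("ge-0/0/10.0", "data"))     # data on the secondary: dropped
    g.link_down("ge-0/0/9.0")                         # Link 1 goes down (Figure 18)
    trace.append(g.active)
    trace.append(g.handle("ge-0/0/10.0", "data"))     # Link 2 now carries data
    return trace, g.dropped["ge-0/0/10.0"]
```

The dropped counter is the thing to look at when a secondary link is carrying data it should not be: a non-zero, growing value on the standby link means something upstream is sending to it.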
Related Topics

Example: Configuring Redundant Trunk Links for Faster Recovery on page 400

redundant-trunk-group

Understanding Storm Control on EX-series Switches


A traffic storm is generated when messages are broadcast on a network and each
message prompts a receiving node to respond by broadcasting its own messages on
the network. This, in turn, prompts further responses, creating a snowball effect.
The LAN is suddenly flooded with packets, creating unnecessary traffic that leads to
poor network performance or even a complete loss of network service. Enable storm
control to permit the switch to monitor traffic levels and drop packets when a specified
traffic level is exceeded, thus preventing packets from proliferating and degrading
the LAN.
Broadcast, multicast, and unicast packets are part of normal LAN operation, so to
recognize a storm, you must be able to identify when traffic has reached a level that
is abnormal for your LAN. Suspect a storm when operations begin timing out and
network response times slow down. As more packets flood the LAN, network users
might be unable to access servers or e-mail.
Monitor the percentage of broadcast and unknown unicast traffic in the LAN when
it is operating normally. This data can then be used as a benchmark to determine
when traffic levels are too high. You can then use storm control to set the level at
which you want to drop broadcast traffic, unknown unicast traffic, or both.
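The monitoring approach recommended above, as an added example that is not code from the Juniper guide: a baseline of the broadcast plus unknown-unicast share of traffic is taken while the LAN is healthy, a threshold is derived from it, and later samples are flagged when they exceed that threshold, which is the point at which storm control would begin dropping. The counter samples are constructed; on a switch they would come from interface statistics polled at a fixed interval.

```python
"""Added example, not from the Juniper guide: derive a storm-control
threshold from a baseline of normal traffic and flag the intervals that
exceed it. The counter samples are constructed for illustration."""

import math
from statistics import mean, pstdev

# Constructed samples: (interval, broadcast frames, unknown-unicast frames, total frames)
BASELINE = [
    (1, 120, 40, 18000), (2, 130, 35, 19500), (3, 110, 50, 17800),
    (4, 140, 45, 20100), (5, 125, 38, 18900), (6, 118, 42, 18300),
]
OBSERVED = [
    (7, 135, 44, 19200),    # normal
    (8, 9800, 600, 30000),  # broadcast storm begins
    (9, 7500, 300, 22000),  # still storming
    (10, 128, 40, 18700),   # recovered
]


def bum_percent(sample):
    """Share of the interval's frames that were broadcast or unknown unicast."""
    _, bcast, uucast, total = sample
    return 100.0 * (bcast + uucast) / total if total else 0.0


def baseline_threshold(samples, sigmas=3.0, floor=1.0):
    """Threshold in percent: mean + sigmas * stddev of the healthy share, never
    below `floor` so that a very quiet LAN is not tripped by ordinary jitter."""
    shares = [bum_percent(s) for s in samples]
    return max(floor, mean(shares) + sigmas * pstdev(shares))


def storm_intervals(samples, threshold):
    """Intervals whose BUM share exceeds the threshold; these are the intervals
    in which storm control would be dropping broadcast/unknown-unicast frames."""
    return [s[0] for s in samples if bum_percent(s) > threshold]


def suggested_level(threshold, headroom=2.0):
    """Level to configure for storm control: the baseline threshold with headroom,
    rounded up to a whole percent so that it sits comfortably above normal peaks."""
    return int(math.ceil(threshold * headroom))
```

The floor matters: on a quiet LAN the healthy share can be well under one percent, and a threshold set at three standard deviations above that would trip on ordinary ARP bursts. The headroom in suggested_level is a judgement call; the guide's advice is to set the level from your own measurements rather than from a default.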
Related Topics

Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 404


Chapter 30

Examples of Configuring Layer 2 Bridging, VLANs, and GVRP

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369

Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376

Example: Connecting an Access Switch to a Distribution Switch on page 384

Example: Configure Automatic VLAN Administration Using GVRP on page 393

Example: Configuring Redundant Trunk Links for Faster Recovery on page 400

Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 404

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch

EX-series switches use bridging and virtual LANs (VLANs) to connect network devices
in a LAN (desktop computers, IP telephones, printers, file servers, wireless access
points, and others) and to segment the LAN into smaller bridging domains. The
switch's default configuration provides a quick setup of bridging and a single VLAN.
This example describes how to configure basic bridging and VLANs for an EX-series
switch:

Requirements on page 369

Overview and Topology on page 370

Configuration on page 371

Verification on page 375

Requirements
This example uses the following software and hardware components:

JUNOS Release 9.0 or later for EX-series switches

One EX 4200 switch

Before you set up bridging and a VLAN, be sure you have:

Installed your EX-series switch. See Installing and Connecting an EX-series Switch.

Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.

Overview and Topology

EX-series switches connect network devices in an office LAN or a data center LAN
to provide sharing of common resources such as printers and file servers and to
enable wireless devices to connect to the LAN through wireless access points. Without
bridging and VLANs, all devices on the Ethernet LAN are in a single broadcast domain,
and all the devices detect all the packets on the LAN. Bridging creates separate
broadcast domains on the LAN, creating VLANs, which are independent logical
networks that group together related devices into separate network segments. The
grouping of devices on a VLAN is independent of where the devices are physically
located in the LAN.
To use an EX-series switch to connect network devices on a LAN, you must, at a
minimum, configure bridging and VLANs. If you simply power on the switch and
perform the initial switch configuration using the factory-default settings, bridging
is enabled on all the switch's interfaces, all interfaces are in access mode, and all
interfaces belong to a VLAN called default, which is automatically configured. When
you plug access devices (such as desktop computers, Avaya IP telephones, file
servers, printers, and wireless access points) into the switch, they are joined
immediately into the default VLAN and the LAN is up and running.
The topology used in this example consists of one EX 4200-24T switch, which has
a total of 24 ports. Eight of the ports support Power over Ethernet (PoE), which means
they provide both network connectivity and electric power for the device connecting
to the port. To these ports, you can plug in devices requiring PoE, such as Avaya
VoIP telephones, wireless access points, and some IP cameras. (Avaya phones have
a built-in hub that allows you to connect a desktop PC to the phone, so the desktop
and phone in a single office require only one port on the switch.) The remaining 16
ports provide only network connectivity. You use them to connect devices that have
their own power sources, such as desktop and laptop computers, printers, and servers.
Table 55 details the topology used in this configuration example.
Table 55: Components of the Basic Bridging Configuration Topology

Property                                                    Settings
Switch hardware                                             EX 4200-24T switch, with 24 Gigabit Ethernet ports: 8 PoE
                                                            ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports
                                                            (ge-0/0/8 through ge-0/0/23)
VLAN name                                                   default
Connection to wireless access point (requires PoE)          ge-0/0/0
Connections to Avaya IP telephones, with integrated hub,    ge-0/0/1 through ge-0/0/7
to connect phone and desktop PC to a single port
(requires PoE)
Direct connections to desktop PCs (no PoE required)         ge-0/0/8 through ge-0/0/12
Connections to file servers (no PoE required)               ge-0/0/17 and ge-0/0/18
Connections to integrated printer/fax/copier machines       ge-0/0/19 and ge-0/0/20
(no PoE required)
Unused ports (for future expansion)                         ge-0/0/13 through ge-0/0/16, and ge-0/0/21 through
                                                            ge-0/0/23

Configuration
CLI Quick Configuration

By default, after you perform the initial configuration on the EX 4200 switch, switching
is enabled on all interfaces, a VLAN named default is created, and all interfaces are
placed into this VLAN. You do not need to perform any other configuration on the
switch to set up bridging and VLANs. To use the switch, simply plug the Avaya IP
phones into the PoE-enabled ports ge-0/0/1 through ge-0/0/7, and plug in the PCs,
file servers, and printers to the non-PoE ports, ge-0/0/8 through ge-0/0/12 and
ge-0/0/17 through ge-0/0/20. Note that the unused ports (ge-0/0/13 through ge-0/0/16
and ge-0/0/21 through ge-0/0/23) are also members of the default VLAN, so any device
plugged into one of them joins the LAN immediately.

Step-by-Step Procedure

To configure bridging and VLANs:

1. Make sure the switch is powered on.

2. Connect the wireless access point to switch port ge-0/0/0.

3. Connect the seven Avaya phones to switch ports ge-0/0/1 through ge-0/0/7.

4. Connect the five PCs to ports ge-0/0/8 through ge-0/0/12.

5. Connect the two file servers to ports ge-0/0/17 and ge-0/0/18.

6. Connect the two printers to ports ge-0/0/19 and ge-0/0/20.

Results

Check the results of the configuration:


user@switch> show configuration
## Last commit: 2008-03-06 00:11:22 UTC by triumph
version 9.0;
system {
    root-authentication {
        encrypted-password "$1$urmA7AFM$x5SaGEUOdSI3u1K/iITGh1"; ## SECRET-DATA
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    commit {
        factory-settings {
            reset-chassis-lcd-menu;
            reset-virtual-chassis-configuration;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
}
protocols {
    lldp {
        interface all;
    }
    rstp;
}
poe {
    interface all;
}

Verification
To verify that switching is operational and that a VLAN has been created, perform
these tasks:

Verifying That the VLAN Has Been Created on page 375

Verifying That Interfaces Are Associated with the Proper VLANs on page 375

Verifying That the VLAN Has Been Created

Purpose
Verify that the VLAN named default has been created on the switch.

Action
List all VLANs configured on the switch:
user@switch> show vlans
Name      Tag     Interfaces
default           ge-0/0/0.0*, ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0,
                  ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0,
                  ge-0/0/8.0*, ge-0/0/9.0, ge-0/0/10.0, ge-0/0/11.0*,
                  ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0,
                  ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0*,
                  ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0,
                  ge-0/1/0.0*, ge-0/1/1.0*, ge-0/1/2.0*, ge-0/1/3.0*
mgmt              me0.0*

Meaning
The show vlans command lists the VLANs configured on the switch. This output shows
that the VLAN default has been created and that every switch port is a member of it.
An asterisk marks an interface that is currently up.

Verifying That Interfaces Are Associated with the Proper VLANs

Purpose
Verify that Ethernet switching is enabled on switch interfaces and that all interfaces
are included in the VLAN.

Action
List all interfaces on which switching is enabled:
user@switch> show ethernet-switching interfaces
Interface    State  VLAN members  Blocking
ge-0/0/0.0   up     default       unblocked
ge-0/0/1.0   down   default       blocked by STP/RTG
ge-0/0/2.0   down   default       blocked by STP/RTG
ge-0/0/3.0   down   default       blocked by STP/RTG
ge-0/0/4.0   down   default       blocked by STP/RTG
ge-0/0/5.0   down   default       blocked by STP/RTG
ge-0/0/6.0   down   default       blocked by STP/RTG
ge-0/0/7.0   down   default       blocked by STP/RTG
ge-0/0/8.0   up     default       unblocked
ge-0/0/9.0   down   default       blocked by STP/RTG
ge-0/0/10.0  down   default       blocked by STP/RTG
ge-0/0/11.0  up     default       unblocked
ge-0/0/12.0  down   default       blocked by STP/RTG
ge-0/0/13.0  down   default       blocked by STP/RTG
ge-0/0/14.0  down   default       blocked by STP/RTG
ge-0/0/15.0  down   default       blocked by STP/RTG
ge-0/0/16.0  down   default       blocked by STP/RTG
ge-0/0/17.0  down   default       blocked by STP/RTG
ge-0/0/18.0  down   default       blocked by STP/RTG
ge-0/0/19.0  up     default       unblocked
ge-0/0/20.0  down   default       blocked by STP/RTG
ge-0/0/21.0  down   default       blocked by STP/RTG
ge-0/0/22.0  down   default       blocked by STP/RTG
ge-0/0/23.0  down   default       blocked by STP/RTG
ge-0/1/0.0   up     default       unblocked
ge-0/1/1.0   up     default       unblocked
ge-0/1/2.0   up     default       unblocked
ge-0/1/3.0   up     default       unblocked
me0.0        up     mgmt          unblocked

Meaning
The show ethernet-switching interfaces command lists all interfaces on which switching
is enabled (in the Interface column), along with the VLANs that are active on the
interfaces (in the VLAN members column). The output in this example shows the
interfaces used in the example, ge-0/0/0 through ge-0/0/12 and ge-0/0/17 through
ge-0/0/20, and that they are all part of VLAN default. Interfaces with no link show
State down and are reported as blocked by STP/RTG until they come up. Notice that
the interfaces listed are the logical interfaces, not the physical interfaces. For example,
the output shows ge-0/0/0.0 instead of ge-0/0/0. This is because JUNOS software
creates VLANs on logical interfaces, not directly on physical interfaces.

Related Topics

Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376

Example: Connecting an Access Switch to a Distribution Switch on page 384

Example: Configure Automatic VLAN Administration Using GVRP on page 393

Understanding Bridging and VLANs on EX-series Switches on page 359

Example: Setting Up Bridging with Multiple VLANs for EX-series Switches

To segment traffic on a LAN into separate broadcast domains, you create separate
virtual LANs (VLANs) on an EX-series switch. Each VLAN is a collection of network
nodes. When you use VLANs, frames whose origin and destination are in the same
VLAN are forwarded only within the local VLAN, and only frames not destined for
the local VLAN are forwarded to other broadcast domains. VLANs thus limit the
amount of traffic, in particular broadcast traffic, flowing across the entire LAN, and
hosts in different VLANs can reach each other only through a Layer 3 interface.
This example describes how to configure bridging for an EX-series switch and how
to create two VLANs to segment the LAN:

Requirements on page 377

Overview and Topology on page 377

Configuration on page 378

Verification on page 382

Requirements
This example uses the following hardware and software components:

One EX 4200-48P switch

JUNOS Release 9.0 or later for EX-series switches

Before you set up bridging and VLANs, be sure you have:

Installed the EX-series switch. See Installing and Connecting an EX-series Switch.

Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.

Overview and Topology


EX-series switches connect all devices in an office or data center into a single LAN
to provide sharing of common resources such as printers and file servers and to
enable wireless devices to connect to the LAN through wireless access points. The
default configuration creates a single VLAN, and all traffic on the switch is part of
that broadcast domain. Creating separate network segments reduces the span of the
broadcast domain and allows you to group related users and network resources
without being limited by physical cabling or by the location of a network device in
the building or on the LAN.
This example shows a simple configuration to illustrate the basic steps for creating
two VLANs on a single switch. One VLAN, called sales, is for the sales and marketing
group, and a second, called support, is for the customer support team. The sales and
support groups each have their own dedicated file servers, printers, and wireless
access points. For the switch ports to be segmented across the two VLANs, each
VLAN must have its own broadcast domain, identified by a unique name and tag
(VLAN ID). In addition, each VLAN must be on its own distinct IP subnet.
The topology for this example consists of one EX 4200-48P switch, which has a total
of 48 Gigabit Ethernet ports, all of which support Power over Ethernet (PoE). Most
of the switch ports connect to Avaya IP telephones. The remainder of the ports
connect to wireless access points, file servers, and printers.
Table 56: Components of the Multiple VLAN Topology

Property                      Settings
Switch hardware               EX 4200-48P, 48 Gigabit Ethernet ports, all PoE-enabled
                              (ge-0/0/0 through ge-0/0/47)
VLAN names and tag IDs        sales, tag 100
                              support, tag 200
VLAN subnets                  sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126)
                              support: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254)
Interfaces in VLAN sales      Avaya IP telephones: ge-0/0/3 through ge-0/0/19
                              Wireless access points: ge-0/0/0 and ge-0/0/1
                              Printers: ge-0/0/22 and ge-0/0/23
                              File servers: ge-0/0/20 and ge-0/0/21
Interfaces in VLAN support    Avaya IP telephones: ge-0/0/26 through ge-0/0/43
                              Wireless access points: ge-0/0/24
                              Printers: ge-0/0/44 and ge-0/0/45
                              File servers: ge-0/0/46 and ge-0/0/47
Unused interfaces             ge-0/0/2 and ge-0/0/25

This configuration example creates two IP subnets, one for the sales VLAN and the
second for the support VLAN. The switch bridges traffic within a VLAN. For traffic
passing between two VLANs, the switch routes the traffic using a Layer 3 routing
interface on which you have configured the address of the IP subnet.
To keep the example simple, the configuration steps show only a few devices in each
of the VLANs. Use the same configuration procedure to add more LAN devices.

Configuration
Configure Layer 2 switching for two VLANs:
CLI Quick Configuration

To quickly configure Layer 2 switching for the two VLANs (sales and support) and to
quickly configure Layer 3 routing of traffic between the two VLANs, copy the following
commands and paste them into the switch terminal window. Descriptions that contain
spaces must be quoted, and each routed VLAN interface is given a host address in its
subnet (192.0.2.1 and 192.0.2.129), not the subnet address itself:
[edit]
set interfaces ge-0/0/0 unit 0 description "Sales wireless access point port"
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/3 unit 0 description "Sales phone port"
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/22 unit 0 description "Sales printer port"
set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/20 unit 0 description "Sales file server port"
set interfaces ge-0/0/20 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/24 unit 0 description "Support wireless access point port"
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/26 unit 0 description "Support phone port"
set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/44 unit 0 description "Support printer port"
set interfaces ge-0/0/44 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/46 unit 0 description "Support file server port"
set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members support
set interfaces vlan unit 0 family inet address 192.0.2.1/25
set interfaces vlan unit 1 family inet address 192.0.2.129/25
set vlans sales vlan-id 100
set vlans sales l3-interface vlan.0
set vlans support vlan-id 200
set vlans support l3-interface vlan.1

378

Configuration

Chapter 30: Examples of Configuring Layer 2 Bridging, VLANs, and GVRP

Step-by-Step Procedure

Configure the switch interfaces and the VLANs to which they belong. By default, all
interfaces are in access mode, so you do not have to configure the port mode.
Descriptions that contain spaces must be enclosed in quotation marks.

1. Configure the interface for the wireless access point in the sales VLAN:
[edit interfaces ge-0/0/0 unit 0]
user@switch# set description "Sales wireless access point port"
user@switch# set family ethernet-switching vlan members sales

2. Configure the interface for the Avaya IP phone in the sales VLAN:
[edit interfaces ge-0/0/3 unit 0]
user@switch# set description "Sales phone port"
user@switch# set family ethernet-switching vlan members sales

3. Configure the interface for the printer in the sales VLAN:
[edit interfaces ge-0/0/22 unit 0]
user@switch# set description "Sales printer port"
user@switch# set family ethernet-switching vlan members sales

4. Configure the interface for the file server in the sales VLAN:
[edit interfaces ge-0/0/20 unit 0]
user@switch# set description "Sales file server port"
user@switch# set family ethernet-switching vlan members sales

5. Configure the interface for the wireless access point in the support VLAN:
[edit interfaces ge-0/0/24 unit 0]
user@switch# set description "Support wireless access point port"
user@switch# set family ethernet-switching vlan members support

6. Configure the interface for the Avaya IP phone in the support VLAN:
[edit interfaces ge-0/0/26 unit 0]
user@switch# set description "Support phone port"
user@switch# set family ethernet-switching vlan members support

7. Configure the interface for the printer in the support VLAN:
[edit interfaces ge-0/0/44 unit 0]
user@switch# set description "Support printer port"
user@switch# set family ethernet-switching vlan members support

8. Configure the interface for the file server in the support VLAN:
[edit interfaces ge-0/0/46 unit 0]
user@switch# set description "Support file server port"
user@switch# set family ethernet-switching vlan members support

9. Create the subnet for the sales broadcast domain by giving the routed VLAN
interface a host address in that subnet:
[edit interfaces]
user@switch# set vlan unit 0 family inet address 192.0.2.1/25

10. Create the subnet for the support broadcast domain:
[edit interfaces]
user@switch# set vlan unit 1 family inet address 192.0.2.129/25

11. Configure the VLAN tag IDs for the sales and support VLANs:
[edit vlans]
user@switch# set sales vlan-id 100
user@switch# set support vlan-id 200

12. To route traffic between the sales and support VLANs, associate each VLAN with
its Layer 3 (routed VLAN) interface:
[edit vlans]
user@switch# set sales l3-interface vlan.0
user@switch# set support l3-interface vlan.1

Display the results of the configuration:

user@switch> show configuration
interfaces {
    ge-0/0/0 {
        unit 0 {
            description "Sales wireless access point port";
            family ethernet-switching {
                vlan {
                    members sales;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            description "Sales phone port";
            family ethernet-switching {
                vlan {
                    members sales;
                }
            }
        }
    }
    ge-0/0/22 {
        unit 0 {
            description "Sales printer port";
            family ethernet-switching {
                vlan {
                    members sales;
                }
            }
        }
    }
    ge-0/0/20 {
        unit 0 {
            description "Sales file server port";
            family ethernet-switching {
                vlan {
                    members sales;
                }
            }
        }
    }
    ge-0/0/24 {
        unit 0 {
            description "Support wireless access point port";
            family ethernet-switching {
                vlan {
                    members support;
                }
            }
        }
    }
    ge-0/0/26 {
        unit 0 {
            description "Support phone port";
            family ethernet-switching {
                vlan {
                    members support;
                }
            }
        }
    }
    ge-0/0/44 {
        unit 0 {
            description "Support printer port";
            family ethernet-switching {
                vlan {
                    members support;
                }
            }
        }
    }
    ge-0/0/46 {
        unit 0 {
            description "Support file server port";
            family ethernet-switching {
                vlan {
                    members support;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.0.2.1/25;
            }
        }
        unit 1 {
            family inet {
                address 192.0.2.129/25;
            }
        }
    }
}
vlans {
    sales {
        vlan-id 100;
        interface ge-0/0/0.0;
        interface ge-0/0/3.0;
        interface ge-0/0/20.0;
        interface ge-0/0/22.0;
        l3-interface vlan.0;
    }
    support {
        vlan-id 200;
        interface ge-0/0/24.0;
        interface ge-0/0/26.0;
        interface ge-0/0/44.0;
        interface ge-0/0/46.0;
        l3-interface vlan.1;
    }
}
Tip

To quickly configure the sales and support VLAN interfaces, issue the load merge
terminal command, then copy the hierarchy and paste it into the switch terminal
window.
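Before committing a plan like the one above it is worth checking it mechanically. As an added example that is not code from the Juniper guide, the following validates a VLAN plan against the constraints stated in this example (a unique name and tag per VLAN, one IP subnet per VLAN with no overlap, a routed VLAN interface address that is a usable host address rather than the subnet address, each access port in exactly one VLAN, and EX-style interface names with a member ID of 0 through 9) and renders the plan as the equivalent set commands. The plan data is constructed and deliberately carries the subnet-address mistake so that the validator has something to report.

```python
"""Added example, not from the Juniper guide: validate a VLAN plan before
committing it and emit the equivalent `set` commands. The plan below is
constructed and intentionally contains one error."""

import ipaddress
import re

# EX naming: type-member/pic/port.unit, with the Virtual Chassis member ID 0-9
IFL_RE = re.compile(r"^(ge|xe)-(\d)/(\d)/(\d{1,2})\.(\d+)$")

PLAN = {
    "sales":   {"vlan_id": 100, "l3": "vlan.0", "address": "192.0.2.0/25",
                "interfaces": ["ge-0/0/0.0", "ge-0/0/3.0", "ge-0/0/20.0", "ge-0/0/22.0"]},
    "support": {"vlan_id": 200, "l3": "vlan.1", "address": "192.0.2.129/25",
                "interfaces": ["ge-0/0/24.0", "ge-0/0/26.0", "ge-0/0/44.0", "ge-0/0/46.0"]},
}


def validate(plan):
    """Return a list of human-readable findings; an empty list means the plan is consistent."""
    findings = []
    seen_ids, seen_l3, subnets, owners = {}, {}, [], {}
    for name, v in plan.items():
        vid = v["vlan_id"]
        if not 1 <= vid <= 4094:
            findings.append(f"{name}: vlan-id {vid} outside 1-4094")
        if vid in seen_ids:
            findings.append(f"{name}: vlan-id {vid} already used by {seen_ids[vid]}")
        seen_ids.setdefault(vid, name)
        if v["l3"] in seen_l3:
            findings.append(f"{name}: l3-interface {v['l3']} already used by {seen_l3[v['l3']]}")
        seen_l3.setdefault(v["l3"], name)
        iface = ipaddress.ip_interface(v["address"])
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {v['address']} is not a host address; use e.g. "
                            f"{net.network_address + 1}/{net.prefixlen}")
        for other_name, other_net in subnets:
            if net.overlaps(other_net):
                findings.append(f"{name}: subnet {net} overlaps {other_name} ({other_net})")
        subnets.append((name, net))
        for ifl in v["interfaces"]:
            if not IFL_RE.match(ifl):
                findings.append(f"{name}: {ifl} is not a valid EX logical interface name")
            elif ifl in owners:
                findings.append(f"{name}: {ifl} is also an access port in {owners[ifl]}")
            owners.setdefault(ifl, name)
    return findings


def to_set_commands(plan):
    """Render the plan as JUNOS set commands (descriptions with spaces are quoted)."""
    cmds = []
    for name, v in plan.items():
        for ifl in v["interfaces"]:
            phys, unit = ifl.rsplit(".", 1)
            cmds.append(f'set interfaces {phys} unit {unit} description "{name} port"')
            cmds.append(f"set interfaces {phys} unit {unit} family ethernet-switching vlan members {name}")
        l3_unit = v["l3"].split(".", 1)[1]
        cmds.append(f"set interfaces vlan unit {l3_unit} family inet address {v['address']}")
        cmds.append(f"set vlans {name} vlan-id {v['vlan_id']}")
        cmds.append(f"set vlans {name} l3-interface {v['l3']}")
    return cmds
```

Run validate first and only render the commands once it returns nothing; the one finding on the constructed plan is the sales address, which must be changed to 192.0.2.1/25 as in the step-by-step procedure.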

Verification
To verify that the sales and support VLANs have been created and are operating
properly, perform these tasks:

Verifying That the VLANs Have Been Created and Associated to the Correct Interfaces on page 382

Verifying That Traffic Is Being Routed Between the Two VLANs on page 383

Verifying That Traffic Is Being Switched Between the Two VLANs on page 383

Verifying That the VLANs Have Been Created and Associated to the Correct Interfaces

Purpose
Verify that the VLANs sales and support have been created on the switch and that
all connected interfaces on the switch are members of the correct VLAN.

Action
List all VLANs configured on the switch:
user@switch> show vlans
Name      Tag   Interfaces
default         ge-0/0/1.0, ge-0/0/2.0, ge-0/0/4.0, ge-0/0/5.0,
                ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0,
                ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0, ge-0/0/13.0*,
                ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0,
                ge-0/0/18.0, ge-0/0/19.0, ge-0/0/21.0, ge-0/0/23.0*,
                ge-0/0/25.0, ge-0/0/27.0, ge-0/0/28.0, ge-0/0/29.0,
                ge-0/0/30.0, ge-0/0/31.0, ge-0/0/32.0, ge-0/0/33.0,
                ge-0/0/34.0, ge-0/0/35.0, ge-0/0/36.0, ge-0/0/37.0,
                ge-0/0/38.0, ge-0/0/39.0, ge-0/0/40.0, ge-0/0/41.0,
                ge-0/0/42.0, ge-0/0/43.0, ge-0/0/45.0, ge-0/0/47.0,
                ge-0/1/0.0*, ge-0/1/1.0*, ge-0/1/2.0*, ge-0/1/3.0*
sales     100   ge-0/0/0.0*, ge-0/0/3.0, ge-0/0/20.0, ge-0/0/22.0
support   200   ge-0/0/24.0, ge-0/0/26.0, ge-0/0/44.0, ge-0/0/46.0*
mgmt            me0.0*

382

Verification

Chapter 30: Examples of Configuring Layer 2 Bridging, VLANs, and GVRP

Meaning

The show vlans command lists all VLANs configured on the switch and which interfaces
are members of each VLAN. This command output shows that the sales and support
VLANs have been created. The sales VLAN has a tag ID of 100 and is associated with
interfaces ge-0/0/0.0, ge-0/0/3.0, ge-0/0/20.0, and ge-0/0/22.0. VLAN support has
a tag ID of 200 and is associated with interfaces ge-0/0/24.0, ge-0/0/26.0,
ge-0/0/44.0, and ge-0/0/46.0.

Verifying That Traffic Is Being Routed Between the Two VLANs

Purpose
Verify routing between the two VLANs.

Action
List the Layer 3 address mappings in the switch's Address Resolution Protocol (ARP)
table:
user@switch> show arp
MAC Address         Address      Name     Flags
00:00:0c:06:2c:0d   192.0.2.3    vlan.0   None
00:13:e2:50:62:e0   192.0.2.11   vlan.1   None

Meaning
Sending IP packets on a multiaccess network requires mapping from an IP address
to a MAC address (the physical or hardware address). The ARP table displays the
mapping between the IP address and MAC address for both vlan.0 (associated with
sales) and vlan.1 (associated with support). These VLANs can route traffic to each
other.

Verifying That Traffic Is Being Switched Between the Two VLANs

Purpose
Verify that learned entries are being added to the Ethernet switching table.

Action
List the contents of the Ethernet switching table:
user@switch> show ethernet-switching table
Ethernet-switching table: 8 entries, 5 learned
VLAN      MAC address         Type    Age   Interfaces
default   *                   Flood         All-members
default   00:00:05:00:00:01   Learn         ge-0/0/10.0
default   00:00:5e:00:01:09   Learn         ge-0/0/13.0
default   00:19:e2:50:63:e0   Learn         ge-0/0/23.0
sales     *                   Flood         All-members
sales     00:00:5e:00:07:09   Learn         ge-0/0/0.0
support   *                   Flood         All-members
support   00:00:5e:00:01:01   Learn         ge-0/0/46.0

Meaning
The output shows that learned entries for the sales and support VLANs have been
added to the Ethernet switching table, and are associated with interfaces ge-0/0/0.0
and ge-0/0/46.0. Even though the VLANs were associated with more than one
interface in the configuration, these interfaces are the only ones that are currently
operating.


Related Topics

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369

Example: Connecting an Access Switch to a Distribution Switch on page 384

Example: Configure Automatic VLAN Administration Using GVRP on page 393

Understanding Bridging and VLANs on EX-series Switches on page 359

Example: Connecting an Access Switch to a Distribution Switch


In large local area networks (LANs), you commonly need to aggregate traffic from a
number of access switches into a distribution switch.
This example describes how to connect an access switch to a distribution switch:

Requirements on page 384

Overview and Topology on page 384

Configuring the Access Switch on page 385

Configuring the Distribution Switch on page 390

Verification on page 392

Requirements
This example uses the following hardware and software components:

For the distribution switch, one EX 4200-24F switch. This model is designed to
be used as a distribution switch for aggregation or collapsed core network
topologies and in space-constrained data centers. It has twenty-four 1-Gigabit
Ethernet fiber SFP ports and an EX-UM-2XFP uplink module with two 10-Gigabit
Ethernet XFP ports.

For the access switch, one EX 3200-24P, which has twenty-four 1-Gigabit Ethernet
ports, all of which support Power over Ethernet (PoE), and an uplink module
with four 1-Gigabit Ethernet ports.

JUNOS Release 9.0 or later for EX-series switches

Before you connect an access switch to a distribution switch, be sure you have:

Installed the two switches. See Installing and Connecting an EX-series Switch.

Performed the initial software configuration on both switches. See Connecting
and Configuring the EX-series Switch (J-Web Procedure) on page 58.

Overview and Topology


In a large office that is spread across several floors or buildings, or in a data center,
you commonly aggregate traffic from a number of access switches into a distribution
switch. This configuration example shows a simple topology to illustrate how to
connect a single access switch to a distribution switch.


In the topology, the LAN is segmented into two VLANs, one for the sales department
and the second for the support team. One 1-Gigabit Ethernet port on the access
switch's uplink module connects to one 1-Gigabit Ethernet port on the distribution
switch.
Table 57 on page 385 explains the components of the example topology.
Table 57: Components of the Topology for Connecting an Access Switch to a Distribution Switch

Property                          Settings
Access switch hardware            EX 3200-24P, 24 1-Gigabit Ethernet ports, all PoE-enabled
                                  (ge-0/0/0 through ge-0/0/23); one 4-port 1-Gigabit Ethernet
                                  uplink module (EX-UM-4SFP)
Distribution switch hardware      EX 4200-24F, 24 1-Gigabit Ethernet fiber SFP ports (ge-0/0/0
                                  through ge-0/0/23); one 2-port 10-Gigabit Ethernet XFP uplink
                                  module (EX-UM-2XFP)
VLAN names and tag IDs            sales, tag 100
                                  support, tag 200
VLAN subnets                      sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126)
                                  support: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254)
Trunk port interfaces             On the access switch: ge-0/1/0
                                  On the distribution switch: ge-0/0/0
Access port interfaces in         Avaya IP telephones: ge-0/0/3 through ge-0/0/19
VLAN sales (on access switch)     Wireless access points: ge-0/0/0 and ge-0/0/1
                                  Printers: ge-0/0/22 and ge-0/0/23
                                  File servers: ge-0/0/20 and ge-0/0/21
Access port interfaces in         Avaya IP telephones: ge-0/0/25 through ge-0/0/43
VLAN support (on access switch)   Wireless access points: ge-0/0/24
                                  Printers: ge-0/0/44 and ge-0/0/45
                                  File servers: ge-0/0/46 and ge-0/0/47
Unused interfaces on access       ge-0/0/2 and ge-0/0/25
switch

Configuring the Access Switch


To configure the access switch:

CLI Quick Configuration

To quickly configure the access switch, copy the following commands and paste
them into the switch terminal window:
[edit]
set interfaces ge-0/0/0 unit 0 description "Sales wireless access point port"
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/3 unit 0 description "Sales phone port"
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/22 unit 0 description "Sales printer port"
set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/20 unit 0 description "Sales file server port"
set interfaces ge-0/0/20 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/24 unit 0 description "Support wireless access point port"
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/26 unit 0 description "Support phone port"
set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/44 unit 0 description "Support printer port"
set interfaces ge-0/0/44 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/46 unit 0 description "Support file server port"
set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/1/0 unit 0 description "Uplink module port connection to distribution switch"
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching native-vlan-id 1
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members [ sales support ]
set interfaces vlan unit 0 family inet address 192.0.2.1/25
set interfaces vlan unit 1 family inet address 192.0.2.129/25
set vlans sales interface ge-0/0/0.0
set vlans sales interface ge-0/0/3.0
set vlans sales interface ge-0/0/22.0
set vlans sales interface ge-0/0/20.0
set vlans sales l3-interface vlan.0
set vlans sales vlan-id 100
set vlans sales vlan-description "Sales VLAN"
set vlans support interface ge-0/0/24.0
set vlans support interface ge-0/0/26.0
set vlans support interface ge-0/0/44.0
set vlans support interface ge-0/0/46.0
set vlans support vlan-id 200
set vlans support l3-interface vlan.1
set vlans support vlan-description "Support VLAN"

Step-by-Step Procedure

To configure the access switch:

1. Configure the 1-Gigabit Ethernet interface on the uplink module to be the trunk
port that connects to the distribution switch:
[edit interfaces ge-0/1/0 unit 0]
user@access-switch# set description "Uplink module port connection to distribution switch"
user@access-switch# set family ethernet-switching port-mode trunk

2. Specify the VLANs to be aggregated on the trunk port:
[edit interfaces ge-0/1/0 unit 0]
user@access-switch# set family ethernet-switching vlan members [ sales support ]

3. Configure the VLAN ID to use for packets that are received with no dot1q tag
(untagged packets):
[edit interfaces ge-0/1/0 unit 0]
user@access-switch# set family ethernet-switching native-vlan-id 1

4. Configure the sales VLAN:
[edit vlans sales]
user@access-switch# set vlan-description "Sales VLAN"
user@access-switch# set vlan-id 100
user@access-switch# set l3-interface vlan.0

5. Configure the support VLAN:
[edit vlans support]
user@access-switch# set vlan-description "Support VLAN"
user@access-switch# set vlan-id 200
user@access-switch# set l3-interface vlan.1

6. Create the subnet for the sales broadcast domain:
[edit interfaces]
user@access-switch# set vlan unit 0 family inet address 192.0.2.1/25

7. Create the subnet for the support broadcast domain:
[edit interfaces]
user@access-switch# set vlan unit 1 family inet address 192.0.2.129/25

8. Configure the interfaces in the sales VLAN:
[edit interfaces]
user@access-switch# set ge-0/0/0 unit 0 description "Sales wireless access point port"
user@access-switch# set ge-0/0/0 unit 0 family ethernet-switching vlan members sales
user@access-switch# set ge-0/0/3 unit 0 description "Sales phone port"
user@access-switch# set ge-0/0/3 unit 0 family ethernet-switching vlan members sales
user@access-switch# set ge-0/0/20 unit 0 description "Sales file server port"
user@access-switch# set ge-0/0/20 unit 0 family ethernet-switching vlan members sales
user@access-switch# set ge-0/0/22 unit 0 description "Sales printer port"
user@access-switch# set ge-0/0/22 unit 0 family ethernet-switching vlan members sales

9. Configure the interfaces in the support VLAN:
[edit interfaces]
user@access-switch# set ge-0/0/24 unit 0 description "Support wireless access point port"
user@access-switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members support
user@access-switch# set ge-0/0/26 unit 0 description "Support phone port"
user@access-switch# set ge-0/0/26 unit 0 family ethernet-switching vlan members support
user@access-switch# set ge-0/0/44 unit 0 description "Support printer port"
user@access-switch# set ge-0/0/44 unit 0 family ethernet-switching vlan members support
user@access-switch# set ge-0/0/46 unit 0 description "Support file server port"
user@access-switch# set ge-0/0/46 unit 0 family ethernet-switching vlan members support

10. Configure descriptions and VLAN tag IDs for the sales and support VLANs:
[edit vlans]
user@access-switch# set sales vlan-description "Sales VLAN"
user@access-switch# set sales vlan-id 100
user@access-switch# set support vlan-description "Support VLAN"
user@access-switch# set support vlan-id 200

11. To route traffic between the sales and support VLANs and associate a Layer 3
interface with each VLAN:
[edit vlans]
user@access-switch# set sales l3-interface vlan.0
user@access-switch# set support l3-interface vlan.1

Results

Display the results of the configuration:


user@access-switch> show
interfaces {
ge-0/0/0 {
unit 0 {
description Sales wireless access point port;
family ethernet-switching {
vlan members sales;
}
}
}
ge-0/0/3 {
unit 0 {
description Sales phone port;
family ethernet-switching {
vlan members sales;
}
}
}
ge-0/0/20 {
unit 0 {
description Sales file server port;
family ethernet-switching {
vlan members sales;
}
}
}
ge-0/0/22 {
unit 0 {
description Sales printer port;
family ethernet-switching {
vlan members sales;
}
}
}
ge-0/0/24 {
unit 0 {
description Support wireless access point port;
family ethernet-switching {
vlan members support;
}
}
}
ge-0/0/26 {
unit 0 {
description Support phone port;
family ethernet-switching {
vlan members support;
}
}
}
ge-0/0/44 {
unit 0 {
description Support printer port;
family ethernet-switching {
vlan members support;
}
}
}
ge-0/0/46 {
unit 0 {
description Support file server port;
family ethernet-switching {
vlan members support;
}
}
}
ge-0/1/0 {
unit 0 {
description Uplink module port connection to distribution switch;
family ethernet-switching {
port-mode trunk;
vlan members [ sales support ];
native-vlan-id 1;
}
}
}
vlan {
unit 0 {
family inet address 192.0.2.1/25;
}
unit 1 {
family inet address 192.0.2.129/25;
}
}
}
vlans {
sales {
vlan-id 100;
vlan-description Sales VLAN;
l3-interface vlan.0;
}
support {
vlan-id 200;
vlan-description Support VLAN;
l3-interface vlan.1;
}
}
Tip

To quickly configure the access switch, issue the load merge terminal command,
then copy the hierarchy and paste it into the switch terminal window.
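A configuration of this size is worth checking mechanically before commit: a port in the wrong VLAN, or a trunk without a native VLAN ID, is easy to miss in a long set listing. The following Python script is an added example, not Juniper's code or part of this guide; it parses Junos-style set commands (a constructed sample based on the quick configuration above, with ge-0/0/44 deliberately placed in the wrong VLAN and the native-vlan-id line left out) and compares the result with the port plan in Table 57.

```python
"""Audit Junos-style 'set' commands for the access switch in this example.
Added example, not Juniper's code: it builds the VLAN membership model from
the configuration and checks it against the port plan of Table 57."""
import re
from collections import defaultdict

# Constructed sample based on the CLI quick configuration above, with two
# deliberate problems: ge-0/0/44 is placed in 'sales' instead of 'support',
# and the trunk has no native-vlan-id.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/20 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/44 unit 0 description "Support printer port"
set interfaces ge-0/0/44 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members [ sales support ]
set vlans sales vlan-id 100
set vlans sales l3-interface vlan.0
set vlans support vlan-id 200
set vlans support l3-interface vlan.1
"""

# Port plan from Table 57: access ports per VLAN, the trunk port, unused ports.
PLAN = {
    "sales": {"ge-0/0/0", "ge-0/0/3", "ge-0/0/20", "ge-0/0/22"},
    "support": {"ge-0/0/24", "ge-0/0/26", "ge-0/0/44", "ge-0/0/46"},
}
TRUNK = "ge-0/1/0"
UNUSED = {"ge-0/0/2"}

ES = r"^set interfaces (\S+) unit \d+ family ethernet-switching "
MEMBERS_RE = re.compile(ES + r"vlan members (?:\[\s*([^\]]+?)\s*\]|(\S+))$")
MODE_RE = re.compile(ES + r"port-mode (\S+)$")
NATIVE_RE = re.compile(ES + r"native-vlan-id (\d+)$")
VLAN_RE = re.compile(r"^set vlans (\S+) (vlan-id|l3-interface) (\S+)$")

def parse_config(text):
    """Return VLAN membership, port mode and native VLAN per interface, and
    the vlan-id / l3-interface attributes per VLAN."""
    model = {"members": defaultdict(set), "mode": {}, "native": {},
             "vlans": defaultdict(dict)}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := MEMBERS_RE.match(line):
            names = m.group(2).split() if m.group(2) else [m.group(3)]
            model["members"][m.group(1)].update(names)
        elif m := MODE_RE.match(line):
            model["mode"][m.group(1)] = m.group(2)
        elif m := NATIVE_RE.match(line):
            model["native"][m.group(1)] = int(m.group(2))
        elif m := VLAN_RE.match(line):
            model["vlans"][m.group(1)][m.group(2)] = m.group(3)
    return model

def audit(model, plan=PLAN, trunk=TRUNK, unused=UNUSED):
    """Compare the parsed model with the plan and return a list of findings."""
    findings = []
    members = model["members"]
    # Every planned access port must be in exactly its planned VLAN.
    for vlan, ports in plan.items():
        for port in sorted(ports):
            got = members.get(port, set())
            if got != {vlan}:
                findings.append(f"{port}: expected in VLAN {vlan}, "
                                f"configured in {sorted(got) or 'none'}")
    # The uplink must be a trunk that carries every planned VLAN, and untagged
    # frames need an explicitly chosen VLAN (native-vlan-id).
    if model["mode"].get(trunk) != "trunk":
        findings.append(f"{trunk}: not configured as a trunk")
    missing = set(plan) - members.get(trunk, set())
    if missing:
        findings.append(f"{trunk}: trunk does not carry {sorted(missing)}")
    if trunk not in model["native"]:
        findings.append(f"{trunk}: native-vlan-id not set")
    # Ports planned as unused must not belong to any VLAN.
    for port in sorted(unused):
        if members.get(port):
            findings.append(f"{port}: planned unused but in {sorted(members[port])}")
    # Each VLAN needs its tag and the L3 interface used to route between VLANs.
    for vlan in plan:
        attrs = model["vlans"].get(vlan, {})
        for key in ("vlan-id", "l3-interface"):
            if key not in attrs:
                findings.append(f"vlan {vlan}: missing {key}")
    return findings

def audit_config(text):
    return audit(parse_config(text))

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

The sample yields two findings, one per deliberate problem; correcting the ge-0/0/44 membership and adding the native-vlan-id line brings the audit to an empty list.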

Configuring the Distribution Switch


To configure the distribution switch:

CLI Quick Configuration

To quickly configure the distribution switch, copy the following commands and paste
them into the switch terminal window:
[edit]
set interfaces ge-0/0/0 description "Connection to access switch"
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members [ sales support ]
set interfaces ge-0/0/0 unit 0 family ethernet-switching native-vlan-id 1
set interfaces vlan unit 0 family inet address 192.0.2.2/25
set interfaces vlan unit 1 family inet address 192.0.2.130/25
set vlans sales vlan-description "Sales VLAN"
set vlans sales vlan-id 100
set vlans sales l3-interface vlan.0
set vlans support vlan-description "Support VLAN"
set vlans support vlan-id 200
set vlans support l3-interface vlan.1

Step-by-Step Procedure

To configure the distribution switch:

1. Configure the interface on the switch to be the trunk port that connects to the
access switch:
[edit interfaces ge-0/0/0]
user@distribution-switch# set description "Connection to access switch"
user@distribution-switch# set unit 0 family ethernet-switching port-mode trunk

2. Specify the VLANs to be aggregated on the trunk port:
[edit interfaces ge-0/0/0 unit 0]
user@distribution-switch# set family ethernet-switching vlan members [ sales support ]

3. Configure the VLAN ID to use for packets that are received with no dot1q tag
(untagged packets):
[edit interfaces]
user@distribution-switch# set ge-0/0/0 unit 0 family ethernet-switching native-vlan-id 1

4. Configure the sales VLAN:
[edit vlans sales]
user@distribution-switch# set vlan-description "Sales VLAN"
user@distribution-switch# set vlan-id 100
user@distribution-switch# set l3-interface vlan.0

5. Configure the support VLAN:
[edit vlans support]
user@distribution-switch# set vlan-description "Support VLAN"
user@distribution-switch# set vlan-id 200
user@distribution-switch# set l3-interface vlan.1

6. Create the subnet for the sales broadcast domain:
[edit interfaces]
user@distribution-switch# set vlan unit 0 family inet address 192.0.2.2/25

7. Create the subnet for the support broadcast domain:
[edit interfaces]
user@distribution-switch# set vlan unit 1 family inet address 192.0.2.130/25
Results

Display the results of the configuration:


user@distribution-switch> show
interfaces {
ge-0/0/0 {
description Connection to access switch;
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan members [ sales support ];
native-vlan-id 1;
}
}
}
vlan {
unit 0 {
family inet address 192.0.2.2/25;
}
unit 1 {
family inet address 192.0.2.130/25;
}
}
}
vlans {
sales {
vlan-id 100;
vlan-description Sales VLAN;
l3-interface vlan.0;
}
support {
vlan-id 200;
vlan-description Support VLAN;
l3-interface vlan.1;
}
}
Tip

To quickly configure the distribution switch, issue the load merge terminal command,
then copy the hierarchy and paste it into the switch terminal window.

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying the VLAN Members and Interfaces on the Access Switch on page 392

Verifying the VLAN Members and Interfaces on the Distribution Switch on page 392

Verifying the VLAN Members and Interfaces on the Access Switch

Purpose
Verify that the sales and support VLANs have been created on the switch.

Action
List all VLANs configured on the switch:
user@switch> show vlans
Name      Tag   Interfaces
default         ge-0/0/1.0, ge-0/0/2.0, ge-0/0/4.0, ge-0/0/5.0,
                ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0*, ge-0/0/9.0,
                ge-0/0/10.0, ge-0/0/11.0*, ge-0/0/12.0, ge-0/0/13.0,
                ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0,
                ge-0/0/18.0, ge-0/0/19.0*, ge-0/0/21.0, ge-0/0/23.0,
                ge-0/0/25.0, ge-0/0/27.0*, ge-0/0/28.0, ge-0/0/29.0,
                ge-0/0/30.0, ge-0/0/31.0*, ge-0/0/32.0, ge-0/0/33.0,
                ge-0/0/34.0, ge-0/0/35.0*, ge-0/0/36.0, ge-0/0/37.0,
                ge-0/0/38.0, ge-0/0/39.0*, ge-0/0/40.0, ge-0/0/41.0,
                ge-0/0/42.0, ge-0/0/43.0*, ge-0/0/45.0, ge-0/0/47.0,
                ge-0/1/1.0*, ge-0/1/2.0*, ge-0/1/3.0*
sales     100   ge-0/0/0.0*, ge-0/0/3.0, ge-0/0/20.0, ge-0/0/22.0,
                ge-0/1/0.0*
support   200   ge-0/0/24.0*, ge-0/0/26.0, ge-0/0/44.0, ge-0/0/46.0
mgmt            me0.0*

Meaning
The output shows the sales and support VLANs and the interfaces associated with
them.

Verifying the VLAN Members and Interfaces on the Distribution Switch

Purpose
Verify that the sales and support VLANs have been created on the switch.

Action
List all VLANs configured on the switch:
user@switch> show vlans
Name      Tag   Interfaces
default         ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0,
                ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0*, ge-0/0/8.0,
                ge-0/0/9.0, ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0,
                ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0,
                ge-0/0/17.0, ge-0/0/18.0*, ge-0/0/19.0, ge-0/0/20.0,
                ge-0/0/21.0, ge-0/0/22.0*, ge-0/0/23.0, ge-0/1/1.0*,
                ge-0/1/2.0*, ge-0/1/3.0*
sales     100   ge-0/0/0.0*
support   200   ge-0/0/0.0*
mgmt            me0.0*

Meaning
The output shows the sales and support VLANs associated with interface ge-0/0/0.0.
Interface ge-0/0/0.0 is the trunk interface connected to the access switch.

Related Topics

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369

Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376

Example: Configure Automatic VLAN Administration Using GVRP on page 393

Understanding Bridging and VLANs on EX-series Switches on page 359

Example: Configure Automatic VLAN Administration Using GVRP


As a network expands and the number of clients and VLANs increases, VLAN
administration becomes complex, and the task of efficiently configuring VLANs on
multiple switches becomes increasingly difficult. To automate VLAN administration,
you can enable GARP VLAN Registration Protocol (GVRP) on the network.
GVRP learns VLANs on a particular 802.1Q trunk port and adds the corresponding
trunk port to the VLAN if the advertised VLAN already exists on the switch. For
example, a VLAN named sales is advertised to trunk port 1 on the GVRP-enabled
switch. The switch adds trunk port 1 to the sales VLAN if the sales VLAN already
exists on the switch.
As individual ports become active and send a request to join a VLAN, the VLAN
configuration is updated and propagated among the switches. Limiting the VLAN
configuration to active participants reduces the network overhead. GVRP also provides
the benefit of pruning VLANs to limit the scope of broadcast, unknown unicast, and
multicast (BUM) traffic to interested devices only.


This example describes how to statically configure VLANs on a single switch, then
enable GVRP on another switch to dynamically propagate the configuration:

Requirements on page 394

Overview and Topology on page 394

Configuring VLANs and GVRP on Switch 1 on page 395

Configuring GVRP on Switch 2 on page 397

Verification on page 398

Requirements
This example uses the following hardware and software components:

One EX 4200 distribution switch

One EX 3200 access switch

JUNOS Release 9.0 or later for EX-series switches

Before you configure the GVRP network on the access switch and the distribution
switch, be sure you have:

Installed the access switch and the distribution switch. See Installing and
Connecting an EX-series Switch.

Performed the initial software configuration on the switches. See Connecting
and Configuring the EX-series Switch (J-Web Procedure) on page 58.

Overview and Topology


This example shows a simple configuration to illustrate the basic steps for creating
five VLANs on a single distribution switch. After the static VLAN configuration is
created, GVRP is enabled on the access switch in the topology to dynamically
distribute the VLAN configuration.

Topology
The topology for this example consists of a GVRP network configured on one access
switch and one distribution switch.
Table 58: Components of the GVRP Network Topology

Property                  Settings
Switch hardware           Switch 1: EX 4200 distribution switch
                          Switch 2: EX 3200 access switch
VLAN names and tag IDs    voice-vlan, tag 10
                          employee-vlan, tag 20
                          guest-vlan, tag 30
                          camera-vlan, tag 40
                          analyzer-vlan, tag 999

This configuration example creates a static VLAN configuration on an EX 4200
distribution switch (Switch 1). There are five VLANs in the configuration, each serving
a different purpose in the network.
After the VLANs are configured, GVRP is enabled on Switch 1 and Switch 2. GVRP
will dynamically distribute the VLAN configuration on Switch 1 to Switch 2.

Configuring VLANs and GVRP on Switch 1


To create a static VLAN configuration on a distribution switch, and enable GVRP on
all switches, perform these tasks:

CLI Quick Configuration

To quickly configure the voice-vlan, employee-vlan, guest-vlan, camera-vlan, and
analyzer-vlan VLANs on Switch 1 and enable GVRP, copy the following commands
and paste them into the switch terminal window:
[edit]
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members voice-vlan
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members employee-vlan
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members guest-vlan
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members camera-vlan
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members analyzer-vlan
set vlans voice-vlan vlan-id 10
set vlans employee-vlan vlan-id 20
set vlans guest-vlan vlan-id 30
set vlans camera-vlan vlan-id 40
set vlans analyzer-vlan vlan-id 999
set protocols gvrp enable join-timer 40
set protocols gvrp enable leave-timer 120
set protocols gvrp enable leaveall-timer 2000
set protocols gvrp interface all enable

Step-by-Step Procedure

To configure the VLANs and VLAN tag identifiers, then configure the VLANs on
interface ge-0/0/0, enable GVRP on all interfaces, and set the GVRP timers (optional):

1. Configure the VLANs voice-vlan, employee-vlan, guest-vlan, camera-vlan, and
analyzer-vlan:
[edit vlans]
user@switch# set voice-vlan vlan-id 10
user@switch# set employee-vlan vlan-id 20
user@switch# set guest-vlan vlan-id 30
user@switch# set camera-vlan vlan-id 40
user@switch# set analyzer-vlan vlan-id 999

2. Configure the voice-vlan, employee-vlan, guest-vlan, camera-vlan, and analyzer-vlan
VLANs on interface ge-0/0/0:
[edit interfaces ge-0/0/0 unit 0 family ethernet-switching]
user@switch# set vlan members voice-vlan
user@switch# set vlan members employee-vlan
user@switch# set vlan members guest-vlan
user@switch# set vlan members camera-vlan
user@switch# set vlan members analyzer-vlan

3. Globally enable GVRP networking:
[edit protocols gvrp]
user@switch# set enable

4. Set the join-timer to specify the maximum number of milliseconds the interfaces
wait before sending VLAN advertisements:
[edit protocols gvrp]
user@switch# set join-timer 40

5. Set the leave-timer to configure the number of milliseconds an interface must
wait after receiving a leave message to remove the interface from the VLAN
specified in the message:
[edit protocols gvrp]
user@switch# set leave-timer 120

6. Set the leaveall-timer to configure the interval at which Leave All messages are
sent on interfaces. Leave All messages help to maintain current GVRP VLAN
membership information in the network:
[edit protocols gvrp]
user@switch# set leaveall-timer 2000

NOTE: Default values are associated with each timer: 200 ms for the join-timer, 600
ms for the leave-timer, and 1000 ms for the leaveall-timer. Modifying timers to
inappropriate values may cause an imbalance in the operation of GVRP. Refer to
IEEE 802.1D [2004] Clause 12 for more information.

7. Apply GVRP networking on all interfaces:
[edit protocols gvrp]
user@switch# set interface all enable

Results

Display the results of the configuration:


user@switch# show
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan members voice-vlan;
vlan members employee-vlan;
vlan members guest-vlan;
vlan members camera-vlan;
vlan members analyzer-vlan;
}
}
}
}
protocols {
gvrp {
enable {
join-timer 40;
leave-timer 120;
leaveall-timer 2000;
interface all;
}
}
}
vlans {
analyzer-vlan {
vlan-id 999;
}
camera-vlan {
vlan-id 40;
}
employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
voice-vlan {
vlan-id 10;
}
}

Configuring GVRP on Switch 2


CLI Quick Configuration

To quickly enable GVRP on Switch 2, copy the following commands and paste them
into the switch terminal window:
[edit]
set protocols gvrp enable join-timer 40
set protocols gvrp enable leave-timer 120
set protocols gvrp enable leaveall-timer 2000
set protocols gvrp interface all enable

Step-by-Step Procedure

Enable GVRP networking on all interfaces on Switch 2 and set the GVRP timers:

1. Globally enable GVRP networking:
[edit protocols gvrp]
user@switch# set enable

2. Set the join-timer to specify the maximum number of milliseconds the interfaces
wait before sending VLAN advertisements:
[edit protocols gvrp]
user@switch# set join-timer 40

3. Set the leave-timer to configure the number of milliseconds an interface must
wait after receiving a leave message to remove the interface from the VLAN
specified in the message:
[edit protocols gvrp]
user@switch# set leave-timer 120

4. Set the leaveall-timer to configure the interval at which Leave All messages are
sent on interfaces. Leave All messages help to maintain current GVRP VLAN
membership information in the network:
[edit protocols gvrp]
user@switch# set leaveall-timer 2000

5. Apply GVRP networking on all interfaces:
[edit protocols gvrp]
user@switch# set interface all enable

Results

Display the results of the configuration:


user@switch# show
protocols {
gvrp {
enable {
join-timer 40;
leave-timer 120;
leaveall-timer 2000;
interface all;
}
}
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying VLANs and GVRP Configuration on Switch 1 on page 398

Verifying GVRP Configuration on Switch 2 on page 399

Verifying VLANs and GVRP Configuration on Switch 1

Purpose
Verify that the VLANs voice-vlan, employee-vlan, guest-vlan, camera-vlan, and
analyzer-vlan have been created on the switch and that GVRP is enabled.

Action
Use the operational mode commands:
user@switch1> show vlans
Name            Tag   Interfaces
analyzer-vlan   999   ge-0/0/0.0
camera-vlan     40    ge-0/0/0.0
default               ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0,
                      ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0,
                      ge-0/0/9.0, ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0,
                      ge-0/0/13.0*, ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0,
                      ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0, ge-0/0/20.0,
                      ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0*, ge-0/0/24.0,
                      ge-0/0/25.0, ge-0/0/26.0, ge-0/0/27.0, ge-0/0/28.0,
                      ge-0/0/29.0, ge-0/0/30.0, ge-0/0/31.0, ge-0/0/32.0,
                      ge-0/0/33.0, ge-0/0/34.0, ge-0/0/35.0, ge-0/0/36.0,
                      ge-0/0/37.0, ge-0/0/38.0, ge-0/0/39.0, ge-0/0/40.0,
                      ge-0/0/41.0, ge-0/0/42.0, ge-0/0/43.0, ge-0/0/45.0,
                      ge-0/0/44.0, ge-0/0/46.0*, ge-0/0/47.0, ge-0/1/0.0*,
                      ge-0/1/1.0*, ge-0/1/2.0*, ge-0/1/3.0*
employee-vlan   20    ge-0/0/0.0
guest-vlan      30    ge-0/0/0.0
voice-vlan      10    ge-0/0/0.0
mgmt                  me0.0*
user@switch1> show gvrp
Global GVRP configuration
GVRP status            : Enabled
GVRP timers (ms)
  Join                 : 40
  Leave                : 120
  Leaveall             : 2000
Interface based configuration:
Interface    GVRP status
----------   -----------
ge-0/0/0.0   Enabled

Meaning

The show vlans command lists all VLANs configured on the switch and which interfaces
are members of each VLAN. The show gvrp command shows that GVRP is enabled
on the switch.
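The timer values set in the procedures above and the show gvrp output can be checked with a short script. The following Python is an added example, not Juniper's code or part of this guide; it parses a constructed show gvrp sample in the layout shown above (the column spacing and the second, disabled interface row are assumptions), compares the timers with the configured values, and applies the timer relationships from IEEE 802.1D-2004 Clause 12 that the NOTE refers to (Leave at least twice Join, LeaveAll longer than Leave).

```python
"""Check GVRP timers and parse 'show gvrp' output for the switches in this
example. Added example, not Juniper's code."""
import re

# Junos defaults quoted in the NOTE above (milliseconds).
DEFAULT_TIMERS_MS = {"join": 200, "leave": 600, "leaveall": 1000}

# Constructed sample in the layout of the 'show gvrp' output above; the
# second interface row is added to exercise the per-interface parsing.
SAMPLE_SHOW_GVRP = """\
Global GVRP configuration
GVRP status            : Enabled
GVRP timers (ms)
  Join                 : 40
  Leave                : 120
  Leaveall             : 2000
Interface based configuration:
Interface    GVRP status
----------   -----------
ge-0/0/0.0   Enabled
ge-0/0/1.0   Disabled
"""

KV_RE = re.compile(r"^\s*(GVRP status|Join|Leave|Leaveall)\s*:\s*(\S+)\s*$")
IF_RE = re.compile(r"^\s*(\S+\.\d+)\s+(Enabled|Disabled)\s*$")

def check_gvrp_timers(join, leave, leaveall):
    """Apply the IEEE 802.1D-2004 Clause 12 relationships: Leave must be at
    least twice Join (a member gets more than one chance to re-join before it
    is deregistered) and LeaveAll must be longer than Leave. Returns problems."""
    problems = []
    for name, value in (("join", join), ("leave", leave), ("leaveall", leaveall)):
        if value <= 0:
            problems.append(f"{name}-timer must be positive, got {value} ms")
    if leave < 2 * join:
        problems.append(f"leave-timer {leave} ms is less than twice join-timer {join} ms")
    if leaveall <= leave:
        problems.append(f"leaveall-timer {leaveall} ms must exceed leave-timer {leave} ms")
    return problems

def parse_show_gvrp(text):
    """Return global status, timers (ms) and per-interface GVRP state."""
    state = {"enabled": None, "timers": {}, "interfaces": {}}
    for line in text.splitlines():
        if m := KV_RE.match(line):
            key, value = m.groups()
            if key == "GVRP status":
                state["enabled"] = value == "Enabled"
            else:
                state["timers"][key.lower()] = int(value)
        elif m := IF_RE.match(line):
            state["interfaces"][m.group(1)] = m.group(2) == "Enabled"
    return state

def gvrp_enabled_interfaces(state):
    """Interfaces that accept VLAN registrations from a neighbour. With
    'interface all' this is every interface, which is worth reviewing."""
    return sorted(name for name, on in state["interfaces"].items() if on)

def review_gvrp(text, expected_timers):
    """Compare operational state with the intended timers and the Clause 12 rules."""
    state = parse_show_gvrp(text)
    findings = []
    if not state["enabled"]:
        findings.append("GVRP is not globally enabled")
    for name, want in expected_timers.items():
        got = state["timers"].get(name)
        if got != want:
            findings.append(f"{name}-timer is {got} ms, expected {want} ms")
    timers = state["timers"]
    if len(timers) == 3:
        findings.extend(check_gvrp_timers(timers["join"], timers["leave"], timers["leaveall"]))
    return findings

if __name__ == "__main__":
    configured = {"join": 40, "leave": 120, "leaveall": 2000}
    print(review_gvrp(SAMPLE_SHOW_GVRP, configured) or "GVRP state matches the configuration")
    print("GVRP enabled on:", gvrp_enabled_interfaces(parse_show_gvrp(SAMPLE_SHOW_GVRP)))
```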

Verifying GVRP Configuration on Switch 2

Purpose
Verify that GVRP is enabled on the switch.

Action
Use the operational mode command:
user@switch> show gvrp
Global GVRP configuration
GVRP status            : Enabled
GVRP timers (ms)
  Join                 : 40
  Leave                : 120
  Leaveall             : 2000
Interface based configuration:
Interface    GVRP status
----------   -----------
ge-0/0/0.0   Enabled

Meaning
The show gvrp command shows that GVRP is enabled on the switch.

Related Topics

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369

Understanding Bridging and VLANs on EX-series Switches on page 359

Example: Configuring Redundant Trunk Links for Faster Recovery


Simplify the convergence configuration in a typical enterprise network by configuring
a primary link and a secondary link on trunk ports. If the primary link fails, the
secondary link automatically takes over without waiting for normal STP convergence.
This example describes how to create a redundant trunk group:

Requirements on page 400

Overview and Topology on page 401

Configuration on page 402

Verification on page 403

Requirements
This example uses the following hardware and software components:

Two EX-series 4200 distribution switches.

One EX-series 3200 access switch.

JUNOS Release 9.0 or later for EX-series switches

Before you configure the redundant trunk links network on the access and distribution
switches, be sure you have:

Installed the access switch. See Installing and Connecting an EX-series Switch.

Installed the two distribution switches. See Installing and Connecting an EX-series
Switch.

Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.

Overview and Topology


This example shows a simple configuration to illustrate the basic steps for creating
a redundant trunk group.
Configuring redundant trunk links places the primary link and the secondary link in
a redundant group. However, a primary link need not be configured. If a primary
link is not specified, the software compares the two links and selects the link with
the highest port number as the active link. For example, if the two interfaces are
ge-0/1/0 and ge-0/1/1, the software assigns ge-0/1/1 as the active link.
Whether a primary link is specified as the active link, or whether it is calculated by
the software, traffic is handled in the same manner. Traffic passes through the active
link but is blocked on the secondary link. If the active link goes down or is disabled
administratively, the secondary link becomes active and begins forwarding traffic.
However, there is a difference between the behavior of a primary, active link and
an active link that is calculated to be active by the software. If an active link goes
down, the secondary link begins forwarding traffic. If the old, active link comes up
again, the following occurs:

If the old, active link was configured as the primary link, then it resumes the role
of active link and the other link is blocked. An interface configured as primary
continues to carry with it the primary role whenever it becomes active.

If no primary link was configured, and the active link was calculated by the
software when the redundant group was formed, then the old, active link will
not preempt the other interface (new active).

NOTE: The JUNOS software for EX-series switches does not allow an interface to be
in a redundant trunk group and in an STP topology at the same time.
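The active-link selection and preemption rules described above, modelled as an added example; this is illustration code, not Juniper's implementation. It encodes exactly the two behaviours the text states (a configured primary resumes the active role when it returns; a software-selected active link is not preempted by a recovered link) so that the difference can be exercised event by event. The interface names, the port-number comparison on the chassis/pic/port/unit tuple, and the assumption that both links are up when the group forms are the example's own.

```python
"""Model of redundant trunk group (RTG) active-link selection and preemption.

Added example, not Juniper's code: it encodes the rules the guide states for
EX-series switches. A configured primary link resumes the active role whenever
it comes back up; with no primary configured, the link with the highest port
number is chosen when the group forms and a recovered link does not preempt.
Interface names and the assumption that both links are up when the group forms
are the example's own.
"""
import re

_IFL = re.compile(r"^ge-(\d+)/(\d+)/(\d+)\.(\d+)$")


def port_key(ifl):
    """Sort key (chassis, pic, port, unit) for a logical interface such as ge-0/1/1.0."""
    m = _IFL.match(ifl)
    if not m:
        raise ValueError(f"unsupported interface name: {ifl}")
    return tuple(int(x) for x in m.groups())


class RedundantTrunkGroup:
    def __init__(self, name, links, primary=None):
        if len(links) != 2 or links[0] == links[1]:
            raise ValueError("a redundant trunk group has exactly two distinct links")
        if primary is not None and primary not in links:
            raise ValueError("the primary link must be one of the group's links")
        self.name = name
        self.links = list(links)
        self.primary = primary
        self.up = {l: True for l in self.links}  # assumption: both links up at formation
        # Primary wins if configured; otherwise the software picks the highest port number.
        self.active = primary if primary is not None else max(self.links, key=port_key)

    def _other(self, link):
        return self.links[1] if link == self.links[0] else self.links[0]

    def link_down(self, link):
        """Link failure or administrative disable; returns the new active link (None if both down)."""
        self.up[link] = False
        if link == self.active:
            other = self._other(link)
            self.active = other if self.up[other] else None
        return self.active

    def link_up(self, link):
        """Link recovery; returns the active link after applying the preemption rule."""
        self.up[link] = True
        if self.active is None or link == self.primary:
            # Nothing is forwarding, or the configured primary is back: it takes over.
            self.active = link
        # A recovered non-primary link stays blocked; the current active link is not preempted.
        return self.active

    def forwarding(self, link):
        """True only for the active link; the other member of the group is blocked."""
        return link == self.active
```

Walking group1 from the example through a failure of ge-0/0/9.0 and its recovery shows the primary taking the active role back; the same sequence on a group without a configured primary leaves the lower-numbered link active after the original link returns, which is the case to keep in mind when a deliberately preferred uplink is left unconfigured as primary.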
Figure 19 on page 402 displays an example topology containing three switches.
Switch 1 and Switch 2 make up the distribution layer, and Switch 3 makes up the
access layer. Switch 3 is connected to the distribution layer through trunk ports
ge-0/0/9.0 (Link 1) and ge-0/0/10.0 (Link 2).
Table 59 on page 402 lists the components used in this redundant trunk group.


Figure 19: Topology for Configuring the Redundant Trunk Links

Table 59: Components of the Redundant Trunk Link Topology

Property                 Settings
Switch hardware          Switch 1: 1 EX-series 4200 distribution switch
                         Switch 2: 1 EX-series 4200 distribution switch
                         Switch 3: 1 EX-series 3200 access switch
Trunk port interfaces    On Switch 3 (access switch): ge-0/0/9.0 and ge-0/0/10.0
Redundant trunk group    group1

This configuration example creates a redundant trunk group called group1 on Switch 3.
The trunk ports ge-0/0/9.0 and ge-0/0/10.0 are the two links in group1. The trunk
port ge-0/0/9.0 will be configured administratively as the primary link. The trunk
port ge-0/0/10.0 will be the secondary link.

Configuration
CLI Quick Configuration

To quickly configure the redundant trunk group group1 on Switch 3, copy the following
commands and paste them into the switch terminal window:
[edit]
set ethernet-switching-options redundant-trunk-group group-name group1
set ethernet-switching-options redundant-trunk-group group-name group1 interface ge-0/0/9.0 primary
set ethernet-switching-options redundant-trunk-group group-name group1 interface ge-0/0/10.0

Step-by-Step Procedure

Configure the redundant trunk group group1 on Switch 3 and specify the primary
and secondary links.

1. Configure the redundant trunk group group1:
[edit ethernet-switching-options]
user@switch# set redundant-trunk-group group-name group1

2. Configure the trunk port ge-0/0/9.0 as the primary link and ge-0/0/10.0 as the
secondary link:
[edit ethernet-switching-options]
user@switch# set redundant-trunk-group group-name group1 interface ge-0/0/9.0 primary
user@switch# set redundant-trunk-group group-name group1 interface ge-0/0/10.0

Results

Display the results of the configuration:
user@switch# show
ethernet-switching-options {
    redundant-trunk-group {
        group-name group1 {
            interface ge-0/0/9.0 primary;
            interface ge-0/0/10.0;
        }
    }
}

Verification
Verify that the redundant trunk group group1 has been created and is operating
properly:

Verifying That the Redundant Group Has Been Created on page 403

Verifying That the Redundant Group Has Been Created

Purpose  Verify that the redundant trunk group group1 has been created on the switch and
that trunk ports are members of the redundant trunk group.

Action  List all redundant trunk groups configured on the switch:
user@switch> show redundant-trunk-group group1
Redundant-trunk-group: group1
Interfaces            : ge-0/0/9.0 (P) , DOWN
                      : ge-0/0/10.0 (A) , UP
Bandwidth             : 1000 Mbps, 1000 Mbps
Last Time of Flap     : 1970-01-01 00:19:12 UTC (00:00:06 ago), Never
#Flaps                : 1, 0

Meaning  The show redundant-trunk-group command lists all redundant trunk groups configured
on the switch and which trunk links are members of the group. For this configuration
example, the output shows that the redundant trunk group group1 is configured on
the switch. The (P) beside trunk port ge-0/0/9.0 indicates that it is configured as the
primary link. The (A) beside the ge-0/0/10.0 trunk port indicates that it is the active
link. In this sample the primary link is DOWN (it has flapped once), so the secondary
link is carrying the traffic; because ge-0/0/9.0 is configured as primary, it resumes the
active role as soon as it comes back up, and ge-0/0/10.0 is blocked again.

Related Topics

Understanding Redundant Trunk Links on EX-series Switches on page 365

Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches

Storm control enables you to prevent network outages caused by broadcast storms
on the LAN. You can configure storm control on the EX-series switch to rate limit
broadcast traffic and unknown unicast traffic at a specified level and to drop packets
when the specified traffic level is exceeded, thus preventing packets from proliferating
and degrading the LAN.
This example shows how to configure storm control on a single EX-series switch:

Requirements on page 404

Overview and Topology on page 404

Configuration on page 405

Requirements
This example uses the following hardware and software components:

One Juniper Networks EX-series 3200 switch

JUNOS Release 9.1 or later for EX-series switches

Overview and Topology


A storm is generated when messages are broadcast on a network and each message
prompts a receiving node to respond by broadcasting its own messages on the
network. This, in turn, prompts further responses, creating a snowball effect and
resulting in a broadcast storm that can cause network outages.
You can use storm control to prevent broadcast storms by specifying the amount,
also known as level, of broadcast traffic or unknown unicast traffic or both to be
allowed on a port interface. This level is a percentage of the total available bandwidth
of the port. For example, if the level is set to 20, up to 20 (plus or minus two) percent
of the total available bandwidth of the port can be used for transmitting broadcast
traffic or unknown unicast traffic or both.


NOTE: If you do not specify the level, the default level will be applied. The default
level is 80.
Storm control monitors the incoming broadcast traffic or unknown unicast traffic or
both and compares it with the level that you specify. If broadcast traffic or unknown
unicast traffic or both exceed the specified level, packets for the controlled traffic
types are dropped.
The topology used in this example consists of one EX 3200 switch with 24 ports.
The switch is connected to various network devices. In this example, storm control
is configured to rate limit both broadcast and unknown unicast traffic on port interface
ge-0/0/0. The rate limit level is set to 40. Therefore, if broadcast traffic or unknown
unicast traffic or both exceed 40 (plus or minus two) percent of the total available
bandwidth of the port, packets for the controlled traffic types are dropped to prevent
network outage.

NOTE: When you configure storm control on an interface, both broadcast traffic and
unknown unicast traffic are rate limited, by default. You can exempt either type of
traffic from rate limiting by using the no-broadcast or no-unknown-unicast statement.
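The level semantics described above (a percentage of the port's bandwidth, default 80, applied to broadcast and unknown unicast traffic, with either type exemptable by no-broadcast or no-unknown-unicast), modelled as an added example in Python; this is illustration code, not Juniper's implementation. It assumes the traffic is measured over a window whose length is a parameter and that the budget is shared by both controlled traffic types; the plus or minus two percent hardware tolerance is not modelled.

```python
"""Simplified model of EX-series storm control (added example, not Juniper's code).

The guide states that the level is a percentage of the port's bandwidth (default 80)
applied to broadcast and unknown-unicast traffic, that either type can be exempted
with no-broadcast or no-unknown-unicast, and that controlled packets above the level
are dropped. Assumptions of this model: the traffic is measured over a window whose
length is a parameter, the budget is shared by both controlled types, and the
'plus or minus two percent' hardware tolerance is not modelled.
"""
from collections import Counter

CONTROLLED = {"broadcast", "unknown-unicast"}


class StormControl:
    def __init__(self, port_mbps, level=80, no_broadcast=False, no_unknown_unicast=False):
        if not 0 <= level <= 100:
            raise ValueError("level is a percentage of port bandwidth")
        self.port_mbps = port_mbps
        self.level = level  # 80 is the default level when none is configured
        self.exempt = set()  # traffic types removed from rate limiting
        if no_broadcast:
            self.exempt.add("broadcast")
        if no_unknown_unicast:
            self.exempt.add("unknown-unicast")

    def budget_bytes(self, window_s):
        """Bytes of controlled traffic allowed in one window at the configured level."""
        return self.port_mbps * 1_000_000 / 8 * window_s * self.level / 100

    def process(self, frames, window_s=1.0):
        """Classify frames (kind, size_bytes) arriving within one window.

        Known unicast and exempted types always pass; controlled types pass until
        their combined bytes exceed the budget, after which they are dropped.
        Returns a Counter keyed by (decision, kind).
        """
        budget = self.budget_bytes(window_s)
        used = 0
        outcome = Counter()
        for kind, size in frames:
            if kind in CONTROLLED and kind not in self.exempt:
                if used + size > budget:
                    outcome[("dropped", kind)] += 1
                    continue
                used += size
            outcome[("forwarded", kind)] += 1
        return outcome
```

Feeding a 100 Mbps port at level 40 a constructed burst of 600 broadcast frames of 1000 bytes in a 0.1 s window forwards the first 500 (the 500,000-byte budget) and drops the rest, while known unicast frames in the same burst are untouched; with no-broadcast set, the same burst passes and only unknown unicast remains subject to the level.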

Configuration
CLI Quick Configuration

To quickly configure storm control, copy the following commands and paste them
into the switch terminal window:
[edit]
set ethernet-switching-options storm-control interface ge-0/0/0 level 40

Step-by-Step Procedure

To configure storm control:

1. Enable storm control on the interface and specify the level of allowed broadcast
traffic and unknown unicast traffic:
[edit ethernet-switching-options]
user@switch# set storm-control interface ge-0/0/0 level 40

Results

Display the results of the configuration:
[edit ethernet-switching-options]
user@switch# show storm-control
storm-control {
    interface ge-0/0/0.0 {
        level 40;
    }
}

Related Topics

Understanding Storm Control on EX-series Switches on page 367

Chapter 31

Configuring Layer 2 Bridging, VLANs, and GVRP

Configuring VLANs for EX-series Switches (J-Web Procedure) on page 407

Configuring VLANs for EX-series Switches (CLI Procedure) on page 409

Configuring Routed VLAN Interfaces (CLI Procedure) on page 410

Creating a Series of Tagged VLANs (CLI Procedure) on page 412

Configuring MAC Table Aging (CLI Procedure) on page 414

Configuring the Native VLAN Identifier (CLI Procedure) on page 414

Unblocking an Interface That Receives BPDUs in Error (CLI Procedure) on page 415

Configuring VLANs for EX-series Switches (J-Web Procedure)

You can use the VLAN configuration page to add a new VLAN or to edit or delete an
existing VLAN.
To access the VLAN configuration page:

1. From the Configure menu, select Switching > VLAN.
   The VLAN Configuration page displays a list of existing VLANs. If you select a
   specific VLAN, the specific VLAN details are displayed in the Details section.

2. Click one:

   Add creates a VLAN.

   Edit edits an existing VLAN configuration.

   Delete deletes an existing VLAN.

NOTE: If you delete a VLAN, the VLAN configuration for all the associated interfaces
is also deleted.

When you are adding or editing a VLAN, enter information as described in
Table 60 on page 408.


Table 60: VLAN Configuration Details

General tab

VLAN Name
  Function: Specifies a unique name for the VLAN.
  Your Action: Enter a name.

VLAN Id/Range
  Function: Specifies the identifier or range for the VLAN.
  Your Action: Select one:
    VLAN ID: Type a unique identification number from 1 through 4094. If no value
    is specified, it defaults to 0.
    VLAN Range: Type a number range to create VLANs with IDs corresponding to the
    range. For example, the range 2-3 will create two VLANs with the IDs 2 and 3.

VLAN Description
  Function: Describes the VLAN.
  Your Action: Enter a brief description for the VLAN.

MAC Table Aging Time
  Function: Specifies the maximum time that an entry can remain in the forwarding
  table before it 'ages out'.
  Your Action: Type the number of seconds from 60 through 1000000.

Filter Input
  Function: Specifies the VLAN firewall filter that is applied to incoming packets.
  Your Action: To apply an input firewall filter, select the firewall filter from the list.

Filter Output
  Function: Specifies the VLAN firewall filter that is applied to outgoing packets.
  Your Action: To apply an output firewall filter, select the firewall filter from the list.

Port Association tab

Ports
  Function: Specifies the ports to be associated with this VLAN for data traffic. You
  can also remove the port association.
  Your Action: Click one:
    Add: Select the ports from the available list.
    Remove: Select the port that you don't want associated with the VLAN.

IP Address tab

Enable IP Address
  Function: Specifies IP address options for the VLAN.
  Your Action: Select to enable the IP address options.

IP Address
  Function: Specifies the IP address of the VLAN.
  Your Action: Enter the IP address.

Subnet Mask
  Function: Specifies the range of logical addresses within the address space that is
  assigned to an organization.
  Your Action: Enter the address, for example, 255.255.255.0. You can also specify the
  address prefix.

Filter Input
  Function: Specifies the VLAN interface firewall filter that is applied to incoming
  packets.
  Your Action: To apply an input firewall filter to an interface, select the firewall
  filter from the list.

Filter Output
  Function: Specifies the VLAN interface firewall filter that is applied to outgoing
  packets.
  Your Action: To apply an output firewall filter to an interface, select the firewall
  filter from the list.

ARP/MAC Details
  Function: Specifies the details for configuring the static IP address and MAC.
  Your Action: Click the ARP/MAC Details button. Enter the static IP address and MAC
  address in the window that is displayed.

VoIP tab

Ports
  Function: Specifies the ports to be associated with this VLAN for voice traffic. You
  can also remove the port association.
  Your Action: Click one:
    Add: Select the ports from the available list.
    Remove: Select the port that you don't want associated with the VLAN.

Related Topics

Configuring Routed VLAN Interfaces (CLI Procedure) on page 410

Understanding Bridging and VLANs on EX-series Switches on page 359

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369

Configuring VLANs for EX-series Switches (CLI Procedure)

EX-series switches use VLANs to make logical groupings of network nodes with their
own broadcast domains. You can use VLANs to limit the traffic flowing across the
entire LAN and reduce collisions and packet retransmissions.
For each endpoint on the VLAN, configure the following VLAN parameters on the
corresponding interface:

1. Set the description of the VLAN:
[edit interfaces ge-chassis/pic/port unit 0]
user@switch# set description vlan-description

2. Set the unique name of the VLAN:
[edit interfaces ge-chassis/pic/port unit 0]
user@switch# set family ethernet-switching vlan members vlan-name

3. Create the subnet for the VLAN:
[edit interfaces]
user@switch# set vlan unit 0 family inet address ip-address

4. Configure the VLAN tag ID or VLAN ID range for the VLAN:
[edit vlans]
user@switch# set vlan-name vlan-id vlan-id-number

or
[edit vlans]
user@switch# set vlan-name vlan-range vlan-id-low-vlan-id-high

5. To specify the maximum time that an entry can remain in the forwarding table
before it ages out:
[edit vlans]
user@switch# set vlan-name mac-table-aging-time time

6. To specify a VLAN firewall filter to be applied to incoming or outgoing packets:
[edit vlans]
user@switch# set vlan-name filter (input | output) filter-name

Related Topics

Configuring VLANs for EX-series Switches (J-Web Procedure) on page 407

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369

Configuring Routed VLAN Interfaces (CLI Procedure) on page 410

Creating a Series of Tagged VLANs (CLI Procedure) on page 412

Understanding Bridging and VLANs on EX-series Switches on page 359

Configuring Routed VLAN Interfaces (CLI Procedure)

Routed VLAN interfaces (RVIs) enable the EX-series switch to recognize which packets
are being sent to local addresses so that they are bridged whenever possible and are
routed only when needed. Whenever packets can be switched instead of routed,
several layers of processing are eliminated. Switching also reduces the number of
address look-ups. For redundancy purposes, an RVI can be combined with
implementations of the Virtual Router Redundancy Protocol (VRRP) in both bridging
and VPLS environments.
To configure the routed VLAN interface:

1. Create the VLAN by assigning it a name and a VLAN ID:
[edit]
user@switch# set vlans support vlan-id 111

2. Assign an interface to the VLAN by specifying the logical interface (with the unit
statement) and specifying the VLAN name as the member:
[edit]
user@switch# set interfaces ge-0/0/18 unit 0 family ethernet-switching vlan members support

3. Create the subnet for the VLAN's broadcast domain:
[edit]
user@switch# set interfaces vlan unit 111 family inet address 111.111.111.1/24

4. Bind a Layer 3 interface with the VLAN:
[edit]
user@switch# set vlans support l3-interface vlan.111

NOTE: Layer 3 interfaces on trunk ports allow the interface to transfer traffic between
multiple VLANs. Within a VLAN, traffic is bridged, while across VLANs, traffic is
routed.

You can display the configuration settings:
user@switch> show interfaces vlan terse
Interface      Admin Link Proto    Local               Remote
vlan           up    up
vlan.111       up    up   inet     111.111.111.1/24

user@switch> show vlans
Name              Tag     Interfaces
default                   None
employee-vlan     20      ge-1/0/0.0, ge-1/0/1.0, ge-1/0/2.0
hurricane-pubs    40      ge-1/0/10.0, ge-1/0/20.0, ge-1/0/30.0
support           111     ge-0/0/18.0
mgmt                      bme0.32769, bme0.32771*

user@switch> show ethernet-switching table
Ethernet-switching table: 1 entries, 0 learned
  VLAN      MAC address         Type     Age  Interfaces
  support   00:19:e2:50:95:a0   Static    -   Router

Related Topics

Understanding Bridging and VLANs on EX-series Switches on page 359

Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376

Example: Connecting an Access Switch to a Distribution Switch on page 384

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369


Creating a Series of Tagged VLANs (CLI Procedure)

To identify which VLAN traffic belongs to, all frames on an Ethernet VLAN are
identified by a tag, as defined in the IEEE 802.1Q standard. These frames are tagged
and are encapsulated with 802.1Q tags. For a simple network that has only a single
VLAN, all traffic has the same 802.1Q tag.
Instead of configuring VLANs and 802.1Q tags one at a time for a trunk interface,
you can configure a VLAN range to create a series of tagged VLANs.
When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique
802.1Q tag. The tag is applied to all frames so that the network nodes receiving the
frames know which VLAN the frames belong to. Trunk ports, which multiplex traffic
among a number of VLANs, use the tag to determine the origin of frames and where
to forward them.
For example, you could configure the VLAN employee and specify a tag range of
10-12. This creates the following VLANs and tags:

VLAN employee-10, tag 10

VLAN employee-11, tag 11

VLAN employee-12, tag 12

Creating tagged VLANs in a series has the following limitations:

Layer 3 interfaces do not support this feature.

Because an access interface can only support one VLAN member, access
interfaces also do not support this feature.

Voice over IP (VoIP) configurations do not support a range of tagged VLANs.

To configure a series of tagged VLANs using the CLI (here, the VLAN is employee):

a. Configure the series (here, a VLAN series from 120 through 130):
[edit]
user@switch# set vlans employee vlan-range 120-130

b. Associate the series of tagged VLANs when you configure an interface, in one of
two ways:

Include the name of the series:
[edit interfaces]
user@switch# set interfaces ge-0/0/22.0 family ethernet-switching vlan members employee

Include the VLAN range:
[edit interfaces]
user@switch# set interfaces ge-0/0/22.0 family ethernet-switching vlan members 120-130

Associating a series of tagged VLANs to an interface by name or by VLAN range has
the same result: VLANs __employee_120__ through __employee_130__ are created.

NOTE: When a series of VLANs are created using the vlan-range command, the VLAN
names are prefixed and suffixed with a double underscore.
Related Topics

Verifying That a Series of Tagged VLANs Has Been Created on page 417

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369

Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376

Example: Connecting an Access Switch to a Distribution Switch on page 384

Understanding Bridging and VLANs on EX-series Switches on page 359

Configuring MAC Table Aging (CLI Procedure)

The aging process ensures that the EX-series switch tracks only active nodes on the
network and that it is able to flush out network nodes that are no longer available.
To manage MAC entries more efficiently, you can configure an entry's aging time,
which is the maximum time that an entry can remain in the Ethernet Switching table
before it ages out.
To configure how long entries remain in the Ethernet Switching table before expiring,
using the CLI (here, the VLAN is employee-vlan):
[edit vlans employee-vlan]
user@switch# set mac-table-aging-time 200

Related Topics

Understanding Bridging and VLANs on EX-series Switches on page 359

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369

Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376

Example: Connecting an Access Switch to a Distribution Switch on page 384

Configuring the Native VLAN Identifier (CLI Procedure)

EX-series switches support receiving and forwarding routed or bridged Ethernet
frames with 802.1Q VLAN tags. The logical interface on which untagged packets are
to be received must be configured with the same native VLAN ID as that configured
on the physical interface.
To configure the native VLAN ID using the CLI:

1. Configure the port mode so that the interface is in multiple VLANs and can
multiplex traffic between different VLANs. Trunk interfaces typically connect to
other switches and to routers on the LAN. Configure the port mode as trunk:
[edit interfaces ge-0/0/3 unit 0 family ethernet-switching]
user@switch# set port-mode trunk

2. Configure the native VLAN ID:
[edit interfaces ge-0/0/3 unit 0 family ethernet-switching]
user@switch# set native-vlan-id 3

Related Topics

Understanding Bridging and VLANs on EX-series Switches on page 359

Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376

Example: Connecting an Access Switch to a Distribution Switch on page 384

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369
Unblocking an Interface That Receives BPDUs in Error (CLI Procedure)

EX-series switches use bridge protocol data unit (BPDU) protection on interfaces to
prevent them from receiving BPDUs that could trigger a spanning-tree
misconfiguration. If BPDUs are received on a BPDU-protected interface, the interface
transitions to a blocking state and stops forwarding frames.
After the misconfiguration that triggered the BPDUs being sent to an interface is
fixed in the topology, the interface can be unblocked and returned to service.
To unblock an interface and return it to service using the CLI:

Automatically unblock an interface by configuring a timer that expires (here, the
interface is ge-0/0/6):
[edit ethernet-switching-options]
user@switch# set bpdu-block disable-timeout 30 interface ge-0/0/6

Manually unblock an interface using the operational mode command:
user@switch> clear ethernet-switching bpdu-error interface ge-0/0/6

Fix the topology before unblocking: if the device that sent the BPDUs is still attached
when the timer expires or the error is cleared, the next BPDU it sends blocks the
interface again.

Related Topics

Example: Configuring BPDU Protection on STP Interfaces to Prevent STP
Miscalculations on EX-series Switches on page 463

Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP
Miscalculations on EX-series Switches on page 467

Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 422

Chapter 32

Verifying Layer 2 Bridging, VLANs, and GVRP

Verifying That a Series of Tagged VLANs Has Been Created on page 417

Verifying That a Series of Tagged VLANs Has Been Created

Purpose  Verify that a series of tagged VLANs is created on the switch.

Action  Display the VLANs in the ascending order of their VLAN ID:
user@switch> show vlans sort-by tag
Name              Tag     Interfaces
__employee_120__  120     ge-0/0/22.0*
__employee_121__  121     ge-0/0/22.0*
__employee_122__  122     ge-0/0/22.0*
__employee_123__  123     ge-0/0/22.0*
__employee_124__  124     ge-0/0/22.0*
__employee_125__  125     ge-0/0/22.0*
__employee_126__  126     ge-0/0/22.0*
__employee_127__  127     ge-0/0/22.0*
__employee_128__  128     ge-0/0/22.0*
__employee_129__  129     ge-0/0/22.0*
__employee_130__  130     ge-0/0/22.0*

Display the VLANs by the alphabetical order of the VLAN name:
user@switch> show vlans sort-by name
Name              Tag     Interfaces
__employee_120__  120     ge-0/0/22.0*
__employee_121__  121     ge-0/0/22.0*
__employee_122__  122     ge-0/0/22.0*
__employee_123__  123     ge-0/0/22.0*
__employee_124__  124     ge-0/0/22.0*
__employee_125__  125     ge-0/0/22.0*
__employee_126__  126     ge-0/0/22.0*
__employee_127__  127     ge-0/0/22.0*
__employee_128__  128     ge-0/0/22.0*
__employee_129__  129     ge-0/0/22.0*
__employee_130__  130     ge-0/0/22.0*

Display the VLANs by specifying the VLAN-range name (here, the VLAN-range name
is employee):
user@switch> show vlans employee
Name              Tag     Interfaces
__employee_120__  120     ge-0/0/22.0*
__employee_121__  121     ge-0/0/22.0*
__employee_122__  122     ge-0/0/22.0*
__employee_123__  123     ge-0/0/22.0*
__employee_124__  124     ge-0/0/22.0*
__employee_125__  125     ge-0/0/22.0*
__employee_126__  126     ge-0/0/22.0*
__employee_127__  127     ge-0/0/22.0*
__employee_128__  128     ge-0/0/22.0*
__employee_129__  129     ge-0/0/22.0*
__employee_130__  130     ge-0/0/22.0*
Meaning  The sample output shows the VLANs configured on the switch. The series of tagged
VLANs is displayed: __employee_120__ through __employee_130__. Each of the
tagged VLANs is configured on the trunk interface ge-0/0/22.0. The asterisk (*)
beside the interface name indicates that the interface is UP.
When a series of VLANs is created using the vlan-range statement, the VLAN names
are prefixed and suffixed with a double underscore.
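The range expansion from "Creating a Series of Tagged VLANs (CLI Procedure)" and the check this section performs by eye on the show vlans output, as one added example in Python; this is illustration code, not Juniper's implementation. It expands a vlan-range into the double-underscore names the guide describes, renders the two set commands, parses the Name/Tag/Interfaces rows of show vlans, and reports any VLAN of the series that is missing, carries the wrong tag, or is not an up member of the trunk. The sample output embedded in the block is constructed to mirror the rows shown above; the column spacing and the function names are the example's own.

```python
"""Expand a JUNOS vlan-range into the VLANs it creates and check 'show vlans' output.

Added example, not Juniper's code. Naming follows the convention the guide gives:
series 'employee' with range 120-130 yields __employee_120__ through __employee_130__.
The sample 'show vlans' text below is constructed to mirror the guide's output.
"""
import re

VLAN_MIN, VLAN_MAX = 1, 4094  # usable 802.1Q tag space on the switch

# Constructed sample: the rows 'show vlans sort-by tag' prints for the series.
SAMPLE_SHOW_VLANS = """Name              Tag   Interfaces
__employee_120__  120   ge-0/0/22.0*
__employee_121__  121   ge-0/0/22.0*
__employee_122__  122   ge-0/0/22.0*
__employee_123__  123   ge-0/0/22.0*
__employee_124__  124   ge-0/0/22.0*
__employee_125__  125   ge-0/0/22.0*
__employee_126__  126   ge-0/0/22.0*
__employee_127__  127   ge-0/0/22.0*
__employee_128__  128   ge-0/0/22.0*
__employee_129__  129   ge-0/0/22.0*
__employee_130__  130   ge-0/0/22.0*
"""


def expand_vlan_range(series, vlan_range):
    """Return [(name, tag), ...] for a 'low-high' range, rejecting tags outside 1-4094."""
    m = re.fullmatch(r"(\d+)-(\d+)", vlan_range)
    if not m:
        raise ValueError(f"range must be written low-high, got {vlan_range!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if not (VLAN_MIN <= low <= high <= VLAN_MAX):
        raise ValueError(f"tags must satisfy {VLAN_MIN} <= low <= high <= {VLAN_MAX}")
    return [(f"__{series}_{tag}__", tag) for tag in range(low, high + 1)]


def config_lines(series, vlan_range, trunk_ifl):
    """Set commands that create the series and bind it, by name, to a trunk logical interface."""
    return [
        f"set vlans {series} vlan-range {vlan_range}",
        f"set interfaces {trunk_ifl} family ethernet-switching vlan members {series}",
    ]


_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(.+)$")


def parse_show_vlans(text):
    """Parse 'Name Tag Interfaces' rows into {name: (tag, [(ifl, is_up), ...])}.

    A trailing '*' on an interface means it is up. Rows without a numeric tag
    (for example 'default' or 'mgmt') are skipped.
    """
    vlans = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        m = _ROW.match(line.strip())
        if not m:
            continue
        name, tag, ifls = m.group(1), int(m.group(2)), m.group(3)
        members = []
        for raw in ifls.split(","):
            ifl = raw.strip()
            members.append((ifl.rstrip("*"), ifl.endswith("*")))
        vlans[name] = (tag, members)
    return vlans


def verify_series(show_output, series, vlan_range, trunk_ifl):
    """Return a list of problems; empty means every VLAN of the series exists with the
    expected tag and is carried on trunk_ifl with the interface up."""
    seen = parse_show_vlans(show_output)
    problems = []
    for name, tag in expand_vlan_range(series, vlan_range):
        entry = seen.get(name)
        if entry is None or entry[0] != tag:
            problems.append(f"{name}: not present with tag {tag}")
        elif (trunk_ifl, True) not in entry[1]:
            problems.append(f"{name}: {trunk_ifl} is not an up member")
    return problems
```

Running verify_series over the sample returns an empty list; removing one row or dropping the asterisk from an interface produces a one-line finding naming the VLAN, which is the check worth scripting when a range is pushed to many access switches and the 11 rows are no longer convenient to read by eye.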

Related Topics

Creating a Series of Tagged VLANs (CLI Procedure) on page 412

Chapter 33

Understanding Spanning Trees

Understanding STP for EX-series Switches on page 420

Understanding RSTP for EX-series Switches on page 421

Understanding MSTP for EX-series Switches on page 422

Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 422

Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches on page 423

Understanding Root Protection for STP, RSTP, and MSTP on EX-series Switches on page 424

Understanding STP for EX-series Switches

EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). RSTP and MSTP are both based upon STP. RSTP provides faster convergence
times than STP. MSTP is used to create a loop-free topology in networks with a
number of VLANs that require multiple spanning-tree regions to efficiently provide
a loop-free topology.
STP is the simplest loop prevention protocol. It is a Layer 2 protocol that calculates
the best path through a switched network that contains redundant paths. STP uses
bridge protocol data unit (BPDU) packets to exchange information with other switches.
There are two types of BPDUs: configuration BPDUs and topology change notification
(TCN) BPDUs. Bridges send BPDUs (hello packets) at regular intervals to exchange
information across bridges and detect loops in a network topology. Configuration
BPDUs determine the tree topology of a LAN. STP uses the information provided by
the BPDUs to elect a root bridge, identify root ports for each switch, identify
designated ports for each physical LAN segment, and prune specific redundant links
to create a loop-free tree topology. All leaf devices calculate the best path to the root
device and place their ports in blocking or forwarding states based on the best path
to the root. The resulting tree topology provides a single active Layer 2 data path
between any two end stations.
The original Spanning Tree Protocol is defined in the IEEE 802.1D-1998 specification.
EX-series switches use a version of STP based on IEEE 802.1D-2004, with a force
version of 0, running RSTP in STP mode. For EX-series switches, the configuration
command set protocols stp is equivalent to the configuration command set protocols
rstp force-version stp on MX-series platforms. In this way, STP inherits RSTP features,
and the commands available through the CLI are identical to the RSTP CLI. This version
of STP is compatible with the IEEE 802.1D-1998 specification.
RSTP was originally defined in the IEEE 802.1w draft specification and later
incorporated into the IEEE 802.1D-2004 specification.
MSTP was originally defined in the IEEE 802.1s draft specification and later
incorporated into the IEEE 802.1Q-2003 specification.

Related Topics

show spanning-tree bridge on page 560

show spanning-tree interface on page 564

Understanding MSTP for EX-series Switches on page 422

Understanding RSTP for EX-series Switches on page 421

Understanding RSTP for EX-series Switches


EX-series switches use Rapid Spanning Tree Protocol (RSTP) to provide better
reconvergence time than the original STP. RSTP identifies certain links as point to
point. When a point-to-point link fails, the alternate link can transition to the
forwarding state.
Although STP provides basic loop prevention functionality, it does not provide fast
network convergence when there are topology changes. STP's process to determine
network state transitions is slower than RSTP's because it is timer-based. A device
must reinitialize every time a topology change occurs. The device must start in the
listening state and transition to the learning state and eventually to a forwarding or
blocking state. When default values are used for the maximum age (20 seconds) and
forward delay (15 seconds), it takes 50 seconds for the device to converge. RSTP
converges faster because it uses a handshake mechanism based on point-to-point
links instead of the timer-based process used by STP.
An RSTP domain running on an EX-series switch has the following components:

A root port, which is the best path to the root device.

A designated port, indicating that the switch is the designated bridge for the other
switch connecting to this port.

An alternate port, which provides an alternate root port.

A backup port, which provides an alternate designated port.

Port assignments change through messages exchanged throughout the domain. An
RSTP device generates configuration messages once every hello time interval. If an
RSTP device does not receive a configuration message from its neighbor after an
interval of three hello times, it determines that it has lost connection with that neighbor.
When a root port or a designated port fails on a device, the device generates a
configuration message with the proposal bit set. Once its neighbor device receives
this message, it verifies that this configuration message is better than the one saved
for that port and then starts a synchronizing operation to ensure that all of its ports
are in sync with the new information.
Similar waves of proposal-agreement handshake messages propagate toward the
leaves of the network, restoring connectivity very quickly after a topology change
(in a well-designed network that uses RSTP, network convergence can take as little
as 0.5 seconds). If a device does not receive an agreement to a proposal message it
has sent, it returns to the original IEEE 802.1D convention.
RSTP was originally defined in the IEEE 802.1w draft specification and later
incorporated into the IEEE 802.1D-2004 specification.
Related Topics

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427
Understanding STP for EX-series Switches on page 420
Understanding MSTP for EX-series Switches on page 422

Understanding MSTP for EX-series Switches

Although RSTP provides faster convergence time than STP, it still does not solve a
problem inherent in STP: All VLANs within a LAN must share the same spanning
tree. To solve this problem, EX-series switches use Multiple Spanning Tree Protocol
(MSTP) to create a loop-free topology in networks with multiple spanning-tree regions.
An MSTP region allows a group of bridges to be modeled as a single bridge. An MSTP
region contains multiple spanning tree instances (MSTIs). MSTIs provide different
paths for different VLANs. This functionality facilitates better load sharing across
redundant links.
An MSTP region can support up to 64 MSTIs, and each instance can support anywhere
from 1 through 4094 VLANs.
MSTP was originally defined in the IEEE 802.1s draft specification and later
incorporated into the IEEE 802.1Q-2003 specification.
Related Topics

Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441
Understanding STP for EX-series Switches on page 420
Understanding RSTP for EX-series Switches on page 421

Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches
EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). BPDU protection can help prevent STP misconfigurations that can lead to
network outages.
A loop-free network is supported through the exchange of a special type of frame
called bridge protocol data unit (BPDU). Receipt of BPDUs on certain interfaces in
an STP, RSTP, or MSTP topology, however, can lead to network outages. Enable
BPDU protection on those interfaces to prevent these outages.
Peer STP applications running on the switch interfaces use BPDUs to communicate.
Ultimately, the exchange of BPDUs determines which interfaces block traffic and
which interfaces become root ports and forward traffic.
However, a user bridge application running on a PC can also generate BPDUs. If
these BPDUs are picked up by STP applications running on the switch, they can
trigger STP miscalculations, and those miscalculations can lead to network outages.
Enable BPDU protection on switch interfaces connected to user devices or on
interfaces on which no BPDUs are expected, such as edge ports. If BPDUs are received
on a protected interface, the interface is disabled and stops forwarding frames.
Not only can you configure BPDU protection on a switch with a spanning tree, but
also on a switch without a spanning tree. This type of topology typically consists of
a non-STP switch connected to an STP switch through a trunk interface.

To configure BPDU protection on a switch with a spanning tree, include the
bpdu-block-on-edge statement at the [edit protocols (stp | mstp | rstp)] hierarchy level.
To configure BPDU protection on a switch without a spanning tree, include the
bpdu-block statement at the [edit ethernet-switching-options interface interface-name]
hierarchy level.
After the misconfiguration that triggered the BPDUs being sent to an interface is
fixed in the topology, the interface can be unblocked in one of two ways:

If the disable-timeout statement has been included in the BPDU configuration, the interface automatically returns to service after the timer expires.
Use the operational mode command clear ethernet-switching bpdu-error.

Disabling the BPDU protection configuration does not unblock the interface.
Related Topics

Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 463
Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 467
Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches on page 423
Understanding Root Protection for STP, RSTP, and MSTP on EX-series Switches on page 424
Understanding MSTP for EX-series Switches on page 422
Understanding RSTP for EX-series Switches on page 421
Understanding STP for EX-series Switches on page 420

Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches
EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). Loop protection increases the efficiency of STP, RSTP, and MSTP by
preventing ports from moving into a forwarding state that would result in a loop
opening up in the network.
A loop-free network in spanning-tree topologies is supported through the exchange
of a special type of frame called bridge protocol data unit (BPDU). Peer STP
applications running on the switch interfaces use BPDUs to communicate. Ultimately,
the exchange of BPDUs determines which interfaces block traffic (preventing loops)
and which interfaces become root ports and forward traffic.
However, a blocking interface can transition to the forwarding state in error if the
interface stops receiving BPDUs from its designated port on the segment. Such a
transition error can occur when there is a hardware error on the switch or software
configuration error between the switch and its neighbor.
When loop protection is enabled, the spanning-tree topology detects root ports and
blocked ports and makes sure both keep receiving BPDUs. If a loop-protection-enabled
interface stops receiving BPDUs from its designated port, it reacts as it would react
to a problem with the physical connection on this interface. It doesn't transition the
interface to a forwarding state, but instead transitions it to a loop-inconsistent state.
The interface recovers and then transitions back to the spanning-tree blocking state
as soon as it receives a BPDU.
We recommend that you enable loop protection on all switch interfaces that have a
chance of becoming root or designated ports. Loop protection is most effective when
enabled in the entire switched network. When you enable loop protection, you must
configure at least one action (alarm, block, or both).
An interface can be configured for either loop protection or root protection, but not
for both.
Related Topics

Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 472
Understanding Root Protection for STP, RSTP, and MSTP on EX-series Switches on page 424
Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 422
Understanding MSTP for EX-series Switches on page 422
Understanding RSTP for EX-series Switches on page 421
Understanding STP for EX-series Switches on page 420

Understanding Root Protection for STP, RSTP, and MSTP on EX-series Switches
EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). A loop-free network is supported through the exchange of a special type of
frame called bridge protocol data unit (BPDU). Peer STP applications running on the
switch interfaces use BPDUs to communicate. Ultimately, the exchange of BPDUs
determines which interfaces block traffic and which interfaces become root ports
and forward traffic.
However, a root port elected through this process has the possibility of being wrongly
elected. A user bridge application running on a PC can generate BPDUs, too, and
interfere with root port election. Root protection allows network administrators to
manually enforce the root bridge placement in the network.
Enable root protection on interfaces that should not receive superior BPDUs from
the root bridge and should not be elected as the root port. These interfaces become
designated ports and are typically located on an administrative boundary. If the
bridge receives superior STP BPDUs on a port that has root protection enabled, that
port transitions to a root-prevented STP state (inconsistency state) and the interface
is blocked. This blocking prevents a bridge that should not be the root bridge from
being elected the root bridge. After the bridge stops receiving superior STP BPDUs
on the interface with root protection, the interface returns to a listening state, followed
by a learning state, and ultimately back to a forwarding state. Recovery back to the
forwarding state is automatic.


When root protection is enabled on an interface, it is enabled for all the STP instances
on that interface. The interface is blocked only for instances for which it receives
superior BPDUs. Otherwise, it participates in the spanning-tree topology.
An interface can be configured for either root protection or loop protection, but not
for both.
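The three protections described in this section and the two before it (BPDU protection, loop protection, root protection) share one mechanism: what a port does when a BPDU arrives, or stops arriving. The following Python model is an added example, not Juniper's code or anything from this guide: it parses raw 802.1D/RSTP BPDU frames and applies each guard's rule. The interface names, the rogue bridge ID and the frames are constructed; the root bridge ID is the one that appears in the verification output later in this chapter, and the timers are the 802.1D defaults.

```python
import struct
from dataclasses import dataclass
from typing import Optional

BPDU_DST_MAC = bytes.fromhex("0180c2000000")  # IEEE 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                     # DSAP 0x42, SSAP 0x42, UI control field
HELLO_TIME = 2.0                              # seconds, 802.1D default
MAX_AGE = 20.0                                # seconds, 802.1D default
BPDU_FMT = ">HBBBQIQHHHHH"                    # 35-byte configuration/RST BPDU body
BPDU_LEN = struct.calcsize(BPDU_FMT)

def bridge_id(priority: int, mac: str) -> int:
    """Pack priority and MAC into the 64-bit value bridges compare; lower wins."""
    return (priority << 48) | int(mac.replace(":", ""), 16)

def build_bpdu(src_mac: str, root_id: int, sender_id: int, port_id: int, root_cost: int = 0) -> bytes:
    """Build an RST BPDU (version 2, type 0x02) inside an 802.3/LLC frame. Constructed input."""
    ticks = lambda seconds: int(seconds * 256)  # 802.1D timers are carried in 1/256 s units
    body = struct.pack(BPDU_FMT, 0, 2, 0x02, 0x3C, root_id, root_cost, sender_id, port_id,
                       0, ticks(MAX_AGE), ticks(HELLO_TIME), ticks(15)) + b"\x00"  # version-1 length
    src = bytes.fromhex(src_mac.replace(":", ""))
    return BPDU_DST_MAC + src + struct.pack(">H", len(LLC_STP) + len(body)) + LLC_STP + body

def parse_bpdu(frame: bytes) -> Optional[dict]:
    """Fields of a configuration/RST BPDU, or None if the frame is not one (TCN BPDUs not modelled)."""
    if len(frame) < 17 + BPDU_LEN or frame[:6] != BPDU_DST_MAC:
        return None
    length = struct.unpack(">H", frame[12:14])[0]
    if length > 1500 or frame[14:17] != LLC_STP:  # an EtherType, or not the STP LLC SAP
        return None
    proto, version, btype, _flags, root, cost, sender, port = struct.unpack(BPDU_FMT, frame[17:17 + BPDU_LEN])[:8]
    if proto != 0:
        return None
    return {"version": version, "type": btype, "root_id": root, "root_cost": cost,
            "sender_id": sender, "port_id": port}

@dataclass
class GuardedPort:
    name: str
    guard: str                 # "bpdu" (bpdu-block-on-edge), "root" or "loop" protection
    expected_root: int = 0     # root protection: the bridge the administrator wants as root
    state: str = "forwarding"  # a loop-protected port of interest starts out "blocking"
    last_bpdu_at: float = 0.0
    last_superior_at: float = 0.0

    def receive(self, frame: bytes, now: float) -> str:
        bpdu = parse_bpdu(frame)
        if bpdu is None:
            return self.state  # ordinary traffic never touches the guards
        self.last_bpdu_at = now
        if self.guard == "bpdu":
            self.state = "bpdu-error"  # any BPDU on an edge port: disabled until timeout or clear
        elif self.guard == "root" and bpdu["root_id"] < self.expected_root:
            self.state = "root-inconsistent"  # superior root claim: block instead of accepting it
            self.last_superior_at = now
        elif self.guard == "loop" and self.state == "loop-inconsistent":
            self.state = "blocking"  # BPDUs flow again: back to ordinary spanning-tree blocking
        return self.state

    def tick(self, now: float) -> str:
        """Timer-driven transitions; call periodically even when no frame arrives."""
        if self.guard == "loop" and self.state == "blocking" and now - self.last_bpdu_at > 3 * HELLO_TIME:
            self.state = "loop-inconsistent"  # designated bridge went silent: never move to forwarding
        elif self.guard == "root" and self.state == "root-inconsistent" and now - self.last_superior_at > MAX_AGE:
            self.state = "forwarding"  # superior BPDUs stopped: recovery is automatic
        return self.state

    def clear_bpdu_error(self) -> str:  # operator ran clear ethernet-switching bpdu-error
        self.state = "forwarding" if self.state == "bpdu-error" else self.state
        return self.state

ROOT = bridge_id(8192, "0019e25051e0")   # Switch 3's bridge ID from the verification output
ROGUE = bridge_id(4096, "00005e005301")  # constructed: a PC bridge claiming a better priority

def run_scenario() -> dict:
    """Drive the three guards with constructed frames and return each observed state."""
    edge = GuardedPort("ge-0/0/5.0", "bpdu")  # hypothetical edge port
    boundary = GuardedPort("ge-0/0/9.0", "root", expected_root=ROOT)
    blocked = GuardedPort("ge-0/0/13.0", "loop", state="blocking")
    legit = build_bpdu("00:19:e2:50:51:e0", ROOT, ROOT, 0x8201)  # port ID 128:513
    rogue = build_bpdu("00:00:5e:00:53:01", ROGUE, ROGUE, 0x8001)
    arp = bytes.fromhex("ffffffffffff00005e0053020806") + bytes(46)  # EtherType 0x0806, not a BPDU
    out = {}
    out["edge_arp"] = edge.receive(arp, 0.0)          # forwarding
    out["edge_bpdu"] = edge.receive(legit, 1.0)       # bpdu-error: even a genuine BPDU trips it
    out["edge_cleared"] = edge.clear_bpdu_error()     # forwarding
    out["root_legit"] = boundary.receive(legit, 0.0)  # forwarding
    out["root_rogue"] = boundary.receive(rogue, 2.0)  # root-inconsistent
    out["root_waiting"] = boundary.tick(10.0)         # root-inconsistent
    out["root_recovered"] = boundary.tick(23.0)       # forwarding, 21 s after the last superior BPDU
    for t in (0.0, 2.0, 4.0):  # three hellos arrive on schedule
        blocked.receive(legit, t)
    out["loop_ok"] = blocked.tick(6.0)                # blocking, within three hello times
    out["loop_silent"] = blocked.tick(10.1)           # loop-inconsistent
    out["loop_back"] = blocked.receive(legit, 12.0)   # blocking
    return out
```

The model deliberately makes the loop guard move to loop-inconsistent rather than forwarding when BPDUs stop, which is the whole point of the feature; without it a silent designated bridge would unblock the port and open the loop.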
Related Topics

Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches on page 476
Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 472
Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 463
Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 467
Understanding MSTP for EX-series Switches on page 422
Understanding RSTP for EX-series Switches on page 421
Understanding STP for EX-series Switches on page 420

Chapter 34

Examples of Configuring Spanning Trees

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441
Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 463
Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 467
Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 472
Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches on page 476

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches
EX-series switches use Rapid Spanning Tree Protocol (RSTP) to provide a loop-free
topology. RSTP identifies certain links as point to point. When a point-to-point link
fails, the alternate link can transition to the forwarding state. RSTP provides better
reconvergence time than original STP because it uses protocol handshake messages
rather than fixed timeouts. Eliminating the need to wait for timers to expire makes
RSTP more efficient than STP.
This example describes how to configure RSTP on four EX-series switches:

Requirements on page 428

Overview and Topology on page 428

Configuring RSTP on Switch 1 on page 430

Configuring RSTP on Switch 2 on page 432

Configuring RSTP on Switch 3 on page 434

Configuring RSTP on Switch 4 on page 437

Verification on page 439


Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX-series switches

Four EX-series switches

Before you configure the switches for RSTP, be sure you have:

Installed the four switches. See Connecting and Configuring the EX-series Switch
(J-Web Procedure) on page 58.

Performed the initial software configuration on all switches. See Installing and
Connecting an EX-series Switch.

Overview and Topology

In this example, four EX-series switches are connected in the topology displayed in
Figure 20 on page 428 to create a loop-free topology.

Figure 20: Network Topology for RSTP

The interfaces shown in Table 61 on page 429 will be configured for RSTP.

Table 61: Components of the Topology for Configuring RSTP on EX-series Switches

Property                  Settings

Switch 1                  The following ports on Switch 1 are connected in this way:
                          ge-0/0/9 is connected to Switch 2
                          ge-0/0/13 is connected to Switch 4
                          ge-0/0/11 is connected to Switch 3

Switch 2                  The following ports on Switch 2 are connected in this way:
                          ge-0/0/14 is connected to Switch 1
                          ge-0/0/18 is connected to Switch 3

Switch 3                  The following ports on Switch 3 are connected in this way:
                          ge-0/0/26 is connected to Switch 1
                          ge-0/0/28 is connected to Switch 2
                          ge-0/0/24 is connected to Switch 4

Switch 4                  The following ports on Switch 4 are connected in this way:
                          ge-0/0/19 is connected to Switch 1
                          ge-0/0/23 is connected to Switch 3

VLAN names and tag IDs    voice-vlan, tag 10
                          employee-vlan, tag 20
                          guest-vlan, tag 30
                          camera-vlan, tag 40

This configuration example creates a loop-free topology between four EX-series
switches using RSTP.
An RSTP topology contains ports that have specific roles:

The root port is responsible for forwarding data to the root bridge.
The alternate port is a standby port for the root port. When a root port goes down, the alternate port becomes the active root port.
The designated port forwards data to the downstream network segment or device.
The backup port is a backup port for the designated port. When a designated port goes down, the backup port becomes the active designated port and starts forwarding data.

NOTE: You also can create a loop-free topology between the aggregation layer and
the distribution layer using redundant trunk links. For more information about
configuring redundant trunk links, see Example: Configuring Redundant Trunk Links
for Faster Recovery on page 400.

Configuring RSTP on Switch 1

To configure RSTP on Switch 1, perform these tasks:

CLI Quick Configuration

To quickly configure interfaces and RSTP on Switch 1, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description Voice VLAN
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description Employee VLAN
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description Guest VLAN
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description Camera VLAN
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 16k
set protocols rstp interface ge-0/0/13.0 cost 1000
set protocols rstp interface ge-0/0/13.0 mode point-to-point
set protocols rstp interface ge-0/0/9.0 cost 1000
set protocols rstp interface ge-0/0/9.0 mode point-to-point
set protocols rstp interface ge-0/0/11.0 cost 1000
set protocols rstp interface ge-0/0/11.0 mode point-to-point

Step-by-Step Procedure

To configure interfaces and RSTP on Switch 1:

1. Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:

[edit vlans]
user@switch1# set voice-vlan description Voice VLAN
user@switch1# set voice-vlan vlan-id 10
user@switch1# set employee-vlan description Employee VLAN
user@switch1# set employee-vlan vlan-id 20
user@switch1# set guest-vlan description Guest VLAN
user@switch1# set guest-vlan vlan-id 30
user@switch1# set camera-vlan description Camera VLAN
user@switch1# set camera-vlan vlan-id 40

2. Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:

[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]

3. Configure the port mode for the interfaces:

[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching port-mode trunk
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

4. Configure RSTP on the switch:

[edit protocols]
user@switch1# set rstp bridge-priority 16k
user@switch1# set rstp interface ge-0/0/13.0 cost 1000
user@switch1# set rstp interface ge-0/0/13.0 mode point-to-point
user@switch1# set rstp interface ge-0/0/9.0 cost 1000
user@switch1# set rstp interface ge-0/0/9.0 mode point-to-point
user@switch1# set rstp interface ge-0/0/11.0 cost 1000
user@switch1# set rstp interface ge-0/0/11.0 mode point-to-point

Results

Check the results of the configuration:


user@switch1> show configuration
interfaces {
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
}
protocols {
    rstp {
        bridge-priority 16k;
        interface ge-0/0/13.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/9.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/11.0 {
            cost 1000;
            mode point-to-point;
        }
    }
}
vlans {
    voice-vlan {
        vlan-id 10;
    }
    employee-vlan {
        vlan-id 20;
    }
    guest-vlan {
        vlan-id 30;
    }
    camera-vlan {
        vlan-id 40;
    }
}

Configuring RSTP on Switch 2

To configure RSTP on Switch 2, perform these tasks:

CLI Quick Configuration

To quickly configure interfaces and RSTP on Switch 2, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description Voice VLAN
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description Employee VLAN
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description Guest VLAN
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description Camera VLAN
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/18 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 32k
set protocols rstp interface ge-0/0/14.0 cost 1000
set protocols rstp interface ge-0/0/14.0 mode point-to-point
set protocols rstp interface ge-0/0/18.0 cost 1000
set protocols rstp interface ge-0/0/18.0 mode point-to-point

Step-by-Step Procedure

To configure interfaces and RSTP on Switch 2:

1. Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:

[edit vlans]
user@switch2# set voice-vlan description Voice VLAN
user@switch2# set voice-vlan vlan-id 10
user@switch2# set employee-vlan description Employee VLAN
user@switch2# set employee-vlan vlan-id 20
user@switch2# set guest-vlan description Guest VLAN
user@switch2# set guest-vlan vlan-id 30
user@switch2# set camera-vlan description Camera VLAN
user@switch2# set camera-vlan vlan-id 40

2. Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:

[edit interfaces]
user@switch2# set ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch2# set ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]

3. Configure the port mode for the interfaces:

[edit interfaces]
user@switch2# set ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
user@switch2# set ge-0/0/18 unit 0 family ethernet-switching port-mode trunk

4. Configure RSTP on the switch:

[edit protocols]
user@switch2# set rstp bridge-priority 32k
user@switch2# set rstp interface ge-0/0/14.0 cost 1000
user@switch2# set rstp interface ge-0/0/14.0 mode point-to-point
user@switch2# set rstp interface ge-0/0/18.0 cost 1000
user@switch2# set rstp interface ge-0/0/18.0 mode point-to-point

Results

Check the results of the configuration:


user@switch2> show configuration
interfaces {
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
}
protocols {
    rstp {
        bridge-priority 32k;
        interface ge-0/0/14.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/18.0 {
            cost 1000;
            mode point-to-point;
        }
    }
}
vlans {
    voice-vlan {
        vlan-id 10;
    }
    employee-vlan {
        vlan-id 20;
    }
    guest-vlan {
        vlan-id 30;
    }
    camera-vlan {
        vlan-id 40;
    }
}

Configuring RSTP on Switch 3

To configure RSTP on Switch 3, perform these tasks:

CLI Quick Configuration

To quickly configure interfaces and RSTP on Switch 3, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description Voice VLAN
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description Employee VLAN
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description Guest VLAN
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description Camera VLAN
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/26 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/28 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/24 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 8k
set protocols rstp interface ge-0/0/26.0 cost 1000
set protocols rstp interface ge-0/0/26.0 mode point-to-point
set protocols rstp interface ge-0/0/28.0 cost 1000
set protocols rstp interface ge-0/0/28.0 mode point-to-point
set protocols rstp interface ge-0/0/24.0 cost 1000
set protocols rstp interface ge-0/0/24.0 mode point-to-point

Step-by-Step Procedure

To configure interfaces and RSTP on Switch 3:

1. Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:

[edit vlans]
user@switch3# set voice-vlan description Voice VLAN
user@switch3# set voice-vlan vlan-id 10
user@switch3# set employee-vlan description Employee VLAN
user@switch3# set employee-vlan vlan-id 20
user@switch3# set guest-vlan description Guest VLAN
user@switch3# set guest-vlan vlan-id 30
user@switch3# set camera-vlan description Camera VLAN
user@switch3# set camera-vlan vlan-id 40

2. Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:

[edit interfaces]
user@switch3# set ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch3# set ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch3# set ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]

3. Configure the port mode for the interfaces:

[edit interfaces]
user@switch3# set ge-0/0/26 unit 0 family ethernet-switching port-mode trunk
user@switch3# set ge-0/0/28 unit 0 family ethernet-switching port-mode trunk
user@switch3# set ge-0/0/24 unit 0 family ethernet-switching port-mode trunk

4. Configure RSTP on the switch:

[edit protocols]
user@switch3# set rstp bridge-priority 8k
user@switch3# set rstp interface ge-0/0/26.0 cost 1000
user@switch3# set rstp interface ge-0/0/26.0 mode point-to-point
user@switch3# set rstp interface ge-0/0/28.0 cost 1000
user@switch3# set rstp interface ge-0/0/28.0 mode point-to-point
user@switch3# set rstp interface ge-0/0/24.0 cost 1000
user@switch3# set rstp interface ge-0/0/24.0 mode point-to-point

Results

Check the results of the configuration:


user@switch3> show configuration
interfaces {
    ge-0/0/26 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
    ge-0/0/28 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
    ge-0/0/24 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
}
protocols {
    rstp {
        bridge-priority 8k;
        interface ge-0/0/26.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/28.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/24.0 {
            cost 1000;
            mode point-to-point;
        }
    }
}
vlans {
    voice-vlan {
        vlan-id 10;
    }
    employee-vlan {
        vlan-id 20;
    }
    guest-vlan {
        vlan-id 30;
    }
    camera-vlan {
        vlan-id 40;
    }
}

Configuring RSTP on Switch 4

To configure RSTP on Switch 4, perform these tasks:

CLI Quick Configuration

To quickly configure interfaces and RSTP on Switch 4, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description Voice VLAN
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description Employee VLAN
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description Guest VLAN
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description Camera VLAN
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/19 unit 0 family ethernet-switching port-mode trunk
set protocols rstp bridge-priority 16k
set protocols rstp interface ge-0/0/23.0 cost 1000
set protocols rstp interface ge-0/0/23.0 mode point-to-point
set protocols rstp interface ge-0/0/19.0 cost 1000
set protocols rstp interface ge-0/0/19.0 mode point-to-point

Step-by-Step Procedure

To configure interfaces and RSTP on Switch 4:

1. Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:

[edit vlans]
user@switch4# set voice-vlan description Voice VLAN
user@switch4# set voice-vlan vlan-id 10
user@switch4# set employee-vlan description Employee VLAN
user@switch4# set employee-vlan vlan-id 20
user@switch4# set guest-vlan description Guest VLAN
user@switch4# set guest-vlan vlan-id 30
user@switch4# set camera-vlan description Camera VLAN
user@switch4# set camera-vlan vlan-id 40

2. Configure the VLANs on the interfaces, including support for the Ethernet Switching protocol:

[edit interfaces]
user@switch4# set ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch4# set ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]

3. Configure the port mode for the interfaces:

[edit interfaces]
user@switch4# set ge-0/0/23 unit 0 family ethernet-switching port-mode trunk
user@switch4# set ge-0/0/19 unit 0 family ethernet-switching port-mode trunk

4. Configure RSTP on the switch:

[edit protocols]
user@switch4# set rstp bridge-priority 16k
user@switch4# set rstp interface ge-0/0/23.0 cost 1000
user@switch4# set rstp interface ge-0/0/23.0 mode point-to-point
user@switch4# set rstp interface ge-0/0/19.0 cost 1000
user@switch4# set rstp interface ge-0/0/19.0 mode point-to-point

Results

Check the results of the configuration:


user@switch4> show configuration
interfaces {
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [10 20 30 40];
                }
            }
        }
    }
}
protocols {
    rstp {
        bridge-priority 16k;
        interface ge-0/0/23.0 {
            cost 1000;
            mode point-to-point;
        }
        interface ge-0/0/19.0 {
            cost 1000;
            mode point-to-point;
        }
    }
}
vlans {
    voice-vlan {
        vlan-id 10;
    }
    employee-vlan {
        vlan-id 20;
    }
    guest-vlan {
        vlan-id 30;
    }
    camera-vlan {
        vlan-id 40;
    }
}

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying RSTP Configuration on Switch 1 on page 440
Verifying RSTP Configuration on Switch 2 on page 440
Verifying RSTP Configuration on Switch 3 on page 440
Verifying RSTP Configuration on Switch 4 on page 441

Verifying RSTP Configuration on Switch 1

Purpose
Verify the RSTP configuration on Switch 1.

Action
Use the operational mode command:
user@switch1> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID   Designated   Designated           Port   State  Role
                       port ID      bridge ID            Cost
ge-0/0/13.0  128:527   128:525      16384.0019e25040e0   1000   BLK    ALT
ge-0/0/9.0   128:529   128:513      32768.0019e2503d20   1000   BLK    ALT
ge-0/0/11.0  128:531   128:513      8192.0019e25051e0    1000   FWD    ROOT

Meaning
Refer to the topology in Figure 20 on page 428. The operational mode command show
spanning-tree interface shows that ge-0/0/13.0 is in a forwarding state. The other
interfaces on Switch 1 are blocking.

Verifying RSTP Configuration on Switch 2

Purpose
Verify the RSTP configuration on Switch 2.

Action
Use the operational mode command:
user@switch2> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID   Designated   Designated           Port   State  Role
                       port ID      bridge ID            Cost
ge-0/0/14.0  128:513   128:513      32768.0019e2503d20   1000   BLK    DESG
ge-0/0/18.0  128:519   128:515      8192.0019e25051e0    1000   FWD    ROOT

Meaning
Refer to the topology in Figure 20 on page 428. The operational mode command show
spanning-tree interface shows that ge-0/0/18.0 is in a forwarding state and the root
port. The other interface on Switch 2 is blocking.

Verifying RSTP Configuration on Switch 3

Purpose
Verify the RSTP configuration on Switch 3.

Action
Use the operational mode command:
user@switch3> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID   Designated   Designated           Port   State  Role
                       port ID      bridge ID            Cost
ge-0/0/26.0  128:513   128:513      8192.0019e25051e0    1000   FWD    DESG
ge-0/0/28.0  128:515   128:515      8192.0019e25051e0    1000   FWD    DESG
ge-0/0/24.0  128:517   128:517      8192.0019e25051e0    1000   FWD    DESG

Meaning
Refer to the topology in Figure 20 on page 428. The operational mode command show
spanning-tree interface shows that no interface is the root interface.

Verifying RSTP Configuration on Switch 4

Purpose
Verify the RSTP configuration on Switch 4.

Action
Use the operational mode command:
user@switch4> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID   Designated   Designated           Port   State  Role
                       port ID      bridge ID            Cost
ge-0/0/23.0  128:523   128:517      8192.0019e25051e0    1000   FWD    ROOT
ge-0/0/19.0  128:525   128:525      16384.0019e25040e0   1000   FWD    DESG

Meaning
Refer to the topology in Figure 20 on page 428. The operational mode command show
spanning-tree interface shows that interface ge-0/0/23.0 is the root interface and
forwarding.

Related Topics

Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441

Understanding RSTP for EX-series Switches on page 421

Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches
Multiple Spanning Tree Protocol (MSTP) is used to create a loop-free topology in
networks using multiple spanning tree regions, each region containing multiple
spanning-tree instances (MSTIs). MSTIs provide different paths for different VLANs.
This functionality facilitates better load sharing across redundant links.
MSTP supports up to 64 regions, each one capable of supporting 4094 MSTIs.
This example describes how to configure MSTP on four EX-series switches:

Requirements on page 442

Overview and Topology on page 442

Configuring MSTP on Switch 1 on page 445

Configuring MSTP on Switch 2 on page 448

Configuring MSTP on Switch 3 on page 451

Configuring MSTP on Switch 4 on page 454

Verification on page 457

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX-series switches

Four EX-series switches

Before you configure the switches for MSTP, be sure you have:

Installed the four switches. See Connecting and Configuring the EX-series Switch
(J-Web Procedure) on page 58.

Performed the initial software configuration on all switches. See Installing and
Connecting an EX-series Switch.

Overview and Topology


When the number of VLANs grows in a network, MSTP provides a more efficient
way of creating a loop-free topology using MSTIs. Each MSTI in the spanning tree
domain maintains its own tree. Each tree can be mapped to different links, utilizing
bandwidth that would be unavailable to a single tree. MSTIs reduce demand on
system resources.

Figure 21: Network Topology for MSTP

The interfaces shown in Table 62 on page 443 will be configured for MSTP.
Table 62: Components of the Topology for Configuring MSTP on EX-series Switches
Property                Settings
Switch 1                The following ports on Switch 1 are connected in this way:
                        ge-0/0/9 is connected to Switch 2
                        ge-0/0/13 is connected to Switch 4
                        ge-0/0/11 is connected to Switch 3
Switch 2                The following ports on Switch 2 are connected in this way:
                        ge-0/0/14 is connected to Switch 1
                        ge-0/0/18 is connected to Switch 3
Switch 3                The following ports on Switch 3 are connected in this way:
                        ge-0/0/26 is connected to Switch 1
                        ge-0/0/28 is connected to Switch 2
                        ge-0/0/24 is connected to Switch 4
Switch 4                The following ports on Switch 4 are connected in this way:
                        ge-0/0/19 is connected to Switch 1
                        ge-0/0/23 is connected to Switch 3
VLAN names and tag IDs  voice-vlan, tag 10
                        employee-vlan, tag 20
                        guest-vlan, tag 30
                        camera-vlan, tag 40
MSTIs                   1
                        2

The topology in Figure 21 on page 443 shows a Common Internal Spanning Tree
(CIST). The CIST is a single spanning tree connecting all devices in the network. The
switch with the highest priority is elected as the root bridge of the CIST.
Also in an MSTP topology are ports that have specific roles:

The root port is responsible for forwarding data to the root bridge.

The alternate port is a standby port for the root port. When a root port goes
down, the alternate port becomes the active root port.

The designated port forwards data to the downstream network segment or device.

The backup port is a backup port for the designated port. When a designated
port goes down, the backup port becomes the active designated port and starts
forwarding data.

In this example, one MSTP region, region1, contains Switch 1, Switch 2, Switch 3,
and Switch 4. Within the region, four VLANs are created:

The voice-vlan supports voice traffic and has a VLAN tag identifier of 10.

The employee-vlan supports data traffic and has a VLAN tag identifier of 20.

The guest-vlan supports guest VLAN traffic (for supplicants that fail 802.1X
authentication) and has a VLAN tag identifier of 30.

The camera-vlan supports video traffic and has a VLAN tag identifier of 40.

The VLANs are associated with specific interfaces on each of the four switches. Two
MSTIs, 1 and 2, are then associated with the VLAN tag identifiers, and some MSTP
parameters, such as cost, are configured on each switch.

Configuring MSTP on Switch 1


To configure MSTP on Switch 1, perform these tasks:
CLI Quick Configuration

To quickly configure interfaces and MSTP on Switch 1, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description Voice VLAN
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description Employee VLAN
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description Guest VLAN
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description Camera VLAN
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 16k
set protocols mstp interface ge-0/0/13.0 cost 1000
set protocols mstp interface ge-0/0/13.0 mode point-to-point
set protocols mstp interface ge-0/0/9.0 cost 1000
set protocols mstp interface ge-0/0/9.0 mode point-to-point
set protocols mstp interface ge-0/0/11.0 cost 4000
set protocols mstp interface ge-0/0/11.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 16k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 1 interface ge-0/0/11.0 cost 4000
set protocols mstp msti 2 bridge-priority 8k
set protocols mstp msti 2 vlan [30 40]

Step-by-Step Procedure

To configure interfaces and MSTP on Switch 1:


1.

Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:


[edit vlans]
user@switch1# set voice-vlan description Voice VLAN
user@switch1# set voice-vlan vlan-id 10
user@switch1# set employee-vlan description Employee VLAN
user@switch1# set employee-vlan vlan-id 20
user@switch1# set guest-vlan description Guest VLAN
user@switch1# set guest-vlan vlan-id 30
user@switch1# set camera-vlan description Camera VLAN
user@switch1# set camera-vlan vlan-id 40

2.

Configure the VLANs on the interfaces, including support for the Ethernet
Switching protocol:
[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members [10 20 30 40]

3.

Configure the port mode for the interfaces:


[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching port-mode trunk
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

4.

Configure MSTP on the switch, including the two MSTIs:


[edit protocols]
user@switch1# set mstp configuration-name region1
user@switch1# set mstp bridge-priority 16k
user@switch1# set mstp interface ge-0/0/13.0 cost 1000
user@switch1# set mstp interface ge-0/0/13.0 mode point-to-point
user@switch1# set mstp interface ge-0/0/9.0 cost 1000
user@switch1# set mstp interface ge-0/0/9.0 mode point-to-point
user@switch1# set mstp interface ge-0/0/11.0 cost 4000
user@switch1# set mstp interface ge-0/0/11.0 mode point-to-point
user@switch1# set mstp msti 1 bridge-priority 16k
user@switch1# set mstp msti 1 vlan [10 20]
user@switch1# set mstp msti 1 interface ge-0/0/11.0 cost 4000
user@switch1# set mstp msti 2 bridge-priority 8k
user@switch1# set mstp msti 2 vlan [30 40]

Results

Check the results of the configuration:


user@switch1> show configuration
interfaces {
ge-0/0/13 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {

port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
}
protocols {
mstp {
configuration-name region1;
bridge-priority 16k;
interface ge-0/0/13.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/9.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/11.0 {
cost 4000;
mode point-to-point;
}
msti 1 {
bridge-priority 16k;
vlan [ 10 20 ];
interface ge-0/0/11.0 {
cost 4000;
}
}
msti 2 {
bridge-priority 8k;
vlan [ 30 40 ];
}
}
}
vlans {
voice-vlan {
vlan-id 10;
}

employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
camera-vlan {
vlan-id 40;
}
}

Configuring MSTP on Switch 2


To configure MSTP on Switch 2, perform these tasks:
CLI Quick Configuration

To quickly configure interfaces and MSTP on Switch 2, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description Voice VLAN
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description Employee VLAN
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description Guest VLAN
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description Camera VLAN
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/18 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 32k
set protocols mstp interface ge-0/0/14.0 cost 1000
set protocols mstp interface ge-0/0/14.0 mode point-to-point
set protocols mstp interface ge-0/0/18.0 cost 1000
set protocols mstp interface ge-0/0/18.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 32k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 2 bridge-priority 4k
set protocols mstp msti 2 vlan [30 40]

Step-by-Step Procedure

To configure interfaces and MSTP on Switch 2:


1.

Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:


[edit vlans]
user@switch2# set voice-vlan description Voice VLAN
user@switch2# set voice-vlan vlan-id 10
user@switch2# set employee-vlan description Employee VLAN
user@switch2# set employee-vlan vlan-id 20
user@switch2# set guest-vlan description Guest VLAN
user@switch2# set guest-vlan vlan-id 30
user@switch2# set camera-vlan description Camera VLAN
user@switch2# set camera-vlan vlan-id 40

2.

Configure the VLANs on the interfaces, including support for the Ethernet
Switching protocol:
[edit interfaces]
user@switch2# set ge-0/0/14 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch2# set ge-0/0/18 unit 0 family ethernet-switching vlan members [10 20 30 40]

3.

Configure the port mode for the interfaces:


[edit interfaces]
user@switch2# set ge-0/0/14 unit 0 family ethernet-switching port-mode trunk
user@switch2# set ge-0/0/18 unit 0 family ethernet-switching port-mode trunk

4.

Configure MSTP on the switch, including the two MSTIs:


[edit protocols]
user@switch2# set mstp configuration-name region1
user@switch2# set mstp bridge-priority 32k
user@switch2# set mstp interface ge-0/0/14.0 cost 1000
user@switch2# set mstp interface ge-0/0/14.0 mode point-to-point
user@switch2# set mstp interface ge-0/0/18.0 cost 1000
user@switch2# set mstp interface ge-0/0/18.0 mode point-to-point
user@switch2# set mstp interface all cost 1000
user@switch2# set mstp msti 1 bridge-priority 32k
user@switch2# set mstp msti 1 vlan [10 20]
user@switch2# set mstp msti 2 bridge-priority 4k
user@switch2# set mstp msti 2 vlan [30 40]

Results

Check the results of the configuration:


user@switch2> show configuration
interfaces {
ge-0/0/14 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
ge-0/0/18 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
}
protocols {
mstp {
configuration-name region1;
bridge-priority 32k;
interface ge-0/0/14.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/18.0 {
cost 1000;
mode point-to-point;
}
msti 1 {
bridge-priority 32k;
vlan [ 10 20 ];
}
msti 2 {
bridge-priority 4k;
vlan [ 30 40 ];
}
}
}
vlans {
voice-vlan {
vlan-id 10;
}
employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
camera-vlan {
vlan-id 40;

}
}

Configuring MSTP on Switch 3


To configure MSTP on Switch 3, perform these tasks:
CLI Quick Configuration

To quickly configure interfaces and MSTP on Switch 3, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description Voice VLAN
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description Employee VLAN
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description Guest VLAN
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description Camera VLAN
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/26 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/28 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/24 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 8k
set protocols mstp interface ge-0/0/26.0 cost 1000
set protocols mstp interface ge-0/0/26.0 mode point-to-point
set protocols mstp interface ge-0/0/28.0 cost 1000
set protocols mstp interface ge-0/0/28.0 mode point-to-point
set protocols mstp interface ge-0/0/24.0 cost 1000
set protocols mstp interface ge-0/0/24.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 4k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 2 bridge-priority 16k
set protocols mstp msti 2 vlan [30 40]

Step-by-Step Procedure

To configure interfaces and MSTP on Switch 3:


1.

Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:


[edit vlans]
user@switch3# set voice-vlan description Voice VLAN
user@switch3# set voice-vlan vlan-id 10
user@switch3# set employee-vlan description Employee VLAN
user@switch3# set employee-vlan vlan-id 20
user@switch3# set guest-vlan description Guest VLAN
user@switch3# set guest-vlan vlan-id 30
user@switch3# set camera-vlan description Camera VLAN
user@switch3# set camera-vlan vlan-id 40

2.

Configure the VLANs on the interfaces, including support for the Ethernet
Switching protocol:
[edit interfaces]
user@switch3# set ge-0/0/26 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch3# set ge-0/0/28 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch3# set ge-0/0/24 unit 0 family ethernet-switching vlan members [10 20 30 40]

3.

Configure the port mode for the interfaces:


[edit interfaces]
user@switch3# set ge-0/0/26 unit 0 family ethernet-switching port-mode trunk
user@switch3# set ge-0/0/28 unit 0 family ethernet-switching port-mode trunk
user@switch3# set ge-0/0/24 unit 0 family ethernet-switching port-mode trunk

4.

Configure MSTP on the switch, including the two MSTIs:


[edit protocols]
user@switch3# set mstp configuration-name region1
user@switch3# set mstp bridge-priority 8k
user@switch3# set mstp interface ge-0/0/26.0 cost 1000
user@switch3# set mstp interface ge-0/0/26.0 mode point-to-point
user@switch3# set mstp interface ge-0/0/28.0 cost 1000
user@switch3# set mstp interface ge-0/0/28.0 mode point-to-point
user@switch3# set mstp interface ge-0/0/24.0 cost 1000
user@switch3# set mstp interface ge-0/0/24.0 mode point-to-point
user@switch3# set mstp interface all cost 1000
user@switch3# set mstp msti 1 bridge-priority 4k
user@switch3# set mstp msti 1 vlan [10 20]
user@switch3# set mstp msti 2 bridge-priority 16k
user@switch3# set mstp msti 2 vlan [30 40]

Results

Check the results of the configuration:


user@switch3> show configuration
interfaces {
ge-0/0/26 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
ge-0/0/28 {
unit 0 {


family ethernet-switching {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
ge-0/0/24 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
}
protocols {
mstp {
configuration-name region1;
bridge-priority 8k;
interface ge-0/0/26.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/28.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/24.0 {
cost 1000;
mode point-to-point;
}
msti 1 {
bridge-priority 4k;
vlan [ 10 20 ];
}
msti 2 {
bridge-priority 16k;
vlan [ 30 40 ];
}
}
}
vlans {
voice-vlan {
vlan-id 10;
}


employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
camera-vlan {
vlan-id 40;
}
}

Configuring MSTP on Switch 4


To configure MSTP on Switch 4, perform these tasks:
CLI Quick Configuration

To quickly configure interfaces and MSTP on Switch 4, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans voice-vlan description Voice VLAN
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description Employee VLAN
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description Guest VLAN
set vlans guest-vlan vlan-id 30
set vlans camera-vlan description Camera VLAN
set vlans camera-vlan vlan-id 40
set interfaces ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]
set interfaces ge-0/0/23 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/19 unit 0 family ethernet-switching port-mode trunk
set protocols mstp configuration-name region1
set protocols mstp bridge-priority 16k
set protocols mstp interface ge-0/0/23.0 cost 1000
set protocols mstp interface ge-0/0/23.0 mode point-to-point
set protocols mstp interface ge-0/0/19.0 cost 1000
set protocols mstp interface ge-0/0/19.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 16k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 2 bridge-priority 32k
set protocols mstp msti 2 vlan [30 40]

Step-by-Step Procedure

To configure interfaces and MSTP on Switch 4:


1.

Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:


[edit vlans]
user@switch4# set voice-vlan description Voice VLAN
user@switch4# set voice-vlan vlan-id 10
user@switch4# set employee-vlan description Employee VLAN
user@switch4# set employee-vlan vlan-id 20
user@switch4# set guest-vlan description Guest VLAN
user@switch4# set guest-vlan vlan-id 30
user@switch4# set camera-vlan description Camera VLAN
user@switch4# set camera-vlan vlan-id 40

2.

Configure the VLANs on the interfaces, including support for the Ethernet
Switching protocol:
[edit interfaces]
user@switch4# set ge-0/0/23 unit 0 family ethernet-switching vlan members [10 20 30 40]
user@switch4# set ge-0/0/19 unit 0 family ethernet-switching vlan members [10 20 30 40]

3.

Configure the port mode for the interfaces:


[edit interfaces]
user@switch4# set ge-0/0/23 unit 0 family ethernet-switching port-mode trunk
user@switch4# set ge-0/0/19 unit 0 family ethernet-switching port-mode trunk

4.

Configure MSTP on the switch, including the two MSTIs:


[edit protocols]
user@switch4# set mstp configuration-name region1
user@switch4# set mstp bridge-priority 16k
user@switch4# set mstp interface all cost 1000
user@switch4# set mstp interface ge-0/0/23.0 cost 1000
user@switch4# set mstp interface ge-0/0/23.0 mode point-to-point
user@switch4# set mstp interface ge-0/0/19.0 cost 1000
user@switch4# set mstp interface ge-0/0/19.0 mode point-to-point
user@switch4# set mstp msti 1 bridge-priority 16k
user@switch4# set mstp msti 1 vlan [10 20]
user@switch4# set mstp msti 2 bridge-priority 32k
user@switch4# set mstp msti 2 vlan [30 40]

Results

Check the results of the configuration:


user@switch4> show configuration
interfaces {
ge-0/0/23 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
ge-0/0/19 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
}
protocols {
mstp {
configuration-name region1;
bridge-priority 16k;
interface ge-0/0/23.0 {
cost 1000;
mode point-to-point;
}
interface ge-0/0/19.0 {
cost 1000;
mode point-to-point;
}
msti 1 {
bridge-priority 16k;
vlan [ 10 20 ];
}
msti 2 {
bridge-priority 32k;
vlan [ 30 40 ];
}
}
}
vlans {
voice-vlan {
vlan-id 10;
}
employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
camera-vlan {
vlan-id 40;


}
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying MSTP Configuration on Switch 1 on page 457

Verifying MSTP Configuration on Switch 2 on page 458

Verifying MSTP Configuration on Switch 3 on page 460

Verifying MSTP Configuration on Switch 4 on page 461

Verifying MSTP Configuration on Switch 1

Purpose
Verify the MSTP configuration on Switch 1.

Action
Use the operational mode commands:
user@switch1> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID   Designated   Designated           Port   State  Role
                       port ID      bridge ID            Cost
ge-0/0/13.0  128:527   128:525      16384.0019e25040e0   1000   FWD    ROOT
ge-0/0/9.0   128:529   128:513      32768.0019e2503d20   1000   BLK    ALT
ge-0/0/11.0  128:531   128:513      8192.0019e25051e0    4000   BLK    ALT

Spanning tree interface parameters for instance 1
Interface    Port ID   Designated   Designated           Port   State  Role
                       port ID      bridge ID            Cost
ge-0/0/13.0  128:527   128:525      16385.0019e25040e0   1000   FWD    ROOT
ge-0/0/9.0   128:529   128:513      32769.0019e2503d20   1000   BLK    ALT
ge-0/0/11.0  128:531   128:513      4097.0019e25051e0    4000   BLK    ALT

Spanning tree interface parameters for instance 2
Interface    Port ID   Designated   Designated           Port   State  Role
                       port ID      bridge ID            Cost
ge-0/0/13.0  128:527   128:527      8194.0019e25044e0    1000   FWD    DESG
ge-0/0/9.0   128:529   128:513      4098.0019e2503d20    1000   FWD    ROOT
ge-0/0/11.0  128:531   128:531      8194.0019e25044e0    1000   FWD    DESG

user@switch1> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
STP bridge parameters for CIST
  Root ID                           : 8192.00:19:e2:50:51:e0
  Root cost                         : 0
  Root port                         : ge-0/0/13.0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  CIST internal root cost           : 2000
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 18
  Message age                       : 0
  Number of topology changes        : 3
  Time since last topology change   : 921 seconds
  Local parameters
    Bridge ID                       : 16384.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 0
STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Root cost                         : 2000
  Root port                         : ge-0/0/13.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 18
  Local parameters
    Bridge ID                       : 16385.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 1
STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Root cost                         : 1000
  Root port                         : ge-0/0/9.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Local parameters
    Bridge ID                       : 8194.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 2

Meaning
The operational mode command show spanning-tree interface displays spanning-tree
domain information such as the designated port and the port roles.
The operational mode command show spanning-tree bridge displays the spanning-tree
domain information at either the bridge level or interface level. If the optional interface
name is omitted, all interfaces in the spanning-tree domain are displayed.
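As an added check (example code, not from this guide or from JUNOS), the following decodes the bridge IDs shown above and compares the root of the CIST and of each MSTI with the bridge priorities this example configures. The show spanning-tree bridge excerpt is constructed from the Switch 1 output, and the switch MAC addresses are the ones that appear in the verification output.

```python
"""Decode JUNOS spanning-tree bridge IDs and check each instance's root against the
MSTP design of the example. Added example code, not from the Juniper guide or JUNOS."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the "show spanning-tree bridge" output of Switch 1.
SAMPLE_BRIDGE_OUTPUT = """\
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
STP bridge parameters for CIST
  Root ID                           : 8192.00:19:e2:50:51:e0
  Root port                         : ge-0/0/13.0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  Local parameters
    Bridge ID                       : 16384.00:19:e2:50:44:e0
    Internal instance ID            : 0
STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Root port                         : ge-0/0/13.0
  Local parameters
    Bridge ID                       : 16385.00:19:e2:50:44:e0
    Internal instance ID            : 1
STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Root port                         : ge-0/0/9.0
  Local parameters
    Bridge ID                       : 8194.00:19:e2:50:44:e0
    Internal instance ID            : 2
"""

# Intended design from the example: bridge-priority per instance (0 = CIST) for each
# switch, keyed by the bridge MAC that the verification output shows for that switch.
DESIGN: Dict[str, Dict[int, int]] = {
    "00:19:e2:50:44:e0": {0: 16384, 1: 16384, 2: 8192},   # Switch 1
    "00:19:e2:50:3d:20": {0: 32768, 1: 32768, 2: 4096},   # Switch 2
    "00:19:e2:50:51:e0": {0: 8192, 1: 4096, 2: 16384},    # Switch 3
    "00:19:e2:50:40:e0": {0: 16384, 1: 16384, 2: 32768},  # Switch 4
}


def decode_bridge_id(bridge_id: str) -> Tuple[int, int, str]:
    """Split '4097.00:19:e2:50:51:e0' (or '4097.0019e25051e0' as printed by
    'show spanning-tree interface') into (priority, instance, MAC). The number
    before the dot is a 16-bit field: the top 4 bits are the configured priority
    (a multiple of 4096) and the low 12 bits carry the MSTI number, which is why
    a 4k priority shows as 4097 in MSTI 1 and 4098 in MSTI 2."""
    field, mac = bridge_id.split(".", 1)
    value = int(field)
    mac_hex = mac.replace(":", "").lower()
    if len(mac_hex) != 12 or value > 0xFFFF:
        raise ValueError(f"malformed bridge ID {bridge_id!r}")
    mac_norm = ":".join(mac_hex[i:i + 2] for i in range(0, 12, 2))
    return value & 0xF000, value & 0x0FFF, mac_norm


def expected_root(instance: int) -> str:
    """The root of an instance is the bridge with the lowest bridge ID:
    lowest configured priority, with the MAC address as tie-breaker."""
    return min(DESIGN, key=lambda mac: (DESIGN[mac][instance], mac))


_SECTION = re.compile(r"^STP bridge parameters for (CIST|MSTI (\d+))", re.M)
_ROOT = re.compile(r"^\s*(?:Root ID|MSTI regional root)\s*:\s*(\S+)", re.M)
_LOCAL = re.compile(r"^\s*Bridge ID\s*:\s*(\S+)", re.M)


def parse_bridge_output(text: str) -> Dict[int, Dict[str, str]]:
    """Return {instance: {'root': root bridge ID, 'bridge': local bridge ID}}
    from the text of 'show spanning-tree bridge'; the CIST is instance 0."""
    result: Dict[int, Dict[str, str]] = {}
    heads = list(_SECTION.finditer(text))
    for i, head in enumerate(heads):
        inst = 0 if head.group(1) == "CIST" else int(head.group(2))
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        root, local = _ROOT.search(body), _LOCAL.search(body)
        if root is None or local is None:
            raise ValueError(f"incomplete section for instance {inst}")
        result[inst] = {"root": root.group(1), "bridge": local.group(1)}
    return result


def check_roots(text: str) -> List[str]:
    """List every instance whose elected root is not the switch and priority the
    design intends, or whose root ID encodes a different instance number than the
    section it appears in. An empty list means the topology matches the design."""
    problems: List[str] = []
    for inst, ids in sorted(parse_bridge_output(text).items()):
        prio, inst_in_id, mac = decode_bridge_id(ids["root"])
        if inst_in_id != inst:
            problems.append(f"instance {inst}: root ID {ids['root']} encodes instance {inst_in_id}")
        want = expected_root(inst)
        if mac != want or prio != DESIGN[want][inst]:
            problems.append(f"instance {inst}: root is {mac} at priority {prio}, "
                            f"design expects {want} at priority {DESIGN[want][inst]}")
    return problems
```

Run check_roots over the output collected from each switch; any entry in the returned list marks an instance whose root has drifted from the configured design.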

Verifying MSTP Configuration on Switch 2

Purpose
Verify the MSTP configuration on Switch 2.

Action
Use the operational mode commands:
user@switch2> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID   Designated   Designated           Port   State  Role
                       port ID      bridge ID            Cost
ge-0/0/14.0  128:513   128:513      32768.0019e2503d20   1000   FWD    DESG
ge-0/0/18.0  128:519   128:515      8192.0019e25051e0    1000   FWD    ROOT

Spanning tree interface parameters for instance 1
Interface    Port ID   Designated   Designated           Port   State  Role
                       port ID      bridge ID            Cost
ge-0/0/14.0  128:513   128:513      32769.0019e2503d20   1000   FWD    DESG
ge-0/0/18.0  128:519   128:515      4097.0019e25051e0    1000   FWD    ROOT

Spanning tree interface parameters for instance 2
Interface    Port ID   Designated   Designated           Port   State  Role
                       port ID      bridge ID            Cost
ge-0/0/14.0  128:513   128:513      4098.0019e2503d20    1000   FWD    DESG
ge-0/0/18.0  128:519   128:519      4098.0019e2503d20    1000   FWD    DESG

user@switch2> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
STP bridge parameters for CIST
  Root ID                           : 8192.00:19:e2:50:51:e0
  Root cost                         : 0
  Root port                         : ge-0/0/18.0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  CIST internal root cost           : 1000
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Message age                       : 0
  Number of topology changes        : 1
  Time since last topology change   : 782 seconds
  Local parameters
    Bridge ID                       : 32768.00:19:e2:50:3d:20
    Extended system ID              : 0
    Internal instance ID            : 0
STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Root cost                         : 1000
  Root port                         : ge-0/0/18.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Local parameters
    Bridge ID                       : 32769.00:19:e2:50:3d:20
    Extended system ID              : 0
    Internal instance ID            : 1
STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Local parameters
    Bridge ID                       : 4098.00:19:e2:50:3d:20
    Extended system ID              : 0
    Internal instance ID            : 2

Meaning
The operational mode command show spanning-tree interface displays spanning-tree
domain information such as the designated port and the port roles.
The operational mode command show spanning-tree bridge displays the spanning-tree
domain information at either the bridge level or interface level. If the optional interface
name is omitted, all interfaces in the spanning-tree domain are displayed.

Verifying MSTP Configuration on Switch 3

Purpose
Verify the MSTP configuration on Switch 3.

Action
Use the operational mode commands show spanning-tree interface (on page 564) and
show spanning-tree bridge (on page 560):

user@switch3> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/26.0  128:513    128:513         8192.0019e25051e0   1000    FWD    DESG
ge-0/0/28.0  128:515    128:515         8192.0019e25051e0   1000    FWD    DESG
ge-0/0/24.0  128:517    128:517         8192.0019e25051e0   1000    FWD    DESG

Spanning tree interface parameters for instance 1

Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/26.0  128:513    128:513         4097.0019e25051e0   1000    FWD    DESG
ge-0/0/28.0  128:515    128:515         4097.0019e25051e0   1000    FWD    DESG
ge-0/0/24.0  128:517    128:517         4097.0019e25051e0   1000    FWD    DESG

Spanning tree interface parameters for instance 2

Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/26.0  128:513    128:531         8194.0019e25044e0   1000    BLK    ALT
ge-0/0/28.0  128:515    128:519         4098.0019e2503d20   1000    FWD    ROOT
ge-0/0/24.0  128:517    128:517         16386.0019e25051e0  1000    FWD    DESG

user@switch3> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
  STP bridge parameters for CIST
  Root ID                           : 8192.00:19:e2:50:51:e0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  CIST internal root cost           : 0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Number of topology changes        : 3
  Time since last topology change   : 843 seconds
Chapter 34: Examples of Configuring Spanning Trees

  Local parameters
    Bridge ID                       : 8192.00:19:e2:50:51:e0
    Extended system ID              : 0
    Internal instance ID            : 0
  STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Local parameters
    Bridge ID                       : 4097.00:19:e2:50:51:e0
    Extended system ID              : 0
    Internal instance ID            : 1
  STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Root cost                         : 1000
  Root port                         : ge-0/0/28.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Local parameters
    Bridge ID                       : 16386.00:19:e2:50:51:e0
    Extended system ID              : 0
    Internal instance ID            : 2

Meaning

The operational mode command show spanning-tree interface displays spanning-tree
domain information such as the designated port and the port roles.
The operational mode command show spanning-tree bridge displays the spanning-tree
domain information at either the bridge level or interface level. If the optional interface
name is omitted, all interfaces in the spanning-tree domain are displayed.

Verifying MSTP Configuration on Switch 4

Purpose
Verify the MSTP configuration on Switch 4.

Action
Use the operational mode commands show spanning-tree interface (on page 564) and
show spanning-tree bridge (on page 560):

user@switch4> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/23.0  128:523    128:517         8192.0019e25051e0   1000    FWD    ROOT
ge-0/0/19.0  128:525    128:525         16384.0019e25040e0  1000    FWD    DESG

Spanning tree interface parameters for instance 1

Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/23.0  128:523    128:517         4097.0019e25051e0   1000    FWD    ROOT
ge-0/0/19.0  128:525    128:525         16385.0019e25040e0  1000    FWD    DESG

Spanning tree interface parameters for instance 2

Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/23.0  128:523    128:517         16386.0019e25051e0  1000    BLK    ALT
ge-0/0/19.0  128:525    128:527         8194.0019e25044e0   1000    FWD    ROOT

user@switch4> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
  STP bridge parameters for CIST
  Root ID                           : 8192.00:19:e2:50:51:e0
  Root cost                         : 0
  Root port                         : ge-0/0/23.0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  CIST internal root cost           : 1000
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Message age                       : 0
  Number of topology changes        : 4
  Time since last topology change   : 887 seconds
  Local parameters
    Bridge ID                       : 16384.00:19:e2:50:40:e0
    Extended system ID              : 0
    Internal instance ID            : 0
  STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Root cost                         : 1000
  Root port                         : ge-0/0/23.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Local parameters
    Bridge ID                       : 16385.00:19:e2:50:40:e0
    Extended system ID              : 0
    Internal instance ID            : 1
  STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Root cost                         : 2000
  Root port                         : ge-0/0/19.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 18
  Local parameters
    Bridge ID                       : 32770.00:19:e2:50:40:e0
    Extended system ID              : 0
    Internal instance ID            : 2

Meaning

The operational mode command show spanning-tree interface displays spanning-tree
domain information such as the designated port and the port roles.
The operational mode command show spanning-tree bridge displays the spanning-tree
domain information at either the bridge level or interface level. If the optional interface
name is omitted, all interfaces in the spanning-tree domain are displayed.
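The bridge outputs above are meant to be read by eye; the check worth automating is whether the root of each instance is the bridge the design intended, because a root that has moved (a bridge with a lower priority, or a device on an access port sending superior BPDUs) is exactly the condition root protection exists to prevent. The following Python script is an added example and is not part of the Juniper guide: it parses show spanning-tree bridge output into per-instance fields, summarizes where each instance's root sits and how this bridge reaches it, and compares the root MAC of every instance against an expected map. SWITCH4_BRIDGE is a constructed copy of the Switch 4 output above with the timer lines trimmed; EXPECTED_ROOTS is an assumption that encodes the placement this example shows (00:19:e2:50:51:e0, Switch 3, for the CIST and MSTI 1; 00:19:e2:50:3d:20, Switch 2, for MSTI 2).

```python
import re

# Added example, not from the Juniper guide. Parses `show spanning-tree bridge` output.
SECTION_RE = re.compile(r"^\s*STP bridge parameters for (?P<name>CIST|MSTI \d+)\s*$")
KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z][^:]*?)\s*:\s*(?P<value>\S.*?)\s*$")

# Constructed copy of the Switch 4 output shown above, timer lines trimmed.
SWITCH4_BRIDGE = """\
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
  STP bridge parameters for CIST
  Root ID                           : 8192.00:19:e2:50:51:e0
  Root cost                         : 0
  Root port                         : ge-0/0/23.0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  CIST internal root cost           : 1000
  Hop count                         : 19
  Local parameters
    Bridge ID                       : 16384.00:19:e2:50:40:e0
    Extended system ID              : 0
    Internal instance ID            : 0
  STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Root cost                         : 1000
  Root port                         : ge-0/0/23.0
  Hop count                         : 19
  Local parameters
    Bridge ID                       : 16385.00:19:e2:50:40:e0
    Extended system ID              : 0
    Internal instance ID            : 1
  STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Root cost                         : 2000
  Root port                         : ge-0/0/19.0
  Hop count                         : 18
  Local parameters
    Bridge ID                       : 32770.00:19:e2:50:40:e0
    Extended system ID              : 0
    Internal instance ID            : 2
"""

# Assumed intended root placement for this example: Switch 3 (00:19:e2:50:51:e0)
# owns the CIST and MSTI 1, Switch 2 (00:19:e2:50:3d:20) owns MSTI 2.
EXPECTED_ROOTS = {
    "CIST": "00:19:e2:50:51:e0",
    "MSTI 1": "00:19:e2:50:51:e0",
    "MSTI 2": "00:19:e2:50:3d:20",
}


def split_bridge_id(bridge_id):
    """'4097.00:19:e2:50:51:e0' -> (4097, '00:19:e2:50:51:e0').
    For an MSTI the priority field carries the instance number (4097 = 4096 + 1)."""
    priority, mac = bridge_id.split(".", 1)
    return int(priority), mac


def parse_bridge_output(text):
    """Return {instance name: {field: value}} for every 'STP bridge parameters for ...' block."""
    instances, current = {}, None
    for line in text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            current = section.group("name")
            instances[current] = {}
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            instances[current][kv.group("key")] = kv.group("value")
    return instances


def summarize_roots(instances):
    """Per instance: who the root is, whether this bridge is the root, and the path to it."""
    summary = {}
    for name, fields in instances.items():
        root_id = fields["Root ID"] if name == "CIST" else fields["MSTI regional root"]
        priority, mac = split_bridge_id(root_id)
        summary[name] = {
            "root_priority": priority,
            "root_mac": mac,
            "local_is_root": root_id == fields["Bridge ID"],
            "root_port": fields.get("Root port"),
            "root_cost": int(fields.get("Root cost", "0")),
        }
    return summary


def check_root_placement(summary, expected):
    """(instance, actual root MAC, expected root MAC) for every instance whose root is not where the design put it."""
    return [
        (name, info["root_mac"], expected[name])
        for name, info in summary.items()
        if name in expected and info["root_mac"] != expected[name]
    ]


if __name__ == "__main__":
    roots = summarize_roots(parse_bridge_output(SWITCH4_BRIDGE))
    for name, info in roots.items():
        print(name, info)
    print("misplaced roots:", check_root_placement(roots, EXPECTED_ROOTS))
```

Run against each switch's output in turn and the list returned by check_root_placement should be empty everywhere; a non-empty list on any switch is the signal to look at which port learned the unexpected root, which is the port root protection (no-root-port) should have been configured on.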
Related Topics

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427
Understanding MSTP for EX-series Switches on page 422

Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches

EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). Configure BPDU protection on interfaces to prevent them from receiving
BPDUs that could result in STP misconfigurations, which could lead to network
outages.
This example describes how to configure BPDU protection on access interfaces on
an EX-series switch in an RSTP topology:

Requirements on page 463
Overview and Topology on page 463
Configuration on page 465
Verification on page 466

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.1 or later for EX-series switches

Two EX-series switches in an RSTP topology

Before you configure the interfaces on Switch 2 for BPDU protection, be sure you
have:

RSTP operating on the switches.

NOTE: By default, RSTP is enabled on all EX-series switches.

Overview and Topology

A loop-free network is supported through the exchange of a special type of frame
called brid­ge protocol data unit (BPDU). Receipt of BPDUs on certain interfaces in
an STP, RSTP, or MSTP topology, however, can lead to network outages by triggering
an STP misconfiguration. To prevent such outages, enable BPDU protection on those
interfaces that should not receive BPDUs.
Enable BPDU protection on switch interfaces connected to user devices or on
interfaces on which no BPDUs are expected, such as edge ports. If a BPDU is received
on a BPDU-protected interface, the interface is disabled and stops forwarding frames.
Two EX-series switches are displayed in Figure 22 on page 464. In this example,
Switch 1 and Switch 2 are configured for RSTP and create a loop-free topology. The
interfaces on Switch 2 are access ports.
This example shows you how to configure interface ge-0/0/5 and interface ge-0/0/6
as edge ports and to configure BPDU protection. When BPDU protection is enabled,
the interfaces will transition to a blocking state when BPDUs are received on them.
Figure 22: BPDU Protection Topology

Table 63 on page 464 shows the components that will be configured for BPDU
protection.
Table 63: Components of the Topology for Configuring BPDU Protection on EX-series Switches

Property                       Settings
Switch 1 (Distribution Layer)  Switch 1 is connected to Switch 2 on a trunk interface.
Switch 2 (Access Layer)        Switch 2 has these access ports that require BPDU protection: ge-0/0/5 and ge-0/0/6.

This configuration example is using an RSTP topology. You also can configure BPDU
protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy
level.

Configuration
To configure BPDU protection on two access interfaces:

CLI Quick Configuration
To quickly configure BPDU protection on Switch 2, copy the following commands
and paste them into the switch terminal window:

[edit]
set protocols rstp interface ge-0/0/5 edge
set protocols rstp interface ge-0/0/6 edge
set protocols rstp bpdu-block-on-edge

Step-by-Step Procedure
To configure BPDU protection:

1. Configure interface ge-0/0/5 and interface ge-0/0/6 on Switch 2 as edge ports:

   [edit protocols rstp]
   user@switch# set interface ge-0/0/5 edge
   user@switch# set interface ge-0/0/6 edge

2. Configure BPDU protection on all edge ports:

   [edit protocols rstp]
   user@switch# set bpdu-block-on-edge

Results
Check the results of the configuration:

user@switch> show configuration protocols rstp
interface ge-0/0/5.0 {
    edge;
}
interface ge-0/0/6.0 {
    edge;
}
bpdu-block-on-edge;


Verification
To confirm that the configuration is working properly:

Displaying the Interface State Before BPDU Protection Is Triggered on page 466
Verifying That BPDU Protection Is Working Correctly on page 466

Displaying the Interface State Before BPDU Protection Is Triggered

Purpose
Before BPDUs are being received from the PCs connected to interface ge-0/0/5 and
interface ge-0/0/6, confirm the interface state.

Action
Use the operational mode command show spanning-tree interface (on page 564):

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/0.0   128:513    128:513         32768.0019e2503f00  20000   BLK    DIS
ge-0/0/1.0   128:514    128:514         32768.0019e2503f00  20000   BLK    DIS
ge-0/0/2.0   128:515    128:515         32768.0019e2503f00  20000   BLK    DIS
ge-0/0/3.0   128:516    128:516         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/4.0   128:517    128:517         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/5.0   128:518    128:518         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/6.0   128:519    128:519         32768.0019e2503f00  20000   FWD    DESG
[output truncated]

Meaning
The output from the operational mode command show spanning-tree interface shows
that ge-0/0/5.0 and ge-0/0/6.0 are designated ports in a forwarding state.

Verifying That BPDU Protection Is Working Correctly

Purpose
In this example, the PCs connected to Switch 2 start sending BPDUs to interface
ge-0/0/5.0 and interface ge-0/0/6.0. Verify that BPDU protection is working on the
interfaces.

Action
Use the operational mode command show spanning-tree interface (on page 564):

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/0.0   128:513    128:513         32768.0019e2503f00  20000   BLK    DIS
ge-0/0/1.0   128:514    128:514         32768.0019e2503f00  20000   BLK    DIS
ge-0/0/2.0   128:515    128:515         32768.0019e2503f00  20000   BLK    DIS
ge-0/0/3.0   128:516    128:516         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/4.0   128:517    128:517         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/5.0   128:518    128:518         32768.0019e2503f00  20000   BLK    DIS
(BpduIncon)
ge-0/0/6.0   128:519    128:519         32768.0019e2503f00  20000   BLK    DIS
(BpduIncon)
ge-0/0/7.0   128:520    128:1           16384.00aabbcc0348  20000   FWD    ROOT
ge-0/0/8.0   128:521    128:521         32768.0019e2503f00  20000   FWD    DESG
[output truncated]

Meaning
When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0
on Switch 2, the output from the operational mode command show spanning-tree
interface shows that the interfaces have transitioned to a BPDU inconsistent state,
marked (BpduIncon). The BPDU inconsistent state makes the interfaces block and
prevents them from forwarding traffic.
Disabling the BPDU protection configuration on an interface does not unblock the
interface. If the disable-timeout statement has been included in the BPDU protection
configuration, the interface automatically returns to service after the timer expires.
Otherwise, use the operational mode command clear ethernet-switching bpdu-error
(on page 542) to unblock the interface.
If the PCs connected to Switch 2 send BPDUs to the interfaces again, BPDU protection
is triggered once more and the interfaces transition back to the BPDU inconsistent
state. In such cases, you need to find and repair the misconfiguration on the PCs
that is causing them to send BPDUs to Switch 2.

Related Topics

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427
Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 467
Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 472
Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches on page 476
Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 422

Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches

EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). Configure BPDU protection on non-STP interfaces that are connected to
switches with spanning trees to prevent the non-STP interfaces from receiving BPDUs.
When non-STP interfaces receive BPDUs, it can result in an STP misconfiguration,
which could lead to network outages.
This example describes how to configure BPDU protection on non-STP interfaces on
an EX-series switch:

Requirements on page 468
Overview and Topology on page 468
Configuration on page 470
Verification on page 470


Requirements
This example uses the following hardware and software components:

JUNOS Release 9.1 or later for EX-series switches

One EX-series switch in an RSTP topology

One EX-series switch that is not in a spanning-tree topology

Before you configure the interface for BPDU protection, be sure you have:

RSTP operating on Switch 1.

Disabled RSTP on Switch 2.

NOTE: By default, RSTP is enabled on all EX-series switches.

Overview and Topology


A loop-free network is supported through the exchange of a special type of frame
called bridge protocol data unit (BPDU). Receipt of BPDUs on certain interfaces can
lead to network outages by triggering an STP miscalculation. Enable BPDU protection
on those interfaces that should not receive BPDUs to prevent network outages.
BPDU protection for non-STP interfaces can be enabled on interfaces on a non-STP
switch connected to an STP switch through a trunk interface. Enable BPDU protection
on interfaces on which no BPDUs are expected, such as access ports connected to
user devices. If BPDUs are received on a BPDU-protected interface, the interface
transitions to a blocking state and stops forwarding frames.
Two EX-series switches are displayed in Figure 23 on page 469. In this example,
Switch 1 and Switch 2 are connected through a trunk interface. Switch 1 is configured
for RSTP, but Switch 2 has no spanning tree. Switch 2 has two access ports: interface
ge-0/0/5 and interface ge-0/0/6.
This example shows you how to configure BPDU protection on interface ge-0/0/5
and interface ge-0/0/6. When BPDU protection is enabled, the interfaces will
transition to a blocking state if BPDUs are received.


Figure 23: BPDU Protection Topology

Table 64 on page 469 shows the components that will be configured for BPDU
protection.
Table 64: Components of the Topology for Configuring BPDU Protection on EX-series Switches

Property                       Settings
Switch 1 (Distribution Layer)  Switch 1 is connected to Switch 2 through a trunk interface. Switch 1 is configured for RSTP.
Switch 2 (Access Layer)        Switch 2 has RSTP disabled and has these access ports that require BPDU protection: ge-0/0/5 and ge-0/0/6.

CAUTION: When configuring BPDU protection on a non-STP configured switch
connected to an STP-configured switch, be careful that you do not configure BPDU
protection on all interfaces. Doing so could prevent BPDUs being received on
interfaces (such as a trunk interface) that should be receiving BPDUs from an
STP-configured switch.


Configuration
To configure BPDU protection on the interfaces:

CLI Quick Configuration
To quickly configure BPDU protection on Switch 2, copy the following commands
and paste them into the switch terminal window:

[edit]
set ethernet-switching-options bpdu-block interface ge-0/0/5
set ethernet-switching-options bpdu-block interface ge-0/0/6

Step-by-Step Procedure
To configure BPDU protection:

1. Configure interface ge-0/0/5 and interface ge-0/0/6 on Switch 2:

   [edit ethernet-switching-options]
   user@switch# set bpdu-block interface ge-0/0/5
   user@switch# set bpdu-block interface ge-0/0/6

Results
Check the results of the configuration:

user@switch> show ethernet-switching-options
bpdu-block {
    interface ge-0/0/5.0;
    interface ge-0/0/6.0;
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Displaying the Interface State Before BPDU Protection Is Triggered on page 470
Verifying That BPDU Protection Is Working Correctly on page 471

Displaying the Interface State Before BPDU Protection Is Triggered

Purpose
Before BPDUs are being received from the PCs connected to interface ge-0/0/5 and
interface ge-0/0/6, confirm the interface state.

Action
Use the operational mode command show ethernet-switching interfaces (on page 545):

user@switch> show ethernet-switching interfaces
Interface    State  VLAN members  Blocking
ge-0/0/0.0   down   default       unblocked
ge-0/0/1.0   down   default       unblocked
ge-0/0/2.0   down   default       unblocked
ge-0/0/3.0   up     default       unblocked
ge-0/0/4.0   up     v1            unblocked
ge-0/0/5.0   up     v1            unblocked
ge-0/0/6.0   up     default       unblocked
[output truncated]

Meaning
The output from the operational mode command show ethernet-switching interfaces
shows that ge-0/0/5.0 and ge-0/0/6.0 are up and unblocked.

Verifying That BPDU Protection Is Working Correctly

Purpose
In this example, the PCs connected to Switch 2 start sending BPDUs to interface
ge-0/0/5.0 and interface ge-0/0/6.0. Verify that BPDU protection is working on the
interfaces.

Action
Use the operational mode command show ethernet-switching interfaces (on page 545):

user@switch> show ethernet-switching interfaces
Interface    State  VLAN members  Blocking
ge-0/0/0.0   down   default       unblocked
ge-0/0/1.0   down   default       unblocked
ge-0/0/2.0   down   default       unblocked
ge-0/0/3.0   up     default       unblocked
ge-0/0/4.0   up     v1            unblocked
ge-0/0/5.0   up     v1            blocked - blocked by bpdu-control
ge-0/0/6.0   up     default       blocked - blocked by bpdu-control
[output truncated]

Meaning
When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0
on Switch 2, the output from the operational mode command show ethernet-switching
interfaces shows the interfaces as "blocked - blocked by bpdu-control" in the Blocking
column: BPDU protection has been triggered, and the interfaces no longer forward
traffic. Because Switch 2 is not running a spanning-tree protocol, this Blocking
column, not show spanning-tree interface, is where the state is visible.
Disabling the BPDU protection configuration on an interface does not unblock the
interface. If the disable-timeout statement has been included in the bpdu-block
configuration, the interface automatically returns to service after the timer expires.
Otherwise, use the operational mode command clear ethernet-switching bpdu-error
(on page 542) to unblock the interface.
If the PCs connected to Switch 2 send BPDUs to the interfaces again, BPDU protection
is triggered once more and the interfaces are blocked again. In such cases, you need
to find and repair the misconfiguration on the PCs that is causing them to send
BPDUs to Switch 2.
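On a switch with no spanning-tree protocol, the only place BPDU protection shows up is the Blocking column of show ethernet-switching interfaces, so a monitoring job has to parse that text rather than a spanning-tree view. The following Python script is an added example and is not part of the Juniper guide: it parses that output, lists the ports blocked by bpdu-control, diffs two snapshots so newly blocked ports can be alerted on, and reads the bpdu-block stanza from show ethernet-switching-options to confirm that the uplink toward the STP switch was not included (the CAUTION above). BEFORE and AFTER are constructed copies of the two outputs in this example, BPDU_BLOCK_CONFIG is the stanza from the Results step, and the uplink name ge-0/0/0.0 used in the demonstration is an assumption. Continuation lines that list additional VLAN members for a trunk are skipped, which is a simplification for this example.

```python
import re

# Added example, not from the Juniper guide. Parses `show ethernet-switching interfaces`
# and the bpdu-block stanza of `show ethernet-switching-options`.
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<state>up|down)\s+(?P<vlan>\S+)\s+(?P<blocking>.+?)\s*$"
)
BPDU_BLOCK_RE = re.compile(r"bpdu-block\s*\{(?P<body>[^}]*)\}")
IFACE_RE = re.compile(r"interface\s+([^;\s]+);")

# Constructed copies of the two outputs in this example (before and after the PCs send BPDUs).
BEFORE = """\
Interface    State  VLAN members  Blocking
ge-0/0/0.0   down   default       unblocked
ge-0/0/1.0   down   default       unblocked
ge-0/0/2.0   down   default       unblocked
ge-0/0/3.0   up     default       unblocked
ge-0/0/4.0   up     v1            unblocked
ge-0/0/5.0   up     v1            unblocked
ge-0/0/6.0   up     default       unblocked
"""
AFTER = """\
Interface    State  VLAN members  Blocking
ge-0/0/0.0   down   default       unblocked
ge-0/0/1.0   down   default       unblocked
ge-0/0/2.0   down   default       unblocked
ge-0/0/3.0   up     default       unblocked
ge-0/0/4.0   up     v1            unblocked
ge-0/0/5.0   up     v1            blocked - blocked by bpdu-control
ge-0/0/6.0   up     default       blocked - blocked by bpdu-control
"""
# The stanza shown in the Results step above.
BPDU_BLOCK_CONFIG = """\
bpdu-block {
    interface ge-0/0/5.0;
    interface ge-0/0/6.0;
}
"""


def parse_switching_interfaces(text):
    """Return {interface: {"state", "vlans", "blocking"}}.
    Assumption: continuation lines listing further VLAN members carry no interface
    name, so they do not match ROW_RE and are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m.group("iface")] = {
                "state": m.group("state"),
                "vlans": [m.group("vlan")],
                "blocking": m.group("blocking"),
            }
    return rows


def bpdu_blocked(rows):
    """Interfaces BPDU protection has shut: the Blocking column names bpdu-control."""
    return sorted(iface for iface, row in rows.items() if "bpdu-control" in row["blocking"])


def newly_blocked(before, after):
    """Interfaces unblocked in the first snapshot and blocked in the second."""
    return sorted(
        iface for iface, row in after.items()
        if row["blocking"].startswith("blocked")
        and before.get(iface, {}).get("blocking") == "unblocked"
    )


def bpdu_block_interfaces(config):
    """Interfaces listed under [edit ethernet-switching-options bpdu-block]."""
    m = BPDU_BLOCK_RE.search(config)
    return set(IFACE_RE.findall(m.group("body"))) if m else set()


def protected_uplinks(config, uplinks):
    """Uplinks that bpdu-block would shut on the first BPDU from the STP switch (the CAUTION above)."""
    return sorted(set(uplinks) & bpdu_block_interfaces(config))


if __name__ == "__main__":
    before = parse_switching_interfaces(BEFORE)
    after = parse_switching_interfaces(AFTER)
    print("blocked by bpdu-control:", bpdu_blocked(after))
    print("newly blocked since last snapshot:", newly_blocked(before, after))
    # ge-0/0/0.0 stands in for the trunk to Switch 1 (assumed name); it must not be listed.
    print("uplinks wrongly covered:", protected_uplinks(BPDU_BLOCK_CONFIG, ["ge-0/0/0.0"]))
```

A port that appears in newly_blocked is a port where something started sending BPDUs; the follow-up is the one the Meaning paragraph describes, finding the device on that port before clearing the block, since clearing it first only buys time until the next BPDU.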

Related Topics

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427
Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 463
Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 472
Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches on page 476
Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 422


Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches

EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). Loop protection increases the efficiency of STP, RSTP, and MSTP by
preventing interfaces from moving into a forwarding state that would result in a loop
opening up in the network.
This example describes how to configure loop protection for an interface on an
EX-series switch in an RSTP topology:

Requirements on page 472
Overview and Topology on page 472
Configuration on page 474
Verification on page 474

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.1 or later for EX-series switches

Three EX-series switches in an RSTP topology

Before you configure the interface for loop protection, be sure you have:

RSTP operating on the switches.

NOTE: By default, RSTP is enabled on all EX-series switches.

Overview and Topology


A loop-free network in spanning-tree topologies is supported through the exchange
of a special type of frame called bridge protocol data unit (BPDU). Peer STP
applications running on the switch interfaces use BPDUs to communicate. Ultimately,
the exchange of BPDUs determines which interfaces block traffic (preventing loops)
and which interfaces become root ports and forward traffic.
A blocking interface can transition to the forwarding state in error if the interface
stops receiving BPDUs from its designated port on the segment. Such a transition
error can occur when there is a hardware error on the switch or software configuration
error between the switch and its neighbor. When this happens, a loop opens up in
the spanning tree. Loops in a Layer 2 topology cause broadcast, unicast, and multicast
frames to continuously circle the looped network. As a switch processes a flood of
frames in a looped network, its resources become depleted and the ultimate result
is a network outage.


CAUTION: An interface can be configured for either loop protection or root protection,
but not for both.
Three EX-series switches are displayed in Figure 24 on page 473. In this example,
they are configured for RSTP and create a loop-free topology. Interface ge-0/0/6 is
blocking traffic between Switch 3 and Switch 1; thus, traffic is forwarded through
interface ge-0/0/7 on Switch 2. BPDUs are being sent from the root bridge on Switch
1 to both of these interfaces.
This example shows how to configure loop protection on interface ge-0/0/6 to prevent
it from transitioning from a blocking state to a forwarding state and creating a loop
in the spanning-tree topology.
Figure 24: Network Topology for Loop Protection

Table 65 on page 473 shows the components that will be configured for loop
protection.
Table 65: Components of the Topology for Configuring Loop Protection on EX-series Switches

Property   Settings
Switch 1   Switch 1 is the root bridge.
Switch 2   Switch 2 has the root port ge-0/0/7.
Switch 3   Switch 3 is connected to Switch 1 through interface ge-0/0/6.

A spanning-tree topology contains ports that have specific roles:

The root port is responsible for forwarding data to the root bridge.
The alternate port is a standby port for the root port. When a root port goes
down, the alternate port becomes the active root port.
The designated port forwards data to the downstream network segment or
device.

This configuration example uses an RSTP topology. However, you also can configure
loop protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy
level.

Configuration
To configure loop protection on an interface:

CLI Quick Configuration
To quickly configure loop protection on interface ge-0/0/6:

[edit]
set protocols rstp interface ge-0/0/6 bpdu-timeout-action block

Step-by-Step Procedure
To configure loop protection:

1. Configure interface ge-0/0/6 on Switch 3:

   [edit protocols rstp]
   user@switch# set interface ge-0/0/6 bpdu-timeout-action block

Results
Check the results of the configuration:

user@switch> show configuration protocols rstp
interface ge-0/0/6.0 {
    bpdu-timeout-action {
        block;
    }
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Displaying the Interface State Before Loop Protection Is Triggered on page 474
Verifying That Loop Protection Is Working on an Interface on page 475

Displaying the Interface State Before Loop Protection Is Triggered

Purpose
Before loop protection is triggered on interface ge-0/0/6, confirm that the interface
is blocking.

Action
Use the operational mode command show spanning-tree interface (on page 564):

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/0.0   128:513    128:513         32768.0019e2503f00  20000   BLK    DIS
ge-0/0/1.0   128:514    128:514         32768.0019e2503f00  20000   BLK    DIS
ge-0/0/2.0   128:515    128:515         32768.0019e2503f00  20000   BLK    DIS
ge-0/0/3.0   128:516    128:516         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/4.0   128:517    128:517         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/5.0   128:518    128:518         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/6.0   128:519    128:2           16384.00aabbcc0348  20000   BLK    ALT
[output truncated]

Meaning
The output from the operational mode command show spanning-tree interface shows
that ge-0/0/6.0 is the alternate port and in a blocking state.

Verifying That Loop Protection Is Working on an Interface

Purpose
Verify the loop protection configuration on interface ge-0/0/6. RSTP has been disabled
on interface ge-0/0/4 on Switch 1. This will stop BPDUs from being sent to interface
ge-0/0/6 and trigger loop protection on the interface.

Action
Use the operational mode command show spanning-tree interface (on page 564):

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/0.0   128:513    128:513         32768.0019e2503f00  20000   BLK    DIS
ge-0/0/1.0   128:514    128:514         32768.0019e2503f00  20000   BLK    DIS
ge-0/0/2.0   128:515    128:515         32768.0019e2503f00  20000   BLK    DIS
ge-0/0/3.0   128:516    128:516         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/4.0   128:517    128:517         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/5.0   128:518    128:518         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/6.0   128:519    128:519         32768.0019e2503f00  20000   BLK    DIS
(Loop-Incon)
[output truncated]

Meaning
The operational mode command show spanning-tree interface shows that interface
ge-0/0/6.0 has detected that BPDUs are no longer being forwarded to it and has
moved into a loop-inconsistent state. The loop-inconsistent state prevents the interface
from transitioning to a forwarding state. The interface recovers and transitions back
to its original state as soon as it receives BPDUs.
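Both this example and the earlier example of BPDU protection on STP interfaces come down to reading show spanning-tree interface and spotting the (BpduIncon) or (Loop-Incon) marker that the switch prints under an interface row. The following Python script is an added example, not part of the Juniper guide, and it covers both cases: it parses the output per instance, attaches the marker that appears on the line after a row to that row, lists every port parked in an inconsistent state, and diffs two snapshots so a port that moved from ALT to DIS (loop protection) or from DESG to DIS (BPDU protection) is reported with its old and new state. BEFORE is a constructed copy of the loop protection output above, trimmed to the forwarding and alternate ports; AFTER is a constructed composite that shows ge-0/0/5.0 in BpduIncon, as in the BPDU protection example, and ge-0/0/6.0 in Loop-Incon, as in this one.

```python
import re

# Added example, not from the Juniper guide. Parses `show spanning-tree interface` output.
INSTANCE_RE = re.compile(r"^Spanning tree interface parameters for instance (?P<inst>\d+)")
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<port_id>\d+:\d+)\s+(?P<desig_port>\d+:\d+)\s+"
    r"(?P<desig_bridge>[0-9a-fA-F.]+)\s+(?P<cost>\d+)\s+(?P<state>[A-Z]+)\s+"
    r"(?P<role>[A-Z]+)(?:\s+\((?P<flag>[^)]+)\))?\s*$"
)
FLAG_RE = re.compile(r"^\((?P<flag>[^)]+)\)\s*$")  # marker printed on the line after a row

# Constructed copy of the loop protection "before" output above, trimmed to four ports.
BEFORE = """\
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/3.0   128:516    128:516         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/4.0   128:517    128:517         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/5.0   128:518    128:518         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/6.0   128:519    128:2           16384.00aabbcc0348  20000   BLK    ALT
"""
# Constructed composite: ge-0/0/5.0 tripped BPDU protection, ge-0/0/6.0 tripped loop protection.
AFTER = """\
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
ge-0/0/3.0   128:516    128:516         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/4.0   128:517    128:517         32768.0019e2503f00  20000   FWD    DESG
ge-0/0/5.0   128:518    128:518         32768.0019e2503f00  20000   BLK    DIS
(BpduIncon)
ge-0/0/6.0   128:519    128:519         32768.0019e2503f00  20000   BLK    DIS
(Loop-Incon)
"""


def parse_stp_interfaces(text):
    """Return {instance: {interface: row}}; a flag line is attached to the row above it."""
    instances, instance, last = {}, None, None
    for line in text.splitlines():
        m = INSTANCE_RE.match(line)
        if m:
            instance = m.group("inst")
            instances[instance] = {}
            last = None
            continue
        m = ROW_RE.match(line)
        if m and instance is not None:
            row = m.groupdict()
            row["cost"] = int(row["cost"])
            instances[instance][row["iface"]] = row
            last = row
            continue
        m = FLAG_RE.match(line)
        if m and last is not None:
            last["flag"] = m.group("flag")
    return instances


def inconsistent_ports(instances):
    """(instance, interface, flag) for every port parked by BPDU or loop protection."""
    return [
        (inst, iface, row["flag"])
        for inst in sorted(instances, key=int)
        for iface, row in instances[inst].items()
        if row.get("flag") and row["flag"].endswith("Incon")
    ]


def role_changes(before, after):
    """(instance, interface, old (state, role), new (state, role)) for every port that moved."""
    changes = []
    for inst in sorted(after, key=int):
        for iface, row in after[inst].items():
            old = before.get(inst, {}).get(iface)
            old_sr = None if old is None else (old["state"], old["role"])
            new_sr = (row["state"], row["role"])
            if old_sr != new_sr:
                changes.append((inst, iface, old_sr, new_sr))
    return changes


if __name__ == "__main__":
    before, after = parse_stp_interfaces(BEFORE), parse_stp_interfaces(AFTER)
    print("inconsistent:", inconsistent_ports(after))
    print("changed:", role_changes(before, after))
```

The two functions answer different questions: inconsistent_ports tells you which ports a protection feature has parked right now, while role_changes catches the transition itself, including the case where an alternate port silently became designated and started forwarding because loop protection was not configured on it.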

Related Topics

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427
Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches on page 476
Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 463
Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 467
Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches on page 423

Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches

EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). Root protection increases the efficiency of STP, RSTP, and MSTP by allowing
network administrators to manually enforce the root bridge placement in the network.
This example describes how to configure root protection on an interface on an
EX-series switch:

Requirements on page 476
Overview and Topology on page 476
Configuration on page 479
Verification on page 479

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.1 or later for EX-series switches

Four EX-series switches in an RSTP topology

Before you configure the interface for root protection, be sure you have:

RSTP operating on the switches.

NOTE: By default, RSTP is enabled on all EX-series switches.

Overview and Topology

Peer STP applications running on switch interfaces exchange a special type of frame
called a bridge protocol data unit (BPDU). Switches communicate interface information
using BPDUs to create a loop-free topology that ultimately determines the root bridge
and which interfaces block or forward traffic in the spanning tree.
However, a root port elected through this process has the possibility of being wrongly
elected. A user bridge application running on a PC can generate BPDUs, too, and
interfere with root port election.
To prevent this from happening, enable root protection on interfaces that should not
receive superior BPDUs from the root bridge and should not be elected as the root
port. These interfaces are typically located on an administrative boundary and are
designated ports.
When root protection is enabled on an interface:

The interface is blocked from becoming the root port.
Root protection is enabled for all STP instances on that interface.
The interface is blocked only for instances for which it receives superior BPDUs.
Otherwise, it participates in the spanning-tree topology.

CAUTION: An interface can be configured for either root protection or loop protection,
but not for both.
Four EX-series switches are displayed in Figure 25 on page 478. In this example, they
are configured for RSTP and create a loop-free topology. Interface ge-0/0/7 on Switch
1 is a designated port on an administrative boundary. It connects to Switch 4. Switch
3 is the root bridge. Interface ge-0/0/6 on Switch 1 is the root port.
This example shows how to configure root protection on interface ge-0/0/7 to prevent
it from transitioning to become the root port.


Figure 25: Network Topology for Root Protection

Table 66 on page 478 shows the components that will be configured for root protection.

Table 66: Components of the Topology for Configuring Root Protection on EX-series Switches

Property   Settings
Switch 1   Switch 1 is connected to Switch 4 through interface ge-0/0/7.
Switch 2   Switch 2 is connected to Switch 1 and Switch 3. Interface ge-0/0/4 is the alternate port in the RSTP topology.
Switch 3   Switch 3 is the root bridge and is connected to Switch 1 and Switch 2.
Switch 4   Switch 4 is connected to Switch 1. After root protection is configured on interface ge-0/0/7, Switch 4 will send superior BPDUs that will trigger root protection on interface ge-0/0/7.

A spanning tree topology contains ports that have specific roles:

The root port is responsible for forwarding data to the root bridge.

The alternate port is a standby port for the root port. When a root port goes
down, the alternate port becomes the active root port.

The designated port forwards data to the downstream network segment or
device.

This configuration example uses an RSTP topology. However, you also can configure
root protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy
level.

Configuration

To configure root protection on an interface:

CLI Quick Configuration

To quickly configure root protection on interface ge-0/0/7, copy the following
command and paste it into the switch terminal window:

[edit]
set protocols rstp interface ge-0/0/7 no-root-port

Step-by-Step Procedure

To configure root protection:

1. Configure interface ge-0/0/7:

[edit protocols rstp]
user@switch# set interface ge-0/0/7 no-root-port

Results

Check the results of the configuration:


user@switch> show configuration protocols rstp
interface ge-0/0/7.0 {
no-root-port;
}

Verification
To confirm that the configuration is working properly:

Displaying the Interface State Before Root Protection Is Triggered on page 479

Verifying That Root Protection Is Working on the Interface on page 480

Displaying the Interface State Before Root Protection Is Triggered

Purpose

Before root protection is triggered on interface ge-0/0/7, confirm the interface state.

Action

Use the operational mode command show spanning-tree interface (see page 564):

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID   Designated   Designated           Port    State  Role
                       port ID      bridge ID            Cost
ge-0/0/0.0   128:513   128:513      32768.0019e2503f00   20000   BLK    DIS
ge-0/0/1.0   128:514   128:514      32768.0019e2503f00   20000   BLK    DIS
ge-0/0/2.0   128:515   128:515      32768.0019e2503f00   20000   BLK    DIS
ge-0/0/3.0   128:516   128:516      32768.0019e2503f00   20000   FWD    DESG
ge-0/0/4.0   128:517   128:517      32768.0019e2503f00   20000   FWD    DESG
ge-0/0/5.0   128:518   128:2        16384.00aabbcc0348   20000   BLK    ALT
ge-0/0/6.0   128:519   128:1        16384.00aabbcc0348   20000   FWD    ROOT
ge-0/0/7.0   128:520   128:520      32768.0019e2503f00   20000   FWD    DESG
[output truncated]

Meaning

The output from the operational mode command show spanning-tree interface shows
that ge-0/0/7.0 is a designated port in a forwarding state.

Verifying That Root Protection Is Working on the Interface

Purpose

A configuration change takes place on Switch 4. A smaller bridge priority on
Switch 4 causes it to send superior BPDUs to interface ge-0/0/7. Receipt of superior
BPDUs on interface ge-0/0/7 will trigger root protection. Verify that root protection
is operating on interface ge-0/0/7.

Action

Use the operational mode command show spanning-tree interface (see page 564):

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID   Designated   Designated           Port    State  Role
                       port ID      bridge ID            Cost
ge-0/0/0.0   128:513   128:513      32768.0019e2503f00   20000   BLK    DIS
ge-0/0/1.0   128:514   128:514      32768.0019e2503f00   20000   BLK    DIS
ge-0/0/2.0   128:515   128:515      32768.0019e2503f00   20000   BLK    DIS
ge-0/0/3.0   128:516   128:516      32768.0019e2503f00   20000   FWD    DESG
ge-0/0/4.0   128:517   128:517      32768.0019e2503f00   20000   FWD    DESG
ge-0/0/5.0   128:518   128:2        16384.00aabbcc0348   20000   BLK    ALT
ge-0/0/6.0   128:519   128:1        16384.00aabbcc0348   20000   FWD    ROOT
ge-0/0/7.0   128:520   128:520      32768.0019e2503f00   20000   BLK    DIS
  (RootIncon)
[output truncated]

Meaning

The operational mode command show spanning-tree interface (see page 564) shows that
interface ge-0/0/7.0 has transitioned to a root inconsistent (RootIncon) state. The root
inconsistent state makes the interface block and prevents the interface from becoming
a candidate for the root port. When the interface no longer receives superior STP
BPDUs, it recovers and transitions back to a forwarding state. Recovery is automatic.
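To turn the two captures above into an alert rather than a manual comparison, here is an added example (not from the Juniper guide) that parses the show spanning-tree interface table, attaches a (RootIncon) continuation line to its interface, and reports ports that root protection has newly blocked. The sample captures are trimmed transcriptions of this page's output; collecting them from the switch (for example over SSH on a schedule) is left to the caller and is an assumption of this example.

```python
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# One data row of the table: interface, port ID, designated port ID, designated
# bridge ID, port cost, state, role, and an optional trailing "(RootIncon)" flag.
ROW = re.compile(
    r"^(?P<ifname>\S+\.\d+)\s+(?P<port_id>\d+:\d+)\s+(?P<desg_port_id>\d+:\d+)\s+"
    r"(?P<desg_bridge>\d+\.[0-9a-fA-F]+)\s+(?P<cost>\d+)\s+(?P<state>[A-Z]+)\s+"
    r"(?P<role>[A-Z]+)(?:\s+\((?P<flag>[A-Za-z-]+)\))?\s*$"
)
# The flag may instead be printed alone on the line below its interface, as on this page.
FLAG = re.compile(r"^\s*\((?P<flag>[A-Za-z-]+)\)\s*$")


@dataclass(frozen=True)
class StpPort:
    ifname: str
    port_id: str
    desg_port_id: str
    desg_bridge: str
    cost: int
    state: str                  # BLK or FWD
    role: str                   # ROOT, ALT, DESG or DIS
    flag: Optional[str] = None  # e.g. RootIncon


@dataclass(frozen=True)
class RootProtectionEvent:
    ifname: str
    previous_state: str
    previous_role: str
    state: str
    role: str


def parse_stp_interfaces(text: str) -> Dict[str, StpPort]:
    """Parse one capture of 'show spanning-tree interface' into rows keyed by interface."""
    ports: Dict[str, StpPort] = {}
    last: Optional[str] = None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            g = m.groupdict()
            ports[g["ifname"]] = StpPort(g["ifname"], g["port_id"], g["desg_port_id"],
                                         g["desg_bridge"], int(g["cost"]),
                                         g["state"], g["role"], g["flag"])
            last = g["ifname"]
            continue
        f = FLAG.match(line)
        if f and last is not None:   # continuation line belongs to the previous row
            ports[last] = replace(ports[last], flag=f.group("flag"))
    return ports


def is_root_inconsistent(port: StpPort) -> bool:
    """True when root protection holds the port blocked (flag such as RootIncon)."""
    return port.flag is not None and port.flag.lower().startswith("root")


def root_protection_events(before: Dict[str, StpPort],
                           after: Dict[str, StpPort]) -> List[RootProtectionEvent]:
    """Interfaces that are root-inconsistent in 'after' but were not in 'before'."""
    events: List[RootProtectionEvent] = []
    for ifname, port in after.items():
        prev = before.get(ifname)
        if is_root_inconsistent(port) and not (prev and is_root_inconsistent(prev)):
            events.append(RootProtectionEvent(ifname, prev.state if prev else "?",
                                              prev.role if prev else "?",
                                              port.state, port.role))
    return events


# Sample captures, transcribed (trimmed to four rows) from this page's example output.
HEADER = """Spanning tree interface parameters for instance 0
Interface    Port ID   Designated   Designated           Port    State  Role
                       port ID      bridge ID            Cost
"""
BEFORE = HEADER + """ge-0/0/4.0   128:517   128:517      32768.0019e2503f00   20000   FWD    DESG
ge-0/0/5.0   128:518   128:2        16384.00aabbcc0348   20000   BLK    ALT
ge-0/0/6.0   128:519   128:1        16384.00aabbcc0348   20000   FWD    ROOT
ge-0/0/7.0   128:520   128:520      32768.0019e2503f00   20000   FWD    DESG
[output truncated]
"""
AFTER = HEADER + """ge-0/0/4.0   128:517   128:517      32768.0019e2503f00   20000   FWD    DESG
ge-0/0/5.0   128:518   128:2        16384.00aabbcc0348   20000   BLK    ALT
ge-0/0/6.0   128:519   128:1        16384.00aabbcc0348   20000   FWD    ROOT
ge-0/0/7.0   128:520   128:520      32768.0019e2503f00   20000   BLK    DIS
  (RootIncon)
[output truncated]
"""

if __name__ == "__main__":
    for ev in root_protection_events(parse_stp_interfaces(BEFORE),
                                     parse_stp_interfaces(AFTER)):
        print(f"root protection triggered on {ev.ifname}: "
              f"{ev.previous_role}/{ev.previous_state} -> {ev.role}/{ev.state}")
```

Because recovery is automatic once the superior BPDUs stop, a port that flips between RootIncon and forwarding repeatedly is worth investigating as a persistent rogue bridge behind that boundary port.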

Chapter 34: Examples of Configuring Spanning Trees

Related Topics

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427

Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 472

Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 463

Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 467

Understanding Root Protection for STP, RSTP, and MSTP on EX-series Switches on page 424


Chapter 35
Configuration Statements for Bridging, VLANs, and Spanning Trees

[edit vlans] Configuration Statement Hierarchy on page 483

[edit interfaces] Configuration Statement Hierarchy on page 483

[edit protocols] Configuration Statement Hierarchy on page 484

[edit vlans] Configuration Statement Hierarchy

vlans {
    vlan-name {
        mac-limit action;
        description text-description;
        filter input filter-name;
        filter output filter-name;
        l3-interface vlan.logical-interface-number;
        mac-table-aging-time seconds;
        vlan-id number;
        vlan-range vlan-id-low-vlan-id-high;
    }
}
Related Topics

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369

Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376

Example: Configure Automatic VLAN Administration Using GVRP on page 393

Example: Connecting an Access Switch to a Distribution Switch on page 384

Understanding Bridging and VLANs on EX-series Switches on page 359

[edit interfaces] Configuration Statement Hierarchy

interfaces {
    ae-x {
        aggregated-ether-options {
            lacp mode {
                periodic interval;
            }
        }
    }
    ge-chassis/pic/port {
        description text;
        ether-options {
            802.3ad aex;
            auto-negotiation;
            flow-control;
            link-mode mode;
            speed (speed | auto-negotiation | no-autonegotiation);
        }
        mtu bytes;
        unit logical-unit-number {
            family ethernet-switching {
                filter input filter-name;
                filter output filter-name;
                l3-interface interface-name-logical-unit-number;
                native-vlan-id vlan-id;
                port-mode mode;
                vlan {
                    members [ (names | vlan-ids) ];
                    translate vlan-id1 vlan-id2;
                }
            }
            vlan-id vlan-id-number;
        }
        vlan-tagging;
    }
}
Related Topics

EX-series Switches Interfaces Overview on page 259

Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 293

Configuring a Layer 3 Subinterface (CLI Procedure)

[edit protocols] Configuration Statement Hierarchy

protocols {
    dot1x {
        authenticator {
            authentication-profile-name access-profile-name;
            static {
                mac-address {
                    vlan-assignment (vlan-id | vlan-name);
                    interface interface-names;
                }
            }
            interface (all | interface-name) {
                disable;
                guest-vlan (vlan-name | vlan-id);
                maximum-requests seconds;
                no-reauthentication;
                quiet-period seconds;
                reauthentication {
                    interval seconds;
                }
                retries number;
                server-timeout seconds;
                supplicant (single | single-secure | multiple);
                supplicant-timeout seconds;
                transmit-period seconds;
            }
        }
    }
    gvrp {
        <enable | disable>;
        interface (all | [interface-name]) {
            disable;
        }
        join-timer milliseconds;
        leave-timer milliseconds;
        leaveall-timer milliseconds;
    }
    igmp-snooping {
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable>
                <match regex>;
            flag flag (detail | disable | receive | send);
        }
        vlan (vlan-id | vlan-number) {
            disable {
                interface interface-name;
            }
            immediate-leave;
            interface interface-name {
                multicast-router-interface;
                static {
                    group ip-address;
                }
            }
            query-interval seconds;
            query-last-member-interval seconds;
            query-response-interval seconds;
            robust-count number;
        }
    }
    lldp {
        disable;
        advertisement-interval seconds;
        hold-multiplier number;
        interface (all | interface-name) {
            disable;
        }
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable>
                <match regex>;
            flag flag (detail | disable | receive | send);
        }
        transmit-delay seconds;
    }
    lldp-med {
        disable;
        fast-start number;
        interface (all | interface-name) {
            disable;
            location {
                elin number;
                civic-based {
                    what number;
                    country-code code;
                    ca-type {
                        number {
                            ca-value value;
                        }
                    }
                }
            }
        }
    }
    mstp {
        disable;
        bpdu-block-on-edge;
        bridge-priority priority;
        configuration-name name;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        max-hops hops;
        msti msti-id {
            vlan (vlan-id | vlan-name);
            interface interface-name {
                disable;
                cost cost;
                edge;
                mode mode;
                priority priority;
            }
        }
        revision-level revision-level;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable |
                no-world-readable>;
            flag flag;
        }
    }
    rstp {
        disable;
        bpdu-block-on-edge;
        bridge-priority priority;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable |
                no-world-readable>;
            flag flag;
        }
    }
    stp {
        disable;
        bridge-priority priority;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable |
                no-world-readable>;
            flag flag;
        }
    }
}
Related Topics

802.1X for EX-series Switches Overview on page 639

Example: Configure Automatic VLAN Administration Using GVRP on page 393

IGMP Snooping on EX-series Switches Overview on page 581

Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

Understanding MSTP for EX-series Switches on page 422

Understanding RSTP for EX-series Switches on page 421

Understanding STP for EX-series Switches on page 420

alarm

Syntax

alarm;

Hierarchy Level

[edit protocols mstp interface (all | interface-name) bpdu-timeout-action],
[edit protocols rstp interface (all | interface-name) bpdu-timeout-action],
[edit protocols stp interface (all | interface-name) bpdu-timeout-action]

Release Information

Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description

For interfaces configured for loop protection, configure the software to generate a
message to be sent to the system log file to record the loop-protection event.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge on page 560

show spanning-tree interface on page 564

Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427

Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 472

Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches on page 423

block

Syntax

block;

Hierarchy Level

[edit protocols mstp interface (all | interface-name) bpdu-timeout-action],
[edit protocols rstp interface (all | interface-name) bpdu-timeout-action],
[edit protocols stp interface (all | interface-name) bpdu-timeout-action]

Release Information

Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description

Configure loop protection on a specific interface.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge on page 560

show spanning-tree interface on page 564

Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427

Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 472

Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches on page 423

bpdu-block

Syntax

bpdu-block {
    interface (all | [interface-name]);
    disable-timeout timeout;
}

Hierarchy Level

[edit ethernet-switching-options]

Release Information

Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description

Configure BPDU protection on an interface. If the interface receives BPDUs, it is
disabled.
The statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge on page 560

show spanning-tree interface on page 564

clear ethernet-switching bpdu-error on page 542

Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 467

Unblocking an Interface That Receives BPDUs in Error (CLI Procedure) on page 415

Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427

bpdu-block-on-edge

Syntax

bpdu-block-on-edge;

Hierarchy Level

[edit protocols mstp],
[edit protocols rstp]

Release Information

Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description

Configure bridge protocol data unit (BPDU) protection on all edge ports of a switch.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge on page 560

show spanning-tree interface on page 564

clear ethernet-switching bpdu-error on page 542

Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427

Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 463

bpdu-timeout-action

Syntax

bpdu-timeout-action {
    block;
    alarm;
}

Hierarchy Level

[edit protocols mstp interface (all | interface-name)],
[edit protocols rstp interface (all | interface-name)],
[edit protocols stp interface (all | interface-name)]

Release Information

Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description

Configure the BPDU timeout action on a specific interface. You must configure at
least one action (alarm, block, or both).
The statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge on page 560

show spanning-tree interface on page 564

Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427

Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX-series Switches on page 472

Understanding Loop Protection for STP, RSTP, and MSTP on EX-series Switches on page 423

bridge-priority

Syntax

bridge-priority priority;

Hierarchy Level

[edit protocols mstp],
[edit protocols mstp msti msti-id],
[edit protocols rstp],
[edit protocols stp]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure the bridge priority. The bridge priority determines which bridge is elected
as the root bridge. If two bridges have the same path cost to the root bridge, the
bridge priority determines which bridge becomes the designated bridge for a LAN
segment.

Default

32,768

Options

priority: Bridge priority. It can be set only in increments of 4096.
Range: 0 through 61,440
Default: 32,768

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge on page 560

show spanning-tree interface on page 564

Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441

Understanding MSTP for EX-series Switches on page 422

configuration-name

Syntax

configuration-name configuration-name;

Hierarchy Level

[edit protocols mstp]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Specify the configuration name. The configuration name is the MSTP region name
carried in the MSTP BPDUs.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge on page 560

show spanning-tree interface on page 564

Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427

Understanding MSTP for EX-series Switches on page 422

cost

Syntax

cost cost;

Hierarchy Level

[edit protocols mstp interface (all | interface-name)],
[edit protocols mstp msti msti-id interface interface-name],
[edit protocols rstp interface (all | interface-name)],
[edit protocols stp interface (all | interface-name)]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple
Spanning Tree Protocol (MSTP), configure link cost to control which bridge is the
designated bridge and which interface is the designated interface.

Default

The link cost is determined by the link speed.

Options

cost: Link cost associated with the port.
Range: 1 through 200,000,000
Default: Link cost is determined by the link speed.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge on page 560

show spanning-tree interface on page 564

Understanding STP for EX-series Switches on page 420

Understanding MSTP for EX-series Switches on page 422

description

Syntax

description text-description;

Hierarchy Level

[edit vlans vlan-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Provide a textual description of the VLAN. The text has no effect on the operation of
the VLAN or switch.

Options

text-description: Text to describe the VLAN. It can contain letters, numbers, and
hyphens (-) and can be up to 255 characters long. If the text includes spaces,
enclose the entire text in quotation marks.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show vlans on page 570

Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369

Understanding Bridging and VLANs on EX-series Switches on page 359

disable

Syntax

disable;

Hierarchy Level

[edit protocols gvrp],
[edit protocols gvrp interface (all | [interface-name])]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Disable GVRP on the switch or on one or more interfaces.

Default

If you do not configure GVRP, it is disabled on the switch and on specific switch
interfaces.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show gvrp on page 555

Example: Configure Automatic VLAN Administration Using GVRP on page 393

disable

Syntax

disable;

Hierarchy Level

[edit protocols mstp],
[edit protocols mstp interface interface-name],
[edit protocols mstp msti msti-id vlan (vlan-id | vlan-name) interface interface-name],
[edit protocols rstp],
[edit protocols rstp interface interface-name],
[edit protocols stp],
[edit protocols stp interface interface-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Disable STP, MSTP, or RSTP on the switch or on a specific interface.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge on page 560

show spanning-tree interface on page 564

Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427

Understanding MSTP for EX-series Switches on page 422

Understanding STP for EX-series Switches on page 420

disable-timeout

Syntax

disable-timeout timeout;

Hierarchy Level

[edit ethernet-switching-options bpdu-block]

Release Information

Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description

For interfaces configured for BPDU protection, specify the amount of time an interface
receiving BPDUs is disabled.

Default

The disable timeout is not enabled.

Options

timeout: Amount of time, in seconds, the interface receiving BPDUs is disabled.
Once the timeout expires, the interface is brought back into service.
Range: 10 through 3600 seconds

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge on page 560

show spanning-tree interface on page 564

Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427

Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 467

Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 422

edge

Syntax

edge;

Hierarchy Level

[edit protocols mstp interface (all | interface-name)],
[edit protocols mstp msti msti-id interface interface-name],
[edit protocols rstp interface (all | interface-name)],
[edit protocols stp interface (all | interface-name)]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple
Spanning Tree Protocol (MSTP), configure interfaces as edge interfaces. Edge interfaces
immediately transition to a forwarding state.

Default

Edge interfaces are not enabled.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge on page 560

show spanning-tree interface on page 564

Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427

Understanding MSTP for EX-series Switches on page 422

Understanding STP for EX-series Switches on page 420

ethernet-switching-options

Syntax

ethernet-switching-options {
    analyzer {
        name {
            loss-priority priority;
            ratio number;
            input {
                ingress {
                    interface (all | interface-name);
                    vlan (vlan-id | vlan-name);
                }
                egress {
                    interface (all | interface-name);
                }
            }
            output {
                interface interface-name;
                vlan (vlan-id | vlan-name);
            }
        }
    }
    bpdu-block {
        interface (all | [interface-name]);
        disable-timeout timeout;
    }
    redundant-trunk-group {
        group-name name {
            interface interface-name <primary>;
            interface interface-name;
        }
    }
    secure-access-port {
        interface (all | interface-name) {
            allowed-mac {
                mac-address-list;
            }
            (dhcp-trusted | no-dhcp-trusted);
            mac-limit limit action action;
            static-ip ip-address {
                vlan vlan-name;
                mac mac-address;
            }
        }
        vlan (all | vlan-name) {
            (arp-inspection | no-arp-inspection);
            (examine-dhcp | no-examine-dhcp);
            (ip-source-guard | no-ip-source-guard);
            mac-move-limit limit action action;
        }
    }
    storm-control {
        interface (all | interface-name) {
            level level;
            no-broadcast;
            no-unknown-unicast;
        }
    }
    traceoptions {
        file filename <files number> <no-stamp> <replace> <size size> <world-readable |
            no-world-readable>;
        flag flag <disable>;
    }
    voip {
        interface (all | [interface-name | access-ports]) {
            vlan vlan-name;
            forwarding-class <assured-forwarding | best-effort | expedited-forwarding |
                network-control>;
        }
    }
}

Hierarchy Level

[edit]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.
Support for storm control and BPDU protection added in JUNOS Release 9.1.

Description

Configure Ethernet switching options.
The statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 422

Port Mirroring on EX-series Switches Overview on page 1123

Port Security for EX-series Switches Overview on page 654

Understanding Redundant Trunk Links on EX-series Switches on page 365

Understanding Storm Control on EX-series Switches on page 367

Understanding 802.1X and VoIP on EX-series Switches on page 652

filter

Syntax

filter (input | output) filter-name;

Hierarchy Level

[edit vlans vlan-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Apply a firewall filter to traffic coming into or exiting from the VLAN.

Default

All incoming traffic is accepted unmodified to the VLAN, and all outgoing traffic is
sent unmodified from the VLAN.

Options

filter-name: Name of a firewall filter defined in a filter statement.
input: Apply a firewall filter to VLAN ingress traffic.
output: Apply a firewall filter to VLAN egress traffic.

Required Privilege Level

interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923

Configuring Firewall Filters (CLI Procedure) on page 945

Configuring Firewall Filters (J-Web Procedure) on page 950

Firewall Filters for EX-series Switches Overview on page 899

forward-delay

Syntax

forward-delay seconds;

Hierarchy Level

[edit protocols mstp],
[edit protocols rstp],
[edit protocols stp]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple
Spanning Tree Protocol (MSTP), specify how long a bridge interface remains in the
listening and learning states before transitioning to the forwarding state.

Default

15 seconds

Options

seconds: Number of seconds the bridge interface remains in the listening and learning
states.
Range: 4 through 30 seconds
Default: 15 seconds

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show spanning-tree bridge on page 560

show spanning-tree interface on page 564

Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441

Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427

Understanding MSTP for EX-series Switches on page 422

Understanding STP for EX-series Switches on page 420

group-name

Syntax

group-name name {
    interface interface-name <primary>;
    interface interface-name;
}

Hierarchy Level

[edit ethernet-switching-options redundant-trunk-group]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Create a redundant trunk group.

Options

name: The name of the redundant trunk group. The group name must start with a
letter and can consist of letters, numbers, dashes, and underscores.
The remaining options are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Redundant Trunk Links for Faster Recovery on page 400

Understanding Redundant Trunk Links on EX-series Switches on page 365

gvrp

Syntax
gvrp {
<enable | disable>;
interface (all | [interface-name]) {
disable;
}
join-timer milliseconds;
leave-timer milliseconds;
leaveall-timer milliseconds;
}

Hierarchy Level
[edit protocols]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure GARP VLAN Registration Protocol (GVRP). GVRP configured in the network allows switches to declare and register VLAN information. You can configure one switch manually with all the VLANs needed in a network, and from that single switch, all VLAN information will be learned dynamically by the other switches in the Layer 2 network.
The statements are explained separately.

Default
GVRP is disabled by default.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show gvrp on page 555
Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376
Example: Configure Automatic VLAN Administration Using GVRP on page 393

hello-time

Syntax
hello-time seconds;

Hierarchy Level
[edit protocols mstp],
[edit protocols rstp],
[edit protocols stp]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple Spanning Tree Protocol (MSTP), the time interval at which the root bridge transmits configuration BPDUs.

Default
2 seconds

Options
seconds: Number of seconds between transmissions of configuration BPDUs.
Range: 1 through 10 seconds
Default: 2 seconds

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show spanning-tree bridge on page 560
show spanning-tree interface on page 564
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427
Understanding MSTP for EX-series Switches on page 422
Understanding STP for EX-series Switches on page 420

interface

Syntax
interface (all | [interface-name]);

Hierarchy Level
[edit ethernet-switching-options bpdu-block]

Release Information
Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description
Apply BPDU protection to all interfaces or one or more interfaces.

Options
all: All interfaces.
interface-name: Name of a Gigabit Ethernet interface.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show spanning-tree bridge on page 560
show spanning-tree interface on page 564
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427
Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 467
Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 422

interface

Syntax
interface (all | [interface-name]) {
<enable | disable>;
}

Hierarchy Level
[edit protocols gvrp]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure GARP VLAN Registration Protocol (GVRP) for one or more interfaces.

Default
By default, GVRP is disabled.

Options
all: All interfaces.
interface-name: The list of interfaces to be configured for GVRP.
The remaining statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show gvrp on page 555
Example: Configure Automatic VLAN Administration Using GVRP on page 393

interface

Syntax
interface interface-name <primary>;
interface interface-name;

Hierarchy Level
[edit ethernet-switching-options redundant-trunk-group group-name name]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure a primary link and secondary link on trunk ports. If the primary link fails, the secondary link automatically takes over as the primary link without waiting for normal STP convergence.

Options
interface interface-name: A logical interface or an aggregated interface containing multiple ports.
primary: (Optional) Specify one of the interfaces in the redundant group as the primary link. The interface without this option is the secondary link in the redundant group. If a link is not specified as primary, the software compares the two links and selects the link with the highest port number as the active link. For example, if the two interfaces are ge-0/1/0 and ge-0/1/1, the software assigns ge-0/1/1 as the active link.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring Redundant Trunk Links for Faster Recovery on page 400
Understanding Redundant Trunk Links on EX-series Switches on page 365
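As an added example that is not part of the JUNOS guide, the following Python models the active-link rule just described: a configured primary is active while its link is up, otherwise the link with the highest port number among the links that are up. The failover step (a failed primary handing over to the secondary) follows the Description; the interface-name parser, the group-name check and the tie-break on PIC and FPC are this example's own assumptions.

```python
"""Active-link selection for a redundant trunk group (added example; not
JUNOS code). Interface names such as ge-0/1/1 are parsed as
media-fpc/pic/port, a layout assumed here for the example."""
import re
from typing import Iterable, Optional

_IFNAME = re.compile(r"^(?P<media>[a-z]+)-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)$")

# Group-name rule from the group-name statement: starts with a letter,
# then letters, numbers, dashes and underscores.
_GROUP_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


def parse_ifname(name: str) -> tuple[str, int, int, int]:
    """Split 'ge-0/1/1' into ('ge', 0, 1, 1); raise on anything else."""
    m = _IFNAME.match(name)
    if m is None:
        raise ValueError(f"not a chassis/slot/port interface name: {name!r}")
    return m["media"], int(m["fpc"]), int(m["pic"]), int(m["port"])


def valid_group_name(name: str) -> bool:
    """True when the name satisfies the group-name naming rule."""
    return _GROUP_NAME.match(name) is not None


def active_link(links: Iterable[str], up: Iterable[str],
                primary: Optional[str] = None) -> Optional[str]:
    """Return the link the group would use as active, or None if both are down.

    links:   the two interface names configured under group-name.
    up:      the subset of those names whose link is currently up.
    primary: the interface configured with the <primary> option, if any.
    """
    links = list(links)
    if len(links) != 2:
        raise ValueError("a redundant trunk group holds exactly two interfaces")
    if primary is not None and primary not in links:
        raise ValueError(f"primary {primary!r} is not a member of the group")
    for name in links:
        parse_ifname(name)  # reject malformed names early

    up_set = set(up)
    candidates = [name for name in links if name in up_set]
    if not candidates:
        return None
    # A configured primary is active whenever its link is up; if it has
    # failed, the remaining (secondary) link takes over.
    if primary in candidates:
        return primary
    if primary is not None:
        return candidates[0]

    # No primary configured: the link with the highest port number wins.
    # Ties on port number are broken on PIC, then FPC (assumption).
    def rank(name: str) -> tuple[int, int, int]:
        _, fpc, pic, port = parse_ifname(name)
        return (port, pic, fpc)

    return max(candidates, key=rank)


def main() -> None:
    group = ["ge-0/1/0", "ge-0/1/1"]          # constructed sample group
    print(active_link(group, up=group))                             # ge-0/1/1
    print(active_link(group, up=group, primary="ge-0/1/0"))         # ge-0/1/0
    print(active_link(group, up=["ge-0/1/1"], primary="ge-0/1/0"))  # ge-0/1/1
    print(active_link(group, up=[]))                                # None


if __name__ == "__main__":
    main()
```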

interface

Syntax
interface (all | interface-name) {
level level;
no-broadcast;
no-unknown-unicast;
}

Hierarchy Level
[edit ethernet-switching-options storm-control]

Release Information
Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description
Apply storm control to all interfaces or to the specified interface.
The statements are explained separately.

Default
Storm control is disabled.

Options
all: Apply storm control to all interfaces.
interface-name: Apply storm control to the specified interface.
The remaining statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 404
Understanding Storm Control on EX-series Switches on page 367

interface

Syntax
interface interface-name {
disable;
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}

Hierarchy Level
[edit protocols mstp],
[edit protocols mstp msti],
[edit protocols rstp],
[edit protocols stp]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple Spanning Tree Protocol (MSTP), configure an interface.

Options
interface-name: Name of a Gigabit Ethernet interface.
The remaining statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show spanning-tree bridge on page 560
show spanning-tree interface on page 564
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427
Understanding MSTP for EX-series Switches on page 422
Understanding RSTP for EX-series Switches on page 421
Understanding STP for EX-series Switches on page 420

join-timer

Syntax
join-timer milliseconds;

Hierarchy Level
[edit protocols gvrp]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
For GARP VLAN Registration Protocol (GVRP), configure the maximum number of milliseconds interfaces must wait before sending VLAN advertisements.

Default
20 centiseconds

Options
milliseconds: Number of milliseconds.
Default: 20 centiseconds

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show gvrp on page 555
Example: Configure Automatic VLAN Administration Using GVRP on page 393

l3-interface

Syntax
l3-interface vlan.logical-interface-number;

Hierarchy Level
[edit vlans vlan-name]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Associate a Layer 3 interface with the VLAN. Configure Layer 3 interfaces on trunk ports to allow the interface to transfer traffic between multiple VLANs. Within a VLAN, traffic is bridged, while across VLANs, traffic is routed.

Default
No Layer 3 (routing) interface is associated with the VLAN.

Options
vlan.logical-interface-number: Number of the logical interface defined with a set interfaces vlan unit command. For the logical interface number, use the same number you configure in the unit statement.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show ethernet-switching interfaces on page 545
show vlans on page 570
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369
Understanding Bridging and VLANs on EX-series Switches on page 359

leaveall-timer

Syntax
leaveall-timer milliseconds;

Hierarchy Level
[edit protocols gvrp]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
For GARP VLAN Registration Protocol (GVRP), configure the interval at which Leave All messages are sent on the interfaces. Leave All messages maintain current GVRP VLAN membership information in the network. A Leave All message instructs the port to change the GVRP state for all its VLANs to a leaving state and remove them unless a Join message is received before the leave timer expires.

Default
1000 centiseconds

Options
milliseconds: Number of milliseconds.
Range: 5 times leave-timer value
Default: 1000 centiseconds

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show gvrp on page 555
Example: Configure Automatic VLAN Administration Using GVRP on page 393

leave-timer

Syntax
leave-timer milliseconds;

Hierarchy Level
[edit protocols gvrp]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
For GARP VLAN Registration Protocol (GVRP), configure the number of milliseconds an interface must wait after receiving a leave message to remove the interface from the VLAN specified in the message. If the interface receives a join message before the timer expires, the software keeps the interface in the VLAN.

Default
60 centiseconds

Options
milliseconds: Number of milliseconds. At a minimum, the leave timer interval should be twice the join timer interval.
Default: 60 centiseconds

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show gvrp on page 555
Example: Configure Automatic VLAN Administration Using GVRP on page 393

level

Syntax
level level;

Hierarchy Level
[edit ethernet-switching-options storm-control interface (all | interface-name)]

Release Information
Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description
For interfaces configured for storm control, configure the storm control level as a percentage of the combined broadcast and unknown unicast streams. The level set to 100% means no traffic storm control.

Default
When storm control is enabled on an interface, the storm control level is 80%.

Options
level: Percentage of the combined broadcast and unknown unicast streams.
Range: 0 through 100 %
Default: 80 %
The remaining statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 404
Understanding Storm Control on EX-series Switches on page 367

mac-limit

Syntax
mac-limit number;

Hierarchy Level
[edit vlans vlan-name]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure the number of MAC addresses allowed on a VLAN.

Default
MAC limit is disabled.

Options
number: Maximum number of MAC addresses.
Range: 1 through 32768

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show vlans on page 570
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369
Configuring MAC Table Aging (CLI Procedure) on page 414
Understanding Bridging and VLANs on EX-series Switches on page 359

mac-table-aging-time

Syntax
mac-table-aging-time seconds;

Hierarchy Level
[edit vlans vlan-name]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Define how long entries remain in the Ethernet switching table before expiring.

Default
300 seconds

Options
seconds: Time that entries remain in the Ethernet switching table before being removed.
Range: 15 to 1,000,000 seconds.
Default: 300 seconds.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369
Understanding Bridging and VLANs on EX-series Switches on page 359

max-age

Syntax
max-age seconds;

Hierarchy Level
[edit protocols mstp],
[edit protocols rstp],
[edit protocols stp]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple Spanning Tree Protocol (MSTP), specify the maximum age of received protocol BPDUs.

Default
20 seconds

Options
seconds: The maximum age of received protocol BPDUs.
Range: 6 through 40 seconds
Default: 20 seconds

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show spanning-tree bridge on page 560
show spanning-tree interface on page 564
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427
Understanding MSTP for EX-series Switches on page 422
Understanding STP for EX-series Switches on page 420

max-hops

Syntax
max-hops hops;

Hierarchy Level
[edit protocols mstp]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
For Multiple Spanning Tree Protocol (MSTP), configure the maximum number of hops a BPDU can be forwarded in the MSTP region.

Default
20 hops

Options
hops: Number of hops the BPDU can be forwarded.
Range: 1 through 255 hops
Default: 20 hops

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show spanning-tree bridge on page 560
show spanning-tree interface on page 564
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441
Understanding MSTP for EX-series Switches on page 422

members

Syntax
members [ (names | vlan-ids) ];

Hierarchy Level
[edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching vlan]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
For trunk interfaces, configure the VLANs for which the interface can carry traffic.

Options
names: Name of one or more VLANs.
vlan-ids: Numeric identifier of one or more VLANs. For a series of tagged VLANs, specify a range; for example, 10-20.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Configuring Interfaces on EX-series Switches (CLI Procedure)
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
Example: Connecting an Access Switch to a Distribution Switch on page 384
Creating a Series of Tagged VLANs (CLI Procedure) on page 412
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html

mode

Syntax
mode mode;

Hierarchy Level
[edit protocols mstp interface (all | interface-name)],
[edit protocols mstp msti msti-id interface interface-name],
[edit protocols rstp interface (all | interface-name)],
[edit protocols stp interface (all | interface-name)]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple Spanning Tree Protocol (MSTP), configure the link mode to identify point-to-point links.

Default
For a full-duplex link, the default link mode is point-to-point. For a half-duplex link, the default link mode is shared.

Options
mode: Link mode:
point-to-point: Link is point to point.
shared: Link is shared media.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show spanning-tree bridge on page 560
show spanning-tree interface on page 564
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427
Understanding MSTP for EX-series Switches on page 422
Understanding STP for EX-series Switches on page 420

msti

Syntax
msti msti-id {
vlan [ vlan-id ];
interface interface-name {
disable;
cost cost;
priority priority;
}
}

Hierarchy Level
[edit protocols mstp]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure the Multiple Spanning Tree Instance (MSTI) identifier for Multiple Spanning Tree Protocol (MSTP). MSTI IDs are local to each region, so you can reuse the same MSTI ID in different regions.

Default
MSTI is disabled.

Options
msti-id: MSTI identifier.
Range: 1 through 4094. The Common Instance Spanning Tree (CIST) is always MSTI 0.
The remaining statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show spanning-tree bridge on page 560
show spanning-tree interface on page 564
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441
Understanding MSTP for EX-series Switches on page 422

mstp

Syntax
mstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
configuration-name name;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
bpdu-timeout-action {
block;
alarm;
}
disable;
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
max-hops hops;
msti msti-id {
vlan (vlan-id | vlan-name);
interface interface-name {
disable;
cost cost;
priority priority;
}
}
traceoptions {
file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
flag flag;
}
revision-level revision-level;
}

Hierarchy Level
[edit protocols]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure Multiple Spanning Tree Protocol (MSTP). MSTP is defined in the IEEE 802.1Q-2003 specification and is used to create a loop-free topology in networks with multiple spanning tree regions.
The statements are explained separately.

Default
MSTP is disabled.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show spanning-tree bridge on page 560
show spanning-tree interface on page 564
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441
Understanding MSTP for EX-series Switches on page 422

native-vlan-id

Syntax
native-vlan-id vlan-id;

Hierarchy Level
[edit interfaces ge-fpc/chassis/port unit 0 family ethernet-switching]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure the VLAN identifier to associate with untagged packets received on the interface.

Options
vlan-id: Numeric identifier of the VLAN.
Range: 0 through 4095

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show vlans on page 570
show ethernet-switching interfaces on page 545
Understanding Bridging and VLANs on EX-series Switches on page 359

no-broadcast

Syntax
no-broadcast;

Hierarchy Level
[edit ethernet-switching-options storm-control interface (all | interface-name)]

Release Information
Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description
For interfaces configured for storm control, disable broadcast traffic storm control on the interface.

Default
When storm control is enabled on an interface, it is enabled for both unknown unicast traffic and broadcast traffic.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 404
Understanding Storm Control on EX-series Switches on page 367

no-root-port

Syntax
no-root-port;

Hierarchy Level
[edit protocols mstp interface (all | interface-name)],
[edit protocols rstp interface (all | interface-name)],
[edit protocols stp interface (all | interface-name)]

Release Information
Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description
Configure an interface to be a spanning tree designated port. If the bridge receives superior STP bridge protocol data units (BPDUs) on a root-protected interface, that interface transitions to a root-prevented STP state (inconsistency state) and the interface is blocked. This blocking prevents a bridge that should not be the root bridge from being elected the root bridge. When the bridge stops receiving superior STP BPDUs on the root-protected interface, interface traffic is no longer blocked.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show spanning-tree bridge on page 560
show spanning-tree interface on page 564
Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX-series Switches on page 476
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427
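As an added example, not code from the JUNOS guide, the following Python models the root-protected interface behaviour described above on constructed BPDUs: a superior BPDU (one carrying a lower root bridge ID) on a no-root-port interface moves it to the root-prevented (blocked) state, and the block lifts once superior BPDUs stop arriving. The unblock timer (taken as the max-age default of 20 seconds) and the bridge-ID ordering are assumptions of this example; an unprotected port is modelled beside it to show the topology change the statement prevents.

```python
"""Root-protection (no-root-port) state model. Added example, not JUNOS code.
A bridge ID is (priority, MAC); the numerically lower ID is the better root,
so a BPDU is 'superior' when its root ID is lower than the root this bridge
currently knows. All bridge IDs below are constructed sample values."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int
    mac_int: int  # 48-bit MAC as an integer so dataclass ordering is numeric

    @classmethod
    def parse(cls, priority: int, mac: str) -> "BridgeId":
        return cls(priority, int(mac.replace(":", ""), 16))


@dataclass
class SpanningTreePort:
    name: str
    known_root: BridgeId          # root bridge this switch has elected
    root_protected: bool = True   # True models no-root-port on the interface
    max_age: float = 20.0         # seconds; unblock timer assumed = max-age default
    blocked: bool = False         # root-prevented (inconsistency) state
    last_superior: Optional[float] = None

    def receive_bpdu(self, root_id: BridgeId, now: float) -> bool:
        """Handle one configuration BPDU; return True if the port is blocked."""
        self.tick(now)
        if root_id < self.known_root:  # superior BPDU
            if self.root_protected:
                # Root protection: block the port instead of accepting the
                # sender as root; the known root is left unchanged.
                self.blocked = True
                self.last_superior = now
            else:
                # Unprotected port: the bridge accepts the new root and the
                # topology re-converges around it.
                self.known_root = root_id
        return self.blocked

    def tick(self, now: float) -> bool:
        """Lift the block once no superior BPDU has arrived for max_age."""
        if (self.blocked and self.last_superior is not None
                and now - self.last_superior > self.max_age):
            self.blocked = False
        return self.blocked


def replay(port: SpanningTreePort, events: list) -> list:
    """Feed a constructed list of (time, root_id) BPDUs in time order and
    return the blocked state observed after each one."""
    return [port.receive_bpdu(root_id, t)
            for t, root_id in sorted(events, key=lambda e: e[0])]


def main() -> None:
    elected = BridgeId.parse(32768, "00:1f:12:00:00:01")   # constructed
    unexpected = BridgeId.parse(4096, "00:1f:12:ab:cd:ef")  # constructed, better ID
    events = [(0.0, elected), (2.0, unexpected), (4.0, unexpected), (30.0, elected)]

    protected = SpanningTreePort("ge-0/0/1", known_root=elected)
    unprotected = SpanningTreePort("ge-0/0/1", known_root=elected, root_protected=False)
    print("no-root-port :", replay(protected, events), protected.known_root == elected)
    print("unprotected  :", replay(unprotected, events), unprotected.known_root == elected)


if __name__ == "__main__":
    main()
```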

no-unknown-unicast

Syntax
no-unknown-unicast;

Hierarchy Level
[edit ethernet-switching-options storm-control interface (all | interface-name)]

Release Information
Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description
For interfaces configured for storm control, disable unknown unicast traffic storm control on the interface.

Default
When storm control is enabled on an interface, it is enabled for both unknown unicast traffic and broadcast traffic.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 404
Understanding Storm Control on EX-series Switches on page 367

port-mode

Syntax
port-mode mode;

Hierarchy Level
[edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure whether an interface on the switch operates in access or trunk mode.

Default
All switch interfaces are in access mode.

Options
access: Have the interface operate in access mode. In this mode, the interface can be in a single VLAN only. Access interfaces typically connect to network devices such as PCs, printers, IP telephones, and IP cameras.
trunk: Have the interface operate in trunk mode. In this mode, the interface can be in multiple VLANs and can multiplex traffic between different VLANs. Trunk interfaces typically connect to other switches and to routers on the LAN.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Configuring Interfaces on EX-series Switches (CLI Procedure)
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html
Example: Connecting an Access Switch to a Distribution Switch on page 384

priority

Syntax
priority priority;

Hierarchy Level
[edit protocols mstp interface (all | interface-name)],
[edit protocols mstp msti msti-id interface interface-name],
[edit protocols rstp interface (all | interface-name)],
[edit protocols stp interface (all | interface-name)]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple Spanning Tree Protocol (MSTP), the interface priority to control which interface is elected as the root port.

Default
The default value is 128.

Options
priority: Interface priority. The interface priority must be set in increments of 16.
Range: 0 through 240

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show spanning-tree bridge on page 560
show spanning-tree interface on page 564
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427
Understanding MSTP for EX-series Switches on page 422
Understanding STP for EX-series Switches on page 420

redundant-trunk-group

Syntax
redundant-trunk-group {
group-name name {
interface interface-name <primary>;
interface interface-name;
}
}

Hierarchy Level
[edit ethernet-switching-options]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure a primary link and secondary link on trunk ports. If the primary link fails, the secondary link automatically takes over without waiting for normal STP convergence.

Options
The statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring Redundant Trunk Links for Faster Recovery on page 400
Understanding Redundant Trunk Links on EX-series Switches on page 365

rstp

Syntax
rstp {
disable;
bpdu-block-on-edge;
bridge-priority priority;
forward-delay seconds;
hello-time seconds;
interface (all | interface-name) {
bpdu-timeout-action {
block;
alarm;
}
disable;
cost cost;
edge;
mode mode;
no-root-port;
priority priority;
}
max-age seconds;
traceoptions {
file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
flag flag;
}
}

Hierarchy Level
[edit protocols]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure Rapid Spanning Tree Protocol (RSTP). RSTP is defined in the IEEE 802.1D-2004 specification and is used to prevent loops in Layer 2 networks, providing shorter convergence times than those provided with basic STP.
The statements are explained separately.

Default
RSTP is enabled on all Ethernet switching interfaces.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show spanning-tree bridge on page 560
show spanning-tree interface on page 564
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427
Understanding RSTP for EX-series Switches on page 421

storm-control

Syntax
storm-control {
interface (all | interface-name) {
level level;
no-broadcast;
no-unknown-unicast;
}
}

Hierarchy Level
[edit ethernet-switching-options]

Release Information
Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description
Apply storm control to all interfaces or to the specified interfaces.
The statements are explained separately.

Default
Storm control is disabled.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring Storm Control to Prevent Network Outages on EX-series Switches on page 404
Understanding Storm Control on EX-series Switches on page 367

stp

Syntax
stp {
    disable;
    bridge-priority priority;
    forward-delay seconds;
    hello-time seconds;
    interface (all | interface-name) {
        disable;
        bpdu-timeout-action {
            block;
            alarm;
        }
        cost cost;
        edge;
        mode mode;
        no-root-port;
        priority priority;
    }
    max-age seconds;
    traceoptions {
        file filename <files number> <size size> <no-stamp | world-readable |
            no-world-readable>;
        flag flag;
    }
}

Hierarchy Level
[edit protocols]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure Spanning Tree Protocol (STP). STP is used to prevent loops in Layer 2
networks and is defined in the specification IEEE 802.1D.
The statements are explained separately.

Default
STP is enabled on all Ethernet switching ports.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show spanning-tree bridge on page 560
show spanning-tree interface on page 564
Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX-series Switches on page 463
Understanding STP for EX-series Switches on page 420


traceoptions

Syntax
traceoptions {
    file name <replace> <size size> <files number> <no-stamp>
        <(world-readable | no-world-readable)>;
    flag flag <flag-modifier> <disable>;
}

Hierarchy Level
[edit protocols mstp],
[edit protocols rstp],
[edit protocols stp]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Set STP protocol-level tracing options.

Default
Tracing is disabled.

Options
disable: (Optional) Disable the tracing operation. One use of this option is to disable
a single operation when you have defined a broad group of tracing operations,
such as all.

file name: Name of the file to receive the output of the tracing operation. Enclose
the name in quotation marks. We recommend that you place STP tracing output
in the file /var/log/stp-log.

files number: (Optional) Maximum number of trace files. When a trace file named
trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1,
and so on, until the maximum number of trace files is reached. Then, the oldest
trace file is overwritten.
If you specify a maximum number of files, you must also specify a maximum file
size with the size option.
Range: 2 through 1000 files
Default: 1 trace file only

flag: Tracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. These are the STP-specific tracing options:
    all: Trace all operations.
    all-failures: Trace all failure conditions.
    bpdu: Trace BPDU reception and transmission.
    bridge-detection-state-machine: Trace the bridge detection state machine.
    events: Trace events of the protocol state machine.
    port-information-state-machine: Trace the port information state machine.
    port-migration-state-machine: Trace the port migration state machine.
    port-receive-state-machine: Trace the port receive state machine.
    port-role-select-state-machine: Trace the port role selection state machine.
    port-role-transit-state-machine: Trace the port role transit state machine.
    port-transmit-state-machine: Trace the port transmit state machine.
    port-state-transit-state-machine: Trace the port state transit state machine.
    ppmd: Trace the state and events for the ppmd process.
    state-machine-variables: Trace when the state machine variables change.
    timers: Trace protocol timers.
    topology-change-state-machine: Trace the topology change state machine.
The following are the global tracing options:
    all: All tracing operations.
    config-internal: Trace configuration internals.
    general: Trace general events.
    normal: All normal events.
        Default: If you do not specify this option, only unusual or abnormal operations
        are traced.
    parse: Trace configuration parsing.
    policy: Trace policy operations and actions.
    regex-parse: Trace regular-expression parsing.
    route: Trace routing table changes.
    state: Trace state transitions.
    task: Trace protocol task processing.
    timer: Trace protocol task timer processing.

no-stamp: (Optional) Do not place timestamp information at the beginning of each
line in the trace file.
Default: If you omit this option, timestamp information is placed at the beginning
of each line of the tracing output.

no-world-readable: (Optional) Prevent any user from reading the log file.

replace: (Optional) Replace an existing trace file if there is one.
Default: If you do not include this option, tracing output is appended to an
existing trace file.

size size: (Optional) Maximum size of each trace file, in kilobytes (KB) or megabytes
(MB). When a trace file named trace-file reaches this size, it is renamed trace-file.0.
When the trace-file again reaches its maximum size, trace-file.0 is renamed
trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues
until the maximum number of trace files is reached. Then the oldest trace file
is overwritten.
If you specify a maximum file size, you must also specify a maximum number of
trace files with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through the maximum file size supported on your system
Default: 1 MB

world-readable: (Optional) Allow any user to read the log file.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show spanning-tree bridge on page 560
show spanning-tree interface on page 564
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches on page 427
Understanding MSTP for EX-series Switches on page 422
Understanding RSTP for EX-series Switches on page 421
Understanding STP for EX-series Switches on page 420


translate

Syntax
translate vlan-id1 vlan-id2;

Hierarchy Level
[edit interfaces ge-fpc/chassis/port unit 0 family ethernet-switching vlan]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
For trunk interfaces, have the interface change the VLAN identifier on received
packets to a different identifier.

Options
vlan-id1: Number of the VLAN identifier in received packets. This identifier is removed
from packets received on the interface.
vlan-id2: New VLAN identifier. This identifier replaces the one removed from packets
received on the interface.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show ethernet-switching interfaces on page 545
Configuring Routed VLAN Interfaces (CLI Procedure) on page 410
Understanding Bridging and VLANs on EX-series Switches on page 359


vlan

Syntax
vlan {
    members [ (names | vlan-ids) ];
    translate vlan-id1 vlan-id2;
}

Hierarchy Level
[edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
For Gigabit Ethernet and aggregated Ethernet interfaces, binds an 802.1Q VLAN tag
ID to a logical interface.
The statements are explained separately.

Required Privilege Level
interface: To view this statement in the configuration.
interface-control: To add this statement to the configuration.

Related Topics
Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376
JUNOS Network Interfaces Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html

vlan

Syntax
vlan (vlan-id | vlan-name);

Hierarchy Level
[edit protocols mstp msti msti-id]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure the VLANs for a Multiple Spanning Tree Instance (MSTI).

Default
Not enabled.

Options
vlan-id: Numeric VLAN identifier.
vlan-name: Name of the VLAN.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Understanding MSTP for EX-series Switches on page 422
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on page 441


vlan-id

Syntax
vlan-id number;

Hierarchy Level
[edit vlans vlan-name]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure an 802.1Q tag to apply to all traffic that originates on the VLAN.

Default
If you use the default factory configuration, all traffic originating on the VLAN is
untagged and has a VLAN identifier of 0.

Options
number: VLAN tag identifier.
Range: 0 through 4093.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376
Understanding Bridging and VLANs on EX-series Switches on page 359

vlan-range

Syntax
vlan-range vlan-id-low-vlan-id-high;

Hierarchy Level
[edit vlans vlan-name]

Release Information
Statement introduced in JUNOS Release 9.2 for EX-series switches.

Description
Configure multiple VLANs. Each VLAN is assigned a VLAN ID number from the range.

Default
None.

Options
vlan-id-low-vlan-id-high: Specify the first and last VLAN ID number for the group of
VLANs.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Configuring VLANs for EX-series Switches (CLI Procedure) on page 409
Configuring VLANs for EX-series Switches (J-Web Procedure) on page 407
Configuring Routed VLAN Interfaces (CLI Procedure) on page 410
Understanding Bridging and VLANs on EX-series Switches on page 359


vlans

Syntax
vlans {
    vlan-name {
        description text-description;
        filter input filter-name;
        filter output filter-name;
        interface interface-name;
        l3-interface vlan.logical-interface-number;
        mac-limit number;
        mac-table-aging-time seconds;
        vlan-id number;
        vlan-range vlan-id-low-vlan-id-high;
    }
}

Hierarchy Level
[edit]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure VLAN properties on EX-series switches.

Default
If you use the default factory configuration, all switch interfaces become part of the
VLAN default.

Options
vlan-name: Name of the VLAN. The name can contain letters, numbers, and hyphens
(-) and can be up to 255 characters long.
The remaining statements are described separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Configuring VLANs for EX-series Switches (CLI Procedure) on page 409
Configuring VLANs for EX-series Switches (J-Web Procedure) on page 407
Creating a Series of Tagged VLANs (CLI Procedure) on page 412
Configuring Routed VLAN Interfaces (CLI Procedure) on page 410
Understanding Bridging and VLANs on EX-series Switches on page 359

Chapter 36
Operational Mode Commands for Bridging, VLANs, and Spanning Trees


clear ethernet-switching bpdu-error

Syntax
clear ethernet-switching bpdu-error interface interface-name

Release Information
Command introduced in JUNOS Release 9.1 for EX-series switches.

Description
Clear bridge protocol data unit (BPDU) errors from an interface and unblock the
interface.

Options
interface-name: Clear BPDU errors on the specified interface.

Required Privilege Level
clear

Related Topics
show spanning-tree statistics on page 569
Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 422

List of Sample Output
clear ethernet-switching bpdu-error interface ge-0/0/1.0 on page 542

Sample Output

clear ethernet-switching bpdu-error interface ge-0/0/1.0
user@switch> clear ethernet-switching bpdu-error interface ge-0/0/1.0


clear gvrp statistics

Syntax
clear gvrp statistics

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Clear GARP VLAN Registration Protocol (GVRP) statistics.

Required Privilege Level
clear

Related Topics
show spanning-tree statistics on page 569
Example: Configure Automatic VLAN Administration Using GVRP on page 393

List of Sample Output
clear gvrp statistics on page 543

Sample Output

clear gvrp statistics
user@switch> clear gvrp statistics


clear spanning-tree statistics

Syntax
clear spanning-tree statistics
<interface interface-name unit logical-unit-number>;

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Reset STP statistics for all interfaces or for a specified interface.

Options
none: Reset STP counters for all interfaces.
interface-name: (Optional) The name of the interface for which statistics should be
reset.
logical-unit-number: (Optional) The logical unit number of the interface.

Required Privilege Level
clear

Related Topics
show spanning-tree bridge on page 560
show spanning-tree interface on page 564
Understanding STP for EX-series Switches on page 420

List of Sample Output
clear spanning-tree statistics on page 544

Output Fields
This command produces no output.

Sample Output

clear spanning-tree statistics
user@switch> clear spanning-tree statistics


show ethernet-switching interfaces

Syntax
show ethernet-switching interfaces
<brief | detail | summary>
<interface interface-name>

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Display information about switched Ethernet interfaces.

Options
none: (Optional) Display brief information for Ethernet-switching interfaces.
brief | detail | summary: (Optional) Display the specified level of output.
interface interface-name: (Optional) Display Ethernet-switching information for a
specific interface.

Required Privilege Level
view

List of Sample Output
show ethernet-switching interfaces on page 545
show ethernet-switching interfaces summary on page 546
show ethernet-switching interfaces brief on page 546
show ethernet-switching interfaces detail on page 546
show ethernet-switching interfaces ge-0/0/0.0 on page 547

Output Fields
Table 67 on page 545 lists the output fields for the show ethernet-switching interfaces
command. Output fields are listed in the approximate order in which they appear.

Table 67: show ethernet-switching interfaces Output Fields
(Field Name, with Level of Output in parentheses: Field Description)
Interface (all levels): Name of a switching interface.
State (none, brief, detail, summary): Interface state. Values are up or down.
VLAN members (none, brief, detail, summary): Name of a VLAN.
Blocking (none, brief, detail, summary): The forwarding state of the interface:
    blocked: Traffic is not being forwarded on the interface.
    unblocked: Traffic is forwarded on the interface.
Index (detail): The VLAN index internal to JUNOS software.
untagged | tagged (detail): Specifies whether the interface forwards 802.1Q-tagged or
untagged traffic.

Sample Output

show ethernet-switching interfaces
user@switch> show ethernet-switching interfaces
Interface     State  VLAN members  Blocking
ge-0/0/0.0    up     T1122         unblocked
ge-0/0/1.0    down   default       unblocked
ge-0/0/2.0    down   default       unblocked
ge-0/0/3.0    down   default       unblocked
ge-0/0/4.0    down   default       unblocked
ge-0/0/5.0    down   default       unblocked
ge-0/0/6.0    down   default       unblocked
ge-0/0/7.0    down   default       unblocked
ge-0/0/8.0    down   default       unblocked
ge-0/0/9.0    up     T111          unblocked
ge-0/0/10.0   down   default       unblocked
ge-0/0/11.0   down   default       unblocked
ge-0/0/12.0   down   default       unblocked
ge-0/0/13.0   down   default       unblocked
ge-0/0/14.0   down   default       unblocked
ge-0/0/15.0   down   default       unblocked
ge-0/0/16.0   down   default       unblocked
ge-0/0/17.0   down   default       unblocked
ge-0/0/18.0   down   default       unblocked
ge-0/0/19.0   up     T111          unblocked
ge-0/1/0.0    down   default       unblocked
ge-0/1/1.0    down   default       unblocked
ge-0/1/2.0    down   default       unblocked
ge-0/1/3.0    down   default       unblocked

show ethernet-switching interfaces summary
user@switch> show ethernet-switching interfaces summary
ge-0/0/0.0
ge-0/0/1.0
ge-0/0/2.0
ge-0/0/3.0
ge-0/0/8.0
ge-0/0/10.0
ge-0/0/11.0

show ethernet-switching interfaces brief
user@switch> show ethernet-switching interfaces brief
Interface     State  VLAN members   Blocking
ge-0/0/0.0    down   default        unblocked
ge-0/0/1.0    down   employee-vlan  unblocked
ge-0/0/2.0    down   employee-vlan  unblocked
ge-0/0/3.0    down   employee-vlan  unblocked
ge-0/0/8.0    down   employee-vlan  unblocked
ge-0/0/10.0   down   default        unblocked
ge-0/0/11.0   down   employee-vlan  unblocked

show ethernet-switching interfaces detail
user@switch> show ethernet-switching interfaces detail
Interface: ge-0/0/0.0 Index: 65
State: down
VLANs:
    default  untagged  unblocked
Interface: ge-0/0/1.0 Index: 66
State: down
VLANs:
    employee-vlan  untagged  unblocked
Interface: ge-0/0/2.0 Index: 67
State: down
VLANs:
    employee-vlan  untagged  unblocked
Interface: ge-0/0/3.0 Index: 68
State: down
VLANs:
    employee-vlan  untagged  unblocked
Interface: ge-0/0/8.0 Index: 69
State: down
VLANs:
    employee-vlan  untagged  unblocked
Interface: ge-0/0/10.0 Index: 70
State: down
VLANs:
    default  untagged  unblocked
Interface: ge-0/0/11.0 Index: 71
State: down
VLANs:
    employee-vlan  tagged  unblocked

show ethernet-switching interfaces ge-0/0/0.0
user@switch> show ethernet-switching interfaces ge-0/0/0.0
Interface     State  VLAN members  Blocking
ge-0/0/0.0    down   default       unblocked


show ethernet-switching mac-learning-log

Syntax
show ethernet-switching mac-learning-log

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Displays the event log of learned MAC addresses.

Required Privilege Level
view

Related Topics
show ethernet-switching table on page 550
show ethernet-switching interfaces on page 545
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369
Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376
Example: Configure Automatic VLAN Administration Using GVRP on page 393
Example: Connecting an Access Switch to a Distribution Switch on page 384

List of Sample Output
show ethernet-switching mac-learning-log on page 548

Output Fields
Table 68 on page 548 lists the output fields for the show ethernet-switching
mac-learning-log command. Output fields are listed in the approximate order in which
they appear.

Table 68: show ethernet-switching mac-learning-log Output Fields
(Field Name: Field Description)
Date and Time: Timestamp when the MAC address was added or deleted from the log.
VLAN-IDX: VLAN index. An internal value assigned by the JUNOS software for each VLAN.
MAC: Learned MAC address.
Deleted | Added: MAC address deleted or added to the MAC learning log.
Blocking: The forwarding state of the interface:
    blocked: Traffic is not being forwarded on the interface.
    unblocked: Traffic is forwarded on the interface.

Sample Output

show ethernet-switching mac-learning-log
user@switch> show ethernet-switching mac-learning-log
Mon Feb 25 08:07:05 2008
vlan_idx 7 mac 00:00:00:00:00:00 was deleted
Mon Feb 25 08:07:05 2008
vlan_idx 9 mac 00:00:00:00:00:00 was deleted
Mon Feb 25 08:07:05 2008
vlan_idx 10 mac 00:00:00:00:00:00 was deleted
Mon Feb 25 08:07:05 2008
vlan_idx 11 mac 00:00:00:00:00:00 was deleted
Mon Feb 25 08:07:05 2008
vlan_idx 12 mac 00:00:00:00:00:00 was deleted
Mon Feb 25 08:07:05 2008
vlan_idx 13 mac 00:00:00:00:00:00 was deleted
Mon Feb 25 08:07:05 2008
vlan_idx 14 mac 00:00:00:00:00:00 was deleted
Mon Feb 25 08:07:05 2008
vlan_idx 15 mac 00:00:00:00:00:00 was deleted
Mon Feb 25 08:07:05 2008
vlan_idx 16 mac 00:00:00:00:00:00 was deleted
Mon Feb 25 08:07:05 2008
vlan_idx 4 mac 00:00:00:00:00:00 was added
Mon Feb 25 08:07:05 2008
vlan_idx 6 mac 00:00:00:00:00:00 was added
Mon Feb 25 08:07:05 2008
vlan_idx 7 mac 00:00:00:00:00:00 was added
Mon Feb 25 08:07:05 2008
vlan_idx 9 mac 00:00:00:00:00:00 was added
Mon Feb 25 08:07:05 2008
vlan_idx 10 mac 00:00:00:00:00:00 was added
Mon Feb 25 08:07:05 2008
vlan_idx 11 mac 00:00:00:00:00:00 was added
Mon Feb 25 08:07:05 2008
vlan_idx 12 mac 00:00:00:00:00:00 was added
Mon Feb 25 08:07:05 2008
vlan_idx 13 mac 00:00:00:00:00:00 was added
Mon Feb 25 08:07:05 2008
vlan_idx 14 mac 00:00:00:00:00:00 was added
Mon Feb 25 08:07:05 2008
vlan_idx 15 mac 00:00:00:00:00:00 was added
Mon Feb 25 08:07:05 2008
vlan_idx 16 mac 00:00:00:00:00:00 was added
Mon Feb 25 08:07:05 2008
vlan_idx 5 mac 00:00:00:00:00:00 was added
Mon Feb 25 08:07:05 2008
vlan_idx 18 mac 00:00:05:00:00:05 was learned
Mon Feb 25 08:07:05 2008
vlan_idx 5 mac 00:30:48:90:54:89 was learned
Mon Feb 25 08:07:05 2008
vlan_idx 6 mac 00:00:5e:00:01:00 was learned
Mon Feb 25 08:07:05 2008
vlan_idx 16 mac 00:00:5e:00:01:08 was learned
Mon Feb 25 08:07:05 2008
vlan_idx 7 mac 00:00:5e:00:01:09 was learned
Mon Feb 25 08:07:05 2008
vlan_idx 8 mac 00:19:e2:50:ac:00 was learned
Mon Feb 25 08:07:05 2008
vlan_idx 12 mac 00:00:5e:00:01:04 was learned
[output truncated]
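The log above is two lines per event (a timestamp line, then a vlan_idx/mac/event line), which makes it simple to mine for MAC churn. The following added example, which is not Juniper's code, parses that output and flags any address relearned on the same VLAN index more than a chosen number of times inside a short window, a pattern worth checking when a forwarding loop or a duplicated MAC is suspected. The sample text mixes entries from the output above with constructed later entries, and treating the all-zero MAC entries as VLAN bookkeeping rather than as hosts is an assumption.

```python
"""Added example (not Juniper code): parse `show ethernet-switching mac-learning-log`
output and flag MAC addresses that are relearned repeatedly on one VLAN index."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The all-zero address accompanies the "was added" / "was deleted" entries in the
# sample output; this example assumes those are VLAN bookkeeping, not real hosts.
ZERO_MAC = "00:00:00:00:00:00"
TIME_FMT = "%a %b %d %H:%M:%S %Y"           # e.g. "Mon Feb 25 08:07:05 2008"
EVENT_RE = re.compile(
    r"vlan_idx (?P<vlan_idx>\d+) mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"was (?P<event>learned|added|deleted)$"
)

# Constructed sample: the first entries mirror the output shown above; the entries
# from 08:07:20 onwards were added to give one address a burst of relearn events.
SAMPLE_OUTPUT = """\
user@switch> show ethernet-switching mac-learning-log
Mon Feb 25 08:07:05 2008
vlan_idx 7 mac 00:00:00:00:00:00 was deleted
Mon Feb 25 08:07:05 2008
vlan_idx 7 mac 00:00:00:00:00:00 was added
Mon Feb 25 08:07:05 2008
vlan_idx 18 mac 00:00:05:00:00:05 was learned
Mon Feb 25 08:07:05 2008
vlan_idx 5 mac 00:30:48:90:54:89 was learned
Mon Feb 25 08:07:05 2008
vlan_idx 6 mac 00:00:5e:00:01:00 was learned
Mon Feb 25 08:07:20 2008
vlan_idx 5 mac 00:30:48:90:54:89 was learned
Mon Feb 25 08:07:35 2008
vlan_idx 5 mac 00:30:48:90:54:89 was learned
Mon Feb 25 08:09:00 2008
vlan_idx 5 mac 00:30:48:90:54:89 was learned
[output truncated]
"""


def parse_mac_learning_log(text):
    """Return (timestamp, vlan_idx, mac, event) tuples, one per logged event.

    Handles the two-line layout shown above (timestamp line, then event line)
    and also a timestamp and event printed on one line."""
    records = []
    timestamp = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("user@") or line == "[output truncated]":
            continue  # CLI prompt, blank line or truncation marker
        match = EVENT_RE.search(line)
        if match is None:
            timestamp = datetime.strptime(line, TIME_FMT)  # applies to the next event
            continue
        prefix = line[: match.start()].strip()
        if prefix:
            timestamp = datetime.strptime(prefix, TIME_FMT)
        if timestamp is None:
            raise ValueError(f"event without a timestamp: {line!r}")
        records.append((timestamp, int(match["vlan_idx"]), match["mac"], match["event"]))
    return records


def learn_counts(records):
    """Count 'was learned' events per (vlan_idx, mac), ignoring the all-zero MAC."""
    counts = defaultdict(int)
    for _, vlan_idx, mac, event in records:
        if event == "learned" and mac != ZERO_MAC:
            counts[(vlan_idx, mac)] += 1
    return dict(counts)


def find_relearn_churn(records, threshold=3, window_seconds=60):
    """Return (vlan_idx, mac, count) for every address learned at least `threshold`
    times within any `window_seconds` span; repeated relearning of one address is
    a sign of a forwarding loop or of two hosts claiming the same MAC."""
    stamps_by_key = defaultdict(list)
    for stamp, vlan_idx, mac, event in records:
        if event == "learned" and mac != ZERO_MAC:
            stamps_by_key[(vlan_idx, mac)].append(stamp)
    window = timedelta(seconds=window_seconds)
    findings = []
    for (vlan_idx, mac), stamps in stamps_by_key.items():
        stamps.sort()
        best, end = 0, 0
        for start in range(len(stamps)):        # sliding window over sorted times
            while end < len(stamps) and stamps[end] - stamps[start] <= window:
                end += 1
            best = max(best, end - start)
        if best >= threshold:
            findings.append((vlan_idx, mac, best))
    return findings


if __name__ == "__main__":
    events = parse_mac_learning_log(SAMPLE_OUTPUT)
    for vlan_idx, mac, count in find_relearn_churn(events):
        print(f"vlan_idx {vlan_idx}: {mac} relearned {count} times within 60 s")
```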


show ethernet-switching table

Syntax
show ethernet-switching table
<brief | detail | extensive>
<interface interface-name>

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Displays the Ethernet switching table.

Options
none: (Optional) Display brief information about the Ethernet-switching table.
brief | detail | extensive: (Optional) Display the specified level of output.
interface interface-name: (Optional) Display the Ethernet-switching table for a specific
interface.

Required Privilege Level
view

Related Topics
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369
Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376
Example: Configure Automatic VLAN Administration Using GVRP on page 393

List of Sample Output
show ethernet-switching table on page 551
show ethernet-switching table brief on page 551
show ethernet-switching table detail on page 552
show ethernet-switching table extensive on page 553
show ethernet-switching table interface ge-0/0/1 on page 554

Output Fields
Table 69 on page 550 lists the output fields for the show ethernet-switching table
command. Output fields are listed in the approximate order in which they appear.

Table 69: show ethernet-switching table Output Fields
(Field Name, with Level of Output in parentheses: Field Description)
VLAN (all levels): The name of a VLAN.
MAC address (all levels): The MAC address associated with the VLAN.
Type (all levels): The type of MAC address. Values are:
    static: The MAC address is manually created.
    learn: The MAC address is learned dynamically from a packet's source MAC address.
    flood: The MAC address is unknown and flooded to all members.
Age (all levels): The time remaining before the entry ages out and is removed from the
Ethernet switching table.
Interfaces (all levels): Interface associated with learned MAC addresses or All-members
(flood entry).
Learned (detail, extensive): For learned entries, the time at which the entry was added
to the Ethernet-switching table.

Sample Output

show ethernet-switching table
user@switch> show ethernet-switching table
Ethernet-switching table: 57 entries, 17 learned
  VLAN     MAC address        Type    Age  Interfaces
  F2       *                  Flood   -    All-members
  F2       00:00:05:00:00:03  Learn   0    ge-0/0/44.0
  F2       00:19:e2:50:7d:e0  Static  -    Router
  Linux    *                  Flood   -    All-members
  Linux    00:19:e2:50:7d:e0  Static  -    Router
  Linux    00:30:48:90:54:89  Learn   0    ge-0/0/47.0
  T1       *                  Flood   -    All-members
  T1       00:00:05:00:00:01  Learn   0    ge-0/0/46.0
  T1       00:00:5e:00:01:00  Static  -    Router
  T1       00:19:e2:50:63:e0  Learn   0    ge-0/0/46.0
  T1       00:19:e2:50:7d:e0  Static  -    Router
  T10      *                  Flood   -    All-members
  T10      00:00:5e:00:01:09  Static  -    Router
  T10      00:19:e2:50:63:e0  Learn   0    ge-0/0/46.0
  T10      00:19:e2:50:7d:e0  Static  -    Router
  T111     *                  Flood   -    All-members
  T111     00:19:e2:50:63:e0  Learn   0    ge-0/0/15.0
  T111     00:19:e2:50:7d:e0  Static  -    Router
  T111     00:19:e2:50:ac:00  Learn   0    ge-0/0/15.0
  T2       *                  Flood   -    All-members
  T2       00:00:5e:00:01:01  Static  -    Router
  T2       00:19:e2:50:63:e0  Learn   0    ge-0/0/46.0
  T2       00:19:e2:50:7d:e0  Static  -    Router
  T3       *                  Flood   -    All-members
  T3       00:00:5e:00:01:02  Static  -    Router
  T3       00:19:e2:50:63:e0  Learn   0    ge-0/0/46.0
  T3       00:19:e2:50:7d:e0  Static  -    Router
  T4       *                  Flood   -    All-members
  T4       00:00:5e:00:01:03  Static  -    Router
  T4       00:19:e2:50:63:e0  Learn   0    ge-0/0/46.0
[output truncated]

show ethernet-switching table brief
user@switch> show ethernet-switching table brief
Ethernet-switching table: 57 entries, 17 learned
  VLAN     MAC address        Type    Age  Interfaces
  F2       *                  Flood   -    All-members
  F2       00:00:05:00:00:03  Learn   0    ge-0/0/44.0
  F2       00:19:e2:50:7d:e0  Static  -    Router
  Linux    *                  Flood   -    All-members
  Linux    00:19:e2:50:7d:e0  Static  -    Router
  Linux    00:30:48:90:54:89  Learn   0    ge-0/0/47.0
  T1       *                  Flood   -    All-members
  T1       00:00:05:00:00:01  Learn   0    ge-0/0/46.0
  T1       00:00:5e:00:01:00  Static  -    Router
  T1       00:19:e2:50:63:e0  Learn   0    ge-0/0/46.0
  T1       00:19:e2:50:7d:e0  Static  -    Router
  T10      *                  Flood   -    All-members
  T10      00:00:5e:00:01:09  Static  -    Router
  T10      00:19:e2:50:63:e0  Learn   0    ge-0/0/46.0
  T10      00:19:e2:50:7d:e0  Static  -    Router
  T111     *                  Flood   -    All-members
  T111     00:19:e2:50:63:e0  Learn   0    ge-0/0/15.0
  T111     00:19:e2:50:7d:e0  Static  -    Router
  T111     00:19:e2:50:ac:00  Learn   0    ge-0/0/15.0
  T2       *                  Flood   -    All-members
  T2       00:00:5e:00:01:01  Static  -    Router
  T2       00:19:e2:50:63:e0  Learn   0    ge-0/0/46.0
  T2       00:19:e2:50:7d:e0  Static  -    Router
  T3       *                  Flood   -    All-members
  T3       00:00:5e:00:01:02  Static  -    Router
  T3       00:19:e2:50:63:e0  Learn   0    ge-0/0/46.0
  T3       00:19:e2:50:7d:e0  Static  -    Router
  T4       *                  Flood   -    All-members
  T4       00:00:5e:00:01:03  Static  -    Router
  T4       00:19:e2:50:63:e0  Learn   0    ge-0/0/46.0
[output truncated]

show ethernet-switching table detail
user@switch> show ethernet-switching table detail
Ethernet-switching table: 57 entries, 17 learned
  F2, *
    Interface(s): ge-0/0/44.0
    Type: Flood
  F2, 00:00:05:00:00:03
    Interface(s): ge-0/0/44.0
    Type: Learn, Age: 0, Learned: 2:03:09
  F2, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
  Linux, *
    Interface(s): ge-0/0/47.0
    Type: Flood
  Linux, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
  Linux, 00:30:48:90:54:89
    Interface(s): ge-0/0/47.0
    Type: Learn, Age: 0, Learned: 2:03:08
  T1, *
    Interface(s): ge-0/0/46.0
    Type: Flood
  T1, 00:00:05:00:00:01
    Interface(s): ge-0/0/46.0
    Type: Learn, Age: 0, Learned: 2:03:07
  T1, 00:00:5e:00:01:00
    Interface(s): Router
    Type: Static
  T1, 00:19:e2:50:63:e0
    Interface(s): ge-0/0/46.0
    Type: Learn, Age: 0, Learned: 2:03:07
  T1, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
  T10, *
    Interface(s): ge-0/0/46.0
    Type: Flood
  T10, 00:00:5e:00:01:09
    Interface(s): Router
    Type: Static
  T10, 00:19:e2:50:63:e0
    Interface(s): ge-0/0/46.0
    Type: Learn, Age: 0, Learned: 2:03:08
  T10, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
  T111, *
    Interface(s): ge-0/0/15.0
    Type: Flood
[output truncated]

show ethernet-switching table extensive
user@switch> show ethernet-switching table extensive
Ethernet-switching table: 57 entries, 17 learned
  F2, *
    Interface(s): ge-0/0/44.0
    Type: Flood
  F2, 00:00:05:00:00:03
    Interface(s): ge-0/0/44.0
    Type: Learn, Age: 0, Learned: 2:03:09
  F2, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
  Linux, *
    Interface(s): ge-0/0/47.0
    Type: Flood
  Linux, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
  Linux, 00:30:48:90:54:89
    Interface(s): ge-0/0/47.0
    Type: Learn, Age: 0, Learned: 2:03:08
  T1, *
    Interface(s): ge-0/0/46.0
    Type: Flood
  T1, 00:00:05:00:00:01
    Interface(s): ge-0/0/46.0
    Type: Learn, Age: 0, Learned: 2:03:07
  T1, 00:00:5e:00:01:00
    Interface(s): Router
    Type: Static
  T1, 00:19:e2:50:63:e0
    Interface(s): ge-0/0/46.0
    Type: Learn, Age: 0, Learned: 2:03:07
  T1, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
  T10, *
    Interface(s): ge-0/0/46.0
    Type: Flood
  T10, 00:00:5e:00:01:09
    Interface(s): Router
    Type: Static
  T10, 00:19:e2:50:63:e0
    Interface(s): ge-0/0/46.0
    Type: Learn, Age: 0, Learned: 2:03:08
  T10, 00:19:e2:50:7d:e0
    Interface(s): Router
    Type: Static
  T111, *
    Interface(s): ge-0/0/15.0
    Type: Flood
[output truncated]

show ethernet-switching table interface ge-0/0/1
user@switch> show ethernet-switching table interface ge-0/0/1
Ethernet-switching table: 1 unicast entries
  VLAN   MAC address        Type   Age  Interfaces
  V1     *                  Flood  -    All-members
  V1     00:00:05:00:00:05  Learn  0    ge-0/0/1.0


show gvrp
Syntax
Release Information
Description
Options

show gvrp

Command introduced in JUNOS Release 9.0 for EX-series switches.


Display GARP VLAN Registration Protocol (GVRP) information.
noneDisplays all GVRP configuration attributes.
interface interface-name(Optional) Displays GVRP statistics for a specific interface

only.
Required Privilege Level
Related Topics

List of Sample Output


Output Fields

view

show gvrp statistics on page 557

Example: Configure Automatic VLAN Administration Using GVRP on page 393

show gvrp on page 555


Table 70 on page 555 lists the output fields for the show gvrp command. Output fields
are listed in the approximate order in which they appear.

Table 70: show gvrp Output Fields


Field Name

Field Description

Global GVRP
Configuration

Displays global GVRP information:

GVRP statusDisplays whether GVRP is enabledor disabled.

JoinThe maximum number of milliseconds the interfaces must wait before sending VLAN

advertisements.

Leave The number of milliseconds an interface must wait after receiving a Leave message

to remove the interface from the VLAN specified in the message.

LeaveallThe interval at which Leave All messages are sent on interfaces. Leave all messages

maintain current GVRP VLAN membership information in the network.


Interface based
configuration

Displays interface-specific GVRP information:

InterfaceThe interface on which GVRP is configured..

GVRP statusDisplays whether GVRP is enabled or disabled.

show gvrp

user@switch> show gvrp
Global GVRP configuration
  GVRP status          : Enabled
  GVRP timers (ms)
    Join               : 40
    Leave              : 120
    Leaveall           : 2000

Complete Software Guide for JUNOS for EX-series Software, Release 9.2

Interface based configuration:
  Interface    GVRP status
  ----------   -----------
  ge-0/0/0.0   Enabled

show gvrp statistics

Syntax
    show gvrp statistics

Release Information
    Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Display Generic VLAN Registration Protocol (GVRP) statistics in the form of GARP
    Information Propagation (GIP) messages.

Required Privilege Level
    clear

Related Topics
    show gvrp on page 555
    Example: Configure Automatic VLAN Administration Using GVRP on page 393

List of Sample Output
    show gvrp statistics on page 557

Output Fields
    Table 71 on page 557 lists the output fields for the show gvrp statistics command.
    Output fields are listed in the approximate order in which they appear.

Table 71: show gvrp statistics Output Fields

Field Name                  Field Description

Join Empty received         Number of GIP Join Empty messages received on the switch.
Join In received            Number of GIP Join In messages received on the switch.
Empty received              Number of GIP Empty messages received on the switch.
Leave In received           Number of GIP Leave In messages received on the switch.
Leave Empty received        Number of GIP Leave Empty messages received on the switch.
Leave All received          Number of GIP Leave All messages received on the switch.
Join Empty transmitted      Number of GIP Join Empty messages sent from the switch.
Join In transmitted         Number of GIP Join In messages sent from the switch.
Empty transmitted           Number of GIP Empty messages sent from the switch.
Leave In transmitted        Number of GIP Leave In messages sent from the switch.
Leave Empty transmitted     Number of GIP Leave Empty messages sent from the switch.
Leave All transmitted       Number of GIP Leave All messages sent from the switch.

show gvrp statistics

user@switch> show gvrp statistics
GVRP statistics
  Join Empty received       : 0
  Join In received          : 12
  Empty received            : 0
  Leave In received         : 0
  Leave Empty received      : 0
  Leave All received        : 0
  Join Empty transmitted    : 0
  Join In transmitted       : 48
  Empty transmitted         : 4
  Leave In transmitted      : 0
  Leave Empty transmitted   : 0
  Leave All transmitted     : 4

show redundant-trunk-group

Syntax
    show redundant-trunk-group <group-name group-name>

Release Information
    Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Display information about redundant trunk groups.

Options
    group-name group-name: Display information about the specified redundant trunk
    group.

Required Privilege Level
    view

Related Topics
    Example: Configuring Redundant Trunk Links for Faster Recovery on page 400
    Understanding Redundant Trunk Links on EX-series Switches on page 365

List of Sample Output
    show redundant-trunk-group group-name Group1 on page 559

Output Fields
    Table 72 on page 559 lists the output fields for the show redundant-trunk-group
    command. Output fields are listed in the approximate order in which they appear.

Table 72: show redundant-trunk-group Output Fields

Field Name            Field Description

Group Name            Name of the redundant trunk port group.
Interface             Name of an interface belonging to the trunk port group.
                      (P) denotes a primary interface.
                      (A) denotes an active interface.
                      Lack of (A) denotes a blocking interface.
State                 Operating state of the interface: UP or DOWN.
Last Time of Flap     Date and time at which the advertised link became unavailable, and
                      then, available again.
# Flaps               Total number of flaps since the last switch reboot.

show redundant-trunk-group group-name Group1

user@switch> show redundant-trunk-group group-name Group1
Group Name   Interface         State   Last Time of Flap     # Flaps
Group1       ge-0/0/45.0 (P)   UP      Fri Jan 2 04:10:58    0
             ge-0/0/47.0       UP      Fri Jan 2 04:10:58    0

show spanning-tree bridge

Syntax
    show spanning-tree bridge
    <brief | detail>
    <msti msti-id>
    <vlan vlan-id>

Release Information
    Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Display the configured or calculated Spanning Tree Protocol (STP) parameters.

Options
    none: (Optional) Display brief STP bridge information for all Multiple Spanning Tree
    Instances (MSTIs).
    brief | detail: (Optional) Display the specified level of output.
    msti msti-id: (Optional) Display STP bridge information for the specified MSTP instance
    ID or Common and Internal Spanning Tree (CIST). Specify 0 for CIST. Specify a
    value from 1 through 4094 for an MSTI.
    vlan vlan-id: (Optional) Display STP bridge information for the specified VLAN. Specify
    a VLAN tag identifier from 1 through 4094.

Required Privilege Level
    view

Related Topics
    show spanning-tree interface on page 564
    Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on
    page 441
    Understanding MSTP for EX-series Switches on page 422

List of Sample Output
    show spanning-tree bridge on page 561
    show spanning-tree bridge brief on page 562
    show spanning-tree bridge detail on page 562

Output Fields
    Table 73 on page 560 lists the output fields for the show spanning-tree bridge command.
    Output fields are listed in the approximate order in which they appear.

Table 73: show spanning-tree bridge Output Fields

Field Name                   Field Description

Routing instance name        Name of the routing instance under which the bridging domain is
                             configured.
Context ID                   An internally generated identifier.
Enabled protocol             Spanning Tree Protocol type enabled.
Root ID                      Bridge ID of the elected spanning tree root bridge. The bridge ID
                             consists of a configurable bridge priority and the MAC address
                             of the bridge.
Root cost                    Calculated cost to reach the root bridge from the bridge where
                             the command is entered.
Root port                    Interface that is the current elected root port for this bridge.
CIST regional root           Bridge ID of the elected MSTP regional root bridge.
CIST internal root cost      Calculated cost to reach the regional root bridge from the bridge
                             where the command is entered.
Hello time                   Configured number of seconds between transmissions of
                             configuration BPDUs.
Maximum age                  Maximum age of received protocol BPDUs.
Forward delay                Configured time an STP bridge port remains in the listening and
                             learning states before transitioning to the forwarding state.
Hop count                    Configured maximum number of hops a BPDU can be forwarded in
                             the MSTP region.
Message age                  Number of elapsed seconds since the most recent BPDU was
                             received.
Number of topology changes   Total number of STP topology changes detected since the switch
                             last booted.
Time since last topology     Number of elapsed seconds since the most recent topology change.
change
Bridge ID (Local)            Locally configured bridge ID. The bridge ID consists of a
                             configurable bridge priority and the MAC address of the bridge.
Extended system ID           Internally generated system identifier.
MSTI regional root           Bridge ID of the elected MSTP regional root bridge.

show spanning-tree bridge

user@switch> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
  STP bridge parameters for CIST
  Root ID                           : 8192.00:19:e2:50:51:e0
  Root cost                         : 0
  Root port                         : ge-0/0/13.0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  CIST internal root cost           : 2000
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 18
  Message age                       : 0
  Number of topology changes        : 3
  Time since last topology change   : 921 seconds
  Local parameters
    Bridge ID                       : 16384.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 0
  STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Root cost                         : 2000
  Root port                         : ge-0/0/13.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 18
  Local parameters
    Bridge ID                       : 16385.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 1
  STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Root cost                         : 1000
  Root port                         : ge-0/0/9.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Local parameters
    Bridge ID                       : 8194.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 2

show spanning-tree bridge brief

user@switch> show spanning-tree bridge brief
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
Root ID                             : 32768.00:19:e2:50:95:a0
Hello time                          : 2 seconds
Maximum age                         : 20 seconds
Forward delay                       : 15 seconds
Message age                         : 0
Number of topology changes          : 0
Local parameters
  Bridge ID                         : 32768.00:19:e2:50:95:a0
  Extended system ID                : 0
  Internal instance ID              : 0

show spanning-tree bridge detail

user@switch> show spanning-tree bridge detail
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
Root ID                             : 32768.00:19:e2:50:95:a0
Hello time                          : 2 seconds
Maximum age                         : 20 seconds
Forward delay                       : 15 seconds
Message age                         : 0
Number of topology changes          : 0
Local parameters
  Bridge ID                         : 32768.00:19:e2:50:95:a0
  Extended system ID                : 0
  Internal instance ID              : 0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Path cost method                  : 32 bit

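The bridge IDs in the output above (8192.00:19:e2:50:51:e0 for the CIST, 4097.00:19:e2:50:51:e0 on MSTI 1) pack the configured priority and, for MSTP, the instance number into the number before the dot. The following Python script is an added example, not part of the JUNOS guide: it decodes those IDs from a copy of the MSTP sample output and reports, per instance, whether this switch is the elected root and whether the root is the bridge the operator expects. The "label : value" parsing layout and the expected-root check are this example's own assumptions.

```python
"""Decode the bridge IDs in 'show spanning-tree bridge' output and check, per
instance, whether this switch is the elected root.

Added example, not from the JUNOS guide. SAMPLE is constructed from the MSTP
sample output on this page; the "label : value" parsing and the expected-root
check are this example's own assumptions. RSTP output has no per-instance
headers, so only the MSTP form is handled here.
"""
import re

SAMPLE = """\
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
  STP bridge parameters for CIST
  Root ID                           : 8192.00:19:e2:50:51:e0
  Root cost                         : 0
  Root port                         : ge-0/0/13.0
  CIST regional root                : 8192.00:19:e2:50:51:e0
  CIST internal root cost           : 2000
  Number of topology changes        : 3
  Local parameters
    Bridge ID                       : 16384.00:19:e2:50:44:e0
    Extended system ID              : 0
    Internal instance ID            : 0
  STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:19:e2:50:51:e0
  Root cost                         : 2000
  Root port                         : ge-0/0/13.0
  Local parameters
    Bridge ID                       : 16385.00:19:e2:50:44:e0
    Internal instance ID            : 1
  STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:19:e2:50:3d:20
  Root cost                         : 1000
  Root port                         : ge-0/0/9.0
  Local parameters
    Bridge ID                       : 8194.00:19:e2:50:44:e0
    Internal instance ID            : 2
"""

INSTANCE_HEADER = re.compile(r"STP bridge parameters for (CIST|MSTI \d+)")


def decode_bridge_id(bridge_id):
    """Split 'NNNN.mac' into (priority, system_id_extension, mac).

    Per IEEE 802.1Q the 16-bit number before the dot carries the configured
    priority in its upper 4 bits (a multiple of 4096) and a 12-bit system ID
    extension in the lower bits; MSTP puts the instance number there, so
    4097.<mac> is priority 4096 on MSTI 1. Accepts both the colon form
    (8192.00:19:e2:50:51:e0) and the compact form that show spanning-tree
    interface prints (8192.0019e2500340).
    """
    field_text, mac = bridge_id.strip().split(".", 1)
    field = int(field_text)
    return field & 0xF000, field & 0x0FFF, mac.lower()


def parse_instances(output):
    """Return {"CIST": {...}, "MSTI 1": {...}, ...} of 'label : value' pairs."""
    instances, current = {}, None
    for line in output.splitlines():
        header = INSTANCE_HEADER.search(line)
        if header:
            current = instances.setdefault(header.group(1), {})
            continue
        if current is None or ":" not in line:
            continue  # global lines before the first instance, or sub-headings
        label, _, value = line.partition(":")
        current[label.strip()] = value.strip()
    return instances


def root_report(output):
    """Per instance: which bridge is root, what we are, and whether they match."""
    report = {}
    for name, fields in parse_instances(output).items():
        # The CIST block calls its root "Root ID"; MSTI blocks "MSTI regional root".
        root = fields.get("Root ID") or fields["MSTI regional root"]
        root_prio, _, root_mac = decode_bridge_id(root)
        local_prio, instance, local_mac = decode_bridge_id(fields["Bridge ID"])
        report[name] = {
            "root_priority": root_prio, "root_mac": root_mac,
            "local_priority": local_prio, "local_mac": local_mac,
            "instance": instance,
            "is_root": (root_prio, root_mac) == (local_prio, local_mac),
            "root_port": fields.get("Root port"),
        }
    return report


def unexpected_roots(report, expected_root_mac):
    """Instances whose elected root is not the bridge the operator intends;
    a change here is what a monitoring check on this command would alert on."""
    return sorted(name for name, r in report.items()
                  if r["root_mac"] != expected_root_mac.lower())
```

In the sample, MSTI 2 is rooted at 00:19:e2:50:3d:20 while the CIST and MSTI 1 are rooted at 00:19:e2:50:51:e0, so a check expecting the latter everywhere reports MSTI 2.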

show spanning-tree interface

Syntax
    show spanning-tree interface
    <brief | detail>
    <interface-name interface-name>
    <msti msti-id>
    <vlan-id vlan-id>

Release Information
    Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Display the configured or calculated interface-level STP parameters.

Options
    none: Display brief STP interface information.
    brief | detail: (Optional) Display the specified level of output.
    interface-name interface-name: (Optional) Name of an interface.
    msti msti-id: (Optional) For MSTP interfaces, display information for the specified
    MSTP instance ID. Specify a value from 0 through 64. Specify 0 for CIST.
    vlan-id vlan-id: (Optional) For MSTP interfaces, display interface information for the
    specified VLAN. Specify a value from 0 through 4094.

Required Privilege Level
    view

Related Topics
    show spanning-tree bridge on page 560
    Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches on
    page 441
    Understanding MSTP for EX-series Switches on page 422

List of Sample Output
    show spanning-tree interface on page 565
    show spanning-tree interface brief on page 565
    show spanning-tree interface detail on page 566
    show spanning-tree interface ge-1/0/0 on page 566

Output Fields
    Table 74 on page 564 lists the output fields for the show spanning-tree interface
    command. Output fields are listed in the approximate order in which they appear.

Table 74: show spanning-tree interface Output Fields

Field Name             Field Description

Interface name         Interface configured to participate in the STP, RSTP, or MSTP instance.
Port ID                Logical interface identifier configured to participate in the MSTP
                       instance.
Designated port ID     Port ID of the designated port for the LAN segment this interface is
                       attached to.
Designated bridge ID   Bridge ID of the designated bridge for the LAN segment this interface
                       is attached to.


Port Cost              Configured cost for the interface.
Port State             STP port state. Forwarding (FWD), blocking (BLK), listening, learning,
                       or disabled.
Port Role              MSTP or RSTP port role. Designated (DESG), backup (BKUP), alternate
                       (ALT), or root.
Link type              MSTP or RSTP link type. Shared or point-to-point (pt-pt) and edge or
                       non edge.
Alternate              Identifies the interface as an MSTP or RSTP alternate root port (yes)
                       or nonalternate root port (no).
Boundary Port          Identifies the interface as an MSTP regional boundary port (yes) or
                       nonboundary port (no).

show spanning-tree interface

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface     Port ID   Designated   Designated           Port    State  Role
                        port ID      bridge ID            Cost
ge-0/0/0.0    128:513   128:513      8192.0019e2500340    1000    FWD    DESG
ge-0/0/2.0    128:515   128:515      8192.0019e2500340    1000    BLK    DIS
ge-0/0/4.0    128:517   128:517      8192.0019e2500340    1000    FWD    DESG
ge-0/0/23.0   128:536   128:536      8192.0019e2500340    1000    FWD    DESG

Spanning tree interface parameters for instance 1
Interface     Port ID   Designated   Designated           Port    State  Role
                        port ID      bridge ID            Cost
ge-0/0/0.0    128:513   128:513      8193.0019e2500340    1000    FWD    DESG
ge-0/0/2.0    128:515   128:515      8193.0019e2500340    1000    BLK    DIS
ge-0/0/4.0    128:517   128:517      8193.0019e2500340    1000    FWD    DESG
ge-0/0/23.0   128:536   128:536      8193.0019e2500340    1000    FWD    DESG

Spanning tree interface parameters for instance 2
Interface     Port ID   Designated   Designated           Port    State  Role
                        port ID      bridge ID            Cost
ge-0/0/0.0    128:513   128:1        8194.001b549fd000    1000    FWD    ROOT
ge-0/0/2.0    128:515   128:515      32770.0019e2500340   4000    BLK    DIS
ge-0/0/4.0    128:517   128:1        16386.001b54013080   1000    BLK    ALT
ge-0/0/23.0   128:536   128:536      32770.0019e2500340   1000    FWD    DESG

show spanning-tree interface brief

user@switch> show spanning-tree interface brief
Spanning tree interface parameters for instance 0
Interface     Port ID   Designated   Designated           Port    State  Role
                        port ID      bridge ID            Cost
ge-1/0/0.0    128:625   128:625      32768.0019e25095a0   20000   BLK    DIS
ge-1/0/1.0    128:626   128:626      32768.0019e25095a0   20000   BLK    DIS
ge-1/0/2.0    128:627   128:627      32768.0019e25095a0   20000   BLK    DIS
ge-1/0/10.0   128:635   128:635      32768.0019e25095a0   20000   BLK    DIS
ge-1/0/20.0   128:645   128:645      32768.0019e25095a0   20000   BLK    DIS
ge-1/0/30.0   128:655   128:655      32768.0019e25095a0   20000   BLK    DIS

show spanning-tree interface detail

user@switch> show spanning-tree interface detail
Spanning tree interface parameters for instance 0
Interface name         : ge-1/0/0.0
Port identifier        : 128.625
Designated port ID     : 128.625
Port cost              : 20000
Port state             : Blocking
Designated bridge ID   : 32768.00:19:e2:50:95:a0
Port role              : Disabled
Link type              : Pt-Pt/EDGE
Boundary port          : NA
Interface name         : ge-1/0/1.0
Port identifier        : 128.626
Designated port ID     : 128.626
Port cost              : 20000
Port state             : Blocking
Designated bridge ID   : 32768.00:19:e2:50:95:a0
Port role              : Disabled
Link type              : Pt-Pt/NONEDGE
Boundary port          : NA
Interface name         : ge-1/0/2.0
Port identifier        : 128.627
Designated port ID     : 128.627
Port cost              : 20000
Port state             : Blocking
Designated bridge ID   : 32768.00:19:e2:50:95:a0
Port role              : Disabled
Link type              : Pt-Pt/NONEDGE
Boundary port          : NA
Interface name         : ge-1/0/10.0
Port identifier        : 128.635
Designated port ID     : 128.635
Port cost              : 20000
Port state             : Blocking
Designated bridge ID   : 32768.00:19:e2:50:95:a0
Port role              : Disabled
Link type              : Pt-Pt/NONEDGE
Boundary port          : NA
Interface name         : ge-1/0/20.0
Port identifier        : 128.645
Designated port ID     : 128.645
Port cost              : 20000
Port state             : Blocking
Designated bridge ID   : 32768.00:19:e2:50:95:a0
Port role              : Disabled
Link type              : Pt-Pt/NONEDGE
Boundary port          : NA
[output truncated]

show spanning-tree interface ge-1/0/0

user@switch> show spanning-tree interface ge-1/0/0
Interface     Port ID   Designated   Designated           Port    State  Role
                        port ID      bridge ID            Cost
ge-1/0/0.0    128:625   128:625      32768.0019e25095a0   20000   BLK    DIS

show spanning-tree mstp configuration

Syntax
    show spanning-tree mstp configuration
    <brief | detail>

Release Information
    Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Display the MSTP configuration.

Options
    none: Display MSTP configuration information.
    brief | detail: (Optional) Display the specified level of output.

Required Privilege Level
    view

List of Sample Output
    show spanning-tree mstp configuration on page 568

Output Fields
    Table 75 on page 568 lists the output fields for the show spanning-tree mstp configuration
    command. Output fields are listed in the approximate order in which they appear.

Table 75: show spanning-tree mstp configuration Output Fields

Field Name             Field Description

Context identifier     Internally generated identifier.
Region name            MSTP region name carried in the MSTP BPDUs.
Revision               Revision number of the MSTP configuration.
Configuration digest   Numerical value derived from the VLAN-to-instance mapping table.
MSTI                   MSTI instance identifier.
Member VLANs           Identifiers for VLANs associated with the MSTI.

show spanning-tree mstp configuration

user@host> show spanning-tree mstp configuration
MSTP configuration information
  Context identifier     : 0
  Region name            : region1
  Revision               : 0
  Configuration digest   : 0xc92e7af9febb44d8df928b87f16b

  MSTI   Member VLANs
  0      0-100,105-4094
  1      101-102
  2      103-104

show spanning-tree statistics

Syntax
    show spanning-tree statistics
    interface interface-name
    <brief | detail>

Release Information
    Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Display STP statistics.

Options
    none: Display brief STP statistics.
    brief | detail: (Optional) Display the specified level of output.

Required Privilege Level
    view

List of Sample Output
    show spanning-tree statistics interface on page 569

Output Fields
    Table 76 on page 569 lists the output fields for the show spanning-tree statistics
    command. Output fields are listed in the approximate order in which they appear.

Table 76: show spanning-tree statistics Output Fields

Field Name               Field Description

BPDUs sent               Total number of BPDUs sent.
BPDUs received           Total number of BPDUs received.
Interface                Interface for which the statistics are being displayed.
Next BPDU transmission   Number of seconds until the next BPDU is scheduled to be sent.

show spanning-tree statistics interface

user@switch> show spanning-tree statistics interface ge-0/0/4
Interface    BPDUs sent   BPDUs received   Next BPDU transmission
ge-0/0/4     7            190              0

show vlans

Syntax
    show vlans
    <brief | detail | extensive>
    <sort-by (tag | name)>
    <vlan-range-name>

Release Information
    Command introduced in JUNOS Release 9.0 for EX-series switches.
    Modified in JUNOS Release 9.2 for EX-series switches to display support for MAC-based
    VLANs and new sort-by (tag | name) and vlan-range-name options.

Description
    Display information about VLANs configured on bridged Ethernet interfaces.

    NOTE: When a series of VLANs is created using the vlan-range statement, such VLAN
    names are prefixed and suffixed with a double underscore. For example, a series of
    VLANs using the VLAN range 1-3 and the base VLAN name marketing would be
    displayed as __marketing_1__, __marketing_2__, and __marketing_3__.

Options
    none: Display information for all VLANs. VLAN information is displayed by VLAN
    name in ascending order.
    brief | detail | extensive: (Optional) Display the specified level of output.
    sort-by (tag | name): (Optional) Display VLANs in ascending order of VLAN IDs or
    VLAN names.
    vlan-range-name: (Optional) Display VLANs in ascending order of VLAN-range names.
Required Privilege Level
    view

Related Topics
    show ethernet-switching interfaces on page 545
    Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369
    Example: Setting Up Bridging with Multiple VLANs for EX-series Switches on page 376
    Example: Configure Automatic VLAN Administration Using GVRP on page 393
    Example: Connecting an Access Switch to a Distribution Switch on page 384
    Understanding Bridging and VLANs on EX-series Switches on page 359

List of Sample Output
    show vlans on page 572
    show vlans brief on page 572
    show vlans detail on page 572
    show vlans extensive (MAC-based) on page 573
    show vlans extensive (Port-based) on page 573
    show vlans sort-by tag on page 574
    show vlans sort-by employee (vlan-range-name) on page 575
    show vlans employee (vlan-range-name) on page 575

Output Fields
    Table 77 on page 891 lists the output fields for the show vlans command. Output fields
    are listed in the approximate order in which they appear.

Table 77: show vlans Output Fields

Field Name              Field Description                                          Level of Output

Name                    Name of a VLAN.                                            none, brief
Tag                     The 802.1Q tag applied to this VLAN. If none is            All levels
                        displayed, no tag is applied.
Interfaces              Interface associated with learned MAC addresses or         All levels
                        all-members (flood entry). An asterisk (*) beside the
                        interface indicates that the interface is UP.
Address                 The IP address.                                            none, brief
Ports Active / Total    The number of interfaces associated with a VLAN. The       brief
                        Active column indicates interfaces that are UP, and the
                        Total column indicates interfaces that are active and
                        inactive.
VLAN                    Name of a VLAN.                                            detail, extensive
Admin state             The state of the interface. Values are:                    detail, extensive
                        enabled: The interface is turned on, and the physical
                        link is operational and can pass packets.
Description             A description for the VLAN.                                detail, extensive
Primary IP              Primary IP address associated with a VLAN.                 detail
Number of interfaces    The number of interfaces associated with a VLAN. Both      detail, extensive
                        the total number of interfaces and the number of active
                        interfaces associated with a VLAN are displayed.
STP                     The spanning tree associated with a VLAN.                  detail, extensive
RTG                     The redundant trunk group associated with a VLAN.          detail, extensive
Tagged interfaces       The tagged interfaces to which a VLAN is associated.       detail, extensive
Untagged interfaces     The untagged interfaces to which a VLAN is associated.     detail, extensive
Internal Index          VLAN index internal to JUNOS software.                     extensive
Origin                  The manner in which the VLAN was created. Values are       extensive
                        static or learn.
Protocol                Port-based VLAN or MAC-based VLAN. MAC-based protocol      extensive
                        is displayed when VLAN assignment is done either
                        statically or dynamically through 802.1X.
IP addresses            IP address associated with a VLAN.                         extensive
Number of MAC entries   For MAC-based VLANs created either statically or           extensive
                        dynamically, the MAC addresses associated with an
                        interface.

show vlans

user@switch> show vlans
Name      Tag    Interfaces
default   None   ge-0/0/34.0, ge-0/0/33.0, ge-0/0/32.0, ge-0/0/31.0,
                 ge-0/0/30.0, ge-0/0/29.0, ge-0/0/28.0, ge-0/0/27.0,
                 ge-0/0/26.0, ge-0/0/25.0, ge-0/0/19.0, ge-0/0/18.0,
                 ge-0/0/17.0, ge-0/0/16.0, ge-0/0/15.0, ge-0/0/14.0,
                 ge-0/0/13.0, ge-0/0/11.0, ge-0/0/9.0, ge-0/0/8.0,
                 ge-0/0/3.0, ge-0/0/2.0, ge-0/0/1.0
v0001            ge-0/0/24.0, ge-0/0/23.0, ge-0/0/22.0, ge-0/0/21.0
v0002            None
v0003            None
v0004            None
v0005            None

show vlans brief

user@switch> show vlans brief
Name      Tag    Address   Ports
                           Active/Total
default   None             0/23
v0001     1                0/4
v0002     2                0/0
v0003     3                0/0
v0004     4                0/0
v0005     5                0/0
v0006     6                0/0
v0007     7                0/0
v0008     8                0/0
v0009     9                0/0
v0010     10               0/2
v0011     11               0/0
v0012     12               0/0
v0013     13               0/0
v0014     14               0/0
v0015     15               0/0
v0016     16               0/0

show vlans detail

user@switch> show vlans detail
VLAN: default, Tag: Untagged, Admin state: Enabled
Description: None
Primary IP: None, Number of interfaces: 23 (Active = 0)
STP: None, RTG: None
Untagged interfaces: ge-0/0/34.0, ge-0/0/33.0, ge-0/0/32.0, ge-0/0/31.0,
ge-0/0/30.0, ge-0/0/29.0, ge-0/0/28.0, ge-0/0/27.0, ge-0/0/26.0,
ge-0/0/25.0, ge-0/0/19.0, ge-0/0/18.0, ge-0/0/17.0, ge-0/0/16.0,
ge-0/0/15.0, ge-0/0/14.0, ge-0/0/13.0, ge-0/0/11.0, ge-0/0/9.0, ge-0/0/8.0,
ge-0/0/3.0, ge-0/0/2.0, ge-0/0/1.0,
Tagged interfaces: None
VLAN: v0001, Tag: 802.1Q Tag 1, Admin state: Enabled
Description: None
Primary IP: None, Number of interfaces: 4 (Active = 0)
STP: None, RTG: None
Untagged interfaces: None
Tagged interfaces: ge-0/0/24.0, ge-0/0/23.0, ge-0/0/22.0, ge-0/0/21.0,
VLAN: v0002, Tag: 802.1Q Tag 2, Admin state: Enabled
Description: None
Primary IP: None, Number of interfaces: 0 (Active = 0)
STP: None, RTG: None
Untagged interfaces: None
Tagged interfaces: None
VLAN: v0003, Tag: 802.1Q Tag 3, Admin state: Enabled
Description: None
Primary IP: None, Number of interfaces: 0 (Active = 0)
STP: None, RTG: None
Untagged interfaces: None
Tagged interfaces: None

show vlans extensive (MAC-based)

user@switch> show vlans extensive
VLAN: default, Created at: Thu May 15 13:43:09 2008
Internal index: 3, Admin State: Enabled, Origin: Static
Protocol: Port Mode
Number of interfaces: Tagged 0 (Active = 0), Untagged 2 (Active = 2)
ge-0/0/0.0*, untagged, access
ge-0/0/14.0*, untagged, access
VLAN: vlan_dyn, Created at: Thu May 15 13:43:09 2008
Internal index: 4, Admin State: Enabled, Origin: Static
Protocol: Port Mode
Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0)
Protocol: MAC Based
Number of MAC entries: 6
ge-0/0/0.0*
00:00:00:00:00:02 (untagged)
00:00:00:00:00:03 (untagged)
00:00:00:00:00:04 (untagged)
00:00:00:00:00:05 (untagged)
00:00:00:00:00:06 (untagged)
00:00:00:00:00:07 (untagged)

show vlans extensive (Port-based)

user@switch> show vlans extensive
VLAN: default, created at Mon Feb 4 12:13:47 2008
Tag: None, Internal index: 0, Admin state: Enabled, Origin: static
Description: None
Protocol: Port based, Layer 3 interface: None
IP addresses: None
STP: None, RTG: None.
Number of interfaces: Tagged 0 (Active = 0), Untagged 23 (Active = 0)
ge-0/0/34.0 (untagged, access)
ge-0/0/33.0 (untagged, access)
ge-0/0/32.0 (untagged, access)
ge-0/0/31.0 (untagged, access)
ge-0/0/30.0 (untagged, access)
ge-0/0/29.0 (untagged, access)
ge-0/0/28.0 (untagged, access)
ge-0/0/27.0 (untagged, access)
ge-0/0/26.0 (untagged, access)
ge-0/0/25.0 (untagged, access)
ge-0/0/19.0 (untagged, access)
ge-0/0/18.0 (untagged, access)
ge-0/0/17.0 (untagged, access)
ge-0/0/16.0 (untagged, access)
ge-0/0/15.0 (untagged, access)
ge-0/0/14.0 (untagged, access)
ge-0/0/13.0 (untagged, access)
ge-0/0/11.0 (untagged, access)
ge-0/0/9.0 (untagged, access)
ge-0/0/8.0 (untagged, access)
ge-0/0/3.0 (untagged, access)
ge-0/0/2.0 (untagged, access)
ge-0/0/1.0 (untagged, access)
VLAN: v0001, created at Mon Feb 4 12:13:47 2008
Tag: 1, Internal index: 1, Admin state: Enabled, Origin: static
Description: None
Protocol: Port based, Layer 3 interface: None
IP addresses: None
STP: None, RTG: None.
Number of interfaces: Tagged 4 (Active = 0), Untagged 0 (Active = 0)
ge-0/0/24.0 (tagged, trunk)
ge-0/0/23.0 (tagged, trunk)
ge-0/0/22.0 (tagged, trunk)
ge-0/0/21.0 (tagged, trunk)
VLAN: v0002, created at Mon Feb 4 12:13:47 2008
Tag: 2, Internal index: 2, Admin state: Enabled, Origin: static
Description: None
Protocol: Port based, Layer 3 interface: None
IP addresses: None
STP: None, RTG: None.
Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0)
None
VLAN: v0003, created at Mon Feb 4 12:13:47 2008
Tag: 3, Internal index: 3, Admin state: Enabled, Origin: static
Description: None
Protocol: Port based, Layer 3 interface: None
IP addresses: None
STP: None, RTG: None.
Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0)
None

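The extensive output above has two interface listing styles, the MAC-based form (ge-0/0/0.0*, untagged, access, followed by MAC entries under an interface) and the port-based form (ge-0/0/34.0 (untagged, access)). The following Python parser is an added example, not part of the JUNOS guide: it turns each VLAN block into a record, handles both listing styles, and then answers two audit questions, which VLANs each interface carries and whether any trunk carries a tagged VLAN outside an allowed set. The sample text, the interface-line regexes and the allowed-set check are this example's own assumptions.

```python
"""Parse 'show vlans extensive' output into VLAN records and derive a
per-interface membership view.

Added example, not from the JUNOS guide. SAMPLE is constructed after the
port-based and MAC-based samples on this page; the interface-line regexes and
the allowed-trunk-VLAN check are this example's own assumptions.
"""
import re
from collections import defaultdict

SAMPLE = """\
VLAN: default, created at Mon Feb 4 12:13:47 2008
Tag: None, Internal index: 0, Admin state: Enabled, Origin: static
Protocol: Port based, Layer 3 interface: None
Number of interfaces: Tagged 0 (Active = 0), Untagged 2 (Active = 1)
  ge-0/0/3.0 (untagged, access)
  ge-0/0/2.0* (untagged, access)
VLAN: v0001, created at Mon Feb 4 12:13:47 2008
Tag: 1, Internal index: 1, Admin state: Enabled, Origin: static
Protocol: Port based, Layer 3 interface: None
Number of interfaces: Tagged 2 (Active = 0), Untagged 0 (Active = 0)
  ge-0/0/24.0 (tagged, trunk)
  ge-0/0/23.0 (tagged, trunk)
VLAN: vlan_dyn, Created at: Thu May 15 13:43:09 2008
Internal index: 4, Admin State: Enabled, Origin: Static
Protocol: Port Mode
Number of interfaces: Tagged 0 (Active = 0), Untagged 0 (Active = 0)
Protocol: MAC Based
Number of MAC entries: 2
  ge-0/0/0.0*
    00:00:00:00:00:02 (untagged)
    00:00:00:00:00:03 (untagged)
"""

# An interface name such as ge-0/0/2.0, with the trailing * that marks it UP.
IFNAME = r"(?P<ifname>[a-z]+-\d+/\d+/\d+\.\d+)(?P<up>\*?)"
VLAN_HEADER = re.compile(r"^VLAN: (?P<name>\S+), [Cc]reated at")
# Port-based membership, in either "name*, untagged, access" or
# "name (untagged, access)" form.
PORT_LINE = re.compile(r"^\s*" + IFNAME + r"(?:,\s*|\s+\()"
                       r"(?P<tagging>tagged|untagged),\s*(?P<mode>access|trunk)\)?\s*$")
# MAC-based membership: an interface line followed by its MAC entries.
MAC_IF_LINE = re.compile(r"^\s*" + IFNAME + r"\s*$")
MAC_LINE = re.compile(r"^\s*(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
                      r"\((?P<tagging>tagged|untagged)\)")


def parse_show_vlans_extensive(output):
    """Return a list of {"name", "tag", "ports": [...], "macs": [...]} records."""
    vlans, vlan, mac_if = [], None, None
    for line in output.splitlines():
        m = VLAN_HEADER.match(line)
        if m:
            vlan = {"name": m["name"], "tag": None, "ports": [], "macs": []}
            vlans.append(vlan)
            mac_if = None
            continue
        if vlan is None:
            continue
        if line.startswith("Tag:"):
            tag = line.split(",", 1)[0].split(":", 1)[1].strip()
            vlan["tag"] = None if tag == "None" else int(tag)
            continue
        m = PORT_LINE.match(line)
        if m:
            vlan["ports"].append({"ifname": m["ifname"], "up": m["up"] == "*",
                                  "tagging": m["tagging"], "mode": m["mode"]})
            continue
        m = MAC_IF_LINE.match(line)
        if m:
            mac_if = (m["ifname"], m["up"] == "*")
            continue
        m = MAC_LINE.match(line)
        if m and mac_if:
            vlan["macs"].append({"ifname": mac_if[0], "up": mac_if[1],
                                 "mac": m["mac"], "tagging": m["tagging"]})
    return vlans


def interface_memberships(vlans):
    """Map interface -> [(vlan, tag, how)], where how is the port mode for a
    port-based membership or the MAC address for a MAC-based entry."""
    view = defaultdict(list)
    for v in vlans:
        for p in v["ports"]:
            view[p["ifname"]].append((v["name"], v["tag"], p["mode"]))
        for e in v["macs"]:
            view[e["ifname"]].append((v["name"], v["tag"], e["mac"]))
    return dict(view)


def trunk_vlans_outside(vlans, allowed_tags):
    """(interface, vlan) pairs where a trunk carries a tagged VLAN that is not
    in the allowed set, the check to run when auditing trunk pruning."""
    return sorted((p["ifname"], v["name"]) for v in vlans for p in v["ports"]
                  if p["mode"] == "trunk" and v["tag"] not in allowed_tags)
```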
show vlans sort-by tag

user@switch> show vlans sort-by tag
Name            Tag    Interfaces
default         None
__vlan-x_1__    1      None
__vlan-x_2__    2      None
__vlan-x_3__    3      None
__vlan-x_4__    4      None
__vlan-x_5__    5      None
__vlan-x_6__    6      None
__vlan-x_7__    7      None
__vlan-x_8__    8      None
__vlan-x_9__    9      None
__vlan-x_10__   10     None
__vlan-x_11__   11     None
__vlan-x_12__   12     None
__vlan-x_13__   13     None
__vlan-x_14__   14     None
__vlan-x_15__   15     None
__vlan-x_16__   16     None
__vlan-x_17__   17     None
__vlan-x_18__   18     None
__vlan-x_19__   19     None
__vlan-x_20__   20     None

show vlans sort-by employee (vlan-range-name)

user@switch> show vlans sort-by employee
Name               Tag    Interfaces
__employee_120__   120    ge-0/0/22.0*
__employee_121__   121    ge-0/0/22.0*
__employee_122__   122    ge-0/0/22.0*
__employee_123__   123    ge-0/0/22.0*
__employee_124__   124    ge-0/0/22.0*
__employee_125__   125    ge-0/0/22.0*
__employee_126__   126    ge-0/0/22.0*
__employee_127__   127    ge-0/0/22.0*
__employee_128__   128    ge-0/0/22.0*
__employee_129__   129    ge-0/0/22.0*
__employee_130__   130    ge-0/0/22.0*

show vlans employee (vlan-range-name)

user@switch> show vlans employee
Name               Tag    Interfaces
__employee_120__   120    ge-0/0/22.0*
__employee_121__   121    ge-0/0/22.0*
__employee_122__   122    ge-0/0/22.0*
__employee_123__   123    ge-0/0/22.0*
__employee_124__   124    ge-0/0/22.0*
__employee_125__   125    ge-0/0/22.0*
__employee_126__   126    ge-0/0/22.0*
__employee_127__   127    ge-0/0/22.0*
__employee_128__   128    ge-0/0/22.0*
__employee_129__   129    ge-0/0/22.0*
__employee_130__   130    ge-0/0/22.0*

Part 9

Layer 3 Protocols

Understanding Layer 3 Protocols on page 579

Examples of Configuring Layer 3 Protocols on page 585

Configuring Layer 3 Protocols on page 589

Verifying Layer 3 Protocols on page 603

Configuration Statements for Layer 3 Protocols on page 613

Operational Mode Commands for Layer 3 Protocols on page 627

Chapter 37

Understanding Layer 3 Protocols

DHCP Services for EX-series Switches Overview on page 579

DHCP/BOOTP Relay for EX-series Switches Overview on page 580

IGMP Snooping on EX-series Switches Overview on page 581

DHCP Services for EX-series Switches Overview


A Dynamic Host Configuration Protocol (DHCP) server can automatically allocate IP
addresses and also deliver configuration settings to client hosts on a subnet. DHCP
is particularly useful for managing a pool of IP addresses among hosts. An IP address
can be leased to a host for a limited period of time, allowing the DHCP server to
share a limited number of IP addresses among a group of hosts that do not need
permanent IP addresses.
To configure DHCP access service for an EX-series switch, you can use either the
JUNOS command line interface (CLI) or the J-Web user interface.
For detailed information about configuring DHCP services, see the JUNOS Software
System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html. The configuration for
DHCP service on the EX-series switch includes the dhcp statement at the [edit system
services] hierarchy level. The commands and statements are the same as those used
to configure DHCP for J-series Services Routers.
You can monitor DHCP services for the switch by using either operational-mode CLI
commands or the J-Web interface.
Related Topics

For information about configuring DHCP services with the CLI, see the JUNOS
Software System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html.

Configuring DHCP Services (J-Web Procedure) on page 590

Monitoring DHCP Services on page 605


DHCP/BOOTP Relay for EX-series Switches Overview


You can configure the EX-series switch to act as a Dynamic Host Configuration
Protocol (DHCP) or Bootstrap Protocol (BOOTP) relay agent. This means that a locally
attached host can issue a DHCP or BOOTP request as a broadcast message. If the
switch sees this broadcast message, it relays the message to a specified DHCP or
BOOTP server. You should configure the switch to be a DHCP/BOOTP relay agent if
you have locally attached hosts and a distant DHCP or BOOTP server.
For detailed information about configuring a DHCP/BOOTP relay agent, see the JUNOS
Software Policy Framework Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos91/index.html. The configuration of
the switch to act as a DHCP/BOOTP relay agent includes the bootp statement at the
[edit forwarding-options helpers] hierarchy level. The commands and statements are
the same as those used to configure a DHCP/BOOTP relay agent on Juniper Networks
routing platforms that run under JUNOS software.

NOTE: Because DHCP/BOOTP messages are broadcast and are not directed to a
specific server, switch, or router, EX-series switches cannot function as both a DHCP
server and a DHCP/BOOTP relay agent at the same time. JUNOS software generates
a commit error if both options are configured at the same time, and the commit will
not succeed until one of the options is removed.
Related Topics

For information about configuring the switch as a DHCP/BOOTP relay agent, see
the JUNOS Software Policy Framework Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos91/index.html.

DHCP Services for EX-series Switches Overview on page 579


IGMP Snooping on EX-series Switches Overview


Internet Group Management Protocol (IGMP) snooping regulates multicast traffic in
a switched network. With IGMP snooping enabled, a LAN switch monitors the IGMP
transmissions between a host (a network device) and a multicast router, keeping
track of the multicast groups and associated member ports. The switch uses that
information to make intelligent multicast-forwarding decisions and forward traffic
to the intended destination interfaces. EX-series switches support IGMPv1 and IGMPv2.
For details on IGMPv1 and IGMPv2, see the following standards:

For IGMPv1, see RFC 1112, Host extensions for IP multicasting, at
http://www.faqs.org/rfcs/rfc1112.html

For IGMPv2, see RFC 2236, Internet Group Management Protocol, Version 2, at
http://www.faqs.org/rfcs/rfc2236.html

This IGMP snooping topic covers:

How IGMP Snooping Works on page 581

How IGMP Snooping Works with Routed VLAN Interfaces on page 582

How Hosts Join and Leave Multicast Groups on page 584

How IGMP Snooping Works


An EX-series switch usually learns unicast MAC addresses by checking the source
address field of the frames it receives. However, a multicast MAC address can never
be the source address for a packet. As a result, the switch floods multicast traffic on
the VLAN, consuming significant amounts of bandwidth.
IGMP snooping regulates multicast traffic on a VLAN to avoid flooding. When IGMP
snooping is enabled, the switch intercepts IGMP packets and uses the content of the
packets to build a multicast cache table. The cache table is a database of multicast
groups and their corresponding member ports. The cache table is then used to
regulate multicast traffic on the VLAN.
When the switch receives multicast packets, it uses the cache table to selectively
forward the packets only to the ports that are members of the destination multicast
group. Figure 26 on page 582 shows an example of IGMP traffic flow with IGMP
snooping enabled.


Figure 26: IGMP Traffic Flow with IGMP Snooping Enabled

How IGMP Snooping Works with Routed VLAN Interfaces


Switches send traffic to hosts that are part of the same broadcast domain, but routers
are needed to route traffic from one broadcast domain to another. EX-series switches
use a routed VLAN interface (RVI) to perform these routing functions. IGMP snooping
works with Layer 2 interfaces and RVIs to regulate multicast traffic in a switched
network.
When an EX-series switch receives a multicast packet, the Packet Forwarding Engines
in the switch perform an IP multicast lookup on the multicast packet to determine
how to forward the packet to its local ports. From the results of the IP multicast
lookup, each Packet Forwarding Engine extracts a list of Layer 3 interfaces (which
can include VLAN interfaces) that have ports local to the Packet Forwarding Engine.
If an RVI is part of this list, the switch provides a bridge multicast group ID for each
RVI to the Packet Forwarding Engine.


A bridge multicast ID is assigned to direct Layer 3 interfaces and to RVIs. For VLANs
that include multicast receivers, the bridge multicast ID includes a sub-next-hop ID.
The sub-next-hop ID identifies the multicast Layer 2 interfaces in that VLAN that are
interested in receiving the multicast stream. The switch ultimately assigns a next-hop
after it does a route lookup. The next-hop includes all direct Layer 3 interfaces and
RVIs. The Packet Forwarding Engine then forwards multicast traffic to the bridge
multicast ID that includes all Layer 3 interfaces and RVIs that are multicast receivers
for a given multicast group.
Figure 27 on page 583 shows how multicast traffic is forwarded on a multilayer switch.
In this illustration, multicast traffic is coming in through the xe-0/1/0.0 interface. A
multicast group has been formed by the Layer 3 interface ge-0/0/2.0, vlan.0 and
vlan.1. The ge-2/0/0.0 interface is a common trunk interface that belongs to both
vlan.0 and vlan.1. The letter R next to an interface name in the illustration indicates
that a multicast receiver host is associated with that interface.

NOTE: Traffic sent to an access interface is untagged; traffic sent to a trunk interface
is tagged. For more information on VLAN tagging, see Understanding Bridging and
VLANs on EX-series Switches on page 359.

Figure 27: IGMP Traffic Flow with Routed VLAN Interfaces

The following table shows the bridge multicast IDs and next-hops that are created.
The term subnh refers to a sub-next-hop. The Packet Forwarding Engine will forward
multicast traffic to bridge multicast ID9.

ID Number   Type of Next-Hop   Next Hop          Tag Information
ID1         RHN_UNICAST        ge-0/0/0.0        tag=off
ID2         RHN_UNICAST        ge-2/0/0.0        tag=on
ID3         RHN_FLOOD          [ID1, ID2]
ID4         RHN_UNICAST        ge-0/0/1.0
ID5         RHN_FLOOD          [ID4, ID2]
ID6         RHN_UNICAST        vlan.0            subnh=ID3
ID7         RHN_UNICAST        vlan.1            subnh=ID5
ID8         RHN_UNICAST        ge-0/0/2.0
ID9         RHN_FLOOD          [ID6, ID7, ID8]   tag=off
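As an added illustration (not code from this guide), the following Python walks the next-hop chain from bridge multicast ID9 down to the physical interfaces. The IDs, next-hop types, sub-next-hops and tag flags are transcribed from the table; the resolution rule (a RHN_FLOOD fans out to its members, an RVI entry is replaced by its sub-next-hop with the RVI's VLAN carried along, and a row with no tag information is treated as an untagged access interface) is this example's reading of the text, not a Juniper API.

```python
"""Resolves the bridge multicast ID table above (added example, not Juniper
code) into the packet copies that leave the switch."""
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple


class NextHop(NamedTuple):
    kind: str                      # "RHN_UNICAST" or "RHN_FLOOD"
    target: object                 # interface name, or member ID list for a flood
    tag: Optional[bool] = None     # True = tagged, False = untagged, None = not listed
    subnh: Optional[str] = None    # sub-next-hop that an RVI entry resolves to


# The table from the text, transcribed as data.
TABLE: Dict[str, NextHop] = {
    "ID1": NextHop("RHN_UNICAST", "ge-0/0/0.0", tag=False),
    "ID2": NextHop("RHN_UNICAST", "ge-2/0/0.0", tag=True),
    "ID3": NextHop("RHN_FLOOD", ["ID1", "ID2"]),
    "ID4": NextHop("RHN_UNICAST", "ge-0/0/1.0"),
    "ID5": NextHop("RHN_FLOOD", ["ID4", "ID2"]),
    "ID6": NextHop("RHN_UNICAST", "vlan.0", subnh="ID3"),
    "ID7": NextHop("RHN_UNICAST", "vlan.1", subnh="ID5"),
    "ID8": NextHop("RHN_UNICAST", "ge-0/0/2.0"),
    "ID9": NextHop("RHN_FLOOD", ["ID6", "ID7", "ID8"], tag=False),
}

Copy = Tuple[str, Optional[str], bool]   # (egress interface, VLAN, tagged?)


def resolve(table: Dict[str, NextHop], nh_id: str,
            vlan: Optional[str] = None) -> List[Copy]:
    """Return every packet copy that forwarding to `nh_id` produces."""
    nh = table[nh_id]
    if nh.kind == "RHN_FLOOD":                # fan out to every member ID
        copies: List[Copy] = []
        for member in nh.target:
            copies.extend(resolve(table, member, vlan))
        return copies
    if nh.subnh is not None:
        # RVI: the packet is bridged into that VLAN and reaches only the
        # Layer 2 interfaces the sub-next-hop lists as interested receivers.
        return resolve(table, nh.subnh, vlan=nh.target)
    # Direct Layer 3 interface or Layer 2 member port.  A row with no tag
    # information is read as an untagged access interface (assumption).
    return [(nh.target, vlan, bool(nh.tag))]


def copies_per_interface(table: Dict[str, NextHop], nh_id: str) -> Counter:
    """How many copies of one packet each physical interface receives."""
    return Counter(iface for iface, _vlan, _tagged in resolve(table, nh_id))


if __name__ == "__main__":
    for iface, vlan, tagged in resolve(TABLE, "ID9"):
        print(f"{iface:12} vlan={vlan or '-':8} {'tagged' if tagged else 'untagged'}")
    print(dict(copies_per_interface(TABLE, "ID9")))
```

The trunk interface ge-2/0/0.0 comes out twice, once tagged for vlan.0 and once for vlan.1, which is why the table lists ID2 under both ID3 and ID5.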

How Hosts Join and Leave Multicast Groups


Hosts can join multicast groups in either of two ways:

By sending an unsolicited IGMP join message to a multicast router that specifies
the IP multicast group that the host is attempting to join.

By sending an IGMP join message in response to a general query from a multicast
router.

A multicast router continues to forward multicast traffic to a VLAN provided that at
least one host on that VLAN responds to the periodic general IGMP queries. For a
host to remain a member of a multicast group, therefore, it must continue to respond
to the periodic general IGMP queries.
To leave a multicast group, a host can either not respond to the periodic general
IGMP queries, which results in a silent leave (the only leave option for hosts
connected to switches running IGMPv1), or send a group-specific IGMPv2 leave
message.
Related Topics

Example: Configuring IGMP Snooping on EX-series Switches on page 585

Configuring IGMP Snooping (CLI Procedure) on page 593

RFC 3171, IANA Guidelines for IPv4 Multicast Address Assignments, at
http://tools.ietf.org/html/rfc3171

Chapter 38

Examples of Configuring Layer 3 Protocols

Example: Configuring IGMP Snooping on EX-series Switches on page 585

Example: Configuring IGMP Snooping on EX-series Switches


IGMP snooping regulates multicast traffic in a switched network. With IGMP snooping
enabled, a LAN switch monitors the IGMP transmissions between a host (a network
device) and a multicast router, keeping track of the multicast groups and associated
member ports. The switch uses that information to make intelligent
multicast-forwarding decisions and forward traffic to the intended destination
interfaces.
Configure IGMP snooping on one or more VLANs to allow the switch to examine
IGMP packets and make forwarding decisions based on packet content. By default,
IGMP snooping is disabled on EX-series switches.

NOTE: When IGMP snooping is enabled on a VLAN, traffic for a given group is flooded
to all member ports until IGMP snooping discovers at least one member of the group
in the given VLAN.
This example describes how to configure IGMP snooping:

Requirements on page 585

Overview and Topology on page 586

Configuration on page 586

Requirements
This example uses the following software and hardware components:

One EX-series 3200-24T switch

JUNOS Release 9.1 or later for EX-series switches

Before you configure IGMP snooping, be sure you have:

Configured the employee-vlan VLAN on the switch

Assigned interfaces ge-0/0/1, ge-0/0/2, and ge-0/0/3 to employee-vlan

See Example: Setting Up Bridging with Multiple VLANs for EX-series Switches
on page 376.

Overview and Topology


IGMP snooping controls multicast traffic in a switched network. With IGMP snooping
enabled, an EX-series switch monitors the IGMP transmissions between a host and
a multicast router to keep track of the multicast groups and associated member ports.
The switch uses this information to make intelligent decisions and forward multicast
traffic to the intended destination interfaces.
You can configure IGMP snooping on all interfaces in a VLAN or on individual
interfaces. This example shows how to configure IGMP snooping on an EX-series
switch by using the default IGMP options or configuring the IGMP options individually.
The configuration setup for this example includes the VLAN employee-vlan on the
switch.
Table 78 on page 586 shows the components of the topology for this example.
Table 78: Components of the IGMP Snooping Topology

Properties                                Settings
Switch hardware                           One EX 3200-24T switch
VLAN name                                 employee-vlan, tag 20
Interfaces in employee-vlan               ge-0/0/1, ge-0/0/2, ge-0/0/3
Multicast IP address for employee-vlan    225.100.100.100

In this example, the switch is initially configured as follows:

IGMP snooping is disabled on the VLAN.

Configuration
To configure basic IGMP snooping on a switch:
CLI Quick Configuration

To quickly configure IGMP snooping, copy the following commands and paste them
into the switch terminal window:

[edit protocols]
set igmp-snooping vlan employee-vlan
set igmp-snooping vlan employee-vlan immediate-leave
set igmp-snooping vlan employee-vlan interface ge-0/0/3 static group 225.100.100.100
set igmp-snooping vlan employee-vlan interface ge-0/0/2 multicast-router-interface
set igmp-snooping vlan employee-vlan query-interval 60
set igmp-snooping vlan employee-vlan query-last-member-interval 75
set igmp-snooping vlan employee-vlan query-response-interval 3
set igmp-snooping vlan employee-vlan robust-count 4

Step-by-Step Procedure

Configure IGMP snooping:

1. Enable and configure IGMP snooping on the VLAN employee-vlan:

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan

2. Configure the switch to immediately remove a group membership from an
   interface when it receives a leave message from that interface and suppress the
   sending of any group-specific queries for the multicast group (IGMPv2 only):

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan immediate-leave

3. Statically configure IGMP group membership on a port:

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan interface ge-0/0/3.0 static group 225.100.100.100

4. Statically configure an interface as a switching interface toward a multicast
   router (the interface to receive multicast traffic):

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan interface ge-0/0/2 multicast-router-interface

5. Change the IGMP snooping query interval on the VLAN to 60 seconds:

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan query-interval 60

6. Change the IGMP snooping query-last-member interval on the VLAN to 75
   seconds:

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan query-last-member-interval 75

7. Change the IGMP snooping query-response interval on the VLAN to 3 seconds:

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan query-response-interval 3

8. Change the number of timeout intervals the switch waits before timing out a
   multicast group to 4:

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan robust-count 4


Results

Check the results of the configuration:


user@switch# show protocols igmp-snooping
vlan employee-vlan {
    query-interval 60;
    query-last-member-interval 75;
    query-response-interval 3;
    robust-count 4;
    immediate-leave;
    interface ge-0/0/2 {
        multicast-router-interface;
    }
    interface ge-0/0/3 {
        static {
            group 225.100.100.100;
        }
    }
}

Related Topics


Configuring IGMP Snooping (CLI Procedure) on page 593

[edit protocols] Configuration Statement Hierarchy on page 31

Chapter 39

Configuring Layer 3 Protocols

Configuring BGP Sessions (J-Web Procedure) on page 589

Configuring DHCP Services (J-Web Procedure) on page 590

Configuring IGMP Snooping (CLI Procedure) on page 593

Configuring an OSPF Network (J-Web Procedure) on page 594

Configuring a RIP Network (J-Web Procedure) on page 595

Configuring SNMP (J-Web Procedure) on page 596

Configuring Static Routing (CLI Procedure) on page 600

Configuring Static Routing (J-Web Procedure) on page 601

Configuring BGP Sessions (J-Web Procedure)


J-Web Configuration allows you to create BGP peering sessions.

NOTE: To configure BGP sessions, a license must be installed on the EX-series switch.

To configure a BGP peering session:

1. In the J-Web user interface, select Configure > Routing > BGP Routing.

2. Enter information into the configuration page for BGP, as described in
   Table 79 on page 589.

3. To apply the configuration, click Apply.

Table 79: BGP Routing Configuration Summary

Router Identification

Router Identifier (required)
  Function: Uniquely identifies the device.
  Your Action: Type the switch's 32-bit IP address, in dotted decimal notation.

BGP

Enable BGP
  Function: Enables or disables BGP.
  Your Action: To enable BGP, select the check box. To disable BGP, clear the
  check box.

Autonomous System Number
  Function: Sets the unique numeric identifier of the AS in which the switch is
  configured.
  Your Action: Type the switch's 32-bit AS number, in dotted decimal notation. If
  you enter an integer, the value is converted to a 32-bit equivalent. For example,
  if you enter 3, the value assigned to the AS is 0.0.0.3.

Peer Autonomous System Number
  Function: Sets the unique numeric identifier of the AS in which the peer host
  resides.
  Your Action: Type the peer host's 32-bit AS number, in dotted decimal notation.
  If you enter an integer, the value is converted to a 32-bit equivalent. For
  example, if you enter 3, the value assigned to the AS is 0.0.0.3.

Peer Address
  Function: Specifies the IP address of the peer host's interface to which the BGP
  session is being established.
  Your Action: Type the IP address of the peer host's adjacent interface, in dotted
  decimal notation.

Local Address
  Function: Specifies the IP address of the local host's interface from which the
  BGP session is being established.
  Your Action: Type the IP address of the local host's adjacent interface, in dotted
  decimal notation.

Related Topics

EX-series Switch Software Features Overview on page 3

Monitoring BGP Routing Information on page 603

Configuring DHCP Services (J-Web Procedure)


Use the J-Web DHCP Configuration pages to configure DHCP pools for subnets and
static bindings for DHCP clients. If DHCP pools or static bindings are already
configured, use the Configure Global DHCP Parameters Configuration page to add
settings for these pools and static bindings. Settings that have been previously
configured for DHCP pools or static bindings are not overridden when you use the
Configure Global DHCP Parameters Configuration page.
To configure the DHCP server:

1. Select Configure > Services > DHCP.

2. Access a DHCP Configuration page:

   To configure a DHCP pool for a subnet, click Add in the DHCP Pools box.

   To configure a static binding for a DHCP client, click Add in the DHCP Static
   Binding box.

   To globally configure settings for existing DHCP pools and static bindings,
   click Configure Global DHCP Parameters.

3. Enter information into the DHCP Configuration pages, as described in
   Table 80 on page 591.

4. To apply the configuration, click Apply.


Table 80: DHCP Server Configuration Pages Summary

DHCP Pool Information

DHCP Subnet (required)
  Function: Specifies the subnet on which DHCP is configured.
  Your Action: Type an IP address prefix.

Address Range (Low) (required)
  Function: Specifies the lowest address in the IP address pool range.
  Your Action: Type an IP address that is part of the subnet specified in DHCP
  Subnet.

Address Range (High) (required)
  Function: Specifies the highest address in the IP address pool range.
  Your Action: Type an IP address that is part of the subnet specified in DHCP
  Subnet. This address must be greater than the address specified in Address
  Range (Low).

Exclude Addresses
  Function: Specifies addresses to exclude from the IP address pool.
  Your Action: To add an excluded address, type the address next to the Add
  button, and click Add. To delete an excluded address, select the address in the
  Exclude Addresses box, and click Delete.

Lease Time

Maximum Lease Time (Seconds)
  Function: Specifies the maximum length of time a client can hold a lease.
  (Dynamic BOOTP lease lengths can exceed this maximum time.)
  Your Action: Type a number from 60 through 4,294,967,295 (seconds). You can
  also type infinite to specify a lease that never expires.

Default Lease Time (Seconds)
  Function: Specifies the length of time a client can hold a lease for clients that
  do not request a specific lease length.
  Your Action: Type a number from 60 through 2,147,483,647 (seconds). You can
  also type infinite to specify a lease that never expires.

Server Information

Server Identifier
  Function: Specifies the IP address of the DHCP server reported to a client.
  Your Action: Type the IP address of the server. If you do not specify a server
  identifier, the primary address of the interface on which the DHCP exchange
  occurs is used.

Domain Name
  Function: Specifies the domain name that clients must use to resolve hostnames.
  Your Action: Type the name of the domain.

Domain Search
  Function: Specifies the order, from top to bottom, in which clients must append
  domain names when resolving hostnames using DNS.
  Your Action: To add a domain name, type the name next to the Add button, and
  click Add. To delete a domain name, select the name in the Domain Search box,
  and click Delete.

DNS Name Servers
  Function: Defines a list of DNS servers the client can use, in the specified
  order, from top to bottom.
  Your Action: To add a DNS server, type an IP address next to the Add button,
  and click Add. To remove a DNS server, select the IP address in the DNS Name
  Servers box, and click Delete.

Gateway Routers
  Function: Defines a list of relay agents on the subnet, in the specified order,
  from top to bottom.
  Your Action: To add a relay agent, type an IP address next to the Add button,
  and click Add. To remove a relay agent, select the IP address in the Gateway
  Routers box, and click Delete.

WINS Servers
  Function: Defines a list of NetBIOS name servers, in the specified order, from
  top to bottom.
  Your Action: To add a NetBIOS name server, type an IP address next to the Add
  button, and click Add. To remove a NetBIOS name server, select the IP address
  in the WINS Servers box, and click Delete.

Boot Options

Boot File
  Function: Specifies the path and filename of the initial boot file to be used by
  the client.
  Your Action: Type a path and filename.

Boot Server
  Function: Specifies the TFTP server that provides the initial boot file to the
  client.
  Your Action: Type the IP address or hostname of the TFTP server.

DHCP Static Binding Information

DHCP MAC Address (required)
  Function: Specifies the MAC address of the client to be permanently assigned a
  static IP address.
  Your Action: Type the hexadecimal MAC address of the client.

Fixed IP Addresses (required)
  Function: Defines a list of IP addresses permanently assigned to the client. A
  static binding must have at least one fixed address assigned to it, but multiple
  addresses are also allowed.
  Your Action: To add an IP address, type it next to the Add button, and click
  Add. To remove an IP address, select it in the Fixed IP Addresses box, and
  click Delete.

Host Name
  Function: Specifies the name of the client used in DHCP messages exchanged
  between the server and the client. The name must be unique to the client within
  the subnet on which the client resides.
  Your Action: Type a client hostname.

Client Identifier
  Function: Specifies the name of the client used by the DHCP server to index its
  database of address bindings. The name must be unique to the client within the
  subnet on which the client resides.
  Your Action: Type a client identifier in string form.

Hexadecimal Client Identifier
  Function: Specifies the name of the client, in hexadecimal form, used by the DHCP
  server to index its database of address bindings. The name must be unique to
  the client within the subnet on which the client resides.
  Your Action: Type a client identifier in hexadecimal form.

Related Topics


DHCP Services for EX-series Switches Overview on page 579

Monitoring DHCP Services on page 605


Configuring IGMP Snooping (CLI Procedure)


IGMP snooping regulates multicast traffic in a switched network. With IGMP snooping
enabled, a LAN switch monitors the IGMP transmissions between a host (a network
device) and a multicast router, keeping track of the multicast groups and associated
member ports. The switch uses that information to make intelligent
multicast-forwarding decisions and forward traffic to the intended destination
interfaces.
You can configure IGMP snooping on one or more VLANs to allow the switch to
examine IGMP packets and make forwarding decisions based on packet content. By
default, IGMP snooping is disabled on EX-series switches.

NOTE: When IGMP snooping is enabled on a VLAN, traffic for a given group is flooded
to all member ports until IGMP snooping discovers at least one member of the group
in the given VLAN.
To enable IGMP snooping and configure individual options as needed for your network
by using the CLI:

1. Enable IGMP snooping on a VLAN:

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan

2. Configure the switch to immediately remove a multicast group membership
   from an interface when it receives a leave message from that interface and
   suppress the sending of any group-specific queries for the multicast group
   (IGMPv2 only):

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan immediate-leave

3. Statically configure IGMP group membership on a port:

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan interface ge-0/0/3.0 static group 225.100.100.100

4. Statically configure an interface as a switching interface toward a multicast router
   (the interface to receive multicast traffic):

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan interface ge-0/0/2.0 multicast-router-interface

5. Change the IGMP snooping query interval on the VLAN to 60 seconds:

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan query-interval 60

6. Change the IGMP snooping query-last-member interval on the VLAN to 75
   seconds:

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan query-last-member-interval 75

7. Change the IGMP snooping query-response interval on the VLAN to 3 seconds:

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan query-response-interval 3

8. Change the number of timeout intervals the switch waits before timing out a
   multicast group to 4:

   [edit protocols]
   user@switch# set igmp-snooping vlan employee-vlan robust-count 4
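The following Python, added here and not part of the guide, models the cache table described in IGMP Snooping on EX-series Switches Overview and drives it with the employee-vlan settings configured in the procedure above (query-interval 60, query-last-member-interval 75, query-response-interval 3, robust-count 4, immediate-leave, static group 225.100.100.100 on ge-0/0/3, multicast-router-interface on ge-0/0/2). The membership timeout is RFC 2236's group membership interval (robust-count * query-interval + query-response-interval), the handling of a leave without immediate-leave is a simplification of the last-member query process, and group 239.1.1.1 and the event timeline are constructed.

```python
"""Toy model of an IGMP snooping cache table for one VLAN (added example, not
Juniper code).  Timer values, interface names and the group 225.100.100.100
follow the employee-vlan example; group 239.1.1.1 and the timeline are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class SnoopingVlan:
    ports: Set[str]                        # all Layer 2 ports in the VLAN
    query_interval: int = 125              # RFC 2236 defaults; employee_vlan()
    query_response_interval: int = 10      # overrides them with the values
    query_last_member_interval: int = 1    # configured on the page
    robust_count: int = 2
    immediate_leave: bool = False
    mrouter_ports: Set[str] = field(default_factory=set)
    static: Dict[str, Set[str]] = field(default_factory=dict)
    # learned cache table: group -> {port: time at which the entry expires}
    cache: Dict[str, Dict[str, float]] = field(default_factory=dict)

    def membership_interval(self) -> int:
        # RFC 2236 Group Membership Interval: a port that answers none of
        # robust_count consecutive general queries is aged out.
        return self.robust_count * self.query_interval + self.query_response_interval

    def report(self, group: str, port: str, now: float) -> None:
        """A host on `port` sent an IGMP membership report (join) for `group`."""
        self.cache.setdefault(group, {})[port] = now + self.membership_interval()

    def leave(self, group: str, port: str, now: float) -> None:
        """A host on `port` sent an IGMPv2 leave for `group`."""
        members = self.cache.get(group, {})
        if port not in members:
            return
        if self.immediate_leave:
            del members[port]              # dropped at once, no group-specific query
        else:
            # Group-specific queries are sent; the port is kept until that
            # process ends or its own timer runs out, whichever comes first.
            deadline = now + self.robust_count * self.query_last_member_interval
            members[port] = min(members[port], deadline)

    def expire(self, now: float) -> None:
        """Age out entries whose timer has run down."""
        for group in list(self.cache):
            alive = {p: t for p, t in self.cache[group].items() if t > now}
            if alive:
                self.cache[group] = alive
            else:
                del self.cache[group]

    def egress(self, group: str, now: float) -> Set[str]:
        """Ports that receive a frame for `group` arriving at time `now`."""
        self.expire(now)
        known = set(self.cache.get(group, {})) | self.static.get(group, set())
        if not known:
            # No member discovered yet: per the NOTE above, the group is
            # flooded to every port of the VLAN.
            return set(self.ports)
        return known | self.mrouter_ports


def employee_vlan(immediate_leave: bool) -> SnoopingVlan:
    """employee-vlan with the settings from the configuration example."""
    return SnoopingVlan(
        ports={"ge-0/0/1", "ge-0/0/2", "ge-0/0/3"},
        query_interval=60, query_last_member_interval=75,
        query_response_interval=3, robust_count=4,
        immediate_leave=immediate_leave,
        mrouter_ports={"ge-0/0/2"},
        static={"225.100.100.100": {"ge-0/0/3"}},
    )


def run_example() -> Dict[str, Set[str]]:
    """Constructed timeline; returns the egress port set after each event."""
    out: Dict[str, Set[str]] = {}
    g_static, g_dyn = "225.100.100.100", "239.1.1.1"
    v = employee_vlan(immediate_leave=True)
    out["static_only"] = v.egress(g_static, 0)     # static member + mrouter port
    out["unknown_group"] = v.egress(g_dyn, 0)      # flooded: no member known
    v.report(g_dyn, "ge-0/0/1", 5)
    out["after_join"] = v.egress(g_dyn, 6)
    # Silent leave: membership interval is 4 * 60 + 3 = 243 s, so the entry
    # is still alive at t=247 and gone at t=248.
    out["before_timeout"] = v.egress(g_dyn, 247)
    out["after_timeout"] = v.egress(g_dyn, 248)
    v.report(g_static, "ge-0/0/1", 300)
    out["joined_static_group"] = v.egress(g_static, 301)
    v.leave(g_static, "ge-0/0/1", 310)             # immediate-leave: gone now
    out["immediate_leave"] = v.egress(g_static, 310)
    # Without immediate-leave the port stays until its own timer (300 + 243 =
    # 543) or the last-member query process (310 + 4 * 75 = 610) ends.
    w = employee_vlan(immediate_leave=False)
    w.report(g_static, "ge-0/0/1", 300)
    w.leave(g_static, "ge-0/0/1", 310)
    out["leave_pending"] = w.egress(g_static, 400)
    out["leave_timed_out"] = w.egress(g_static, 543)
    return out
```

Compare immediate_leave with leave_pending: with immediate-leave the port stops receiving the group at the leave itself, without it the port keeps receiving traffic until the group-specific queries go unanswered.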

Related Topics

show igmp-snooping membership on page 630

show igmp-snooping route on page 632

show igmp-snooping statistics on page 634

show igmp-snooping vlans on page 635

Example: Configuring IGMP Snooping on EX-series Switches on page 585

IGMP Snooping on EX-series Switches Overview on page 581

Configuring an OSPF Network (J-Web Procedure)


J-Web Configuration allows you to create single-area OSPF networks.
To configure a single-area OSPF network:

1. In the J-Web user interface, select Configure > Routing > OSPF Routing.

2. Enter information into the Configuration Routing page for OSPF, as described
   in Table 81 on page 594.

3. To apply the configuration, click Apply.

Table 81: OSPF Routing Configuration Summary

Router Identification

Router Identifier (required)
  Function: Uniquely identifies the device.
  Your Action: Type the switch's 32-bit IP address, in dotted decimal notation.

OSPF

Enable OSPF
  Function: Enables or disables OSPF.
  Your Action: To enable OSPF, select the check box. To disable OSPF, clear the
  check box.

OSPF Area ID
  Function: Uniquely identifies the area within its AS.
  Your Action: Type a 32-bit numeric identifier for the area, or type an integer.
  If you enter an integer, the value is converted to a 32-bit equivalent. For
  example, if you enter 3, the value assigned to the area is 0.0.0.3.

Area Type
  Function: Designates the type of OSPF area.
  Your Action: Select the type of OSPF area you are creating from the list:
    regular: A regular OSPF area, including the backbone area
    stub: A stub area
    nssa: A not-so-stubby area (NSSA)

OSPF-Enabled Interfaces
  Function: Designates one or more interfaces on which OSPF is enabled.
  Your Action: The first time you configure OSPF, the Logical Interfaces box
  displays a list of all the logical interfaces configured on the switch. Do any of
  the following:
    To enable OSPF on an interface, click the interface name to highlight it, and
    click the left arrow to add the interface to the OSPF interfaces list.
    To enable OSPF on multiple interfaces at once, press Ctrl while you click
    multiple interface names to highlight them. Then click the left arrow to add
    the interfaces to the OSPF interfaces list.
    To enable OSPF on all logical interfaces except the special me0 management
    interface, select All Interfaces in the Logical Interfaces list and click the
    left arrow.
    To enable OSPF on all the interfaces displayed in the Logical Interfaces list,
    click All to highlight every interface. Then click the left arrow to add the
    interfaces to the OSPF interfaces list.
    To disable OSPF on one or more interfaces, highlight the interface or
    interfaces in the OSPF interfaces box and click the right arrow to move them
    back to the Logical Interfaces list.

Related Topics

Monitoring OSPF Routing Information on page 606

Configuring a RIP Network (J-Web Procedure)


J-Web allows you to create RIP networks.
To configure a RIP network:

1. In the J-Web user interface, select Configure > Routing > RIP Routing.

2. Enter information into the Configuration page for RIP, as described in
   Table 82 on page 596.

3. To apply the configuration, click Apply.

Table 82: RIP Routing Configuration Summary

RIP

Enable RIP
  Function: Enables or disables RIP.
  Your Action: To enable RIP, select the check box. To disable RIP, clear the
  check box.

Advertise Default Route
  Function: Advertises the default route using RIPv2.
  Your Action: To advertise the default route using RIPv2, select the check box.
  To disable the default route advertisement, clear the check box.

RIP-Enabled Interfaces
  Function: Designates one or more interfaces on which RIP is enabled.
  Your Action: The first time you configure RIP, the Logical Interfaces box
  displays a list of all the logical interfaces configured on the switch. Do any
  of the following:
    To enable RIP on an interface, click the interface name to highlight it, and
    click the left arrow to add the interface to the RIP interfaces list.
    To enable RIP on multiple interfaces at once, press Ctrl while you click
    multiple interface names to highlight them. Then click the left arrow to add
    the interfaces to the RIP interfaces list.
    To disable RIP on one or more interfaces, highlight the interface or
    interfaces in the RIP interfaces box and click the right arrow to move them
    back to the Logical Interfaces list.

Related Topics

Monitoring RIP Routing Information on page 608

Configuring SNMP (J-Web Procedure)


You can use the J-Web interface to define system identification information, create
SNMP communities, create SNMP trap groups, and configure health monitor options.
To configure SNMP features:

1. Select Configure > Services > SNMP.

2. Enter information into the Configuration page for SNMP, as described in
   Table 83 on page 596.

3. To apply the configuration, click Apply.

Table 83: SNMP Configuration Page

Identification

Contact Information
  Function: Free-form text string that specifies an administrative contact for the
  system.
  Your Action: Type contact information for the administrator of the system (such
  as name and phone number).

System Description
  Function: Free-form text string that specifies a description for the system.
  Your Action: Type information that describes the system.

Local Engine ID
  Function: Provides an administratively unique identifier of an SNMPv3 engine for
  system identification. The local engine ID contains a prefix and a suffix. The
  prefix is formatted according to specifications defined in RFC 3411. The suffix
  is defined by the local engine ID. Generally, the local engine ID suffix is the
  MAC address of Ethernet management port 0.
  Your Action: Type the MAC address of Ethernet management port 0.

System Location
  Function: Free-form text string that specifies the location of the system.
  Your Action: Type location information for the system (lab name or rack name,
  for example).

System Override Name
  Function: Free-form text string that overrides the system hostname.
  Your Action: Type the hostname of the system.

Communities
To add a community, click Add.

Community Name
  Function: Specifies the name of the SNMP community.
  Your Action: Type the name of the community being added.

Authorization
  Function: Specifies the type of authorization (either read-only or read-write)
  for the SNMP community being configured.
  Your Action: Select the desired authorization (either read-only or read-write)
  from the list.

Traps
To add a trap group, click Add.

Trap Group Name
  Function: Specifies the name of the SNMP trap group being configured.
  Your Action: Type the name of the group being added.

Categories
  Function: Specifies which trap categories are added to the trap group being
  configured.
  Your Action:
    To generate traps for authentication failures, select Authentication.
    To generate traps for chassis and environment notifications, select Chassis.
    To generate traps for configuration changes, select Configuration.
    To generate traps for link-related notifications (up-down transitions), select
    Link.
    To generate traps for remote operation notifications, select Remote operations.
    To generate traps for remote network monitoring (RMON), select RMON alarm.
    To generate traps for routing protocol notifications, select Routing.
    To generate traps on system warm and cold starts, select Startup.
    To generate traps on Virtual Router Redundancy Protocol (VRRP) events (such
    as new-master or authentication failures), select VRRP events.

1. Enter the hostname or IP address, in dotted decimal notation, of the target system to
receive the SNMP traps.

2.

Click Add.

Targets

Specifies one or more hostnames or IP addresses for


the systems to receive SNMP traps generated by the
trap group being configured.

Health Monitoring
Enable Health
Monitoring

Interval

Enables the SNMP health monitor on the switch. The


health monitor periodically (over the time you specify
in the interval field) checks the following key indicators
of switch health:

Percentage of file storage used

Percentage of Routing Engine CPU used

Percentage of Routing Engine memory used

Percentage of memory used for each system


process

Percentage of CPU used by the forwarding process

Percentage of memory used for temporary storage


by the forwarding process

Specifies the sampling frequency, in seconds, over


which the key health indicators are sampled and
compared with the rising and falling thresholds.

Select the check box to enable the health monitor


and configure options. Clear the check box to
disable the health monitor.
NOTE: If you select the Enable Health Monitoring
check box and do not specify options, then SNMP
health monitoring is enabled with default values.

Enter an interval time, in seconds, from 1 through


2147483647.
The default value is 300 seconds (5 minutes).

For example, if you configure the interval as 100


seconds, the values are checked every 100 seconds.

598

Configuring SNMP (J-Web Procedure)

Chapter 39: Configuring Layer 3 Protocols

Table 83: SNMP Configuration Page (continued)


Field

Function

Your Action

Rising Threshold

Specifies the value at which SNMP generates an event


(trap and system log message) when the value of a
sampled indicator is increasing.

Enter a value from 0 through 100. The default


value is 90.

For example, if the rising threshold is 90 (the default),


SNMP generates an event when the value of any key
indicator reaches or exceeds 90 percent.
Falling
Threshold

Specifies the value at which SNMP generates an event


(trap and system log message) when the value of a
sampled indicator is decreasing.
For example, if the falling threshold is 80 (the default),
SNMP generates an event when the value of any key
indicator falls back to 80 percent or less.

Related Topics

Enter a value from 0 through 100. The default


value is 80.
NOTE: The falling threshold value must be less
than the rising threshold value.

Monitoring System Process Information

Monitoring System Properties on page 105
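The rising and falling thresholds of the health monitor in Table 83 form a hysteresis band: one event when an indicator climbs to the rising threshold, one when it drops back to the falling threshold, and nothing in between. The following Python model, an added example and not Juniper code, replays constructed Routing Engine CPU samples through that logic using the documented defaults (interval 300, rising 90, falling 80) and rejects a configuration whose falling threshold is not below the rising one, which is the NOTE at the end of the table.

```python
"""Rising/falling threshold evaluation for an SNMP health monitor.

Added example (not Juniper code): it models the behaviour described for the
Health Monitoring fields in Table 83. An indicator sampled every `interval`
seconds generates an event when it reaches or exceeds the rising threshold and
another when it falls back to the falling threshold or below; between those
two points no further events are generated, which is why the falling threshold
must be below the rising one. The sample values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Defaults and ranges as documented in Table 83.
DEFAULT_INTERVAL = 300
DEFAULT_RISING = 90
DEFAULT_FALLING = 80
MAX_INTERVAL = 2147483647


@dataclass
class HealthMonitor:
    interval: int = DEFAULT_INTERVAL
    rising: int = DEFAULT_RISING
    falling: int = DEFAULT_FALLING
    # Tracks, per indicator, whether it is currently above the rising threshold.
    _above: Dict[str, bool] = field(default_factory=dict, init=False, repr=False)

    def __post_init__(self) -> None:
        if not 1 <= self.interval <= MAX_INTERVAL:
            raise ValueError(f"interval must be 1 through {MAX_INTERVAL} seconds")
        for name, value in (("rising", self.rising), ("falling", self.falling)):
            if not 0 <= value <= 100:
                raise ValueError(f"{name} threshold must be 0 through 100")
        # The NOTE in Table 83: falling must be less than rising. With equal
        # thresholds a value hovering at the boundary would fire on every sample.
        if self.falling >= self.rising:
            raise ValueError("falling threshold must be less than rising threshold")

    def sample(self, indicator: str, percent: int) -> Optional[str]:
        """Feed one sample; return "rising" or "falling" when an event fires."""
        above = self._above.get(indicator, False)
        if not above and percent >= self.rising:
            self._above[indicator] = True
            return "rising"
        if above and percent <= self.falling:
            self._above[indicator] = False
            return "falling"
        return None


def replay(monitor: HealthMonitor,
           samples: List[Tuple[str, int]]) -> List[Tuple[int, str, int, str]]:
    """Replay (indicator, percent) samples taken one interval apart.

    Returns (seconds_since_start, indicator, percent, event) for each event.
    """
    events = []
    for i, (indicator, percent) in enumerate(samples):
        event = monitor.sample(indicator, percent)
        if event is not None:
            events.append((i * monitor.interval, indicator, percent, event))
    return events


# Constructed Routing Engine CPU readings, one per sampling interval.
SAMPLES = [
    ("re-cpu", 40), ("re-cpu", 85), ("re-cpu", 92), ("re-cpu", 95),
    ("re-cpu", 88), ("re-cpu", 79), ("re-cpu", 91), ("re-cpu", 70),
]

if __name__ == "__main__":
    for when, name, value, kind in replay(HealthMonitor(), SAMPLES):
        print(f"t={when:5d}s {name} {value:3d}% -> {kind} threshold event")
```

With the defaults, the 85 percent reading produces nothing, the 92 percent reading fires a rising event at t=600 s, and the 88 percent reading that follows is silent until the indicator drops to 79 percent at t=1500 s. Narrowing the band (for example rising 90, falling 89) makes the monitor noisier but reports recovery sooner; that trade-off is what the two thresholds control.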


Configuring Static Routing (CLI Procedure)

Static routes are routes that are manually configured and entered into the routing
table. Dynamic routes, in contrast, are learned by the EX-series switch and added
to the routing table using a protocol such as OSPF or RIP.

The switch uses static routes:

- When the switch does not have a route to a destination that has a better (lower)
preference value. The preference is an arbitrary value in the range from 0 through
255 that the software uses to rank routes received from different protocols,
interfaces, or remote systems. The routing protocol process generally determines
the active route by selecting the route with the lowest preference value. In the
given range, 0 is the lowest and 255 is the highest.

- When the switch cannot determine the route to a destination.

- When the switch is forwarding unroutable packets.

To configure basic static route options using the CLI:

- To configure the switch's default gateway:

[edit]
user@switch# set routing-options static route 0.0.0.0/0 next-hop 10.0.1.1

- To configure a static route and specify the next-hop address to be used when
routing traffic to the static route:

[edit]
user@switch# set routing-options static route 20.0.0.0/24 next-hop 10.0.0.2

- To always keep the static route in the forwarding table:

[edit]
user@switch# set routing-options static route 20.0.0.0/24 retain

- To prevent the static route from being readvertised:

[edit]
user@switch# set routing-options static route 20.0.0.0/24 no-readvertise

- To remove inactive routes from the forwarding table:

[edit]
user@switch# set routing-options static route 20.0.0.0/24 active
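The selection rule stated above (a static route is used only when no route to the destination with a better, that is lower, preference exists) sits on top of longest-prefix matching. The following Python example, added here and not JUNOS code, implements both rules over a small constructed routing table: the default route and the 20.0.0.0/24 static route follow the CLI procedure, while the remaining entries, the preference values, and the "discard" next hop (the Discard next hop described in Table 89 on page 610) are constructed to show the tie-breaks.

```python
"""Route selection over a small routing table, as an added example (not JUNOS
code) of the rules described above: the most specific (longest) prefix wins,
and among routes to the same prefix the one with the lowest preference (0 best,
255 worst) becomes the active route. The default route 0.0.0.0/0 and the
20.0.0.0/24 static route follow the CLI procedure; the other entries, the
preference values, and the "discard" next hop are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str       # destination prefix, e.g. "20.0.0.0/24"
    next_hop: str     # next-hop address, or "discard" for a discard route
    protocol: str     # source of the route: "static", "ospf", "rip", ...
    preference: int   # 0 through 255; lower is preferred

    def __post_init__(self) -> None:
        if not 0 <= self.preference <= 255:
            raise ValueError("preference must be 0 through 255")
        ipaddress.ip_network(self.prefix)  # rejects a malformed prefix early

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)


def select_route(table: List[Route], destination: str) -> Optional[Route]:
    """Return the active route for `destination`, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    # Longest prefix first, then lowest preference. The default route has
    # prefix length 0, so it only wins when nothing more specific exists.
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.preference))


def forward(table: List[Route], destination: str) -> str:
    """Describe what happens to a packet addressed to `destination`."""
    route = select_route(table, destination)
    if route is None:
        return "no route"
    if route.next_hop == "discard":
        return "discard"                      # dropped rather than routed
    return f"via {route.next_hop} ({route.protocol})"


# Constructed routing table. Preferences are illustrative: they only need to
# be distinct to show the tie-break; 0 through 255 is the documented range.
TABLE = [
    Route("0.0.0.0/0", "10.0.1.1", "static", 5),       # default gateway
    Route("20.0.0.0/24", "10.0.0.2", "static", 5),     # static route
    Route("20.0.0.0/24", "10.0.0.9", "ospf", 10),      # same prefix, worse preference
    Route("20.0.0.128/25", "10.0.0.7", "rip", 100),    # more specific, worse preference
    Route("192.0.2.0/24", "discard", "static", 5),     # discard route
]

if __name__ == "__main__":
    for dest in ("20.0.0.5", "20.0.0.200", "203.0.113.1", "192.0.2.9"):
        print(f"{dest:>12} -> {forward(TABLE, dest)}")
```

Two points the table makes visible: 20.0.0.200 is forwarded by the RIP route despite its preference of 100, because prefix length is compared before preference; and 20.0.0.5 goes to the static next hop, because at equal prefix length the lower preference wins. A static route to a prefix that a dynamic protocol also learns therefore only takes effect if its preference is lower than the protocol's.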

Related Topics


Configuring Static Routing (J-Web Procedure) on page 601

Monitoring Routing Information on page 610


Configuring Static Routing (J-Web Procedure)

J-Web configuration allows you to configure static routes.

To configure static routes:

1. In the J-Web user interface, select Configure>Routing.

2. Enter information into the routing page, as described in Table 84 on page 601.

3. To apply the configuration, click Apply.

Table 84: Static Routing Configuration Summary

Each entry lists the field, its function, and your action.

Default Route

Default Route
Function: Specifies the default gateway for the switch.
Your Action: Type the 32-bit IP address of the switch's default route in dotted
decimal notation.

Static Routes

Static Route Address (required)
Function: Specifies the static route to add to the routing table.
Your Action:
1. On the main static routing Configuration page, click Add.
2. In the Static Route Address box, type the 32-bit IP address of the static route in
dotted decimal notation.

Next-Hop Addresses
Function: Specifies the next-hop address or addresses to be used when routing traffic
to the static route.
NOTE: If a route has multiple next-hop addresses, traffic is routed across each
address in round-robin fashion.
Your Action:
1. In the Add box, type the 32-bit IP address of the next-hop host.
2. Click Add.
3. Add more next-hop addresses as necessary.
4. When you have finished adding next-hop addresses, click OK.

Related Topics

Configuring Static Routing (CLI Procedure) on page 600

Monitoring Routing Information on page 610


Chapter 40

Verifying Layer 3 Protocols

Monitoring BGP Routing Information on page 603

Monitoring DHCP Services on page 605

Monitoring OSPF Routing Information on page 606

Monitoring RIP Routing Information on page 608

Monitoring Routing Information on page 610

Monitoring BGP Routing Information

Purpose
Use the monitoring functionality to monitor BGP routing information.

Action
To view BGP routing information in the J-Web interface, select
Monitor>Routing>BGP Information.

To view BGP routing information in the CLI, enter the following commands:

show bgp summary
show bgp neighbor

Meaning
Table 85 on page 603 summarizes key output fields in the BGP routing display.

Table 85: Summary of Key BGP Routing Output Fields

Each entry lists the field, its values, and additional information.

BGP Summary

Total Groups
Values: Number of BGP groups.

Total Peers
Values: Number of BGP peers.

Down Peers
Values: Number of unavailable BGP peers.

Peer
Values: Address of each BGP peer.

InPkt
Values: Number of packets received from the peer.

OutPkt
Values: Number of packets sent to the peer.

Flaps
Values: Number of times a BGP session has changed state from Down to Up.
Additional Information: A high number of flaps might indicate a problem with the
interface on which the BGP session is enabled.

Last Up/Down
Values: Last time that a session became available or unavailable, since the neighbor
transitioned to or from the established state.
Additional Information: If the BGP session is unavailable, this time might be useful
in determining when the problem occurred.

State
Values: A multipurpose field that displays information about BGP peer sessions. The
contents of this field depend upon whether a session is established.
- If a peer is not established, the field shows the state of the peer session: Active,
Connect, or Idle.
- If a BGP session is established, the field shows the number of active, received, and
damped routes that are received from a neighbor. For example, 2/4/0 indicates two
active routes, four received routes, and no damped routes.

BGP Neighbors

Peer Address
Values: Address of the BGP neighbor.

Autonomous System
Values: AS number of the peer.

Type
Values: Type of peer: Internal or External.

State
Values: Current state of the BGP session:
- Active: BGP is initiating a TCP connection in an attempt to connect to a peer. If the
connection is successful, BGP sends an open message.
- Connect: BGP is waiting for the TCP connection to become complete.
- Established: The BGP session has been established, and the peers are exchanging
BGP update messages.
- Idle: This is the first stage of a connection. BGP is waiting for a Start event.
- OpenConfirm: BGP has acknowledged receipt of an open message from the peer and
is waiting to receive a keepalive or notification message.
- OpenSent: BGP has sent an open message and is waiting to receive an open message
from the peer.
Additional Information: Generally, the most common states are Active, which
indicates a problem establishing the BGP connection, and Established, which
indicates a successful session setup. The other states are transition states, and BGP
sessions normally do not stay in those states for extended periods of time.

Export
Values: Names of any export policies configured on the peer.

Import
Values: Names of any import policies configured on the peer.

Number of flaps
Values: Number of times the BGP session has changed state from Down to Up.
Additional Information: A high number of flaps might indicate a problem with the
interface on which the session is established.
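The State column of the summary display carries two different kinds of value, a session state for peers that are down and active/received/damped counts for peers that are up, so a script that watches BGP from the outside has to tell them apart before it can alert. The following Python example, added here and not Juniper code, does that over a constructed `show bgp summary` excerpt and applies the two conditions Table 85 calls out: a peer stuck in a non-established state (Active being the usual sign of a connection problem) and a peer whose flap count is high. The column layout of the sample is an assumption about the real command's output; the flap limit is an operator-chosen value.

```python
"""Checks over `show bgp summary` output, as an added example (not Juniper
code) of reading the State and Flaps fields described in Table 85: a peer that
is not established shows its session state (Active, Connect, or Idle), while an
established peer shows active/received/damped route counts such as 2/4/0. The
sample output below is constructed and its column layout is an assumption; the
flap limit is an operator-chosen value.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of a show bgp summary peer table.
SAMPLE_OUTPUT = """\
Groups: 1 Peers: 3 Down peers: 1
Peer          AS   InPkt  OutPkt  OutQ  Flaps Last Up/Dwn State|#Active/Received/Damped...
10.0.0.2   65001    1234    1230     0      0     1:02:03 2/4/0
10.0.0.3   65002     512     510     0      7       10:15 1/1/0
10.0.0.4   65003       0       0     0      0     2:00:00 Active
"""

# One peer line: address, AS, InPkt, OutPkt, OutQ, Flaps, Last Up/Down, State.
PEER_LINE = re.compile(
    r"^(?P<peer>\d+\.\d+\.\d+\.\d+)\s+(?P<asn>\d+)\s+(?P<inpkt>\d+)\s+(?P<outpkt>\d+)"
    r"\s+(?P<outq>\d+)\s+(?P<flaps>\d+)\s+(?P<updown>\S+)\s+(?P<state>\S+)"
)
ROUTE_COUNTS = re.compile(r"^(\d+)/(\d+)/(\d+)$")


@dataclass
class PeerSummary:
    peer: str
    asn: int
    flaps: int
    last_up_down: str
    established: bool
    state: Optional[str] = None   # Active, Connect or Idle when not established
    active: int = 0
    received: int = 0
    damped: int = 0


def parse_summary(text: str) -> List[PeerSummary]:
    """Turn the peer lines of a show bgp summary display into PeerSummary records."""
    peers: List[PeerSummary] = []
    for line in text.splitlines():
        m = PEER_LINE.match(line)
        if not m:
            continue  # the Groups/Peers line and the column header are skipped
        common = (m["peer"], int(m["asn"]), int(m["flaps"]), m["updown"])
        counts = ROUTE_COUNTS.match(m["state"])
        if counts:
            active, received, damped = (int(x) for x in counts.groups())
            peers.append(PeerSummary(*common, True, None, active, received, damped))
        else:
            peers.append(PeerSummary(*common, False, m["state"]))
    return peers


def peers_needing_attention(peers: List[PeerSummary],
                            max_flaps: int = 5) -> List[Tuple[str, str]]:
    """Flag peers that are not established or have flapped more than max_flaps times."""
    findings = []
    for p in peers:
        if not p.established:
            findings.append((p.peer, f"not established: state {p.state}, "
                                     f"last change {p.last_up_down}"))
        elif p.flaps > max_flaps:
            findings.append((p.peer, f"{p.flaps} flaps: check the interface "
                                     f"the session runs on"))
    return findings


if __name__ == "__main__":
    for peer, why in peers_needing_attention(parse_summary(SAMPLE_OUTPUT)):
        print(f"{peer}: {why}")
```

The Last Up/Down value is carried through into the finding for a down peer because, as the table notes, it tells you when the problem started; pairing it with the flap count distinguishes a session that went down once from one that keeps bouncing.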


Related Topics

Configuring BGP Sessions (J-Web Procedure) on page 589

Layer 3 Protocols Supported on EX-series Switches on page 7

Monitoring DHCP Services

Purpose
A switch can operate as a DHCP server. When it is a DHCP server, use the monitoring
functionality to view information about dynamic and static DHCP leases, conflicts,
pools, and statistics.

Action
To monitor the DHCP server in the J-Web interface, select Monitor>Services>DHCP.

To monitor the DHCP server in the CLI, enter the following CLI commands:

show system services dhcp binding
show system services dhcp conflict
show system services dhcp pool
show system services dhcp statistics

Meaning
Table 86 on page 605 summarizes the output fields in DHCP displays.

Table 86: Summary of DHCP Output Fields

Each entry lists the field, its values, and additional information.

DHCP Leases

Allocated Address
Values: List of IP addresses the DHCP server has assigned to clients.

MAC Address
Values: Corresponding media access control (MAC) address of the client.

Binding Type
Values: Type of binding assigned to the client: dynamic or static.
Additional Information: DHCP servers can assign a dynamic binding from a pool of IP
addresses or a static binding to one or more specific IP addresses.

Lease Expires
Values: Date and time the lease expires, or never for leases that do not expire.

DHCP Conflicts

Detection Time
Values: Date and time the client detected the conflict.

Detection Method
Values: How the conflict was detected.
Additional Information: Only client-detected conflicts are displayed.

Address
Values: IP address where the conflict occurs.
Additional Information: The addresses in the conflicts list remain excluded until you
use the clear system services dhcp conflict command to manually clear the list.

DHCP Pools

Pool Name
Values: Subnet on which the IP address pool is defined.

Low Address
Values: Lowest address in the IP address pool.

High Address
Values: Highest address in the IP address pool.

Excluded Addresses
Values: Addresses excluded from the address pool.

DHCP Statistics

Default lease time
Values: Lease time assigned to clients that do not request a specific lease time.

Minimum lease time
Values: Minimum time a client can retain an IP address lease on the server.

Maximum lease time
Values: Maximum time a client can retain an IP address lease on the server.

Packets dropped
Values: Total number of packets dropped and the number of packets dropped due to a
particular condition.

Messages received
Values: Number of BOOTREQUEST, DHCPDECLINE, DHCPDISCOVER, DHCPINFORM,
DHCPRELEASE, and DHCPREQUEST messages sent from DHCP clients and received
by the DHCP server.

Messages sent
Values: Number of BOOTREPLY, DHCPACK, DHCPOFFER, and DHCPNAK messages
sent from the DHCP server to DHCP clients.

Related Topics

DHCP Services for EX-series Switches Overview on page 579

Configuring DHCP Services (J-Web Procedure) on page 590

Monitoring OSPF Routing Information

Purpose
Use the monitoring functionality to monitor OSPF routing information.

Action
To view OSPF routing information in the J-Web interface, select
Monitor>Routing>OSPF Information.

To view OSPF routing information in the CLI, enter the following CLI commands:

show ospf neighbor
show ospf interface
show ospf statistics

Meaning
Table 87 on page 607 summarizes key output fields in the OSPF routing display.

Table 87: Summary of Key OSPF Routing Output Fields

Each entry lists the field, its values, and additional information.

OSPF Neighbors

Address
Values: Address of the neighbor.

Interface Name
Values: Interface through which the neighbor is reachable.

State
Values: State of the neighbor: Attempt, Down, Exchange, ExStart, Full, Init, Loading,
or 2way.
Additional Information: Generally, only the Down state, indicating a failed OSPF
adjacency, and the Full state, indicating a functional adjacency, are maintained for
more than a few seconds. The other states are transitional states that a neighbor is in
only briefly while an OSPF adjacency is being established.

ID
Values: ID of the neighbor.

Priority
Values: Priority of the neighbor to become the designated switch.

OSPF Interfaces

Interface
Values: Name of the interface running OSPF.

State
Values: State of the interface: BDR, Down, DR, DRother, Loop, PtToPt, or Waiting.
Additional Information: The Down state, indicating that the interface is not
functioning, and the PtToPt state, indicating that a point-to-point connection has
been established, are the most common states.

Area
Values: Number of the area that the interface is in.

DR ID
Values: Address of the area's designated device.

BDR ID
Values: Address of the area's backup designated device.

Neighbors
Values: Number of neighbors on this interface.

Adjacency Count
Values: Number of devices in the area using the same area identifier.

Stub Type
Values: The areas into which OSPF does not flood AS external advertisements.

Passive Mode
Values: In this mode the interface is present on the network but does not transmit or
receive packets.

Authentication Type
Values: The authentication scheme for the backbone or area.

Interface Address
Values: The IP address of the interface.

Address Mask
Values: The subnet mask or address prefix.

MTU
Values: The maximum transmission unit size.

Interface Cost
Values: The path cost of the interface. The root path cost from any given LAN segment
is determined by the total cost of each link in the path.

Hello Interval
Values: How often the switch sends hello packets out of the interface.

Dead Interval
Values: The interval during which the switch receives no hello packets from the
neighbor.

Retransmit Interval
Values: The interval for which the switch waits to receive a link-state
acknowledgment packet before retransmitting link-state advertisements to an
interface's neighbors.

OSPF Statistics

Packet Type
Values: Type of OSPF packet.

Packets Sent
Values: Total number of packets sent.

Packets Received
Values: Total number of packets received.

Depth of flood Queue
Values: Number of entries in the extended queue.

Total Retransmits
Values: Number of retransmission entries enqueued.

Total Database Summaries
Values: Total number of database description packets.

Related Topics

Configuring an OSPF Network (J-Web Procedure) on page 594

Layer 3 Protocols Supported on EX-series Switches on page 7

Monitoring RIP Routing Information

Purpose
Use the monitoring functionality to monitor RIP routing.

Action
To view RIP routing information in the J-Web interface, select Monitor>Routing>RIP
Routing.

To view RIP routing information in the CLI, enter the following CLI commands:

show rip statistics
show rip neighbor

Meaning
Table 88 on page 609 summarizes key output fields in the RIP routing display.

Table 88: Summary of Key RIP Routing Output Fields

Each entry lists the field, its values, and additional information.

RIP Statistics

RIP Protocol Name
Values: The RIP protocol name.

RIP Port
Values: The port on which RIP is enabled.

Hold Down
Values: The interval during which routes are neither advertised nor updated.

Routes Learned
Values: Number of RIP routes learned on the logical interface.

Routes Held Down
Values: Number of RIP routes that are not advertised or updated during hold-down.

Requests Dropped
Values: Number of requests dropped.

Responses Dropped
Values: Number of responses dropped.

RIP Neighbors

Neighbor
Values: Name of the RIP neighbor.
Additional Information: This value is the name of the interface on which RIP is
enabled. Click the name to see the details for this neighbor.

State
Values: State of the RIP connection: Up or Dn (Down).

Source Address
Values: Local source address.
Additional Information: This value is the configured address of the interface on
which RIP is enabled.

Destination Address
Values: Destination address.
Additional Information: This value is the configured address of the immediate RIP
adjacency.

Send Mode
Values: The mode of sending RIP messages.

Receive Mode
Values: The mode in which messages are received.

In Metric
Values: Value of the incoming metric configured for the RIP neighbor.

Related Topics

Configuring a RIP Network (J-Web Procedure) on page 595

Layer 3 Protocols Supported on EX-series Switches on page 7


Monitoring Routing Information

Purpose
Use the monitoring functionality to view the inet.0 routing table.

Action
To view the routing tables in the J-Web interface, select Monitor>Routing>Static
Routing.

To view the routing table in the CLI, enter the following commands in the CLI
interface:

show route terse
show route detail

Meaning
Table 89 on page 610 summarizes key output fields in the routing information display.

Table 89: Summary of Key Routing Information Output Fields

Each entry lists the field, its values, and additional information.

n destinations
Values: Number of destinations for which there are routes in the routing table.

n routes
Values: Number of routes in the routing table:
- active: Number of routes that are active.
- hold down: Number of routes that are in hold-down state (neither advertised nor
updated) before being declared inactive.
- hidden: Number of routes not used because of routing policies configured on the
switching platform.

Destination
Values: Destination address of the route.

Protocol/Preference
Values: Protocol from which the route was learned: Static, Direct, Local, or the name
of a particular protocol. The preference is the individual preference value for the
route.
Additional Information: The route preference is used as one of the route selection
criteria.

Next-Hop
Values: Network layer address of the directly reachable neighboring system (if
applicable) and the interface used to reach it.
Additional Information: If a next hop is listed as Discard, all traffic with that
destination address is discarded rather than routed. This value generally means that
the route is a static route for which the discard attribute has been set.
If a next hop is listed as Reject, all traffic with that destination address is rejected.
This value generally means that the address is unreachable. For example, if the
address is a configured interface address and the interface is unavailable, traffic
bound for that address is rejected.
If a next hop is listed as Local, the destination is an address on the host (either the
loopback address or Ethernet management port 0 address, for example).

Age
Values: How long the route has been known.

State
Values: Flags for this route.
Additional Information: There are many possible flags.

AS Path
Values: AS path through which the route was learned. The letters of the AS path
indicate the path origin:
- I: IGP.
- E: EGP.
- ?: Incomplete. Typically, the AS path was aggregated.

Related Topics

Configuring Static Routing (J-Web Procedure) on page 601

Configuring Static Routing (CLI Procedure) on page 600


Chapter 41

Configuration Statements for Layer 3 Protocols

[edit protocols] Configuration Statement Hierarchy on page 613

[edit protocols] Configuration Statement Hierarchy

protocols {
    dot1x {
        authenticator {
            authentication-profile-name access-profile-name;
            static {
                mac-address {
                    vlan-assignment (vlan-id | vlan-name);
                    interface interface-names;
                }
            }
            interface (all | interface-name) {
                disable;
                guest-vlan (vlan-name | vlan-id);
                maximum-requests seconds;
                no-reauthentication;
                quiet-period seconds;
                reauthentication {
                    interval seconds;
                }
                retries number;
                server-timeout seconds;
                supplicant (single | single-secure | multiple);
                supplicant-timeout seconds;
                transmit-period seconds;
            }
        }
    }
    gvrp {
        <enable | disable>;
        interface (all | [interface-name]) {
            disable;
        }
        join-timer milliseconds;
        leave-timer milliseconds;
        leaveall-timer milliseconds;
    }
    igmp-snooping {
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
            flag flag (detail | disable | receive | send);
        }
        vlan (vlan-id | vlan-name) {
            disable {
                interface interface-name;
            }
            immediate-leave;
            interface interface-name {
                multicast-router-interface;
                static {
                    group ip-address;
                }
            }
            query-interval seconds;
            query-last-member-interval seconds;
            query-response-interval seconds;
            robust-count number;
        }
    }
    lldp {
        disable;
        advertisement-interval seconds;
        hold-multiplier number;
        interface (all | interface-name) {
            disable;
        }
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
            flag flag (detail | disable | receive | send);
        }
        transmit-delay seconds;
    }
    lldp-med {
        disable;
        fast-start number;
        interface (all | interface-name) {
            disable;
            location {
                elin number;
                civic-based {
                    what number;
                    country-code code;
                    ca-type {
                        number {
                            ca-value value;
                        }
                    }
                }
            }
        }
    }
    mstp {
        disable;
        bpdu-block-on-edge;
        bridge-priority priority;
        configuration-name name;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        max-hops hops;
        msti msti-id {
            vlan (vlan-id | vlan-name);
            interface interface-name {
                disable;
                cost cost;
                edge;
                mode mode;
                priority priority;
            }
        }
        revision-level revision-level;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
            flag flag;
        }
    }
    rstp {
        disable;
        bpdu-block-on-edge;
        bridge-priority priority;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
            flag flag;
        }
    }
    stp {
        disable;
        bridge-priority priority;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
            flag flag;
        }
    }
}
Related Topics

802.1X for EX-series Switches Overview on page 639

Example: Configure Automatic VLAN Administration Using GVRP on page 393

IGMP Snooping on EX-series Switches Overview on page 581

Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

Understanding MSTP for EX-series Switches on page 422

Understanding RSTP for EX-series Switches on page 421

Understanding STP for EX-series Switches on page 420

disable

Syntax
disable {
    interface interface-name;
}

Hierarchy Level
[edit protocols igmp-snooping vlan vlan-id | vlan-name]

Release Information
Statement introduced in JUNOS Release 9.2 for EX-series switches.

Description
Disable IGMP snooping on all interfaces in a VLAN or on a specific VLAN interface.

Default
If you do not specify an interface, all interfaces in the given VLAN are disabled.

Options
interface-name: Name of the interface.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring IGMP Snooping on EX-series Switches on page 585
Configuring IGMP Snooping (CLI Procedure) on page 593

group

Syntax
group ip-address;

Hierarchy Level
[edit protocols igmp-snooping vlan vlan-id | vlan-name interface interface-name static]

Release Information
Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description
Configure a static multicast group using a valid IP multicast address.

Default
None.

Options
ip-address: IP address of the multicast group receiving data on an interface.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring IGMP Snooping on EX-series Switches on page 585
Configuring IGMP Snooping (CLI Procedure) on page 593

igmp-snooping

Syntax
igmp-snooping {
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag (detail | disable | receive | send);
    }
    vlan vlan-id | vlan-name {
        disable {
            interface interface-name;
        }
        immediate-leave;
        interface interface-name {
            multicast-router-interface;
            static {
                group ip-address;
            }
        }
        query-interval seconds;
        query-last-member-interval seconds;
        query-response-interval seconds;
        robust-count number;
    }
}

Hierarchy Level
[edit protocols]

Release Information
Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description
Enable and configure IGMP snooping on EX-series switches.
The remaining statements are explained separately.

Default
IGMP snooping is disabled by default.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring IGMP Snooping on EX-series Switches on page 585
Configuring IGMP Snooping (CLI Procedure) on page 593

immediate-leave

Syntax
immediate-leave;

Hierarchy Level
[edit protocols igmp-snooping vlan vlan-id | vlan-name]

Release Information
Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description
(Applies only to switches running IGMPv2.) After the switch receives a leave group
membership message from a host, immediately remove the group membership from
the interface and suppress the sending of any group-specific queries for the multicast
group.

NOTE: When configuring this statement, ensure that the IGMP interface has only
one IGMP host connected. If more than one IGMPv2 host is connected to the switch
through the same interface and one of the hosts sends a leave message, the switch
removes all hosts on the interface from the multicast group. The switch loses contact
with the hosts in the multicast group that did not send a leave message until they
send join requests in response to the next general multicast listener query from the
router.

Default
The immediate-leave feature is disabled.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring IGMP Snooping on EX-series Switches on page 585
Configuring IGMP Snooping (CLI Procedure) on page 593

interface

Syntax
interface interface-name {
    multicast-router-interface;
    static {
        group ip-address;
    }
}

Hierarchy Level
[edit protocols igmp-snooping vlan vlan-id | vlan-name]

Release Information
Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description
Enable IGMP snooping on an interface and configure interface-specific properties.
The remaining statements are explained separately.

Default
None.

Options
interface-name: Name of the interface.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show igmp-snooping vlans on page 635
Example: Configuring IGMP Snooping on EX-series Switches on page 585
Configuring IGMP Snooping (CLI Procedure) on page 593

multicast-router-interface

Syntax
multicast-router-interface;

Hierarchy Level
[edit protocols igmp-snooping vlan vlan-id | vlan-name interface interface-name]

Release Information
Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description
Statically configure an interface as a switching interface toward a multicast router
(the interface to receive multicast traffic).

Default
Disabled.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Configuring IGMP Snooping on EX-series Switches on page 585
Configuring IGMP Snooping (CLI Procedure) on page 593

query-interval

Syntax

query-interval seconds;

Hierarchy Level

[edit protocols igmp-snooping vlan vlan-id | vlan-name]

Release Information

Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description

Configure how frequently the switch sends host-query timeout messages to a multicast
group.

Default

125 seconds.

Options

seconds: Number of seconds between host-query timeout messages.
Range: 1 through 1024 seconds

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring IGMP Snooping on EX-series Switches on page 585

Configuring IGMP Snooping (CLI Procedure) on page 593

query-last-member-interval

Syntax

query-last-member-interval seconds;

Hierarchy Level

[edit protocols igmp-snooping vlan vlan-id | vlan-name]

Release Information

Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description

Configure the interval between group-specific query timeout messages sent by the
switch.

Default

1 second.

Options

seconds: Amount of time between group-specific query timeout messages.
Range: 1 through 1024 seconds

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring IGMP Snooping on EX-series Switches on page 585

Configuring IGMP Snooping (CLI Procedure) on page 593


query-response-interval

Syntax

query-response-interval seconds;

Hierarchy Level

[edit protocols igmp-snooping vlan vlan-id | vlan-name]

Release Information

Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description

Configure the length of time the switch waits to receive a response to a specific query
message from a host.

Default

10 seconds.

Options

seconds: Number of seconds the switch waits to receive a response to a specific
query message from a host.
Range: 1 through 25 seconds

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring IGMP Snooping on EX-series Switches on page 585

Configuring IGMP Snooping (CLI Procedure) on page 593

robust-count

Syntax

robust-count number;

Hierarchy Level

[edit protocols igmp-snooping vlan vlan-id | vlan-name]

Release Information

Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description

Configure the number of intervals the switch waits before removing a multicast group
from the multicast forwarding table. The length of each interval is configured using
the query-interval statement.

Default

Options

number: Number of intervals the switch waits before timing out a multicast group.
Range: 2 through 10

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring IGMP Snooping on EX-series Switches on page 585

Configuring IGMP Snooping (CLI Procedure) on page 593


traceoptions

Syntax

traceoptions {
    file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
    flag flag (detail | disable | receive | send);
}

Hierarchy Level

[edit protocols igmp-snooping]

Release Information

Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description

Define tracing operations for IGMP snooping.

Default

The traceoptions feature is disabled by default.

Options

file filename: Name of the file to receive the output of the tracing operation. Enclose
the name within quotation marks. All files are placed in the directory /var/log.

files number: (Optional) Maximum number of trace files. When a trace file named
trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1,
and so on, until the maximum number of trace files is reached, at which point the
oldest trace file is overwritten. If you specify a maximum number of files, you also
must specify a maximum file size with the size option.
Range: 2 through 1000
Default: 3 files

flag flag: Tracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. You can include the following flags:

all: All tracing operations.

general: Trace general IGMP snooping protocol events.

leave: Trace leave group messages (IGMPv2 only).

normal: Trace normal IGMP snooping protocol events.

packets: Trace all IGMP packets.

policy: Trace policy processing.

query: Trace IGMP membership query messages.

report: Trace membership report messages.

route: Trace routing information.

state: Trace IGMP state transitions.

task: Trace routing protocol task processing.

timer: Trace routing protocol timer processing.

match regex: (Optional) Refine the output to include only lines that contain the regular
expression.

no-world-readable: (Optional) Restrict file access to the user who created the file.

size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes
(MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum
size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum
number of trace files is reached. Then the oldest trace file is overwritten. If you
specify a maximum file size, you also must specify a maximum number of files
with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB

world-readable: (Optional) Enable unrestricted file access.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring IGMP Snooping on EX-series Switches on page 585

Configuring IGMP Snooping (CLI Procedure) on page 593


vlan

Syntax

vlan vlan-id | vlan-name {
    disable {
        interface interface-name;
    }
    immediate-leave;
    interface interface-name {
        multicast-router-interface;
        static {
            group ip-address;
        }
    }
    query-interval seconds;
    query-last-member-interval seconds;
    query-response-interval seconds;
    robust-count number;
}

Hierarchy Level

[edit protocols igmp-snooping]

Release Information

Statement introduced in JUNOS Release 9.1 for EX-series switches.

Description

Configure IGMP snooping parameters for a VLAN.
The remaining statements are explained separately.

Default

IGMP snooping options apply to the specified VLAN.

Options

vlan-id: Numeric tag for a VLAN.
Range: 0 through 4095. Tags 0 and 4095 are reserved by JUNOS software, and
you should not configure them.

vlan-name: Name of a VLAN.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Configuring IGMP Snooping (CLI Procedure) on page 593

IGMP Snooping on EX-series Switches Overview on page 581
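A small builder for this vlan hierarchy, added here as an example and not Juniper's code: it enforces the ranges documented above for query-interval, query-last-member-interval, query-response-interval, robust-count and vlan-id, emits the stanza, and derives the Membership timeout and Querier timeout that show igmp-snooping vlans detail reports. The timer formulas come from RFC 2236 (an assumption, not stated on this page; under the documented defaults they reproduce the 260 and 255 in the sample output), and the robust-count default of 2 is likewise assumed because the page leaves it blank.

```python
"""Builder for the [edit protocols igmp-snooping vlan] stanza documented above.
Added example, not Juniper code.  It enforces the documented ranges and derives
the Membership timeout / Querier timeout that 'show igmp-snooping vlans detail'
prints, using the RFC 2236 formulas (an assumption; they reproduce the sample
output's 260 and 255 under the documented defaults)."""
import ipaddress
from dataclasses import dataclass, field

# Statement -> (min, max), as documented on this page, in the order the vlan
# syntax lists them.  Values are seconds except robust-count (intervals).
RANGES = {
    "query-interval": (1, 1024),
    "query-last-member-interval": (1, 1024),
    "query-response-interval": (1, 25),
    "robust-count": (2, 10),
}
DEFAULTS = {
    "query-interval": 125,
    "query-last-member-interval": 1,
    "query-response-interval": 10,
    "robust-count": 2,   # assumption: the page leaves this default blank
}


@dataclass
class SnoopingVlan:
    vlan: str                                   # vlan-name, or vlan-id as text
    immediate_leave: bool = False               # see the one-host caveat above
    mrouter_interfaces: list = field(default_factory=list)
    static_groups: dict = field(default_factory=dict)   # interface -> [groups]
    timers: dict = field(default_factory=dict)          # statement -> value

    def validate(self):
        # Tags 0 and 4095 are reserved by JUNOS software, so only 1..4094 are usable.
        if self.vlan.isdigit() and not 1 <= int(self.vlan) <= 4094:
            raise ValueError(f"vlan-id {self.vlan} is reserved or out of range")
        for stmt, value in self.timers.items():
            if stmt not in RANGES:
                raise ValueError(f"unknown statement {stmt}")
            lo, hi = RANGES[stmt]
            if not lo <= value <= hi:
                raise ValueError(f"{stmt} {value} is outside {lo} through {hi}")
        for intf, groups in self.static_groups.items():
            for group in groups:
                if not ipaddress.ip_address(group).is_multicast:
                    raise ValueError(f"{group} on {intf} is not a multicast group")

    def effective(self, stmt):
        return self.timers.get(stmt, DEFAULTS[stmt])

    def membership_timeout(self):
        # Group Membership Interval = robust-count * query-interval
        #                             + query-response-interval   (2*125 + 10 = 260)
        return (self.effective("robust-count") * self.effective("query-interval")
                + self.effective("query-response-interval"))

    def querier_timeout(self):
        # Other Querier Present Interval = robust-count * query-interval
        #                                  + query-response-interval / 2  (250 + 5 = 255)
        return (self.effective("robust-count") * self.effective("query-interval")
                + self.effective("query-response-interval") // 2)

    def render(self):
        """Return the stanza in JUNOS curly-brace form, validated first."""
        self.validate()
        ind = "    "
        lines = ["protocols {", ind + "igmp-snooping {", ind * 2 + f"vlan {self.vlan} {{"]
        if self.immediate_leave:
            lines.append(ind * 3 + "immediate-leave;")
        for intf in sorted(set(self.mrouter_interfaces) | set(self.static_groups)):
            lines.append(ind * 3 + f"interface {intf} {{")
            if intf in self.mrouter_interfaces:
                lines.append(ind * 4 + "multicast-router-interface;")
            if intf in self.static_groups:
                lines.append(ind * 4 + "static {")
                lines += [ind * 5 + f"group {g};" for g in self.static_groups[intf]]
                lines.append(ind * 4 + "}")
            lines.append(ind * 3 + "}")
        for stmt in RANGES:                       # documented order
            if stmt in self.timers:
                lines.append(ind * 3 + f"{stmt} {self.timers[stmt]};")
        lines += [ind * 2 + "}", ind + "}", "}"]
        return "\n".join(lines)


if __name__ == "__main__":
    demo = SnoopingVlan("employee-vlan", mrouter_interfaces=["ge-0/0/45.0"],
                        static_groups={"ge-0/0/46.0": ["224.1.1.1"]},
                        timers={"query-interval": 60, "robust-count": 3})
    print(demo.render())
    print("membership timeout", demo.membership_timeout(),
          "querier timeout", demo.querier_timeout())
```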


Chapter 42

Operational Mode Commands for Layer 3 Protocols

clear igmp-snooping membership

Syntax

clear igmp-snooping membership
<vlan vlan-id | vlan-name>

Release Information

Command introduced in JUNOS Release 9.1 for EX-series switches.

Description

Clear IGMP snooping membership information.

Options

vlan vlan-id: Numeric tag identifier of the VLAN.

vlan vlan-name: Name of the VLAN.

Required Privilege Level

view

Related Topics

show igmp-snooping membership on page 630

List of Sample Output

clear igmp-snooping membership on page 628

clear igmp-snooping membership

user@switch> clear igmp-snooping membership vlan employee-vlan


clear igmp-snooping statistics

Syntax

clear igmp-snooping statistics

Release Information

Command introduced in JUNOS Release 9.1 for EX-series switches.

Description

Clear IGMP snooping statistics.

Required Privilege Level

view

Related Topics

show igmp-snooping statistics on page 634

List of Sample Output

clear igmp-snooping statistics on page 629

clear igmp-snooping statistics

user@switch> clear igmp-snooping statistics


show igmp-snooping membership

Syntax

show igmp-snooping membership
<brief | detail>
<interface interface-name>
<vlan vlan-id | vlan-number>

Release Information

Command introduced in JUNOS Release 9.1 for EX-series switches.

Description

Display IGMP snooping membership information.

Options

none: Display general parameters.

brief | detail: (Optional) Display the specified level of output.

interface interface-name: (Optional) Display IGMP snooping information for the
specified interface.

vlan vlan-id | vlan-number: (Optional) Display IGMP snooping information for the
specified VLAN.

Required Privilege Level

view

Related Topics

Configuring IGMP Snooping (CLI Procedure) on page 593

List of Sample Output

show igmp-snooping membership on page 631

show igmp-snooping membership detail on page 631

Output Fields

Table 42 on page 1160 lists the output fields for the show igmp-snooping membership
command. Output fields are listed in the approximate order in which they appear.

Table 90: show igmp-snooping membership Output Fields

Field Name        | Field Description                                                         | Level of Output
VLAN              | Name of the VLAN.                                                         | All
Interfaces        | Interfaces assigned to the VLAN.                                          | All
Tag               | Numerical identifier of the VLAN.                                         | detail
Router interfaces | Names of interfaces statically configured as multicast router interfaces. | detail
Group             | IP multicast address of the multicast group.                              | All
Receiver count    | Number of interfaces that have membership in a multicast group.           | detail
Flags             | IGMP version of the host sending a join message. The IGMP version can be V1-hosts, V2-hosts, or static. | detail
timeout           | Length of time (in seconds) left until the entry is removed.              | All


show igmp-snooping membership

user@switch> show igmp-snooping membership
VLAN: v1
    224.1.1.1                *    258 secs
        Interfaces: ge-0/0/0.0
    224.1.1.3                *    258 secs
        Interfaces: ge-0/0/0.0
    224.1.1.5                *    258 secs
        Interfaces: ge-0/0/0.0
    224.1.1.7                *    258 secs
        Interfaces: ge-0/0/0.0
    224.1.1.9                *    258 secs
        Interfaces: ge-0/0/0.0
    224.1.1.11               *    258 secs
        Interfaces: ge-0/0/0.0

show igmp-snooping membership detail

user@switch> show igmp-snooping membership detail
VLAN: default Tag: 0 (Index: 119)
Router interfaces: ge-2/0/45.0, ge-2/0/47.0, ge-2/0/46.0
Group: 224.1.1.1
Receiver count: 0, Flags: <V1-hosts V2-hosts>
ge-2/0/46.0 timeout: 203
Group: 224.1.1.2
Receiver count: 0, Flags: <V1-hosts V2-hosts>
ge-2/0/46.0 timeout: 203
Group: 224.1.1.3
Receiver count: 0, Flags: <V1-hosts V2-hosts>
ge-2/0/46.0 timeout: 203
Group: 224.1.1.4
Receiver count: 0, Flags: <V1-hosts V2-hosts>
ge-2/0/46.0 timeout: 204
Group: 224.1.1.5
Receiver count: 0, Flags: <V1-hosts V2-hosts>
ge-2/0/46.0 timeout: 204
Group: 224.1.1.6


show igmp-snooping route

Syntax

show igmp-snooping route
<brief | detail>
<ethernet-switching <brief | detail | vlan (vlan-id | vlan-name)>>
<inet <brief | detail | vlan (vlan-id | vlan-name)>>
<vlan vlan-id | vlan-name>

Release Information

Command introduced in JUNOS Release 9.1 for EX-series switches.

Description

Display IGMP snooping route information.

Options

none: Display general parameters.

brief | detail: (Optional) Display the specified level of output.

ethernet-switching: (Optional) Display Ethernet switching information.

inet: (Optional) Display inet information.

vlan vlan-id | vlan-name: (Optional) Display route information for the specified
VLAN.

Required Privilege Level

view

Related Topics

show igmp-snooping statistics on page 634

show igmp-snooping vlans on page 635

List of Sample Output

show igmp-snooping route on page 632

show igmp-snooping route vlan v1 on page 633

Output Fields

Table 42 on page 1160 lists the output fields for the show igmp-snooping route command.
Output fields are listed in the approximate order in which they appear.

Table 91: show igmp-snooping route Output Fields

Field Name | Field Description
Table      | (For internal use only. Value is always 0.)
VLAN       | Name of the VLAN.
Group      | Multicast group address.
Next-hop   | ID associated with the next-hop device.

show igmp-snooping route

user@switch> show igmp-snooping route
VLAN    Group            Next-hop
v11     224.1.1.1, *     533
        Interfaces: ge-0/0/13.0, ge-0/0/1.0
VLAN    Group            Next-hop
v12     224.1.1.3, *     534
        Interfaces: ge-0/0/13.0, ge-0/0/0.0

show igmp-snooping route vlan v1

user@switch> show igmp-snooping route vlan v1
Table: 0
VLAN    Group            Next-hop
v1      224.1.1.1, *     1266
        Interfaces: ge-0/0/0.0
v1      224.1.1.3, *     1266
        Interfaces: ge-0/0/0.0
v1      224.1.1.5, *     1266
        Interfaces: ge-0/0/0.0
v1      224.1.1.7, *     1266
        Interfaces: ge-0/0/0.0
v1      224.1.1.9, *     1266
        Interfaces: ge-0/0/0.0
v1      224.1.1.11, *    1266
        Interfaces: ge-0/0/0.0


show igmp-snooping statistics

Syntax

show igmp-snooping statistics

Release Information

Command introduced in JUNOS Release 9.1 for EX-series switches.

Description

Display IGMP snooping statistics.

Required Privilege Level

view

Related Topics

show igmp-snooping route on page 632

show igmp-snooping vlans on page 635

List of Sample Output

show igmp-snooping statistics on page 634

Output Fields

Table 42 on page 1160 lists the output fields for the show igmp-snooping statistics
command. Output fields are listed in the approximate order in which they appear.

Table 92: show igmp-snooping statistics Output Fields

Field Name        | Field Description
Bad length        | IGMP packet has illegal or bad length.
Bad checksum      | IGMP or IP checksum is incorrect.
Invalid interface | Packet was received through an invalid interface.
Receive unknown   | Unknown IGMP type.
Timed out         | Number of timeouts for all multicast groups.
IGMP Type         | Type of IGMP message (Query, Report, Leave, or Other).
Received          | Number of IGMP packets received.
Transmitted       | Number of IGMP packets transmitted.
Recv Errors       | Number of general receive errors.

show igmp-snooping statistics

user@switch> show igmp-snooping statistics
Bad length: 0 Bad checksum: 0 Invalid interface: 0
Not local: 0 Receive unknown: 0 Timed out: 58
IGMP Type    Received    Transmitted    Recv Errors
Queries:     74295       0              0
Reports:     18148423    0              16333523
Leaves:      0           0              0
Other:       0           0              0
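A parser for this statistics output, added here as an example and not Juniper's code, that turns the counters into alerts a defender polls for: any malformed-packet counter above zero (bad length, bad checksum, invalid interface, unknown type) and any IGMP type whose receive errors are a large share of what was received, as the Reports row in the sample output is. The sample text is constructed from the values shown above; the alert threshold is an assumption.

```python
"""Parse 'show igmp-snooping statistics' output (above) and flag the counters a
defender watches.  Added example, not Juniper code; the sample text below is
constructed from the values in the page's output."""
import re

SAMPLE = """\
Bad length: 0 Bad checksum: 0 Invalid interface: 0
Not local: 0 Receive unknown: 0 Timed out: 58
IGMP Type    Received    Transmitted    Recv Errors
Queries:     74295       0              0
Reports:     18148423    0              16333523
Leaves:      0           0              0
Other:       0           0              0
"""

# "Name: value" pairs, several per line, on the two summary lines.
SUMMARY_RE = re.compile(r"([A-Za-z ]+?):\s*(\d+)")
# One per-type row: name, Received, Transmitted, Recv Errors.
ROW_RE = re.compile(r"^(Queries|Reports|Leaves|Other):\s+(\d+)\s+(\d+)\s+(\d+)$")

# Counters whose non-zero value means malformed or misdirected IGMP was seen.
MALFORMED = ("Bad length", "Bad checksum", "Invalid interface", "Receive unknown")


def parse_statistics(text):
    """Return {"summary": {name: int}, "types": {type: {field: int}}}."""
    stats = {"summary": {}, "types": {}}
    for raw in text.splitlines():
        line = raw.strip()
        row = ROW_RE.match(line)
        if row:
            stats["types"][row.group(1)] = {
                "received": int(row.group(2)),
                "transmitted": int(row.group(3)),
                "recv_errors": int(row.group(4)),
            }
        elif ":" in line:
            for name, value in SUMMARY_RE.findall(line):
                stats["summary"][name.strip()] = int(value)
    return stats


def findings(stats, error_ratio=0.01):
    """Human-readable alerts: any malformed-packet counter above zero, and any
    IGMP type whose receive errors exceed error_ratio of packets received
    (the 1% threshold is an assumption; tune it to the network)."""
    alerts = []
    for name in MALFORMED:
        count = stats["summary"].get(name, 0)
        if count:
            alerts.append(f"{name}: {count} packets")
    for kind, row in stats["types"].items():
        if row["received"] and row["recv_errors"] / row["received"] > error_ratio:
            alerts.append(f"{kind}: {row['recv_errors']} receive errors "
                          f"of {row['received']} received")
    return alerts


def delta(previous, current):
    """Growth of each per-type counter between two polls.  Counters only grow
    until 'clear igmp-snooping statistics' resets them, so a negative value
    marks a reset rather than a real decrease."""
    return {kind: {f: current["types"][kind][f] - previous["types"][kind][f]
                   for f in current["types"][kind]}
            for kind in current["types"]}


if __name__ == "__main__":
    parsed = parse_statistics(SAMPLE)
    for alert in findings(parsed):
        print("ALERT", alert)
```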


show igmp-snooping vlans

Syntax

show igmp-snooping vlans
<brief | detail>
<vlan vlan-id | vlan-name>

Release Information

Command introduced in JUNOS Release 9.1 for EX-series switches.

Description

Display IGMP snooping VLAN information.

Options

none: Display general parameters.

brief | detail: (Optional) Display the specified level of output.

vlan vlan-id | vlan vlan-number: (Optional) Display VLAN information for the specified
VLAN.

Required Privilege Level

view

Related Topics

show igmp-snooping route on page 632

show igmp-snooping statistics on page 634

List of Sample Output

show igmp-snooping vlans on page 636

show igmp-snooping vlans vlan v10 on page 636

show igmp-snooping vlans vlan v10 detail on page 636

Output Fields

Table 42 on page 1160 lists the output fields for the show igmp-snooping vlans command.
Output fields are listed in the approximate order in which they appear.

Table 93: show igmp-snooping vlans Output Fields

Field Name         | Field Description                                      | Level of Output
VLAN               | Name of the VLAN.                                      | All levels
Interfaces         | Number of interfaces in the VLAN.                      | All levels
Groups             | Number of groups in the VLAN.                          | All levels
MRouters           | Number of multicast routers associated with the VLAN.  | All levels
Receivers          | Number of host receivers in the VLAN.                  | All levels
Tag                | Numerical identifier of the VLAN.                      | Detail
vlan-interface     | Internal VLAN interface identifier.                    | Detail
Membership timeout | Membership timeout value.                              | Detail


Table 93: show igmp-snooping vlans Output Fields (continued)

Field Name         | Field Description                                                                                                                                          | Level of Output
Querier timeout    | Timeout value for interfaces dynamically marked as router interfaces (interfaces that receive queries). When the querier timeout is reached, the switch marks the interface as a host interface. | Detail
Interface          | Name of the interface.                                                                                                                                     | Detail
Reporters          | Number of dynamic groups on an interface.                                                                                                                  | Detail

show igmp-snooping vlans

user@switch> show igmp-snooping vlans
VLAN       Interfaces  Groups  MRouters  Receivers
default    0           0       0         0
v1         11          50      0         0
v10        1           0       0         0
v11        1           0       0         0
v180       3           0       1         0
v181       3           0       0         0
v182       3           0       0         0

show igmp-snooping vlans vlan v10

user@switch> show igmp-snooping vlans vlan v10
VLAN       Interfaces  Groups  MRouters  Receivers
v10        1           0       0         0

show igmp-snooping vlans vlan v10 detail

user@switch> show igmp-snooping vlans vlan v10 detail
VLAN: v10, Tag: 10, vlan-interface: vlan.10
Membership timeout: 260, Querier timeout: 255
Interface: ge-0/0/10.0, tagged, Groups: 0, Reporters: 0

Part 10

802.1X, Port Security, and VoIP

Understanding 802.1X, Port Security, and VoIP on page 639

Examples of Configuring 802.1X, Port Security, and VoIP on page 669

Configuring 802.1X, Port Security, and VoIP on page 755

Verifying 802.1X, Port Security, and VoIP on page 785

Configuration Statements for 802.1X, Port Security, and VoIP on page 795

Operational Mode Commands for 802.1X, Port Security, and VoIP on page 865


Chapter 43

Understanding 802.1X, Port Security, and VoIP

802.1X for EX-series Switches Overview on page 639

Understanding 802.1X Authentication on EX-series Switches on page 641

Understanding Dynamic VLANs for 802.1X on EX-series Switches on page 645

Understanding Guest VLANs for 802.1X on EX-series Switches on page 646

Understanding 802.1X and AAA Accounting on EX-series Switches on page 647

Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

Understanding 802.1X Static MAC on EX-series Switches on page 650

Understanding 802.1X and VoIP on EX-series Switches on page 652

Understanding 802.1X and VSAs on EX-series Switches on page 654

Port Security for EX-series Switches Overview on page 654

Understanding How to Protect Access Ports on EX-series Switches from Common Attacks on page 656

Understanding DHCP Snooping for Port Security on EX-series Switches on page 658

Understanding DAI for Port Security on EX-series Switches on page 662

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches on page 664

Understanding Trusted DHCP Servers for Port Security on EX-series Switches on page 666

Understanding IP Source Guard for Port Security on EX-series Switches on page 666

802.1X for EX-series Switches Overview


IEEE 802.1X provides network edge security, protecting Ethernet LANs from Denial
of Service (DoS) attacks and preventing unauthorized user access.
802.1X works by using an Authenticator Port Access Entity (the switch) to block all
traffic to and from a supplicant (client) at the port until the supplicant's credentials
are presented and matched on the Authentication server (a RADIUS server). When
authenticated, the switch stops blocking traffic and opens the port to the supplicant.


The supplicant is authenticated in either single mode, single-secure mode, or multiple
mode:

single: Authenticates only the first supplicant. All other supplicants who connect
later to the port are allowed full access without any further authentication. They
effectively piggyback on the first supplicant's authentication.

single-secure: Allows only one supplicant to connect to the port. No other
supplicant is allowed to connect until the first supplicant logs out.

multiple: Allows multiple supplicants to connect to the port. Each supplicant will
be authenticated individually.

Network access can be further defined using VLANs and Access Control Lists (ACLs).
VLANs and ACLs act as filters to separate and match groups of supplicants to the
areas of the LAN they require.

802.1X does not replace other security technologies. 802.1X works together with
port security features, such as DHCP snooping, Dynamic ARP Inspection (DAI), and
MAC limiting, to guard against DoS attacks and spoofing.

802.1X features on EX-series switches are:

Guest VLAN: Provides limited access to a LAN, typically just to the Internet, for
supplicants that fail 802.1X authentication.

Dynamic VLAN: Enables a supplicant, after authentication, to be a member of
a VLAN dynamically.

MAC-based Authentication: Provides MAC-based authentication as a bypass
mechanism to authenticate non-responsive hosts (such as printers) that are not
802.1X-enabled. MAC-based authentication connects the non-responsive hosts
to 802.1X-enabled ports, bypassing 802.1X authentication.

Dynamic changes to a user session: Lets the switch administrator terminate an
already authenticated session. This feature is based on support of the RADIUS
Disconnect Message defined in RFC 3576.

Support for VoIP: Supports IP telephones. If the phone is 802.1X-enabled, it is
authenticated like any other supplicant. When it is authenticated, the RADIUS
server returns the Voice VLAN ID and other parameters for managing VoIP traffic.
If the phone is not 802.1X-enabled, but has another 802.1X-compatible device
connected to its data port, that device is authenticated, and then VoIP traffic can
flow to and from the phone.
If the IP phone supports Link Layer Discovery Protocol (LLDP) or Link Layer
Discovery Protocol Media Endpoint Discovery (LLDP-MED), the RADIUS server
can send VoIP parameters to the IP telephone through these protocols. The VoIP
parameters ensure that voice traffic gets tagged and prioritized with the correct
values at the source itself. If the phone does not support LLDP or LLDP-MED,
then the packets will be put in the VoIP VLAN configured on the switch.

RADIUS Accounting: Sends accounting information to the RADIUS accounting
server. Accounting information is sent to the server whenever a subscriber logs
in or logs out and whenever a subscriber activates or deactivates a subscription.
This feature is based on RFC 2866, RADIUS Accounting.

Vendor Specific Attributes (VSAs): Supports a new set of filtering attributes that
are applied on the RADIUS authentication server. These filtering attributes further
define a supplicant's access during the 802.1X authentication process. Centrally
configuring VSAs on the authentication server does away with the need to
configure these same attributes in the form of firewall filters on every switch in
the LAN to which the supplicant may connect. This feature is based
on RLI 4583, AAA RADIUS BRAS VSA Support.

Related Topics

Understanding 802.1X Static MAC on EX-series Switches on page 650

Understanding 802.1X Authentication on EX-series Switches on page 641

Understanding 802.1X and VoIP on EX-series Switches on page 652

Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

Understanding 802.1X and AAA Accounting on EX-series Switches on page 647

Understanding Guest VLANs for 802.1X on EX-series Switches on page 646

Understanding 802.1X and VSAs on EX-series Switches on page 654

Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 670

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 685

Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 675

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch

Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 680

Understanding 802.1X Authentication on EX-series Switches


EX-series switches use 802.1X authentication to implement access control in an
enterprise network. Supplicants (hosts) are authenticated at the initial connection to
your LAN. By authenticating supplicants before they receive an IP address from a
DHCP server, unauthorized supplicants are prevented from gaining access to your
LAN.
The 802.1X standard is based on EAP (Extensible Authentication Protocol), a universal
authentication framework. EAP is not an authentication mechanism by itself. Instead,
EAP provides some common functions and a negotiation method to determine the
authentication mechanism (EAP method) used between the supplicant and the
authentication server. EAP methods include IETF standards and proprietary standards.
EAP methods supported on EX-series switches are:


EAP-MD5

EAP-TLS

EAP-TTLS

EAP-PEAP

A LAN network configured for 802.1X authentication contains three basic components:

Supplicant: The IEEE term for a host that requests to join the network. The host
can be responsive or nonresponsive. A responsive host is one on which 802.1X
is enabled and provides authentication credentials; specifically, a username and
password for EAP-MD5, or a username and client certificates for EAP-TLS,
EAP-TTLS, and EAP-PEAP. A nonresponsive host is one on which 802.1X is not
enabled, but can be authenticated using a MAC-based authentication method.

Authenticator Port Access Entity: The IEEE term for the authenticator. The
EX-series switch is the authenticator. It controls access by blocking all traffic
to and from supplicants until they are authenticated.

Authentication server: The authentication server contains the backend database
that makes authentication decisions. It contains credential information for each
supplicant that can connect to the network. The authenticator forwards credentials
supplied by the supplicant to the authentication server. If the credentials
forwarded by the authenticator match the credentials in the authentication server
database, access is granted. If the credentials forwarded do not match, access
is denied. The EX-series switches support RADIUS authentication servers.

Figure 28 on page 643 illustrates the basic deployment topology for 802.1X on an
EX-series switch:


Figure 28: Example 802.1X Topology


The communication protocol between the supplicant and the EX-series switch is
Extensible Authentication Protocol Over LAN (EAPOL). EAPOL is a version of EAP
designed to work with Ethernet networks. The communication protocol between the
authentication server and the switch is RADIUS.
The authentication process requires multiple message exchanges between the
supplicant and the authentication server. The switch that is in between the supplicant
and the authentication server is the authenticator. It acts as an intermediary,
converting EAPOL messages to RADIUS messages and vice versa.
Figure 29 on page 644 illustrates the authentication process:

Figure 29: Authentication Process

The basic authentication process works like this:


1. Authentication is initiated by the client or the switch. The client initiates
authentication by sending an EAPOL-start message, or the switch initiates
authentication when it receives the first data packet from the client.

2. When the switch port (authenticator) detects a new supplicant connecting to the
LAN network, the port on the authenticator is enabled and set to the initialized
state. In this state, only 802.1X traffic is allowed. Other traffic, such as DHCP
and HTTP, is blocked at the data link layer.

3. The authenticator sends a RADIUS access request message to the RADIUS server
to allow the supplicant access to the LAN.

4. The authentication server accepts or rejects the access request. If it accepts the
request, the authentication server sends a RADIUS access challenge. If the
challenge is met by the supplicant, the authenticator sets the port to the
authorized state and normal traffic is then accepted to pass through the port. If
the authentication server rejects the RADIUS access request, the authenticator
sets the port to the unauthorized state, blocking all traffic.

5. When the supplicant disconnects from the network, the supplicant sends an
EAP-logoff message to the authenticator. The authenticator then sets the port to
the unauthorized state, once again blocking all non-EAP traffic.

The 802.1X authentication feature on an EX-series switch is based upon the IEEE
802.1D standard Port-Based Network Access Control.

Related Topics

802.1X for EX-series Switches Overview on page 639

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 685

Configuring 802.1X Authentication (CLI Procedure) on page 756

Understanding Dynamic VLANs for 802.1X on EX-series Switches


Dynamic VLANs, in conjunction with the 802.1X authentication process, provide
secure access to the LAN for supplicants belonging to different VLANs on a single
port.
When this feature is configured, a supplicant becomes a member of a VLAN
dynamically after 802.1X authentication is successful. Successful authentication
requires that the VLAN ID or VLAN name exist on the switch and match the VLAN
ID or VLAN name sent by the RADIUS server during authentication.
If the VLAN does not exist, the supplicant is unauthenticated. If a guest VLAN is
established, the unauthenticated supplicant is automatically moved to the guest
VLAN.
Related Topics

Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 675

Understanding Guest VLANs for 802.1X on EX-series Switches on page 646


Understanding Guest VLANs for 802.1X on EX-series Switches


Guest VLANs, in conjunction with 802.1X authentication, provide secure access to
the LAN for corporate guests and for supplicants who fail the 802.1X authentication
process.
When a corporate visitor attempts to authenticate on the LAN, and authentication
fails, the visitor is moved to a guest VLAN. A guest VLAN typically provides access
only to the Internet.
A guest VLAN can also provide limited access to the LAN in cases when authentication
fails for supplicants that are not visitors. When authentication fails, the switch receives
an Access-Reject message for the client and checks whether a guest VLAN is configured on
that port. If so, it moves that user alone to the guest VLAN. If the Access-Reject
message contains optional VLAN information, the user is moved to the VLAN
specified by the RADIUS server and not to the locally configured guest VLAN.
Authentication can fail for many reasons:

The supplicant machine does not have supplicant software on it (for example,
the supplicant is a non-responsive host, such as a printer).

The supplicant provided invalid credentials: a username or password that was
not authenticated by the authentication server.

For non-responsive hosts, the guest VLAN could allow limited access to a server from
which the non-responsive host can download the supplicant software and attempt
authentication again.
Related Topics

Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 675

Understanding Dynamic VLANs for 802.1X on EX-series Switches on page 645

Chapter 43: Understanding 802.1X, Port Security, and VoIP

Understanding 802.1X and AAA Accounting on EX-series Switches


EX-series switches support IETF RFC 2866, RADIUS Accounting. Configuring RADIUS
accounting on an EX-series switch permits statistical data about users logging onto
or off a LAN to be collected and sent to a RADIUS accounting server. The statistical
data gathered can be used for general network monitoring, to analyze and track
usage patterns, or to bill a user based upon the amount of time or type of services
accessed.
To configure RADIUS accounting, specify one or more RADIUS accounting servers
to receive the statistical data from the switch, and select the type of accounting data
to be collected.
The RADIUS accounting server you specify can be the same server used for RADIUS
authentication, or it can be a separate RADIUS server. You can specify a list of RADIUS
accounting servers. In the event that the primary server (the first one configured) is
unavailable, each RADIUS server in the list is tried in the order in which they are
configured in the JUNOS software.
The RADIUS accounting process between a switch and a RADIUS server works like
this:
1. A RADIUS accounting server listens for User Datagram Protocol (UDP) packets
on a specific port. For example, on FreeRADIUS, the default port is 1813.

2. The switch forwards an accounting-request packet containing an event record
to the accounting server. For example, a supplicant is authenticated through
802.1X authentication and connected to the LAN. The event record associated
with this supplicant contains an Acct-Status-Type attribute whose value indicates
the beginning of user service for this supplicant. When the supplicant's session
ends, the accounting request will contain an Acct-Status-Type attribute value
indicating the end of user service. The RADIUS accounting server records this
as a stop-accounting record containing session information and the length of the
session.

3. The RADIUS accounting server logs these events as start-accounting or
stop-accounting records. The records are in a file. On FreeRADIUS, the file name
is the server's address; for example, 122.69.1.250.

4. The accounting server sends an accounting-response packet back to the switch
confirming it has received the accounting request.

5. If the switch does not receive a response from the server, it continues to send
accounting requests until an accounting response is returned from the accounting
server.

The statistics collected through this process can be displayed from the RADIUS server;
to see those statistics, the user accesses the log file configured to receive them.
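The exchange in steps 2 through 5, as an added example that is not part of this guide or of the JUNOS software: it builds an RFC 2866 Accounting-Request carrying an Acct-Status-Type of Start or Stop, derives the Request Authenticator, and checks the Accounting-Response authenticator the way a switch must before it stops retransmitting. The shared secret, username, addresses and session values are constructed for the example.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4        # RADIUS code values (RFC 2866)
ACCOUNTING_RESPONSE = 5

# Attribute types used in accounting records (RFC 2865 / RFC 2866)
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_SESSION_TIME = 46

ACCT_START = 1                # Acct-Status-Type: beginning / end of user service
ACCT_STOP = 2


def _attr(attr_type, value):
    """Encode one attribute as Type, Length, Value; ints are 32-bit big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier, secret, attributes):
    """Accounting-Request as the switch (NAS) sends it in step 2.

    RFC 2866 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret).
    """
    body = b"".join(_attr(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def make_accounting_response(request, secret):
    """Accounting-Response as the server sends it in step 4 (no attributes).

    Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret).
    """
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_accounting_response(response, request, secret):
    """Switch-side check before a pending request counts as acknowledged.

    A response that fails this check is treated as never received, so the
    switch keeps retransmitting the request (step 5).
    """
    if len(response) < 20 or len(response) > 4096:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or identifier != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet):
    """Return (type, raw value) pairs; reject attributes that overrun the packet."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def acct_status_type(packet):
    """Start (1) or Stop (2) for the record, or None if the attribute is absent."""
    for attr_type, value in parse_attributes(packet):
        if attr_type == ACCT_STATUS_TYPE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


def session_records(secret):
    """Constructed start and stop records for one 802.1X supplicant session."""
    common = [(USER_NAME, "supplicant1"),
              (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),        # switch address (constructed)
              (CALLING_STATION_ID, "00-05-85-3A-82-77"),        # supplicant MAC (constructed)
              (ACCT_SESSION_ID, "8021x-0001")]
    start = build_accounting_request(1, secret, [(ACCT_STATUS_TYPE, ACCT_START)] + common)
    stop = build_accounting_request(2, secret,
                                    [(ACCT_STATUS_TYPE, ACCT_STOP),
                                     (ACCT_SESSION_TIME, 3600)] + common)
    return start, stop
```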
Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 670

802.1X for EX-series Switches Overview on page 639

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761


Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches


EX-series switches use Link Layer Discovery Protocol (LLDP) and Link Layer Discovery
Protocol Media Endpoint Discovery (LLDP-MED) to learn and distribute device
information on network links. The information allows the switch to quickly identify
a variety of devices, resulting in a LAN that interoperates smoothly and efficiently.
LLDP-capable devices transmit information in Type Length Value (TLV) messages to
neighbor devices. Device information can include specifics, such as chassis and port
identification and system name and system capabilities. The TLVs leverage this
information from parameters that have already been configured in the JUNOS
software.
LLDP-MED goes one step further, exchanging IP-telephony messages between the
switch and the IP telephone. These TLV messages provide detailed information on
PoE policy. The PoE Management TLVs let the switch ports advertise the power level
and power priority needed. For example, the switch can compare the power needed
by an IP telephone running on a PoE interface with available resources. If the switch
cannot meet the resources required by the IP telephone, the switch could negotiate
with the telephone until a compromise on power is reached.
The switch also uses these protocols to ensure that voice traffic gets tagged and
prioritized with the correct values at the source itself. For example, 802.1p CoS and
802.1Q tag information can be sent to the IP telephone.
EX-series switches support the following basic TLVs:

Chassis Identifier: The MAC address associated with the local system.

Port Identifier: The port identification for the specified port in the local system.

Port Description: The user-configured port description. The port description
can be a maximum of 256 characters.

System Name: The user-configured name of the local system. The system name
can be a maximum of 256 characters.

System Description: The system description containing information about the
software and current image running on the system. This information is not
configurable, but taken from the software.

System Capabilities: The primary function performed by the system. The
capabilities that the system supports are defined; for example, bridge or router. This
information is not configurable, but based on the model of the product.

Management Address: The IPv4 management address of the local system.

EX-series switches support the following 802.3 TLVs:

Power via MDI: A TLV that advertises MDI power support, PSE power pair, and
power class information.

MAC/PHY Configuration Status: A TLV that advertises information about the
physical interface, such as autonegotiation status and support and MAU type.
The information is not configurable, but based on the physical interface structure.

Link Aggregation: A TLV that advertises whether the port is aggregated and its
aggregated port ID.

Maximum Frame Size: A TLV that advertises the Maximum Transmission Unit
(MTU) of the interface sending LLDP frames.

Port VLAN: A TLV that advertises the VLAN name configured on the interface.

NOTE: If the IP address isn't configured on the Avaya IP phone, the phone sends an
ARP request to the DHCP server and references the VLAN ID for the VLAN on which
it is a member. If the VLAN ID is incorrect, the IP phone's request for an IP address
is denied. To bypass this issue, configure the voip statement on the interface. With
the interface designated as a VoIP interface, the switch can forward the VLAN name
and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses the
voice VLAN (that is, it references the voice VLAN's ID) to make an ARP request and
receive an IP address.

EX-series switches support the following LLDP-MED TLVs:

LLDP-MED Capabilities: A TLV that advertises the primary function of the port.
The capabilities values range from 0 through 15:

0 Capabilities
1 Network Policy
2 Location Identification
3 Extended Power via MDI-PSE
4 Inventory
5-15 Reserved

LLDP-MED device class values:

0 Class not defined
1 Class 1 Device
2 Class 2 Device
3 Class 3 Device
4 Network Connectivity Device
5-255 Reserved

Network Policy: A TLV that advertises the port VLAN configuration and associated
Layer 2 and Layer 3 attributes. Attributes include the policy identifier, application
types, such as voice or streaming video, 802.1Q VLAN tagging, and 802.1p
priority bits and Diffserv code points.

Endpoint Location: A TLV that advertises the physical location of the endpoint.

Extended Power via MDI: A TLV that advertises the power type, power source,
power priority, and power value of the port. It is the responsibility of the PSE
device (network connectivity device) to advertise the power priority on a port.
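An added example, not code from this guide or from the JUNOS software: a parser for the basic TLVs listed above and for the LLDP-MED Capabilities TLV (the 0 through 4 capability bits and the device class values), applied to an LLDPDU constructed here for an IP phone. The OUI 00-12-BB is the organizationally specific identifier that LLDP-MED TLVs carry; the MAC address, system name and port ID in the sample are made up.

```python
import struct

# Basic TLV types (IEEE 802.1AB); type 127 carries organizationally specific TLVs
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESCRIPTION, TLV_SYSTEM_NAME, TLV_SYSTEM_DESCRIPTION = 4, 5, 6
TLV_SYSTEM_CAPABILITIES, TLV_MANAGEMENT_ADDRESS, TLV_ORG_SPECIFIC = 7, 8, 127

TIA_OUI = bytes.fromhex("0012bb")     # OUI that identifies LLDP-MED TLVs
MED_CAPABILITIES_SUBTYPE = 1

SYSTEM_CAPABILITY_BITS = {0: "Other", 1: "Repeater", 2: "Bridge", 3: "WLAN Access Point",
                          4: "Router", 5: "Telephone", 6: "DOCSIS Cable Device", 7: "Station Only"}
# LLDP-MED capability bit positions (values 0-4 in the list above; 5-15 reserved)
MED_CAPABILITY_BITS = {0: "Capabilities", 1: "Network Policy", 2: "Location Identification",
                       3: "Extended Power via MDI-PSE", 4: "Inventory"}
# LLDP-MED device class values (5-255 reserved)
MED_DEVICE_CLASSES = {0: "Class not defined", 1: "Class 1 Device", 2: "Class 2 Device",
                      3: "Class 3 Device", 4: "Network Connectivity Device"}


def iter_tlvs(payload):
    """Yield (type, value) pairs; each TLV header is a 7-bit type and a 9-bit length."""
    pos = 0
    while pos + 2 <= len(payload):
        header = struct.unpack("!H", payload[pos:pos + 2])[0]
        tlv_type, tlv_len = header >> 9, header & 0x1FF
        pos += 2
        if pos + tlv_len > len(payload):
            raise ValueError("TLV length %d overruns the frame" % tlv_len)
        yield tlv_type, payload[pos:pos + tlv_len]
        pos += tlv_len
        if tlv_type == TLV_END:
            return


def is_well_formed(payload):
    """True when every TLV fits in the frame and an End of LLDPDU TLV is present."""
    try:
        return any(t == TLV_END for t, _ in iter_tlvs(payload))
    except ValueError:
        return False


def bit_names(mask, names):
    return [name for bit, name in names.items() if mask & (1 << bit)]


def decode_med_capabilities(value):
    """LLDP-MED Capabilities body: 2-byte capability bitmask + 1-byte device type."""
    bitmask, device_type = struct.unpack("!HB", value[:3])
    return {"capabilities": bit_names(bitmask, MED_CAPABILITY_BITS),
            "reserved_bits_set": bool(bitmask & ~0x1F),
            "device_class": MED_DEVICE_CLASSES.get(device_type, "Reserved")}


def parse_lldpdu(payload):
    """Extract the fields the switch learns about a neighbor from one LLDPDU."""
    info = {}
    for tlv_type, value in iter_tlvs(payload):
        if tlv_type == TLV_CHASSIS_ID and value and value[0] == 4:   # subtype 4 = MAC address
            info["chassis_id"] = value[1:].hex(":")
        elif tlv_type == TLV_PORT_ID and value:                      # subtype byte, then the ID
            info["port_id"] = value[1:].decode("utf-8", errors="replace")
        elif tlv_type == TLV_TTL and len(value) == 2:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_SYSTEM_NAME:
            info["system_name"] = value.decode("utf-8", errors="replace")
        elif tlv_type == TLV_SYSTEM_CAPABILITIES and len(value) == 4:
            supported, enabled = struct.unpack("!HH", value)
            info["capabilities_enabled"] = bit_names(enabled, SYSTEM_CAPABILITY_BITS)
        elif (tlv_type == TLV_ORG_SPECIFIC and value[:3] == TIA_OUI
              and len(value) >= 7 and value[3] == MED_CAPABILITIES_SUBTYPE):
            info["med"] = decode_med_capabilities(value[4:])
    return info


def tlv(tlv_type, value):
    """Build one TLV; used here only to construct the sample frame."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed LLDPDU from an IP phone (MAC address and name are made up)
SAMPLE_LLDPDU = b"".join([
    tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("0005853a8277")),
    tlv(TLV_PORT_ID, b"\x07" + b"1"),                                  # subtype 7 = locally assigned
    tlv(TLV_TTL, struct.pack("!H", 120)),
    tlv(TLV_SYSTEM_NAME, b"phone-1"),
    tlv(TLV_SYSTEM_CAPABILITIES, struct.pack("!HH", 0x0024, 0x0020)),  # bridge+telephone / telephone
    tlv(TLV_ORG_SPECIFIC, TIA_OUI + bytes([MED_CAPABILITIES_SUBTYPE]) + struct.pack("!HB", 0x000B, 3)),
    tlv(TLV_END, b""),
])
```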
Related Topics

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch

Configuring LLDP-MED (CLI Procedure) on page 766

Configuring LLDP (CLI Procedure) on page 764

Understanding 802.1X Static MAC on EX-series Switches


Enterprise LANs support many different types of devices. Along with 802.1X-enabled
devices, non-802.1X-enabled devices, such as building access control readers, printers,
and HVAC systems, must have reliable access to the LAN. These non-802.1X-enabled
endpoints are known as non-responsive hosts.
To allow non-responsive hosts access to the LAN, use static MAC as a bypass
mechanism for 802.1X authentication. When you configure static MAC, the MAC
address of the host is first checked in a local database (a user-configured static list
of MAC addresses). If a match is found, the host is assumed to be successfully
authenticated and the interface is opened up for it. No further authentication is done
for that host.
The VLAN that the host should be moved to or the interfaces on which the host
connects may also be configured.
The following diagram shows the authentication process for non-responsive hosts.

Figure 30: Process Flowchart for Non-Responsive Host Requests

Related Topics

Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 680

802.1X for EX-series Switches Overview on page 639


Understanding 802.1X and VoIP on EX-series Switches


When you use Voice over IP (VoIP), you can connect IP telephones to the switch and
configure IEEE 802.1X authentication for 802.1X-compatible IP telephones. The
802.1X authentication provides network edge security, protecting Ethernet LANs
from denial-of-service (DoS) attacks and preventing unauthorized user access.
VoIP is a protocol used for the transmission of voice through packet-switched
networks. VoIP transmits voice calls using a network connection instead of an analog
phone line.
When VoIP is used with 802.1X, the RADIUS server authenticates the phone, and
Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) provides the
class-of-service (CoS) parameters to the phone.
You can configure 802.1X authentication to work with VoIP in multiple supplicant
or single supplicant mode. In multiple-supplicant mode, the 802.1X process allows
multiple supplicants to connect to the interface. Each supplicant will be authenticated
individually. For an example of a VoIP multiple supplicant topology, see
Figure 31 on page 652.
Figure 31: VoIP Multiple Supplicant Topology

If an 802.1X-compatible IP telephone does not have an 802.1X host but has another
802.1X-compatible device connected to its data port, you can connect the phone to
an interface in single-supplicant mode. In single-supplicant mode, the 802.1X process
authenticates only the first supplicant. All other supplicants who connect later to the
interface are allowed full access without any further authentication. They effectively
piggyback on the first supplicant's authentication. For an example of a VoIP single
supplicant topology, see Figure 32 on page 653.

Figure 32: VoIP Single Supplicant Topology

If an IP telephone does not support 802.1X, you can configure VoIP to bypass 802.1X
and LLDP-MED and have the packets forwarded to a VoIP VLAN.
Related Topics

Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch

Example: Configuring VoIP on an EX-series Switch Without Including 802.1X Authentication on page 698

Example: Configuring VoIP on an EX-series Switch Without Including LLDP-MED Support on page 704


Understanding 802.1X and VSAs on EX-series Switches


EX-series switches support the configuration of RADIUS attributes specific to Juniper
Networks. These attributes are known as vendor-specific attributes (VSAs) and are
described in RFC 2138, Remote Authentication Dial In User Service (RADIUS). Through
VSAs, you can configure port filtering attributes on the RADIUS server. VSAs are clear
text fields sent from the RADIUS server to the switch as a result of the 802.1X
authentication success or failure. The 802.1X authentication prevents unauthorized
user access by blocking a supplicant at the port until the supplicant is authenticated
by the RADIUS server. The VSA attributes are interpreted by the switch during
authentication, and the switch takes appropriate actions. Implementing port-filtering
attributes with 802.1X authentication on the RADIUS server provides a central location
that controls LAN access for supplicants.
These attributes specific to Juniper Networks are encapsulated in a RADIUS
vendor-specific attribute with the vendor ID set to the Juniper Networks ID number,
2636.
As well as configuring port filtering attributes through VSAs, you can use the RADIUS
server to apply a port firewall filter that has already been configured on the
switch. Like port filtering attributes, the filter is applied during the 802.1X
authentication process, and its actions are applied at the switch port. Adding a port
firewall filter to a RADIUS server eliminates the need to add it to multiple ports and
switches.
VSAs are supported only for 802.1X single-supplicant configurations, not for
multiple-supplicant configurations.
Related Topics

Understanding 802.1X Authentication on EX-series Switches on page 641

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 685

Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on page 762

Configuring Firewall Filters (CLI Procedure) on page 945

Port Security for EX-series Switches Overview


Ethernet LANs are vulnerable to attacks such as address spoofing and Layer 2 denial
of service (DoS) on network devices. Port security features help protect the access
ports on your switch against the losses of information and productivity that can result
from such attacks.
JUNOS software on EX-series switches provides features to help secure ports on the
switch. The ports can be categorized as either trusted or untrusted. You apply policies
appropriate to those categories to protect against various types of attacks.
Port security features can be turned on to obtain the most robust port security level.
Basic port security features are enabled in the switch's default configuration. You
can configure additional features with minimal configuration steps.

Port security features on EX-series switches are:

DHCP snooping: Filters and blocks ingress DHCP server messages on untrusted
ports; builds and maintains an IP-address/MAC-address binding database (called
the DHCP snooping database). You enable this feature on VLANs.

Dynamic ARP inspection (DAI): Prevents ARP spoofing attacks. ARP requests
and replies are compared against entries in the DHCP snooping database, and
filtering decisions are made based on the results of those comparisons. You
enable this feature on VLANs.

MAC limiting: Protects against flooding of the Ethernet switching table (also
known as the MAC forwarding table or Layer 2 forwarding table). You enable
this feature on interfaces (ports).

MAC move limiting: Detects MAC movement and MAC spoofing on access ports.
Prevents hosts whose MAC addresses have not been learned by the switch from
accessing the network. You enable this feature on VLANs.

Trusted DHCP server: With a DHCP server on a trusted port, protects against
rogue DHCP servers sending leases. You enable this feature on interfaces (ports).
By default, access ports are untrusted and trunk ports are trusted. (Access ports
are the switch ports that connect to Ethernet endpoints such as user PCs and
laptops, servers, and printers. Trunk ports are the switch ports that connect to
other Ethernet switches or to routers.)

IP source guard: Mitigates the effects of IP address spoofing attacks on the
Ethernet LAN. You enable this feature on VLANs. With IP source guard enabled,
the source IP address in the packet sent from an untrusted access interface is
validated against the source MAC address in the DHCP snooping database. The
packet is allowed for further processing if the source IP address to source MAC
address binding is valid; if the binding is not valid, the packet is discarded.

Related Topics

Security Features for EX-series Switches Overview on page 11

Understanding DHCP Snooping for Port Security on EX-series Switches on page 658

Understanding DAI for Port Security on EX-series Switches on page 662

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches on page 664

Understanding IP Source Guard for Port Security on EX-series Switches on page 666

Understanding How to Protect Access Ports on EX-series Switches from Common Attacks on page 656

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708

Configuring Port Security (CLI Procedure) on page 768

Configuring Port Security (J-Web Procedure) on page 769


Understanding How to Protect Access Ports on EX-series Switches from Common Attacks

Port security features can protect the EX-series switch against various types of attacks.
Protection methods against some common attacks are:

Mitigation of Ethernet Switching Table Overflow Attacks on page 656

Mitigation of Rogue DHCP Server Attacks on page 656

Protection Against ARP Spoofing Attacks on page 656

Protection Against DHCP Snooping Database Alteration Attacks on page 657

Protection Against DHCP Starvation Attacks on page 657

Mitigation of Ethernet Switching Table Overflow Attacks


In an overflow attack on the Ethernet switching table, an intruder sends so many
requests from new MAC addresses that the table cannot learn all the addresses. When
the switch can no longer use information in the table to forward traffic, it is forced
to broadcast messages. Traffic flow on the switch is disrupted, and packets are sent
to all hosts on the network. In addition to overloading the network with traffic, the
attacker might also be able to sniff that broadcast traffic.
To mitigate such attacks, configure both a MAC limit for learned MAC addresses and
some specific allowed MAC addresses. Use the MAC limit feature to control the total
number of MAC addresses that can be added to the Ethernet switching table for the
specified interface or interfaces. By setting the MAC addresses that are explicitly
allowed, you ensure that the addresses of network devices whose network access is
critical are guaranteed to be included in the Ethernet switching table. See Example:
Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect
the Switch from Ethernet Switching Table Overflow Attacks on page 714.

Mitigation of Rogue DHCP Server Attacks


If an attacker sets up a rogue DHCP server to impersonate a legitimate DHCP server
on the LAN, the rogue server can start issuing leases to the network's DHCP clients.
The information provided to the clients by this rogue server can disrupt their network
access, causing DoS. The rogue server might also assign itself as the default gateway
device for the network. The attacker can then sniff the network traffic and perpetrate
a man-in-the-middle attack, that is, misdirect traffic intended for a legitimate
network device to a device of its choice.
To mitigate a rogue DHCP server attack, set the interface to which that rogue server
is connected as untrusted. That action will block all ingress DHCP server messages
from that interface. See Example: Configuring a DHCP Server Interface as Untrusted
to Protect the Switch from Rogue DHCP Server Attacks on page 718.

Protection Against ARP Spoofing Attacks


In ARP spoofing, an attacker sends faked ARP messages on the network. The attacker
associates its own MAC address with the IP address of a network device connected
to the switch. Any traffic sent to that IP address is instead sent to the attacker. Now
the attacker can create various types of mischief, including sniffing the packets that
were meant for another host and perpetrating man-in-the-middle attacks. (In a
man-in-the-middle attack, the attacker intercepts messages between two hosts, reads
them, and perhaps alters them, all without the original hosts knowing that their
communications have been compromised.)
To protect against ARP spoofing on your switch, enable both DHCP snooping and
dynamic ARP inspection (DAI). DHCP snooping builds and maintains the DHCP
snooping table. That table contains the MAC addresses, IP addresses, lease times,
binding types, VLAN information, and interface information for the untrusted
interfaces on the switch. DAI uses the information in the DHCP snooping table to
validate ARP packets. Invalid ARP packets are blocked.
See Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725.

Protection Against DHCP Snooping Database Alteration Attacks


In an attack designed to alter the DHCP snooping database, an intruder introduces
a DHCP client on one of the switch's untrusted access interfaces that has a MAC
address identical to that of a client on another untrusted port. The intruder acquires
the DHCP lease, which results in changes to the entries in the DHCP snooping table.
Subsequently, what would have been valid ARP requests from the legitimate client
are blocked.
To protect against this type of alteration of the DHCP snooping database, configure
MAC addresses that are explicitly allowed on the interface. See Example: Configuring
Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database
Alteration Attacks on page 729.

Protection Against DHCP Starvation Attacks


In a DHCP starvation attack, an attacker floods an Ethernet LAN with DHCP requests
from spoofed (counterfeit) MAC addresses so that the switch's trusted DHCP servers
cannot keep up with requests from legitimate DHCP clients on the switch. The address
space of those servers is completely used up, so they can no longer assign IP addresses
and lease times to clients. DHCP requests from those clients are either dropped, the
result being a denial of service (DoS), or directed to a rogue DHCP server set up
by the attacker to impersonate a legitimate DHCP server on the LAN.
To protect the switch from DHCP starvation attacks, use the MAC limiting feature.
Specify the maximum number of MAC addresses that the switch can learn on the
access interfaces to which those clients connect. The switch's DHCP server or servers
will then be able to supply the specified number of IP addresses and leases to those
clients and no more. If a DHCP starvation attack occurs after the maximum number
of IP addresses has been assigned, the attack will fail. See Example: Configuring
MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 721.
Related Topics

Understanding DHCP Snooping for Port Security on EX-series Switches on page 658

Understanding DAI for Port Security on EX-series Switches on page 662

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series Switches on page 664

Understanding Trusted DHCP Servers for Port Security on EX-series Switches on page 666

Configuring Port Security (CLI Procedure) on page 768

Configuring Port Security (J-Web Procedure) on page 769

Understanding DHCP Snooping for Port Security on EX-series Switches


DHCP snooping allows the switch to monitor and control DHCP messages received
from untrusted devices connected to the switch. When DHCP snooping is enabled,
the system builds and maintains a database of valid IP-address/MAC-address (IP-MAC)
bindings called the DHCP snooping database.

DHCP Snooping Basics on page 658

DHCP Snooping Process on page 659

DHCP Server Access on page 660

DHCP Snooping Table on page 660

Static IP Address Additions to the DHCP Snooping Database on page 661

DHCP Snooping Basics


Dynamic Host Configuration Protocol (DHCP) allocates IP addresses dynamically,
leasing addresses to devices so that the addresses can be reused when no longer
needed. Hosts and end devices that require IP addresses obtained through DHCP
must communicate with a DHCP server across the LAN. JUNOS for EX-series software
provides the option to apply all access-port security features by VLAN or by port
(interface).
DHCP snooping acts as a guardian of network security by keeping track of valid IP
addresses assigned to downstream network devices by a trusted DHCP server (the
server is connected to a trusted network port).
DHCP snooping reads the lease information from the switch (which is a DHCP client)
and from this information creates the DHCP snooping database. This database is a
mapping between IP address and VLAN-MAC pair. For each VLAN-MAC address pair,
the database stores the corresponding IP address.
When a DHCP client releases an IP address (sends a DHCPRELEASE message), the
associated mapping entry is deleted from the database.
You can configure the switch to snoop DHCP server responses only from particular
VLANs. Doing this prevents spoofing of DHCP server messages.
By default, all trunk ports on the switch are trusted and all access ports are untrusted
for DHCP snooping. You can modify these defaults on each of the switch's interfaces.

You configure DHCP snooping for each VLAN, not for each interface (port). By default,
DHCP snooping is disabled for all VLANs.
If you move a network device from one VLAN to another, typically the device has to
acquire a new IP address, so its entry in the database, including the VLAN ID, is
updated.
The Ethernet switching process, ESWD, maintains the timeout (lease time) value for
each IP-MAC binding in its database. The lease time is assigned by the DHCP server.
The software reads the DHCP messages to obtain the lease time and deletes the
associated entry from the database when the lease time expires.
If the switch is rebooted, DHCP bindings are lost. The DHCP clients (the network
devices, or hosts) must reacquire the bindings.

DHCP Snooping Process


The basic process of DHCP snooping is shown in Figure 33 on page 659.
Figure 33: DHCP Snooping

For general information about the messages that the DHCP client and DHCP server
exchange during the assignment of an IP address for the client, see the JUNOS Software
System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos92/index.html.

DHCP Server Access


The DHCP server can be connected to the switch in one of two ways:

The server is directly connected to the same switch as the one connected to the
DHCP clients (the hosts, or network devices, that are requesting IP addresses
from the server). You must configure the port that connects the server to the
switch as a trusted port.

The server is directly connected to a switch that is itself directly connected
through a trunk port to the switch that the DHCP clients are connected to. The
trunk port is configured by default as a trusted port. The switch that the DHCP
server is connected to is not configured for DHCP snooping.

In both scenarios, the server and clients are members of the same VLAN.
Figure 34 on page 660 shows the DHCP server connected directly to the switch.
Figure 34: DHCP Server Connected to Switch

DHCP Snooping Table


The software creates a DHCP snooping information table that displays the content
of the DHCP snooping database. The table shows current MAC address-IP address
bindings, as well as lease time, type of binding, names of associated VLANs, and
associated interface. To view the table, type show dhcp snooping binding at the
operational mode prompt:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN      Interface
00:05:85:3A:82:77   192.0.2.17   600              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19   720              dynamic  employee  ge-0/0/2.0

NOTE: If DHCP leases are sent from a DHCP server that is local (on the switch itself)
or on a VLAN other than the one the DHCP client is on, those entries in the DHCP
snooping table will be incorrect. They might display the interface as unknown (shown
as unknown in the Interface column) or show the lease as unknown or unleased
(both are represented by a dash, -, in the Lease column).

Static IP Address Additions to the DHCP Snooping Database


You can add specific static IP addresses to the database as well as have the addresses
dynamically assigned through DHCP snooping. To add static IP addresses, you supply
the IP address, the MAC address of the device, the interface on which the device is
connected, and the VLAN with which the interface is associated. No lease time is
assigned to the entry. The statically configured entry never expires.
Related Topics

Port Security for EX-series Switches Overview on page 654

Understanding Trusted DHCP Servers for Port Security on EX-series
Switches on page 666

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series
Switch with Access to a DHCP Server Through a Second Switch on page 732

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725

Enabling DHCP Snooping (CLI Procedure) on page 771

Enabling DHCP Snooping (J-Web Procedure) on page 772

Understanding DAI for Port Security on EX-series Switches


Dynamic ARP inspection (DAI) protects EX-series switches against ARP spoofing.
DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping
database on the switch to validate ARP packets and to protect against ARP cache
poisoning. ARP requests and replies are compared against entries in the DHCP
snooping database, and filtering decisions are made based on the results of those
comparisons. When an attacker tries to use a forged ARP packet to spoof an address,
the switch compares the address to entries in the database. If the MAC address or
IP address in an ARP packet does not match a valid entry in the DHCP snooping
database, the packet is dropped.
ARP packets are trapped to the Routing Engine and are rate-limited to protect the
switch from CPU overload.

Address Resolution Protocol on page 662

ARP Spoofing on page 662

DAI on EX-series Switches on page 663

Address Resolution Protocol


Sending IP packets on a multiaccess network requires mapping an IP address to an
Ethernet media access control (MAC) address.
Ethernet LANs use Address Resolution Protocol (ARP) to map IP addresses to MAC
addresses.
The switch maintains this mapping in a cache that it consults when forwarding
packets to network devices. If the ARP cache does not contain an entry for the
destination device, the host (the DHCP client) broadcasts an ARP request for that
device's address and stores the response in the cache.

ARP Spoofing
ARP spoofing (also known as ARP poisoning or ARP cache poisoning) is one way to
initiate man-in-the-middle attacks. The attacker sends an ARP packet that spoofs the
MAC address of another device on the LAN. Instead of the switch sending traffic to
the proper network device, it sends it to the device with the spoofed address that is
impersonating the proper device. If the impersonating device is the attacker's
machine, the attacker receives all the traffic from the switch that should have gone
to another device. The result is that traffic from the switch is misdirected and cannot
reach its proper destination.
One vector for ARP spoofing is gratuitous ARP, an ARP packet that a network device
sends for its own IP address without having been asked. In normal LAN operation,
gratuitous ARP is used to detect whether another device already claims the same IP
address (a duplicate-address check). Gratuitous ARP messages are also broadcast when
a network interface card (NIC) in a device is changed and the device is rebooted, so
that other devices on the LAN update their ARP caches. Because receivers update their
caches without having sent a request, an attacker can poison the ARP cache of a
network device by sending an ARP response to the device that directs all packets
destined for a certain IP address to go to a different MAC address instead.

To prevent MAC spoofing through gratuitous ARP and through other types of spoofing,
EX-series switches examine ARP responses through DAI.

DAI on EX-series Switches


DAI examines ARP requests and responses on the LAN and validates ARP packets.
The switch intercepts ARP packets from an access port and validates them against
the DHCP snooping database. If no IP-MAC entry in the database corresponds to the
information in the ARP packet, DAI drops the ARP packet and the local ARP cache
is not updated with the information in that packet. DAI also drops ARP packets when
the IP address in the packet is invalid.
JUNOS for EX-series software uses DAI for ARP packets received on access ports
because these ports are untrusted by default. Trunk ports are trusted by default, so
ARP packets bypass DAI on them.
You configure DAI for each VLAN, not for each interface (port). By default, DAI is
disabled for all VLANs. You can set an interface to be trusted for ARP packets by
setting dhcp-trusted on that port.
For packets directed to the switch to which a network device is connected, ARP
queries are broadcast on the VLAN. The ARP responses to those queries are subjected
to the DAI check.
For DAI, all ARP packets are trapped to the Routing Engine. To prevent CPU
overloading, ARP packets destined for the Routing Engine are rate-limited.
If the DHCP server goes down and the lease time for an IP-MAC entry runs out before
the client can renew it, the entry is removed from the DHCP snooping database. ARP
packets from that host, which were valid while the lease existed, are then dropped until
a new lease is snooped or a static entry is added for the host.
Related Topics

Port Security for EX-series Switches Overview on page 654

Understanding DHCP Snooping for Port Security on EX-series Switches on page 658

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series
Switch with Access to a DHCP Server Through a Second Switch on page 732

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725

Enabling Dynamic ARP Inspection (CLI Procedure) on page 774

Enabling Dynamic ARP Inspection (J-Web Procedure) on page 775

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series
Switches
MAC limiting protects against flooding of the Ethernet switching table (also known
as the MAC forwarding table or Layer 2 forwarding table). You enable this feature
on interfaces (ports). MAC move limiting detects MAC movement and MAC spoofing
on access interfaces. It prevents hosts whose MAC addresses have not been learned
by the switch from accessing the network. You enable this feature on VLANs.

MAC Limiting on page 664

MAC Move Limiting on page 664

Actions for MAC Limiting and MAC Move Limiting on page 665

MAC Addresses That Exceed the MAC Limit or MAC Move Limit on page 665

MAC Limiting
MAC limiting sets a limit on the number of MAC addresses that can be learned on a
single Layer 2 access interface. JUNOS software provides two MAC limiting methods:

Maximum number of MAC addresses: You configure the maximum number of
dynamic MAC addresses allowed per interface. As soon as the limit is reached,
incoming packets with new MAC addresses are dropped. The MAC limit value
in the EX-series switch default configuration is five MAC addresses.

Allowed MAC: You configure specific allowed MAC addresses for the access
interface. Any MAC address that is not in the list of configured addresses is not
learned. Allowed MAC binds MAC addresses to a VLAN so that the address does
not get registered outside the VLAN. If an allowed MAC setting conflicts with a
dynamic MAC setting, the allowed MAC setting takes precedence.

MAC Move Limiting


MAC move limiting prevents hosts whose MAC addresses have not been learned by
the switch from accessing the network. Initial learning results when the host sends
DHCP requests. If a new MAC address is detected on an interface, the packet is
trapped to the switch. In general, when a host moves from one interface to another,
the host has to renegotiate its IP address and lease (or be reauthenticated if 802.1X
is configured on the switch). The DHCP request sent by the host can be one for a
new IP address or one to validate the old IP address. If 802.1X is not configured, the
Ethernet switching table entry is flushed from the original interface and added to the
new interface. These MAC movements are tracked, and if more than the configured
number of moves happens within one second, the configured action is performed.

Actions for MAC Limiting and MAC Move Limiting


You can choose to have one of the following actions performed when the limit of
MAC addresses or the limit of MAC moves is reached:

drop: Drop the packet and generate an alarm, an SNMP trap, or a system log
entry.

log: Do not drop the packet but generate an alarm, an SNMP trap, or a system
log entry.

none: Take no action.

shutdown: Block data traffic on the interface and generate an alarm.

If you do not set an action, then the action is none. You can also explicitly set none
as the action.
See results of these various action settings in Verifying That MAC Limiting Is Working
Correctly on page 790.
If you set a MAC limit to apply to all interfaces on the switch, you can override that
setting for a particular interface by specifying action none. See Setting the none
Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI
Procedure) on page 780.
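The following is an added example, not code from the Juniper guide: a small Python model of the two MAC limiting methods (dynamic limit and allowed MAC) and of MAC move limiting described above, with the drop, log, none and shutdown actions, run over constructed frames. The interface names, VLAN names, MAC addresses, the one-second move window and the way the log action is modelled are assumptions for the example; the switch's real counters and timers are not exposed this way.

```python
from collections import defaultdict, deque


class MacLimitingSwitch:
    """Model of per-interface MAC limiting and per-VLAN MAC move limiting.

    Added example, not Juniper code: interface names, VLAN names and frames
    are constructed. action is one of drop, log, none, shutdown.
    """

    def __init__(self, mac_limit=5, move_limit=None, action="drop"):
        self.mac_limit = mac_limit          # dynamic MACs per interface (default 5)
        self.move_limit = move_limit        # moves per second per VLAN; None = off
        self.action = action
        self.allowed = {}                   # interface -> set of allowed MACs
        self.learned = defaultdict(set)     # interface -> dynamically learned MACs
        self.table = {}                     # (vlan, mac) -> interface (switching table)
        self.moves = defaultdict(deque)     # vlan -> timestamps of recent moves
        self.shutdown = set()               # interfaces blocked by the shutdown action
        self.log = []                       # stand-in for alarm / SNMP trap / syslog

    def allow_mac(self, interface, mac):
        """Allowed MAC: only listed addresses are learned on this interface."""
        self.allowed.setdefault(interface, set()).add(mac.lower())

    def _violation(self, interface, reason):
        """Apply the configured action; return True if the frame is still forwarded."""
        if self.action == "none":
            return True
        self.log.append(f"{interface}: {reason}")
        if self.action == "log":
            return True                     # logged, but the frame goes through
        if self.action == "shutdown":
            self.shutdown.add(interface)    # interface stays blocked afterwards
        return False                        # drop and shutdown both discard the frame

    def receive(self, interface, vlan, mac, now):
        """Process the source MAC of one frame; return True if it is forwarded."""
        mac = mac.lower()
        if interface in self.shutdown:
            return False
        new_on_port = False
        if interface in self.allowed:
            # Allowed MAC takes precedence over any dynamic limit on this interface.
            if mac not in self.allowed[interface]:
                return self._violation(interface, f"{mac} is not an allowed MAC")
        elif mac not in self.learned[interface]:
            if len(self.learned[interface]) >= self.mac_limit:
                return self._violation(interface, f"MAC limit {self.mac_limit} exceeded by {mac}")
            new_on_port = True
        # MAC move limiting: the same (VLAN, MAC) was last seen on another interface.
        previous = self.table.get((vlan, mac))
        if previous is not None and previous != interface and self.move_limit is not None:
            window = self.moves[vlan]
            window.append(now)
            while window and now - window[0] > 1.0:     # keep only the last second
                window.popleft()
            if len(window) > self.move_limit:
                return self._violation(interface, f"MAC move limit exceeded by {mac} (was on {previous})")
        if new_on_port:
            self.learned[interface].add(mac)
        if previous is not None and previous != interface:
            self.learned[previous].discard(mac)        # entry flushed from the old interface
        self.table[(vlan, mac)] = interface
        return True


def demo():
    """Constructed traffic: a MAC limit of 2 and a move limit of 1 per second."""
    sw = MacLimitingSwitch(mac_limit=2, move_limit=1, action="drop")
    r = {}
    r["first"] = sw.receive("ge-0/0/1.0", "employee", "00:05:85:3A:82:77", 0.0)
    r["second"] = sw.receive("ge-0/0/1.0", "employee", "00:05:85:3A:82:79", 0.1)
    r["third"] = sw.receive("ge-0/0/1.0", "employee", "00:05:85:3A:82:80", 0.2)   # over the limit
    r["move1"] = sw.receive("ge-0/0/2.0", "employee", "00:05:85:3A:82:77", 1.0)   # first move, allowed
    r["move2"] = sw.receive("ge-0/0/1.0", "employee", "00:05:85:3A:82:77", 1.5)   # second move in 1 s
    return r, sw.log


if __name__ == "__main__":
    results, log = demo()
    for name, forwarded in results.items():
        print(f"{name}: {'forwarded' if forwarded else 'dropped'}")
    print("\n".join(log))
```

Running the block shows the third host on ge-0/0/1.0 being dropped once two addresses are learned, and the first move of 00:05:85:3A:82:77 being accepted while the second move within the same second trips the move limit. Switching action to "log" forwards the same frames but still records both events, and "shutdown" blocks the interface for every later frame, which is the behaviour to expect from a real port before choosing that action.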

MAC Addresses That Exceed the MAC Limit or MAC Move Limit
If you view log messages that indicate the MAC limit or MAC move limit is exceeded,
you can view the offending MAC addresses that have exceeded the limit. See
Troubleshooting Port Security for details.
Related Topics

Port Security for EX-series Switches Overview on page 654

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 729

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC
Addresses, to Protect the Switch from Ethernet Switching Table Overflow
Attacks on page 714

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 721

Configuring MAC Limiting (CLI Procedure) on page 776

Configuring MAC Limiting (J-Web Procedure) on page 777

Understanding Trusted DHCP Servers for Port Security on EX-series Switches


Any interface on the switch that connects to a DHCP server can be configured as a
trusted port. With DHCP snooping enabled, DHCP server messages (offers and
acknowledgments) are accepted only on trusted ports, so marking only the interface
that leads to the legitimate DHCP server as trusted protects against rogue DHCP servers
on other ports handing out leases.
Ensure that the DHCP server interface is physically secure (that is, that access to
the server is monitored and controlled at the site) before you configure the port as
trusted, because anything connected to a trusted port can act as a DHCP server
without being checked.
Related Topics

Understanding DHCP Snooping for Port Security on EX-series Switches on page 658

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch
from Rogue DHCP Server Attacks on page 718

Enabling a Trusted DHCP Server (CLI Procedure) on page 773

Enabling a Trusted DHCP Server (J-Web Procedure) on page 773

Understanding IP Source Guard for Port Security on EX-series Switches


Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of
source IP addresses or source MAC addresses. You can use the IP source guard access
port security feature on EX-series switches to mitigate the effects of these attacks.

IP Address Spoofing on page 666

How IP Source Guard Works on page 666

The IP Source Guard Database on page 667

Typical Uses of Other JUNOS Software Features with IP Source Guard on page 667

IP Address Spoofing
Hosts on access interfaces can spoof source IP addresses and/or source MAC addresses
by flooding the switch with packets containing invalid addresses. Such attacks
combined with other techniques such as TCP SYN flood attacks can result in
denial-of-service (DoS) attacks. With source IP address or source MAC address
spoofing, the system administrator cannot identify the source of the attack. The
attacker can spoof addresses on the same subnet or on a different subnet.

How IP Source Guard Works


IP source guard checks the IP source address and MAC source address in a packet
sent from a host attached to an untrusted access interface on the switch against
entries stored in the DHCP snooping database. If IP source guard determines that
the packet header contains an invalid source IP address or source MAC address, it
ensures that the switch does not forward the packetthat is, the packet is discarded.
When you configure IP source guard, you enable it on one or more VLANs. IP
source guard applies its checking rules to packets sent from untrusted access interfaces
on those VLANs. By default, on EX-series switches, access interfaces are untrusted
and trunk interfaces are trusted. IP source guard does not check packets that have
been sent to the switch by devices connected to either trunk interfaces or trusted
access interfaces (that is, interfaces configured as dhcp-trusted so that a DHCP server
can be connected to that interface to provide dynamic IP addresses).
IP source guard obtains information about IP-address/MAC-address/VLAN bindings
from the DHCP snooping database. It causes the switch to validate incoming IP
packets against the entries in that database.
After the DHCP snooping database has been populated either through dynamic DHCP
snooping or through configuration of specific static IP address/MAC address bindings,
the IP source guard feature builds its database. It then checks incoming packets from
access interfaces on the VLANs on which it is enabled. If the source IP addresses and
source MAC addresses match the IP source guard binding entries, the switch forwards
the packets to their specified destination addresses. If there are no matches, the
switch discards the packets.

The IP Source Guard Database


The IP source guard database looks like this:
user@switch> show ip-source-guard
IP source guard information:
Interface     Tag   IP Address    MAC Address         VLAN
ge-0/0/12.0         10.10.10.7    00:30:48:92:A5:9D   vlan100
ge-0/0/13.0         10.10.10.9    00:30:48:8D:01:3D   vlan100
ge-0/0/13.0   100   *             *                   voice

The IP source guard database table contains the VLANs enabled for IP source guard,
the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there
are any, and the IP addresses and MAC addresses that are bound to one another. If
a switch interface is associated with multiple VLANs and some of those VLANs are
enabled for IP source guard and others are not, the VLANs that are not enabled for
IP source guard have a star (*) in the IP Address and MAC Address fields. See the
entry for the voice VLAN in the preceding sample output.
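As an added example (not code from the Juniper guide), the following Python models the DHCP snooping database and the two consumers of it described in this chapter: DAI (the ARP sender check from Understanding DAI for Port Security on EX-series Switches) and IP source guard (the source IP/MAC check from this section), including trusted ports, per-VLAN enablement, static entries and lease expiry. The bindings reuse the sample show dhcp snooping binding output; the trusted port ge-0/0/23.0, the static printer entry, the packets, and the treatment of multicast or broadcast sender addresses as "invalid" are assumptions constructed for the example.

```python
import ipaddress


class SnoopingDatabase:
    """DHCP snooping bindings: (VLAN, IP) -> MAC, interface and lease expiry."""

    def __init__(self):
        self.bindings = {}

    def learn_dhcp(self, vlan, ip, mac, interface, lease_seconds, now):
        """Dynamic entry, as created when a DHCP lease is snooped."""
        self.bindings[(vlan, ip)] = {"mac": mac.lower(), "interface": interface,
                                     "expires": now + lease_seconds}

    def add_static(self, vlan, ip, mac, interface):
        """Static entry: no lease time, never expires."""
        self.bindings[(vlan, ip)] = {"mac": mac.lower(), "interface": interface,
                                     "expires": None}

    def lookup(self, vlan, ip, now):
        """Return the binding, or None if absent or its lease has run out."""
        b = self.bindings.get((vlan, ip))
        if b is None:
            return None
        if b["expires"] is not None and now >= b["expires"]:
            del self.bindings[(vlan, ip)]      # lease expired without renewal
            return None
        return b


class PortSecurity:
    """DAI and IP source guard checks against the snooping database.

    trusted: dhcp-trusted access ports and trunks, which bypass both checks.
    dai_vlans / ipsg_vlans: the VLANs on which each feature is enabled.
    """

    def __init__(self, db, trusted=(), dai_vlans=(), ipsg_vlans=()):
        self.db = db
        self.trusted = set(trusted)
        self.dai_vlans = set(dai_vlans)
        self.ipsg_vlans = set(ipsg_vlans)

    def _bound(self, vlan, ip, mac, interface, now):
        b = self.db.lookup(vlan, ip, now)
        return b is not None and b["mac"] == mac.lower() and b["interface"] == interface

    def inspect_arp(self, interface, vlan, sender_mac, sender_ip, now):
        """DAI: True if the ARP request/reply is accepted, False if dropped."""
        if interface in self.trusted or vlan not in self.dai_vlans:
            return True
        try:
            addr = ipaddress.IPv4Address(sender_ip)
        except ValueError:
            return False                        # malformed sender address
        # "Invalid IP address" is modelled as a multicast or broadcast sender
        # address; this is an assumption of the example, not the switch's rule.
        if addr.is_multicast or addr == ipaddress.IPv4Address("255.255.255.255"):
            return False
        return self._bound(vlan, sender_ip, sender_mac, interface, now)

    def check_ip_source(self, interface, vlan, src_mac, src_ip, now):
        """IP source guard: True if the IP packet is forwarded, False if discarded."""
        if interface in self.trusted or vlan not in self.ipsg_vlans:
            return True                         # the '*' rows in show ip-source-guard
        return self._bound(vlan, src_ip, src_mac, interface, now)


def demo():
    """Constructed bindings (from the show dhcp snooping binding sample) and packets."""
    db = SnoopingDatabase()
    db.learn_dhcp("employee", "192.0.2.17", "00:05:85:3A:82:77", "ge-0/0/1.0", 600, now=0)
    db.learn_dhcp("employee", "192.0.2.19", "00:05:85:3A:82:80", "ge-0/0/2.0", 720, now=0)
    db.add_static("employee", "192.0.2.50", "00:04:0f:fd:ac:fe", "ge-0/0/19.0")
    ps = PortSecurity(db, trusted={"ge-0/0/23.0"}, dai_vlans={"employee"},
                      ipsg_vlans={"employee"})
    r = {}
    # Legitimate ARP reply from the host that leased 192.0.2.17.
    r["arp_ok"] = ps.inspect_arp("ge-0/0/1.0", "employee", "00:05:85:3a:82:77", "192.0.2.17", now=10)
    # Host on ge-0/0/2.0 claims 192.0.2.17 with its own MAC: a cache poisoning attempt.
    r["arp_spoof"] = ps.inspect_arp("ge-0/0/2.0", "employee", "00:05:85:3a:82:80", "192.0.2.17", now=10)
    # The same forged packet arriving on a trusted port is not inspected at all.
    r["arp_trusted"] = ps.inspect_arp("ge-0/0/23.0", "employee", "00:05:85:3a:82:80", "192.0.2.17", now=10)
    # Static binding: valid no matter how much time has passed.
    r["arp_static"] = ps.inspect_arp("ge-0/0/19.0", "employee", "00:04:0f:fd:ac:fe", "192.0.2.50", now=100000)
    # IP source guard: correct source address, then a spoofed one from the same host.
    r["ip_ok"] = ps.check_ip_source("ge-0/0/2.0", "employee", "00:05:85:3a:82:80", "192.0.2.19", now=10)
    r["ip_spoof"] = ps.check_ip_source("ge-0/0/2.0", "employee", "00:05:85:3a:82:80", "192.0.2.99", now=10)
    # A VLAN on which IP source guard is not enabled is passed through unchecked.
    r["ip_other_vlan"] = ps.check_ip_source("ge-0/0/2.0", "voice", "00:05:85:3a:82:80", "10.10.10.99", now=10)
    # The 600 s lease for 192.0.2.17 ran out unrenewed: the previously valid ARP is now dropped.
    r["arp_expired"] = ps.inspect_arp("ge-0/0/1.0", "employee", "00:05:85:3a:82:77", "192.0.2.17", now=700)
    return r


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'dropped'}")
```

The last case is the one to keep in mind operationally: once a lease expires without renewal (for example because the DHCP server is unreachable), the host's ARP and IP traffic is dropped even though nothing about the host changed. Static entries for devices that must stay reachable regardless of the DHCP server, and a trusted port only where a legitimate server really sits, are the two levers the sections above give you.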

Typical Uses of Other JUNOS Software Features with IP Source Guard


You can configure IP source guard with various other features on the EX-series switch
to provide access port security, including:

VLAN tagging (used for voice VLANs)

GRES (Graceful Routing Engine switchover)

Virtual Chassis configurations (multiple EX 4200 switches that are managed
through a single management interface)

Link-aggregation groups (LAGs)

802.1X user authentication, in single supplicant mode

NOTE: The 802.1X user authentication is applied in one of three modes: single
supplicant, single-secure supplicant, or multiple supplicant. Single supplicant mode
works with IP source guard, but single-secure and multiple supplicant modes do not.

Related Topics

Understanding DHCP Snooping for Port Security on EX-series Switches on page 658

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface
with a Voice VLAN on page 740

Example: Configuring IP Source Guard with Other EX-series Switch Features to
Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 746
Chapter 44

Examples of Configuring 802.1X, Port Security, and VoIP

Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch on page 670

Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access
to Corporate Visitors on an EX-series Switch on page 675

Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series
Switch on page 680

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant
Configurations on an EX-series Switch on page 685

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series
Switch on page 691

Example: Configuring VoIP on an EX-series Switch Without Including 802.1X
Authentication on page 698

Example: Configuring VoIP on an EX-series Switch Without Including LLDP-MED
Support on page 704

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC
Addresses, to Protect the Switch from Ethernet Switching Table Overflow
Attacks on page 714

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch
from Rogue DHCP Server Attacks on page 718

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 721

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 729

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series
Switch with Access to a DHCP Server Through a Second Switch on page 732

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface
with a Voice VLAN on page 740

Example: Configuring IP Source Guard with Other EX-series Switch Features to
Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 746

Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch


802.1X is the IEEE standard for Port-Based Network Access Control (PNAC). You use
802.1X to control network access. Only users and devices providing credentials that
have been verified against a user database are allowed access to the network. You
can use a RADIUS server as the user database.
This example describes how to connect a RADIUS server to an EX-series switch and
configure the switch to use it for 802.1X:

Requirements on page 670

Overview and Topology on page 670

Configuration on page 673

Verification on page 674

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX-series switches

One EX 4200 switch acting as an authenticator port access entity (PAE). The
ports on the authenticator PAE form a control gate that blocks all traffic to and
from supplicants until they are authenticated.

One RADIUS authentication server that supports 802.1X. The authentication
server acts as the backend database and contains credential information for
hosts (supplicants) that have permission to connect to the network.

Before you connect the server to the switch, be sure you have:

Installed your EX-series switch. See Installing and Connecting an EX-series Switch.

Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.

Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369.

Configured users on the authentication server.

Overview and Topology


The EX-series switch acts as an authenticator Port Access Entity (PAE). It blocks all
traffic and acts as a control gate until the supplicant (client) is authenticated by the
server. All other users and devices are denied access.

Figure 35 on page 672 shows one EX 4200 switch that is connected to the devices
listed in Table 94 on page 673.

Figure 35: Topology for Configuration

Table 94: Components of the Topology

Property           Settings
Switch hardware    EX 4200 access switch, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through
                   ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
VLAN name          default
One RADIUS server  Backend database with an address of 10.0.0.100 connected to the switch at port
                   ge-0/0/10

In this example, connect the RADIUS server to access port ge-0/0/10 on the EX 4200
switch. The switch acts as the authenticator and forwards credentials from the
supplicant to the user database on the RADIUS server. You must configure connectivity
between the EX 4200 and the RADIUS server by specifying the address of the server
and configuring the secret password. This information is configured in an access
profile on the switch.

NOTE: For more information about authentication, authorization, and accounting (AAA)
services, see the JUNOS Software System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/

Configuration
CLI Quick Configuration

To quickly connect the RADIUS server to the switch, copy the following commands
and paste them into the switch terminal window:
[edit]
set access radius-server 10.0.0.100 secret juniper
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.0.0.100 10.2.14.200

Step-by-Step Procedure

To connect the RADIUS server to the switch:


1. Define the address of the server, and configure the secret password. The secret
   password on the switch must match the secret password on the server:
   [edit access]
   user@switch# set radius-server 10.0.0.100 secret juniper

2. Configure the authentication order, making radius the first method of
   authentication:
   [edit access profile]
   user@switch# set profile1 authentication-order radius

3. Configure a list of server IP addresses to be tried in order to authenticate the
   supplicant:
   [edit access profile]
   user@switch# set profile1 radius authentication-server 10.0.0.100 10.2.14.200

The second address, 10.2.14.200, is a fallback that is tried only if the first server does
not respond; each server listed under authentication-server needs its own entry, with
its address and secret, under [edit access radius-server] (this example defines only
10.0.0.100 in step 1). Use a long, random shared secret rather than a dictionary word
such as juniper: the secret is the only thing that authenticates the switch to the RADIUS
server and protects the password attributes in the RADIUS exchange.

Results

Display the results of the configuration:


user@switch> show configuration access
radius-server {
    10.0.0.100 {
        port 1812;
        secret "$9$qPT3ApBSrv69rvWLVb.P5"; ## SECRET-DATA
    }
}
profile profile1 {
    authentication-order radius;
    radius {
        authentication-server 10.0.0.100 10.2.14.200;
    }
}

The $9$ form in which the secret is displayed is obfuscation, not encryption: anyone
who can read the configuration can recover the secret from it, so protect configuration
backups and rescue configurations accordingly.

Verification
To confirm that the configuration is working properly, perform these tasks:

Verify That the Switch and RADIUS Server are Properly Connected on page 674

Verify That the Switch and RADIUS Server are Properly Connected

Purpose
Verify that the RADIUS server is connected to the switch on the specified port.

Action
Ping the RADIUS server to verify the connection between the switch and the server:
user@switch> ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100): 56 data bytes
64 bytes from 10.0.0.100: icmp_seq=0 ttl=64 time=9.734 ms
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=0.228 ms

Meaning
ICMP echo request packets are sent from the switch to the target server at 10.0.0.100
to test whether it is reachable across the IP network. ICMP echo responses are being
returned from the server, verifying that the switch and the server are connected.
A successful ping shows only IP reachability; it does not prove that UDP port 1812 is
open on the server or that the shared secret matches. Those are confirmed only when
a supplicant attempts authentication, so follow the ping with a test authentication and
check the result with show dot1x interface.

Related Topics

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant
Configurations on an EX-series Switch on page 685

Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access
to Corporate Visitors on an EX-series Switch on page 675

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch

Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series
Switch on page 680

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761

Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI
Procedure) on page 762

Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to
Corporate Visitors on an EX-series Switch
802.1X on EX-series switches can provide limited LAN access to users who do not have
credentials in the RADIUS database. These users, referred to as guests, are not
authenticated; instead they are placed in a guest VLAN, which typically provides access
to the Internet only.
This example describes how to create a guest VLAN and configure 802.1X
authentication for it.

Requirements on page 675

Overview and Topology on page 675

Configuration of a Guest VLAN That Includes 802.1X Authentication on page 678

Verification on page 679

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX-series switches

One EX-series 4200 switch acting as an authenticator port access entity
(PAE). The interfaces on the authenticator PAE form a control gate that blocks
all traffic to and from supplicants until they are authenticated.

One RADIUS authentication server that supports 802.1X. The authentication
server acts as the backend database and contains credential information for
hosts (supplicants) that have permission to connect to the network.

Before you configure guest VLAN authentication, be sure you have:

Installed your EX-series switch. See Installing and Connecting an EX-series Switch.

Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.

Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369.

Overview and Topology


As part of IEEE 802.1X Port-Based Network Access Control (PNAC), you can provide
limited network access to supplicants who do not belong to a VLAN authentication
group by configuring authentication to a guest VLAN. Typically, guest VLAN access
is used to provide Internet access to visitors to a corporate site. However, you can
also use the guest VLAN feature to provide supplicants that fail 802.1X authentication
to a corporate LAN with access to a VLAN with limited resources. Because anything
plugged into the conference room interface lands in the guest VLAN without presenting
credentials, make sure that VLAN is routed only toward the Internet and is not bridged
or routed to the corporate VLANs.
Figure 36 on page 677 shows the conference room connected to the switch at interface
ge-0/0/1.

Figure 36: Topology for Guest VLAN Example

Table 95: Components of the Guest VLAN Topology

Property                Settings
Switch hardware         EX 4200 switch, 24 Gigabit Ethernet interfaces: 8 PoE interfaces (ge-0/0/0 through
                        ge-0/0/7) and 16 non-PoE interfaces (ge-0/0/8 through ge-0/0/23)
VLAN names and tag IDs  sales, tag 100
                        support, tag 200
                        guest-vlan, tag 300
One RADIUS server       Backend database connected to the switch through interface ge-0/0/10

In this example, access interface ge-0/0/1 provides LAN connectivity in the conference
room. Configure this access interface to provide LAN connectivity to visitors in the
conference room who are not authenticated by the corporate VLAN.

Configuration of a Guest VLAN That Includes 802.1X Authentication


To create a guest VLAN and configure 802.1X authentication, perform these tasks:
CLI Quick Configuration

To quickly configure a guest VLAN, with 802.1X authentication, copy the following
commands and paste them into the switch terminal window:
[edit]
set vlans guest-vlan vlan-id 300
set protocols dot1x authenticator interface all guest-vlan guest-vlan

Step-by-Step Procedure

To configure a guest VLAN that includes 802.1X authentication on an EX-series switch:


1.

Configure the VLAN ID for the guest VLAN:


[edit]
user@switch# set vlans guest-vlan vlan-id 300

2.

Configure the guest VLAN under dot1x protocols:


[edit]
user@switch# set protocols dot1x authenticator interface all guest-vlan guest-vlan

Results

Check the results of the configuration:


user@switch> show configuration
protocols {
    dot1x {
        authenticator {
            interface {
                all {
                    guest-vlan guest-vlan;
                }
            }
        }
    }
}
vlans {
    guest-vlan {
        vlan-id 300;
    }
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying That the Guest VLAN is Configured on page 679

Verifying That the Guest VLAN is Configured

Purpose
Verify that the guest VLAN is created and that an interface has failed authentication
and been moved to the guest VLAN.

Action
Use the operational mode commands:
user@switch> show vlans
Name        Tag   Interfaces
default           ge-0/0/3.0*
dynamic     40    None
guest       30    None
guest-vlan  300   ge-0/0/1.0*
vlan_dyn          None

user@switch> show dot1x interface ge-0/0/1.0 detail
ge-0/0/1.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Guest VLAN membership: guest-vlan
  Reauthentication: Enabled
  Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Supplicant: user1, 00:00:00:00:13:23
    Operational state: Authenticated
    Reauthentication due in 3307 seconds

Meaning
The output from the show vlans command shows guest-vlan as the name of the
VLAN and the VLAN ID as 300, with interface ge-0/0/1.0 currently a member of it.
The output from the show dot1x interface ge-0/0/1.0 detail command displays the
Guest VLAN membership field, indicating that guest-vlan is the VLAN into which a
supplicant on this interface is placed when it does not pass 802.1X authentication.
Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch on page 670

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant
Configurations on an EX-series Switch on page 685

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch

Configuring 802.1X Authentication (CLI Procedure) on page 756

Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch


As part of IEEE 802.1X Port-Based Network Access Control (PNAC), you can configure
access through 802.1X-configured ports to your LAN for devices that are not
802.1X-enabled. These devices, typically printers, are known as nonresponsive hosts.
Nonresponsive hosts are authenticated by means of their MAC address: if a
nonresponsive host's MAC address matches an entry in a user-configured static MAC
address list, the host is authenticated and its interface is opened. Because a MAC
address is trivially forged, treat static MAC authentication as a convenience for devices
that cannot run a supplicant rather than as a credential: restrict such interfaces to the
expected address with MAC limiting (allowed MAC) and keep the devices in a VLAN with
only the access they need.
This example describes how to configure static MAC authentication for two printers.

Requirements on page 680

Overview and Topology on page 681

Configuration on page 683

Verification on page 684

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX-series switches

One EX 4200 switch acting as an authenticator port access entity (PAE). The
ports on the authenticator PAE form a control gate that blocks all traffic to and
from supplicants until they are authenticated.

One RADIUS authentication server. The authentication server acts as the backend
database and contains credential information for hosts (supplicants) that have
permission to connect to the network.

Before you configure static MAC authentication, be sure you have:

Configured basic access between the EX-series switch and the RADIUS server.
See Connecting and Configuring the EX-series Switch (J-Web
Procedure) on page 58.

Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369.

Chapter 44: Examples of Configuring 802.1X, Port Security, and VoIP

Overview and Topology


Figure 37 on page 682 shows the two printers connected to the EX 4200.

Figure 37: Topology for Static MAC Authentication Configuration

The interfaces shown in Table 96 on page 683 will be configured for static MAC
authentication.

Table 96: Components of the Static MAC Authentication Configuration Topology

Switch hardware: EX 4200 24T, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)

VLAN name: default

Connections to integrated printer/fax/copier machines (no PoE required): ge-0/0/19, MAC address 00:04:0f:fd:ac:fe; ge-0/0/20, MAC address 00:04:ae:cd:23:5f

The printer with the MAC address 00:04:0f:fd:ac:fe is connected to access interface
ge-0/0/19. A second printer with the MAC address 00:04:ae:cd:23:5f is connected
to access interface ge-0/0/20. Both printers will be added to the static list and bypass
802.1X authentication.

Configuration
To configure static MAC authentication, perform these tasks:

Configuring Static MAC Authentication


CLI Quick Configuration

To quickly configure static MAC authentication, copy the following commands and
paste them into the switch terminal window:
[edit]
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]
set protocols dot1x authenticator interface all supplicant multiple

Step-by-Step Procedure

Configure static MAC authentication:

1. Configure the authentication profile name (access profile name) to use for authentication:

[edit protocols]
user@switch# set dot1x authenticator authentication-profile-name profile1

2. Configure MAC addresses 00:04:0f:fd:ac:fe and 00:04:ae:cd:23:5f as static MAC addresses:

[edit protocols]
user@switch# set dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]

3. Configure the 802.1X authentication method:

[edit protocols]
user@switch# set dot1x authenticator interface all supplicant multiple

Results

Display the results of the configuration:


user@switch> show
interfaces {
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching {
                vlan members default;
            }
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching {
                vlan members default;
            }
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name profile1;
            static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f];
            interface {
                all {
                    supplicant multiple;
                }
            }
        }
    }
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying Static MAC Authentication on page 684

Verifying Static MAC Authentication

Purpose

Verify that the MAC address for both printers is configured and associated with the correct interfaces.

Action

Use the operational mode command:

user@switch> show dot1x static-mac-address
MAC address         VLAN-Assignment   Interface
00:04:0f:fd:ac:fe   default           ge-0/0/19.0
00:04:ae:cd:23:5f   default           ge-0/0/20.0

Meaning

The output field MAC address shows the MAC addresses of the two printers.
The output field Interface shows that the MAC address 00:04:0f:fd:ac:fe can connect
to the LAN through interface ge-0/0/19.0 and that the MAC address 00:04:ae:cd:23:5f
can connect to the LAN through interface ge-0/0/20.0.
Related Topics

Configuring 802.1X Authentication (CLI Procedure) on page 756

Configuring 802.1X Authentication (J-Web Procedure) on page 758

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch

802.1x Port-Based Network Access Control (PNAC) authentication on EX-series switches provides three types of authentication to meet the access needs of your enterprise LAN:

Authenticate the first host (supplicant) on an authenticator port, and allow all others also connecting to have access.

Authenticate only one supplicant on an authenticator port at one time.

Authenticate multiple supplicants on an authenticator port. Multiple supplicant mode is used in VoIP configurations.

This example configures an EX-series 4200 switch to use IEEE 802.1X to authenticate
supplicants that use three different administrative modes:

Requirements on page 685

Overview and Topology on page 686

Configuration of 802.1X to Support Multiple Supplicant Modes on page 688

Verification on page 689

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX-series switches

One EX-series 4200 switch acting as an authenticator port access entity (PAE).
The ports on the authenticator PAE form a control gate that blocks all traffic to
and from supplicants until they are authenticated.

One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you configure the ports for 802.1X authentication, be sure you have:

Installed your EX-series switch. See Installing and Connecting an EX-series Switch.

Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.

Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369.

Configured users on the authentication server.

Overview and Topology


As shown in Figure 38 on page 687, the topology contains an EX 4200 access switch
connected to the authentication server on port ge-0/0/10. Interfaces ge-0/0/8,
ge-0/0/9, and ge-0/0/11 will be configured for three different administrative modes.

Figure 38: Topology for Configuring Supplicant Modes

Table 97: Components of the Supplicant Mode Configuration Topology

Switch hardware: EX-series 4200 access switch, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)

Connections to Avaya phones with integrated hub, to connect phone and desktop PC to a single port (requires PoE): ge-0/0/8, ge-0/0/9, and ge-0/0/11

To configure the administrative modes to support supplicants in different areas of the Enterprise network:

Configure access port ge-0/0/8 for single supplicant mode authentication.

Configure access port ge-0/0/9 for single secure supplicant mode authentication.

Configure access port ge-0/0/11 for multiple supplicant mode authentication.

Single supplicant mode authenticates only the first supplicant that connects to an
authenticator port. All other supplicants connecting to the authenticator port after
the first supplicant has connected successfully, whether they are 802.1X-enabled or
not, are permitted free access to the port without further authentication. If the first
authenticated supplicant logs out, all other supplicants are locked out until a supplicant
authenticates.
Single-secure supplicant mode authenticates only one supplicant to connect to an
authenticator port. No other supplicant can connect to the authenticator port until
the first supplicant logs out.
Multiple supplicant mode authenticates multiple supplicants individually on one
authenticator port. If you configure a maximum number of devices that can be
connected to a port through port security, the lesser of the configured values is used
to determine the maximum number of supplicants allowed per port.
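The three mode descriptions above are access rules; the following Python model, added here as an example and not Juniper's code, applies those rules to a sequence of connect and logout events so that the piggybacking allowed by single mode, the lock-out in single-secure mode, and the cap on multiple mode can be exercised. Everything in it is constructed: the class, its two limit parameters and the MAC strings are assumptions, and "the lesser of the configured values" is modelled as the minimum of a dot1x cap and a port-security cap.

```python
"""Model of the three 802.1X supplicant modes (added example, not JUNOS code).
The port-security interaction is modelled as min(dot1x cap, port-security cap);
that reading of 'the lesser of the configured values' is an assumption."""
from dataclasses import dataclass, field
from typing import Optional, Set

SINGLE = "single"
SINGLE_SECURE = "single-secure"
MULTIPLE = "multiple"


@dataclass
class AuthenticatorPort:
    """One authenticator interface; MACs are plain strings such as '00:04:0f:fd:ac:fe'."""
    mode: str
    dot1x_limit: Optional[int] = None          # hypothetical per-port supplicant cap
    port_security_limit: Optional[int] = None  # hypothetical port-security MAC limit
    anchor: Optional[str] = None               # first authenticated supplicant (single modes)
    authenticated: Set[str] = field(default_factory=set)  # individually authenticated hosts
    passthrough: Set[str] = field(default_factory=set)    # hosts riding on the anchor

    def max_supplicants(self) -> Optional[int]:
        """Lesser of the configured caps, or None when neither is set."""
        limits = [x for x in (self.dot1x_limit, self.port_security_limit) if x is not None]
        return min(limits) if limits else None

    def connect(self, mac: str, auth_ok: bool) -> bool:
        """Return True if the host gains access. auth_ok is the RADIUS outcome;
        False also covers a host that is not 802.1X-enabled and never answers."""
        if self.mode == SINGLE:
            if self.anchor is None:
                if not auth_ok:
                    return False
                self.anchor = mac
                self.authenticated.add(mac)
                return True
            # Someone already authenticated: every later host is let through untouched.
            if mac != self.anchor:
                self.passthrough.add(mac)
            return True
        if self.mode == SINGLE_SECURE:
            if self.anchor is None and auth_ok:
                self.anchor = mac
                self.authenticated.add(mac)
                return True
            return mac == self.anchor  # nobody else until the anchor logs out
        if self.mode == MULTIPLE:
            if mac in self.authenticated:
                return True
            cap = self.max_supplicants()
            if not auth_ok or (cap is not None and len(self.authenticated) >= cap):
                return False
            self.authenticated.add(mac)
            return True
        raise ValueError(f"unknown supplicant mode {self.mode!r}")

    def logout(self, mac: str) -> None:
        """Remove a host; in single mode the anchor leaving locks out the passthrough hosts."""
        if mac == self.anchor and self.mode in (SINGLE, SINGLE_SECURE):
            self.anchor = None
            self.authenticated.discard(mac)
            self.passthrough.clear()
        else:
            self.authenticated.discard(mac)
            self.passthrough.discard(mac)

    def has_access(self, mac: str) -> bool:
        return mac in self.authenticated or mac in self.passthrough


if __name__ == "__main__":
    port = AuthenticatorPort(SINGLE)
    port.connect("00:00:00:00:00:01", True)
    # In single mode a second, unauthenticated host is admitted on the first host's session.
    print("second host admitted without credentials:", port.connect("00:00:00:00:00:02", False))
```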

Configuration of 802.1X to Support Multiple Supplicant Modes


To configure 802.1X authentication to support multiple supplicants, perform these
tasks:
CLI Quick Configuration

To quickly configure the ports with different 802.1X authentication modes, copy the
following commands and paste them into the switch terminal window:
[edit]
set protocols dot1x authenticator interface ge-0/0/8 supplicant single
set protocols dot1x authenticator interface ge-0/0/9 supplicant single-secure
set protocols dot1x authenticator interface ge-0/0/11 supplicant multiple

Step-by-Step Procedure

Configure the administrative mode on the interfaces:

1. Configure the supplicant mode as single on interface ge-0/0/8:

[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/8 supplicant single

2. Configure the supplicant mode as single secure on interface ge-0/0/9:

[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/9 supplicant single-secure

3. Configure multiple supplicant mode on interface ge-0/0/11:

[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/11 supplicant multiple

Results

Check the results of the configuration:


[edit]
user@access-switch> show configuration
protocols {
    dot1x {
        authenticator {
            interface {
                ge-0/0/8.0 {
                    supplicant single;
                }
                ge-0/0/9.0 {
                    supplicant single-secure;
                }
                ge-0/0/11.0 {
                    supplicant multiple;
                }
            }
        }
    }
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying the 802.1X Configuration on page 689

Verifying the 802.1X Configuration


Purpose

Action

Verify the 802.1X configuration on interfaces ge-0/0/8, ge-0/0/9, and ge-0/0/11.


Verify the 802.1X configuration with the operational mode command show dot1x
interface:

user@switch> show dot1x interface ge-0/0/8.0 detail


ge-0/0/8.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Supplicant: user100, 00:00:00:00:22:22
Operational state: Authenticated
Reauthentication due in 506 seconds
user@switch> show dot1x interface ge-0/0/9.0 detail
ge-0/0/9.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single Secure
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Supplicant: user101, 00:13:00:00:28:22
Operational state: Authenticated
Reauthentication due in 917 seconds
user@switch> show dot1x interface ge-0/0/11.0 detail
ge-0/0/11.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Supplicant: user102, 00:10:12:e0:28:22
Operational state: Authenticated
Reauthentication due in 1788 seconds

Meaning

The Supplicant mode output field displays the configured administrative mode for each interface. Interface ge-0/0/8.0 displays Single supplicant mode. Interface ge-0/0/9.0 displays Single Secure supplicant mode. Interface ge-0/0/11.0 displays Multiple supplicant mode.

Related Topics

Understanding 802.1X Authentication on EX-series Switches on page 641

Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 670

Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 675

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761

Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on page 762
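The verification step above reads the Supplicant mode field by eye; as an added example that is not Juniper's code, the following Python parser turns the show dot1x interface detail output into records and audits each interface's reported mode against the mode the configuration intended, which is what an operator would script to catch a port left in single mode after a change. SAMPLE_OUTPUT is constructed from the three command outputs shown above, and EXPECTED_MODES, the function names and the regular expressions are assumptions.

```python
"""Added example, not Juniper code: parse 'show dot1x interface ... detail' output
and audit the reported supplicant mode of each interface against the intended one.
SAMPLE_OUTPUT is constructed from the three command outputs shown on the page."""
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
user@switch> show dot1x interface ge-0/0/8.0 detail
ge-0/0/8.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Supplicant: user100, 00:00:00:00:22:22
Operational state: Authenticated
Reauthentication due in 506 seconds
user@switch> show dot1x interface ge-0/0/9.0 detail
ge-0/0/9.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single Secure
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Supplicant: user101, 00:13:00:00:28:22
Operational state: Authenticated
Reauthentication due in 917 seconds
user@switch> show dot1x interface ge-0/0/11.0 detail
ge-0/0/11.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Supplicant: user102, 00:10:12:e0:28:22
Operational state: Authenticated
Reauthentication due in 1788 seconds
"""

# The modes the configuration above intended, keyed by logical interface (assumed inventory).
EXPECTED_MODES = {"ge-0/0/8.0": "single", "ge-0/0/9.0": "single-secure", "ge-0/0/11.0": "multiple"}

IFACE_RE = re.compile(r"^[a-z]+-\d+/\d+/\d+\.\d+$")  # a line holding only "ge-0/0/8.0"
SUPPLICANT_RE = re.compile(r"^(\S+), ([0-9a-f]{2}(?::[0-9a-f]{2}){5})$", re.I)


def parse_dot1x_detail(text: str) -> Dict[str, dict]:
    """One record per interface: normalised mode, operational state,
    (user, mac) supplicant pairs, and the remaining 'Key: value' fields."""
    records: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("user@"):
            continue  # blank line or the echoed command
        if IFACE_RE.match(line):
            current = records.setdefault(line, {"mode": None, "state": None, "supplicants": [], "fields": {}})
            continue
        if current is None or ":" not in line:
            continue  # e.g. "Reauthentication due in 506 seconds"
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Supplicant":
            m = SUPPLICANT_RE.match(value)
            if m:
                current["supplicants"].append((m.group(1), m.group(2).lower()))
        elif key == "Supplicant mode":
            current["mode"] = value.lower().replace(" ", "-")  # "Single Secure" -> "single-secure"
        elif key == "Operational state":
            current["state"] = value.lower()
        else:
            current["fields"][key] = value
    return records


def audit_modes(records: Dict[str, dict], expected: Dict[str, str]) -> List[str]:
    """Findings where the running 802.1X state differs from the intended modes."""
    findings: List[str] = []
    for iface, mode in expected.items():
        rec = records.get(iface)
        if rec is None:
            findings.append(f"{iface}: no authenticator state in the output")
        elif rec["mode"] != mode:
            findings.append(f"{iface}: supplicant mode is {rec['mode']}, expected {mode}")
    for iface in sorted(set(records) - set(expected)):
        findings.append(f"{iface}: 802.1X enabled but not in the intended configuration")
    for iface, rec in sorted(records.items()):
        if rec["supplicants"] and rec["state"] != "authenticated":
            findings.append(f"{iface}: operational state is {rec['state']}")
    return findings


if __name__ == "__main__":
    for finding in audit_modes(parse_dot1x_detail(SAMPLE_OUTPUT), EXPECTED_MODES) or ["no findings"]:
        print(finding)
```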

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch


You can configure voice over IP (VoIP) on an EX-series switch to support IP telephones.
VoIP is a protocol used for the transmission of voice through packet-switched
networks. VoIP transmits voice calls using a network connection instead of an analog
phone line. The Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED)
protocol forwards VoIP parameters from the switch to the phone. You also configure
802.1X authentication to allow the telephone access to the LAN. Authentication is
done through a backend RADIUS server.
This example describes how to configure VoIP on an EX-series switch to support an
Avaya IP phone, as well as the LLDP-MED protocol and 802.1X authentication:

Requirements on page 691

Overview and Topology on page 692

Configuration on page 694

Verification on page 696

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.1 or later for EX-series switches

One EX 4200 switch acting as an authenticator port access entity (PAE). The
interfaces on the authenticator PAE form a control gate that blocks all traffic to
and from supplicants until they are authenticated.

An Avaya 9620 IP telephone that supports LLDP-MED and 802.1X

Before you configure VoIP, be sure you have:

Installed your EX-series switch. See Installing and Connecting an EX-series Switch.

Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.

Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369.

Configured the RADIUS server for 802.1X authentication and set up the access
profile. See Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch on page 670.

Configured interface ge-0/0/2 for Power over Ethernet (PoE). For information
about configuring PoE, see Configuring PoE (CLI Procedure) on page 1099.

NOTE: The PoE configuration is not necessary if the VoIP supplicant is using a power
adapter.

Overview and Topology


Instead of using a regular telephone, you connect an IP telephone directly to the
switch. An IP phone has all the hardware and software needed to handle VoIP. You
also can power an IP telephone by connecting it to one of the Power over Ethernet
(PoE) interfaces on the switch.
In this example, the access interface ge-0/0/2 on the EX 4200 switch is connected
to an Avaya 9620 IP telephone. Avaya phones have a built-in bridge that allows you
to connect a desktop PC to the phone, so the desktop and phone in a single office
require only one interface on the switch. The EX-series switch is connected to a
RADIUS server on interface ge-0/0/10 (see Figure 39 on page 693).

Figure 39: VoIP Topology

In this example, you configure VoIP parameters and specify the forwarding class
assured-forward for voice traffic to provide the highest quality of service.
Table 98 on page 693 describes the components used in this VoIP configuration
example.
Table 98: Components of the VoIP Configuration Topology

Switch hardware: EX 4200 switch

VLAN names: data-vlan, voice-vlan

Connection to Avaya phone with integrated hub, to connect phone and desktop PC to a single interface (requires PoE): ge-0/0/2

One RADIUS server: Provides backend database connected to the switch through interface ge-0/0/10.

As well as configuring VoIP for interface ge-0/0/2, you configure:

802.1X authentication. Authentication is set to multiple supplicant to support more than one supplicant's access to the LAN through interface ge-0/0/2.

LLDP-MED protocol information. The switch uses LLDP-MED to forward VoIP parameters to the phone. Using LLDP-MED ensures that voice traffic gets tagged and prioritized with the correct values at the source itself. For example, 802.1p class of service and 802.1Q tag information can be sent to the IP telephone.

NOTE: A PoE configuration is not necessary if an IP telephone is using a power adapter.

Configuration
To configure VoIP, LLDP-MED, and 802.1X authentication:
CLI Quick Configuration

To quickly configure VoIP, LLDP-MED, and 802.1X, copy the following commands
and paste them into the switch terminal window:
[edit]
set vlans data-vlan vlan-id 77
set vlans voice-vlan vlan-id 99
set vlans data-vlan interface ge-0/0/2.0
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set ethernet-switching-options voip interface ge-0/0/2.0 vlan voice-vlan
set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class
assured-forwarding
set protocols lldp-med interface ge-0/0/2.0
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple

Step-by-Step Procedure

To configure VoIP with LLDP-MED and 802.1X:

1. Configure the VLANs for voice and data:

[edit vlans]
user@switch# set data-vlan vlan-id 77
user@switch# set voice-vlan vlan-id 99

2. Associate the VLAN data-vlan with the interface:

[edit vlans]
user@switch# set data-vlan interface ge-0/0/2.0

3. Configure the interface as an access interface, configure support for Ethernet switching, and add the data-vlan VLAN:

[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access

4. Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable class of service:

[edit ethernet-switching-options]
user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding

5. Configure LLDP-MED protocol support:

[edit protocols]
user@switch# set lldp-med interface ge-0/0/2.0

6. To authenticate an IP phone and a PC connected to the IP phone on the interface, configure 802.1X authentication support and specify multiple supplicant mode:

NOTE: If you do not want to authenticate any device, skip the 802.1X configuration on this interface.

[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple

Results

Display the results of the configuration:


[edit]
user@switch# show configuration
interfaces {
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members data-vlan;
                }
            }
        }
    }
}
protocols {
    lldp-med {
        interface ge-0/0/2.0;
    }
    dot1x {
        authenticator {
            interface {
                ge-0/0/2.0 {
                    supplicant multiple;
                }
            }
        }
    }
}
vlans {
    data-vlan {
        vlan-id 77;
        interface {
            ge-0/0/2.0;
        }
    }
    voice-vlan {
        vlan-id 99;
    }
}
ethernet-switching-options {
    voip {
        interface ge-0/0/2.0 {
            vlan voice-vlan;
            forwarding-class assured-forwarding;
        }
    }
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying LLDP-MED Configuration on page 696

Verifying 802.1X Authentication for IP Phone and Desktop PC on page 697

Verifying the VLAN Association with the Interface on page 698

Verifying LLDP-MED Configuration

Purpose

Verify that LLDP-MED is enabled on the interface.

Action

user@switch> show lldp detail
LLDP                    : Enabled
Advertisement interval  : 30 Second(s)
Transmit delay          : 2 Second(s)
Hold timer              : 2 Second(s)
Config Trap Interval    : 300 Second(s)
Connection Hold timer   : 60 Second(s)
LLDP MED                : Enabled
MED fast start count    : 3 Packet(s)

Interface      LLDP       LLDP-MED   Neighbor count
all            Enabled               0
ge-0/0/2.0                Enabled    0

Interface      VLAN-id    VLAN-name
ge-0/0/0.0     0          default
ge-0/0/1.0     0          employee-vlan
ge-0/0/2.0     0          data-vlan
ge-0/0/2.0     99         voice-vlan
ge-0/0/3.0     0          employee-vlan
ge-0/0/8.0     0          employee-vlan
ge-0/0/10.0    0          default
ge-0/0/11.0    20         employee-vlan
ge-0/0/11.0    0          __juniper-vlan_internal__
ge-0/0/23.0    0          default

LLDP basic TLVs supported:
Chassis identifier, Port identifier, Port description, System name, System description, System capabilities, Management address.
LLDP 802 TLVs supported:
Power via MDI, Link aggregation, Maximum frame size, Port VLAN tag, Port VLAN name.
LLDP MED TLVs supported:
LLDP MED capabilities, Network policy, Endpoint location, Extended power Via MDI.

Meaning

The show lldp detail output shows that both LLDP and LLDP-MED are configured on the ge-0/0/2.0 interface. The end of the output lists the supported LLDP basic TLVs, 802.3 TLVs, and LLDP-MED TLVs.

Verifying 802.1X Authentication for IP Phone and Desktop PC

Purpose

Display the 802.1X configuration to confirm that the VoIP interface has access to the LAN.

Action

user@switch> show dot1x interface ge-0/0/2.0 detail
ge-0/0/2.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Number of connected supplicants: 1
Supplicant: abc, 00:00:00:00:22:22
Operational state: Authenticated
Reauthentication due in 3588 seconds

Meaning

The Role field shows that the ge-0/0/2.0 interface is acting as the authenticator. The Supplicant mode field shows that the interface is configured in multiple supplicant mode, permitting multiple supplicants to be authenticated on this interface. The MAC addresses of the supplicants currently connected are displayed at the bottom of the output.

Verifying the VLAN Association with the Interface


Purpose

Display the interface state and VLAN membership.

Action

user@switch> show ethernet-switching interfaces
Ethernet-switching table: 0 entries, 0 learned
user@switch> show ethernet-switching interfaces
Interface      State   VLAN members     Blocking
ge-0/0/0.0     down    default          unblocked
ge-0/0/1.0     down    employee-vlan    unblocked
ge-0/0/5.0     down    employee-vlan    unblocked
ge-0/0/3.0     down    employee-vlan    unblocked
ge-0/0/8.0     down    employee-vlan    unblocked
ge-0/0/10.0    down    default          unblocked
ge-0/0/11.0    down    employee-vlan    unblocked
ge-0/0/23.0    down    default          unblocked
ge-0/0/2.0     up      voice-vlan       unblocked
                       data-vlan        unblocked

Meaning

The VLAN members field shows that the ge-0/0/2.0 interface supports both the data-vlan VLAN and the voice-vlan VLAN. The State field shows that the interface is up.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 670

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 685

Defining CoS Forwarding Classes (CLI Procedure) on page 1036

Defining CoS Forwarding Classes (J-Web Procedure) on page 1037

Configuring LLDP-MED (CLI Procedure) on page 766

Example: Configuring VoIP on an EX-series Switch Without Including 802.1X Authentication
You can configure voice over IP (VoIP) on an EX-series switch to support IP telephones. VoIP is a protocol used for the transmission of voice through packet-switched networks. VoIP transmits voice calls using a network connection instead of an analog phone line.
To configure VoIP on an EX-series switch to support an IP phone that does not support
802.1X authentication, you must add the MAC address of the phone as a static entry
in the authenticator database.
This example describes how to configure VoIP on an EX-series switch without 802.1X
authentication:

Requirements on page 699

Overview on page 699

Configuration on page 700

Verification on page 702

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.1 or later for EX-series switches

An IP telephone without 802.1X authentication

Before you configure VoIP, be sure you have:

Installed your EX-series switch. See Installing and Connecting an EX-series Switch.

Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.

Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369.

Configured the RADIUS server for 802.1X authentication and set up the access
profile. See Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch on page 670.

Configured interface ge-0/0/2 for Power over Ethernet (PoE). For information
about configuring PoE, see Configuring PoE (CLI Procedure) on page 1099.

NOTE: The PoE configuration is not necessary if the VoIP supplicant is using a power
adapter.

Overview
Instead of using a regular telephone, you connect an IP telephone directly to the
switch. An IP phone has all the hardware and software needed to handle VoIP. You
also can power an IP telephone by connecting it to one of the Power over Ethernet
(PoE) interfaces on the switch.
In this example, the access interface ge-0/0/2 on the EX 4200 switch is connected
to a non-802.1X IP phone.

To configure VoIP on an EX-series switch to support an IP phone that does not support
802.1X authentication, add the MAC address of the phone as a static entry in the
authenticator database and set the supplicant mode to multiple.

Configuration
To configure VoIP without 802.1X authentication:
CLI Quick Configuration

To quickly configure VoIP, copy the following commands and paste them into the
switch terminal window:
[edit]
set vlans data-vlan vlan-id 77
set vlans voice-vlan vlan-id 99
set vlans data-vlan interface ge-0/0/2.0
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set ethernet-switching-options voip interface ge-0/0/2.0 vlan voice-vlan
set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class assured-forwarding
set protocols lldp-med interface ge-0/0/2.0
set protocols dot1x authenticator authentication-profile-name auth-profile
set protocols dot1x authenticator static 00:04:f2:11:aa:a7
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple

Step-by-Step Procedure

To configure VoIP without 802.1X:

1. Configure the VLANs for voice and data:

[edit vlans]
user@switch# set data-vlan vlan-id 77
user@switch# set voice-vlan vlan-id 99

2. Associate the VLAN data-vlan with the interface:

[edit vlans]
user@switch# set data-vlan interface ge-0/0/2.0

3. Configure the interface as an access interface, configure support for Ethernet switching, and add the data-vlan VLAN:

[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members data-vlan
user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access

4. Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable class of service:

[edit ethernet-switching-options]
user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
user@switch# set voip interface ge-0/0/2.0 forwarding-class assured-forwarding

5. Configure LLDP-MED protocol support:

[edit protocols]
user@switch# set lldp-med interface ge-0/0/2.0

6. Set the authentication profile (see Configuring 802.1X Authentication (CLI Procedure) on page 756 and Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761):

[edit protocols]
user@switch# set dot1x authenticator authentication-profile-name auth-profile

7. Specify the MAC address of the phone:

[edit protocols]
user@switch# set dot1x authenticator static 00:04:f2:11:aa:a7

8. Set the supplicant mode to multiple:

[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant multiple

Results

Display the results of the configuration:


[edit]
user@switch# show configuration
interfaces {
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members data-vlan;
                }
            }
        }
    }
}
protocols {
    lldp-med {
        interface ge-0/0/2.0;
    }
    dot1x {
        authenticator {
            authentication-profile-name auth-profile;
            static {
                00:04:f2:11:aa:a7;
            }
            interface {
                ge-0/0/2.0 {
                    supplicant multiple;
                }
            }
        }
    }
}
vlans {
    data-vlan {
        vlan-id 77;
        interface {
            ge-0/0/2.0;
        }
    }
    voice-vlan {
        vlan-id 99;
    }
}
ethernet-switching-options {
    voip {
        interface ge-0/0/2.0 {
            vlan voice-vlan;
            forwarding-class assured-forwarding;
        }
    }
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying LLDP-MED Configuration on page 702

Verifying Authentication for the Desktop PC on page 703

Verifying the VLAN Association with the Interface on page 703

Verifying LLDP-MED Configuration

Purpose

Verify that LLDP-MED is enabled on the interface.

Action

user@switch> show lldp detail
LLDP                    : Enabled
Advertisement interval  : 30 Second(s)
Transmit delay          : 2 Second(s)
Hold timer              : 2 Second(s)
Config Trap Interval    : 300 Second(s)
Connection Hold timer   : 60 Second(s)
LLDP MED                : Enabled
MED fast start count    : 3 Packet(s)

Interface      LLDP       LLDP-MED   Neighbor count
all            Enabled               0
ge-0/0/2.0                Enabled    0

Interface      VLAN-id    VLAN-name
ge-0/0/0.0     0          default
ge-0/0/1.0     0          employee-vlan
ge-0/0/2.0     0          data-vlan
ge-0/0/2.0     99         voice-vlan
ge-0/0/3.0     0          employee-vlan
ge-0/0/8.0     0          employee-vlan
ge-0/0/10.0    0          default
ge-0/0/11.0    20         employee-vlan
ge-0/0/11.0    0          __juniper-vlan_internal__
ge-0/0/23.0    0          default

LLDP basic TLVs supported:
Chassis identifier, Port identifier, Port description, System name, System description, System capabilities, Management address.
LLDP 802 TLVs supported:
Power via MDI, Link aggregation, Maximum frame size, Port VLAN tag, Port VLAN name.
LLDP MED TLVs supported:
LLDP MED capabilities, Network policy, Endpoint location, Extended power Via MDI.

Meaning

The show lldp detail output shows that both LLDP and LLDP-MED are configured on the ge-0/0/2.0 interface. The end of the output lists the supported LLDP basic TLVs, 802.3 TLVs, and LLDP-MED TLVs.

Verifying Authentication for the Desktop PC


Purpose

Display the 802.1X configuration for the desktop PC connected to the VoIP interface
through the IP phone.

Action

user@switch> show dot1x interface ge-0/0/2.0 detail
ge-0/0/2.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled
Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Number of connected supplicants: 1
Supplicant: abc, 00:00:00:00:22:22
Operational state: Authenticated
Reauthentication due in 3588 seconds

Meaning

The Role field shows that the ge-0/0/2.0 interface is acting as the authenticator. The
Supplicant mode field shows that the interface is configured in multiple supplicant
mode, permitting more than one supplicant to be authenticated on this interface. The
supplicants currently connected are listed at the bottom of the output with their
usernames, MAC addresses, and operational state; here the desktop PC (supplicant
abc) is Authenticated.

Verifying the VLAN Association with the Interface


Purpose

Display the interface state and VLAN membership.

Action

user@switch> show ethernet-switching interfaces
Interface      State   VLAN members     Blocking
ge-0/0/0.0     down    default          unblocked
ge-0/0/1.0     down    employee-vlan    unblocked
ge-0/0/5.0     down    employee-vlan    unblocked
ge-0/0/3.0     down    employee-vlan    unblocked
ge-0/0/8.0     down    employee-vlan    unblocked
ge-0/0/10.0    down    default          unblocked
ge-0/0/11.0    down    employee-vlan    unblocked
ge-0/0/23.0    down    default          unblocked
ge-0/0/2.0     up      voice-vlan       unblocked
                       data-vlan        unblocked

Meaning

The VLAN members field shows that the ge-0/0/2.0 interface carries both the data-vlan
and voice-vlan VLANs. The State field shows that the interface is up.

Related Topics

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch

Example: Configuring VoIP on an EX-series Switch Without Including LLDP-MED Support on page 704

Understanding 802.1X and VoIP on EX-series Switches on page 652

Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

Example: Configuring VoIP on an EX-series Switch Without Including LLDP-MED Support
You can configure voice over IP (VoIP) on an EX-series switch to support IP telephones.
VoIP carries voice calls as packets over an IP network instead of over a dedicated
analog phone line.
The Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) protocol
is sometimes used with IP phones to forward VoIP parameters from the switch to
the phone. Not all IP phones support LLDP-MED, however.

NOTE: Because this configuration without LLDP-MED requires you to set the port
mode to trunk, 802.1X authentication cannot be enabled.
This example describes how to configure VoIP on an EX-series switch without
LLDP-MED and without 802.1X:

Requirements on page 705

Overview on page 705

Configuration on page 705

Verification on page 707

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.1 or later for EX-series switches.

One EX 4200 switch. (Because 802.1X is not used in this example, the switch does
not act as an authenticator port access entity (PAE), and no interface is gated by
authentication.)

A non-LLDP-MED IP phone.

Before you configure VoIP, be sure you have:

Installed your EX-series switch. See Installing and Connecting an EX-series Switch.

Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure) on page 58.

Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX-series Switch on page 369.

Configured the IP phone as a member of the voice VLAN.

Configured interface ge-0/0/2 for Power over Ethernet (PoE). See Configuring
PoE (CLI Procedure) on page 1099.

NOTE: The PoE configuration is not necessary if the IP phone is powered by its own
power adapter.

Overview
Instead of using a regular telephone, you connect an IP telephone directly to the
switch. An IP phone has all the hardware and software needed to handle VoIP. You
also can power an IP telephone by connecting it to one of the Power over Ethernet
(PoE) interfaces on the switch.
To configure VoIP on an EX-series switch to support an IP phone that does not support
LLDP-MED, set the mode of the port (to which you want to connect the IP phone) to
trunk, add the port as a member of the voice VLAN, and configure the data VLAN as
the native VLAN on the EX-series switch. Frames the phone tags with the voice VLAN
ID are switched in the voice VLAN, and untagged frames (for example, from a PC
connected through the phone) are placed in the native data VLAN, so voice traffic
and data traffic are kept in separate VLANs and do not affect each other.
In this example, the trunk interface ge-0/0/2 on the EX 4200 switch is connected to
a non-LLDP-MED IP phone.
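The classification the Overview describes can be shown on actual frames. The following Python script is an added example, not code from the Juniper guide or from the switch: it builds Ethernet frames with and without an 802.1Q tag, parses the tag, and places each frame in a VLAN the way a trunk port with a native VLAN does, using the example's numbers (voice-vlan 99 as a tagged member, data-vlan 77 as native). The frame builder, the MAC addresses, and the rule that a frame tagged with any other VLAN ID is dropped are assumptions made for the illustration.

```python
"""Model of 802.1Q frame classification on a trunk port with a native VLAN.

Added example, not code from the Juniper guide. VLAN numbers follow the
example (voice-vlan 99 tagged, data-vlan 77 native); the frame builder and
the MAC addresses are constructed test data.
"""
import struct
from typing import Dict, Optional, Tuple

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Port configuration mirroring ge-0/0/2 in the example (assumed layout):
# tagged members by VLAN ID, plus the native VLAN that receives untagged frames.
TRUNK_PORT = {
    "members": {99: "voice-vlan"},
    "native": (77, "data-vlan"),
}

PHONE_MAC = bytes.fromhex("00aabbccdd01")   # constructed
PC_MAC = bytes.fromhex("00aabbccdd02")      # constructed
BROADCAST = b"\xff" * 6


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame; add an 802.1Q tag when vlan_id is given."""
    frame = dst + src
    if vlan_id is not None:
        # TCI = PCP (3 bits) | DEI (1 bit, 0 here) | VID (12 bits)
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
        frame += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tag(frame: bytes) -> Optional[Tuple[int, int]]:
    """Return (vlan_id, pcp) for a tagged frame, or None if the frame is untagged."""
    if len(frame) < 18:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_VLAN:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, tci >> 13


def classify(frame: bytes, port: Dict = TRUNK_PORT) -> Optional[str]:
    """Return the VLAN the trunk places the frame in, or None if it is dropped.

    Untagged and priority-tagged (VID 0) frames land in the native VLAN; frames
    tagged with a member VLAN go to that VLAN; any other tag is dropped. The
    last rule (including a tag that carries the native VLAN ID) is a modelling
    choice here, not a statement about a particular platform.
    """
    _, native_name = port["native"]
    tag = parse_tag(frame)
    if tag is None or tag[0] == 0:
        return native_name
    return port["members"].get(tag[0])


def demo() -> Dict[str, Optional[str]]:
    """Classify three constructed frames the way the phone port would see them."""
    payload = b"\x00" * 46
    return {
        "phone voice (tag 99, PCP 5)": classify(build_frame(BROADCAST, PHONE_MAC, payload, 99, 5)),
        "pc data (untagged)": classify(build_frame(BROADCAST, PC_MAC, payload)),
        "stray tag 20": classify(build_frame(BROADCAST, PC_MAC, payload, 20)),
    }


if __name__ == "__main__":
    for name, vlan in demo().items():
        print(f"{name:32s} -> {vlan or 'dropped'}")
```

Run it directly to see the tagged voice frame land in voice-vlan, the untagged frame from the PC land in data-vlan, and the frame tagged 20 dropped. The point for an access-layer review: whatever a device behind the phone sends untagged ends up in the native VLAN, so the native VLAN on a phone port should be the data VLAN intended for that device and nothing more privileged.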

Configuration
To configure VoIP without LLDP-MED or 802.1X authentication:
CLI Quick Configuration

To quickly configure VoIP, copy the following commands and paste them into the
switch terminal window:

[edit]
set vlans data-vlan vlan-id 77
set vlans voice-vlan vlan-id 99
set vlans data-vlan interface ge-0/0/2.0
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members voice-vlan
set interfaces ge-0/0/2 unit 0 family ethernet-switching native-vlan-id data-vlan

Step-by-Step Procedure

Configure VoIP:

1. Configure the VLANs for data and voice:

[edit vlans]
user@switch# set data-vlan vlan-id 77
user@switch# set voice-vlan vlan-id 99

2. Configure the VLAN data-vlan on the interface:

[edit vlans]
user@switch# set data-vlan interface ge-0/0/2.0

3. Set the port mode to trunk:

[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode trunk

4. Add the interface as a member of the voice VLAN:

[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members voice-vlan

5. Configure data-vlan as the native VLAN of this trunk interface:

[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching native-vlan-id data-vlan

Results

Display the results of the configuration:


[edit]
user@switch# show
interfaces {
ge-0/0/2 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members voice-vlan;
}
native-vlan-id data-vlan;
}
}
}
}
vlans {
data-vlan {
vlan-id 77;
interface {
ge-0/0/2.0;
}
}
voice-vlan {
vlan-id 99;
}
}

Verification
To confirm that the configuration is working properly, perform the following task:

Verifying the VLAN Association With the Interface on page 707

Verifying the VLAN Association With the Interface


Purpose

Display the interface state and VLAN membership.

Action

user@switch> show ethernet-switching interfaces
Interface      State   VLAN members     Blocking
ge-0/0/0.0     down    default          unblocked
ge-0/0/1.0     down    employee-vlan    unblocked
ge-0/0/5.0     down    employee-vlan    unblocked
ge-0/0/3.0     down    employee-vlan    unblocked
ge-0/0/8.0     down    employee-vlan    unblocked
ge-0/0/10.0    down    default          unblocked
ge-0/0/11.0    down    employee-vlan    unblocked
ge-0/0/23.0    down    default          unblocked
ge-0/0/2.0     up      voice-vlan       unblocked
                       data-vlan        unblocked

Meaning

The VLAN members field shows that the ge-0/0/2.0 interface carries both the data-vlan
and voice-vlan VLANs. The State field shows that the interface is up.

Related Topics

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch

Example: Configuring VoIP on an EX-series Switch Without Including 802.1X Authentication on page 698

Understanding 802.1X and VoIP on EX-series Switches on page 652

Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and
MAC Move Limiting, on an EX-series Switch
You can configure DHCP snooping, dynamic ARP inspection (DAI), MAC limiting,
and MAC move limiting on the access ports of EX-series switches to protect the switch
and the Ethernet LAN against address spoofing and Layer 2 denial-of-service (DoS)
attacks. You can also configure a trusted DHCP server and specific (allowed) MAC
addresses for the switch interfaces.
This example describes how to configure basic port security features (DHCP snooping,
DAI, MAC limiting, and MAC move limiting), together with a trusted DHCP server
interface and allowed MAC addresses, on a switch. The DHCP server and its clients
are all members of a single VLAN on the switch.

Requirements on page 708

Overview and Topology on page 708

Configuration on page 710

Verification on page 711

Requirements
This example uses the following hardware and software components:

One EX-series EX 3200-24P switch

JUNOS Release 9.0 or later for EX-series switches

A DHCP server to provide IP addresses to network devices on the switch

Before you configure DHCP snooping, DAI, and MAC limiting port security features,
be sure you have:

Connected the DHCP server to the switch.

Configured the VLAN employee-vlan on the switch. See Example: Setting Up
Bridging with Multiple VLANs for EX-series Switches on page 376.

Overview and Topology


Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
To protect the devices from such attacks, you can configure DHCP snooping to
validate DHCP server messages and build a database of address bindings, DAI to
protect against ARP spoofing by checking ARP packets against that database, and
MAC limiting to constrain the number of MAC addresses the switch adds to its MAC
address cache.
This example shows how to configure these security features on an EX 3200-24P
switch. The switch is connected to a DHCP server.
The setup for this example includes the VLAN employee-vlan on the switch. The
procedure for creating that VLAN is described in the topic Example: Setting Up
Bridging with Multiple VLANs for EX-series Switches on page 376. That procedure is
not repeated here. Figure 40 on page 730 illustrates the topology for this example.

Figure 40: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 99 on page 730.
Table 99: Components of the Port Security Topology

Properties                     Settings
Switch hardware                One EX 3200-24P, 24 ports (8 PoE ports)
VLAN name and ID               employee-vlan, tag 20
VLAN subnets                   192.0.2.16/28 (usable addresses 192.0.2.17 through 192.0.2.30;
                               192.0.2.31 is the subnet's broadcast address)
Interfaces in employee-vlan    ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
Interface for DHCP server      ge-0/0/8

In this example, the switch is initially configured with the default port security setup.
In the default configuration on the switch:

Secure port access is activated on the switch.

A dynamic limit on the maximum number of MAC add
resses to be learned per port by
the switch is already set in the default configuration. The default limit is 5.

The switch does not drop any packets, which is the default setting.

DHCP snooping and DAI are disabled on all VLANs.

All access ports are untrusted and all trunk ports are trusted for DHCP snooping,
which is the default setting.

In the configuration tasks for this example, you set the DHCP server first as untrusted
and then as trusted; you enable DHCP snooping, DAI, and MAC move limiting on a
VLAN; you modify the value for MAC limit; and you configure some specific (allowed)
MAC addresses on an interface.

Configuration
To configure basic port security on a switch whose DHCP server and client ports are
in a single VLAN:
CLI Quick Configuration

To quickly configure basic port security on the switch, copy the following commands
and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/1 mac-limit 4 action drop
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88
set interface ge-0/0/2 mac-limit 4 action drop
set interface ge-0/0/8 dhcp-trusted
set vlan employee-vlan arp-inspection
set vlan employee-vlan examine-dhcp
set vlan employee-vlan mac-move-limit 5 action drop

Step-by-Step Procedure

Configure basic port security on the switch:


1. Enable DHCP snooping on the VLAN:

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan examine-dhcp

2. Specify the interface (port) from which DHCP responses are allowed:

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 dhcp-trusted

3. Enable dynamic ARP inspection (DAI) on the VLAN:

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan arp-inspection

4. Configure a MAC limit of 4 and specify that packets with new addresses be
dropped once the limit has been exceeded on the interfaces:

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 4 action drop
user@switch# set interface ge-0/0/2 mac-limit 4 action drop

5. Configure a MAC move limit of 5 and specify that packets with new addresses be
dropped once the limit has been exceeded on the VLAN:

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan mac-move-limit 5 action drop

6. Configure the allowed MAC addresses:

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88

Results

Check the results of the configuration:


[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/1.0 {
mac-limit 4 action drop;
}
interface ge-0/0/2.0 {
allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 00:05:85:3a:82:83
00:05:85:3a:82:85 00:05:85:3a:82:88 ];
mac-limit 4 action drop;
}
interface ge-0/0/8.0 {
dhcp-trusted;
}
vlan employee-vlan {
arp-inspection;
examine-dhcp;
mac-move-limit 5 action drop;
}

Verification
To confirm that the configuration is working properly:

Verifying That DHCP Snooping Is Working Correctly on the Switch on page 711

Verifying That DAI Is Working Correctly on the Switch on page 712

Verifying That MAC Limiting and MAC Move Limiting Are Working Correctly on
the Switch on page 713

Verifying That Allowed MAC Addresses Are Working Correctly on the Switch on page 714

Verifying That DHCP Snooping Is Working Correctly on the Switch


Purpose

Verify that DHCP snooping is working on the switch.

Action

Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the interface on which the DHCP
server connects to the switch is trusted. The following output results when requests
are sent from the MAC addresses and the server has provided the IP addresses and
leases:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address         IP Address    Lease   Type      VLAN            Interface
-----------------   -----------   -----   -------   -------------   ----------
00:05:85:3A:82:77   192.0.2.17    600     dynamic   employee-vlan   ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18    653     dynamic   employee-vlan   ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19    720     dynamic   employee-vlan   ge-0/0/2.0
00:05:85:3A:82:81   192.0.2.20    932     dynamic   employee-vlan   ge-0/0/2.0
00:05:85:3A:82:83   192.0.2.21    1230    dynamic   employee-vlan   ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22    3200    dynamic   employee-vlan   ge-0/0/2.0

Meaning

When the interface on which the DHCP server connects to the switch has been set
to trusted, the output (see preceding sample) shows, for each MAC address, the
assigned IP address and lease timethat is, the time, in seconds, remaining before
the lease expires.
If the DHCP server interface had been configured as untrusted, the output would look
like this:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address         IP Address    Lease   Type      VLAN            Interface
-----------------   -----------   -----   -------   -------------   ----------
00:05:85:3A:82:77   0.0.0.0       -       dynamic   employee-vlan   ge-0/0/1.0
00:05:85:3A:82:79   0.0.0.0       -       dynamic   employee-vlan   ge-0/0/1.0
00:05:85:3A:82:80   0.0.0.0       -       dynamic   employee-vlan   ge-0/0/2.0
00:05:85:3A:82:81   0.0.0.0       -       dynamic   employee-vlan   ge-0/0/2.0
00:05:85:3A:82:83   0.0.0.0       -       dynamic   employee-vlan   ge-0/0/2.0
00:05:85:27:32:88   0.0.0.0       -       dynamic   employee-vlan   ge-0/0/2.0

In the preceding output sample, no IP addresses or lease times are assigned because
the switch drops DHCP server replies that arrive on an untrusted interface, so the
clients' requests are never answered. The database still records the clients' MAC
addresses, but with no assigned IP address (hence the 0.0.0.0 content in the IP
Address column) and no lease (the lease time is shown as a dash in the Lease column).

Verifying That DAI Is Working Correctly on the Switch


Purpose

Verify that DAI is working on the switch.

Action

Send some ARP requests from network devices connected to the switch.
Display the DAI information:
user@switch> show arp inspection statistics
ARP inspection statistics:
Interface        Packets received   ARP inspection pass   ARP inspection failed
---------------  -----------------  --------------------  ---------------------
ge-0/0/1.0       7                  5                     2
ge-0/0/2.0       10                 10                    0
ge-0/0/3.0       12                 12                    0

Meaning

The sample output shows the number of ARP packets received and inspected per
interface, with a listing of how many packets passed and how many failed the
inspection on each interface. The switch compares the ARP requests and replies
against the entries in the DHCP snooping database. If a MAC address or IP address
in the ARP packet does not match a valid entry in the database, the packet is dropped.
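The following Python script is an added example, not code from the Juniper guide: it parses the show dhcp snooping binding output shown above into binding records, recognizes the untrusted-server symptom (every client at 0.0.0.0 with no lease), and applies the DAI rule just described to a set of ARP packets, producing per-interface received/pass/failed counts in the shape of show arp inspection statistics. The binding rows are taken from the example output; the second (untrusted) sample, the ARP packets, and the choice to validate on VLAN plus sender MAC/IP are constructed for the illustration.

```python
"""Parse DHCP snooping bindings and apply the DAI check to ARP packets.

Added example, not code from the Juniper guide. The binding rows follow the
example's output; the ARP packets and the untrusted-server sample are
constructed test data.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

TRUSTED_OUTPUT = """\
DHCP Snooping Information:
MAC Address         IP Address    Lease   Type      VLAN            Interface
-----------------   -----------   -----   -------   -------------   ----------
00:05:85:3A:82:77   192.0.2.17    600     dynamic   employee-vlan   ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18    653     dynamic   employee-vlan   ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19    720     dynamic   employee-vlan   ge-0/0/2.0
00:05:85:3A:82:81   192.0.2.20    932     dynamic   employee-vlan   ge-0/0/2.0
00:05:85:3A:82:83   192.0.2.21    1230    dynamic   employee-vlan   ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22    3200    dynamic   employee-vlan   ge-0/0/2.0
"""

# Constructed: the same clients when the server's port is untrusted.
UNTRUSTED_OUTPUT = """\
DHCP Snooping Information:
MAC Address         IP Address    Lease   Type      VLAN            Interface
00:05:85:3A:82:77   0.0.0.0       -       dynamic   employee-vlan   ge-0/0/1.0
00:05:85:3A:82:79   0.0.0.0       -       dynamic   employee-vlan   ge-0/0/1.0
"""

ROW = re.compile(
    r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: str        # seconds remaining, or "-" when no lease was granted
    vlan: str
    interface: str


def parse_bindings(text: str) -> List[Binding]:
    """Extract one Binding per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mac, ip, lease, _type, vlan, ifc = m.groups()
            rows.append(Binding(mac.lower(), ip, lease, vlan, ifc))
    return rows


def server_looks_untrusted(bindings: Iterable[Binding]) -> bool:
    """True when every client sits at 0.0.0.0 with no lease: the server's replies
    arrived on an untrusted port and were dropped, so nobody was ever served."""
    rows = list(bindings)
    return bool(rows) and all(b.ip == "0.0.0.0" and b.lease == "-" for b in rows)


def inspect_arp(bindings: Iterable[Binding], packets: Iterable[Dict]) -> Dict[str, Dict[str, int]]:
    """DAI as the guide describes it: an ARP packet passes only if its sender
    MAC/IP pair is a valid binding in the VLAN it arrived on; otherwise it fails
    (and the switch would drop it). Returns per-interface counters."""
    valid = {(b.vlan, b.mac, b.ip) for b in bindings if b.ip != "0.0.0.0"}
    stats: Dict[str, Dict[str, int]] = {}
    for p in packets:
        s = stats.setdefault(p["interface"], {"received": 0, "pass": 0, "failed": 0})
        s["received"] += 1
        ok = (p["vlan"], p["sender_mac"].lower(), p["sender_ip"]) in valid
        s["pass" if ok else "failed"] += 1
    return stats


def sample_arp_packets() -> List[Dict]:
    """Constructed traffic on ge-0/0/1.0: five legitimate ARPs, one client claiming
    an IP it was never leased, and one MAC with no binding at all."""
    def arp(mac, ip):
        return {"vlan": "employee-vlan", "interface": "ge-0/0/1.0",
                "sender_mac": mac, "sender_ip": ip}
    return ([arp("00:05:85:3a:82:77", "192.0.2.17")] * 3
            + [arp("00:05:85:3a:82:79", "192.0.2.18")] * 2
            + [arp("00:05:85:3a:82:77", "192.0.2.30"),      # IP spoof
               arp("00:05:85:de:ad:01", "192.0.2.19")])     # unknown host


if __name__ == "__main__":
    b = parse_bindings(TRUSTED_OUTPUT)
    print("bindings:", len(b), "untrusted-server symptom:", server_looks_untrusted(b))
    for ifc, s in inspect_arp(b, sample_arp_packets()).items():
        print(f"{ifc}: received={s['received']} pass={s['pass']} failed={s['failed']}")
```

Run it to see ge-0/0/1.0 report 7 received, 5 passed, 2 failed: the two failures are a client asserting an IP it was never leased and a MAC with no binding at all, which is exactly the traffic DAI exists to drop. Feeding it real output from the switch is a quick way to check whether a DAI failure count corresponds to a host with no binding rather than to a host whose lease simply expired.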

Verifying That MAC Limiting and MAC Move Limiting Are Working Correctly on the Switch

Purpose

Verify that MAC limiting and MAC move limiting are working on the switch.

Action

Suppose that two DHCP requests have been sent from hosts on ge-0/0/1 and five
DHCP requests from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 4
with the action drop.
Display the MAC addresses learned:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 6 learned
VLAN             MAC address         Type    Age   Interfaces
employee-vlan    *                   Flood   -     ge-0/0/2.0
employee-vlan    00:05:85:3A:82:77   Learn   0     ge-0/0/1.0
employee-vlan    00:05:85:3A:82:79   Learn   0     ge-0/0/1.0
employee-vlan    00:05:85:3A:82:80   Learn   0     ge-0/0/2.0
employee-vlan    00:05:85:3A:82:81   Learn   0     ge-0/0/2.0
employee-vlan    00:05:85:3A:82:83   Learn   0     ge-0/0/2.0
employee-vlan    00:05:85:3A:82:85   Learn   0     ge-0/0/2.0

Note that one of the MAC addresses on ge-0/0/2 was not learned because the limit
of 4 MAC addresses for that interface had been exceeded.
Now suppose that DHCP requests have been sent from two of the hosts on ge-0/0/2
after they have been moved to other interfaces more than 5 times in 1 second, with
employee-vlan set to a MAC move limit of 5 with the action drop.
Display the MAC addresses in the table:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 4 learned
VLAN             MAC address         Type    Age   Interfaces
employee-vlan    *                   Flood   -     ge-0/0/2.0
employee-vlan    00:05:85:3A:82:77   Learn   0     ge-0/0/1.0
employee-vlan    00:05:85:3A:82:79   Learn   0     ge-0/0/1.0
employee-vlan    00:05:85:3A:82:80   Learn   0     ge-0/0/2.0
employee-vlan    00:05:85:3A:82:81   Learn   0     ge-0/0/2.0
employee-vlan    *                   Flood   -     ge-0/0/2.0
employee-vlan    *                   Flood   -     ge-0/0/2.0

Meaning

The first sample output shows that with a MAC limit of 4 for each interface, the DHCP
request for a fifth MAC address on ge-0/0/2 was dropped because it exceeded the
MAC limit. The second sample output shows that DHCP requests from two of the hosts
on ge-0/0/2 were dropped, and their entries unlearned, after the hosts had been moved
back and forth between interfaces more than 5 times in one second.

Verifying That Allowed MAC Addresses Are Working Correctly on the Switch
Purpose

Verify that allowed MAC addresses are working on the switch.

Action

Display the MAC cache information after 5 allowed MAC addresses have been
configured on interface ge-0/0/2:
user@switch> show ethernet-switching table
Ethernet-switching table: 5 entries, 4 learned
VLAN             MAC address         Type    Age   Interfaces
employee-vlan    00:05:85:3A:82:80   Learn   0     ge-0/0/2.0
employee-vlan    00:05:85:3A:82:81   Learn   0     ge-0/0/2.0
employee-vlan    00:05:85:3A:82:83   Learn   0     ge-0/0/2.0
employee-vlan    00:05:85:3A:82:85   Learn   0     ge-0/0/2.0
employee-vlan    *                   Flood   -     ge-0/0/2.0

Meaning

Because the MAC limit value for this interface has been set to 4, only 4 of the 5
configured allowed addresses are learned.

Related Topics

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 732

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 718

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 729

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 714

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 721

Configuring Port Security (CLI Procedure) on page 768

Configuring Port Security (J-Web Procedure) on page 769

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses,
to Protect the Switch from Ethernet Switching Table Overflow Attacks
In an Ethernet switching table overflow attack, an intruder sends so many frames
from new source MAC addresses that the Ethernet switching table fills up and then
overflows. Once the switch can no longer learn addresses, it floods frames for
unknown destinations out of all ports, exposing other hosts' traffic to the attacker.

This example describes how to configure MAC limiting and allowed MAC addresses,
two port security features, to protect the switch from Ethernet switching table attacks:

Requirements on page 715

Overview and Topology on page 715

Configuration on page 717

Verification on page 717

Requirements
This example uses the following hardware and software components:

One EX 3200-24P switch

JUNOS Release 9.0 or later for EX-series switches

A DHCP server to provide IP addresses to network devices on the switch

Before you configure specific port security features to mitigate common
access-interface attacks, be sure you have:

Connected the DHCP server to the switch.

Configured the VLAN employee-vlan on the switch. See Example: Setting Up
Bridging with Multiple VLANs for EX-series Switches on page 376.

Overview and Topology


Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
This example describes how to protect the switch from an attack on the Ethernet
switching table that causes the table to overflow and thus forces the switch to
broadcast all messages.
This example shows how to configure port security features on an EX 3200-24P
switch. The switch is connected to a DHCP server.
The setup for this example includes the VLAN employee-vlan on the switch. The
procedure for creating that VLAN is described in the topic Example: Setting Up
Bridging with Multiple VLANs for EX-series Switches on page 376. That procedure is
not repeated here. Figure 41 illustrates the topology for this example.

Figure 41: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 100.
Table 100: Components of the Port Security Topology

Properties                     Settings
Switch hardware                One EX 3200-24P, 24 ports (8 PoE ports)
VLAN name and ID               employee-vlan, tag 20
VLAN subnets                   192.0.2.16/28 (usable addresses 192.0.2.17 through 192.0.2.30;
                               192.0.2.31 is the subnet's broadcast address)
Interfaces in employee-vlan    ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
Interface for DHCP server      ge-0/0/8

In this example, use the MAC limit feature to control the total number of MAC
addresses that can be added to the Ethernet switching table for the specified interface.
Use the allowed MAC addresses feature to ensure that the addresses of network
devices whose network access is critical are guaranteed to be included in the Ethernet
switching table.
In this example, the switch has already been configured as follows:

Secure port access is activated on the switch.

No MAC limit is set on any of the interfaces.

All access interfaces are untrusted, which is the default setting.

Configuration
To configure MAC limiting and some allowed MAC addresses to protect the switch
against Ethernet switching table overflow attacks:
CLI Quick Configuration

To quickly configure MAC limiting and some allowed MAC addresses, copy the
following commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/1 mac-limit 4 action drop
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85

Step-by-Step Procedure

Configure MAC limiting and some allowed MAC addresses:

1. Configure a MAC limit of 4 on ge-0/0/1 and specify that incoming packets with
different addresses be dropped once the limit is exceeded on the interface:

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 4 action drop

2. Configure the allowed MAC addresses on ge-0/0/2:

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85

Results

Check the results of the configuration:


[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/1.0 {
mac-limit 4 action drop;
}
interface ge-0/0/2.0 {
allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 00:05:85:3a:82:83 00:05:85:3a:82:85 ];
}

Verification
To confirm that the configuration is working properly:

Verifying That MAC Limiting Is Working Correctly on the Switch on page 718

Verifying That MAC Limiting Is Working Correctly on the Switch


Purpose

Verify that MAC limiting is working on the switch.

Action

Display the MAC cache information after DHCP requests have been sent from five
hosts on ge-0/0/1, with the interface set to a MAC limit of 4 with the action drop,
and after four allowed MAC addresses have been configured on interface ge-0/0/2:
user@switch> show ethernet-switching table
Ethernet-switching table: 10 entries, 8 learned
VLAN             MAC address         Type    Age   Interfaces
employee-vlan    00:05:85:3A:82:71   Learn   0     ge-0/0/1.0
employee-vlan    00:05:85:3A:82:74   Learn   0     ge-0/0/1.0
employee-vlan    00:05:85:3A:82:77   Learn   0     ge-0/0/1.0
employee-vlan    00:05:85:3A:82:79   Learn   0     ge-0/0/1.0
employee-vlan    *                   Flood   -     ge-0/0/1.0
employee-vlan    00:05:85:3A:82:80   Learn   0     ge-0/0/2.0
employee-vlan    00:05:85:3A:82:81   Learn   0     ge-0/0/2.0
employee-vlan    00:05:85:3A:82:83   Learn   0     ge-0/0/2.0
employee-vlan    00:05:85:3A:82:85   Learn   0     ge-0/0/2.0
employee-vlan    *                   Flood   -     ge-0/0/2.0

Meaning

The sample output shows that with a MAC limit of 4 for the interface, the DHCP
request for a fifth MAC address on ge-0/0/1 was dropped because it exceeded the
MAC limit, and that only the configured allowed MAC addresses have been learned
on the ge-0/0/2 interface.

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Configuring MAC Limiting (CLI Procedure) on page 776

Configuring MAC Limiting (J-Web Procedure) on page 777
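The following Python script is an added example, not code from the Juniper guide, and it serves both this verification and the earlier ones (Verifying That MAC Limiting and MAC Move Limiting Are Working Correctly on the Switch and Verifying That Allowed MAC Addresses Are Working Correctly on the Switch). It models the three controls with action drop: a per-interface mac-limit, allowed-mac entries, and a per-VLAN mac-move-limit counted over one second. It then replays the guide's sequence (two hosts on ge-0/0/1, five on ge-0/0/2 with a limit of 4, then two hosts moved between interfaces more than five times in a second) and reports what the Ethernet switching table would hold. The timestamps, the spare interface ge-0/0/3.0 used for the moves, the sliding one-second window, and the treatment of allowed-mac as the only addresses that interface can learn (which is how the outputs above behave) are modelling assumptions.

```python
"""Model of mac-limit, allowed-mac and mac-move-limit on EX-series access ports.

Added example, not code from the Juniper guide. MAC addresses follow the
example; the timestamps and the interface used for the moves are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set, Tuple

MOVE_WINDOW = 1.0  # mac-move-limit counts moves per second (sliding window, assumed)


@dataclass
class PortSecurity:
    mac_limit: Optional[int] = None                  # None: no mac-limit configured
    allowed: Set[str] = field(default_factory=set)   # allowed-mac entries, lower-case


class SwitchingTable:
    """Ethernet switching table where every configured limit has action drop."""

    def __init__(self, ports: Dict[str, PortSecurity], move_limits: Dict[str, int]):
        self.ports = ports
        self.move_limits = move_limits                  # vlan -> moves allowed per window
        self.entries: Dict[Tuple[str, str], str] = {}   # (vlan, mac) -> interface
        self.moves: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.dropped: List[Tuple[str, str, str]] = []   # (mac, interface, reason)

    def learned_on(self, interface: str) -> int:
        return sum(1 for ifc in self.entries.values() if ifc == interface)

    def ingress(self, t: float, vlan: str, mac: str, interface: str) -> str:
        """Handle a frame's source MAC; return 'known', 'learned', 'moved' or 'dropped'."""
        mac = mac.lower()
        key = (vlan, mac)
        previous = self.entries.get(key)
        if previous == interface:
            return "known"
        if previous is not None:                        # the MAC has changed interface
            window = self.moves[key]
            window.append(t)
            while window and t - window[0] > MOVE_WINDOW:
                window.popleft()
            limit = self.move_limits.get(vlan)
            if limit is not None and len(window) > limit:
                del self.entries[key]                   # unlearned: its frames are dropped
                return self._drop(mac, interface, "mac-move-limit")
            del self.entries[key]
        port = self.ports.get(interface, PortSecurity())
        if port.allowed and mac not in port.allowed:    # allowed-mac as a whitelist (assumed)
            return self._drop(mac, interface, "not an allowed-mac")
        if port.mac_limit is not None and self.learned_on(interface) >= port.mac_limit:
            return self._drop(mac, interface, "mac-limit")
        self.entries[key] = interface
        return "learned" if previous is None else "moved"

    def _drop(self, mac: str, interface: str, reason: str) -> str:
        self.dropped.append((mac, interface, reason))
        return "dropped"

    def rows(self, vlan: str) -> List[Tuple[str, str, str]]:
        """Learned entries as (vlan, mac, interface), like the Learn rows of the show output."""
        return sorted((v, m, i) for (v, m), i in self.entries.items() if v == vlan)


def guide_scenario() -> Tuple[int, int, List[Tuple[str, str, str]]]:
    """Replay the example: learned count after the DHCP requests, learned count
    after the MAC moves, and the drop log."""
    ports = {
        "ge-0/0/1.0": PortSecurity(mac_limit=4),
        "ge-0/0/2.0": PortSecurity(mac_limit=4, allowed={
            "00:05:85:3a:82:80", "00:05:85:3a:82:81", "00:05:85:3a:82:83",
            "00:05:85:3a:82:85", "00:05:85:3a:82:88"}),
    }
    table = SwitchingTable(ports, {"employee-vlan": 5})
    vlan = "employee-vlan"
    for suffix in ("77", "79"):
        table.ingress(0.0, vlan, "00:05:85:3a:82:" + suffix, "ge-0/0/1.0")
    for suffix in ("80", "81", "83", "85", "88"):       # the fifth exceeds mac-limit 4
        table.ingress(0.0, vlan, "00:05:85:3a:82:" + suffix, "ge-0/0/2.0")
    after_dhcp = len(table.entries)
    # Two hosts flap between ge-0/0/2.0 and ge-0/0/3.0 six times inside one second.
    for k in range(6):
        dest = "ge-0/0/3.0" if k % 2 == 0 else "ge-0/0/2.0"
        for suffix in ("83", "85"):
            table.ingress(1.0 + 0.1 * k, vlan, "00:05:85:3a:82:" + suffix, dest)
    return after_dhcp, len(table.entries), table.dropped


if __name__ == "__main__":
    before, after, dropped = guide_scenario()
    print(f"learned after DHCP requests: {before}; after the MAC moves: {after}")
    for mac, ifc, reason in dropped:
        print(f"dropped {mac} on {ifc}: {reason}")
```

guide_scenario() returns 6 learned entries after the DHCP requests (the fifth allowed address, 00:05:85:3a:82:88, is refused by the limit of 4, just as the output above shows) and 4 after the moves, with 83 and 85 unlearned by the move limit. Build a SwitchingTable with other PortSecurity settings to check a proposed configuration against expected traffic before committing it.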

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks
In a rogue DHCP server attack, an attacker introduces an unauthorized DHCP server
into the network. It answers clients' requests with IP address leases and can name
itself as the default gateway, so that the clients' traffic is routed through the
attacker.
This example describes how to configure a DHCP server interface as untrusted to
protect the switch from a rogue DHCP server:

Requirements on page 719

Overview and Topology on page 719

Configuration on page 720

Verification on page 720

Requirements
This example uses the following hardware and software components:

One EX 3200-24P switch

JUNOS Release 9.0 or later for EX-series switches

A DHCP server to provide IP addresses to network devices on the switch

Before you configure an untrusted DHCP server interface to mitigate rogue DHCP
server attacks, be sure you have:

Connected the DHCP server to the switch.

Enabled DHCP snooping on the VLAN.

Configured the VLAN employee-vlan on the switch. See Example: Setting Up
Bridging with Multiple VLANs for EX-series Switches on page 376.

Overview and Topology


Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
This example describes how to protect the switch from rogue DHCP server attacks.
This example shows how to explicitly configure an untrusted interface on an
EX 3200-24P switch. Figure 42 illustrates the topology for this example.
Figure 42: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 101.

Table 101: Components of the Port Security Topology

Properties                     Settings
Switch hardware                One EX 3200-24P, 24 ports (8 PoE ports)
VLAN name and ID               employee-vlan, tag 20
VLAN subnets                   192.0.2.16/28 (usable addresses 192.0.2.17 through 192.0.2.30;
                               192.0.2.31 is the subnet's broadcast address)
Interfaces in employee-vlan    ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
Interface for DHCP server      ge-0/0/8

In this example, the switch has already been configured as follows:

Secure port access is activated on the switch.

DHCP snooping is enabled on the VLAN employee-vlan.

The interface (port) where the rogue DHCP server is connected to the switch (ge-0/0/8)
is currently trusted, so the switch forwards the rogue server's DHCP replies to clients.

Configuration
To configure the DHCP server interface as untrusted because the interface is being
used by a rogue DHCP server:
CLI Quick Configuration

To quickly set the rogue DHCP server interface as untrusted, copy the following
command and paste it into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/8 no-dhcp-trusted

Step-by-Step Procedure

To set the DHCP server interface as untrusted:

1.

Specify the interface (port) from which DHCP server responses are not allowed:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 no-dhcp-trusted

Results

Check the results of the configuration:
[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/8.0 {
no-dhcp-trusted;
}

Verification
To confirm that the configuration is working properly:

Verifying That the DHCP Server Interface Is Untrusted on page 721

Verifying That the DHCP Server Interface Is Untrusted

Purpose

Verify that DHCP snooping is working on the switch, and see what happens when the
DHCP server interface is untrusted.

Action

Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the port on which the DHCP server
connects to the switch is not trusted. The following output results when requests are
sent from the MAC addresses but no server has provided IP addresses and leases:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address        IP Address  Lease  Type     VLAN           Interface
-----------------  ----------  -----  -------  -------------  ----------
00:05:85:3A:82:77  0.0.0.0     -      dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:79  0.0.0.0     -      dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:80  0.0.0.0     -      dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:81  0.0.0.0     -      dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:83  0.0.0.0     -      dynamic  employee-vlan  ge-0/0/2.0
00:05:85:27:32:88  0.0.0.0     -      dynamic  employee-vlan  ge-0/0/2.0

Meaning

In the sample output from the database, the clients' MAC addresses are shown with
no assigned IP addresses (hence the 0.0.0.0 content in the IP Address column) and
no leases (the lease time is shown as a dash in the Lease column). Because the
switch drops DHCP server messages (offers and acknowledgments) that arrive on an
untrusted interface, the rogue server on ge-0/0/8 can no longer lease addresses to
clients; the clients stay unassigned until a legitimate server is reachable through
an interface that is configured as trusted.

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Enabling a Trusted DHCP Server (CLI Procedure) on page 773

Enabling a Trusted DHCP Server (J-Web Procedure) on page 773
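The mistake this example corrects, a DHCP-trusted interface that does not lead to the legitimate server, is easy to audit from the configuration alone. The following Python script is an added example, not code from the Juniper guide or from JUNOS: it parses the curly-brace display that `show` prints at `[edit ethernet-switching-options secure-access-port]` (the format quoted in the Results sections of this chapter) and reports any interface that carries `dhcp-trusted` without being the port where the real DHCP server is attached, plus a VLAN on which `examine-dhcp` is missing. The sample stanza and the "known server port" `ge-0/0/8.0` are constructed for the example; interfaces without a stanza are treated as untrusted, the default for access interfaces.

```python
"""Audit the [edit ethernet-switching-options secure-access-port] stanza.

Added example (not code from the Juniper guide or from JUNOS). It parses
the curly-brace display that 'show' prints at that hierarchy, as quoted in
the Results sections of this chapter, and reports interfaces that are
DHCP-trusted without being the port where the legitimate DHCP server is
attached. The sample stanza and the 'known server port' are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: ge-0/0/8.0 is the real server port, ge-0/0/3.0 has
# been left trusted by mistake (the situation the example above corrects).
SAMPLE_CONFIG = """\
interface ge-0/0/3.0 {
    dhcp-trusted;
}
interface ge-0/0/8.0 {
    dhcp-trusted;
}
vlan employee-vlan {
    arp-inspection;
    examine-dhcp;
}
"""

BLOCK_RE = re.compile(r"^(interface|vlan)\s+(\S+)\s*\{$")


@dataclass
class SecureAccessPort:
    interfaces: dict = field(default_factory=dict)  # name -> set of statements
    vlans: dict = field(default_factory=dict)       # name -> set of statements


def parse_secure_access_port(text):
    """Collect the statements inside each 'interface X { }' / 'vlan Y { }' block.

    Statements are kept verbatim without the trailing ';', so a block may hold
    'dhcp-trusted', 'no-dhcp-trusted', 'mac-limit 3 action drop', and so on.
    """
    cfg = SecureAccessPort()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = BLOCK_RE.match(line)
        if m:
            kind, name = m.groups()
            table = cfg.interfaces if kind == "interface" else cfg.vlans
            current = table.setdefault(name, set())
        elif line == "}":
            current = None
        elif current is not None and line.endswith(";"):
            current.add(line[:-1].strip())
    return cfg


def audit_dhcp_trust(cfg, server_ports, vlan):
    """Return a list of findings; an empty list means nothing to report.

    server_ports: logical interfaces (e.g. 'ge-0/0/8.0') where a legitimate
    DHCP server is attached. Trust on any other port lets a rogue server on
    it answer clients; an interface with no stanza is untrusted by default
    and is therefore not a finding.
    """
    findings = []
    for name, stmts in sorted(cfg.interfaces.items()):
        if "dhcp-trusted" in stmts and name not in server_ports:
            findings.append(f"{name}: dhcp-trusted but not a known DHCP server port")
        if "no-dhcp-trusted" in stmts and name in server_ports:
            findings.append(f"{name}: known DHCP server port is untrusted; "
                            "its replies will be dropped")
    if "examine-dhcp" not in cfg.vlans.get(vlan, set()):
        findings.append(f"vlan {vlan}: DHCP snooping (examine-dhcp) is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_dhcp_trust(parse_secure_access_port(SAMPLE_CONFIG),
                                    {"ge-0/0/8.0"}, "employee-vlan"):
        print(finding)
```

Run against the constructed stanza, the audit reports only `ge-0/0/3.0`; feeding it the `no-dhcp-trusted` result from this example while still naming `ge-0/0/8.0` as the server port reports the opposite problem, a legitimate server whose replies the switch will now drop, which is the check to run before committing.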

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks
In a DHCP starvation attack, an attacker floods an Ethernet LAN with DHCP requests
from spoofed (counterfeit) MAC addresses. The trusted DHCP server or servers reachable
through the switch exhaust their address pools or cannot keep up with the requests,
and can no longer assign IP addresses and lease times to legitimate DHCP clients on
the switch. Requests from those clients are then either dropped or answered by a
rogue DHCP server set up by the attacker, which typically names itself as the
clients' default gateway.
This example describes how to configure MAC limiting, a port security feature, to
protect the switch against DHCP starvation attacks:

Requirements on page 722

Overview and Topology on page 722

Configuration on page 724

Verification on page 724


Requirements
This example uses the following hardware and software components:

One EX 3200-24P switch

JUNOS Release 9.0 or later for EX-series switches

A DHCP server to provide IP addresses to network devices on the switch

Before you configure MAC limiting, a port security feature, to mitigate DHCP starvation
attacks, be sure you have:

Connected the DHCP server to the switch.

Configured the VLAN employee-vlan on the switch. See Example: Setting Up
Bridging with Multiple VLANs for EX-series Switches on page 376.

Overview and Topology


Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
This example describes how to protect the switch against one common type of attack,
a DHCP starvation attack.
This example shows how to configure port security features on an EX 3200-24P
switch that is connected to a DHCP server.
The setup for this example includes the VLAN employee-vlan on the switch. The
procedure for creating that VLAN is described in the topic Example: Setting Up
Bridging with Multiple VLANs for EX-series Switches on page 376. That procedure is
not repeated here. Figure 43 illustrates the topology for this example.


Figure 43: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 102.
Table 102: Components of the Port Security Topology

Property                     Setting
---------------------------  ---------------------------------------
Switch hardware              One EX 3200-24P, 24 ports (8 PoE ports)
VLAN name and ID             default
Interfaces in employee-vlan  ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
Interface for DHCP server    ge-0/0/8

In this example, the switch has already been configured as follows:

Secure port access is activated on the switch.

No MAC limit is set on any of the interfaces.

DHCP snooping is disabled on the VLAN employee-vlan.

All access interfaces are untrusted, which is the default setting.


Configuration
To configure the MAC limiting port security feature to protect the switch against
DHCP starvation attacks:
CLI Quick Configuration

To quickly configure MAC limiting, copy the following commands and paste them
into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/1 mac-limit 3 action drop
set interface ge-0/0/2 mac-limit 3 action drop

Step-by-Step Procedure

Configure MAC limiting:


1.

Configure a MAC limit of 3 on ge-0/0/1 and specify that packets with new
addresses be dropped if the limit has been exceeded on the interface:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 3 action drop

2.

Configure a MAC limit of 3 on ge-0/0/2 and specify that packets with new
addresses be dropped if the limit has been exceeded on the interface:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 mac-limit 3 action drop

Results

Check the results of the configuration:


[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/1.0 {
mac-limit 3 action drop;
}
interface ge-0/0/2.0 {
mac-limit 3 action drop;
}

Verification
To confirm that the configuration is working properly:

Verifying That MAC Limiting Is Working Correctly on the Switch on page 724

Verifying That MAC Limiting Is Working Correctly on the Switch

Purpose

Verify that MAC limiting is working on the switch.

Action

Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the MAC addresses learned when DHCP requests are sent from hosts on
ge-0/0/1 and from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 3
with the action drop:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 6 learned
  VLAN     MAC address        Type   Age  Interfaces
  default  *                  Flood  -    ge-0/0/2.0
  default  00:05:85:3A:82:77  Learn  0    ge-0/0/1.0
  default  00:05:85:3A:82:79  Learn  0    ge-0/0/1.0
  default  00:05:85:3A:82:80  Learn  0    ge-0/0/1.0
  default  00:05:85:3A:82:81  Learn  0    ge-0/0/2.0
  default  00:05:85:3A:82:83  Learn  0    ge-0/0/2.0
  default  00:05:85:3A:82:85  Learn  0    ge-0/0/2.0

Meaning

The sample output shows that with a MAC limit of 3 for each interface, three
addresses were learned on ge-0/0/1 and three on ge-0/0/2, and the DHCP request for a
fourth MAC address on ge-0/0/2 was dropped because it exceeded the MAC limit. (The
entry marked * with type Flood is the VLAN's flood entry, not a learned host.)
Because at most 3 MAC addresses can be learned on each of the two interfaces, an
attacker on either port can obtain leases for at most 3 spoofed source addresses,
which keeps a DHCP starvation attack launched from those ports from exhausting the
server's address pool. Set the limit to the number of hosts legitimately expected on
the port: once the limit is reached, frames from any additional address, legitimate
or not, are dropped.

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Configuring MAC Limiting (CLI Procedure) on page 776

Configuring MAC Limiting (J-Web Procedure) on page 777

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks
In an ARP spoofing attack, the attacker associates its own MAC address with the IP
address of a network device connected to the switch. Traffic intended for that IP
address is now sent to the attacker instead of being sent to the intended destination.
The attacker can send faked, or spoofed, ARP messages on the LAN.
This example describes how to configure DHCP snooping and dynamic ARP inspection
(DAI), two port security features, to protect the switch against ARP spoofing attacks:

Requirements on page 725

Overview and Topology on page 726

Configuration on page 727

Verification on page 728

Requirements
This example uses the following hardware and software components:

One EX 3200-24P switch

JUNOS Release 9.0 or later for EX-series switches


A DHCP server to provide IP addresses to network devices on the switch

Before you configure DHCP snooping and DAI, two port security features, to mitigate
ARP spoofing attacks, be sure you have:

Connected the DHCP server to the switch.

Configured the VLAN employee-vlan on the switch.

Overview and Topology


Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
This example describes how to protect the switch against one common type of attack,
an ARP spoofing attack.
In an ARP spoofing attack, the attacker sends faked ARP messages, thus creating
various types of mischief on the LAN; for example, the attacker might launch a
man-in-the-middle attack by answering ARP requests for another host's IP address.
This example shows how to configure port security features on an EX 3200-24P
switch that is connected to a DHCP server. The setup for this example includes the
VLAN employee-vlan on the switch. The procedure for creating that VLAN is described
in the topic Example: Setting Up Bridging with Multiple VLANs for EX-series
Switches on page 376. That procedure is not repeated here. Figure 44 illustrates
the topology for this example.
Figure 44: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 103.


Table 103: Components of the Port Security Topology

Property                     Setting
---------------------------  ---------------------------------------------------
Switch hardware              One EX 3200-24P, 24 ports (8 PoE ports)
VLAN name and ID             employee-vlan, tag 20
VLAN subnet                  192.0.2.16/28 (hosts 192.0.2.17 through 192.0.2.30;
                             192.0.2.31 is the subnet's broadcast address)
Interfaces in employee-vlan  ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
Interface for DHCP server    ge-0/0/8

In this example, the switch has already been configured as follows:

Secure port access is activated on the switch.

DHCP snooping is disabled on the VLAN employee-vlan.

All access ports are untrusted, which is the default setting.

Configuration
To configure DHCP snooping and dynamic ARP inspection (DAI) to protect the switch
against ARP attacks:
CLI Quick Configuration

To quickly configure DHCP snooping and dynamic ARP inspection (DAI), copy the
following commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/8 dhcp-trusted
set vlan employee-vlan examine-dhcp
set vlan employee-vlan arp-inspection

Step-by-Step Procedure

Configure DHCP snooping and dynamic ARP inspection (DAI) on the VLAN:
1.

Set the ge-0/0/8 interface as trusted:


[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 dhcp-trusted

2.

Enable DHCP snooping on the VLAN:


[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan examine-dhcp

3.

Enable DAI on the VLAN:


[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan arp-inspection


Results

Check the results of the configuration:


[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/8.0 {
dhcp-trusted;
}
vlan employee-vlan {
arp-inspection;
examine-dhcp;
}

Verification
To confirm that the configuration is working properly:

Verifying That DHCP Snooping Is Working Correctly on the Switch on page 728

Verifying That DAI Is Working Correctly on the Switch on page 728

Verifying That DHCP Snooping Is Working Correctly on the Switch

Purpose

Verify that DHCP snooping is working on the switch.

Action

Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the port on which the DHCP server
connects to the switch is trusted. The following output results when requests are sent
from the MAC addresses and the server has provided the IP addresses and leases:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address        IP Address  Lease  Type     VLAN           Interface
-----------------  ----------  -----  -------  -------------  ----------
00:05:85:3A:82:77  192.0.2.17  600    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:79  192.0.2.18  653    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:80  192.0.2.19  720    dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:81  192.0.2.20  932    dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:83  192.0.2.21  1230   dynamic  employee-vlan  ge-0/0/2.0
00:05:85:27:32:88  192.0.2.22  3200   dynamic  employee-vlan  ge-0/0/3.0

Meaning

When the interface on which the DHCP server connects to the switch has been set
to trusted, the output (see preceding sample) shows, for each MAC address, the
assigned IP address and lease time, that is, the time, in seconds, remaining before
the lease expires.

Verifying That DAI Is Working Correctly on the Switch

Purpose

Verify that DAI is working on the switch.

Action

Send some ARP requests from network devices connected to the switch.
Display the DAI information:
user@switch> show arp inspection statistics
ARP inspection statistics:
Interface    Packets received  ARP inspection pass  ARP inspection failed
-----------  ----------------  -------------------  ---------------------
ge-0/0/1.0   7                 5                    2
ge-0/0/2.0   10                10                   0
ge-0/0/3.0   12                12                   0

Meaning

The sample output shows the number of ARP packets received and inspected per
interface, with a listing of how many packets passed and how many failed the
inspection on each interface. The switch compares the sender MAC and IP addresses in
ARP requests and replies against the entries in the DHCP snooping database. If the
MAC address or IP address in the ARP packet does not match a valid entry in the
database, the packet is dropped. The two failures on ge-0/0/1.0 are therefore ARP
packets whose MAC/IP pair had no matching binding for that interface: either a
spoofing attempt, or a host using a statically assigned address that the DHCP
snooping database does not know about. Hosts on a VLAN protected by DAI should
obtain their addresses through DHCP for this reason.

Related Topics


Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Enabling DHCP Snooping (CLI Procedure) on page 771

Enabling DHCP Snooping (J-Web Procedure) on page 772

Enabling Dynamic ARP Inspection (CLI Procedure) on page 774

Enabling Dynamic ARP Inspection (J-Web Procedure) on page 775
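The DAI rule stated in the Meaning above, and the binding table that drives it, can be replayed outside the switch to understand which packets fail. The following Python script is an added example, not code from the Juniper guide or from JUNOS: it rebuilds the DHCP snooping database from output in the layout of `show dhcp snooping binding` and applies the check to a handful of ARP packets, counting passes and failures per interface the way `show arp inspection statistics` reports them. The binding output, the ARP packets, and the assumption that packets on trusted interfaces (here `ge-0/0/8.0`) bypass inspection are all constructed for the example.

```python
"""Dynamic ARP inspection (DAI), replayed against the snooping database.

Added example (not code from the Juniper guide or from JUNOS). It rebuilds
the DHCP snooping database from output in the layout of 'show dhcp snooping
binding' and applies the rule the text above describes: an ARP packet that
arrives on an untrusted interface passes only if its sender MAC and IP match
a binding for that VLAN and interface, and is dropped otherwise. Trusted
interfaces are assumed not to be inspected. The binding output and the ARP
packets are constructed for this example.
"""
from collections import Counter
from typing import NamedTuple


class ArpPacket(NamedTuple):
    interface: str
    vlan: str
    sender_mac: str
    sender_ip: str


# Constructed sample, same columns as the page's output. The last row is a
# client that has not been given a lease yet and therefore has no binding.
SNOOPING_OUTPUT = """\
DHCP Snooping Information:
MAC Address        IP Address  Lease  Type     VLAN           Interface
-----------------  ----------  -----  -------  -------------  ----------
00:05:85:3A:82:77  192.0.2.17  600    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:79  192.0.2.18  653    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:80  192.0.2.19  720    dynamic  employee-vlan  ge-0/0/2.0
00:05:85:27:32:88  0.0.0.0     -      dynamic  employee-vlan  ge-0/0/3.0
"""


def parse_bindings(text):
    """Map (vlan, interface, mac) -> ip for every row that holds a real lease."""
    db = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[3] not in ("dynamic", "static"):
            continue  # header, separator or blank line
        mac, ip, lease, _kind, vlan, ifname = fields
        if ip == "0.0.0.0" or lease == "-":
            continue  # no lease granted, so nothing to validate against
        db[(vlan, ifname, mac.lower())] = ip
    return db


def inspect_arp(db, trusted_interfaces, packets):
    """Return per-interface counters in the spirit of 'show arp inspection statistics'."""
    stats = {}
    for pkt in packets:
        c = stats.setdefault(pkt.interface, Counter())
        c["received"] += 1
        if pkt.interface in trusted_interfaces:
            c["pass"] += 1  # assumption: trusted ports bypass inspection
            continue
        bound_ip = db.get((pkt.vlan, pkt.interface, pkt.sender_mac.lower()))
        if bound_ip == pkt.sender_ip:
            c["pass"] += 1
        else:
            c["fail"] += 1  # spoofed pair, host moved ports, or no lease
    return stats


# Constructed traffic: a legitimate host, the same host claiming a neighbour's
# IP (ARP spoofing), a host whose binding is on another port, a client with
# no lease yet, and a packet from the trusted server port.
SAMPLE_PACKETS = [
    ArpPacket("ge-0/0/1.0", "employee-vlan", "00:05:85:3A:82:77", "192.0.2.17"),
    ArpPacket("ge-0/0/1.0", "employee-vlan", "00:05:85:3A:82:77", "192.0.2.19"),
    ArpPacket("ge-0/0/1.0", "employee-vlan", "00:05:85:3A:82:80", "192.0.2.19"),
    ArpPacket("ge-0/0/2.0", "employee-vlan", "00:05:85:3A:82:80", "192.0.2.19"),
    ArpPacket("ge-0/0/3.0", "employee-vlan", "00:05:85:27:32:88", "192.0.2.22"),
    ArpPacket("ge-0/0/8.0", "employee-vlan", "00:05:85:00:00:01", "192.0.2.16"),
]


def run_sample():
    db = parse_bindings(SNOOPING_OUTPUT)
    return inspect_arp(db, trusted_interfaces={"ge-0/0/8.0"}, packets=SAMPLE_PACKETS)


if __name__ == "__main__":
    for ifname, c in sorted(run_sample().items()):
        print(f"{ifname:12} received={c['received']} pass={c['pass']} fail={c['fail']}")
```

The two failures on `ge-0/0/1.0` are the host claiming `192.0.2.19`, which is bound to a different MAC on a different port, and a MAC whose binding lives on `ge-0/0/2.0`; the failure on `ge-0/0/3.0` is a client that has no lease yet, the same 0.0.0.0 state shown in the untrusted-server example earlier in this chapter, which is why a host that never completes DHCP cannot ARP through a DAI-protected VLAN.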

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks
In one type of attack on the DHCP snooping database, an intruder introduces a DHCP
client on an untrusted access interface with a MAC address identical to that of a client
on another untrusted interface. The intruder then acquires the DHCP lease of that
other client, so that the entry for that MAC address in the DHCP snooping table now
points at the intruder's interface and lease. Subsequently, what would have been valid
ARP requests from the legitimate client no longer match the database and are blocked
by dynamic ARP inspection.
This example describes how to configure allowed MAC addresses, a port security
feature, to protect the switch from DHCP snooping database alteration attacks:

Requirements on page 729

Overview and Topology on page 730

Configuration on page 731

Verification on page 732

Requirements
This example uses the following hardware and software components:

One EX 3200-24P switch

JUNOS Release 9.0 or later for EX-series switches

A DHCP server to provide IP addresses to network devices on the switch


Before you configure specific port security features to mitigate common
access-interface attacks, be sure you have:

Connected the DHCP server to the switch.

Configured the VLAN employee-vlan on the switch. See Example: Setting Up
Bridging with Multiple VLANs for EX-series Switches on page 376.

Overview and Topology


Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
This example describes how to protect the switch from an attack on the DHCP
snooping database that alters the interface and lease recorded for some clients'
MAC addresses.
This example shows how to configure port security features on an EX 3200-24P
switch that is connected to a DHCP server.
The setup for this example includes the VLAN employee-vlan on the switch. The
procedure for creating that VLAN is described in the topic Example: Setting Up
Bridging with Multiple VLANs for EX-series Switches on page 376. That procedure is
not repeated here. Figure 45 illustrates the topology for this example.
Figure 45: Network Topology for Basic Port Security

The components of the topology for this example are shown in Table 104.
Table 104: Components of the Port Security Topology

Property                     Setting
---------------------------  ---------------------------------------------------
Switch hardware              One EX 3200-24P, 24 ports (8 PoE ports)
VLAN name and ID             employee-vlan, tag 20
VLAN subnet                  192.0.2.16/28 (hosts 192.0.2.17 through 192.0.2.30;
                             192.0.2.31 is the subnet's broadcast address)
Interfaces in employee-vlan  ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
Interface for DHCP server    ge-0/0/8

In this example, the switch has already been configured as follows:

Secure port access is activated on the switch.

DHCP snooping is enabled on the VLAN employee-vlan.

All access ports are untrusted, which is the default setting.

Configuration
To configure allowed MAC addresses to protect the switch against DHCP snooping
database alteration attacks:
CLI Quick Configuration

To quickly configure some allowed MAC addresses on an interface, copy the following
commands and paste them into the switch terminal window:
[edit ethernet-switching-options secure-access-port]
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88

Step-by-Step Procedure

To configure some allowed MAC addresses on an interface:

1.

Configure the five allowed MAC addresses on the interface:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:85
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:88

Results

Check the results of the configuration:


[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/2.0 {
allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 00:05:85:3a:82:83 00:05:85
:3a:82:85 00:05:85:3a:82:88 ];
}


Verification
To confirm that the configuration is working properly:

Verifying That Allowed MAC Addresses Are Working Correctly on the Switch on page 732

Verifying That Allowed MAC Addresses Are Working Correctly on the Switch

Purpose

Verify that allowed MAC addresses are working on the switch.

Action

Display the MAC cache information:
user@switch> show ethernet-switching table
Ethernet-switching table: 6 entries, 5 learned
  VLAN           MAC address        Type   Age  Interfaces
  employee-vlan  00:05:85:3A:82:80  Learn  0    ge-0/0/2.0
  employee-vlan  00:05:85:3A:82:81  Learn  0    ge-0/0/2.0
  employee-vlan  00:05:85:3A:82:83  Learn  0    ge-0/0/2.0
  employee-vlan  00:05:85:3A:82:85  Learn  0    ge-0/0/2.0
  employee-vlan  00:05:85:3A:82:88  Learn  0    ge-0/0/2.0
  employee-vlan  *                  Flood  -    ge-0/0/2.0

Meaning

The output shows that the five MAC addresses configured as allowed MAC addresses
have been learned on ge-0/0/2.0 and are displayed in the MAC cache. The sixth entry,
marked *, is the VLAN's flood entry rather than a host address. No other address
appears for the interface: a host that connects to ge-0/0/2 with a MAC address that
is not in the allowed list is not learned, so it cannot take over another client's
entry in the DHCP snooping database from that port.

Related Topics


Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Configuring MAC Limiting (CLI Procedure) on page 776

Configuring MAC Limiting (J-Web Procedure) on page 777
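The two per-port learning controls used in this chapter, `mac-limit N action drop` in the DHCP starvation example and `allowed-mac` in the example just above, both decide whether a frame's source MAC is learned and what happens when it is not. The following Python model is an added example, not code from the Juniper guide or from JUNOS, serving both of those examples: it replays constructed frames against the two policies and prints the outcome in the layout of `show ethernet-switching table`. The frames, their order, the `All-members` interface shown for the flood entry, and the treatment of a port that combines both settings are assumptions of the model, not documented JUNOS behaviour.

```python
"""Per-port MAC learning under mac-limit and allowed-mac, replayed in Python.

Added example (not code from the Juniper guide or from JUNOS), serving both
the DHCP starvation example ('mac-limit 3 action drop') and the allowed-MAC
example above. It models how an access interface decides whether to learn
the source MAC of an arriving frame and what happens to frames it refuses,
then prints the result in the layout of 'show ethernet-switching table'.
The frames and their order are constructed; the exact behaviour of JUNOS
for the flood entry and for mixed mac-limit/allowed-mac policies is an
assumption of this model.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PortPolicy:
    mac_limit: Optional[int] = None          # None: no limit configured
    allowed_macs: frozenset = frozenset()    # empty: any source MAC may be learned


@dataclass
class Port:
    name: str
    policy: PortPolicy
    learned: list = field(default_factory=list)  # MACs in learning order
    dropped: list = field(default_factory=list)  # frames refused, by source MAC


def handle_frame(port, src_mac):
    """Return 'known', 'learned' or 'dropped' for one frame's source MAC.

    'mac-limit N action drop': once N addresses are learned, frames from any
    further address are dropped. 'allowed-mac': only listed addresses are
    learned; anything else is dropped. A frame from an already learned
    address is just forwarded ('known').
    """
    mac = src_mac.lower()
    if mac in port.learned:
        return "known"
    pol = port.policy
    if pol.allowed_macs and mac not in pol.allowed_macs:
        port.dropped.append(mac)
        return "dropped"
    if pol.mac_limit is not None and len(port.learned) >= pol.mac_limit:
        port.dropped.append(mac)
        return "dropped"
    port.learned.append(mac)
    return "learned"


def switching_table(ports, vlan):
    """Rows of (vlan, mac, type, age, interface); '*' is the VLAN flood entry."""
    rows = [(vlan, "*", "Flood", "-", "All-members")]
    for port in ports:
        rows.extend((vlan, mac, "Learn", "0", port.name) for mac in port.learned)
    return rows


def run_sample():
    """Replay constructed traffic against the two policies used in this chapter."""
    ge1 = Port("ge-0/0/1.0", PortPolicy(mac_limit=3))
    ge2 = Port("ge-0/0/2.0", PortPolicy(allowed_macs=frozenset({
        "00:05:85:3a:82:80", "00:05:85:3a:82:81", "00:05:85:3a:82:83",
        "00:05:85:3a:82:85", "00:05:85:3a:82:88"})))
    # Five distinct sources on ge-0/0/1 (a small starvation attempt), then a
    # repeat of the first; an allowed and a non-allowed source on ge-0/0/2.
    frames = [
        (ge1, "00:05:85:3A:82:77"), (ge1, "00:05:85:3A:82:79"),
        (ge1, "00:05:85:3A:82:80"), (ge1, "00:05:85:3A:82:81"),
        (ge1, "00:05:85:3A:82:83"), (ge1, "00:05:85:3A:82:77"),
        (ge2, "00:05:85:3A:82:80"), (ge2, "00:05:85:3A:82:99"),
    ]
    outcomes = [handle_frame(port, mac) for port, mac in frames]
    return outcomes, ge1, ge2


if __name__ == "__main__":
    outcomes, ge1, ge2 = run_sample()
    print("outcomes:", outcomes)
    rows = switching_table([ge1, ge2], "employee-vlan")
    print(f"Ethernet-switching table: {len(rows)} entries, {len(rows) - 1} learned")
    for row in rows:
        print("  {:14} {:18} {:6} {:3} {}".format(*row))
```

With the limit of 3 on `ge-0/0/1.0`, the fourth and fifth source addresses are dropped while the repeat from an already learned address is forwarded; on `ge-0/0/2.0` the allowed address is learned and the unlisted one is dropped before it can be learned at all. The same model makes the trade-off from the starvation example explicit: any legitimate host beyond the limit is dropped just like the attacker's spoofed addresses.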

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series
Switch with Access to a DHCP Server Through a Second Switch
You can configure DHCP snooping, dynamic ARP inspection (DAI), and MAC limiting
on the access interfaces of EX-series switches to protect the switch and the Ethernet
LAN against address spoofing and Layer 2 denial-of-service (DoS) attacks. To obtain
those basic settings, you can use the switch's default configuration for port security,
configure an action for the MAC limit, and enable DHCP snooping and DAI on a
VLAN. You can configure those features when the DHCP server is connected to a
different switch from the one to which the DHCP clients (network devices) are
connected.


This example describes how to configure port security features on an EX-series switch
whose hosts obtain IP addresses and lease times from a DHCP server attached to a
second switch:

Requirements on page 733

Overview and Topology on page 733

Configuring a VLAN, Interfaces, and Port Security Features on Switch 1 on page 735

Configuring a VLAN and Interfaces on Switch 2 on page 737

Verification on page 738

Requirements
This example uses the following hardware and software components:

One EX 3200-24P switch (Switch 1 in this example).

An additional EX-series switch (Switch 2 in this example). You will not configure
port security on this switch.

JUNOS Release 9.0 or later for EX-series switches.

A DHCP server connected to Switch 2. You will use the server to provide IP
addresses to network devices connected to Switch 1.

At least two network devices (hosts) that you will connect to access interfaces
on Switch 1. These devices will be DHCP clients.

Before you configure DHCP snooping, DAI, and MAC limiting port security features,
be sure you have:

Connected the DHCP server to Switch 2.

Configured the VLAN employee-vlan on the switch. See Example: Setting Up
Bridging with Multiple VLANs for EX-series Switches on page 376.

Overview and Topology


Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
To protect the devices from such attacks, you can configure:

DHCP snooping to validate DHCP server messages

DAI to protect against ARP spoofing

MAC limiting to constrain the number of MAC addresses the switch adds to its
MAC address cache

This example shows how to configure these port security features on an EX 3200
switch, which is Switch 1 in this example. (You could also use an EX 4200 switch for
this example.) Switch 1 is attached to a switch that is not configured with port security
features. That second switch (Switch 2) is connected to a DHCP server. (See
Figure 46 on page 734. ) Network devices (hosts) that are connected to Switch 1 will
send requests for IP addresses (that is, the devices will be DHCP clients). Those
requests will be transmitted from Switch 1 to Switch 2 and then to the DHCP server


connected to Switch 2. Responses to the requests will be transmitted along the reverse
path from the one followed by the requests.
The setup for this example includes the VLAN employee-vlan on both switches.
Figure 46 on page 734 shows the network topology for the example.
Figure 46: Network Topology for Port Security Setup with Two Switches on Same
VLAN

The components of the topology for this example are shown in Table 105 on page 734.
Table 105: Components of Port Security Setup on Switch 1 with a DHCP Server Connected to Switch 2

Property                          Setting
--------------------------------  ---------------------------------------------------
Switch hardware                   One EX 3200-24P (Switch 1), and an additional
                                  EX-series switch (Switch 2)
VLAN name and ID                  employee-vlan, tag 20
VLAN subnet                       192.0.2.16/28 (hosts 192.0.2.17 through 192.0.2.30;
                                  192.0.2.31 is the subnet's broadcast address)
Trunk interface on both switches  ge-0/0/11
Access interfaces on Switch 1     ge-0/0/1, ge-0/0/2, and ge-0/0/3
Access interface on Switch 2      ge-0/0/1
Interface for DHCP server         ge-0/0/1 on Switch 2


Switch 1 is initially configured with the default port security setup. In the default
configuration on the switch:

Secure port access is activated on the switch.

The switch does not drop any packets, which is the default setting.

A dynamic limit on the maximum number of MAC addresses to be learned per port by
the switch is already set in the default configuration. The default limit is 5.

DHCP snooping and dynamic ARP inspection (DAI) are disabled on all VLANs.

All access interfaces are untrusted and trunk interfaces are trusted; these are the
default settings.

In the configuration tasks for this example, you configure a VLAN on both switches.
In addition to configuring the VLAN, you enable DHCP snooping on Switch 1. In this
example, you'll also enable DAI and a MAC limit of 5 on Switch 1.
Because the interface that connects Switch 2 to Switch 1 is a trunk interface, you do
not have to configure this interface to be trusted. As noted above, trunk interfaces
are automatically trusted, so DHCP messages coming from the DHCP server to Switch
2 and then on to Switch 1 are trusted. That trust applies to the trunk as a whole,
not to the server: Switch 1 accepts DHCP server messages from anything Switch 2
forwards onto the trunk, and Switch 2 has no port security configured in this
example. To keep a rogue DHCP server attached to Switch 2 from being trusted in the
same way, apply the same DHCP snooping and trusted-interface settings on Switch 2.

Configuring a VLAN, Interfaces, and Port Security Features on Switch 1


To configure a VLAN, interfaces, and port security features on Switch 1:
CLI Quick Configuration

To quickly configure a VLAN, interfaces, and port security features, copy the following
commands and paste them into the switch terminal window:
[edit]
set ethernet-switching-options secure-access-port interface ge-0/0/1 mac-limit 5 action drop
set ethernet-switching-options secure-access-port vlan employee-vlan arp-inspection
set ethernet-switching-options secure-access-port vlan employee-vlan examine-dhcp
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members 20
set vlans employee-vlan vlan-id 20

Step-by-Step Procedure

To configure MAC limiting, a VLAN, and interfaces on Switch 1 and enable DAI and
DHCP snooping on the VLAN:

1.

Configure the VLAN employee-vlan with VLAN ID 20:
[edit vlans]
user@switch1# set employee-vlan vlan-id 20

2.

Configure an interface on Switch 1 as a trunk interface:
[edit interfaces]
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

3.

Associate the VLAN with interfaces ge-0/0/1, ge-0/0/2, ge-0/0/3, and ge-0/0/11:
[edit interfaces]
user@switch1# set ge-0/0/1 unit 0 family ethernet-switching vlan members 20
user@switch1# set ge-0/0/2 unit 0 family ethernet-switching vlan members 20
user@switch1# set ge-0/0/3 unit 0 family ethernet-switching vlan members 20
user@switch1# set ge-0/0/11 unit 0 family ethernet-switching vlan members 20

4.

Enable DHCP snooping on the VLAN:
[edit ethernet-switching-options secure-access-port]
user@switch1# set vlan employee-vlan examine-dhcp

5.

Enable DAI on the VLAN:
[edit ethernet-switching-options secure-access-port]
user@switch1# set vlan employee-vlan arp-inspection

6.

Configure a MAC limit of 5 on ge-0/0/1 and specify that packets from new
addresses be dropped if the limit has been exceeded:
[edit ethernet-switching-options secure-access-port]
user@switch1# set interface ge-0/0/1 mac-limit 5 action drop

Results

Display the results of the configuration:


[edit]
user@switch1# show
ethernet-switching-options {
secure-access-port {
interface ge-0/0/1.0 {
mac-limit 5 action drop;
}
vlan employee-vlan {
arp-inspection;
examine-dhcp;
}
}
}
interfaces {
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members 20;
}


}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members 20;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members 20;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 20;
}
}
}
}
}
vlans {
employee-vlan {
vlan-id 20;
}
}

Configuring a VLAN and Interfaces on Switch 2


To configure the VLAN and interfaces on Switch 2:
CLI Quick Configuration

To quickly configure the VLAN and interfaces on Switch 2, copy the following
commands and paste them into the switch terminal window:
[edit]
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members 20
set vlans employee-vlan vlan-id 20

Step-by-Step Procedure

To configure the VLAN and interfaces on Switch 2:

1.

Configure the VLAN employee-vlan with VLAN ID 20:
[edit vlans]
user@switch2# set employee-vlan vlan-id 20

2.

Configure an interface on Switch 2 as a trunk interface:
[edit interfaces]
user@switch2# set ge-0/0/11 unit 0 family ethernet-switching port-mode trunk

3.

Associate the VLAN with interfaces ge-0/0/1 and ge-0/0/11:
[edit interfaces]
user@switch2# set ge-0/0/1 unit 0 family ethernet-switching vlan members 20
user@switch2# set ge-0/0/11 unit 0 family ethernet-switching vlan members 20

Results

Display the results of the configuration:


[edit]
user@switch2# show
interfaces {
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members 20;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members 20;
}
}
}
}
}
vlans {
employee-vlan {
vlan-id 20;
}
}

Verification
To confirm that the configuration is working properly:


Verifying That DHCP Snooping Is Working Correctly on Switch 1 on page 739

Verifying That DAI Is Working Correctly on Switch 1 on page 739

Verifying That MAC Limiting Is Working Correctly on Switch 1 on page 739


Verifying That DHCP Snooping Is Working Correctly on Switch 1


Purpose

Verify that DHCP snooping is working on Switch 1.

Action

Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the interface through which Switch 2
sends the DHCP server replies to clients connected to Switch 1 is trusted. The server
has provided the IP addresses and leases:
user@switch1> show dhcp snooping binding
DHCP Snooping Information:
MAC Address         IP Address   Lease  Type     VLAN           Interface
-----------------   ----------   -----  -------  -------------  ----------
00:05:85:3A:82:77   192.0.2.17   600    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19   720    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:81   192.0.2.20   932    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:83   192.0.2.21   1230   dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:90   192.0.2.20   932    dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:91   192.0.2.21   1230   dynamic  employee-vlan  ge-0/0/3.0

Meaning

The output shows, for each MAC address, the assigned IP address and lease time, that
is, the time, in seconds, remaining before the lease expires.
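The binding table above is also the data an operator would review when something looks off on an access port. The following script is an added example, not part of this guide and not JUNOS code: it parses the text of show dhcp snooping binding (SAMPLE_OUTPUT is constructed to match the Switch 1 table above), and reports any IP address that the table shows bound to more than one MAC address, as well as dynamic leases that are close to expiring. The 600-second expiry threshold is an assumption of the example.

```python
"""Parse `show dhcp snooping binding` output and flag bindings worth a
second look. Added example (not JUNOS code). SAMPLE_OUTPUT is constructed
to match the Switch 1 table shown in the guide; the expiry threshold is an
assumption of this example."""
import re
from collections import defaultdict

# Constructed sample: the seven bindings displayed on Switch 1.
SAMPLE_OUTPUT = """\
DHCP Snooping Information:
MAC Address         IP Address   Lease  Type     VLAN           Interface
-----------------   ----------   -----  -------  -------------  ----------
00:05:85:3A:82:77   192.0.2.17   600    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19   720    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:81   192.0.2.20   932    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:83   192.0.2.21   1230   dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:90   192.0.2.20   932    dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:91   192.0.2.21   1230   dynamic  employee-vlan  ge-0/0/3.0
"""

# One binding row: MAC, IPv4 address, lease in seconds (absent for static
# entries, which never expire), type, VLAN name and logical interface.
ROW_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?:(?P<lease>\d+)\s+)?"
    r"(?P<type>dynamic|static)\s+"
    r"(?P<vlan>\S+)\s+"
    r"(?P<ifname>\S+)\s*$"
)


def parse_bindings(text):
    """Return one dict per binding row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["lease"] = int(row["lease"]) if row["lease"] is not None else None
        rows.append(row)
    return rows


def duplicate_ips(rows):
    """Map each IP address bound to more than one MAC address to the
    (mac, interface) pairs that hold it. Two hosts holding the same address
    is worth reconciling with the DHCP server before trusting either binding,
    since DAI and IP source guard will accept traffic from both."""
    claims = defaultdict(list)
    for r in rows:
        claims[r["ip"]].append((r["mac"], r["ifname"]))
    return {ip: macs for ip, macs in claims.items()
            if len({mac for mac, _ in macs}) > 1}


def expiring_within(rows, seconds=600):
    """MAC addresses whose dynamic lease expires within `seconds`. Once a
    lease expires its binding is removed and DAI/IP source guard will drop
    traffic from that host until it renews."""
    return [r["mac"] for r in rows
            if r["lease"] is not None and r["lease"] <= seconds]


if __name__ == "__main__":
    rows = parse_bindings(SAMPLE_OUTPUT)
    print(f"{len(rows)} bindings parsed")
    for ip, claims in duplicate_ips(rows).items():
        print(f"{ip} is bound to more than one MAC: {claims}")
    print("leases expiring within 600 s:", expiring_within(rows))
```

Run against the sample, the script reports 192.0.2.20 and 192.0.2.21 as each bound to two different MAC addresses on different interfaces, which is exactly the kind of inconsistency in the table above that deserves a check against the server's lease file.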

Verifying That DAI Is Working Correctly on Switch 1


Purpose

Verify that DAI is working on Switch 1.

Action

Send some ARP requests from network devices connected to the switch.
Display the DAI information:
user@switch1> show arp inspection statistics
ARP inspection statistics:
Interface        Packets received   ARP inspection pass   ARP inspection failed
---------------  ----------------   -------------------   ---------------------
ge-0/0/1.0       7                  5                     2
ge-0/0/2.0       10                 10                    0
ge-0/0/3.0       18                 15                    3

Meaning

The sample output shows the number of ARP packets received and inspected per
interface, with a listing of how many packets passed and how many failed the
inspection on each interface. The switch compares the ARP requests and replies
against the entries in the DHCP snooping database. If a MAC address or IP address
in the ARP packet does not match a valid entry in the database, the packet is dropped.

Verifying That MAC Limiting Is Working Correctly on Switch 1


Purpose

Verify that MAC limiting is working on Switch 1.

Action

Display the MAC addresses that are learned when DHCP requests are sent from hosts
on ge-0/0/1:

user@switch1> show ethernet-switching table


Ethernet-switching table: 6 entries, 5 learned
VLAN           MAC address         Type   Age  Interfaces
employee-vlan  00:05:85:3A:82:77   Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:79   Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:80   Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:81   Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:83   Learn  0    ge-0/0/1.0
employee-vlan  *                   Flood  -    ge-0/0/1.0

Meaning

The sample output shows that five MAC addresses have been learned for interface
ge-0/0/1, which corresponds to the MAC limit of 5 set in the configuration. The last
line of the output shows that a sixth MAC address request was dropped, as indicated
by the asterisk (*) in the MAC address column.
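To make the behaviour verified above concrete, the following simulation is an added example, not part of this guide and not JUNOS code. It models per-interface MAC limiting: an interface learns source MAC addresses up to its limit (5 on ge-0/0/1.0, as in the example) and then applies its configured action to frames from any further new MAC. The actions drop, log, shutdown and none are the values the guide's configuration procedures refer to; the exact way the log action is modelled here (forward the frame without learning the address and record an entry) is an assumption of this example, as are the six source MACs, which are taken from the sample output.

```python
"""Simulation of per-interface MAC limiting, as verified on Switch 1.
Added example (not JUNOS code): the limit of 5 and the six source MACs
come from the sample output; the handling of the 'log' action (forward
without learning, record an entry) is an assumption of this example."""


class MacLimiter:
    """Learn source MAC addresses per interface until the interface's limit
    is reached, then apply its configured action to frames from new MACs."""

    ACTIONS = ("drop", "log", "shutdown", "none")

    def __init__(self):
        self.limits = {}       # ifname -> (limit, action)
        self.learned = {}      # ifname -> set of learned MACs
        self.disabled = set()  # interfaces taken down by the shutdown action
        self.log = []          # (ifname, mac, action) entries for the operator

    def set_limit(self, ifname, limit, action="drop"):
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.limits[ifname] = (limit, action)
        self.learned.setdefault(ifname, set())

    def receive(self, ifname, src_mac):
        """Return the fate of a frame from src_mac arriving on ifname:
        'known', 'learned', 'dropped', 'logged' or 'shutdown'."""
        if ifname in self.disabled:
            return "dropped"
        macs = self.learned.setdefault(ifname, set())
        if src_mac in macs:
            return "known"
        limit, action = self.limits.get(ifname, (None, "none"))
        # 'none' (or no limit at all) lets the interface learn without bound;
        # it is the per-interface override for a limit applied to all interfaces.
        if action == "none" or limit is None or len(macs) < limit:
            macs.add(src_mac)
            return "learned"
        # Limit reached: the new address is not learned and the action applies.
        self.log.append((ifname, src_mac, action))
        if action == "shutdown":
            self.disabled.add(ifname)
            return "shutdown"
        if action == "log":
            return "logged"
        return "dropped"

    def table(self, ifname):
        """Learned entries for an interface, in the spirit of
        `show ethernet-switching table`."""
        return sorted(self.learned.get(ifname, ()))


if __name__ == "__main__":
    switch = MacLimiter()
    switch.set_limit("ge-0/0/1.0", 5)            # mac-limit 5, default action drop
    # Constructed frame sequence: the five learned MACs plus one more.
    for suffix in ("77", "79", "80", "81", "83", "90"):
        mac = "00:05:85:3A:82:" + suffix
        print(mac, "->", switch.receive("ge-0/0/1.0", mac))
    print("learned on ge-0/0/1.0:", switch.table("ge-0/0/1.0"))
    print("log:", switch.log)
```

The sixth address is the one reported as dropped, while frames from any of the five learned addresses continue to be forwarded; the log list is what a detection pipeline would consume to alert on an interface that keeps hitting its limit.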

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Configuring Port Security (CLI Procedure) on page 768

Configuring Port Security (J-Web Procedure) on page 769

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN

Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of
source IP addresses or source MAC addresses. These spoofed packets are sent from
hosts connected to untrusted access interfaces on the switch. You can enable the IP
source guard port security feature on EX-series switches to mitigate the effects of
such attacks. If IP source guard determines that a source IP address and a source
MAC address in a binding in an incoming packet are not valid, the switch does not
forward the packet.
If two VLANs share an interface, you can configure IP source guard on just one of
the VLANs; in this example, you configure IP source guard on an untagged data VLAN
but not on the tagged voice VLAN. You can use 802.1X user authentication to validate
the device connections on the data VLAN.
This example describes how to configure IP source guard with 802.1X user
authentication on a data VLAN, with a voice VLAN on the same interface:

Requirements on page 741

Overview and Topology on page 741

Configuration on page 742

Verification on page 744

Requirements
This example uses the following hardware and software components:

One EX-series EX 3200-24P switch

JUNOS Release 9.2 or later for EX-series switches

A DHCP server to provide IP addresses to network devices on the switch

A RADIUS server to provide 802.1X authentication

Before you configure IP source guard for the data VLANs, be sure you have:

Connected the DHCP server to the switch.

Connected the RADIUS server to the switch and configured user authentication
on the server. See Example: Connecting a RADIUS Server for 802.1X to an
EX-series Switch on page 670.

Configured the VLANs. See Example: Setting Up Bridging with Multiple VLANs
for EX-series Switches on page 376 for detailed information about configuring
VLANs.

Overview and Topology


IP source guard checks the IP source address and MAC source address in a packet
sent from a host attached to an untrusted access interface on the switch. If IP source
guard determines that the packet header contains an invalid source IP address or
source MAC address, it ensures that the switch does not forward the packet; that
is, the packet is discarded.
When you configure IP source guard, you enable it on one or more VLANs. IP
source guard applies its checking rules to untrusted access interfaces on those VLANs.
By default, on EX-series switches, access interfaces are untrusted and trunk interfaces
are trusted. IP source guard does not check packets that have been sent to the switch
by devices connected to either trunk interfaces or trusted access interfaces, that is,
interfaces configured with dhcp-trusted so that a DHCP server can be connected to
that interface to provide dynamic IP addresses.
IP source guard obtains information about IP-address/MAC-address/VLAN bindings
from the DHCP snooping database. It causes the switch to validate incoming IP
packets against the entries in that database.
The topology for this example includes one EX-3200-24P switch, a PC and an IP
phone connected on the same interface, a connection to a DHCP server, and a
connection to a RADIUS server for user authentication.

NOTE: The 802.1X user authentication applied in this example is for single
supplicants. Single-secure supplicant mode and multiple supplicant mode do not
work with IP source guard. For more information about 802.1X authentication, see
Understanding 802.1X Authentication on EX-series Switches on page 641.

Tip

You can set the ip-source-guard flag in the traceoptions statement for debugging
purposes.
This example shows how to configure a static IP address to be added to the DHCP
snooping database.

Configuration
CLI Quick Configuration

To quickly configure IP source guard on a data VLAN, copy the following commands
and paste them into the switch terminal window:
set ethernet-switching-options voip interface ge-0/0/14.0 vlan voice
set ethernet-switching-options secure-access-port interface ge-0/0/24.0 dhcp-trusted
set ethernet-switching-options secure-access-port interface ge-0/0/14 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan data
set ethernet-switching-options secure-access-port vlan data examine-dhcp
set ethernet-switching-options secure-access-port vlan data ip-source-guard
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members data
set vlans voice vlan-id 100
set protocols lldp-med interface ge-0/0/14.0
set protocols dot1x authenticator authentication-profile-name profile52
set protocols dot1x authenticator interface ge-0/0/14.0 supplicant single

Step-by-Step Procedure

To configure IP source guard on the data VLAN:


1.

Configure the VoIP interface:


[edit ethernet-switching-options]
user@switch# set voip interface ge-0/0/14.0 vlan voice

2.

Configure the interface on which the DHCP server is connected to the switch
as a trusted interface and add that interface to the data VLAN:
[edit ethernet-switching-options]
user@switch# set secure-access-port interface ge-0/0/24.0 dhcp-trusted
[edit interfaces]
user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members data

3.

Configure a static IP address on an interface on the data VLAN (optional)


[edit ethernet-switching-options]
user@switch# set secure-access-port interface ge-0/0/14 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan data

4.

Configure DHCP snooping and IP source guard on the data VLAN:


[edit ethernet-switching-options]
user@switch# set secure-access-port vlan data examine-dhcp
user@switch# set secure-access-port vlan data ip-source-guard

5.

Configure 802.1X user authentication and LLDP-MED on the interface that is
shared by the data VLAN and the voice VLAN:

[edit protocols]
user@switch# set lldp-med interface ge-0/0/14.0
user@switch# set dot1x authenticator authentication-profile-name profile52
user@switch# set dot1x authenticator interface ge-0/0/14.0 supplicant single

6.

Set the VLAN ID for the voice VLAN:


[edit vlans]
user@switch# set voice vlan-id 100

Results

Check the results of the configuration:


[edit ethernet-switching-options]
user@switch# show
voip {
interface ge-0/0/14.0 {
vlan voice;
}
}
secure-access-port {
interface ge-0/0/14.0 {
static-ip 11.1.1.1 vlan data mac 00:11:11:11:11:11;
}
interface ge-0/0/24.0 {
dhcp-trusted;
}
vlan data {
examine-dhcp;
ip-source-guard;
}
}
[edit interfaces]
ge-0/0/24 {
unit 0 {
family ethernet-switching {
vlan {
members data;
}
}
}
}
[edit vlans]
voice {
vlan-id 100;
}
[edit protocols]
lldp-med {
interface ge-0/0/14.0;

}
dot1x {
authenticator {
authentication-profile-name profile52;
interface {
ge-0/0/14.0 {
supplicant single;
}
}
}
}

Tip

If you wanted to configure IP source guard on the voice VLAN as well as on the data
VLAN, you would configure DHCP snooping and IP source guard exactly as you did
for the data VLAN. The configuration result for the voice VLAN under
secure-access-port would look like this:
secure-access-port {
vlan voice {
examine-dhcp;
ip-source-guard;
}
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying That 802.1X User Authentication Is Working on the Interface on page 744

Verifying the VLAN Association with the Interface on page 745

Verifying That DHCP Snooping and IP Source Guard Are Working on the Data
VLAN on page 745

Verifying That 802.1X User Authentication Is Working on the Interface


Purpose

Action

Verify the 802.1X configuration on interface ge-0/0/14.


Verify the 802.1X configuration with the operational mode command show dot1x
interface:
user@switch> show dot1x interface ge-0/0/14.0 detail
ge-0/0/14.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Supplicant: user100, 00:00:00:00:22:22
Operational state: Authenticated
Reauthentication due in 506 seconds

Meaning

The Supplicant mode output field displays the configured administrative mode for
each interface. Interface ge-0/0/14.0 displays Single supplicant mode.

Verifying the VLAN Association with the Interface


Purpose

Display the interface state and VLAN membership.

Action

user@switch> show ethernet-switching interfaces
Ethernet-switching table: 0 entries, 0 learned
user@switch> show ethernet-switching interfaces
Interface    State  VLAN members  Blocking
ge-0/0/0.0   down   default       unblocked
ge-0/0/1.0   down   employee      unblocked
ge-0/0/2.0   down   employee      unblocked
ge-0/0/12.0  down   default       unblocked
ge-0/0/13.0  down   default       unblocked
ge-0/0/13.0  down   vlan100       unblocked
ge-0/0/14.0  up     voice         unblocked
                    data          unblocked
ge-0/0/17.0  down   employee      unblocked
ge-0/0/23.0  down   default       unblocked
ge-0/0/24.0  down   data          unblocked
                    employee      unblocked
                    vlan100       unblocked
                    voice         unblocked

Meaning

The field VLAN members shows that the ge-0/0/14.0 interface supports both the data
VLAN and the voice VLAN. The State field shows that the interface is up.

Verifying That DHCP Snooping and IP Source Guard Are Working on the
Data VLAN
Purpose

Verify that DHCP snooping and IP source guard are enabled and working on the data
VLAN.

Action

Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the interface on which the DHCP
server connects to the switch is trusted. The following output results when requests
are sent from the MAC addresses and the server has provided the IP addresses and
leases:
user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN      Interface
00:05:85:3A:82:77   192.0.2.17   600              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19   720              dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:81   192.0.2.20   932              dynamic  employee  ge-0/0/2.0
00:30:48:92:A5:9D   10.10.10.7   720              dynamic  vlan100   ge-0/0/13.0
00:30:48:8D:01:3D   10.10.10.9   720              dynamic  data      ge-0/0/14.0
00:30:48:8D:01:5D   10.10.10.8   1230             dynamic  voice     ge-0/0/14.0
00:11:11:11:11:11   11.1.1.1                      static   data      ge-0/0/14.0
00:05:85:27:32:88   192.0.2.22                    static   employee  ge-0/0/17.0
00:05:85:27:32:89   192.0.2.23                    static   employee  ge-0/0/17.0
00:05:85:27:32:90   192.0.2.27                    static   employee  ge-0/0/17.0

View the IP source guard information for the data VLAN:

user@switch> show ip-source-guard
IP source guard information:
Interface    Tag  IP Address   MAC Address         VLAN
ge-0/0/13.0       10.10.10.7   00:30:48:92:A5:9D   vlan100
ge-0/0/14.0  0    10.10.10.9   00:30:48:8D:01:3D   data
ge-0/0/14.0  0    11.1.1.1     00:11:11:11:11:11   data
ge-0/0/13.0  100  *            *                   voice

Meaning

When the interface on which the DHCP server connects to the switch has been set
to trusted, the output (see the preceding sample output for show dhcp snooping binding)
shows, for each MAC address, the assigned IP address and lease time, that is, the
time, in seconds, remaining before the lease expires. Static IP addresses have no
assigned lease time. Statically configured entries never expire.
The IP source guard database table contains the VLANs enabled for IP source guard,
the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there
are any, and the IP addresses and MAC addresses that are bound to one another. If
a switch interface is associated with multiple VLANs and some of those VLANs are
enabled for IP source guard and others are not, the VLANs that are not enabled for
IP source guard have a star (*) in the IP Address and MAC Address fields. See the
entry for the voice VLAN in the preceding sample output.
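The two checks that consult the DHCP snooping database, DAI (verified on Switch 1 earlier in this chapter) and IP source guard (the table just discussed), follow the same pattern: look up the packet's source MAC/IP pair under its VLAN and interface, skip the lookup on trusted interfaces, and drop on a mismatch. The model below is an added example, not part of this guide and not JUNOS code. The bindings are constructed from the sample output above, the ARP packets and the interface-to-VLAN map are constructed for the demonstration, and the trust rule (dhcp-trusted and trunk interfaces are not inspected) follows the overview text; the per-interface counters and the star entries reproduce the shape of show arp inspection statistics and show ip-source-guard.

```python
"""Model of the DAI and IP source guard checks against the DHCP snooping
database. Added example (not JUNOS code): bindings come from the guide's
sample output, packets and VLAN membership are constructed here."""
from collections import namedtuple

Binding = namedtuple("Binding", "mac ip vlan ifname")

# Constructed from the sample `show dhcp snooping binding` output above.
BINDINGS = [
    Binding("00:05:85:3A:82:77", "192.0.2.17", "employee", "ge-0/0/1.0"),
    Binding("00:05:85:3A:82:79", "192.0.2.18", "employee", "ge-0/0/1.0"),
    Binding("00:30:48:92:A5:9D", "10.10.10.7", "vlan100", "ge-0/0/13.0"),
    Binding("00:30:48:8D:01:3D", "10.10.10.9", "data", "ge-0/0/14.0"),
    Binding("00:30:48:8D:01:5D", "10.10.10.8", "voice", "ge-0/0/14.0"),
    Binding("00:11:11:11:11:11", "11.1.1.1", "data", "ge-0/0/14.0"),  # static-ip entry
]


class SecureAccessPort:
    """The secure-access-port settings that matter here: which VLANs run each
    check, and which interfaces are trusted (dhcp-trusted, or trunk mode,
    which is trusted by default) and therefore skip the checks."""

    def __init__(self, arp_inspection=(), ip_source_guard=(), dhcp_trusted=(), trunks=()):
        self.arp_inspection = set(arp_inspection)
        self.ip_source_guard = set(ip_source_guard)
        self.trusted = set(dhcp_trusted) | set(trunks)


class SnoopingDB:
    def __init__(self, bindings):
        self.bindings = list(bindings)
        self._ip_for = {(b.vlan, b.ifname, b.mac): b.ip for b in self.bindings}

    def matches(self, vlan, ifname, mac, ip):
        """True only if this exact MAC/IP pair is bound on this VLAN and interface."""
        return self._ip_for.get((vlan, ifname, mac)) == ip

    def on(self, vlan, ifname):
        return [b for b in self.bindings if b.vlan == vlan and b.ifname == ifname]


def dai_inspect(db, cfg, pkt):
    """DAI: on a VLAN with arp-inspection, an ARP packet from an untrusted
    interface passes only if its sender MAC/IP pair is a valid binding."""
    if pkt["vlan"] not in cfg.arp_inspection or pkt["ifname"] in cfg.trusted:
        return "pass"
    ok = db.matches(pkt["vlan"], pkt["ifname"], pkt["sender_mac"], pkt["sender_ip"])
    return "pass" if ok else "fail"


def ipsg_filter(db, cfg, pkt):
    """IP source guard: on an enabled VLAN, an IP packet from an untrusted
    interface is forwarded only if its source MAC/IP pair is bound there."""
    if pkt["vlan"] not in cfg.ip_source_guard or pkt["ifname"] in cfg.trusted:
        return "forward"
    ok = db.matches(pkt["vlan"], pkt["ifname"], pkt["src_mac"], pkt["src_ip"])
    return "forward" if ok else "discard"


def arp_inspection_statistics(db, cfg, packets):
    """Per-interface counters in the shape of `show arp inspection statistics`."""
    stats = {}
    for pkt in packets:
        s = stats.setdefault(pkt["ifname"], {"received": 0, "pass": 0, "failed": 0})
        s["received"] += 1
        s["pass" if dai_inspect(db, cfg, pkt) == "pass" else "failed"] += 1
    return stats


def ip_source_guard_table(db, cfg, interface_vlans):
    """Rows in the shape of `show ip-source-guard` for untrusted interfaces:
    bound IP/MAC pairs for VLANs with ip-source-guard, and '*' for the other
    VLANs an interface carries (the voice VLAN in the example)."""
    rows = []
    for ifname, vlans in interface_vlans.items():
        if ifname in cfg.trusted:
            continue
        for vlan, tag in vlans:
            if vlan in cfg.ip_source_guard:
                rows.extend((ifname, tag, b.ip, b.mac, vlan) for b in db.on(vlan, ifname))
            else:
                rows.append((ifname, tag, "*", "*", vlan))
    return rows


# Constructed configuration and traffic for the demonstration.
EXAMPLE_CFG = SecureAccessPort(arp_inspection={"employee", "data"},
                               ip_source_guard={"data"},
                               dhcp_trusted={"ge-0/0/24.0"})
ARP_PACKETS = [  # the third packet's sender IP does not belong to its sender MAC
    {"ifname": "ge-0/0/1.0", "vlan": "employee", "sender_mac": "00:05:85:3A:82:77", "sender_ip": "192.0.2.17"},
    {"ifname": "ge-0/0/1.0", "vlan": "employee", "sender_mac": "00:05:85:3A:82:79", "sender_ip": "192.0.2.18"},
    {"ifname": "ge-0/0/1.0", "vlan": "employee", "sender_mac": "00:05:85:3A:82:77", "sender_ip": "192.0.2.18"},
    {"ifname": "ge-0/0/24.0", "vlan": "employee", "sender_mac": "00:00:5E:00:53:01", "sender_ip": "192.0.2.1"},
]
INTERFACE_VLANS = {"ge-0/0/14.0": [("data", 0), ("voice", 100)], "ge-0/0/24.0": [("data", 0)]}

if __name__ == "__main__":
    db = SnoopingDB(BINDINGS)
    for ifname, s in arp_inspection_statistics(db, EXAMPLE_CFG, ARP_PACKETS).items():
        print(ifname, s)
    for row in ip_source_guard_table(db, EXAMPLE_CFG, INTERFACE_VLANS):
        print(*row)
```

Two details the model makes visible: the ARP packet on the dhcp-trusted interface ge-0/0/24.0 is counted as passed without any lookup, which is why a trusted interface must only ever face a device you control, and a packet on the voice VLAN is forwarded regardless of its addresses because that VLAN is not enabled for IP source guard, matching the star entry in the table above.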

Related Topics

Example: Configuring IP Source Guard with Other EX-series Switch Features to
Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 746

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch on page 691

Configuring IP Source Guard (CLI Procedure) on page 781

Example: Configuring IP Source Guard with Other EX-series Switch Features to
Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces

Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of
source IP addresses or source MAC addresses. These spoofed packets are sent from
hosts connected to untrusted access interfaces on the switch. You can enable the IP
source guard port security feature on EX-series switches to mitigate the effects of
such attacks. If IP source guard determines that a source IP address and a source
MAC address in a binding in an incoming packet are not valid, the switch does not
forward the packet.

You can use IP source guard in combination with other EX-series switch features to
mitigate address-spoofing attacks on untrusted access interfaces. This example shows
two configuration scenarios:

Requirements on page 747

Overview and Topology on page 747

Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and
Dynamic ARP Inspection on page 748

Configuring IP Source Guard on a Guest VLAN on page 750

Verification on page 753

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.2 or later for EX-series switches

An EX 4200-24P switch

A DHCP server to provide IP addresses to network devices on the switch

A RADIUS server to provide 802.1X authentication

Before you configure IP source guard for these scenarios, be sure you have:

Connected the DHCP server to the switch.

Connected the RADIUS server and configured user authentication on the RADIUS
server. See Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch on page 670.

Configured the VLANs on the switch. See Example: Setting Up Bridging with
Multiple VLANs for EX-series Switches on page 376 for detailed information about
configuring VLANs.

Overview and Topology


IP source guard checks the IP source address and MAC source address in a packet
sent from a host attached to an untrusted access interface on the switch. If IP source
guard determines that the packet header contains an invalid source IP address or
source MAC address, it ensures that the switch does not forward the packet; that
is, the packet is discarded.
When you configure IP source guard, you enable it on one or more VLANs. IP
source guard applies its checking rules to untrusted access interfaces on those VLANs.
By default, on EX-series switches, access interfaces are untrusted and trunk interfaces
are trusted. IP source guard does not check packets that have been sent to the switch
by devices connected to either trunk interfaces or trusted access interfaces, that is,
interfaces configured with dhcp-trusted so that a DHCP server can be connected to
that interface to provide dynamic IP addresses.

IP source guard obtains information about IP-address/MAC-address/VLAN bindings
from the DHCP snooping database. It causes the switch to validate incoming IP
packets against the entries in that database.
The topology for this example includes an EX-4200-24P switch, a connection to a
DHCP server, and a connection to a RADIUS server for user authentication.

NOTE: The 802.1X user authentication applied in this example is for single
supplicants. Single-secure supplicant mode and multiple supplicant mode do not
work with IP source guard. For more information about 802.1X authentication, see
Understanding 802.1X Authentication on EX-series Switches on page 641.
In the first example configuration, two clients (network devices) are connected to
an access switch. You configure IP source guard and 802.1X user authentication, in
combination with access port security features DHCP snooping and dynamic ARP
inspection (DAI). This setup is designed to protect the switch from IP attacks such
as ping of death attacks, DHCP starvation, and ARP spoofing.
In the second example configuration, the switch is configured for 802.1X user
authentication. If the client fails authentication, the switch redirects the client to a
guest VLAN that allows this client to access a set of restricted network features. You
configure IP source guard on the guest VLAN to mitigate effects of source IP spoofing.

NOTE: Control-plane rate limiting is achieved by restricting CPU control-plane
protection. It can be used in conjunction with storm control (see Understanding
Storm Control on EX-series Switches on page 367) to limit data-plane activity.
Tip

You can set the ip-source-guard flag in the traceoptions statement for debugging
purposes.

Configuring IP Source Guard with 802.1X Authentication, DHCP Snooping, and Dynamic
ARP Inspection
CLI Quick Configuration

To quickly configure IP source guard with 802.1X authentication and with other
access port security features, copy the following commands and paste them into the
switch terminal window:
set ethernet-switching-options secure-access-port interface ge-0/0/24 dhcp-trusted
set ethernet-switching-options secure-access-port vlan data examine-dhcp
set ethernet-switching-options secure-access-port vlan data arp-inspection
set ethernet-switching-options secure-access-port vlan data ip-source-guard
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members data
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members data
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members data
set protocols lldp-med interface ge-0/0/0.0
set protocols dot1x authenticator authentication-profile-name profile52
set protocols dot1x authenticator interface ge-0/0/0.0 supplicant single
set protocols lldp-med interface ge-0/0/1.0
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single

Step-by-Step Procedure

To configure IP source guard with 802.1X authentication and various port security
features:
1.

Configure the interface on which the DHCP server is connected to the switch
as a trusted interface and add that interface to the data VLAN:
[edit ethernet-switching-options]
user@switch# set secure-access-port interface ge-0/0/24 dhcp-trusted
[edit interfaces]
user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members data

2.

Associate two interfaces with the data VLAN:


[edit interfaces]
user@switch# set ge-0/0/0 unit 0 family ethernet-switching vlan members data
user@switch# set ge-0/0/1 unit 0 family ethernet-switching vlan members data

3.

Configure 802.1X user authentication and LLDP-MED on the two interfaces that
you associated with the data VLAN:
[edit protocols]
user@switch# set lldp-med interface ge-0/0/0.0
user@switch# set dot1x authenticator authentication-profile-name profile52
user@switch# set dot1x authenticator interface ge-0/0/0.0 supplicant single
user@switch# set lldp-med interface ge-0/0/1.0
user@switch# set dot1x authenticator interface ge-0/0/1.0 supplicant single

4.

Configure access port security features DHCP snooping, dynamic ARP inspection
(DAI), and IP source guard on the data VLAN:
[edit ethernet-switching-options]
user@switch# set secure-access-port vlan data examine-dhcp
user@switch# set secure-access-port vlan data arp-inspection
user@switch# set secure-access-port vlan data ip-source-guard

Results

Check the results of the configuration:


[edit ethernet-switching-options]
secure-access-port {
interface ge-0/0/24.0 {
dhcp-trusted;
}
vlan data {
arp-inspection;
examine-dhcp;
ip-source-guard;
}
}
[edit interfaces]

ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members data;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members data;
}
}
}
}
ge-0/0/24 {
unit 0 {
family ethernet-switching {
vlan {
members data;
}
}
}
}
[edit protocols]
lldp-med {
interface ge-0/0/14.0;
interface ge-0/0/0.0;
interface ge-0/0/1.0;
}
dot1x {
authenticator {
authentication-profile-name profile52;
}
interface {
ge-0/0/0.0 {
supplicant single;
}
ge-0/0/1.0 {
supplicant single;
}
ge-0/0/14.0 {
supplicant single;
}
}
}

Configuring IP Source Guard on a Guest VLAN


CLI Quick Configuration

To quickly configure IP source guard on a guest VLAN, copy the following commands
and paste them into the switch terminal window:

set ethernet-switching-options secure-access-port interface ge-0/0/24 dhcp-trusted
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members employee
set ethernet-switching-options secure-access-port vlan employee examine-dhcp
set ethernet-switching-options secure-access-port vlan employee ip-source-guard
set ethernet-switching-options secure-access-port interface ge-0/0/0 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan employee
set ethernet-switching-options secure-access-port interface ge-0/0/1 static-ip 11.1.1.2 mac 00:22:22:22:22:22 vlan employee
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set protocols dot1x authenticator authentication-profile-name profile52
set protocols dot1x authenticator interface ge-0/0/0 supplicant single
set protocols dot1x authenticator interface ge-0/0/0 guest-vlan employee
set protocols dot1x authenticator interface ge-0/0/0 supplicant-timeout 2
set protocols dot1x authenticator interface ge-0/0/1 supplicant single
set protocols dot1x authenticator interface ge-0/0/1 guest-vlan employee
set protocols dot1x authenticator interface ge-0/0/1 supplicant-timeout 2
set vlans employee vlan-id 300

Step-by-Step Procedure

To configure IP source guard on a guest VLAN:


1.

Configure the interface on which the DHCP server is connected to the switch
as a trusted interface and add that interface to the employee VLAN:
[edit ethernet-switching-options]
user@switch# set secure-access-port interface ge-0/0/24 dhcp-trusted
[edit interfaces]
user@switch# set ge-0/0/24 unit 0 family ethernet-switching vlan members employee

2.

Configure two interfaces for the access port mode:


[edit interfaces]
user@switch# set ge-0/0/0 unit 0 family ethernet-switching port-mode access
user@switch# set ge-0/0/1 unit 0 family ethernet-switching port-mode access

3.

Configure DHCP snooping and IP source guard on the employee VLAN:


[edit ethernet-switching-options]
user@switch# set secure-access-port vlan employee examine-dhcp
user@switch# set secure-access-port vlan employee ip-source-guard

4.

Configure a static IP address on each of two interfaces on the employee VLAN
(optional):
[edit ethernet-switching-options]
user@switch# set secure-access-port interface ge-0/0/0 static-ip 11.1.1.1 mac 00:11:11:11:11:11 vlan employee

user@switch# set secure-access-port interface ge-0/0/1 static-ip 11.1.1.2 mac 00:22:22:22:22:22 vlan employee

5.

Configure 802.1X user authentication:

[edit protocols]
user@switch# set dot1x authenticator authentication-profile-name profile52
user@switch# set dot1x authenticator interface ge-0/0/0 supplicant single
user@switch# set dot1x authenticator interface ge-0/0/1 supplicant single
user@switch# set dot1x authenticator interface ge-0/0/0 guest-vlan employee
user@switch# set dot1x authenticator interface ge-0/0/1 guest-vlan employee
user@switch# set dot1x authenticator interface ge-0/0/0 supplicant-timeout 2
user@switch# set dot1x authenticator interface ge-0/0/1 supplicant-timeout 2

6.

Set the VLAN ID for the employee VLAN:


[edit vlans]
user@switch# set employee vlan-id 100

Results

Check the results of the configuration:


[edit protocols]
dot1x {
authenticator {
authentication-profile-name profile52;
}
interface {
ge-0/0/0.0 {
guest-vlan employee;
supplicant single;
supplicant-timeout 2;
}
ge-0/0/1.0 {
guest-vlan employee;
supplicant single;
supplicant-timeout 2;
}
}
}
}
[edit vlans]
employee {
vlan-id 100;
}
[edit interfaces]
ge-0/0/0 {
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {

port-mode access;
}
}
}
ge-0/0/24 {
unit 0 {
family ethernet-switching {
vlan {
members employee;
}
}
}
}
[edit ethernet-switching-options]
secure-access-port {
interface ge-0/0/0.0 {
static-ip 11.1.1.1 vlan employee mac 00:11:11:11:11:11;
}
interface ge-0/0/1.0 {
static-ip 11.1.1.2 vlan employee mac 00:22:22:22:22:22;
}
interface ge-0/0/24.0 {
dhcp-trusted;
}
vlan employee {
examine-dhcp;
ip-source-guard;
}
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying That 802.1X User Authentication Is Working on the Interface on page 753

Verifying the VLAN Association with the Interface on page 753

Verifying That DHCP Snooping and IP Source Guard Are Working on the
VLAN on page 754

Verifying That 802.1X User Authentication Is Working on the Interface


Purpose

Verify that the 802.1X configuration is working on the interface.

Action

Use the show dot1x interface command (see page 873) to view the 802.1X details.

Meaning

The Supplicant mode output field displays the configured administrative mode for
each interface.

Verifying the VLAN Association with the Interface


Purpose

Verify interface states and VLAN memberships.

Action

Use the show ethernet-switching interfaces command (see page 545) to view the Ethernet
switching table entries.

Meaning

The field VLAN members shows the associations between VLANs and interfaces. The
State field shows whether the interfaces are up or down.
For the guest VLAN configuration, the interface is associated with the guest VLAN if
and when the supplicant fails 802.1X user authentication.

Verifying That DHCP Snooping and IP Source Guard Are Working on the
VLAN
Purpose

Verify that DHCP snooping and IP source guard are enabled and working on the
VLAN.

Action

Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Use the show dhcp snooping binding command (see page 872) to display the DHCP
snooping information when the interface on which the DHCP server connects to the
switch is trusted. View the MAC addresses from which requests were sent and the
IP addresses and leases provided by the server.
Use the show ip-source-guard command (see page 1160) to view IP source guard information
for the VLAN.

Meaning

When the interface on which the DHCP server connects to the switch has been set
to trusted, the output shows, for each MAC address, the assigned IP address and
lease time, that is, the time, in seconds, remaining before the lease expires. Static
IP addresses have no assigned lease time. Statically configured entries never expire.
The IP source guard database table contains the VLANs enabled for IP source guard,
the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there
are any, and the IP addresses and MAC addresses that are bound to one another. If
a switch interface is associated with multiple VLANs and some of those VLANs are
enabled for IP source guard and others are not, the VLANs that are not enabled for
IP source guard have a star (*) in the IP Address and MAC Address fields.
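
The checks that IP source guard and DAI make against the DHCP snooping database,
shown as an added Python model rather than switch output (it is not JUNOS code;
the binding table, interface names and addresses are constructed for the example,
and the trusted-interface set stands in for interfaces configured dhcp-trusted):

```python
"""Model of the checks IP source guard and DAI make against the DHCP snooping
database (added example, not JUNOS code; all data below is constructed)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Binding:
    mac: str                 # client hardware address, lowercase colon form
    ip: str                  # address the DHCP server leased, or a static entry
    vlan: str
    interface: str           # untrusted access interface the client is on
    lease: Optional[int]     # seconds remaining; None for a static binding


# Constructed stand-in for 'show dhcp snooping binding' (not real switch output).
SNOOPING_DB: List[Binding] = [
    Binding("00:05:85:3a:82:80", "192.0.2.10", "employee-vlan", "ge-0/0/1.0", 86300),
    Binding("00:05:85:3a:82:81", "192.0.2.11", "employee-vlan", "ge-0/0/2.0", 86280),
    Binding("00:05:85:3a:82:90", "192.0.2.50", "employee-vlan", "ge-0/0/3.0", None),
]

# Interfaces configured dhcp-trusted (where the DHCP server attaches); neither
# IP source guard nor DAI filters traffic arriving on them.
TRUSTED_INTERFACES = {"ge-0/0/8.0"}


def lookup(ip: str, vlan: str) -> Optional[Binding]:
    """Return the binding for (ip, vlan), or None if the database has none."""
    for b in SNOOPING_DB:
        if b.ip == ip and b.vlan == vlan:
            return b
    return None


def ip_source_guard_permits(src_ip: str, src_mac: str, vlan: str, interface: str) -> bool:
    """IP source guard: an IP packet from an untrusted interface is forwarded only
    if its source IP and source MAC are bound to each other in the database."""
    if interface in TRUSTED_INTERFACES:
        return True
    b = lookup(src_ip, vlan)
    return b is not None and b.mac == src_mac.lower()


def dai_permits(sender_ip: str, sender_mac: str, vlan: str, interface: str) -> bool:
    """Dynamic ARP inspection: an ARP packet from an untrusted interface is valid
    only if its sender IP/MAC pair exists in the database, which blocks the forged
    replies used for ARP cache poisoning."""
    if interface in TRUSTED_INTERFACES:
        return True
    b = lookup(sender_ip, vlan)
    return b is not None and b.mac == sender_mac.lower()


def age(seconds: int) -> List[Binding]:
    """Bindings still valid after `seconds` have elapsed: dynamic leases expire,
    static entries never do. Does not modify SNOOPING_DB."""
    survivors = []
    for b in SNOOPING_DB:
        if b.lease is None:
            survivors.append(b)
        elif b.lease > seconds:
            survivors.append(Binding(b.mac, b.ip, b.vlan, b.interface, b.lease - seconds))
    return survivors
```

The two spoofing cases, a client sending from another client's leased address and
an ARP reply that binds a neighbour's IP to the attacker's MAC, fail because the
database holds one MAC per leased address. Traffic on the server-facing trusted
interface bypasses both checks, which is why only that interface should be marked
trusted.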

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch on page 691

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface
with a Voice VLAN on page 740

Configuring IP Source Guard (CLI Procedure) on page 781

Chapter 45

Configuring 802.1X, Port Security, and VoIP

Configuring 802.1X Authentication (CLI Procedure) on page 756

Configuring 802.1X Authentication (J-Web Procedure) on page 758

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761

Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on page 762

Configuring LLDP (CLI Procedure) on page 764

Configuring LLDP (J-Web Procedure) on page 765

Configuring LLDP-MED (CLI Procedure) on page 766

Configuring Port Security (CLI Procedure) on page 768

Configuring Port Security (J-Web Procedure) on page 769

Enabling DHCP Snooping (CLI Procedure) on page 771

Enabling DHCP Snooping (J-Web Procedure) on page 772

Enabling a Trusted DHCP Server (CLI Procedure) on page 773

Enabling a Trusted DHCP Server (J-Web Procedure) on page 773

Enabling Dynamic ARP Inspection (CLI Procedure) on page 774

Enabling Dynamic ARP Inspection (J-Web Procedure) on page 775

Configuring MAC Limiting (CLI Procedure) on page 776

Configuring MAC Limiting (J-Web Procedure) on page 777

Configuring MAC Move Limiting (CLI Procedure) on page 779

Configuring MAC Move Limiting (J-Web Procedure) on page 779

Setting the none Action on an Interface to Override a MAC Limit Applied to All
Interfaces (CLI Procedure) on page 780

Configuring IP Source Guard (CLI Procedure) on page 781

Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 783

Configuring 802.1X Authentication (CLI Procedure)


IEEE 802.1X authentication provides network edge security, protecting Ethernet
LANs from denial-of-service (DoS) attacks and preventing unauthorized user access.
802.1X works by using an Authenticator Port Access Entity (the EX-series switch) to
block all traffic to and from a supplicant (client) at the interface until the supplicant's
credentials are presented and matched on the Authentication server (a RADIUS server).
When authenticated, the switch stops blocking and opens the interface to the
supplicant.
To configure 802.1X authentication:

Specify the RADIUS server to be used as the authentication server.

Specify the 802.1X exclusion list, which identifies supplicants that can bypass
802.1X authentication and be connected to the LAN automatically.

Specify 802.1X interface settings on the switch.

1. Configuring the RADIUS Server on page 756
2. Configuring Static MAC Bypass on page 757
3. Configuring 802.1X Interface Settings on page 757

Configuring the RADIUS Server

To configure a RADIUS server:

1. Define the address of the server, the RADIUS server authentication port number,
and the shared secret. The secret on the switch must match the secret configured
on the server for this client. Use a long, random secret: it is the only key RADIUS
has for protecting the messages exchanged between the switch and the server.
[edit access]
user@switch# set radius-server 10.0.0.100 port 1812 secret abc

2. Configure the authentication order, making radius the first method of
authentication:
[edit access]
user@switch# set profile profile1 authentication-order radius

3. Configure the list of server IP addresses to be tried, in order, to authenticate
the supplicant:
[edit access]
user@switch# set profile profile1 radius authentication-server [ 10.0.0.100 10.2.14.200 ]

Configuring Static MAC Bypass

Configure any MAC addresses, supplicants, or interfaces to be excluded from 802.1X
authentication, that is, hosts that are admitted to the LAN without being
authenticated by the RADIUS server. Because a MAC address is trivial to spoof, limit
the bypass list to devices that cannot run a supplicant (printers, for example) and
bind each entry to the interface where that device is expected.
To configure the 802.1X exclusion:

1. Specify a MAC address to be excluded from 802.1X authentication:
[edit protocols dot1x]
user@switch# set authenticator static 00:04:0f:fd:ac:fe

2. Configure a supplicant to bypass authentication only if it is connected through a
particular interface:
[edit protocols dot1x]
user@switch# set authenticator static 00:04:0f:fd:ac:fe interface ge-0/0/5

3. Configure the VLAN to which the bypassed supplicant is moved once it is admitted:
[edit protocols dot1x]
user@switch# set authenticator static 00:04:0f:fd:ac:fe interface ge-0/0/5
vlan-assignment default-vlan

Configuring 802.1X Interface Settings

Configure the supplicant mode, reauthentication, the administrative mode, and
timeout values.
To configure the interface settings:

1. Configure the supplicant mode as single (authenticates only the first supplicant;
hosts that connect to the interface later are admitted without being authenticated),
single-secure (allows only one supplicant on the interface), or multiple
(authenticates each of multiple supplicants individually):
[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/5 supplicant multiple

2. Enable reauthentication and set the interval, in seconds, between
reauthentications:
[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/5 reauthentication interval 5

3. Configure the port timeout value for the response from the supplicant:
[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/5 supplicant-timeout 5

4. Configure the timeout for the interface before it resends an authentication request
to the RADIUS server:
[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/5 server-timeout 5

5. Configure how long the interface waits before retransmitting the initial EAPOL
PDUs to the supplicant:
[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/5 transmit-period 5
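
How the static MAC bypass list and the three supplicant modes decide what happens
when a host appears on an authenticator port, as an added Python model (not Juniper
code). The RADIUS server is replaced by a constructed accept/reject table, and the
MAC addresses, interface and VLAN names are assumptions:

```python
"""Toy model of an EX-series 802.1X authenticator port: the static MAC bypass
list and the single / single-secure / multiple supplicant modes (added example,
not Juniper code; the RADIUS server is a constructed accept/reject table)."""
from typing import Dict, Optional

# Constructed stand-in for the RADIUS authentication server's verdict per MAC.
RADIUS_ACCEPTS: Dict[str, bool] = {
    "00:11:22:33:44:01": True,     # credentials accepted
    "00:11:22:33:44:02": False,    # credentials rejected
    "00:11:22:33:44:03": True,
}

# Static MAC bypass list, as configured with
# 'set authenticator static <mac> [interface <name>] [vlan-assignment <vlan>]'.
# interface None means the entry applies on any interface; vlan None means the
# host lands in the port's normal data VLAN (assumption for this model).
STATIC_BYPASS: Dict[str, dict] = {
    "00:04:0f:fd:ac:fe": {"interface": "ge-0/0/5", "vlan": "default-vlan"},
    "00:04:0f:fd:ac:ff": {"interface": None, "vlan": None},
}


class AuthenticatorPort:
    def __init__(self, name: str, mode: str, data_vlan: str = "employee-vlan",
                 guest_vlan: Optional[str] = None):
        if mode not in ("single", "single-secure", "multiple"):
            raise ValueError("supplicant mode must be single, single-secure or multiple")
        self.name = name
        self.mode = mode
        self.data_vlan = data_vlan
        self.guest_vlan = guest_vlan          # None: hosts that fail stay blocked
        self.authenticated = set()            # MACs that actually passed RADIUS
        self.admitted: Dict[str, str] = {}    # MAC -> VLAN it was placed in

    def connect(self, mac: str) -> Optional[str]:
        """A host with this MAC appears on the port. Return the VLAN it is placed
        in, or None if the port keeps blocking it."""
        mac = mac.lower()
        entry = STATIC_BYPASS.get(mac)
        if entry and entry["interface"] in (None, self.name):
            return self._admit(mac, entry["vlan"] or self.data_vlan)
        if self.mode == "single" and self.authenticated:
            # The first supplicant opened the port; later hosts are not checked.
            return self._admit(mac, self.data_vlan)
        if self.mode == "single-secure" and self.authenticated and mac not in self.authenticated:
            return None                        # exactly one supplicant may use the port
        if RADIUS_ACCEPTS.get(mac, False):
            self.authenticated.add(mac)
            return self._admit(mac, self.data_vlan)
        if self.guest_vlan:
            return self._admit(mac, self.guest_vlan)   # failed authentication
        return None

    def _admit(self, mac: str, vlan: str) -> str:
        self.admitted[mac] = vlan
        return vlan
```

The single mode is the one to be careful with: after the first supplicant
authenticates, any device behind a hub or an unmanaged switch on the same port is
admitted without credentials, as the second connection of the rejected host shows.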

Related Topics

Configuring 802.1X Authentication (J-Web Procedure) on page 758

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch

Monitoring 802.1X Authentication on page 785

Configuring LLDP (CLI Procedure) on page 764

Understanding 802.1X Authentication on EX-series Switches on page 641

Configuring 802.1X Authentication (J-Web Procedure)

To configure 802.1X settings using J-Web:

1. From the Configure menu, select Security > 802.1X.
The 802.1X screen displays a list of interfaces, whether 802.1X security has been
enabled, and the assigned port role.
When you select a particular interface, the Details section displays 802.1X details
for the selected interface.

2. Click one:

RADIUS Servers: Specifies the RADIUS server to be used for authentication. Select
the checkbox to select the required server. Click Add or Edit to add or modify the
RADIUS server settings. Enter information as specified in Table 106 on page 759.

Exclusion List: Excludes hosts from 802.1X authentication by specifying their MAC
addresses. Click Add or Edit in the Exclusion List screen to add or modify the MAC
addresses. Enter information as specified in Table 107 on page 759.

Edit: Specifies 802.1X settings for the selected interface:

    Apply 802.1X Profile: Applies a predefined 802.1X profile based on the port
    role. If a message appears asking if you want to configure a RADIUS server,
    click Yes.

    802.1X Configuration: Configures custom 802.1X settings for the selected
    interface. If a message appears asking if you want to configure a RADIUS
    server, click Yes, and enter the server information as specified in
    Table 106 on page 759. To configure the 802.1X settings, enter information
    as specified in Table 108 on page 759.

Delete: Deletes the 802.1X authentication configuration on the selected interface.


Table 106: RADIUS Server Settings

IP Address
    Function: Specifies the IP address of the server.
    Your Action: Enter the IP address in dotted decimal notation.

Password
    Function: Specifies the shared secret used with the server (the same secret
    is configured on the server for this switch).
    Your Action: Enter the secret.

Confirm Password
    Function: Verifies the shared secret entered for the server.
    Your Action: Reenter the secret.

Server Port Number
    Function: Specifies the UDP port on which the server accepts authentication
    requests.
    Your Action: Type the port number.

Source Address
    Function: Specifies the source IP address the switch uses in requests to the
    server.
    Your Action: Type the switch's IPv4 address in dotted decimal notation.

Retry Attempts
    Function: Specifies how many times the switch retries a request to the server
    before giving up on it.
    Your Action: Type the number.

Timeout
    Function: Specifies how long the switch waits for a reply from the server
    before retrying or trying the next server.
    Your Action: Type the interval in seconds.

Table 107: 802.1X Exclusion List

MAC Address
    Function: Specifies the MAC address to be excluded from 802.1X authentication.
    Your Action: Enter the MAC address.

Exclude if connected through the port
    Function: Specifies that the host can bypass authentication only if it is
    connected through a particular interface.
    Your Action: Select to enable the option. Select the port through which the
    host is connected.

Move the host to the VLAN
    Function: Specifies moving the host to a specific VLAN once the host is
    admitted.
    Your Action: Select to enable the option. Select the VLAN from the list.

Table 108: 802.1X Port Settings

Supplicant Mode
    Function: Specifies the mode to be adopted for supplicants:
        Single allows only one host for authentication.
        Multiple allows multiple hosts for authentication. Each host is checked
        before being admitted to the network.
        Single authentication for multiple hosts allows multiple hosts, but only
        the first is authenticated; the others are admitted on its credentials.
    Your Action: Select the required mode.

Authentication: Enable re-authentication
    Function: Specifies enabling reauthentication on the selected interface.
    Your Action:
        1. Select to enable reauthentication.
        2. Enter the timeout for reauthentication in seconds.

Action on authentication failure
    Function: Specifies the action to be taken in case of an authentication failure.
    Your Action: Select one:
        Move to the Guest VLAN: Select the VLAN to move the interface to.
        Deny: The host is not permitted access.

Timeouts
    Function: Specifies the timeout and retry values for the interface.
    Your Action: Enter the value (in seconds, or a count for the request and retry
    limits) for:
        Port waiting time after an authentication failure
        EAPOL re-transmitting interval
        Max. EAPOL requests
        Maximum number of retries
        Port timeout value for the response from the supplicant
        Port timeout value for the response from the RADIUS server

Related Topics

Configuring 802.1X Authentication (CLI Procedure) on page 756

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant
Configurations on an EX-series Switch on page 685

Understanding 802.1X Authentication on EX-series Switches on page 641

802.1X for EX-series Switches Overview on page 639

Configuring 802.1X RADIUS Accounting (CLI Procedure)

RADIUS accounting permits statistical data about users logging onto or off a LAN to
be collected and sent to a RADIUS accounting server. The statistical data gathered
can be used for general network monitoring, to analyze and track usage patterns, or
to bill a user based upon the amount of time or type of services accessed.
To configure basic RADIUS accounting using the CLI:

1. Specify the accounting servers to which the switch will forward accounting
statistics:
[edit access]
user@switch# set profile profile1 radius accounting-server [ 122.69.1.250 122.69.1.252 ]

2. Define the RADIUS accounting servers and their shared secrets:
[edit access]
user@switch# set radius-server 122.69.1.250 secret juniper
user@switch# set radius-server 122.69.1.252 secret juniper1

3. Enable accounting for the access profile:
[edit access]
user@switch# set profile profile1 accounting

4. Configure the accounting methods to use, in order, when sending accounting
messages and updates:
[edit access]
user@switch# set profile profile1 accounting order radius none

5. Configure the switch to also send an accounting stop message when the server
denies access and when authentication fails, so that denied attempts are recorded:
[edit access]
user@switch# set profile profile1 accounting accounting-stop-on-access-deny
user@switch# set profile profile1 accounting accounting-stop-on-failure

6. Display the accounting statistics collected on the switch:
user@switch> show network-access aaa statistics accounting
Accounting module statistics
Requests received: 1
Accounting Response failures: 0
Accounting Response Success: 1
Requests timedout: 0

7. Open an accounting log on the RADIUS accounting server using the server's
address, and view the accounting records:

[root@freeradius]# cd /usr/local/var/log/radius/radacct/122.69.1.250
[root@freeradius 122.69.1.250]# ls
detail-20071214
[root@freeradius 122.69.1.250]# vi detail-20071214

Thu Feb  7 01:01:00 2008
        User-Name = "md5user01"
        NAS-Port = 4325376
        Acct-Status-Type = Start
        Acct-Session-Id = "8O2.1x80101b"
        NAS-Identifier = "sys-java97"
        NAS-Port-Type = Virtual
        NAS-IP-Address = 10.93.15.197
        Client-IP-Address = 10.93.15.197
        Acct-Unique-Session-Id = "b0a382acdc4387a5"
        Timestamp = 1202374860

Thu Feb  7 02:34:47 2008
        User-Name = "md5user01"
        NAS-Port = 4325376
        Acct-Status-Type = Stop
        Acct-Session-Id = "8O2.1x8011b"
        Acct-Input-Octets = 0
        Acct-Output-Octets = 72
        Acct-Session-Time = 1202349593
        Acct-Input-Packets = 0
        Acct-Output-Packets = 1
        Acct-Terminate-Cause = Lost-Carrier
        Acct-Input-Gigawords = 0
        Acct-Output-Gigawords = 0
        NAS-Identifier = "sys-java97"
        NAS-Port-Type = Virtual
        NAS-IP-Address = 10.93.15.197
        Client-IP-Address = 10.93.15.197
        Acct-Unique-Session-Id = "eb4e171ae562daf5"
        Timestamp = 1202380487

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series


Switch on page 670

Understanding 802.1X and AAA Accounting on EX-series Switches on page 647
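
A parser for the detail file shown in step 7 of the procedure above (an added
example, not part of the Juniper procedure or of FreeRADIUS). It pairs Start and
Stop records by Acct-Session-Id and flags two things worth checking before these
logs are used for billing or for reconstructing who was on a port: sessions that
never stopped, and session times that disagree with the record timestamps. The
records embedded below are constructed in the detail-file format; they are not the
ones printed above:

```python
"""Parse a FreeRADIUS 'detail' accounting file into 802.1X sessions and flag the
records worth a second look (added example, not part of the Juniper procedure;
the sample records are constructed in the format of a detail file)."""
import re
from collections import defaultdict
from typing import Dict, Iterator, List

# Constructed sample records (not the output shown in the procedure).
SAMPLE_DETAIL = """\
Thu Feb  7 01:01:00 2008
\tUser-Name = "md5user01"
\tNAS-Port = 4325376
\tAcct-Status-Type = Start
\tAcct-Session-Id = "802.1x80101b"
\tNAS-IP-Address = 10.93.15.197
\tTimestamp = 1202374860

Thu Feb  7 02:34:47 2008
\tUser-Name = "md5user01"
\tNAS-Port = 4325376
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "802.1x80101b"
\tAcct-Input-Octets = 0
\tAcct-Output-Octets = 72
\tAcct-Session-Time = 5627
\tAcct-Terminate-Cause = Lost-Carrier
\tNAS-IP-Address = 10.93.15.197
\tTimestamp = 1202380487

Thu Feb  7 03:00:00 2008
\tUser-Name = "md5user02"
\tNAS-Port = 4325377
\tAcct-Status-Type = Start
\tAcct-Session-Id = "802.1x80102c"
\tNAS-IP-Address = 10.93.15.197
\tTimestamp = 1202382000
"""

_ATTR = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_detail(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record: an unindented date line, then indented
    'Attribute = value' lines, terminated by a blank line."""
    record = None
    for line in text.splitlines():
        if not line.strip():
            if record:
                yield record
            record = None
        elif not line[0].isspace():
            record = {"_date": line.strip()}
        elif record is not None:
            m = _ATTR.match(line)
            if m:
                record[m.group(1)] = m.group(2)
    if record:
        yield record


def sessions(text: str) -> Dict[str, dict]:
    """Pair Start and Stop records by Acct-Session-Id."""
    out: Dict[str, dict] = defaultdict(dict)
    for r in parse_detail(text):
        sid = r.get("Acct-Session-Id")
        if sid is None:
            continue
        s = out[sid]
        s.setdefault("user", r.get("User-Name"))
        if r.get("Acct-Status-Type") == "Start":
            s["start"] = int(r["Timestamp"])
        elif r.get("Acct-Status-Type") == "Stop":
            s["stop"] = int(r["Timestamp"])
            s["duration"] = int(r.get("Acct-Session-Time", "0"))
            s["cause"] = r.get("Acct-Terminate-Cause")
    return dict(out)


def open_sessions(text: str) -> List[str]:
    """Sessions with a Start but no Stop: still connected, or the Stop was lost
    (a switch reboot, or a host unplugged without the port noticing)."""
    return sorted(sid for sid, s in sessions(text).items()
                  if "start" in s and "stop" not in s)


def duration_mismatches(text: str, tolerance: int = 5) -> List[str]:
    """Sessions whose Acct-Session-Time disagrees with Stop minus Start by more
    than `tolerance` seconds: a clock problem or a record that was altered."""
    return sorted(sid for sid, s in sessions(text).items()
                  if "start" in s and "stop" in s
                  and abs((s["stop"] - s["start"]) - s["duration"]) > tolerance)
```

To run it against a real file, read the detail file into a string and pass it to
sessions() or the two report functions; nothing in the parser depends on the
attribute order or on which optional attributes the switch sends.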

Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure)

EX-series switches support a set of port filtering attributes called vendor-specific
attributes (VSAs). Through VSAs, you configure port filtering attributes on the
RADIUS server rather than on each switch. VSAs are clear-text fields sent from the
RADIUS server to the switch in its response to an 802.1X authentication, so the filter
a supplicant receives is decided centrally by the server; the switch interprets the
attributes and takes the corresponding actions. 802.1X authentication itself still
blocks the supplicant at the port until the RADIUS server has authenticated it.

The following procedure uses FreeRADIUS to configure VSAs. For specifics on
configuring your server, consult the AAA documentation that was included with your
server.
This topic includes the following task:
1. Load the Juniper Dictionary on page 763


Load the Juniper Dictionary

Load the Juniper dictionary, which contains the set of filtering attributes called
Juniper-Switching-Filter, attribute ID 48 under Juniper's vendor ID 2636.

1. Display the Juniper dictionary:

[root@freeradius]# cat /usr/share/freeradius/dictionary.juniper
#
# dictionary.juniper
#
# Version:      $Id: dictionary.juniper,v 1.2.6.1 2005/11/30 22:17:25 aland Exp $
#
VENDOR          Juniper                         2636

BEGIN-VENDOR    Juniper

ATTRIBUTE       Juniper-Local-User-Name         1       string
ATTRIBUTE       Juniper-Allow-Commands          2       string
ATTRIBUTE       Juniper-Deny-Commands           3       string
ATTRIBUTE       Juniper-Allow-Configuration     4       string
ATTRIBUTE       Juniper-Deny-Configuration      5       string
ATTRIBUTE       Juniper-Firewall-Filter         44      string
ATTRIBUTE       Juniper-Switching-Filter        48      string

2. If the attribute Juniper-Switching-Filter is not displayed in the dictionary, open
the file in an editor, add the following line at the end of the ATTRIBUTE list (before
the END-VENDOR Juniper line), and save the file:

[root@freeradius]# vi /usr/share/freeradius/dictionary.juniper

ATTRIBUTE       Juniper-Switching-Filter        48      string

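
A check for the dictionary step above, as added Python (not FreeRADIUS or Juniper
code): it reports whether a dictionary text defines VENDOR Juniper 2636 and
Juniper-Switching-Filter as attribute 48 of type string, and inserts the attribute
before END-VENDOR when it is missing. The embedded dictionary is a constructed copy
that lacks the attribute; to check the real file, read
/usr/share/freeradius/dictionary.juniper into a string and pass it in:

```python
"""Check a FreeRADIUS dictionary for the Juniper-Switching-Filter VSA and add
it if missing (added example, not FreeRADIUS or Juniper code; the embedded
dictionary is a constructed copy that deliberately lacks attribute 48)."""
import re
from typing import Dict, List, Tuple

VENDOR_ID = 2636                                        # Juniper's enterprise number
REQUIRED = ("Juniper-Switching-Filter", 48, "string")   # name, id, type

SAMPLE_DICTIONARY = """\
# dictionary.juniper (constructed sample, older than the one the switch needs)
VENDOR\t\tJuniper\t\t\t2636

BEGIN-VENDOR\tJuniper
ATTRIBUTE\tJuniper-Local-User-Name\t\t1\tstring
ATTRIBUTE\tJuniper-Allow-Commands\t\t2\tstring
ATTRIBUTE\tJuniper-Deny-Commands\t\t3\tstring
ATTRIBUTE\tJuniper-Allow-Configuration\t4\tstring
ATTRIBUTE\tJuniper-Deny-Configuration\t5\tstring
ATTRIBUTE\tJuniper-Firewall-Filter\t\t44\tstring
END-VENDOR\tJuniper
"""

_ATTR = re.compile(r"^\s*ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)", re.M)
_VENDOR = re.compile(r"^\s*VENDOR\s+Juniper\s+(\d+)", re.M)
_END = re.compile(r"^END-VENDOR\s+Juniper", re.M)


def strip_comments(text: str) -> str:
    """Drop everything after '#' on each line so commented-out entries are ignored."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def attributes(text: str) -> Dict[str, Tuple[int, str]]:
    """Return {name: (id, type)} for every active ATTRIBUTE line."""
    return {m.group(1): (int(m.group(2)), m.group(3))
            for m in _ATTR.finditer(strip_comments(text))}


def vendor_ok(text: str) -> bool:
    m = _VENDOR.search(strip_comments(text))
    return m is not None and int(m.group(1)) == VENDOR_ID


def problems(text: str) -> List[str]:
    """Everything that would stop the server from encoding the VSA the switch expects."""
    issues = []
    if not vendor_ok(text):
        issues.append("VENDOR Juniper 2636 line missing or wrong")
    attrs = attributes(text)
    name, num, typ = REQUIRED
    if name not in attrs:
        issues.append(f"{name} not defined")
    elif attrs[name] != (num, typ):
        issues.append(f"{name} defined as {attrs[name]}, expected {(num, typ)}")
    clash = [n for n, (i, _) in attrs.items() if i == num and n != name]
    if clash:
        issues.append(f"attribute id {num} already used by {clash[0]}")
    return issues


def ensure_switching_filter(text: str) -> str:
    """Return the dictionary text with the attribute inserted before
    END-VENDOR Juniper if it is missing; the text is returned unchanged otherwise."""
    if REQUIRED[0] in attributes(text):
        return text
    line = f"ATTRIBUTE\t{REQUIRED[0]}\t{REQUIRED[1]}\t{REQUIRED[2]}\n"
    end = _END.search(text)
    if end:
        return text[:end.start()] + line + text[end.start():]
    return text.rstrip("\n") + "\n" + line      # no END-VENDOR: append at the end
```

The clash check matters more than it looks: if a locally added attribute already
uses ID 48, the server would encode the switch's filter under the wrong name and
the switch would silently ignore it.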

Related Topics

Configuring 802.1X Authentication (CLI Procedure) on page 756

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant
Configurations on an EX-series Switch on page 685

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923

Understanding 802.1X and VSAs on EX-series Switches on page 654

Configuring LLDP (CLI Procedure)

EX-series switches use Link Layer Discovery Protocol (LLDP) and Link Layer Discovery
Protocol Media Endpoint Discovery (LLDP-MED) to learn and distribute device
information on network links. The information allows the switch to quickly identify
a variety of devices, resulting in a LAN that interoperates smoothly and efficiently.
LLDP is not enabled simply by issuing the set protocols lldp statement at the [edit]
hierarchy level; you enable it by configuring it on all interfaces or on specific
interfaces (step 5).
To configure basic LLDP options using the CLI:

1. Configure the advertisement interval in seconds to specify the frequency at which
LLDP advertisements are sent:
[edit protocols lldp]
user@switch# set advertisement-interval 45

2. Configure the number of LLDP advertisements the switch sends, at one-second
intervals, in the period immediately after it detects an LLDP-capable device (the
fast-start count):
[edit protocols lldp]
user@switch# set fast-start 8

3. Specify the multiplier used in combination with the advertisement-interval value
to determine the length of time LLDP information is held before it is discarded
(the time-to-live advertised to neighbors is hold-multiplier times
advertisement-interval):
[edit protocols lldp]
user@switch# set hold-multiplier 5

4. Configure the minimum delay between two successive LLDP advertisements:
[edit protocols lldp]
user@switch# set transmit-delay 5

5. Configure LLDP on all interfaces or on a specific interface:
[edit protocols lldp]
user@switch# set interface all

6. Configure tracing operations for the LLDP protocol:
[edit protocols lldp]
user@switch# set traceoptions file lldptrace

Related Topics

Configuring LLDP-MED (CLI Procedure) on page 766

Configuring LLDP (J-Web Procedure) on page 765

Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

Configuring LLDP (J-Web Procedure)

Use the LLDP Configuration page to configure LLDP global and port settings.
To configure LLDP:

1. From the Configure menu, select Switching > LLDP.
The LLDP Configuration page displays LLDP Global Settings and Port Settings.
The second half of the screen displays operational details for the selected port.

2. To modify LLDP Global Settings, click Global Settings. Enter information as
described in Table 109 on page 765.

3. To modify Port Settings, click Edit in the Port Settings section. Enter
information as described in Table 110 on page 766.

Table 109: Global Settings

Advertising interval
    Function: Specifies the frequency of outbound LLDP advertisements. You can
    increase or decrease this interval.
    Your Action: Type the number of seconds.

Transmit delay
    Function: Specifies the minimum delay the switch waits between successive
    advertisements. Increase this interval to reduce the frequency of successive
    advertisements.
    Your Action: Type the delay time in seconds.

Hold multiplier
    Function: Specifies the multiplier that an LLDP-enabled switch applies to the
    advertising interval to calculate the time-to-live (TTL) value for the LLDP
    advertisements it generates and transmits to LLDP neighbors.
    Your Action: Type the required number in the field.

Fast start count
    Function: The normal refresh interval for advertisements can cause an
    unacceptable delay in the configuration of MED devices. The fast start count
    (default: 3) temporarily overrides it: after a MED device is detected, the port
    initially advertises LLDP-MED at a faster rate, one advertisement per second,
    for that many advertisements.
    Your Action: Type the fast start count.

Table 110: Edit Port Settings

LLDP Status
    Function: Specifies whether LLDP has been enabled on the port.
    Your Action: Select one: Enabled, Disabled, or None.

LLDP-MED Status
    Function: Specifies whether LLDP-MED has been enabled on the port.
    Your Action: Select Enable from the list.

Related Topics

Configuring LLDP (CLI Procedure) on page 764

Configuring LLDP-MED (CLI Procedure) on page 766

Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

Configuring LLDP-MED (CLI Procedure)

Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED) is an extension
of LLDP. The EX-series switch uses LLDP-MED to support device discovery of VoIP
telephones and to create location databases for these telephone locations for
emergency services. The location information configured is used during emergency
calls to identify the location of the LLDP-MED device.
To configure basic LLDP-MED options using the CLI:

1. Configure the number of LLDP-MED advertisements the switch sends, at one-second
intervals, in the period immediately after it detects an LLDP-MED device:
[edit protocols lldp-med]
user@switch# set fast-start 6

2. Configure LLDP-MED on all interfaces or on a specific interface:
[edit protocols lldp-med]
user@switch# set interface ge-0/0/2.0

3. Configure the location information that is advertised from the switch to the
LLDP-MED device. You can specify a civic-based location (a postal-style address
made up of numbered civic address elements) or a location based on an ELIN
(emergency location identification number):

To specify a civic-based location (values that contain spaces must be quoted):

[edit protocols lldp-med]
user@switch# set interface ge-0/0/2.0 location civic-based country-code US
user@switch# set interface ge-0/0/2.0 location civic-based ca-type 1 ca-value "El Dorado County"
user@switch# set interface ge-0/0/2.0 location civic-based ca-type 2 ca-value CA
user@switch# set interface ge-0/0/2.0 location civic-based ca-type 3 ca-value Somerset
user@switch# set interface ge-0/0/2.0 location civic-based ca-type 6 ca-value "Mount Aukum Road"
user@switch# set interface ge-0/0/2.0 location civic-based ca-type 19 ca-value 6450
user@switch# set interface ge-0/0/2.0 location civic-based ca-type 21 ca-value "Holiday Market"

To specify the location using an ELIN string:

[edit protocols lldp-med]
user@switch# set interface ge-0/0/2.0 location elin 4085551212
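
What the civic-based and ELIN settings above put on the wire, as an added Python
encoder and decoder (not Juniper code and not a full LLDP implementation). The
civic element format (CAtype, CAlength, CAvalue) follows RFC 4776; the LLDP-MED
framing around it (location data format byte, LCI length and "what" bytes, and the
organizationally specific TLV with OUI 00-12-BB and subtype 3) is written from
ANSI/TIA-1057 as understood here and should be compared against a packet capture
before being relied on. The civic elements are the ones configured above:

```python
"""Encode the civic-address and ELIN location data carried by an LLDP-MED
Location Identification TLV, and decode it back (added example, not Juniper
code; the TIA-1057 framing is an assumption to verify against a capture)."""
from typing import List, Tuple

MED_OUI = bytes.fromhex("0012bb")   # TIA OUI used by LLDP-MED TLVs
LOCATION_SUBTYPE = 3                # LLDP-MED Location Identification
FORMAT_CIVIC = 2                    # location data format: civic address
FORMAT_ELIN = 3                     # location data format: ECS ELIN
WHAT_CLIENT = 2                     # RFC 4776 'what': location of the client

# The civic elements from the CLI procedure above: (ca-type, ca-value).
SAMPLE_CIVIC: List[Tuple[int, str]] = [
    (1, "El Dorado County"),
    (2, "CA"),
    (3, "Somerset"),
    (6, "Mount Aukum Road"),
    (19, "6450"),
    (21, "Holiday Market"),
]


def encode_civic(country_code: str, elements, what: int = WHAT_CLIENT) -> bytes:
    """Return the civic LCI: length octet, what, 2-letter country, CA elements."""
    if len(country_code) != 2 or not country_code.isalpha():
        raise ValueError("country code must be two letters (ISO 3166)")
    body = bytes([what]) + country_code.upper().encode("ascii")
    for ca_type, value in elements:
        raw = value.encode("utf-8")
        if not 0 <= ca_type <= 255 or len(raw) > 255:
            raise ValueError(f"ca-type {ca_type}: type out of range or value too long")
        body += bytes([ca_type, len(raw)]) + raw
    if len(body) > 255:
        raise ValueError("civic location exceeds the 255-octet LCI limit")
    return bytes([len(body)]) + body


def decode_civic(lci: bytes):
    """Inverse of encode_civic: returns (what, country_code, [(type, value), ...])."""
    if not lci or lci[0] != len(lci) - 1:
        raise ValueError("LCI length field does not match the data")
    what, cc = lci[1], lci[2:4].decode("ascii")
    elements, i = [], 4
    while i < len(lci):
        ca_type, ca_len = lci[i], lci[i + 1]
        elements.append((ca_type, lci[i + 2:i + 2 + ca_len].decode("utf-8")))
        i += 2 + ca_len
    return what, cc, elements


def encode_elin(elin: str) -> bytes:
    """An ELIN is 10 to 25 numeric characters, sent as ASCII."""
    if not (elin.isdigit() and 10 <= len(elin) <= 25):
        raise ValueError("ELIN must be 10 to 25 digits")
    return elin.encode("ascii")


def location_tlv(location_format: int, location_id: bytes) -> bytes:
    """Wrap location data in an organizationally specific LLDP TLV (type 127):
    a 7-bit type and 9-bit length header, then OUI, subtype, format, data."""
    value = MED_OUI + bytes([LOCATION_SUBTYPE, location_format]) + location_id
    if len(value) > 511:
        raise ValueError("TLV value exceeds the 9-bit length field")
    header = (127 << 9) | len(value)
    return bytes([header >> 8, header & 0xFF]) + value
```

The encoder also enforces the limits the CLI does not show you: each ca-value must
fit in 255 octets, the whole civic location must fit in the 255-octet LCI, and an
ELIN must be 10 to 25 digits.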

You can display the configuration settings using the show lldp on page 881 command:
user@switch> show lldp
LLDP                      : Enabled
Advertisement interval    : 30 seconds
Transmit delay            : 2 seconds
Hold timer                : 2 seconds
Config Trap Interval      : 60 seconds
Connection Hold timer     : 300 seconds

LLDP MED                  : Enabled
MED fast start count      : 6 Packets

Interface    LLDP       LLDP-MED
all          Enabled    -
ge-0/0/2.0   Enabled    Enabled

Related Topics

Configuring LLDP (J-Web Procedure) on page 765

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch

Configuring LLDP (CLI Procedure) on page 764

Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648


Configuring Port Security (CLI Procedure)

Ethernet LANs are vulnerable to attacks such as address spoofing and Layer 2 denial
of service (DoS) on network devices. Port security features such as DHCP snooping,
DAI (dynamic ARP inspection), MAC limiting, and MAC move limiting, as well as
trusted DHCP server, help protect the access ports on your EX-series switch against
the losses of information and productivity that can result from such attacks.
To configure port security features using the CLI:

1. Enable DHCP snooping:

On a specific VLAN (here, the VLAN is default):
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan default examine-dhcp

On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all examine-dhcp

2. Enable DAI. DAI validates ARP packets against the DHCP snooping database, so
enable DHCP snooping on the same VLANs:

On a single VLAN (here, the VLAN is employee-vlan):
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan arp-inspection

On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all arp-inspection

3. Limit the number of dynamic MAC addresses and specify the action to take if
the limit is exceeded, for example, set a MAC limit of 5 with an action of drop:

On a single interface (here, the interface is ge-0/0/1):
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 5 action drop

On all interfaces:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface all mac-limit 5 action drop

4. Specify allowed MAC addresses:

On a single interface (here, the interface is ge-0/0/2):
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83

On all interfaces:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface all allowed-mac 00:05:85:3A:82:80
user@switch# set interface all allowed-mac 00:05:85:3A:82:81
user@switch# set interface all allowed-mac 00:05:85:3A:82:83

5. Limit the number of times a MAC address can move from its original interface
in one second, for example, set a MAC move limit of 5 with an action of drop
if the limit is exceeded:

On a single VLAN (here, the VLAN is employee-vlan):
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan mac-move-limit 5 action drop

On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all mac-move-limit 5 action drop

6. Configure a trusted DHCP server on an interface (here, the interface is ge-0/0/8).
Trust only the interface that leads to the legitimate DHCP server; with DHCP
snooping enabled, DHCP server messages arriving on untrusted interfaces are dropped:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 dhcp-trusted

Related Topics

Configuring Port Security (J-Web Procedure) on page 769

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series
Switch with Access to a DHCP Server Through a Second Switch on page 732

Monitoring Port Security on page 786

Port Security for EX-series Switches Overview on page 654
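
MAC limiting and MAC move limiting as an access port enforces them, with the four
actions from steps 3 and 5 of the CLI procedure above, as an added Python model
(not JUNOS code; the frames it is fed, and the interface and VLAN names, are
constructed for the example). One assumption, marked in the code: statically
allowed MAC addresses count toward the interface's MAC limit.

```python
"""Model of MAC limiting (per interface) and MAC move limiting (per VLAN) with
the actions none, log, drop and shutdown (added example, not JUNOS code; the
frames fed to it are constructed)."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

ACTIONS = ("none", "log", "drop", "shutdown")
Limit = Tuple[Optional[int], str]            # (limit, action); limit None = unlimited


class AccessSwitch:
    def __init__(self) -> None:
        self.mac_limit: Dict[str, Limit] = {}               # interface -> (limit, action)
        self.move_limit: Dict[str, Limit] = {}              # vlan -> (limit, action)
        self.allowed_mac: Dict[str, Set[str]] = defaultdict(set)  # interface -> static MACs
        self.learned: Dict[str, Set[str]] = defaultdict(set)      # interface -> dynamic MACs
        self.table: Dict[Tuple[str, str], str] = {}         # (vlan, mac) -> interface
        self.moves: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.shutdown: Set[str] = set()
        self.log: List[str] = []

    def configure_mac_limit(self, interface: str, limit: int, action: str = "drop") -> None:
        assert action in ACTIONS
        self.mac_limit[interface] = (limit, action)

    def configure_mac_move_limit(self, vlan: str, limit: int, action: str = "drop") -> None:
        assert action in ACTIONS
        self.move_limit[vlan] = (limit, action)

    def configure_allowed_mac(self, interface: str, mac: str) -> None:
        self.allowed_mac[interface].add(mac.lower())

    def _apply(self, action: str, interface: str, message: str) -> bool:
        """Carry out a limit action; return whether the frame is still forwarded."""
        if action == "none":
            return True
        self.log.append(message)              # stands in for syslog / SNMP trap / alarm
        if action == "shutdown":
            self.shutdown.add(interface)      # interface stays down until cleared
        return action == "log"

    def _move_allowed(self, vlan: str, mac: str, interface: str, now: float) -> bool:
        """Count moves of this MAC within the VLAN over a sliding one-second window."""
        limit, action = self.move_limit.get(vlan, (None, "none"))
        window = self.moves[(vlan, mac)]
        while window and now - window[0] >= 1.0:
            window.popleft()
        window.append(now)
        if limit is None or len(window) <= limit:
            return True
        return self._apply(action, interface,
                           f"mac-move-limit exceeded: {mac} in {vlan} moving to {interface}")

    def _learn_allowed(self, interface: str, mac: str) -> bool:
        """Assumption: statically allowed MACs count toward the interface's limit."""
        limit, action = self.mac_limit.get(interface, (None, "none"))
        in_use = len(self.learned[interface]) + len(self.allowed_mac[interface])
        if limit is None or in_use < limit:
            return True
        return self._apply(action, interface, f"mac-limit exceeded: {mac} on {interface}")

    def receive(self, interface: str, vlan: str, mac: str, now: float) -> bool:
        """Process one ingress frame; return True if forwarded, False if dropped."""
        if interface in self.shutdown:
            return False
        mac = mac.lower()
        key = (vlan, mac)
        previous = self.table.get(key)
        if previous == interface:
            return True                                   # already learned here
        if previous is not None and not self._move_allowed(vlan, mac, interface, now):
            return False                                  # table keeps the old interface
        if mac not in self.allowed_mac[interface]:
            if not self._learn_allowed(interface, mac):
                return False
            self.learned[interface].add(mac)
        if previous is not None:
            self.learned[previous].discard(mac)
        self.table[key] = interface
        return True
```

The move-limit window is what distinguishes a laptop re-plugged once from a host
flapping a MAC between two ports to confuse the forwarding table; the shutdown
action is the one that needs an operator (or a recovery timer) to bring the port
back, so use it where a human will notice.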

Configuring Port Security (J-Web Procedure)

To configure port security on the EX-series switch using the J-Web interface:

1. From the Configure menu, select Security > Port Security.
The first part of the screen displays a VLAN list with the VLAN name, VLAN
identifier, port members, and port security VLAN features.
The second part of the screen displays a list of all ports and whether security
features have been enabled on the ports.

2. Click one:

Edit: Click this option to modify the security features for the selected port or
VLAN. Enter information as specified in Table 111 on page 770 to modify Port
Security settings on VLANs, and as specified in Table 112 on page 770 to modify Port
Security settings on interfaces.

Activate/Deactivate: Click this option to enable or disable port security on the
switch.

Table 111: Port Security Settings on VLANs

DHCP Snooping
    Function: Allows the switch to monitor and control DHCP messages received from
    untrusted devices connected to the switch. Builds and maintains a database of
    valid IP address/MAC address bindings. (By default, access ports are untrusted
    and trunk ports are trusted.)
    Your Action: Select to enable DHCP snooping on a specified VLAN or all VLANs.

ARP Inspection
    Function: Uses information in the DHCP snooping database to validate ARP packets
    on the LAN and protect against ARP cache poisoning.
    Your Action: Select to enable ARP inspection on a specified VLAN or all VLANs.
    (Configure any port on which you do not want ARP inspection to occur as a
    trusted DHCP server port.)

MAC Movement
    Function: Specifies the number of times per second that a MAC address can move
    to a new interface on the VLAN; a MAC address that moves more often than this
    is subject to the MAC Movement Action.
    Your Action: Enter the required number.

MAC Movement Action
    Function: Specifies the action to be taken if the MAC move limit is exceeded.
    Your Action: Select one:
        Log: Generate a system log entry, an SNMP trap, or an alarm.
        Drop: Drop the packets and generate a system log entry, an SNMP trap, or
        an alarm.
        Shutdown: Block data traffic on the interface and generate an alarm.
        None: Take no action.

Table 112: Port Security on Interfaces

Trust DHCP
    Function: Specifies trusting DHCP packets on the selected interface. By default,
    trunk ports are dhcp-trusted.
    Your Action: Select to enable DHCP trust.

MAC Limit
    Function: Specifies the number of MAC addresses that can be learned on a single
    Layer 2 access port. This option is not valid for trunk ports.
    Your Action: Enter the required number.

MAC Limit Action
    Function: Specifies the action to be taken if the MAC limit is exceeded. This
    option is not valid for trunk ports.
    Your Action: Select one:
        Log: Generate a system log entry, an SNMP trap, or an alarm.
        Drop: Drop the packets and generate a system log entry, an SNMP trap, or
        an alarm.
        Shutdown: Block data traffic on the interface and generate an alarm.
        None: Take no action.

Allowed MAC List
    Function: Specifies the MAC addresses that are allowed on the interface.
    Your Action: To add a MAC address:
        1. Click Add.
        2. Enter the MAC address.
        3. Click OK.

Related Topics

Configuring Port Security (CLI Procedure) on page 768

Monitoring Port Security on page 786

Port Security for EX-series Switches Overview on page 654

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Enabling DHCP Snooping (CLI Procedure)

DHCP snooping allows the switch to monitor and control DHCP messages received
from untrusted devices connected to the EX-series switch. It builds and maintains a
database of valid IP-address/MAC-address (IP-MAC) bindings called the DHCP snooping
database.
You configure DHCP snooping for each VLAN, not for each interface (port). By default,
DHCP snooping is disabled for all VLANs.
To enable DHCP snooping on a VLAN or all VLANs by using the CLI:

On a specific VLAN (here, the VLAN is default):
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan default examine-dhcp

On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all examine-dhcp


Related Topics

Enabling DHCP Snooping (J-Web Procedure) on page 772

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series
Switch with Access to a DHCP Server Through a Second Switch on page 732

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725

Verifying That DHCP Snooping Is Working Correctly on page 787

Monitoring Port Security on page 786

Understanding DHCP Snooping for Port Security on EX-series Switches on page 658

Enabling DHCP Snooping (J-Web Procedure)


DHCP snooping allows the EX-series switch to monitor and control DHCP messages
received from untrusted devices connected to the switch. It builds and maintains a
database of valid IP-address/MAC-address (IP-MAC) bindings called the DHCP snooping
database.
You configure DHCP snooping for each VLAN, not for each interface (port). By default,
DHCP snooping is disabled for all VLANs.
To enable DHCP snooping on one or more VLANs by using the J-Web interface:
1. Select Configure>Security>Port Security.

2. Select one or more VLANs from the VLAN list.

3. Click the Edit button. If a message appears asking if you want to enable port
security, click Yes.

4. Select the Enable DHCP Snooping on VLAN check box and then click OK.

5. Click OK after the command has been successfully delivered.

NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs or interfaces
(ports), the message asking if you want to enable port security appears.
Related Topics

Enabling DHCP Snooping (CLI Procedure) on page 771

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series
Switch with Access to a DHCP Server Through a Second Switch on page 732

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725

Verifying That DHCP Snooping Is Working Correctly on page 787

Monitoring Port Security on page 786

Understanding DHCP Snooping for Port Security on EX-series Switches on page 658

Enabling a Trusted DHCP Server (CLI Procedure)


You can configure any interface on the EX-series switch that connects to a DHCP
server as a trusted interface (port). Marking the server's interface as trusted, and
leaving every other access interface untrusted, lets the switch discard DHCP server
messages (offers and acknowledgments) that arrive on untrusted interfaces, which
protects against rogue DHCP servers handing out leases.
You configure a trusted DHCP server on an interface, not on a VLAN. By default, all
access interfaces are untrusted and all trunk interfaces are trusted. Because trunk
interfaces are trusted by default, treat any trunk that faces equipment you do not
control as a path a rogue DHCP server could use.
To configure a trusted interface for a DHCP server by using the CLI (here, the interface
is ge-0/0/8):

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/8 dhcp-trusted

Related Topics

Enabling a Trusted DHCP Server (J-Web Procedure) on page 773

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch


from Rogue DHCP Server Attacks on page 718

Verifying That a Trusted DHCP Server Is Working Correctly on page 788

Monitoring Port Security on page 786

Understanding Trusted DHCP Servers for Port Security on EX-series


Switches on page 666

Enabling a Trusted DHCP Server (J-Web Procedure)


You can configure any interface on the EX-series switch that connects to a DHCP
server as a trusted interface (port). Configuring a DHCP server on a trusted interface
protects against rogue DHCP servers sending leases.
You configure a trusted DHCP server on an interface, not on a VLAN. By default, all
access interfaces are untrusted and all trunk interfaces are trusted.
To enable a trusted DHCP server on one or more interfaces by using the J-Web
interface:
1. Select Configure>Security>Port Security.

2. Select one or more interfaces from the Port list.

3. Click the Edit button. If a message appears asking if you want to enable port
security, click Yes.

4. Select the Trust DHCP check box and then click OK.

5. Click OK after the command has been successfully delivered.

NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs or interfaces
(ports), the message asking if you want to enable port security appears.
Related Topics

Enabling a Trusted DHCP Server (CLI Procedure) on page 773

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch


from Rogue DHCP Server Attacks on page 718

Verifying That a Trusted DHCP Server Is Working Correctly on page 788

Monitoring Port Security on page 786

Understanding Trusted DHCP Servers for Port Security on EX-series


Switches on page 666

Enabling Dynamic ARP Inspection (CLI Procedure)


Dynamic ARP inspection (DAI) protects EX-series switches against ARP spoofing.
DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping
database on the switch to validate ARP packets and to protect against ARP cache
poisoning.
You configure DAI for each VLAN, not for each interface (port). By default, DAI is
disabled for all VLANs.
To enable dynamic ARP inspection (DAI) on a VLAN or all VLANs using the CLI:

On a single VLAN (here, the VLAN is employee-vlan):


[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan arp-inspection

On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all arp-inspection
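The validation rule behind DAI, as described above and in the verification topic later in this chapter (every ARP request or reply is compared with the DHCP snooping database, and a sender MAC/IP pair that does not match a valid binding is dropped), can be modelled in a few lines. The following Python program is an added example and is not JUNOS code; the bindings and ARP packets are constructed sample data, and one detail goes beyond the text: the model also records the interface on which each binding was learned and fails a packet whose pair is valid but arrives on another interface. The per-interface counters it produces are laid out like the show arp inspection statistics output.

```python
"""Dynamic ARP inspection as a lookup against DHCP snooping bindings.

Added example, not JUNOS code. Assumption beyond the text: a binding is keyed
by VLAN and MAC address and also records the interface it was learned on, and
an ARP packet whose sender pair matches a binding but arrives on a different
interface is treated as a failure.
"""
from collections import defaultdict

# Constructed DHCP snooping bindings: (mac, ip, vlan, interface).
BINDINGS = [
    ("00:05:85:3a:82:77", "192.0.2.17", "employee-vlan", "ge-0/0/1.0"),
    ("00:05:85:3a:82:79", "192.0.2.18", "employee-vlan", "ge-0/0/1.0"),
    ("00:05:85:3a:82:80", "192.0.2.19", "employee-vlan", "ge-0/0/2.0"),
]

# Constructed ARP packets seen on access interfaces:
# (interface, vlan, opcode, sender mac, sender ip). Requests and replies are
# checked the same way.
ARP_PACKETS = [
    ("ge-0/0/1.0", "employee-vlan", "request", "00:05:85:3a:82:77", "192.0.2.17"),  # matches binding
    ("ge-0/0/1.0", "employee-vlan", "reply",   "00:05:85:3a:82:77", "192.0.2.1"),   # claims the gateway IP
    ("ge-0/0/1.0", "employee-vlan", "request", "00:05:85:3a:82:79", "192.0.2.18"),  # matches binding
    ("ge-0/0/2.0", "employee-vlan", "request", "00:05:85:3a:82:80", "192.0.2.19"),  # matches binding
    ("ge-0/0/2.0", "employee-vlan", "reply",   "00:05:85:3a:82:79", "192.0.2.18"),  # real pair, wrong port
    ("ge-0/0/3.0", "employee-vlan", "request", "00:05:85:3a:82:99", "192.0.2.50"),  # never got a lease
]


def build_db(bindings):
    """Index bindings by (vlan, mac) -> (ip, interface)."""
    return {(vlan, mac): (ip, iface) for mac, ip, vlan, iface in bindings}


def inspect_packet(db, iface, vlan, sender_mac, sender_ip):
    """True when the sender MAC/IP pair is a valid binding on this VLAN and interface."""
    entry = db.get((vlan, sender_mac.lower()))
    return entry is not None and entry == (sender_ip, iface)


def inspect(bindings, packets):
    """Inspect packets; return per-interface counters and the per-packet verdicts."""
    db = build_db(bindings)
    stats = defaultdict(lambda: {"received": 0, "pass": 0, "fail": 0})
    verdicts = []
    for iface, vlan, _opcode, mac, ip in packets:
        ok = inspect_packet(db, iface, vlan, mac, ip)
        stats[iface]["received"] += 1
        stats[iface]["pass" if ok else "fail"] += 1
        verdicts.append(ok)
    return dict(stats), verdicts


def render(stats):
    """Lay the counters out like 'show arp inspection statistics'."""
    lines = ["ARP inspection statistics:",
             f"{'Interface':<12}{'Packets received':<18}{'ARP inspection pass':<21}ARP inspection failed"]
    for iface in sorted(stats):
        s = stats[iface]
        lines.append(f"{iface:<12}{s['received']:<18}{s['pass']:<21}{s['fail']}")
    return "\n".join(lines)


if __name__ == "__main__":
    counters, _ = inspect(BINDINGS, ARP_PACKETS)
    print(render(counters))
```

The second packet is the classic ARP cache poisoning attempt (a real host claiming the gateway's IP) and the last one is a host that never obtained a lease; both fail, which is why DAI depends on DHCP snooping being enabled on the same VLAN first.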

Related Topics

Enabling Dynamic ARP Inspection (J-Web Procedure) on page 775

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series
Switch with Access to a DHCP Server Through a Second Switch on page 732

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725

Verifying That DAI Is Working Correctly on page 789

Monitoring Port Security on page 786

Understanding DAI for Port Security on EX-series Switches on page 662

Enabling Dynamic ARP Inspection (J-Web Procedure)


Dynamic ARP inspection (DAI) protects EX-series switches against ARP spoofing.
DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping
database on the switch to validate ARP packets and to protect against ARP cache
poisoning.
You configure DAI for each VLAN, not for each interface (port). By default, DAI is
disabled for all VLANs.
To enable DAI on one or more VLANs by using the J-Web interface:
1. Select Configure>Security>Port Security.

2. Select one or more VLANs from the VLAN list.

3. Click the Edit button. If a message appears asking if you want to enable port
security, click Yes.

4. Select the Enable ARP Inspection on VLAN check box and then click OK.

5. Click OK after the command has been successfully delivered.

NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs or interfaces
(ports), the message asking if you want to enable port security appears.
Related Topics

Enabling Dynamic ARP Inspection (CLI Procedure) on page 774

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series
Switch with Access to a DHCP Server Through a Second Switch on page 732

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725

Verifying That DAI Is Working Correctly on page 789

Monitoring Port Security on page 786

Understanding DAI for Port Security on EX-series Switches on page 662


Configuring MAC Limiting (CLI Procedure)


MAC limiting protects against flooding of the Ethernet switching table on the EX-series
switch. MAC limiting sets a limit on the number of MAC addresses that can be learned
on a single Layer 2 access interface (port).
JUNOS software provides two MAC limiting methods:

Maximum number of dynamic MAC addresses allowed per interface: As soon as the
limit is reached, the switch applies the configured action to frames that carry new
source MAC addresses (for example, it drops them when the action is drop).

Specific allowed MAC addresses for the access interface: Any MAC address that is
not in the list of configured addresses is not learned.

You configure MAC limiting for each interface, not for each VLAN. In the default
configuration, the limit for dynamically learned MAC addresses for each interface is
5 and the action that the switch will take if that limit is exceeded is none, so the
limit is not enforced until you set an action.
To configure MAC limiting on a specific interface or on all interfaces, using the CLI:

1. For limiting the number of dynamic MAC addresses, set a MAC limit of 5 with
an action of drop if the limit is exceeded:

On a single interface (here, the interface is ge-0/0/1):

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 5 action drop

On all interfaces:

[edit ethernet-switching-options secure-access-port]
user@switch# set interface all mac-limit 5 action drop

2. For specifying specific allowed MAC addresses:

On a single interface (here, the interface is ge-0/0/2):

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83

On all interfaces:

[edit ethernet-switching-options secure-access-port]
user@switch# set interface all allowed-mac 00:05:85:3A:82:80
user@switch# set interface all allowed-mac 00:05:85:3A:82:81
user@switch# set interface all allowed-mac 00:05:85:3A:82:83

Related Topics

Configuring MAC Limiting (J-Web Procedure) on page 777

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 729

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC


Addresses, to Protect the Switch from Ethernet Switching Table Overflow
Attacks on page 714

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 721

Verifying That MAC Limiting Is Working Correctly on page 790

Setting the none Action on an Interface to Override a MAC Limit Applied to All
Interfaces (CLI Procedure) on page 780

Understanding MAC Limiting and MAC Move Limiting for Port Security on
EX-series Switches on page 664

Configuring MAC Limiting (J-Web Procedure)


MAC limiting protects against flooding of the Ethernet switching table on an EX-series
switch. MAC limiting sets a limit on the number of MAC addresses that can be learned
on a single Layer 2 access interface (port).
JUNOS software provides two MAC limiting methods:

Maximum number of dynamic MAC addresses allowed per interface: As soon as the
limit is reached, the switch applies the configured action to frames that carry new
source MAC addresses (for example, it drops them when the action is drop).

Specific allowed MAC addresses for the access interface: Any MAC address that is
not in the list of configured addresses is not learned.

You configure MAC limiting for each interface, not for each VLAN. In the default
configuration, the limit for dynamically learned MAC addresses for each interface is
5 and the action that the switch will take if that limit is exceeded is none.
To enable MAC limiting on one or more interfaces using the J-Web interface:

1. Select Configure>Security>Port Security.

2. Select one or more interfaces from the Port list.

3. Click the Edit button. If a message appears asking if you want to enable port
security, click Yes.

4. To set a dynamic MAC limit:

a. Type a limit value in the MAC Limit box.

b. Select an action from the MAC Limit Action box. The switch takes this action
when the limit is exceeded.

5. To set allowed MAC addresses:

a. Click Add.

b. Type the allowed MAC address and click OK.

Repeat this step to add more allowed MAC addresses.

6. Click OK when you have finished setting MAC limits.

7. Click OK after the command has been successfully delivered.

NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs or interfaces
(ports), the message asking if you want to enable port security appears.
Related Topics

Configuring MAC Limiting (CLI Procedure) on page 776

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 729

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC


Addresses, to Protect the Switch from Ethernet Switching Table Overflow
Attacks on page 714

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 721

Verifying That MAC Limiting Is Working Correctly on page 790

Setting the none Action on an Interface to Override a MAC Limit Applied to All
Interfaces (CLI Procedure) on page 780

Understanding MAC Limiting and MAC Move Limiting for Port Security on
EX-series Switches on page 664

Configuring MAC Move Limiting (CLI Procedure)


MAC move limiting detects MAC address movement and MAC address spoofing on
access ports. A MAC move is a MAC address that the EX-series switch has already
learned on one interface in a VLAN appearing on a different interface in the same
VLAN; a host that spoofs another host's MAC address, or a loop, produces such
moves in quick succession. When the number of moves exceeds the limit, the switch
takes the configured action, which keeps the offending host from accessing the
network.
You configure MAC move limiting for each VLAN, not for each interface (port). In
the default configuration, the MAC move limit for each VLAN is unlimited. The default
action that the switch will take if a limit is set and then that limit is exceeded is none.
To configure a MAC move limit on a specific VLAN or on all VLANs, using the CLI:

On a single VLAN (here, the VLAN is employee-vlan):

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan mac-move-limit 5 action drop

On all VLANs:

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all mac-move-limit 5 action drop
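The following Python program, added here as an illustration and not part of the JUNOS software or this guide, models MAC move limiting as a detector over a stream of MAC learning events so that the effect of the limit and of each action can be seen on sample data. It assumes that a move is a MAC address the switch already knows on one interface in a VLAN appearing on another interface in that VLAN, that moves are counted per VLAN and MAC address in a sliding one-second window, and that the actions behave as listed for MAC limiting earlier in this chapter (none only counts, log records an entry, drop discards the offending frame, shutdown blocks the interface). The event list is constructed.

```python
"""Model of MAC move limiting as a detector over MAC learning events.

Added example; not JUNOS code. Assumptions: a "move" is a MAC address the
switch already knows on one interface in a VLAN showing up on another
interface in that VLAN, moves are counted per (VLAN, MAC) in a sliding
one-second window, and the actions behave as: none counts only, log records
an entry, drop discards the offending frame, shutdown blocks the interface.
"""
from collections import defaultdict, deque

# Constructed learning events: (time in seconds, vlan, mac, interface).
# 00:05:85:3a:82:80 flaps between ge-0/0/1.0 and ge-0/0/2.0 six times within
# one second, the pattern a spoofing host or a loop produces; the other MAC
# moves once, which a limit of 5 must tolerate.
EVENTS = [
    (0.00, "employee-vlan", "00:05:85:3a:82:77", "ge-0/0/1.0"),
    (0.10, "employee-vlan", "00:05:85:3a:82:80", "ge-0/0/1.0"),
    (0.20, "employee-vlan", "00:05:85:3a:82:80", "ge-0/0/2.0"),
    (0.30, "employee-vlan", "00:05:85:3a:82:80", "ge-0/0/1.0"),
    (0.40, "employee-vlan", "00:05:85:3a:82:80", "ge-0/0/2.0"),
    (0.50, "employee-vlan", "00:05:85:3a:82:80", "ge-0/0/1.0"),
    (0.60, "employee-vlan", "00:05:85:3a:82:80", "ge-0/0/2.0"),
    (0.70, "employee-vlan", "00:05:85:3a:82:80", "ge-0/0/1.0"),
    (5.00, "employee-vlan", "00:05:85:3a:82:77", "ge-0/0/1.0"),
    (5.10, "employee-vlan", "00:05:85:3a:82:77", "ge-0/0/3.0"),
]

ACTIONS = ("none", "log", "drop", "shutdown")


class MacMoveLimiter:
    """Per-VLAN MAC move limit with the configured action (mac-move-limit N action X)."""

    def __init__(self, limit, action="none", window=1.0):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.limit, self.action, self.window = limit, action, window
        self.location = {}                # (vlan, mac) -> interface it was learned on
        self.moves = defaultdict(deque)   # (vlan, mac) -> timestamps of recent moves
        self.blocked = set()              # interfaces shut down by the shutdown action
        self.log = []                     # entries written by log/drop/shutdown

    def learn(self, ts, vlan, mac, iface):
        """Process one learning event and return the verdict for that frame."""
        if iface in self.blocked:
            return "blocked"
        key = (vlan, mac)
        prev = self.location.get(key)
        if prev is None or prev == iface:
            self.location[key] = iface     # first sighting or no move: plain learning
            return "forward"
        recent = self.moves[key]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()               # forget moves older than the window
        if len(recent) <= self.limit:
            self.location[key] = iface
            return "forward"
        # Limit exceeded within the window: apply the configured action.
        if self.action != "none":
            self.log.append(f"{vlan}: {mac} moved {len(recent)} times in "
                            f"{self.window}s, last from {prev} to {iface}")
        if self.action in ("none", "log"):
            self.location[key] = iface     # traffic is still forwarded
            return "forward"
        if self.action == "shutdown":
            self.blocked.add(iface)
            return "shutdown"
        return "drop"                      # frame discarded, location unchanged


def run(events, limit, action):
    """Feed the events through one limiter and return the per-frame verdicts."""
    limiter = MacMoveLimiter(limit, action)
    return [limiter.learn(*event) for event in events]


if __name__ == "__main__":
    for action in ACTIONS:
        print(action, run(EVENTS, 5, action))
```

With the default action none the flapping address is never stopped, which is the point of setting an action together with the limit; with shutdown the whole interface goes down, so the legitimate host on ge-0/0/1.0 is blocked as well, a trade-off to weigh before choosing shutdown on a shared port.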

Related Topics

Configuring MAC Move Limiting (J-Web Procedure) on page 779

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Verifying That MAC Move Limiting Is Working Correctly on page 793

Monitoring Port Security on page 786

Understanding MAC Limiting and MAC Move Limiting for Port Security on
EX-series Switches on page 664

Configuring MAC Move Limiting (J-Web Procedure)


MAC move limiting detects MAC movement and MAC spoofing on access ports. It
prevents hosts whose MAC addresses have not been learned by the EX-series switch
from accessing the network.
You configure MAC move limiting for each VLAN, not for each interface (port). In
the default configuration, the MAC move limit for each VLAN is unlimited; the default
action that the switch will take if a limit is set and then that limit is exceeded is none.
To enable MAC move limiting on one or more VLANs by using the J-Web interface:
1. Select Configure>Security>Port Security.

2. Select one or more VLANs from the VLAN list.

3. Click the Edit button. If a message appears asking if you want to enable port
security, click Yes.

4. To set a MAC move limit:

a. Type a limit value in the MAC Movement box.

b. Select an action from the MAC Movement Action box. The switch takes this
action when the limit is exceeded.

c. Click OK.

5. Click OK after the command has been successfully delivered.

NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs or interfaces
(ports), the message asking if you want to enable port security appears.
Related Topics

Configuring MAC Move Limiting (CLI Procedure) on page 779

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Verifying That MAC Move Limiting Is Working Correctly on page 793

Monitoring Port Security on page 786

Understanding MAC Limiting and MAC Move Limiting for Port Security on
EX-series Switches on page 664

Setting the none Action on an Interface to Override a MAC Limit Applied to All
Interfaces (CLI Procedure)
If you set a MAC limit in your port security settings to apply to all interfaces on the
EX-series switch, you can override that setting for a particular interface by specifying
action none.
To use the none action to override a MAC limit setting:

1. Set the MAC limit, for example, a limit of 5 with action drop:

[edit ethernet-switching-options secure-access-port]
user@switch# set interface all mac-limit 5 action drop

2. Then change the action for one interface (here, ge-0/0/2) with this command.
You don't need to specify a limit value; the interface-specific statement takes
precedence over the interface all statement for that interface.

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 mac-limit action none

Related Topics

Configuring MAC Limiting (CLI Procedure) on page 776

Configuring MAC Limiting (J-Web Procedure) on page 777

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Verifying That MAC Limiting Is Working Correctly on page 790

Configuring IP Source Guard (CLI Procedure)


You can use the IP source guard access port security feature on EX-series switches
to mitigate the effects of source IP address spoofing and source MAC address spoofing.
If IP source guard determines that a host connected to an access interface has sent
a packet with an invalid source IP address or source MAC address in the packet
header, it ensures that the switch does not forward the packet; that is, the packet
is discarded.
You enable the IP source guard feature on VLANs. You can enable it on a specific
VLAN, on all VLANs, or on a VLAN range.

NOTE: IP source guard applies only to access interfaces and only to untrusted
interfaces. If you enable IP source guard on a VLAN that includes trunk interfaces or
an interface set to dhcp-trusted, the CLI shows an error when you try to commit the
configuration.
Before you configure IP source guard, be sure that you have:
Enabled DHCP snooping on the VLAN or VLANs on which you will configure IP source
guard. See Enabling DHCP Snooping (CLI Procedure) on page 771.


To enable IP source guard on a VLAN, all VLANs, or a VLAN range (a series of tagged
VLANs) by using the CLI:

NOTE: Replace the VLAN names, interface names, and VLAN IDs shown in the
examples with values for your configuration.

On a specific VLAN:

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan default ip-source-guard

On all VLANs:

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all ip-source-guard

On a VLAN range:

a. Set the VLAN range (the VLAN name is employee):

[edit vlans]
user@switch# set employee vlan-range 100-101

b. Associate an interface with a VLAN-range number (100 in the following
example) and set the port mode to access:

[edit interfaces]
user@switch# set ge-0/0/6 unit 0 family ethernet-switching port-mode access
vlan members 100

c. Enable IP source guard on the VLAN employee:

[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee ip-source-guard

NOTE: You can use the no-ip-source-guard statement to disable IP source guard for a
specific VLAN after you have enabled the feature for all VLANs.
To view results of the configuration steps before committing the configuration, type
the show command at the user prompt.
To commit these changes to the active configuration, type the commit command at
the user prompt.
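The following Python checker is an added example and is not part of JUNOS or this guide. It reads a configuration in set-command form and reports the combinations this topic says will not commit (IP source guard on a VLAN that contains a trunk interface or a dhcp-trusted interface) together with IP source guard or DAI enabled on a VLAN that has no DHCP snooping, which leaves those features without bindings to validate against. The sample configuration is constructed; the checker assumes VLAN membership is expressed by name (vlan members <name>), honours vlan all and no-ip-source-guard, and models only the statements shown on this page.

```python
"""Pre-commit sanity check of an EX port-security configuration in 'set' form.

Added example; not JUNOS code. It models only the secure-access-port, vlans and
interfaces statements used on this page and assumes VLAN membership by name.
"""
import re
from collections import defaultdict

# Constructed sample. ge-0/0/8 is dhcp-trusted and ge-0/0/9 is a trunk, both in
# VLAN employee where IP source guard is enabled; guest has DAI without snooping.
SAMPLE_CONFIG = """
set vlans employee vlan-id 100
set vlans guest vlan-id 200
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access vlan members employee
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode access vlan members employee
set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode trunk vlan members employee
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access vlan members guest
set ethernet-switching-options secure-access-port interface ge-0/0/8 dhcp-trusted
set ethernet-switching-options secure-access-port vlan employee examine-dhcp
set ethernet-switching-options secure-access-port vlan employee ip-source-guard
set ethernet-switching-options secure-access-port vlan guest arp-inspection
"""

IFACE_RE = re.compile(
    r"^set interfaces (\S+) unit \d+ family ethernet-switching "
    r"port-mode (access|trunk) vlan members (\S+)$")
SAP_VLAN_RE = re.compile(
    r"^set ethernet-switching-options secure-access-port vlan (\S+) "
    r"(examine-dhcp|arp-inspection|ip-source-guard|no-ip-source-guard)$")
SAP_IFACE_RE = re.compile(
    r"^set ethernet-switching-options secure-access-port interface (\S+) dhcp-trusted$")


def parse_config(text):
    """Return (members, features, trusted): VLAN -> [(interface, mode)],
    VLAN name or 'all' -> set of secure-access-port keywords, trusted interfaces."""
    members, features, trusted = defaultdict(list), defaultdict(set), set()
    for line in text.strip().splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            members[m.group(3)].append((m.group(1), m.group(2)))
        elif m := SAP_VLAN_RE.match(line):
            features[m.group(1)].add(m.group(2))
        elif m := SAP_IFACE_RE.match(line):
            trusted.add(m.group(1))
    return members, features, trusted


def effective_features(vlan, features):
    """Features on one VLAN: 'vlan all' plus the VLAN's own, with the
    no-ip-source-guard override applied."""
    eff = set(features.get("all", set())) | set(features.get(vlan, set()))
    if "no-ip-source-guard" in eff:
        eff.discard("ip-source-guard")
    return eff


def check_config(text):
    """Return a list of (vlan, problem) findings; an empty list means clean."""
    members, features, trusted = parse_config(text)
    findings = []
    for vlan in sorted(set(members) | {v for v in features if v != "all"}):
        eff = effective_features(vlan, features)
        if "ip-source-guard" in eff:
            if "examine-dhcp" not in eff:
                findings.append((vlan, "ip-source-guard without examine-dhcp"))
            for iface, mode in members.get(vlan, []):
                if iface in trusted:   # commit error per the note above
                    findings.append((vlan, f"ip-source-guard with dhcp-trusted interface {iface}"))
                if mode == "trunk":    # commit error per the note above
                    findings.append((vlan, f"ip-source-guard with trunk interface {iface}"))
        if "arp-inspection" in eff and "examine-dhcp" not in eff:
            findings.append((vlan, "arp-inspection without examine-dhcp (no bindings to validate against)"))
    return findings


if __name__ == "__main__":
    for vlan, problem in check_config(SAMPLE_CONFIG):
        print(f"{vlan}: {problem}")
```

Run it against a configuration dumped with show configuration | display set before committing; the two employee findings are the ones the switch would reject at commit, while the guest finding is a policy warning this checker adds on its own.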
Related Topics

Verifying That IP Source Guard Is Working Correctly on page 794

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface


with a Voice VLAN on page 740

Example: Configuring IP Source Guard with Other EX-series Switch Features to


Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 746

Understanding IP Source Guard for Port Security on EX-series Switches on page 666

Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure)
You can add static (fixed) IP addresses and bind them to fixed MAC addresses in the
DHCP snooping database. These bindings are labeled as static in the database,
while those bindings that have been added through the process of DHCP snooping
are labeled dynamic.
To configure a static IP address/MAC address binding in the DHCP snooping database,
by using the CLI:

NOTE: Replace values displayed in italics with values for your configuration.

[edit ethernet-switching-options secure-access port]


user@switch#set interface ge-0/0/2 static-ip 10.0.10.12 vlan data-vlan mac
00:05:85:3A:82:80

To view results of the configuration steps before committing the configuration, type
the show command at the user prompt.
To commit these changes to the active configuration, type the commit command at
the user prompt.
Related Topics

Verifying That DHCP Snooping Is Working Correctly on page 787

Understanding DHCP Snooping for Port Security on EX-series Switches on page 658


Chapter 46

Verifying 802.1X, Port Security, and VoIP

Monitoring 802.1X Authentication on page 785

Monitoring Port Security on page 786

Verifying That DHCP Snooping Is Working Correctly on page 787

Verifying That a Trusted DHCP Server Is Working Correctly on page 788

Verifying That DAI Is Working Correctly on page 789

Verifying That MAC Limiting Is Working Correctly on page 790

Verifying That MAC Move Limiting Is Working Correctly on page 793

Verifying That IP Source Guard Is Working Correctly on page 794

Monitoring 802.1X Authentication


Purpose

Use the monitoring feature to display details of authenticated users and users who
have failed authentication.

Action

To display authentication details in the J-Web interface, select Monitoring > Security
> 802.1X.
To display authentication details in the CLI, enter the following commands:

show dot1x interface detail | display xml

show dot1x interface detail <interface> | display xml

show dot1x auth-failed-users

Meaning

The details displayed include:

A list of authenticated users.

The total number of users connected.

A list of users who have failed authentication.

You can also specify an interface for which the details must be displayed.
Related Topics

Configuring 802.1X Authentication (J-Web Procedure) on page 758

Configuring 802.1X Authentication (CLI Procedure) on page 756

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant


Configurations on an EX-series Switch on page 685


Monitoring Port Security


Purpose

Use the monitoring functionality to view these port security details:

DHCP snooping database for a VLAN or all VLANs

ARP inspection details for all interfaces

Action

To monitor port security in the J-Web interface, select Monitor > Security > Port
Security.
To monitor and manipulate the DHCP snooping database and ARP inspection statistics
in the CLI, enter the following commands:

show dhcp snooping binding

clear dhcp snooping binding: In addition to clearing the whole database, you can
clear database entries for specified VLANs or MAC addresses.

show arp inspection statistics

clear arp inspection statistics

Meaning

The J-Web Port Security Monitoring page comprises two sections:

DHCP Snooping: Displays the DHCP snooping database for all the VLANs for
which DHCP snooping is enabled. To view the DHCP snooping database for a
specific VLAN, select the specific VLAN from the list.

ARP Inspection: Displays the ARP inspection details for all interfaces. The
information includes the number of packets that passed ARP inspection
and the number of packets that failed the inspection. The pie chart graphically
represents these statistics when you select an interface. To view ARP inspection
statistics for a specific interface, select the interface from the list.

You have the following options on the page:

Clear ALL: Clears the DHCP snooping database, either for all VLANs if the option
ALL has been selected in the Select VLANs list or for the specific VLAN that has
been selected in that list.

Clear: Deletes a specific IP address from the DHCP snooping database.

To clear ARP statistics on the page, click Clear All in the ARP Statistics section.
Use the CLI commands to show and clear DHCP snooping database and ARP
inspection statistics details. Clearing bindings also removes the entries that DAI and
IP source guard validate against, so hosts whose dynamic bindings you clear fail
those checks until they obtain a new lease.
Related Topics

Configuring Port Security (CLI Procedure) on page 768

Configuring Port Security (J-Web Procedure) on page 769

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Verifying That DHCP Snooping Is Working Correctly


Purpose

Verify that DHCP snooping is working on the switch and that the DHCP snooping
database is correctly populated with both dynamic and static bindings.

Action

Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the interface on which the DHCP
server connects to the switch is trusted. The following output results when requests
are sent from the MAC addresses and the server has provided the IP addresses and
leases:

user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN      Interface
00:05:85:3A:82:77   192.0.2.17   600              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653              dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19   720              dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:81   192.0.2.20   932              dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:83   192.0.2.21   1230             dynamic  employee  ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22   -                static   data      ge-0/0/4.0

Meaning

When the interface on which the DHCP server connects to the switch has been set
to trusted, the output (see preceding sample) shows, for each MAC address, the
assigned IP address and lease time, that is, the time, in seconds, remaining before
the lease expires. Static IP addresses have no assigned lease time. The statically
configured entry never expires.
If the DHCP server had been configured as untrusted, the output would look like this:

user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address   Lease (seconds)  Type     VLAN      Interface
00:05:85:3A:82:77   0.0.0.0      -                dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:79   0.0.0.0      -                dynamic  employee  ge-0/0/1.0
00:05:85:3A:82:80   0.0.0.0      -                dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:81   0.0.0.0      -                dynamic  employee  ge-0/0/2.0
00:05:85:3A:82:83   0.0.0.0      -                dynamic  employee  ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22   -                static   data      ge-0/0/4.0

In the preceding output sample, IP addresses and lease times are not assigned to the
dynamically learned bindings because the DHCP clients do not have a trusted server
to which they can send requests. In the database, the clients' MAC addresses are
shown with no assigned IP addresses (hence the 0.0.0.0 content in the IP Address
column) and no leases (the lease time is shown as a dash in the Lease column). The
static binding is unaffected because it does not depend on the server.
Related Topics

Enabling DHCP Snooping (CLI Procedure) on page 771

Enabling DHCP Snooping (J-Web Procedure) on page 772

Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI


Procedure) on page 783


Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series
Switch with Access to a DHCP Server Through a Second Switch on page 732

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725

Monitoring Port Security on page 786

Troubleshooting Port Security

Verifying That a Trusted DHCP Server Is Working Correctly


Purpose

Verify that a DHCP trusted server is working on the switch. See what happens when
the DHCP server is trusted and then untrusted.

Action

Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the interface on which the DHCP
server connects to the switch is trusted. The following output results when requests
are sent from the MAC addresses and the server has provided the IP addresses and
leases:

user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address         IP Address   Lease  Type     VLAN           Interface
-----------------   ----------   -----  -------  -------------  ----------
00:05:85:3A:82:77   192.0.2.17   600    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653    dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19   720    dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:81   192.0.2.20   932    dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:83   192.0.2.21   1230   dynamic  employee-vlan  ge-0/0/2.0
00:05:85:27:32:88   192.0.2.22   3200   dynamic  employee-vlan  ge-0/0/2.0

Meaning

When the interface on which the DHCP server connects to the switch has been set
to trusted, the output (see preceding sample) shows, for each MAC address, the
assigned IP address and lease time, that is, the time, in seconds, remaining before
the lease expires.
If the DHCP server had been configured as untrusted, the output would look like this:

user@switch> show dhcp snooping binding
DHCP Snooping Information:
MAC Address         IP Address   Lease  Type     VLAN           Interface
-----------------   ----------   -----  -------  -------------  ----------
00:05:85:3A:82:77   0.0.0.0      -      dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:79   0.0.0.0      -      dynamic  employee-vlan  ge-0/0/1.0
00:05:85:3A:82:80   0.0.0.0      -      dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:81   0.0.0.0      -      dynamic  employee-vlan  ge-0/0/2.0
00:05:85:3A:82:83   0.0.0.0      -      dynamic  employee-vlan  ge-0/0/2.0
00:05:85:27:32:88   0.0.0.0      -      dynamic  employee-vlan  ge-0/0/2.0

In the preceding output sample, IP addresses and lease times are not assigned because
the DHCP clients do not have a trusted server to which they can send requests. In
the database, the clients' MAC addresses are shown with no assigned IP addresses
(hence the 0.0.0.0 content in the IP Address column) and no leases (the lease time
is shown as a dash in the Lease column). A table full of 0.0.0.0 entries is therefore
the first thing to look for when clients on a snooped VLAN stop receiving leases after
port security is enabled: the server's interface was left untrusted.
Related Topics

Enabling a Trusted DHCP Server (CLI Procedure) on page 773

Enabling a Trusted DHCP Server (J-Web Procedure) on page 773

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch
from Rogue DHCP Server Attacks on page 718

Monitoring Port Security on page 786

Troubleshooting Port Security

Verifying That DAI Is Working Correctly


Purpose

Verify that dynamic ARP inspection (DAI) is working on the switch.

Action

Send some ARP requests from network devices connected to the switch.
Display the DAI information:
user@switch> show arp inspection statistics on page 871
ARP inspection statistics:
Interface        Packets received  ARP inspection pass  ARP inspection failed
---------------  ----------------  -------------------  ---------------------
ge-0/0/1.0       7                 5                    2
ge-0/0/2.0       10                10                   0
ge-0/0/3.0       12                12                   0

Meaning

The sample output shows the number of ARP packets received and inspected per
interface, with a listing of how many packets passed and how many failed the
inspection on each interface. The switch compares the ARP requests and replies
against the entries in the DHCP snooping database. If a MAC address or IP address
in the ARP packet does not match a valid entry in the database, the packet is dropped.

Related Topics

Enabling Dynamic ARP Inspection (CLI Procedure) on page 774

Enabling Dynamic ARP Inspection (J-Web Procedure) on page 775

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series
Switch with Access to a DHCP Server Through a Second Switch on page 732

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725

Monitoring Port Security on page 786
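The DHCP snooping binding output shown in the preceding section and the DAI check described in this section, as an added example that is not part of the guide: a parser for the binding table layout and a simplified DAI check that produces the three per-interface counters of show arp inspection statistics. The table text and ARP packets are constructed, and the matching rule (VLAN, sender MAC and sender IP must all match one binding with an assigned address) is an assumption about the switch's behaviour.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of 'show dhcp snooping binding' when the
# DHCP server's interface is trusted (addresses and leases are assigned).
TRUSTED_TABLE = """\
DHCP Snooping Information:
MAC Address         IP Address   Lease  Type     VLAN          Interface
-----------------   ----------   -----  -------  ------------  ----------
00:05:85:3A:82:77   192.0.2.17   600    dynamic  employeevlan  ge-0/0/1.0
00:05:85:3A:82:79   192.0.2.18   653    dynamic  employeevlan  ge-0/0/1.0
00:05:85:3A:82:80   192.0.2.19   720    dynamic  employeevlan  ge-0/0/2.0
"""

# Constructed sample of the same command when the server's interface is
# untrusted: no IP address (0.0.0.0) and no lease (a dash).
UNTRUSTED_TABLE = """\
DHCP Snooping Information:
MAC Address         IP Address   Lease  Type     VLAN          Interface
-----------------   ----------   -----  -------  ------------  ----------
00:05:85:3A:82:77   0.0.0.0      -      dynamic  employeevlan  ge-0/0/1.0
00:05:85:3A:82:79   0.0.0.0      -      dynamic  employeevlan  ge-0/0/1.0
"""


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: Optional[int]  # None when the Lease column is a dash
    vlan: str
    interface: str


def parse_bindings(text: str) -> List[Binding]:
    """Parse binding rows; the title, header and ruler lines are skipped because
    their first field is not a colon-separated MAC address."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0].count(":") != 5:
            continue
        mac, ip, lease, _typ, vlan, iface = fields
        rows.append(Binding(mac.lower(), ip, None if lease == "-" else int(lease), vlan, iface))
    return rows


def untrusted_server_symptom(bindings: List[Binding]) -> bool:
    """True when every client shows 0.0.0.0 and no lease, the pattern the guide
    shows when the DHCP server's interface has not been set to trusted."""
    return bool(bindings) and all(b.ip == "0.0.0.0" and b.lease is None for b in bindings)


@dataclass(frozen=True)
class ArpPacket:
    interface: str  # access interface the packet arrived on
    vlan: str
    sender_mac: str
    sender_ip: str


def dai_inspect(bindings: List[Binding], packets: List[ArpPacket]) -> Dict[str, Tuple[int, int, int]]:
    """Simplified DAI (assumed rule): a packet passes only if its sender MAC and
    sender IP match one binding on the same VLAN; bindings without an assigned
    address are not valid. Returns {interface: (received, passed, failed)}."""
    valid = {(b.vlan, b.mac, b.ip) for b in bindings if b.ip != "0.0.0.0"}
    stats: Dict[str, List[int]] = defaultdict(lambda: [0, 0, 0])
    for p in packets:
        counters = stats[p.interface]
        counters[0] += 1
        if (p.vlan, p.sender_mac.lower(), p.sender_ip) in valid:
            counters[1] += 1
        else:
            counters[2] += 1  # mismatch: the switch drops the packet
    return {iface: (c[0], c[1], c[2]) for iface, c in stats.items()}


if __name__ == "__main__":
    bindings = parse_bindings(TRUSTED_TABLE)
    sample = [
        ArpPacket("ge-0/0/1.0", "employeevlan", "00:05:85:3A:82:77", "192.0.2.17"),
        ArpPacket("ge-0/0/1.0", "employeevlan", "00:05:85:3A:82:77", "192.0.2.99"),  # IP not bound to that MAC
        ArpPacket("ge-0/0/2.0", "employeevlan", "00:05:85:3A:82:80", "192.0.2.19"),
    ]
    for iface, (rx, ok, bad) in sorted(dai_inspect(bindings, sample).items()):
        print(f"{iface:<12} received {rx} pass {ok} failed {bad}")
```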


Verifying That MAC Limiting Is Working Correctly


MAC limiting protects against flooding of the Ethernet switching table. MAC limiting
sets a limit on the number of MAC addresses that can be learned on a single Layer
2 access interface (port).
JUNOS software provides two MAC limiting methods:

Maximum number of dynamic MAC addresses allowed per interface: As soon
as the limit is reached, incoming packets with new MAC addresses are dropped.

Specific allowed MAC addresses for the access interface: Any MAC address
that is not in the list of configured addresses is not learned.

To verify MAC limiting configurations:


1. Verifying That MAC Limiting for Dynamic MAC Addresses Is Working
Correctly on page 790
2. Verifying That Allowed MAC Addresses Are Working Correctly on page 790
3. Verifying Results of Various Action Settings When the MAC Limit Is
Exceeded on page 791
4. Customizing the Ethernet Switching Table Display to View Information for a
Specific Interface on page 793

Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly
Purpose

Verify that MAC limiting for dynamic MAC addresses is working on the switch.

Action

Display the MAC addresses that have been learned. The following sample output
shows the results when two DHCP requests were sent from hosts on ge-0/0/1 and
five DHCP requests were sent from hosts on ge-0/0/2, with both interfaces set to a
MAC limit of 4 with the action drop:
user@switch> show ethernet-switching table on page 550
Ethernet-switching table: 7 entries, 6 learned
VLAN           MAC address        Type   Age  Interfaces
employee-vlan  *                  Flood  -    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:77  Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:79  Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:80  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:81  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:83  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:85  Learn  0    ge-0/0/2.0

Meaning
The sample output shows that with a MAC limit of 4 for each interface, the DHCP
request for a fifth MAC address on ge-0/0/2 was dropped because it exceeded the
MAC limit. The address was not learned, and thus an asterisk (*) rather than an
address appears in the MAC address column in the first line of the sample output.

Verifying That Allowed MAC Addresses Are Working Correctly


Purpose

Verify that allowed MAC addresses are working on the switch.

Action

Display the MAC cache information after allowed MAC addresses have been configured
on an interface. The following sample shows the MAC cache after 5 allowed MAC
addresses had been configured on interface ge-0/0/2. In this instance, the interface
was also set to a dynamic MAC limit of 4 with action drop.
user@switch> show ethernet-switching table on page 550
Ethernet-switching table: 5 entries, 4 learned
VLAN           MAC address        Type   Age  Interfaces
employee-vlan  00:05:85:3A:82:80  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:81  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:83  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:85  Learn  0    ge-0/0/2.0
employee-vlan  *                  Flood  -    ge-0/0/2.0

Meaning

Because the MAC limit value for this interface had been set to 4, only four of the five
configured allowed addresses were learned and thus added to the MAC cache. Because
that fifth address was not learned, an asterisk (*) rather than an address appears in
the MAC address column in the last line of the sample output.

Verifying Results of Various Action Settings When the MAC Limit Is Exceeded
Purpose

Verify the results provided by the various action settings for MAC limits (drop, log,
and shutdown) when the limits are exceeded.

Action

Display the results of the various action settings.

NOTE: You can view log messages by using the show log messages command. You
can also have the log messages displayed as they occur by using the monitor start
messages command.

drop action: For MAC limiting configured with a drop action and with the MAC
limit set to 5:
user@switch> show ethernet-switching table on page 550
Ethernet-switching table: 6 entries, 5 learned
VLAN          MAC address        Type   Age  Interfaces
employeevlan  *                  Flood       ge-0/0/2.0
employeevlan  00:05:85:3A:82:80  Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:81  Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:83  Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:85  Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:88  Learn       ge-0/0/2.0


log action: For MAC limiting configured with a log action and with MAC limit
set to 5:
user@switch> show ethernet-switching table
Ethernet-switching table: 74 entries, 73 learned
VLAN          MAC address        Type   Age  Interfaces
employeevlan  *                  Flood       ge-0/0/2.0
employeevlan  00:05:85:3A:82:80  Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:81  Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:82  Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:83  Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:84  Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:85  Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:87  Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:88  Learn       ge-0/0/2.0
. . .

shutdown action: For MAC limiting configured with a shutdown action and with
MAC limit set to 3:
user@switch> show ethernet-switching table
Ethernet-switching table: 4 entries, 3 learned
VLAN          MAC address        Type   Age  Interfaces
employeevlan  *                  Flood       ge-0/0/2.0
employeevlan  00:05:85:3A:82:82  Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:84  Learn       ge-0/0/2.0
employeevlan  00:05:85:3A:82:87  Learn       ge-0/0/2.0

Meaning

For the drop action results: The sixth MAC address exceeded the MAC limit. The
request packet for that address was dropped. Only five MAC addresses have been
learned on ge-0/0/2.
For the log action results: The sixth MAC address exceeded the MAC limit. No MAC
addresses were blocked.
For the shutdown action results: The fourth MAC address exceeded the MAC limit.
The request packet for that address was dropped. Only three MAC addresses have
been learned on ge-0/0/2. Data traffic on ge-0/0/2 is blocked.


NOTE: With action set to shutdown, the show ethernet-switching interfaces on page
545 detail command shows the interface as blocked.
If you set a MAC limit to apply to all interfaces on the switch, you can override that
setting for a particular interface by specifying action none. See Setting the none
Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI
Procedure) on page 780.

Customizing the Ethernet Switching Table Display to View Information for a Specific
Interface
Purpose

You can use the show ethernet-switching table on page 550 interface command to view
information for a specific interface.

Action

For example, to view information for just the ge-0/0/2 interface, type:
user@switch> show ethernet-switching table interface ge-0/0/2.0

Related Topics

Configuring MAC Limiting (CLI Procedure) on page 776

Configuring MAC Limiting (J-Web Procedure) on page 777

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 729

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC
Addresses, to Protect the Switch from Ethernet Switching Table Overflow
Attacks on page 714

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 721

Monitoring Port Security on page 786

Verifying That MAC Move Limiting Is Working Correctly


Purpose

Verify that MAC move limiting is working on the switch.

Action

Display the MAC addresses in the Ethernet switching table when MAC move limiting
has been configured for a VLAN. The following sample shows results after two of the
hosts on ge-0/0/2 sent DHCP requests after the MAC addresses for those hosts had
moved to other interfaces more than five times in 1 second. The VLAN, employee-vlan,
was set to a MAC move limit of 5 with the action drop:
user@switch> show ethernet-switching table on page 550
Ethernet-switching table: 7 entries, 4 learned
VLAN           MAC address        Type   Age  Interfaces
employee-vlan  00:05:85:3A:82:77  Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:79  Learn  0    ge-0/0/1.0
employee-vlan  00:05:85:3A:82:80  Learn  0    ge-0/0/2.0
employee-vlan  00:05:85:3A:82:81  Learn  0    ge-0/0/2.0
employee-vlan  *                  Flood  -    ge-0/0/2.0
employee-vlan  *                  Flood  -    ge-0/0/2.0

Meaning

The last two lines of the sample output show that DHCP requests for two hosts on
ge-0/0/2 were dropped when the hosts had been moved back and forth from the
original interfaces more than five times in 1 second. The MAC addresses for those
hosts were not learned.

NOTE: For descriptions of the results of the various action settings (drop, log, and
shutdown), see Verifying That MAC Limiting Is Working Correctly on page 790.
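The MAC limit actions verified in Verifying That MAC Limiting Is Working Correctly (drop, log, shutdown, and none as an override) and the MAC move limit verified in this section, modelled together as an added example that is not part of the guide. The SwitchingTable class, its method names, the 1-second sliding window and the log message text are invented for illustration; the outcomes follow the Meaning sections above.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple


class SwitchingTable:
    """Toy model of the Ethernet switching table with per-interface MAC
    limiting and per-VLAN MAC move limiting (names are invented)."""

    def __init__(self, mac_limit: int, action: str, mac_move_limit: Optional[int] = None):
        self.mac_limit = mac_limit                # dynamic MACs allowed per interface
        self.action = action                      # "drop", "log", "shutdown" or "none"
        self.mac_move_limit = mac_move_limit      # moves per second per VLAN, or None
        self.entries: Dict[Tuple[str, str], str] = {}    # (vlan, mac) -> interface
        self.blocked: Set[str] = set()            # interfaces shut down by the shutdown action
        self.moves: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.log: List[str] = []                  # what 'show log messages' would show

    def learned_on(self, iface: str) -> int:
        """Number of addresses currently learned on an interface."""
        return sum(1 for i in self.entries.values() if i == iface)

    def learn(self, vlan: str, mac: str, iface: str, now: float = 0.0) -> str:
        """Process a frame with source MAC 'mac' arriving on 'iface' at time 'now'
        (seconds). Returns "learned", "dropped", "logged" or "blocked"."""
        key = (vlan, mac)
        if iface in self.blocked:
            return "blocked"  # shutdown action already blocked data traffic here

        # MAC move limiting: count how often a known address changes interface
        # inside a sliding 1-second window; beyond the limit the request is
        # dropped and the address is no longer learned (a '*' Flood entry).
        if self.mac_move_limit is not None and key in self.entries and self.entries[key] != iface:
            window = self.moves[key]
            window.append(now)
            while window and now - window[0] > 1.0:
                window.popleft()
            if len(window) > self.mac_move_limit:
                self.entries.pop(key, None)
                self.log.append(f"{vlan}: {mac} moved more than {self.mac_move_limit} times in 1 s; dropped")
                return "dropped"

        if key in self.entries:  # known address: refresh it or record the move
            self.entries[key] = iface
            return "learned"

        # MAC limiting for a new address on this interface.
        if self.action != "none" and self.learned_on(iface) >= self.mac_limit:
            if self.action == "drop":
                return "dropped"  # request dropped; address not learned
            if self.action == "log":
                self.log.append(f"{iface}: MAC limit {self.mac_limit} exceeded by {mac}")
                self.entries[key] = iface  # the log action does not block learning
                return "logged"
            if self.action == "shutdown":
                self.blocked.add(iface)
                self.log.append(f"{iface}: MAC limit {self.mac_limit} exceeded; interface shut down")
                return "blocked"
        self.entries[key] = iface
        return "learned"


if __name__ == "__main__":
    # Constructed run mirroring the drop-action sample: limit 4, fifth host dropped.
    table = SwitchingTable(mac_limit=4, action="drop")
    for host in ("80", "81", "83", "85", "88"):
        print(host, table.learn("employee-vlan", f"00:05:85:3a:82:{host}", "ge-0/0/2.0"))
```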

Related Topics

Configuring MAC Move Limiting (CLI Procedure) on page 779

Configuring MAC Move Limiting (J-Web Procedure) on page 779

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Monitoring Port Security on page 786

Verifying That IP Source Guard Is Working Correctly


Purpose

Verify that IP source guard is enabled and is mitigating the effects of any source IP
spoofing attacks on the EX-series switch.

Action

Display the IP source guard database.
user@switch> show ip-source-guard
IP source guard information:
Interface    Tag  IP Address  MAC Address        VLAN
ge-0/0/12.0       10.10.10.7  00:30:48:92:A5:9D  vlan100
ge-0/0/13.0       10.10.10.9  00:30:48:8D:01:3D  vlan100
ge-0/0/13.0  100  *           *                  voice

Meaning

The IP source guard database table contains the VLANs enabled for IP source guard,
the untrusted access interfaces on those VLANs, the VLAN 802.1Q tag IDs if there
are any, and the IP addresses and MAC addresses that are bound to one another. If
a switch interface is associated with multiple VLANs and some of those VLANs are
enabled for IP source guard and others are not, the VLANs that are not enabled for
IP source guard have a star (*) in the IP Address and MAC Address fields. See the
entry for the voice VLAN in the preceding sample output.

Related Topics

Configuring IP Source Guard (CLI Procedure) on page 781


Chapter 47
Configuration Statements for 802.1X, Port Security, and VoIP

[edit access] Configuration Statement Hierarchy on page 795

[edit protocols] Configuration Statement Hierarchy on page 795

[edit ethernet-switching-options] Configuration Statement Hierarchy on page 799

[edit access] Configuration Statement Hierarchy


access {
    profile profile-name {
        accounting {
            order [ radius | none ];
            stop-on-access-deny;
            stop-on-failure;
        }
        authentication-order [ authentication-method ];
        radius {
            accounting-server [ server-address ];
            authentication-server [ server-address ];
        }
    }
}
Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch on page 670

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761

[edit protocols] Configuration Statement Hierarchy


protocols {
    dot1x {
        authenticator {
            authentication-profile-name access-profile-name;
            static {
                mac-address {
                    vlan-assignment (vlan-id | vlan-name);
                    interface interface-names;
                }
            }
            interface (all | interface-name) {
                disable;
                guest-vlan (vlan-name | vlan-id);
                maximum-requests seconds;
                no-reauthentication;
                quiet-period seconds;
                reauthentication {
                    interval seconds;
                }
                retries number;
                server-timeout seconds;
                supplicant (single | single-secure | multiple);
                supplicant-timeout seconds;
                transmit-period seconds;
            }
        }
    }
    gvrp {
        <enable | disable>;
        interface (all | [interface-name]) {
            disable;
        }
        join-timer milliseconds;
        leave-timer milliseconds;
        leaveall-timer milliseconds;
    }
    igmp-snooping {
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
            flag flag (detail | disable | receive | send);
        }
        vlan (vlan-id | vlan-number) {
            disable {
                interface interface-name;
            }
            immediate-leave;
            interface interface-name {
                multicast-router-interface;
                static {
                    group ip-address;
                }
            }
            query-interval seconds;
            query-last-member-interval seconds;
            query-response-interval seconds;
            robust-count number;
        }
    }
    lldp {
        disable;
        advertisement-interval seconds;
        hold-multiplier number;
        interface (all | interface-name) {
            disable;
        }
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
            flag flag (detail | disable | receive | send);
        }
        transmit-delay seconds;
    }
    lldp-med {
        disable;
        fast-start number;
        interface (all | interface-name) {
            disable;
            location {
                elin number;
                civic-based {
                    what number;
                    country-code code;
                    ca-type {
                        number {
                            ca-value value;
                        }
                    }
                }
            }
        }
    }
    mstp {
        disable;
        bpdu-block-on-edge;
        bridge-priority priority;
        configuration-name name;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        max-hops hops;
        msti msti-id {
            vlan (vlan-id | vlan-name);
            interface interface-name {
                disable;
                cost cost;
                edge;
                mode mode;
                priority priority;
            }
        }
        revision-level revision-level;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
            flag flag;
        }
    }
    rstp {
        disable;
        bpdu-block-on-edge;
        bridge-priority priority;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
            flag flag;
        }
    }
    stp {
        disable;
        bridge-priority priority;
        forward-delay seconds;
        hello-time seconds;
        interface (all | interface-name) {
            disable;
            bpdu-timeout-action {
                block;
                alarm;
            }
            cost cost;
            edge;
            mode mode;
            no-root-port;
            priority priority;
        }
        max-age seconds;
        traceoptions {
            file filename <files number> <size size> <no-stamp | world-readable | no-world-readable>;
            flag flag;
        }
    }
}
Related Topics

802.1X for EX-series Switches Overview on page 639

Example: Configure Automatic VLAN Administration Using GVRP on page 393

IGMP Snooping on EX-series Switches Overview on page 581

Understanding 802.1X and LLDP and LLDP-MED on EX-series
Switches on page 648

Understanding MSTP for EX-series Switches on page 422

Understanding RSTP for EX-series Switches on page 421

Understanding STP for EX-series Switches on page 420

[edit ethernet-switching-options] Configuration Statement Hierarchy


ethernet-switching-options {
    analyzer {
        name {
            loss-priority priority;
            ratio number;
            input {
                ingress {
                    interface (all | interface-name);
                    vlan (vlan-id | vlan-name);
                }
                egress {
                    interface (all | interface-name);
                }
            }
            output {
                interface interface-name;
                vlan (vlan-id | vlan-name);
            }
        }
    }
    bpdu-block {
        interface (all | [interface-name]);
        disable-timeout timeout;
    }
    redundant-trunk-group {
        group-name name {
            interface interface-name <primary>;
        }
    }
    secure-access-port {
        interface (all | interface-name) {
            allowed-mac {
                mac-address-list;
            }
            (dhcp-trusted | no-dhcp-trusted);
            mac-limit limit action action;
            static-ip ip-address {
                vlan vlan-name;
                mac mac-address;
            }
        }
        vlan (all | vlan-name) {
            (arp-inspection | no-arp-inspection);
            (examine-dhcp | no-examine-dhcp);
            (ip-source-guard | no-ip-source-guard);
            mac-move-limit limit action action;
        }
    }
    storm-control {
        interface (all | interface-name) {
            level level;
            no-broadcast;
            no-unknown-unicast;
        }
    }
    traceoptions {
        file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
        flag flag <disable>;
    }
    voip {
        interface (all | [interface-name | access-ports]) {
            vlan vlan-name;
            forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
        }
    }
}
Related Topics


Port Mirroring on EX-series Switches Overview on page 1123

Port Security for EX-series Switches Overview on page 654

Understanding 802.1X and VoIP on EX-series Switches on page 652

Understanding Redundant Trunk Links on EX-series Switches on page 365

Understanding Storm Control on EX-series Switches on page 367


access
Syntax

access {
    profile profile-name {
        authentication-order [ldap radius | none];
        accounting {
            order [radius | none];
            stop-on-access-deny;
            stop-on-failure;
        }
        radius {
            accounting-server [server-addresses];
            authentication-server [server-addresses];
        }
    }
}

Hierarchy Level

[edit]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure authentication, authorization, and accounting (AAA) services.
The statements are explained separately.

Default

Not enabled

Required Privilege Level

admin: To view this statement in the configuration.
admin-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch on page 670

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761


accounting
Syntax

accounting {
    order radius | none;
    stop-on-access-deny;
    stop-on-failure;
}

Hierarchy Level

[edit access profile profile-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure the authentication order for authentication, authorization, and accounting
(AAA) services.

Default

Not enabled

Options

none: Use no authentication for specified subscribers.

radius: Use RADIUS authentication for specified subscribers.

The remaining statements are explained separately.

Required Privilege Level

admin: To view this statement in the configuration.
admin-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch on page 670

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761

Understanding 802.1X and AAA Accounting on EX-series Switches on page 647


accounting-server
Syntax

accounting-server [server-addresses];

Hierarchy Level

[edit access profile profile-name radius]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure the Remote Authentication Dial-In User Service (RADIUS) server for
authentication. To configure multiple RADIUS servers, include multiple server
addresses. The servers are tried in order and in a round-robin fashion until a valid
response is received from one of the servers or until all the configured retry limits
are reached.

Default

Not enabled

Options

server-addresses: One or more addresses of RADIUS authentication servers.

Required Privilege Level

admin: To view this statement in the configuration.
admin-control: To add this statement to the configuration.

Related Topics

show network-access aaa statistics authentication on page 895

Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch on page 670

Understanding 802.1X and AAA Accounting on EX-series Switches on page 647


advertisement-interval
Syntax

advertisement-interval seconds;

Hierarchy Level

[edit protocols lldp]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

For switches configured for Link Layer Discovery Protocol, configure the frequency
at which LLDP advertisements are sent.

Default

Disabled.

Options

seconds: (Optional) The number of seconds.
Range: 5 through 32,768 seconds
Default: 30 seconds

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show lldp on page 881

Configuring LLDP (CLI Procedure) on page 764

Understanding 802.1X and LLDP and LLDP-MED on EX-series
Switches on page 648


allowed-mac
Syntax

allowed-mac {
    mac-address-list;
}

Hierarchy Level

[edit ethernet-switching-options secure-access-port interface (all | interface-name)]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Specify particular MAC addresses to be added to the MAC address cache.

Default

Allowed MAC addresses take precedence over dynamic MAC values that have been
applied with the mac-limit statement.

Options

mac-address-list: One or more MAC addresses configured as allowed MAC addresses
for a specified interface or all interfaces.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

mac-limit

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks on page 729

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC
Addresses, to Protect the Switch from Ethernet Switching Table Overflow
Attacks on page 714

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks on page 721

Configuring MAC Limiting (CLI Procedure) on page 776

Configuring MAC Limiting (J-Web Procedure) on page 777


arp-inspection
Syntax

(arp-inspection | no-arp-inspection);

Hierarchy Level

[edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Perform dynamic ARP inspection on all VLANs or on the specified VLAN.

arp-inspection: Enable ARP inspection.

no-arp-inspection: Disable ARP inspection.

Default

Disabled.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series
Switch with Access to a DHCP Server Through a Second Switch on page 732

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks on page 725

Enabling Dynamic ARP Inspection (CLI Procedure) on page 774

Enabling Dynamic ARP Inspection (J-Web Procedure) on page 775


authentication-order
Syntax

authentication-order [ldap radius | none];

Hierarchy Level

[edit access profile profile-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure the order of authentication, authorization, and accounting (AAA) servers
to use while sending authentication messages.

Default

Not enabled

Options

ldap: Lightweight Directory Access Protocol.

none: No authentication for specified subscribers.

radius: Remote Authentication Dial-In User Service authentication.

Required Privilege Level

admin: To view this statement in the configuration.
admin-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch on page 670

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761


authenticator
Syntax

authenticator {
    authentication-profile-name access-profile-name;
    static {
        mac-address {
            vlan-assignment (vlan-id | vlan-name);
            interface interface-names;
        }
    }
}

Hierarchy Level

[edit protocols dot1x]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure an authenticator for 802.1X authentication.
The statements are explained separately.

Default

No static MAC address or VLAN is configured.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series
Switch on page 680

Understanding 802.1X Static MAC on EX-series Switches on page 650


authentication-profile-name
Syntax

authentication-profile-name access-profile-name;

Hierarchy Level

[edit protocols dot1x authenticator]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Specify the name of the access profile to be used for 802.1X authentication.

Default

No access profile is specified.

Options

access-profile-name: Name of the access profile. The access profile is configured at
the [edit access profile] hierarchy level and contains the RADIUS server IP address
and other information used for 802.1X authentication.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch on page 670

Configuring 802.1X Authentication (CLI Procedure) on page 756

Configuring 802.1X Authentication (J-Web Procedure) on page 758

Understanding 802.1X Authentication on EX-series Switches on page 641


authentication-server
Syntax

authentication-server [server-addresses];

Hierarchy Level

[edit access profile profile-name radius]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure the Remote Authentication Dial-In User Service (RADIUS) server for
authentication. To configure multiple RADIUS servers, include multiple server
addresses. The servers are tried in order and in a round-robin fashion until a valid
response is received from one of the servers or until all the configured retry limits
are reached.

Default

Not enabled

Options

server-addresses: Configure one or more RADIUS server addresses.

Required Privilege Level

admin: To view this statement in the configuration.
admin-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch on page 670

show network-access aaa statistics authentication on page 895


ca-type
Syntax

ca-type {
    number {
        ca-value value;
    }
}

Hierarchy Level

[edit protocols lldp-med interface (all | interface-name) location civic-based]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

For Link Layer Discovery Protocol Media Endpoint Device (LLDP-MED), configure
the address elements. These elements are included in the location information to be
advertised from the switch to the MED. This information is used during emergency
calls to identify the location of the MED.
For further information about the values that can be used to comprise the location,
refer to RFC 4776, Dynamic Host Configuration Protocol (DHCPv4 and DHCPv6) Option
for Civic Addresses Configuration Information. A subset of those values is provided
below.
The ca-value statement is explained separately.

Default

Disabled.

Options

value: Civic address elements that represent the civic or postal address. Values are:

0: A code that specifies the language used to describe the location.

16: The leading-street direction, such as N.

17: A trailing street suffix, such as SW.

18: A street suffix or type, such as Ave or Platz.

19: A house number, such as 6450.

20: A house-number suffix, such as A or 1/2.

21: A landmark, such as Stanford University.

22: Additional location information, such as South Wing.

23: The name and occupant of a location, such as Carrillo's Holiday Market.

24: A house-number suffix, such as 95684.

25: A building structure, such as East Library.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

show lldp on page 881

Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch

ca-type

811

Complete Software Guide for JUNOS for EX-series Software, Release 9.2

Configuring LLDP-MED (CLI Procedure) on page 766

ca-value
Syntax
ca-value value;
Hierarchy Level
[edit protocols lldp-med interface (all | interface-name) location civic-based ca-type number]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
For Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), configure one piece of location information, such as a street address or city, indexed by the ca-type code it belongs to. This information is advertised from the switch to the MED and is used during emergency calls to identify the location of the MED.
Default
Disabled.
Options
value: The value corresponding to the ca-type code. See ca-type for the list of codes and suggested values.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
show lldp on page 881
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
Configuring LLDP-MED (CLI Procedure) on page 766

civic-based
Syntax
civic-based {
    what number;
    country-code code;
    ca-type {
        number {
            ca-value value;
        }
    }
}
Hierarchy Level
[edit protocols lldp-med interface (all | interface-name) location]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
For Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), configure the civic (street address) location to be advertised from the switch to the MED. This information is used during emergency calls to identify the location of the MED.
The statements are explained separately.
Default
Disabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
show lldp on page 881
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
Configuring LLDP-MED (CLI Procedure) on page 766

country-code
Syntax
country-code code;
Hierarchy Level
[edit protocols lldp-med interface (all | interface-name) location civic-based]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
For Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), configure the two-letter country code included in the civic-based location information. Location information is advertised from the switch to the MED and is used during emergency calls to identify the location of the MED. The country code is required whenever a civic-based location is configured.
Default
Disabled.
Options
code: Two-letter ISO 3166 country code in uppercase ASCII letters; for example, US or DE.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
show lldp on page 881
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
Configuring LLDP-MED (CLI Procedure) on page 766

dhcp-trusted
Syntax
(dhcp-trusted | no-dhcp-trusted);
Hierarchy Level
[edit ethernet-switching-options secure-access-port interface (all | interface-name)]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Mark the specified interface (port), or all interfaces, as trusted for DHCP snooping, so that DHCP server responses received on it are accepted. DHCP server responses arriving on an untrusted interface are denied, which keeps a rogue DHCP server attached to an access port from handing out leases.
Options
dhcp-trusted: Accept DHCP server responses received on the interface.
no-dhcp-trusted: Deny DHCP server responses received on the interface.
Default
Trunk ports are trusted; access ports are untrusted.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 718
Enabling a Trusted DHCP Server (CLI Procedure) on page 773
Enabling a Trusted DHCP Server (J-Web Procedure) on page 773

disable
Syntax
disable;
Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Disable 802.1X authentication on the specified interfaces or on all interfaces.
Default
802.1X authentication is disabled on all interfaces.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
show dot1x on page 873
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 685
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 675
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 680
Configuring 802.1X Authentication (CLI Procedure) on page 756
Configuring 802.1X Authentication (J-Web Procedure) on page 758

disable
Syntax
disable;
Hierarchy Level
[edit protocols lldp],
[edit protocols lldp interface (all | interface-name)]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Disable LLDP on the switch or on one or more interfaces.
Default
If you do not configure LLDP, it is disabled on the switch and on the individual switch interfaces.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
show lldp on page 881
Configuring LLDP (CLI Procedure) on page 764
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

disable
Syntax
disable;
Hierarchy Level
[edit protocols lldp-med],
[edit protocols lldp-med interface (all | interface-name)]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Disable LLDP-MED on the switch or on one or more interfaces.
Default
If you do not configure LLDP-MED, it is disabled on the switch and on the individual switch interfaces.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
show lldp on page 881
Configuring LLDP (CLI Procedure) on page 764
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

dot1x
Syntax
dot1x {
    authenticator {
        authentication-profile-name access-profile-name;
        static {
            mac-address {
                vlan-assignment (vlan-id | vlan-name);
                interface interface-names;
            }
        }
        interface (all | [interface-names]) {
            disable;
            guest-vlan (vlan-name | vlan-id);
            maximum-requests number;
            no-reauthentication;
            quiet-period seconds;
            reauthentication {
                interval seconds;
            }
            retries number;
            server-timeout seconds;
            supplicant (single | single-secure | multiple);
            supplicant-timeout seconds;
            transmit-period seconds;
        }
    }
}
Hierarchy Level
[edit protocols]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Configure 802.1X authentication for Port-Based Network Access Control.
The statements are explained separately.
Default
802.1X is disabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
show dot1x on page 873
clear dot1x on page 868
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 685
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 675
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 680
Configuring 802.1X Authentication (CLI Procedure) on page 756
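The following configuration is an example added to this page, not Juniper's own text or one of the guide's examples. It ties the RADIUS access profile described under authentication-server to the dot1x authenticator statements documented above, using interface all for the defaults and per-interface overrides for the cases that matter. The server addresses, interface names, VLAN name and shared secret are placeholders, and the [edit access radius-server], authentication-order and [edit vlans] statements are assumed to be available in this release; they are not documented on this page.

```junos
/* Added example (not from the Juniper guide). Placeholder addresses, names
   and secret; radius-server, authentication-order and vlans are assumed
   hierarchies that this page does not document. */
access {
    radius-server {
        /* Two servers so that one failing server does not lock every user out.
           The secret is stored encrypted once the configuration is committed. */
        192.0.2.10 secret "replace-with-a-long-random-secret";
        192.0.2.11 secret "replace-with-a-long-random-secret";
    }
    profile dot1x-radius {
        authentication-order radius;
        radius {
            /* Tried in the order listed, round-robin, until a valid response
               arrives or the retry limit is reached on every server. */
            authentication-server [ 192.0.2.10 192.0.2.11 ];
        }
    }
}
vlans {
    guest {
        vlan-id 300;    /* guest-vlan only accepts a VLAN that already exists */
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name dot1x-radius;
            /* Defaults for every port: one host per port. single-secure
               authenticates the first supplicant only and drops frames from any
               other MAC address, so a hub or VM bridge behind the port cannot
               ride on the authenticated session the way it can with "single". */
            interface all {
                supplicant single-secure;
                reauthentication {
                    interval 1800;      /* re-check credentials every 30 minutes */
                }
                quiet-period 30;        /* wait after a failed attempt before retrying */
                transmit-period 30;
                maximum-requests 2;     /* EAPOL retransmissions before the session times out */
                server-timeout 15;
                supplicant-timeout 15;
            }
            /* Conference-room port: every attached device authenticates on its own;
               a device with no supplicant lands in the guest VLAN instead of
               being silently blocked. */
            interface ge-0/0/10.0 {
                supplicant multiple;
                guest-vlan guest;
            }
            /* Uplink to the distribution switch: excluded from "interface all". */
            interface ge-0/0/47.0 {
                disable;
            }
        }
    }
}
```

After committing, show dot1x (page 873) lists the authentication state per interface. A guest VLAN should never be a VLAN that can reach internal services, and no-reauthentication should be avoided on ports where a device can be swapped, because the port then stays open on the credentials of whatever authenticated first.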

elin
Syntax
elin number;
Hierarchy Level
[edit protocols lldp-med interface (all | interface-name) location]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
For Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), configure the Emergency Line Identification Number (ELIN) as the location information. Location information is advertised from the switch to the MED and is used during emergency calls to identify the location of the MED.
Default
Disabled.
Options
number: A 10-digit number (area code and telephone number).
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
show lldp on page 881
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
Configuring LLDP-MED (CLI Procedure) on page 766

ethernet-switching-options
Syntax
ethernet-switching-options {
    analyzer {
        name {
            loss-priority priority;
            ratio number;
            input {
                ingress {
                    interface (all | interface-name);
                    vlan (vlan-id | vlan-name);
                }
                egress {
                    interface (all | interface-name);
                }
            }
            output {
                interface interface-name;
                vlan (vlan-id | vlan-name);
            }
        }
    }
    bpdu-block {
        interface (all | [interface-name]);
        disable-timeout timeout;
    }
    redundant-trunk-group {
        group-name name {
            interface interface-name <primary>;
            interface interface-name;
        }
    }
    secure-access-port {
        interface (all | interface-name) {
            allowed-mac {
                mac-address-list;
            }
            (dhcp-trusted | no-dhcp-trusted);
            mac-limit limit action action;
            static-ip ip-address {
                vlan vlan-name;
                mac mac-address;
            }
        }
        vlan (all | vlan-name) {
            (arp-inspection | no-arp-inspection);
            (examine-dhcp | no-examine-dhcp);
            (ip-source-guard | no-ip-source-guard);
            mac-move-limit limit action action;
        }
    }
    storm-control {
        interface (all | interface-name) {
            level level;
            no-broadcast;
            no-unknown-unicast;
        }
    }
    traceoptions {
        file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
        flag flag <disable>;
    }
    voip {
        interface (all | [interface-name | access-ports]) {
            vlan vlan-name;
            forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
        }
    }
}
Hierarchy Level
[edit]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Support for storm control and BPDU protection added in JUNOS Release 9.1.
Description
Configure Ethernet switching options.
The statements are explained separately.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 422
Port Mirroring on EX-series Switches Overview on page 1123
Port Security for EX-series Switches Overview on page 654
Understanding Redundant Trunk Links on EX-series Switches on page 365
Understanding Storm Control on EX-series Switches on page 367
Understanding 802.1X and VoIP on EX-series Switches on page 652

examine-dhcp
Syntax
(examine-dhcp | no-examine-dhcp);
Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Enable DHCP snooping on all VLANs or on the specified VLAN. DHCP snooping records the IP address, MAC address, VLAN and interface of each lease it observes in the DHCP snooping database; dynamic ARP inspection (DAI) and IP source guard check packets against that database.
Options
examine-dhcp: Enable DHCP snooping.
no-examine-dhcp: Disable DHCP snooping.
Default
Disabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 732
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 725
Enabling DHCP Snooping (CLI Procedure) on page 771
Enabling DHCP Snooping (J-Web Procedure) on page 772

fast-start
Syntax
fast-start number;
Hierarchy Level
[edit protocols lldp-med]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Configure the number of Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED) advertisements the switch sends in the first second after it has detected an LLDP-MED device (such as an IP telephone).
Options
number: Number of advertisements sent in the first second.
Range: 1 through 10
Default: 3
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
show lldp on page 881
Configuring LLDP-MED (CLI Procedure) on page 766
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

forwarding-class
Syntax
forwarding-class (assured-forwarding | best-effort | expedited-forwarding | network-control);
Hierarchy Level
[edit ethernet-switching-options voip interface (all | interface-name | access-ports)]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
For EX-series switches, configure the forwarding class used to handle packets on the VoIP interface.
Default
Disabled.
Options
class: Forwarding class:
assured-forwarding: Assured forwarding (AF). Provides a group of values you can define and includes four subclasses, AF1, AF2, AF3 and AF4, each with three drop probabilities: low, medium and high.
best-effort: Provides no service profile. For the best-effort forwarding class, loss priority is typically not carried in a class-of-service (CoS) value, and random early detection (RED) drop profiles are more aggressive.
expedited-forwarding: Provides a low-loss, low-latency, low-jitter, assured-bandwidth, end-to-end service.
network-control: Provides a typically high priority because it supports protocol control.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
Example: Configuring VoIP on an EX-series Switch Without Including 802.1X Authentication on page 698
Example: Configuring VoIP on an EX-series Switch Without Including LLDP-MED Support on page 704

guest-vlan
Syntax
guest-vlan (vlan-id | vlan-name);
Hierarchy Level
[edit protocols dot1x authenticator interface (all | [interface-names])]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Specify the VLAN to which an interface is moved when no 802.1X supplicant responds on the interface. The VLAN specified must already exist on the switch.
Default
None
Options
vlan-id: VLAN tag identifier of the guest VLAN.
vlan-name: Name of the guest VLAN.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX-series Switch on page 675
Understanding Guest VLANs for 802.1X on EX-series Switches on page 646

hold-multiplier
Syntax
hold-multiplier number;
Hierarchy Level
[edit protocols lldp]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Specify the multiplier applied to the advertisement-interval value to determine how long LLDP information received from a neighbor is held before it is discarded. With the default advertisement interval of 30 seconds, the default multiplier of 4 gives a hold time of 120 seconds.
Default
4 (a hold time of 120 seconds at the default advertisement interval)
Options
number: The multiplier.
Range: 2 through 10
Default: 4
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
show lldp on page 881
Configuring LLDP (CLI Procedure) on page 764
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

interface
Syntax
interface (all | interface-name) {
    allowed-mac {
        mac-address-list;
    }
    (dhcp-trusted | no-dhcp-trusted);
    mac-limit limit action action;
    static-ip ip-address {
        vlan vlan-name;
        mac mac-address;
    }
}
Hierarchy Level
[edit ethernet-switching-options secure-access-port]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
static-ip ip-address introduced in JUNOS Release 9.2 for EX-series switches.
Description
Apply port security features to all interfaces or to the specified interface.
The statements are explained separately.
Options
all: Apply port security features to all interfaces.
interface-name: Apply port security features to the specified interface.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 729
Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 714
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 721
Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 718
Configuring MAC Limiting (CLI Procedure) on page 776
Enabling a Trusted DHCP Server (CLI Procedure) on page 773
Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 783

interface
Syntax
interface (all | interface-name) {
    disable;
    location {
        elin number;
        civic-based {
            what number;
            country-code code;
            ca-type {
                number {
                    ca-value value;
                }
            }
        }
    }
}
Hierarchy Level
[edit protocols lldp-med]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Configure Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED) on all interfaces or on a specific interface.
Default
Not enabled
Options
all: All interfaces on the switch.
interface-name: Name of a specific interface.
The remaining statements are explained separately.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
show lldp on page 881
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
Configuring LLDP-MED (CLI Procedure) on page 766
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

interface
Syntax
interface (all | interface-name) {
    disable;
}
Hierarchy Level
[edit protocols lldp]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Configure Link Layer Discovery Protocol (LLDP) on all interfaces or on a specific interface.
Default
None
Options
all: All interfaces on the switch.
interface-name: Name of a specific interface.
The remaining statement is explained separately.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
Configuring LLDP (CLI Procedure) on page 764
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

interface
Syntax
interface (all | [interface-name] | access-ports) {
    vlan vlan-name;
    forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
}
Hierarchy Level
[edit ethernet-switching-options voip]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Enable voice over IP (VoIP) on all interfaces, on specific interfaces, or on all access ports.
Options
all | interface-name | access-ports: Enable VoIP on all interfaces, on a specific interface, or on all access ports.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
Example: Configuring VoIP on an EX-series Switch Without Including 802.1X Authentication on page 698
Example: Configuring VoIP on an EX-series Switch Without Including LLDP-MED Support on page 704

interface
Syntax
interface (all | [interface-names]) {
    disable;
    guest-vlan (vlan-name | vlan-id);
    maximum-requests number;
    no-reauthentication;
    quiet-period seconds;
    reauthentication {
        interval seconds;
    }
    retries number;
    server-timeout seconds;
    supplicant (single | single-secure | multiple);
    supplicant-timeout seconds;
    transmit-period seconds;
}
Hierarchy Level
[edit protocols dot1x authenticator]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Configure 802.1X authentication for Port-Based Network Access Control on all interfaces or on specific interfaces.
Options
all: Configure all interfaces for 802.1X authentication.
[interface-names]: List of interfaces to configure for 802.1X authentication.
The remaining statements are explained separately.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
show dot1x on page 873
clear dot1x on page 868
Configuring 802.1X Authentication (CLI Procedure) on page 756
Configuring 802.1X Authentication (J-Web Procedure) on page 758

ip-source-guard
Syntax
(ip-source-guard | no-ip-source-guard);
Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]
Release Information
Statement introduced in JUNOS Release 9.2 for EX-series switches.
Description
Perform IP source guard checking on packets received on access interfaces. Validate source IP addresses and source MAC addresses on all VLANs or on the specified VLAN or VLAN range. Packets with valid addresses are forwarded; packets with invalid addresses are dropped.
Options
ip-source-guard: Enable IP source guard checking.
no-ip-source-guard: Disable IP source guard checking.
Default
Disabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN on page 740
Example: Configuring IP Source Guard with Other EX-series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 746
Configuring IP Source Guard (CLI Procedure) on page 781

lldp
Syntax
lldp {
    disable;
    advertisement-interval seconds;
    fast-start number;
    hold-multiplier number;
    interface (all | [interface-name]) {
        disable;
    }
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag (detail | disable | receive | send);
    }
    transmit-delay seconds;
}
Hierarchy Level
[edit protocols]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Configure Link Layer Discovery Protocol (LLDP). The switch uses LLDP to advertise its identity and capabilities on a LAN and to receive the same information from other network devices. LLDP is defined in the IEEE standard 802.1AB-2005.
The statements are explained separately.
Default
LLDP is enabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
show lldp on page 881
Configuring LLDP-MED (CLI Procedure) on page 766
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

lldp-med
Syntax
lldp-med {
    disable;
    fast-start number;
    interface (all | interface-name) {
        disable;
        location {
            elin number;
            civic-based {
                what number;
                country-code code;
                ca-type {
                    number {
                        ca-value value;
                    }
                }
            }
        }
    }
}
Hierarchy Level
[edit protocols]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Configure Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED). LLDP-MED is an extension of LLDP. The switch uses LLDP-MED to discover VoIP telephones and to build location databases for those telephones for emergency services. LLDP-MED is defined in the standard ANSI/TIA-1057 by the Telecommunications Industry Association (TIA).
The statements are explained separately.
Default
Disabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
show lldp on page 881
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
Configuring LLDP-MED (CLI Procedure) on page 766

location
Syntax
location {
    elin number;
    civic-based {
        what number;
        country-code code;
        ca-type {
            number {
                ca-value value;
            }
        }
    }
}
Hierarchy Level
[edit protocols lldp-med interface (all | interface-name)]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
For Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), configure the location information. Location information is advertised from the switch to the MED and is used during emergency calls to identify the location of the MED.
The statements are explained separately.
Default
Disabled.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
show lldp on page 881
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
Configuring LLDP-MED (CLI Procedure) on page 766
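The configuration below is an example added to this page, not Juniper's own text or one of the guide's examples. It puts together the lldp, lldp-med, location, civic-based, ca-type, ca-value, elin and fast-start statements documented above with the voip interface and forwarding-class statements documented earlier in this chapter. Interface names, the VLAN name, the address and the ELIN are placeholders; only ca-type codes listed in the ca-type entry are used; the meaning of the what element (2 for the location of the endpoint itself) is taken from RFC 4776, not from this page; and the [edit vlans] hierarchy is assumed to exist in this release.

```junos
/* Added example (not from the Juniper guide). Placeholder interfaces, VLAN,
   address and ELIN; the "what" value meaning comes from RFC 4776 and the vlans
   hierarchy is assumed rather than documented on this page. */
vlans {
    voice {
        vlan-id 200;
    }
}
protocols {
    lldp {
        advertisement-interval 30;   /* seconds between LLDP advertisements */
        hold-multiplier 4;           /* neighbor data aged out after 4 x 30 = 120 s */
        interface all;
        /* LLDP advertises the chassis identity, port description and system
           description in clear text; keep that off the port facing the
           upstream network, where nothing needs it. */
        interface ge-0/0/47.0 {
            disable;
        }
    }
    lldp-med {
        fast-start 3;   /* 3 advertisements in the first second after a phone is detected */
        /* Desk phone: full civic address, sent to the phone and used by the
           emergency call route to locate the caller. */
        interface ge-0/0/5.0 {
            location {
                civic-based {
                    what 2;              /* RFC 4776: address is that of the endpoint itself (assumed meaning) */
                    country-code US;     /* required with civic-based; uppercase ISO 3166 */
                    ca-type 0 {
                        ca-value en;     /* language of the address elements */
                    }
                    ca-type 19 {
                        ca-value 1194;   /* house number */
                    }
                    ca-type 16 {
                        ca-value N;      /* leading street direction */
                    }
                    ca-type 18 {
                        ca-value Ave;    /* street suffix or type */
                    }
                    ca-type 22 {
                        ca-value "Building 2, Floor 3";   /* additional location information */
                    }
                    ca-type 24 {
                        ca-value 94089;  /* postal code */
                    }
                }
            }
        }
        /* Lobby phone: a 10-digit emergency callback number instead of an address. */
        interface ge-0/0/6.0 {
            location {
                elin 4085550100;
            }
        }
    }
}
ethernet-switching-options {
    voip {
        /* Put every access port's phone on the voice VLAN and queue its traffic
           as expedited forwarding (low loss, low latency). */
        interface access-ports {
            vlan voice;
            forwarding-class expedited-forwarding;
        }
    }
}
```

Verify with show lldp (page 881). Because the location is carried unauthenticated in LLDP-MED frames, treat the accuracy of what is configured per port as a safety matter: a phone moved to another port without the configuration being updated will report the old port's address during an emergency call.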


mac
Syntax
mac mac-address;
Hierarchy Level
[edit ethernet-switching-options secure-access-port interface (all | interface-name) static-ip ip-address vlan vlan-name]
Release Information
Statement introduced in JUNOS Release 9.2 for EX-series switches.
Description
Media access control (MAC) address, or hardware address, of the device connected to the specified interface. Together with the static-ip and vlan values it forms a static entry in the DHCP snooping database for a device that does not obtain its address through DHCP.
Options
mac-address: The MAC address assigned to this device, in hexadecimal notation.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 783

mac-limit
Syntax
mac-limit limit action action;
Hierarchy Level
[edit ethernet-switching-options secure-access-port interface (all | interface-name)]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Maximum number of MAC addresses that can be dynamically added to the MAC address cache for this interface (port), and the action the switch takes when that learning limit is reached on the interface.
Default
The default limit is 5 MAC addresses for each interface (port). The default action is no action (none).
Options
limit: Maximum number of MAC addresses.
action: Action to take when the MAC address limit is reached:
none: No action. This is the default.
drop: Drop the packet and generate an alarm, an SNMP trap, or a system log entry.
log: Do not drop the packet, but generate an alarm, an SNMP trap, or a system log entry.
shutdown: Block data traffic on the interface and generate an alarm.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
allowed-mac
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 729
Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 714
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 721
Configuring MAC Limiting (CLI Procedure) on page 776
Configuring MAC Limiting (J-Web Procedure) on page 777

mac-move-limit
Syntax
mac-move-limit limit action action;
Hierarchy Level
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]
Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description
Number of times a MAC address may move to a different interface (port) within 1 second, and the action the switch takes when that move limit is reached.
Default
The default move limit is unlimited. The default action is no action (none).
Options
limit: Maximum number of moves to a different interface per second.
action: Action to take when the MAC address move limit is reached:
none: No action. This is the default.
drop: Drop the packet and generate an alarm, an SNMP trap, or a system log entry.
log: Do not drop the packet, but generate an alarm, an SNMP trap, or a system log entry.
shutdown: Block data traffic on the interface and generate an alarm.
Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.
Related Topics
mac-limit
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Configuring MAC Move Limiting (CLI Procedure) on page 779
Configuring MAC Move Limiting (J-Web Procedure) on page 779

Chapter 47: Configuration Statements for 802.1X, Port Security, and VoIP

maximum-requests

Syntax

maximum-requests number;

Hierarchy Level

[edit protocols dot1x authenticator interface (all | [interface-names])]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

For 802.1X authentication, configure the maximum number of times an EAPOL
request packet is retransmitted to the supplicant before the authentication session
times out.

Default

Two retransmission attempts

Options

number: Number of retransmission attempts.
Range: 1 through 10
Default: 2

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Configuring 802.1X Authentication (CLI Procedure) on page 756

Configuring 802.1X Authentication (J-Web Procedure) on page 758
no-reauthentication

Syntax

no-reauthentication;

Hierarchy Level

[edit protocols dot1x authenticator interface (all | [interface-names])]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

For 802.1X authentication, disables reauthentication.

Default

Not disabled

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Configuring 802.1X Authentication (CLI Procedure) on page 756

Configuring 802.1X Authentication (J-Web Procedure) on page 758

Understanding 802.1X Authentication on EX-series Switches on page 641
order

Syntax

order [radius | none];

Hierarchy Level

[edit access profile accounting]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure the order of authentication, authorization, and accounting (AAA) servers
to use while sending accounting messages and updates.

Default

Not enabled

Options

none: No accounting for specified subscribers.

radius: Remote Authentication Dial-In User Service (RADIUS) accounting for specified subscribers.

[radius | none]: Use multiple types of accounting in the order specified. RADIUS
accounting is used first; if no RADIUS server is available, no accounting is done.

Required Privilege Level

admin: To view this statement in the configuration.

admin-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 670

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761
profile

Syntax

profile profile-name {
    accounting {
        order [radius | none];
        stop-on-access-deny;
        stop-on-failure;
    }
    authentication-order [authentication-method];
    radius {
        accounting-server [server-addresses];
        authentication-server [server-addresses];
    }
}

Hierarchy Level

[edit access]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure an access profile. The access profile contains the entire authentication,
authorization, and accounting (AAA) configuration that aids in handling AAA requests,
including the authentication method and order, AAA server addresses, and AAA
accounting.

Default

Not enabled

Options

profile-name: Profile name of up to 32 characters.

The remaining statements are explained separately.

Required Privilege Level

admin: To view this statement in the configuration.

admin-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 670

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761
quiet-period

Syntax

quiet-period seconds;

Hierarchy Level

[edit protocols dot1x authenticator interface (all | [interface-names])]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

For 802.1X authentication, configure the number of seconds the interface remains
in the wait state following a failed authentication attempt by a supplicant before
reattempting authentication.

Default

60 seconds

Options

seconds: Number of seconds the interface remains in the wait state.
Range: 0 through 65,535 seconds
Default: 60 seconds

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

show network-access aaa statistics authentication on page 895

Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 670
radius

Syntax

radius {
    accounting-server [server-addresses];
    authentication-server [server-addresses];
}

Hierarchy Level

[edit access profile profile-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure the Remote Authentication Dial-In User Service (RADIUS) servers for
authentication and for accounting. To configure multiple RADIUS servers, include
multiple radius statements. The servers are tried in order and in a round-robin fashion
until a valid response is received from one of the servers or until all the configured
retry limits are reached.

The statements are explained separately.

Required Privilege Level

admin: To view this statement in the configuration.

admin-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 670

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761

Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on page 762
reauthentication

Syntax

reauthentication {
    interval seconds;
}

Hierarchy Level

[edit protocols dot1x authenticator interface (all | [interface-names])]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

For 802.1X authentication, specify reauthentication parameters.

Default

3600 seconds.

Options

disable: Disables the periodic reauthentication of the supplicant.

interval seconds: Sets the periodic reauthentication time interval. The range is 1
through 65,535 seconds.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Configuring 802.1X Authentication (CLI Procedure) on page 756

Configuring 802.1X Authentication (J-Web Procedure) on page 758

Understanding 802.1X Authentication on EX-series Switches on page 641
retries

Syntax

retries number;

Hierarchy Level

[edit protocols dot1x authenticator interface (all | [interface-names])]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

For 802.1X authentication, configure the number of times the switch attempts to
authenticate the port after an initial failure. The port remains in a wait state during
the quiet period after the authentication attempt.

Default

3 retries

Options

number: Number of retries.
Range: 1 through 10
Default: 3

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Configuring 802.1X Authentication (CLI Procedure) on page 756

Configuring 802.1X Authentication (J-Web Procedure) on page 758

Understanding 802.1X Authentication on EX-series Switches on page 641
secure-access-port

Syntax

secure-access-port {
    interface (all | interface-name) {
        allowed-mac {
            mac-address-list;
        }
        (dhcp-trusted | no-dhcp-trusted);
        mac-limit limit action action;
        static-ip ip-address {
            vlan vlan-name;
            mac mac-address;
        }
    }
    vlan (all | vlan-name) {
        (arp-inspection | no-arp-inspection);
        (examine-dhcp | no-examine-dhcp);
        (ip-source-guard | no-ip-source-guard);
        mac-move-limit limit action action;
    }
}

Hierarchy Level

[edit ethernet-switching-options]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

static-ip and ip-source-guard introduced in JUNOS Release 9.2 for EX-series switches.

Description

Configure port security features, including MAC limiting and whether interfaces can
receive DHCP responses, and apply dynamic ARP inspection, DHCP snooping, and
MAC move limiting to no VLANs, specific VLANs, or all VLANs.

The statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 732

Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks on page 729

Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks on page 714

Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks on page 721

Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks on page 718

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 725

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN on page 740
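A port-security configuration that exercises the interface-level and VLAN-level statements described under mac-limit, mac-move-limit, secure-access-port, static-ip, and vlan. This is an added example, not configuration from the guide; the interface names, the VLAN name employee-vlan, and the MAC and IP address values are assumptions.

```junos
/* Constructed example, not from the guide. Assumed layout: PCs on
   ge-0/0/1 and ge-0/0/2, a printer with a fixed address on ge-0/0/2,
   the DHCP server reached only through uplink ge-0/0/24, all in
   VLAN employee-vlan. MAC and IP values are constructed. */
ethernet-switching-options {
    secure-access-port {
        interface ge-0/0/1 {
            /* Access port: DHCP server replies must never arrive here. */
            no-dhcp-trusted;
            /* Cap learned addresses and block the port on overflow, so a
               host flooding source MACs cannot fill the switching table. */
            mac-limit 4 action shutdown;
        }
        interface ge-0/0/2 {
            no-dhcp-trusted;
            /* Only these addresses (constructed values) may be learned
               here; the mac-limit still applies to the total. */
            allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 ];
            mac-limit 2 action drop;
            /* Printer with a fixed address: a static binding in the DHCP
               snooping database lets DAI and IP source guard validate it
               even though it never takes a lease. */
            static-ip 192.0.2.10 {
                vlan employee-vlan;
                mac 00:05:85:3a:82:81;
            }
        }
        interface ge-0/0/24 {
            /* The uplink toward the DHCP server is the only trusted port. */
            dhcp-trusted;
        }
        vlan employee-vlan {
            /* Build the snooping database, then enforce it for ARP and IP. */
            examine-dhcp;
            arp-inspection;
            ip-source-guard;
            /* More than 5 moves per second is logged but not dropped. */
            mac-move-limit 5 action log;
        }
    }
}
```

The shutdown action on ge-0/0/1 is deliberate: a port that trips the limit stays blocked until cleared, whereas the log action on the VLAN keeps traffic flowing while still producing the alarm, SNMP trap, or syslog entry the statement descriptions list.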

server-timeout

Syntax

server-timeout seconds;

Hierarchy Level

[edit protocols dot1x authenticator interface (all | [interface-name])]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

For 802.1X authentication, configure the amount of time a port waits for a reply
when relaying a response from the supplicant to the authentication server before
timing out and invoking the server-fail action.

Default

30 seconds

Options

seconds: Number of seconds.
Range: 1 through 60 seconds
Default: 30 seconds

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

show dot1x on page 873

clear dot1x on page 868

Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 670

802.1X for EX-series Switches Overview on page 639
static

Syntax

static {
    mac-address {
        vlan-assignment (vlan-id | vlan-name);
        interface interface-names;
    }
}

Hierarchy Level

[edit protocols dot1x authenticator authentication-profile-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure MAC addresses to exclude from 802.1X authentication. The static MAC
list provides an authentication bypass mechanism for supplicants connecting to a
port, permitting devices such as printers that are not 802.1X-enabled to be connected
to the network on 802.1X-enabled ports.

Using this 802.1X authentication-bypass mechanism, the supplicant connected to
the MAC address is assumed to be successfully authenticated and the port is opened
for it. No further authentication is done for the supplicant.

You can optionally configure the VLAN that the supplicant is moved to or the interfaces
through which the MAC address can gain access.

Options

mac-address: The MAC address of the device for which 802.1X authentication should
be bypassed and the device permitted access to the port.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

show dot1x static-mac-address on page 877

Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 680

Configuring 802.1X Authentication (CLI Procedure) on page 756

Configuring 802.1X Authentication (J-Web Procedure) on page 758

Understanding 802.1X Static MAC on EX-series Switches on page 650
static-ip

Syntax

static-ip ip-address {
    vlan vlan-name;
    mac mac-address;
}

Hierarchy Level

[edit ethernet-switching-options secure-access-port interface (all | interface-name)]

Release Information

Statement introduced in JUNOS Release 9.2 for EX-series switches.

Description

Static (fixed) IP address and static MAC address, with an associated VLAN, added to
the DHCP snooping database.

Options

ip-address: IPv4 address assigned to a device connected on the specified interface.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 783
stop-on-access-deny

Syntax

stop-on-access-deny;

Hierarchy Level

[edit access profile profile-name accounting]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configures the authentication order for authentication, authorization, and accounting
(AAA) services to send an Acct-Stop message if the AAA server denies access to a
supplicant.

Default

Not enabled

Required Privilege Level

admin: To view this statement in the configuration.

admin-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 670

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761

show network-access aaa statistics authentication on page 895
stop-on-failure

Syntax

stop-on-failure;

Hierarchy Level

[edit access profile profile-name accounting]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure the authentication order for authentication, authorization, and accounting
(AAA) services to send an Acct-Stop message if a supplicant fails AAA authorization
but the RADIUS server grants access. For example, a supplicant might fail AAA
authentication because of an internal error such as a timeout.

Default

Not enabled

Required Privilege Level

admin: To view this statement in the configuration.

admin-control: To add this statement to the configuration.

Related Topics

Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 670

Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761

Understanding 802.1X and AAA Accounting on EX-series Switches on page 647
supplicant

Syntax

supplicant (single | single-secure | multiple);

Hierarchy Level

[edit protocols dot1x authenticator interface (all | [interface-name])]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

For 802.1X authentication, configure the method used to authenticate supplicants.

Default

Single.

Options

single: Authenticates only the first supplicant that connects to an authenticator port.
All other supplicants connecting to the authenticator port after the first supplicant,
regardless of whether they are 802.1X-enabled, are permitted free access to the
port without further authentication. If the first authenticated supplicant logs out,
all other supplicants are locked out until a supplicant authenticates again.

single-secure: Authenticates only one supplicant to connect to an authenticator port.
No other supplicants can connect to the authenticator port until the first supplicant
logs out.

multiple: Authenticates multiple supplicants individually on one authenticator port.
You can configure the number of supplicants per port. If you configure a
maximum number of devices that can be connected to a port through port
security settings, the lower of the configured values is used to determine the
maximum number of supplicants allowed per port.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

supplicant-timeout

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 685

Understanding 802.1X Authentication on EX-series Switches on page 641
supplicant-timeout

Syntax

supplicant-timeout seconds;

Hierarchy Level

[edit protocols dot1x authenticator interface (all | [interface-name])]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

For 802.1X authentication, configure how long the port waits for a response when
relaying a request from the authentication server to the supplicant before resending
the request.

Default

30 seconds

Options

seconds: Number of seconds.
Range: 1 through 60 seconds
Default: 30 seconds

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

supplicant

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 685

Understanding 802.1X Authentication on EX-series Switches on page 641
traceoptions

Syntax

traceoptions {
    file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
    flag flag;
}

Hierarchy Level

[edit protocols dot1x]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Define tracing operations for the 802.1X protocol.

Default

Tracing operations are disabled.

Options

file filename: Name of the file to receive the output of the tracing operation. Enclose
the name within quotation marks. All files are placed in the directory /var/log.

files number: (Optional) Maximum number of trace files. When a trace file named
trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1,
and so on, until the maximum number of trace files is reached. Then the oldest
trace file is overwritten. If you specify a maximum number of files, you also must
specify a maximum file size with the size option.
Range: 2 through 1000
Default: 3 files

flag flag: Tracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. You can include the following flags:

all: All tracing operations.

config-internal: Trace internal configuration operations.

general: Trace general operations.

normal: Trace normal operations.

parse: Trace reading of the configuration.

regex-parse: Trace regular-expression parsing operations.

state: Trace protocol state changes.

task: Trace protocol task operations.

timer: Trace protocol timer operations.

match regex: (Optional) Refine the output to include lines that contain the regular
expression.

no-world-readable: (Optional) Restrict file access to the user who created the file.

size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes
(MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum size,
it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number
of trace files is reached. Then the oldest trace file is overwritten. If you specify
a maximum file size, you also must specify a maximum number of files with
the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB

world-readable: (Optional) Enable unrestricted file access.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

show lldp on page 881

Configuring 802.1X Authentication (CLI Procedure) on page 756

802.1X for EX-series Switches Overview on page 639
traceoptions

Syntax

traceoptions {
    file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
    flag flag (detail | disable | receive | send);
}

Hierarchy Level

[edit protocols lldp]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Define tracing operations for the LLDP protocol.

Default

Tracing operations are disabled.

Options

file filename: Name of the file to receive the output of the tracing operation. Enclose
the name within quotation marks. All files are placed in the directory /var/log.

files number: (Optional) Maximum number of trace files. When a trace file named
trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1,
and so on, until the maximum number of trace files is reached. Then the oldest
trace file is overwritten. If you specify a maximum number of files, you also must
specify a maximum file size with the size option.
Range: 2 through 1000
Default: 3 files

flag flag: Tracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. You can include the following flags:

all: All tracing operations.

config: Trace configuration operations.

packet: Trace packet events.

rtsock: Trace routing socket operations.

match regex: (Optional) Refine the output to include lines that contain the regular
expression.

no-world-readable: (Optional) Restrict file access to the user who created the file.

size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes
(MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum
size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum
number of trace files is reached. Then the oldest trace file is overwritten. If you
specify a maximum file size, you also must specify a maximum number of files
with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB

world-readable: (Optional) Enable unrestricted file access.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Configuring LLDP-MED (CLI Procedure) on page 766

Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648
traceoptions

Syntax

traceoptions {
    file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
    flag flag <disable>;
}

Hierarchy Level

[edit ethernet-switching-options]

Release Information

Statement introduced in JUNOS Release 9.2 for EX-series switches.

Description

Define global tracing operations for access security features on Ethernet switches.

Default

The traceoptions feature is disabled by default.

Options

disable: (Optional) Disable the tracing operation. You can use this option to disable
a single operation when you have defined a broad group of tracing operations,
such as all.

file filename: Name of the file to receive the output of the tracing operation. Enclose
the name within quotation marks. All files are placed in the directory /var/log.

files number: (Optional) Maximum number of trace files. When a trace file named
trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1,
and so on, until the maximum number of trace files is reached, at which point the
oldest trace file is overwritten. If you specify a maximum number of files, you also
must specify a maximum file size with the size option.
Range: 2 through 1000
Default: 3 files

flag flag: Tracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. You can include the following flags:

access-security: Trace access security events.

all: All tracing operations.

config-internals: Trace internal configuration operations.

forwarding-database: Trace forwarding database and next-hop events.

general: Trace general events.

interface: Trace interface events.

ip-source-guard: Trace IP source guard events.

krt: Trace communications over routing sockets.

lib: Trace library calls.

normal: Trace normal events.

parse: Trace reading of the configuration.

regex-parse: Trace regular-expression parsing operations.

rtg: Trace redundant trunk group events.

state: Trace state transitions.

stp: Trace spanning-tree events.

task: Trace Ethernet-switching task processing.

timer: Trace Ethernet-switching timer processing.

vlan: Trace VLAN events.

no-stamp: (Optional) Do not timestamp the trace file.
Default: If you omit this option, timestamp information is placed at the beginning
of each line of the tracing output.

no-world-readable: (Optional) Restrict file access to the user who created the file.

replace: (Optional) Replace an existing trace file if there is one rather than appending
to it.
Default: If you do not include this option, tracing output is appended to an
existing trace file.

size size: (Optional) Maximum size of each trace file, in kilobytes (KB), megabytes
(MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum size,
it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number
of trace files is reached. Then the oldest trace file is overwritten. If you specify
a maximum file size, you also must specify a maximum number of files with
the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB

world-readable: (Optional) Enable unrestricted file access.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Port Security for EX-series Switches Overview on page 654

EX-series Switches Interfaces Overview on page 259

Understanding IP Source Guard for Port Security on EX-series Switches on page 666

Understanding Redundant Trunk Links on EX-series Switches on page 365

Understanding STP for EX-series Switches on page 420

Understanding Bridging and VLANs on EX-series Switches on page 359
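A tracing configuration that uses the three traceoptions statements above (802.1X, LLDP, and the global access-security tracing) with the file-rotation pairing and access-restriction options they describe. This is an added example, not configuration from the guide; the file names and the match regular expression are assumptions.

```junos
/* Constructed example, not from the guide. File names and the regex
   "EAPOL" are assumptions; all files are written under /var/log. */
protocols {
    dot1x {
        traceoptions {
            /* files requires size (and vice versa): 5 files of 1 MB rotate
               dot1x-trace -> dot1x-trace.0 -> dot1x-trace.1 ... and the
               oldest is overwritten. no-world-readable keeps the trace,
               which names supplicants and servers, private to its owner. */
            file "dot1x-trace" files 5 size 1m no-world-readable match "EAPOL";
            flag state;
            flag timer;
        }
    }
    lldp {
        traceoptions {
            file "lldp-trace" files 3 size 512k no-world-readable;
            flag packet;
        }
    }
}
ethernet-switching-options {
    traceoptions {
        /* Timestamps are kept (no no-stamp) and output is appended (no
           replace) so earlier events survive a commit. */
        file "access-security-trace" files 5 size 1m no-world-readable;
        /* Broad capture, then silence subsystems unrelated to port security
           with the disable keyword the statement provides. */
        flag all;
        flag stp disable;
        flag vlan disable;
        flag rtg disable;
    }
}
```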


transmit-delay

Syntax

transmit-delay seconds;

Hierarchy Level

[edit protocols lldp]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure the delay between two successive LLDP advertisements.

Default

Disabled.

Options

seconds: Number of seconds between two successive LLDP advertisements.
Range: 1 through 8192 seconds
Default: 2

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

show lldp on page 881

Configuring LLDP (CLI Procedure) on page 764

Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648
transmit-period

Syntax

transmit-period seconds;

Hierarchy Level

[edit protocols dot1x authenticator interface (all | [interface-name])]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

For 802.1X authentication, configure how long the port waits before retransmitting
the initial EAPOL PDUs to the supplicant.

Default

30 seconds

Options

seconds: Number of seconds the port waits before retransmitting the initial EAPOL
PDUs to the supplicant.
Range: 1 through 65,535 seconds
Default: 30 seconds

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Configuring 802.1X Authentication (CLI Procedure) on page 756

802.1X for EX-series Switches Overview on page 639
vlan

Syntax

vlan (all | vlan-name) {
    (arp-inspection | no-arp-inspection);
    (examine-dhcp | no-examine-dhcp);
    (ip-source-guard | no-ip-source-guard);
    mac-move-limit limit action action;
}

Hierarchy Level

[edit ethernet-switching-options secure-access-port]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

ip-source-guard option introduced in JUNOS Release 9.2 for EX-series switches.

Description

Apply DHCP snooping, dynamic ARP inspection (DAI), IP source guard, and MAC
move limiting.

The statements are explained separately.

Options

all: Apply DHCP snooping, DAI, IP source guard, and MAC move limiting to all VLANs.

vlan-name: Apply DHCP snooping, DAI, IP source guard, and MAC move limiting to
the specified VLAN.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second Switch on page 732

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 725

Enabling Dynamic ARP Inspection (CLI Procedure) on page 774

Enabling DHCP Snooping (CLI Procedure) on page 771

Configuring IP Source Guard (CLI Procedure) on page 781

Configuring MAC Move Limiting (CLI Procedure) on page 779
vlan

Syntax

vlan vlan-name;

Hierarchy Level

[edit ethernet-switching-options secure-access-port interface (all | interface-name) static-ip ip-address]

Release Information

Statement introduced in JUNOS Release 9.2 for EX-series switches.

Description

Associate the static IP address with the specified VLAN associated with the specified
interface.

Options

vlan-name: Name of a specific VLAN associated with the specified interface.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Configuring Static IP Addresses for DHCP Bindings on Access Ports (CLI Procedure) on page 783
vlan-assignment

Syntax
vlan-assignment (vlan-id | vlan-name);

Hierarchy Level
[edit protocols dot1x authenticator authentication-profile-name static mac-address]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
For MAC addresses that are on the static MAC list and excluded from 802.1X authentication, configure the VLAN that is associated with the device.

Options
vlan-id | vlan-name: The name of the VLAN or the VLAN tag identifier to associate with the device. The VLAN must already exist on the switch.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show dot1x static-mac-address on page 877
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 680
Understanding 802.1X Static MAC on EX-series Switches on page 650
Complete Software Guide for JUNOS for EX-series Software, Release 9.2

voip

Syntax
voip {
    interface (all | [interface-name | access-ports]) {
        vlan vlan-name;
        forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
    }
}

Hierarchy Level
[edit ethernet-switching-options]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure voice over IP (VoIP) interfaces.
The statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
Example: Configuring VoIP on an EX-series Switch Without Including 802.1X Authentication on page 698
Example: Configuring VoIP on an EX-series Switch Without Including LLDP-MED Support on page 704
what

Syntax
what number;

Hierarchy Level
[edit protocols lldp-med interface (all | interface-name) location civic-based]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.
Modified in JUNOS Release 9.2 for EX-series switches to display new default.

Description
For Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), configure the location to which the DHCP entry refers. This information is advertised, along with other location information, from the switch to the MED. It is used during emergency calls to identify the location of the MED.
Options 0 and 1 should not be used unless it is known that the DHCP client is in close physical proximity to the server or network element.

Default

Options
number: Location:
    0: Location of the DHCP server.
    1: Location of a network element believed to be closest to the client.
    2: Location of the client.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics
show lldp on page 881
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
Configuring LLDP-MED (CLI Procedure) on page 766
Chapter 48

Operational Mode Commands for 802.1X, Port Security, and VoIP

clear arp inspection statistics

Syntax
clear arp inspection statistics

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Clear ARP inspection statistics.

Required Privilege Level
clear

Related Topics
show arp inspection statistics on page 871
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Verifying That DAI Is Working Correctly on page 789

List of Sample Output
clear arp inspection statistics on page 866

Output Fields
This command produces no output.

Sample Output

clear arp inspection statistics
user@switch> clear arp inspection statistics
clear dhcp snooping binding

Syntax
clear dhcp snooping binding
    <mac (all | mac-address)>
    <vlan (all | vlan-name)>
    <vlan (all | vlan-name) mac (all | mac-address)>

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Clear the DHCP snooping database information.

Options
mac (all | mac-address): (Optional) Clear DHCP snooping information for the specified MAC address or all MAC addresses.
vlan (all | vlan-name): (Optional) Clear DHCP snooping information for the specified VLAN or all VLANs.

Required Privilege Level
clear

Related Topics
show dhcp snooping binding on page 872
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Verifying That DHCP Snooping Is Working Correctly on page 787

List of Sample Output
clear dhcp snooping binding on page 867

Output Fields
This command produces no output.

Sample Output

clear dhcp snooping binding
user@switch> clear dhcp snooping binding

clear dot1x

Syntax
clear dot1x
    (interface (all | [interface-names]) | mac-address [mac-addresses])

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Reset the authentication state of a port. When you reset a port, reauthentication on the port is also triggered. The switch sends out a multicast message on the port to restart the authentication of all connected supplicants. If a MAC address is reset, the switch sends out a unicast message to that specific MAC address to restart authentication.

If a supplicant is sending traffic when the clear dot1x interface command is issued, the authenticator immediately initiates reauthentication. This process happens very quickly, and it may seem that reauthentication did not occur. To verify that reauthentication has happened, issue the operational mode command show dot1x interface detail. The values for Reauthentication due and Reauthentication interval will be about the same.

Options
all: (Optional) Resets the authentication state of all ports. Use the interface or mac-address option instead to reset only specific ports or specific MAC addresses.
interface interface-names: (Optional) Resets the authentication state of all supplicants connected to the specified ports (when the port is an authenticator) or for itself (when the port is a supplicant).
mac-address mac-addresses: Resets the authentication state only for the specified MAC addresses.

Required Privilege Level
view

Related Topics
show dot1x on page 873
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 685
Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on page 762

List of Sample Output
clear dot1x interface on page 868
clear dot1x mac-address on page 868

Sample Output

clear dot1x interface
user@switch> clear dot1x interface [ge-1/0/0 ge-2/0/0 ge-2/0/0 ge-5/0/0]

clear dot1x mac-address
user@switch> clear dot1x mac-address 00:04:ae:cd:23:5f

clear lldp neighbors

Syntax
clear lldp neighbors
    <interface interface>

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Clear the learned remote neighbor information on all or selected interfaces.

Options
none: Clear the remote neighbor information on all interfaces.
interface interface: (Optional) Clear the remote neighbor information from one or more selected interfaces.

Required Privilege Level
view

Related Topics
show lldp on page 881
Configuring LLDP (CLI Procedure) on page 764
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

List of Sample Output
clear lldp neighbors on page 869
clear lldp neighbors interface ge-0/1/1.0 on page 869

Sample Output

clear lldp neighbors
user@switch> clear lldp neighbors

clear lldp neighbors interface ge-0/1/1.0
user@switch> clear lldp neighbors interface ge-0/1/1.0

clear lldp statistics

Syntax
clear lldp statistics
    <interface interface>

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Clear LLDP statistics on one or more interfaces.

Options
none: Clears LLDP statistics on all interfaces.
interface interface-names: (Optional) Clear LLDP statistics on one or more interfaces.

Required Privilege Level
view

Related Topics
Configuring LLDP (CLI Procedure) on page 764
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

List of Sample Output
clear lldp statistics on page 870
clear lldp statistics interface ge-0/1/1.0 on page 870

Sample Output

clear lldp statistics
user@switch> clear lldp statistics

clear lldp statistics interface ge-0/1/1.0
user@switch> clear lldp statistics interface ge-0/1/1.0

show arp inspection statistics

Syntax
show arp inspection statistics

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Display ARP inspection statistics.

Required Privilege Level
view

Related Topics
clear arp inspection statistics on page 866
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Verifying That DAI Is Working Correctly on page 789

List of Sample Output
show arp inspection statistics on page 871

Output Fields
Table 113 on page 871 lists the output fields for the show arp inspection statistics command. Output fields are listed in the approximate order in which they appear.

Table 113: show arp inspection statistics Output Fields
Field Name (Level of Output): Field Description

Interface (All levels): Interface on which ARP inspection has been applied.
Packets received (All levels): Total number of packets that underwent ARP inspection.
ARP inspection pass (All levels): Total number of packets that passed ARP inspection.
ARP inspection failed (All levels): Total number of packets that failed ARP inspection.

Sample Output

show arp inspection statistics
user@switch> show arp inspection statistics

Interface  Packets received  ARP inspection pass  ARP inspection failed
---------  ----------------  -------------------  ---------------------
ge-0/0/0   0                 0                    0
ge-0/0/1   0                 0                    0
ge-0/0/2   0                 0                    0
ge-0/0/3   0                 0                    0
ge-0/0/4   0                 0                    0
ge-0/0/5   0                 0                    0
ge-0/0/6   0                 0                    0
ge-0/0/7   703               701                  2
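The per-interface counters lend themselves to a scripted check. As an added example that is not part of this guide or the switch software, the following Python parses the sample output above (embedded as a constructed string with its column layout restored) and reports interfaces whose ARP inspection failed counter is non-zero; the min_failed threshold and the counter-consistency check are this example's own assumptions.

```python
"""Parse `show arp inspection statistics` output and flag interfaces with DAI failures."""
import re
from dataclasses import dataclass

# Constructed copy of the page's sample output, with its column layout restored.
SAMPLE_OUTPUT = """\
Interface  Packets received  ARP inspection pass  ARP inspection failed
---------  ----------------  -------------------  ---------------------
ge-0/0/0   0                 0                    0
ge-0/0/1   0                 0                    0
ge-0/0/2   0                 0                    0
ge-0/0/3   0                 0                    0
ge-0/0/4   0                 0                    0
ge-0/0/5   0                 0                    0
ge-0/0/6   0                 0                    0
ge-0/0/7   703               701                  2
"""

# A data row is an interface name followed by the three integer counters.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class ArpInspectionStats:
    interface: str
    received: int
    passed: int
    failed: int

    @property
    def consistent(self) -> bool:
        """Pass + failed should account for every packet that was inspected."""
        return self.passed + self.failed == self.received

    @property
    def failure_ratio(self) -> float:
        """Share of inspected packets that failed; 0.0 for an idle interface."""
        return self.failed / self.received if self.received else 0.0


def parse_arp_inspection_statistics(text: str) -> list[ArpInspectionStats]:
    """Return one record per interface row; the header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            iface, rx, ok, bad = m.groups()
            rows.append(ArpInspectionStats(iface, int(rx), int(ok), int(bad)))
    return rows


def interfaces_with_failures(stats, min_failed: int = 1):
    """Interfaces whose failed counter reaches min_failed (assumed default: any failure).

    A failed packet is an ARP packet whose sender IP/MAC pair did not match the
    DHCP snooping database, so these ports are the ones to look at first.
    """
    return sorted((s.interface, s.failed) for s in stats if s.failed >= min_failed)


def inconsistent_counters(stats):
    """Rows where pass + failed != received, e.g. counters cleared mid-collection."""
    return [s.interface for s in stats if not s.consistent]


if __name__ == "__main__":
    parsed = parse_arp_inspection_statistics(SAMPLE_OUTPUT)
    for iface, count in interfaces_with_failures(parsed):
        print(f"{iface}: {count} ARP packet(s) failed inspection")
```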

show dhcp snooping binding

Syntax
show dhcp snooping binding

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Display the DHCP snooping database information.

Required Privilege Level
view

Related Topics
clear dhcp snooping binding on page 867
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX-series Switch on page 708
Verifying That DHCP Snooping Is Working Correctly on page 787

List of Sample Output
show dhcp snooping binding on page 872

Output Fields
Table 114 on page 872 lists the output fields for the show dhcp snooping binding command. Output fields are listed in the approximate order in which they appear.

Table 114: show dhcp snooping binding Output Fields
Field Name (Level of Output): Field Description

MAC Address (All levels): MAC address of the network device, bound to the IP address.
IP Address (All levels): IP address of the network device, bound to the MAC address.
Lease (All levels): Lease granted to the IP address.
Type (All levels): How the MAC address was acquired.
VLAN (All levels): VLAN name of the network device whose MAC address is shown.
Interface (All levels): Interface address (port).

Sample Output

show dhcp snooping binding
user@switch> show dhcp snooping binding

DHCP Snooping Information:
MAC Address        IP Address   Lease  Type     VLAN   Interface
-----------------  -----------  -----  -------  -----  -----------
00:00:01:00:00:03  192.0.2.0    640    dynamic  guest  ge-0/0/12.0
00:00:01:00:00:04  192.0.2.1    720    dynamic  guest  ge-0/0/12.0
00:00:01:00:00:05  192.0.2.5    800    dynamic  guest  ge-0/0/13.0
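Dynamic ARP inspection validates ARP packets against the bindings this command displays. As an added example that is not part of this guide or the switch software, the following Python parses the sample binding table above (embedded as a constructed string with its column layout restored) and applies a DAI-style check to a few constructed ARP packets; the ArpPacket fields, the trusted_interfaces set and the reason strings are assumptions of this illustration.

```python
"""Check ARP packets against a DHCP snooping binding table, the way DAI does."""
import re
from dataclasses import dataclass

# Constructed copy of the page's sample output, with its column layout restored.
SAMPLE_OUTPUT = """\
DHCP Snooping Information:
MAC Address        IP Address   Lease  Type     VLAN   Interface
-----------------  -----------  -----  -------  -----  -----------
00:00:01:00:00:03  192.0.2.0    640    dynamic  guest  ge-0/0/12.0
00:00:01:00:00:04  192.0.2.1    720    dynamic  guest  ge-0/0/12.0
00:00:01:00:00:05  192.0.2.5    800    dynamic  guest  ge-0/0/13.0
"""

MAC_RE = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IPV4_RE = r"\d{1,3}(?:\.\d{1,3}){3}"
# One binding row: MAC, IP, lease (seconds), type, VLAN name, interface.
ROW_RE = re.compile(
    rf"^({MAC_RE})\s+({IPV4_RE})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE
)


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: int
    kind: str        # "dynamic" (learned from DHCP) or "static"
    vlan: str
    interface: str


@dataclass(frozen=True)
class ArpPacket:
    """The fields a DAI check needs: where the frame arrived and what it claims."""
    interface: str
    vlan: str
    sender_mac: str
    sender_ip: str


def parse_dhcp_snooping_binding(text: str) -> list[Binding]:
    """Return one Binding per table row; title, header and rule lines are skipped."""
    bindings = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            mac, ip, lease, kind, vlan, iface = m.groups()
            bindings.append(Binding(mac.lower(), ip, int(lease), kind, vlan, iface))
    return bindings


def inspect_arp(packet, bindings, trusted_interfaces=frozenset()):
    """Return (passed, reason) for one ARP packet.

    Rule modelled on DAI: a packet from an untrusted access port passes only if a
    snooping binding ties its sender IP to its sender MAC on that VLAN and port.
    Ports listed in trusted_interfaces (an assumption of this example, standing in
    for the switch's trusted-port setting) are not inspected.
    """
    if packet.interface in trusted_interfaces:
        return True, "trusted interface, not inspected"
    for b in bindings:
        if b.vlan == packet.vlan and b.ip == packet.sender_ip:
            if b.mac != packet.sender_mac.lower():
                return False, f"sender MAC {packet.sender_mac} does not match binding {b.mac}"
            if b.interface != packet.interface:
                return False, f"binding is on {b.interface}, packet arrived on {packet.interface}"
            return True, "matches binding"
    return False, "no binding for sender IP on this VLAN"


# Constructed ARP packets: two that match bindings, two that DAI would drop.
SAMPLE_PACKETS = [
    ArpPacket("ge-0/0/12.0", "guest", "00:00:01:00:00:03", "192.0.2.0"),
    ArpPacket("ge-0/0/13.0", "guest", "00:00:01:00:00:05", "192.0.2.5"),
    # Claims 192.0.2.1 with a MAC the binding table does not know (ARP spoofing).
    ArpPacket("ge-0/0/12.0", "guest", "00:00:01:00:00:99", "192.0.2.1"),
    # Correct IP/MAC pair for 192.0.2.1, but it arrived on the wrong port.
    ArpPacket("ge-0/0/13.0", "guest", "00:00:01:00:00:04", "192.0.2.1"),
]


def inspect_all(packets, bindings, trusted_interfaces=frozenset()):
    """Pass/fail verdict for each packet, in order."""
    return [inspect_arp(p, bindings, trusted_interfaces)[0] for p in packets]


if __name__ == "__main__":
    table = parse_dhcp_snooping_binding(SAMPLE_OUTPUT)
    for pkt in SAMPLE_PACKETS:
        ok, why = inspect_arp(pkt, table)
        print(f"{pkt.interface} {pkt.sender_ip} {pkt.sender_mac}: {'pass' if ok else 'DROP'} ({why})")
```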

show dot1x

Syntax
show dot1x
    <brief | detail>
    <interface [interface-names]>

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Display the current operational state of all ports with the list of connected users.

Options
none: Display information for all authenticator ports.
brief | detail: (Optional) Display the specified level of output.
interface interface-names: Display information for the specified port with a list of connected supplicants.

Required Privilege Level
view

Related Topics
clear dot1x on page 868
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX-series Switch on page 685
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 670
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761
Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) on page 762

List of Sample Output
show dot1x interface brief on page 875
show dot1x interface detail on page 875

Output Fields
Table 115 on page 873 lists the output fields for the show dot1x command. Output fields are listed in the approximate order in which they appear.

Table 115: show dot1x statistics Output Fields
Field Name (Level of Output): Field Description

interface (All levels): Name of a port.
MAC address (All levels): The MAC address of the connected supplicant on the port.
Role (brief, detail): The 802.1X authentication role of the interface. When 802.1X is enabled on an interface, the role is Authenticator.
State (brief): The state of the port:
    Authenticated: The supplicant has been authenticated through the RADIUS server or has been permitted access through server fail fallback.
    Authenticating: The supplicant is authenticating through the RADIUS server.
    Held: An action has been triggered through server fail fallback during a RADIUS timeout. The supplicant has been denied access, has been permitted access through a specified VLAN, or has kept the authenticated state granted to it before the RADIUS timeout occurred.
Admin-state (detail): The administrative state of the port:
    auto: Traffic is allowed through the port based on the authentication result. (Default)
    force-authorize: All traffic flows through the port irrespective of the authentication result. This state is not allowed on an interface whose VLAN membership has been set to dynamic.
    force-unauthorize: All traffic drops on the port irrespective of the authentication result. This state is not allowed on an interface whose VLAN membership has been set to dynamic.
Supplicant (detail): The mode for the supplicant:
    single: Authenticates only the first supplicant. All other supplicants who connect later to the port are allowed full access without any further authentication. They effectively piggyback on the first supplicant's authentication.
    single-secure: Allows only one supplicant to connect to the port. No other supplicant is allowed to connect until the first supplicant logs out.
    multiple: Allows multiple supplicants to connect to the port. Each supplicant is authenticated individually.
Quiet period (detail): The number of seconds the port remains in the wait state following a failed authentication exchange with the supplicant before reattempting the authentication. The default value is 60 seconds. The range is 0 through 65,535 seconds.
Transmit period (detail): The number of seconds the port waits before retransmitting the initial EAPOL PDUs to the supplicant. The default value is 30 seconds. The range is 1 through 65,535 seconds.
Reauthentication (detail): The reauthentication state:
    disable: Periodic reauthentication of the client is disabled.
    interval: Sets the periodic reauthentication time interval. The default value is 3600 seconds. The range is 1 through 65,535 seconds.
Supplicant timeout (detail): The number of seconds the port waits for a response when relaying a request from the authentication server to the supplicant before resending the request. The default value is 30 seconds. The range is 1 through 60 seconds.
Server timeout (detail): The number of seconds the port waits for a reply when relaying a response from the supplicant to the authentication server before timing out. The default value is 30 seconds. The range is 1 through 60 seconds.
Maximum EAPOL requests (detail): The maximum number of times an EAPOL request packet is retransmitted to the supplicant before the authentication session times out. The default value is 2. The range is 1 through 10.
Number of clients bypassed because of authentication (detail): The number of non-802.1X clients granted access to the LAN by means of static MAC bypass. The following fields are displayed:
    Client: MAC address of the client.
    vlan: The name of the VLAN to which the client is connected.
Number of connected supplicants: The number of supplicants connected to a port.

Sample Output

show dot1x interface brief
user@switch> show dot1x interface [ge-0/0/1 ge-0/0/2 ge-0/0/3] brief

Interface   Role            State           MAC address
---------   -------------   -------------   -----------------
ge-0/0/1    Authenticator   Authenticated   00:a0:d2:18:1a:c8
ge-0/0/2    Authenticator   Connecting      00:a0:e5:32:97:af
ge-0/0/3    Supplicant      Authenticated   00:a6:55:f2:94:ae

show dot1x interface detail
user@switch> show dot1x interface ge-0/0/12.0 detail

ge-0/0/12.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 5
  Quiet period: 60 seconds
  Transmit period: 60 seconds
  Reauthentication: Enabled Reauthentication interval: 40 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: v2
  Number of clients bypassed because of authentication: 1
    Client: 02:12:06:00:04:00 vlan: v1
  Number of connected supplicants: 1
    Supplicant: abc, 00:00:00:00:22:22
      Operational state: Authenticated
      Reauthentication due in 3588 seconds

show dot1x authentication-failed-users

Syntax
show dot1x authentication-failed-users

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Displays supplicants (users) that have failed 802.1X authentication.

Required Privilege Level
view

Related Topics
clear dot1x on page 868
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 680
Configuring 802.1X Authentication (CLI Procedure) on page 756

List of Sample Output
show dot1x authentication-failed-users on page 876

Output Fields
Table 116 on page 877 lists the output fields for the show dot1x authentication-failed-users command. Output fields are listed in the approximate order in which they appear.

Table 116: show dot1x authentication-failed-users Output Fields
Field Name (Level of Output): Field Description

Interface (all): The interface on which the supplicant failed 802.1X authentication.
MAC address (all): The MAC address of the supplicant that failed 802.1X authentication.
User (all): The user that is configured on the RADIUS server and that has failed 802.1X authentication.

Sample Output

show dot1x authentication-failed-users
user@switch> show dot1x authentication-failed-users

Interface    MAC address         User
ge-0/0/0.0   00:00:00:10:00:02   md5user02

show dot1x static-mac-address

Syntax
show dot1x static-mac-address <interface [interface-name]>

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Displays all the static MAC addresses that are configured to bypass 802.1X authentication on the switch.

Options
interface [interface-name]: (Optional) Display static MAC addresses for a specific interface.

Required Privilege Level
view

Related Topics
clear dot1x on page 868
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch on page 680
Configuring 802.1X Authentication (CLI Procedure) on page 756
Understanding 802.1X Static MAC on EX-series Switches on page 650

List of Sample Output
show dot1x static-mac-address on page 877
show dot1x static-mac-address interface ge-0/0/0.1 on page 877

Output Fields
Table 117 on page 877 lists the output fields for the show dot1x static-mac-address command. Output fields are listed in the approximate order in which they appear.

Table 117: show dot1x static-mac-address Output Fields
Field Name (Level of Output): Field Description

MAC address (all): The MAC address of the device that is configured to bypass 802.1X authentication.
VLAN-Assignment (all): The name of the VLAN to which the device is assigned.
Interface (all): The name of the interface on which authentication is bypassed for a given MAC address.

Sample Output

show dot1x static-mac-address
user@switch> show dot1x static-mac-address

MAC address         VLAN-Assignment   Interface
00:00:00:11:22:33   facilities        ge-0/0/3.0
00:00:00:00:12:12                     ge-0/0/1.0
00:00:00:02:34:56

show dot1x static-mac-address interface ge-0/0/0.1
user@switch> show dot1x static-mac-address interface ge-0/0/0.1

MAC address         VLAN-Assignment   Interface
00:00:00:12:24:12   support           ge-0/0/1.0
00:00:00:72:30:58   support           ge-0/0/1.0

show ip-source-guard

Syntax
show ip-source-guard

Release Information
Command introduced in JUNOS Release 9.2 for EX-series switches.

Description
Display IP source guard database information.

Required Privilege Level
view

Related Topics
Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN on page 740
Example: Configuring IP Source Guard with Other EX-series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces on page 746
Verifying That IP Source Guard Is Working Correctly on page 794

List of Sample Output
show ip-source-guard on page 879

Output Fields
Table 118 on page 879 lists the output fields for the show ip-source-guard command. Output fields are listed in the approximate order in which they appear.

Table 118: show ip-source-guard Output Fields
Field Name: Field Description

VLAN: VLAN on which IP source guard is enabled.
Interface: Access interface associated with the VLAN in column 1.
Tag: VLAN ID for the VLAN in column 1. Possible values are:
    0, indicating the VLAN is not tagged.
    1 through 4093.
IP Address: Source IP address for a device connected to the interface in column 2. A value of * (star, or asterisk) indicates that IP source guard is not enabled on this VLAN but the interface is shared with a VLAN that is enabled for IP source guard.
MAC Address: Source MAC address for a device connected to the interface in column 2. A value of * (star, or asterisk) indicates that IP source guard is not enabled on this VLAN but the interface is shared with a VLAN that is enabled for IP source guard.

Sample Output

show ip-source-guard
user@switch> show ip-source-guard

IP source guard information:
Interface     Tag   IP Address   MAC Address         VLAN
ge-0/0/12.0         10.10.10.7   00:30:48:92:A5:9D   vlan100
ge-0/0/13.0         10.10.10.9   00:30:48:8D:01:3D   vlan100
ge-0/0/13.0   100                                    voice

show lldp
Syntax

Release Information
Description

Options

show lldp
<detail >

Command introduced in JUNOS Release 9.0 for EX-series switches.


Display information about Link Layer Discovery Protocol (LLDP). LLDP is used to
learn and distribute device information on network links.
noneDisplay LLDP information for all interfaces.
detail(Optional) Display detailed LLDP information for all interfaces.

Required Privilege Level


Related Topics

List of Sample Output


Output Fields

view

Configuring LLDP (CLI Procedure) on page 764

Understanding 802.1X and LLDP and LLDP-MED on EX-series


Switches on page 648

show lldp on page 883


show lldp (detail) on page 884
Table 119 on page 881 lists the output fields for the show lldp command. Output fields
are listed in the approximate order in which they appear.

Table 119: show lldp Output Fields


Field Name

Field Description

Level of Output

LLDP

The LLDP operating state. The state can be enabled or disabled.

All levels

Advertisement Interval

The frequency, in seconds, at which LLDP advertisements are sent. The default
value is 30 seconds.

All levels

Transmit Delay

The delay between two successive LLDP advertisements. The default value is
2 seconds.

All levels

Hold Timer

The multiplier used in combination with the advertisement-interval value to


determine the length of time LLDP information is held before it is discarded.
The default value is 4 (or 120 seconds).

All levels

LLDP-MED

The Link Level Discovery Protocol Media Endpoint Discovery (LLDP-MED)


operating state. The state can be enabled or disabled.

All levels

LLDP-MED fast start count

The number of advertisements sent from a switch to a device, such as a VoIP


telephone, when the device is first detected by the switch. These increased
advertisements are temporary. After a device and a switch exchange
information and can communicate, advertisements are reduced to one per
second. The default value is 3. The range is from 1 through 10.

All levels

show lldp

881

Complete Software Guide for JUNOS for EX-series Software, Release 9.2

Table 119: show lldp Output Fields (continued)


Field Name

Field Description

Level of Output

LLDP Port Configuration

The LLDP Port Configuration:

All Levels

PortThe port number.

LLDPThe LLDP operating state. The state can be enabled or disabled.

LLDP-MEDThe LLDPMED operating state. The state can be enabled or


disabled.

Neighbor Count(detail) The total number of new LLDP neighbors detected

since the last switch reboot.


LLDP Vlan export details

The LLDP VLAN information that is advertised:

PortThe interface on which LLDP is configured.

Vlan-idThe VLAN tag associated with the interface sending LLDP frames.

detail

If a port is not a member of a VLAN, the VLAN ID is advertised as 0.

NotificationEnabled

LLDP Basic TLVs


Supported

Vlan-nameThe VLAN name associated with the VLAN ID.

The LLDP event notification information:

RReceived .

TTransmitted .

The basic TLVs supported on the switch:

Chassis IdentifierThe MAC address associated with the local system.

Port identifierThe port identification for the specified port in the local

system.

Port DescriptionThe user configured port description. The port

description can be a maximum of 256 characters.

System NameThe user configured name of the local system. The system

name can be a maximum of 256 characters.

System DescriptionThe system description containing information about

the software and current image running on the system. This information
is not configurable, but taken from the software.

System CapabilitiesThe primary function performed by the system. The

capabilities that system supports are defined; for example, bridge or


router. This information is not configurable, but based on the model of
the product.

882

show lldp

Management AddressThe IPv4 management address of the local system.

detail

detail

Chapter 48: Operational Mode Commands for 802.1X, Port Security, and VoIP

Table 119: show lldp Output Fields (continued)


Field Name

Field Description

Level of Output

LLDP 802.3 TLVs


Supported

The 802.3 TLVs supported on the switch:

detail

Power via MDIA TLV that advertises MDI power support, PSE power pair,

and power class information.

MAC/PHY Configuration StatusA TLV that advertises information about

the physical interface, such as autonegotiation status and support and


MAU type. The information is not configurable, but based on the physical
interface structure.

Link AggregationA TLV that advertises if the interface is aggregated and

its aggregated interface ID.

Maximum Frame SizeA TLV that advertises the Maximum Transmission

Unit (MTU) of the interface sending LLDP frames.

Port VlanA TLV that advertises the VLAN name configured on the

interface.
LLDP-MED TLVs Enabled

The LLDP-MED TLVs supported on the switch:

detail

LLDP MED CapabilitiesA TLV that advertises the primary function of the

port. The capabilities values range from 0 through 15:

0 Capabilities

1 Network Policy

2 Location Identification

3 Extended Power via MDI-PSE

4 Inventory

515 Reserved

LLDP-MED Device Class Values:

0 Class not defined.

1 Class 1 Device.

2 Class 2 Device.

3 Class 3 Device.

4 Network Connectivity Device

5255 Reserved.

Network PolicyA TLV that advertises the port VLAN configuration and

associated Layer 2 and Layer 3 attributes. Attributes include the policy


identifier, application types, such as voice or streaming video, 802.1q
VLAN tagging, and 802.1p priority bits and Diffserv code points.

Endpoint Location A TLV that advertises the physical location of the

endpoint.

Extended Power via MDI A TLV that advertises the power type, power

source, power priority, and power value of the port. It is the responsibility
of the PSE device (network connectivity device) to advertise the power
priority on a port.

show lldp

user@host> show lldp


LLDP
Advertisement interval

: Enabled
: 30 seconds

show lldp

883

Complete Software Guide for JUNOS for EX-series Software, Release 9.2

Transmit Delay
Hold timer

: 2 seconds
: 120 seconds

LLDP-MED
: Enabled
LLDP-MED fast start count: 3
LLDP Port Configuration:
Port
LLDP
LLDP-MED
----------------All
Enabled
Disabled
ge-0/1/0.0 Enabled
Enabled
ge-0/1/1.0 Enabled
Enabled
ge-0/1/2.0 Enabled
Disabled
ge-0/1/3.0 Enabled
Disabled
ge-0/1/4.0 Enabled
Disabled
ge-0/1/5.0 Enabled
Disabled
ge-0/1/5.0 Enabled
Disabled
ge-0/1/7.0 Disabled Disabled

show lldp (detail)

user@switch> show lldp detail

LLDP                      : Enabled
Advertisement interval    : 30 seconds
Transmit Delay            : 2 seconds
Hold timer                : 120 seconds
LLDP-MED                  : Enabled
LLDP-MED fast start count : 3
LLDP Port Configuration:
Port          LLDP       LLDP-MED    Neighbor count
----------------------------------------------------
All           Enabled    Disabled    11
ge-0/1/0.0    Enabled    Enabled     1
ge-0/1/1.0    Enabled    Enabled     2
ge-0/1/2.0    Enabled    Disabled    2
ge-0/1/3.0    Enabled    Disabled    2
ge-0/1/4.0    Enabled    Disabled    2
ge-0/1/5.0    Enabled    Disabled    1
ge-0/1/6.0    Enabled    Disabled    1
ge-0/1/7.0    Disabled   Disabled    0

LLDP Vlan export details:
Port          Vlan-id    Vlan-name
-----------------------------------
ge-0/0/0.0    100        Voice
ge-0/0/1.0    200        Voice
NotificationEnabled:
------------------
R(lldpRemTablesChange),T(lldpXMEDTopologyChangeDetected)
LLDP Basic TLVs Supported:
------------------------
Chassis identifier, Port identifier, Port Description, System Name, System
Description, System Capabilities, Management Address.
LLDP 802.3 TLVs Supported:
------------------------
Power via MDI, MAC/PHY Configuration Status, Link Aggregation,
Maximum Frame Size, Port Vlan, Port and Protocol Vlan ID,
Protocol Identity.
LLDP-MED TLVs Enabled:
--------------------
LLDP MED Capabilities, Network Policy, Endpoint Location,
Extended Power Via MDI.

Chapter 48: Operational Mode Commands for 802.1X, Port Security, and VoIP


show lldp local-info

Syntax
show lldp local-info

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Displays learned information about Link Layer Discovery Protocol (LLDP) on local
interfaces.

Options
none: Display learned LLDP information on all local interfaces and devices.

Required Privilege Level
view

Related Topics
Configuring LLDP (CLI Procedure) on page 764
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

List of Sample Output
show lldp local-info on page 886

Output Fields
Table 120 on page 886 lists the output fields for the show lldp local-info command.
Output fields are listed in the approximate order in which they appear.

Table 120: show lldp local-info Output Fields

LLDP Local MIB Details (All levels)
LLDP local details:
Chassis ID: The MAC address associated with the local system.
System name: The user-configured name of the local system.
System descr: The system description containing information about the
software and current image running on the system. This information is
not configurable, but taken from the software.
Interface Name: The name of the interface.
Interface ID: The port component of the MAC Service Access Point (MSAP)
identifier associated with the transmitting LLDP agent.
Interface Descr: The port description. The port description is the value
entered at the [edit interfaces interface-name unit unit-number description]
hierarchy level.

show lldp local-info

user@host> show lldp local-info

LLDP Local MIB details
---------------------
Chassis ID   : 00:19:e2:50:4a:c0
System name  : sw-java-u
System descr : Juniper Networks, Inc. olive internet router, Version
8.5I0 [mgprasad] Build date: 2007-08-02 22:00:31 UTC

Interface Name    Interface ID    Interface Descr
--------------------------------------------------
ge-0/1/0.0        18              Avaya Port
ge-0/1/1.0        27              Port for Hub
ge-0/1/2.0        13

show lldp neighbors

Syntax
show lldp neighbors
<interface interface-ids>

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Display learned information about Link Layer Discovery Protocol (LLDP) on all
neighboring interfaces or on selected interfaces.

Options
none: Display learned LLDP information on all neighboring interfaces and devices.
interface interface-ids: (Optional) Display learned LLDP information on the selected
interface or device.

Required Privilege Level
view

Related Topics
Configuring LLDP (CLI Procedure) on page 764
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches on page 648

List of Sample Output
show lldp neighbors on page 889
show lldp neighbors interface ge-0/0/4.0 on page 890

Output Fields
Table 121 on page 888 lists the output fields for the show lldp neighbors command.
Output fields are listed in the approximate order in which they appear.

Table 121: show lldp neighbors Output Fields

LLDP Remote Devices Information (All levels)
LLDP Remote devices information:
LocalPort: The local port number.
ChassisId: The MAC address associated with the local system.
PortInfo: Port Info is either PortID or PortDescr, whichever is available.
PortID: The port identification associated with the transmitting LLDP agent.
PortDescr: The user-configured port description. Port description can be a
maximum of 256 characters.
SysName: The user-configured name of the local system. System name can be a
maximum of 256 characters.

index (interface level)
Juniper Networks internal index.

Time to Live (interface level)
The age of the information propagated in LLDP frames. Time to live (TTL) value
is between 0 and 65,535 seconds.

Time mark (interface level)
Time filter for an entry.

Chassis type (interface level)
The value used to identify a chassis. For an EX-series switch, this is the MAC
address. However, this value is vendor-specific. The value for chassis type is
used by LLDP to identify a device.

Port type (interface level)
The neighbor's unique SNMP index for a port.

System descr (interface level)
The system description containing information about the software and current
image running on the system. This information is not configurable, but taken
from the software.

System capabilities (interface level)
The primary function performed by the system. The capabilities that the system
supports are defined; for example, bridge. This information is not configurable,
but based on the model of the product.
Supported: The capabilities the system supports.
Enabled: The capabilities enabled on the system.

Remote Management Address (interface level)
The IPv4 management address of the system.
Type: The possible management address subtypes; for example IPv4, 802 media.
Address: The management address of the subtype system.

MED Information Detail (interface level)
The LLDP MED Information:
EndpointClass: A set of mandatory and optional TLVs. There are three classes:
Class 1 (Generic Endpoints): Apply to all endpoints that require base LLDP
discovery services.
Class 2 (Media Endpoint): Apply to endpoints that have IP Media Capabilities.
Class 3 (Communication Endpoint): Apply to endpoints that support IP Media
(IP Phones, and so on).
Media Policy Vlan Id: The configured VLAN ID for an application type running on
a port.
Media Policy Priority: The media policy priority, defined in the VLAN tag, to
mark a packet with priority.
Media Policy Dscp: The DSCP prioritization, used if an untagged VLAN is
advertised.
Media Policy Tagged: Set based on the VLAN (tagged or untagged) used by an
application type.

show lldp neighbors

user@switch> show lldp neighbors

LLDP Remote Devices Information
LocalPort     ChassisId            PortInfo             SysName
-------------------------------------------------------------------
ge-0/0/0.0    10.209.192.12        00 19 bb 20 de 80    AVA4C357D
ge-0/0/1.0    10.209.192.12        00 19 bb 20 de 80    AVA4C357D
ge-0/0/1.0    10.209.192.13        00 19 bb 20 de 81    AVA4C357E
ge-0/0/3.0    00 19 bb 20 de 79    5                    apg-hp1
ge-0/0/3.0    00 19 bb 20 de 80    3                    apg-hp1
ge-0/0/4.0    00 19 bb 20 de 79    5                    apg-hp1
ge-0/0/4.0    00 19 bb 20 de 80    3                    apg-hp1
ge-0/0/5.0    00 19 bb 20 de 81    ge-0/0/3             Ball1
ge-0/0/6.0    00 19 bb 20 de 82    ge-0/0/4             Ball2

show lldp neighbors interface ge-0/0/4.0

user@switch> show lldp neighbors interface ge-0/0/4.0

LLDP Remote Device Information Detail
Index 6 Time Mark Wed Jun 20 07:34:11 2007 Time To Live 120 seconds
Local Port   : ge-0/0/4.0
ChassisType  : mac-address
ChassisId    : 00 19 bb 20 de 80
PortType     : local
PortId       : 3
SysName      : apg-hp1
System Descr : ProCurve J9049A Switch 2900-24G, revision T.11.X1, ROM K....
PortDescr    : 3
.
.
.
System Capabilities Supported : bridge, router
System Capabilities Enabled   : bridge
Remote Management Address
Type         : ipv4
Address      : 10.204.34.35

Index 7 Time Mark Wed Jun 20 07:34:11 2007 Time To Live 120 seconds
Local Port   : ge-0/0/4.0
ChassisType  : mac-address
ChassisId    : 00 19 bb 20 de 79
PortType     : local
PortId       : 5
SysName      : apg-hp1
System Descr : ProCurve J9049A Switch 2900-24G, revision T.11.X1, ROM K....
PortDescr    : 3
.
.
.
System Capabilities Supported : bridge, router
System Capabilities Enabled   : bridge
Remote Management Address
Type         : ipv4
Address      : 10.204.34.35
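A parser for the detail output shown above, with two inventory checks built on the fields Table 121 describes (ChassisId per local port, System Capabilities Enabled). This is an added example, not JUNOS code; the sample text is constructed: its first entry copies the page's first record, and the second entry keeps the layout but uses changed values (SysName lab-gw, a placeholder description, router capability enabled, address 10.204.34.36).

```python
"""Parse 'show lldp neighbors interface <if>' detail output into records and
run simple inventory checks over them. Added example; not JUNOS code."""
import re

# Constructed sample: entry 6 copies the page's output, entry 7 is altered.
SAMPLE_DETAIL = """\
LLDP Remote Device Information Detail
Index 6 Time Mark Wed Jun 20 07:34:11 2007 Time To Live 120 seconds
Local Port   : ge-0/0/4.0
ChassisType  : mac-address
ChassisId    : 00 19 bb 20 de 80
PortType     : local
PortId       : 3
SysName      : apg-hp1
System Descr : ProCurve J9049A Switch 2900-24G, revision T.11.X1, ROM K....
PortDescr    : 3
.
.
.
System Capabilities Supported : bridge, router
System Capabilities Enabled   : bridge
Remote Management Address
Type         : ipv4
Address      : 10.204.34.35

Index 7 Time Mark Wed Jun 20 07:34:11 2007 Time To Live 120 seconds
Local Port   : ge-0/0/4.0
ChassisType  : mac-address
ChassisId    : 00 19 bb 20 de 79
PortType     : local
PortId       : 5
SysName      : lab-gw
System Descr : constructed second neighbor, capabilities changed for the check
PortDescr    : 5
System Capabilities Supported : bridge, router
System Capabilities Enabled   : bridge, router
Remote Management Address
Type         : ipv4
Address      : 10.204.34.36
"""

# Header line that opens each neighbor record.
ENTRY_RE = re.compile(r"^Index (\d+) Time Mark (.+?) Time To Live (\d+) seconds$")
LIST_FIELDS = ("System Capabilities Supported", "System Capabilities Enabled")


def parse_lldp_neighbor_detail(text):
    """Return one dict per 'Index N ...' record, keyed by the printed labels."""
    neighbors, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = {"Index": int(m.group(1)), "Time Mark": m.group(2),
                       "Time To Live": int(m.group(3))}
            neighbors.append(current)
            continue
        # Skip the banner, section labels and the '.' elision lines.
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in LIST_FIELDS:
            value = [c.strip() for c in value.split(",") if c.strip()]
        current[key] = value
    return neighbors


def chassis_by_local_port(neighbors):
    """Map each local port to the chassis IDs seen on it; more than one
    means several LLDP speakers sit behind that port (ge-0/0/4.0 above)."""
    by_port = {}
    for n in neighbors:
        by_port.setdefault(n["Local Port"], []).append(n["ChassisId"])
    return by_port


def neighbors_with_enabled_capability(neighbors, capability):
    """Indexes of neighbors whose enabled capabilities include `capability`,
    e.g. 'router' turning up on a port where only a bridge is expected."""
    return [n["Index"] for n in neighbors
            if capability in n.get("System Capabilities Enabled", [])]


if __name__ == "__main__":
    records = parse_lldp_neighbor_detail(SAMPLE_DETAIL)
    for n in records:
        print(n["Local Port"], n["ChassisId"], n["SysName"],
              "enabled:", ",".join(n["System Capabilities Enabled"]))
    multi = {p: c for p, c in chassis_by_local_port(records).items() if len(c) > 1}
    print("ports with several chassis:", multi)
    print("router enabled:", neighbors_with_enabled_capability(records, "router"))
```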

show lldp statistics

Syntax
show lldp statistics
<interface interface-ids>

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Display LLDP statistics on all or selected interfaces.

Options
none: Display LLDP statistics on all interfaces and devices.
interface interface-ids: (Optional) Display LLDP statistics on the selected devices.

Required Privilege Level
view

List of Sample Output
show lldp statistics on page 891
show lldp statistics interface ge-0/1/1.0 on page 891

Output Fields
Table 77 on page 891 lists the output fields for the show lldp statistics command.
Output fields are listed in the approximate order in which they appear.

Table 122: show lldp statistics Output Fields

Interface (All levels)
Name of an interface.

Received (All levels)
The total number of LLDP frames received on an interface.

Transmitted (All levels)
The total number of LLDP frames transmitted on an interface.

Unknown-TLVs (All levels)
The number of unrecognized LLDP TLVs received on an interface.

With-Errors (All levels)
The number of invalid LLDP TLVs received on an interface.

Discarded (All levels)
The number of LLDP TLVs received and then discarded on an interface.

show lldp statistics

user@switch> show lldp statistics

Interface     Received   Transmitted   Unknown-TLVs   With-Errors   Discarded
------------------------------------------------------------------------------
ge-0/1/1.0    544        540           0              0             0
ge-0/1/2.0    540        500           0              0             0
ge-0/1/3.0    544        540           0              0             0
ge-0/1/4.0    544        540           0              0             0
ge-0/1/5.0    544        540           0              0             0
ge-0/1/6.0    544        540           0              0             0
ge-0/1/7.0    0          0             0              0             0

show lldp statistics interface ge-0/1/1.0

user@switch> show lldp statistics interface ge-0/1/1.0

Interface     Received   Transmitted   Unknown-TLVs   With-Errors   Discarded
------------------------------------------------------------------------------
ge-0/1/1.0    544        540           0              0             0


show network-access aaa statistics accounting

Syntax
show network-access aaa statistics accounting

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Display authentication, authorization, and accounting (AAA) accounting statistics.

Required Privilege Level
view

Related Topics
accounting-server
stop-on-access-deny
Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 761

List of Sample Output
show network-access aaa statistics accounting on page 893

Output Fields
Table 123 on page 893 lists the output fields for the show network-access aaa statistics
accounting command. Output fields are listed in the approximate order in which they
appear.

Table 123: show network-access aaa statistics accounting Output Fields

Requests received
The number of accounting-request packets sent from a switch to a RADIUS accounting server.

Accounting Response failures
The number of accounting-response failure packets sent from the RADIUS accounting server to the
switch.

Accounting Response Success
The number of accounting-response success packets sent from the RADIUS accounting server to the
switch.

Requests timedout
The number of requests-timedout packets sent from the RADIUS accounting server to the switch.

show network-access aaa statistics accounting

user@switch> show network-access aaa statistics accounting

Accounting module statistics
Requests received: 1
Accounting Response failures: 0
Accounting Response Success: 1
Requests timedout: 0

show network-access aaa statistics authentication

Syntax
show network-access aaa statistics authentication

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Display authentication, authorization, and accounting (AAA) authentication statistics.

Required Privilege Level
view

Related Topics
authentication-server
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 670

List of Sample Output
show network-access aaa statistics authentication on page 894

Output Fields
Table 124 on page 894 lists the output fields for the show network-access aaa statistics
authentication command. Output fields are listed in the approximate order in which
they appear.

Table 124: show network-access aaa statistics authentication Output Fields

Requests received
The number of authentication requests received by the switch.

Accepts
The number of authentication accepts received by the RADIUS server.

Rejects
The number of authentication rejects sent by the RADIUS server.

Challenges
The number of authentication challenges sent by the RADIUS server.

show network-access aaa statistics authentication

user@switch> show network-access aaa statistics authentication

Authentication module statistics
Requests received: 2
Accepts: 1
Rejects: 0
Challenges: 1

show network-access aaa statistics dynamic-requests

Syntax
show network-access aaa statistics dynamic-requests

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Display authentication, authorization, and accounting (AAA) authentication statistics
for disconnects.

Required Privilege Level
view

Related Topics
authentication-server
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch on page 670

List of Sample Output
show network-access aaa statistics authentication on page 895

Output Fields
Table 125 on page 895 lists the output fields for the show network-access aaa statistics
dynamic-requests command. Output fields are listed in the approximate order in
which they appear.

Table 125: show network-access aaa statistics dynamic-requests Output Fields

Requests received
The number of dynamic requests received by the RADIUS server.

Processed successfully
The number of dynamic requests successfully processed by the RADIUS server.

Errors during processing
The number of errors that occurred while the RADIUS server was processing the dynamic request.

Silently dropped
The number of silently dropped requests.

show network-access aaa statistics authentication

user@switch> show network-access aaa statistics dynamic-requests

Dynamic-requests module statistics
Requests received: 0
Processed successfully: 0
Errors during processing: 0
Silently dropped: 0

Part 11

Packet Filtering

Understanding Packet Filtering on page 899

Examples of Configuring Packet Filtering on page 923

Configuring Packet Filtering on page 945

Verifying Packet Filtering on page 959

Troubleshooting Packet Filtering on page 963

Configuration Statements for Packet Filtering on page 967

Operational Mode Commands for Packet Filtering on page 981


Chapter 49

Understanding Packet Filtering

Firewall Filters for EX-series Switches Overview on page 899

Understanding Planning of Firewall Filters on page 901

Understanding Firewall Filter Processing Points for Bridged and Routed Packets
on EX-series Switches on page 903

Understanding How Firewall Filters Control Packet Flows on page 905

Firewall Filter Match Conditions and Actions for EX-series Switches on page 906

Understanding How Firewall Filters Are Evaluated on page 915

Understanding Firewall Filter Match Conditions on page 917

Understanding How Firewall Filters Test a Packet's Protocol on page 921

Understanding the Use of Policers in Firewall Filters on page 921

Firewall Filters for EX-series Switches Overview


Firewall filters provide rules that define whether to permit or deny packets that are
transiting an interface on a switch from a source address to a destination address.
You configure firewall filters to determine whether to permit or deny traffic before
it enters or exits a port, VLAN, or Layer 3 (routed) interface to which the firewall filter
is applied. An ingress firewall filter is a filter that is applied to packets that are entering
a network. An egress firewall filter is a filter is applied to packets that are exiting a
network. You can configure firewall filters to subject packets to filtering,
class-of-service (CoS) marking (grouping similar types of traffic together and treating
each type of traffic as a class with its own level of service priority), and traffic policing
(controlling the maximum rate of traffic sent or received on an interface).

Firewall Filter Types on page 899

Firewall Filter Components on page 900

Firewall Filter Processing on page 900

Firewall Filter Types


The following firewall filter types are supported for EX-series switches:

Port (Layer 2) firewall filter: Port firewall filters apply to Layer 2 switch ports.
You can apply port firewall filters only in the ingress direction on a physical port.

VLAN firewall filter: VLAN firewall filters provide access control for packets that
enter a VLAN, are bridged within a VLAN, and leave a VLAN. You can apply VLAN
firewall filters in both ingress and egress directions on a VLAN. VLAN firewall
filters are applied to all packets that are forwarded to or forwarded from the
VLAN.

Router (Layer 3) firewall filter: You can apply a router firewall filter in both
ingress and egress directions on Layer 3 (routed) interfaces and routed VLAN
interfaces (RVI). You can also apply a router firewall filter in the ingress direction on
the loopback interface.

NOTE: Firewall filters are not supported on aggregated Ethernet interfaces.


To apply a firewall filter, you must:

1. Configure the firewall filter.

2. Apply the firewall filter to a port, VLAN, or router interface.

Firewall Filter Components


In a firewall filter, you first define the address family (ethernet-switching or inet),
and then you define one or more terms that specify the filtering criteria and the
action to take if a match occurs.
Each term consists of the following components:

Match conditions: Specifies the values or fields that the packet must contain.
You can define various match conditions, including the IP source address field,
IP destination address field, Transmission Control Protocol (TCP) or User
Datagram Protocol (UDP) source port field, IP protocol field, Internet Control
Message Protocol (ICMP) packet type, TCP flags, and interfaces.

Action: Specifies what to do if a packet matches the match conditions. Possible
actions are to accept or discard a packet. In addition, packets can be counted to
collect statistical information. If no action is specified for a term, the default
action is to accept the packet.

Firewall Filter Processing


The order of the terms within a firewall filter is important. Packets are tested against
each term in the order in which the terms are listed in the firewall filter configuration.
When a firewall filter contains multiple terms, the switch takes a top-down approach
and compares a packet against the first term in the firewall filter. If the packet matches
the first term, the switch executes the action defined by that term to either permit
or deny the packet, and no other terms are evaluated. If the switch does not find a
match between the packet and first term, it then compares the packet to the next
term in the firewall filter by using the same match process. If no match occurs
between the packet and the second term, the switch continues to compare the packet
to each successive term defined in the firewall filter until a match is found. If a packet
does not match any terms in a firewall filter, the default action is to discard the
packet.


Related Topics

Understanding Planning of Firewall Filters on page 901

Understanding Firewall Filter Processing Points for Bridged and Routed Packets
on EX-series Switches on page 903

Understanding How Firewall Filters Are Evaluated on page 915

Understanding Firewall Filter Match Conditions on page 917

Understanding the Use of Policers in Firewall Filters on page 921

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923

Understanding Planning of Firewall Filters


Before you create a firewall filter and apply it to an interface, determine what you
want the firewall filter to accomplish and how to use its match conditions and actions
to achieve your goals. It is important that you understand how packets are matched
to match conditions, the default and configured actions of the firewall filter, and
proper placement of the firewall filter.
You can configure and apply no more than one firewall filter per port, VLAN, or
router interface, per direction. The number of firewall filter terms allowed per filter
cannot exceed 2048. In addition, you should try to be conservative in the number
of terms (rules) that you include in each firewall filter because a large number of
terms requires longer processing time during a commit and also can make firewall
filter testing and troubleshooting more difficult. Similarly, applying firewall filters
across many switch and router interfaces can make testing and troubleshooting the
rules of those filters difficult.
Before you configure and apply firewall filters, answer the following questions for
each of those firewall filters:

1. What is the purpose of the firewall filter?

For example, you can use a firewall filter to limit traffic to source and destination
MAC addresses, specific protocols, or certain data rates or to prevent denial of
service (DoS) attacks.

2. What are the appropriate match conditions?

a. Determine the packet header fields that the packet must contain for a match.
Possible fields include:

Layer 2 header fields: Source and destination MAC addresses, dot1q
tag, Ethernet type, VLAN

Layer 3 header fields: Source and destination IP addresses, protocols,
and IP options (IP precedence, IP fragmentation flags, TTL type)

TCP header fields: Source and destination ports and flags

ICMP header fields: Packet type and code

b. Determine the port, VLAN, or router interface on which the packet was
received.

3. What are the appropriate actions to take if a match occurs?

Possible actions to take if a match occurs are accept and discard.

4. What additional action modifiers might be required?

Determine if additional actions are required if a packet matches a match
condition; for example, you can specify an action modifier to count, analyze, or
police packets.

5. On what interface should the firewall filter be applied?

Start with the following basic guidelines:

If all the packets entering a port need to be exposed to filtering, then use
port firewall filters.

If all the packets that are bridged need filtering, then use VLAN firewall filters.

If all the packets that are routed need filtering, then use router firewall filters.

Before you choose the interface at which to apply a firewall filter, understand
how that placement can impact traffic flow to other interfaces. In general, apply
a firewall filter that filters on source and destination IP addresses, IP protocols,
or protocol information, such as ICMP message types and TCP and UDP port
numbers, nearest to the source devices. However, typically apply a firewall filter
that filters only on a source IP address nearest to the destination devices. When
applied too close to the source device, a firewall filter that filters only on a source
IP address could potentially prevent that source device from accessing other
services that are available on the network.

NOTE: Firewall filters are not supported on aggregated Ethernet interfaces.

NOTE: Egress firewall filters do not affect the flow of locally generated control packets
from the Routing Engine.

6. In which direction should the firewall filter be applied?

You can apply firewall filters to ports on the switch to filter packets that are
entering a port. You can apply firewall filters to VLANs and Layer 3 (routed)
interfaces to filter packets that are entering or exiting a VLAN or routed interface.
Typically, you configure different sets of actions for traffic entering an interface
than you configure for traffic exiting an interface.

Related Topics

Firewall Filters for EX-series Switches Overview on page 899

Understanding the Use of Policers in Firewall Filters on page 921

Understanding How Firewall Filters Are Evaluated on page 915

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923

Understanding Firewall Filter Processing Points for Bridged and Routed Packets
on EX-series Switches
EX-series switches are multilayered switches that provide Layer 2 switching and
Layer 3 routing. You apply firewall filters at multiple processing points in the packet
forwarding path on EX-series switches. At each processing point, the action to be
taken on a packet is determined based on the results of the lookup in the switch's
forwarding table. A table lookup determines which exit port on the switch to use to
forward the packet.
For both bridged unicast packets and routed unicast packets, firewall filters are
evaluated and applied hierarchically. First, a packet is checked against the port firewall
filter, if present. If the packet is permitted, it is then checked against the VLAN firewall
filter, if present. If the packet is permitted, it is then checked against the router
firewall filter, if present. The packet must be permitted by the router firewall filter
before it is processed.
Figure 47 on page 904 shows the various firewall filter processing points in the packet
forwarding path in a multilayered switching platform.
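The top-down term evaluation described under Firewall Filter Processing above, and the port, VLAN, router ordering described in this section, as an added Python model. It is not JUNOS code: the filter terms, packets and addresses are constructed, and the text synonyms for destination-port are the ones listed in Table 126.

```python
"""Model of how an EX-series firewall filter evaluates a packet: terms are
tested top-down, the first matching term decides, a term with no action
accepts, and a packet matching no term is discarded. evaluate_chain then
applies the port, VLAN and router filters in order. Added example, not
JUNOS code; filters and packets below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Text synonyms for destination-port, as listed in the match-condition table.
PORT_SYNONYMS = {"bgp": 179, "domain": 53, "ftp": 21, "ftp-data": 20,
                 "http": 80, "https": 443, "imap": 143}


@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)  # condition -> value(s)
    action: str | None = None                  # "accept", "discard" or None
    count: bool = False                        # the 'count' action modifier


@dataclass
class Packet:
    source_address: str
    destination_address: str
    protocol: str                              # "tcp", "udp", "icmp", ...
    destination_port: int | None = None


def _port_number(value):
    """Accept a numeric port or one of the text synonyms."""
    return PORT_SYNONYMS[value] if isinstance(value, str) else int(value)


def term_matches(term: Term, pkt: Packet) -> bool:
    """Every condition of a term must hold; a term with none matches everything."""
    for cond, want in term.match.items():
        if cond == "source-address":
            if ip_address(pkt.source_address) not in ip_network(want):
                return False
        elif cond == "destination-address":
            if ip_address(pkt.destination_address) not in ip_network(want):
                return False
        elif cond == "protocol":
            if pkt.protocol != want:
                return False
        elif cond == "destination-port":
            values = want if isinstance(want, list) else [want]
            if pkt.destination_port not in {_port_number(v) for v in values}:
                return False
        else:
            raise ValueError(f"unsupported match condition: {cond}")
    return True


def evaluate_filter(terms, pkt, counters=None):
    """Top-down, first match wins. Returns (action, matching term name);
    when no term matches the result is the default ('discard', None)."""
    for term in terms:
        if term_matches(term, pkt):
            if term.count and counters is not None:
                counters[term.name] = counters.get(term.name, 0) + 1
            return (term.action or "accept", term.name)
    return ("discard", None)


def evaluate_chain(filters, pkt, counters=None):
    """filters: [(name, terms), ...] in port -> VLAN -> router order, listing
    only the filters that are present. The first discard is final."""
    for name, terms in filters:
        action, term = evaluate_filter(terms, pkt, counters)
        if action == "discard":
            return ("discard", name, term)
    return ("accept", None, None)


# Constructed filters: the port filter ends in an explicit accept-all term; the
# router filter deliberately has no catch-all, so the implicit discard applies.
PORT_FILTER = [
    Term("block-bad-source", {"source-address": "198.51.100.0/24"}, "discard"),
    Term("allow-rest", {}, "accept"),
]
ROUTER_FILTER = [
    Term("allow-dns", {"protocol": "udp", "destination-port": "domain"}, "accept"),
    Term("allow-web", {"protocol": "tcp", "destination-port": ["http", "https"]},
         "accept", count=True),
]
CHAIN = [("port", PORT_FILTER), ("router", ROUTER_FILTER)]

if __name__ == "__main__":
    counts = {}
    for pkt in (Packet("10.0.0.5", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 80),
                Packet("10.0.0.5", "203.0.113.10", "tcp", 23)):
        print(pkt.source_address, pkt.destination_port,
              evaluate_chain(CHAIN, pkt, counts))
    print("counters:", counts)
```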


Figure 47: Firewall Filter Processing Points in the Packet Forwarding Path

For a multicast packet that results in replications, an egress firewall filter is applied
to each copy of the packet based on its corresponding egress VLAN.
For Layer 2 (bridged) unicast packets, the following firewall filter processing points
apply:

Ingress port firewall filter

Ingress VLAN firewall filter

Egress VLAN firewall filter

For Layer 3 (routed and multilayer-switched) unicast packets, the following firewall
filter processing points apply:

Ingress port firewall filter

Ingress VLAN firewall filter (Layer 2 CoS)

Ingress router firewall filter (Layer 3 CoS)

Egress router firewall filter

Egress VLAN firewall filter

Related Topics

Firewall Filters for EX-series Switches Overview on page 899

Understanding How Firewall Filters Control Packet Flows on page 905

Understanding Bridging and VLANs on EX-series Switches on page 359

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923

Understanding How Firewall Filters Control Packet Flows


EX-series switches support firewall filters that allow you to control flows of data
packets and local packets. Data packets are chunks of data that transit the switch as
they are forwarded from a source to a destination. Local packets are chunks of data
that are destined for or sent by the switch. Local packets usually contain routing
protocol data, data for IP services such as Telnet or SSH, and data for administrative
protocols such as the Internet Control Message Protocol (ICMP).
You create firewall filters to protect your switch from excessive traffic transiting the
switch to a network destination or destined for the Routing Engine on the switch.
Firewall filters that control local packets can also protect your switch from external
incidents such as denial-of-service (DoS) attacks.
Firewall filters affect packet flows entering in to or exiting from the switch's interfaces:

Ingress firewall filters affect the flow of data packets that are received by the
switch's interfaces. The Packet Forwarding Engine (PFE) handles this flow. When
a switch receives a data packet on an interface, the switch determines where to
forward the packet by looking in the forwarding table for the best route (Layer 2
switching, Layer 3 routing) to a destination. Data packets are forwarded to their
destination through an outgoing interface. Locally destined packets are forwarded
to the Routing Engine.

Egress firewall filters affect the flow of data packets that are transmitted from
the switch's interfaces but do not affect the flow of locally generated control
packets from the Routing Engine. The Packet Forwarding Engine handles the
flow of data packets that are transmitted from the switch, and egress firewall
filters are applied here. The Packet Forwarding Engine also handles the flow of
control packets from the Routing Engine.

Figure 48 on page 906 illustrates the application of ingress and egress firewall filters
to control the flow of packets through the switch.


Figure 48: Application of Firewall Filters to Control Packet Flow

1. Ingress firewall filter applied to control locally destined packets that are received
on the switch's interfaces and are destined for the Routing Engine.

2. Ingress firewall filter applied to control incoming packets on the switch's
interfaces.

3. Egress firewall filter applied to control packets that are transiting the switch's
interfaces.

Related Topics

Understanding Firewall Filter Processing Points for Bridged and Routed Packets
on EX-series Switches on page 903

Understanding How Firewall Filters Are Evaluated on page 915

Firewall Filter Match Conditions and Actions for EX-series Switches


Each term in a firewall filter consists of match conditions and an action. Match
conditions are the values or fields that the packet must contain. You can define
multiple, single, or no match conditions. If no match conditions are specified for a
term, the term matches every packet; if no action is specified, the default action is
accept. The action is what the switch does with a packet that matches all the
conditions of the term. The allowed actions are accept and discard. In addition, you
can specify action modifiers to count, mirror, rate-limit, and classify packets.
For each firewall filter, you define the terms that specify the filtering criteria (match
conditions) to apply to packets and the action for the switch to take if a match occurs.
Table 126 on page 907 describes the match conditions you can specify when
configuring a firewall filter. The string that defines a match condition is called a match
statement. All match conditions are applicable to IPv4 traffic.

Chapter 49: Understanding Packet Filtering

Table 126: Supported Match Conditions for Firewall Filters on EX-series Switches

Each entry lists the match condition, its description, and the directions and
interface types (Direction/Interface) on which it is supported.

destination-address ip-address
  Description: IP destination address field, which is the address of the final
  destination node.
  Direction/Interface: Ingress ports, VLANs, and router interfaces. Egress VLANs and
  router interfaces.

destination-mac-address mac-address
  Description: Destination media access control (MAC) address of the packet.
  Direction/Interface: Ingress ports, VLANs, and router interfaces. Egress VLANs.

destination-port number
  Description: TCP or User Datagram Protocol (UDP) destination port field. Typically,
  you specify this match in conjunction with the protocol match statement to
  determine which protocol is used on the port. In place of the numeric value, you
  can specify one of the following text synonyms (the port numbers are also listed):
  afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514),
  cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106),
  exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443),
  ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761),
  krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513),
  mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138),
  netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518),
  ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812),
  rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444),
  socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517),
  telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103),
  zephyr-hm (2104)
  Direction/Interface: Ingress ports, VLANs, and router interfaces. Egress VLANs and
  router interfaces.

dot1q-tag number
  Description: The tag field in the Ethernet header. The tag values can be 1 through 4095.
  Direction/Interface: Ingress ports and VLANs. Egress VLANs.

dot1q-user-priority number
  Description: User-priority field of the tagged Ethernet packet. User-priority values
  can be 0 through 7. In place of the numeric value, you can specify one of the
  following text synonyms (the field values are also listed):
  background (1): Background
  best-effort (0): Best effort
  controlled-load (4): Controlled load
  excellent-load (3): Excellent load
  network-control (7): Network control reserved traffic
  standard (2): Standard or Spare
  video (5): Video
  voice (6): Voice
  Direction/Interface: Ingress ports and VLANs. Egress VLANs.

dscp number
  Description: Differentiated Services code point (DSCP). The DiffServ protocol uses
  the type-of-service (ToS) byte in the IP header. The most significant six bits of
  this byte form the DSCP. You can specify the DSCP in hexadecimal, binary, or
  decimal form. In place of the numeric value, you can specify one of the following
  text synonyms (the field values are also listed):
  ef (46): as defined in RFC 2598, An Expedited Forwarding PHB.
  af11 (10), af12 (12), af13 (14); af21 (18), af22 (20), af23 (22);
  af31 (26), af32 (28), af33 (30); af41 (34), af42 (36), af43 (38): these four
  classes, with three drop precedences in each class, for a total of 12 code
  points, are defined in RFC 2597, Assured Forwarding PHB.
  Direction/Interface: Ingress ports, VLANs, and router interfaces. Egress VLANs and
  router interfaces.

ether-type [ipv4 | arp | mpls | dot1q | value]
  Description: Ethernet type field of a packet. The EtherType value specifies what
  protocol is being transported in the Ethernet frame. In place of the numeric
  value, you can specify one of the following text synonyms:
  arp: EtherType value ARP (0x0806)
  dot1q: EtherType value 802.1Q (0x8100)
  ipv4: EtherType value IPv4 (0x0800)
  mpls: EtherType value MPLS (0x8847)
  Direction/Interface: Ingress ports and VLANs. Egress VLANs.

fragment-flags [is-fragment | more-fragment | dont-fragment]
  Description: IP fragmentation flags.
  Direction/Interface: fragment-flags is-fragment is supported for ingress ports,
  VLANs, and router interfaces, and for egress VLANs and router interfaces.
  fragment-flags more-fragment and fragment-flags dont-fragment are supported
  for ingress ports, VLANs, and router interfaces only.

icmp-code number
  Description: ICMP code field. This value or keyword provides more specific
  information than icmp-type. Because the value's meaning depends upon the
  associated icmp-type, you must specify icmp-type along with icmp-code. In
  place of the numeric value, you can specify one of the following text synonyms
  (the field values are also listed). The keywords are grouped by the ICMP type
  with which they are associated:
  parameter-problem: ip-header-bad (0), required-option-missing (1)
  redirect: redirect-for-host (1), redirect-for-network (0),
  redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)
  time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
  unreachable: communication-prohibited-by-filtering (13),
  destination-host-prohibited (10), destination-host-unknown (7),
  destination-network-prohibited (9), destination-network-unknown (6),
  fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1),
  host-unreachable-for-TOS (12), network-unreachable (0),
  network-unreachable-for-TOS (11), port-unreachable (3),
  precedence-cutoff-in-effect (15), protocol-unreachable (2),
  source-host-isolated (8), source-route-failed (5)
  Direction/Interface: Ingress ports, VLANs, and router interfaces. Egress VLANs and
  router interfaces.

icmp-type number
  Description: ICMP packet type field. Typically, you specify this match in
  conjunction with the protocol match statement to determine which protocol is
  being used on the port. In place of the numeric value, you can specify one of the
  following text synonyms (the field values are also listed):
  echo-reply (0), echo-request (8), info-reply (16), info-request (15),
  mask-request (17), mask-reply (18), parameter-problem (12), redirect (5),
  router-advertisement (9), router-solicit (10), source-quench (4),
  time-exceeded (11), timestamp (13), timestamp-reply (14), unreachable (3)
  Direction/Interface: Ingress ports, VLANs, and router interfaces. Egress VLANs and
  router interfaces.

interface interface-name
  Description: Interface on which the packet is received. You can specify the
  wildcard character * as part of an interface name.
  NOTE: An interface from which a packet is sent cannot be used as a match condition.
  Direction/Interface: Ingress ports, VLANs, and router interfaces. Egress VLANs and
  router interfaces.

ip-options
  Description: Presence of the options field in the IP header.
  Direction/Interface: Ingress ports, VLANs, and router interfaces.

packet-length bytes
  Description: Length of the received packet, in bytes.
  Direction/Interface: Ingress router interfaces.

precedence precedence
  Description: IP precedence. In place of the numeric value, you can specify one of
  the following text synonyms (the field values are also listed):
  critical-ecp (5), flash (3), flash-override (4), immediate (2),
  internet-control (6), net-control (7), priority (1), routine (0)
  Direction/Interface: Ingress ports, VLANs, and router interfaces. Egress VLANs and
  router interfaces.

protocol list of protocols
  Description: IPv4 protocol value. In place of the numeric value, you can specify one
  of the following text synonyms:
  egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ospf (89), pim (103),
  rsvp (46), tcp (6), udp (17)
  Direction/Interface: Ingress ports, VLANs, and router interfaces. Egress VLANs and
  router interfaces.

source-address ip-address
  Description: IP source address field, which is the address of the source node
  sending the packet.
  Direction/Interface: Ingress ports, VLANs, and router interfaces. Egress VLANs and
  router interfaces.

source-mac-address mac-address
  Description: Source MAC address.
  Direction/Interface: Ingress ports and VLANs. Egress VLANs.

source-port number
  Description: TCP or UDP source-port field. Typically, you specify this match in
  conjunction with the protocol match statement to determine which protocol is
  being used on the port. In place of the numeric value, you can specify one of the
  text synonyms listed under destination-port.
  Direction/Interface: Ingress ports, VLANs, and router interfaces. Egress VLANs and
  router interfaces.

packet-length bytes
  Description: Length of the received packet, in bytes.
  Direction/Interface: Ingress ports, VLANs, and router interfaces.

tcp-flags [flags tcp-initial]
  Description: One or more TCP flags:
  bit name: fin, syn, rst, push, ack, urgent
  logical operators: & (logical AND), ! (negation)
  numerical value: 0x01 through 0x20
  text synonym: tcp-initial
  To specify multiple flags, use logical operators.
  NOTE: tcp-flags is not supported on egress firewall filters.
  Direction/Interface: Ingress ports, VLANs, and router interfaces.

tcp-initial
  Description: Matches the first TCP packet of a connection. tcp-initial is a synonym
  for the bit-field expression "(syn & !ack)". tcp-initial does not implicitly check
  that the protocol is TCP. To do so, specify the protocol tcp match condition.
  Direction/Interface: Ingress ports, VLANs, and router interfaces.

ttl value
  Description: TTL value to match. The value range is 1 through 255.
  Direction/Interface: Ingress router interfaces.

vlan [vlan-name | vlan-id]
  Description: The VLAN that is associated with the packet.
  Direction/Interface: Ingress ports and VLANs. Egress VLANs.

Some of the numeric range and bit-field match conditions allow you to specify a text
synonym. For a list of all the synonyms for a match condition, do one of the following:

If you are using the J-Web Configuration page, select the synonym from the
appropriate list.

If you are using the CLI, type a question mark (?) after the from statement.

To specify a bit-field value to match, enclose the value in quotation marks (" ").
For example, the following match occurs if the RST bit in the TCP flags field is set:
tcp-flags "rst";

For information about logical operators and how to use bit-field logical operations
to create expressions that are evaluated for matches, see Understanding Firewall
Filter Match Conditions on page 917.

When you define one or more terms that specify the filtering criteria, you also define
the action to take if the packet matches all criteria. Table 127 on page 914 shows the
actions that you can specify in a term.

Table 127: Actions for Firewall Filters

accept
  Accept a packet.

discard
  Discard a packet silently, without sending an Internet Control Message Protocol
  (ICMP) message.

In addition to the actions, you can specify action modifiers. Table 128 on page 914
shows the action modifiers that you can specify in a term.

Table 128: Action Modifiers for Firewall Filters

analyzer analyzer-name
  Mirror port traffic to a specified destination port or VLAN that is connected to a
  protocol analyzer application. Mirroring copies all packets seen on one switch port
  to a network monitoring connection on another switch port. The analyzer-name
  must be configured under [edit ethernet-switching-options analyzer].
  You can specify mirroring for ingress port, VLAN, and router firewall filters only.

count counter-name
  Count the number of packets that pass this filter, term, or policer.

forwarding-class class
  Classify the packet into one of the following forwarding classes:
  assured-forwarding, best-effort, expedited-forwarding, network-control.

loss-priority [low | high]
  Set the packet loss priority (PLP).

policer policer-name
  Apply rate limits to the traffic.
  You can specify a policer for ingress port, VLAN, and router firewall filters only.


Related Topics

Firewall Filter Configuration Statements Supported by JUNOS Software for
EX-series Switches on page 968

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923

Understanding Firewall Filter Match Conditions on page 917

Understanding How Firewall Filters Are Evaluated on page 915

Understanding How Firewall Filters Test a Packet's Protocol on page 921

Understanding the Use of Policers in Firewall Filters on page 921

Understanding How Firewall Filters Are Evaluated


A firewall filter consists of one or more terms, and the order of the terms within a
firewall filter is important. Before you configure firewall filters, you should understand
how EX-series switches evaluate the terms within a firewall filter and how packets
are evaluated against the terms.
When a firewall filter consists of a single term, the filter is evaluated as follows:

If the packet matches all the conditions, the action in the then statement is taken.

If the packet matches all the conditions, and no action is specified in the then
statement, the default action accept is taken.

When a firewall filter consists of more than one term, the firewall filter is evaluated
sequentially:

1. The packet is evaluated against the conditions in the from statement in the first
term.

2. If the packet matches all the conditions in the term, the action in the then
statement is taken and the evaluation ends. Subsequent terms in the filter are
not evaluated.

3. If the packet does not match all the conditions in the term, the packet is evaluated
against the conditions in the from statement in the second term.
This process continues until either the packet matches the conditions in the from
statement in one of the subsequent terms or there are no more terms in the
filter.

4. If a packet passes through all the terms in the filter without a match, the packet
is discarded.

Figure 49 on page 916 shows how an EX-series switch evaluates the terms within a
firewall filter.

Figure 49: Evaluation of Terms within a Firewall Filter

If a term does not contain a from statement, the packet is considered to match and
the action in the then statement of the term is taken.
If a term does not contain a then statement, or if an action has not been configured
in the then statement, and the packet matches the conditions in the from statement
of the term, the packet is accepted.
Every firewall filter contains an implicit deny statement at the end of the filter, which
is equivalent to the following explicit filter term:
term implicit-rule {
then discard;
}

Consequently, if a packet passes through all the terms in a filter without matching
any conditions, the packet is discarded. If you configure a firewall filter that has no
terms, all packets that pass through the filter are discarded.

NOTE: Firewall filtering is supported on packets that are at least 48 bytes long.
Related Topics

Firewall Filters for EX-series Switches Overview on page 899

Understanding Firewall Filter Match Conditions on page 917

Understanding the Use of Policers in Firewall Filters on page 921

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923

Understanding Firewall Filter Match Conditions


Before you define terms for firewall filters, you must understand how the conditions
that you specify in a term are handled and how to specify interface filter, numeric
filter, address filter, and bit-field filter match conditions to achieve the desired filtering
results.

Filter Match Conditions on page 917

Numeric Filter Match Conditions on page 917

Interface Filter Match Conditions on page 918

IP Address Filter Match Conditions on page 918

MAC Address Filter Match Conditions on page 919

Bit-Field Filter Match Conditions on page 919

Filter Match Conditions


In the from statement of a firewall filter term, you specify the conditions that the
packet must match for the action in the then statement to be taken. All conditions
in the from statement must match for the action to be taken. The order in which you
specify match conditions is not important, because a packet must match all the
conditions in a term for a match to occur.
If you specify no match conditions in a term, that term matches all packets.
An individual condition in a from statement cannot contain a list of values. For
example, you cannot specify numeric ranges or multiple source or destination
addresses.
Individual conditions in a from statement cannot be negated. A negated condition is
an explicit mismatch.

Numeric Filter Match Conditions


Numeric filter conditions match packet fields that are identified by a numeric value,
such as port and protocol numbers. For numeric filter match conditions, you specify
a keyword that identifies the condition and a single value that a field in a packet
must match.
You can specify the numeric value in one of the following ways:

Single number: a match occurs if the value of the field matches the number.
For example:
source-port 25;

Text synonym for a single number: a match occurs if the value of the field
matches the number that corresponds to the synonym. For example:
source-port http;

To specify more than one value in a filter term, you enter each value in its own match
statement. For example, a match occurs in the following term if the value of vlan
field is 10 or 30.
[edit firewall family family-name filter filter-name term term-name from]
vlan 10;
vlan 30;

The following restrictions apply to numeric filter match conditions:

You cannot specify a range of values.

You cannot specify a list of comma-separated values.

You cannot exclude a specific value in a numeric filter match condition. For
example, you cannot specify a condition that would match only if the match
condition was not equal to a given value.

Interface Filter Match Conditions


Interface filter match conditions can match interface name values in a packet. For
interface filter match conditions, you specify the name of the interface, for example:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set interface ge-0/0/1

Port and VLAN interfaces do not use logical unit numbers. However, a firewall filter
that is applied to a router interface can specify the logical unit number in the interface
filter match condition, for example:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set interface ge-0/1/0.0

You can include the * wildcard as part of the interface name, for example:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set interface ge-0/*/1
user@host# set interface ge-0/1/*
user@host# set interface ge-*

IP Address Filter Match Conditions


Address filter match conditions can match prefix values in a packet, such as IP source
and destination prefixes. For address filter match conditions, you specify a keyword
that identifies the field and one prefix of that type that a packet must match.
You specify the address as a single prefix. A match occurs if the value of the field
matches the prefix. For example:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set destination-address 10.2.1.0/28


Each prefix contains an implicit 0/0 except statement, which means that any prefix
that does not match the prefix that is specified is explicitly considered not to match.
To specify the address prefix, use the notation prefix/prefix-length. If you omit
prefix-length, it defaults to /32. For example:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set destination-address 10
[edit firewall family family-name filter filter-name term term-name from]
user@host# show
destination-address {
10.0.0.0/32;
}

To specify more than one IP address in a filter term, you enter each address in its
own match statement. For example, a match occurs in the following term if the value
of the source-address field matches either of the following source-address prefixes:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set source-address 10.0.0.0/8
user@host# set source-address 10.1.0.0/16

MAC Address Filter Match Conditions


MAC address filter match conditions can match source and destination MAC address
values in a packet. For MAC address filter match conditions, you specify a keyword
that identifies the field and one value of that type that a packet must match.
You can specify the MAC address as six hexadecimal bytes in the following formats:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set destination-mac-address 0011.2233.4455
[edit firewall family family-name filter filter-name term term-name from]
user@host# set destination-mac-address 00:11:22:33:44:55
[edit firewall family family-name filter filter-name term term-name from]
user@host# set destination-mac-address 001122334455

To specify more than one MAC address in a filter term, you enter each MAC address
in its own match statement. For example, a match occurs in the following term if
the value of the source-mac-address field matches either of the following addresses.
[edit firewall family family-name filter filter-name term term-name from]
user@host# set source-mac-address 00:11:22:33:44:55
user@host# set source-mac-address 00:11:22:33:20:15
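The following Python program is an added illustration; it is not part of the JUNOS
software or of this guide. It models, in simplified form, the rules stated in
Understanding How Firewall Filters Are Evaluated and in the numeric, IP address, and
MAC address match condition sections above: every condition in a term's from
statement must match, repeating a match statement for the same field inside one term
gives OR behavior, terms are tried in order and the first match ends evaluation, a term
without a from statement matches every packet, a term without an action accepts, and
the filter ends in an implicit discard. The packet representation (a dictionary keyed by
match-condition name), the filter representation (a list of tuples), and the sample
filter and packets are constructed for this example and are not the switch's internal
format.

```python
"""Added example, not Juniper code: a simplified model of how an EX-series
firewall filter evaluates its terms and match conditions."""
import ipaddress
import re

ACCEPT, DISCARD = "accept", "discard"


def normalize_mac(mac):
    """Accept the three MAC formats the chapter lists (0011.2233.4455,
    00:11:22:33:44:55, 001122334455); return 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def normalize_prefix(prefix):
    """An address with no prefix length defaults to /32, and a short address
    is padded the way the CLI shows it ('10' becomes 10.0.0.0/32)."""
    address, _, length = prefix.partition("/")
    octets = address.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (length or "32"),
                                strict=False)


def condition_matches(name, values, packet):
    """One match condition of a from statement. Several values for the same
    condition inside one term mean 'any of these' (the OR the chapter describes)."""
    field = packet.get(name)
    if field is None:
        return False
    if name in ("source-address", "destination-address"):
        address = ipaddress.ip_address(field)
        return any(address in normalize_prefix(v) for v in values)
    if name in ("source-mac-address", "destination-mac-address"):
        return normalize_mac(field) in {normalize_mac(v) for v in values}
    return field in values


def evaluate(filter_terms, packet):
    """Return (action, term_name). filter_terms is an ordered list of
    (term_name, from_conditions, then_action): from_conditions maps a match
    condition name to a list of values (None means no from statement);
    then_action is ACCEPT, DISCARD, or None (no action configured)."""
    for name, conditions, action in filter_terms:
        # All conditions must match (AND); an absent from statement matches all.
        if all(condition_matches(c, v, packet)
               for c, v in (conditions or {}).items()):
            return (action or ACCEPT), name     # first match ends evaluation
    return DISCARD, "implicit-rule"             # implicit discard at the end


# Constructed sample filter, in the order the terms would be configured.
SAMPLE_FILTER = [
    ("allow-mgmt-ssh", {"source-address": ["10.0.0.0/8", "10.1.0.0/16"],
                        "protocol": ["tcp"], "destination-port": [22]}, ACCEPT),
    ("vlan-10-or-30", {"vlan": [10, 30]}, None),                  # no then: accept
    ("block-phone", {"source-mac-address": ["0011.2233.4455"]}, DISCARD),
]


def demo():
    """Constructed packets exercising each outcome of SAMPLE_FILTER."""
    packets = [
        {"source-address": "10.1.2.3", "protocol": "tcp", "destination-port": 22},
        {"source-address": "192.0.2.1", "vlan": 30},
        {"source-mac-address": "00:11:22:33:44:55", "vlan": 20},
        {"source-address": "192.0.2.9", "vlan": 20},     # falls through to discard
    ]
    return [evaluate(SAMPLE_FILTER, p) for p in packets]
```

The fourth packet in demo() matches no term and is discarded by the implicit rule;
an empty term list discards everything, which is the behavior the evaluation section
warns about for a filter with no terms.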

Bit-Field Filter Match Conditions


Bit-field filter conditions match packet fields if particular bits in those fields are or
are not set. You can match the IP options, TCP flags, and IP fragmentation fields.
For bit-field filter match conditions, you specify a keyword that identifies the field
and tests to determine that the option is present in the field.


To specify the bit-field value to match, enclose the value in double quotation marks.
For example, a match occurs if the RST bit in the TCP flags field is set:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set tcp-flags "rst"

Typically, you specify the bits to be tested by using keywords. Bit-field match
keywords always map to a single bit value. You also can specify bit fields as
hexadecimal or decimal numbers.
To match multiple bit-field values, use the logical operators, which are described in
Table 129 on page 920. The operators are listed in order from highest precedence to
lowest precedence. Operations are left-associative.

Table 129: Logical Operators for Bit-Field Match Conditions

!
  Negation.

& or +
  Logical AND.

To negate a match, precede the value with an exclamation point. For example, a
match occurs only if the RST bit in the TCP flags field is not set:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set tcp-flags "!rst"

In the following example of a logical AND operation, a match occurs if the packet is
the initial packet on a TCP session (SYN set and ACK not set):
[edit firewall family family-name filter filter-name term term-name from]
user@host# set tcp-flags "syn & !ack"

You can use text synonyms to specify some common bit-field matches. You specify
these matches as a single keyword. In the following example of a text synonym, a
match occurs if the packet is the initial packet on a TCP session:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set tcp-flags tcp-initial

Logical OR operations are not supported; however, you can obtain the equivalent
OR functionality by specifying the same match condition twice, with different values,
in a single term or in two consecutive terms. For example, in the following term, a
match occurs if the packet has the URG bit set or the PSH bit set:
[edit firewall family family-name filter filter-name term term-name from]
user@host# set tcp-flags "urgent"
user@host# set tcp-flags "push"
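As an added example (not code from this guide or from Juniper), the following Python
function evaluates a tcp-flags bit-field expression against the TCP flags byte using the
operators of Table 129: ! binds tighter than & (or +), evaluation is left to right,
parentheses group, and tcp-initial expands to "(syn & !ack)". The bit values (fin 0x01
through urgent 0x20) follow the numeric range listed for tcp-flags in Table 126;
treating a numeric operand as "all of these bits are set" is an assumption.
term_matches shows the OR-by-repetition pattern described in the preceding paragraph.

```python
"""Added example, not Juniper code: evaluates tcp-flags bit-field expressions
with the operators of Table 129 (! negation binds tightest, & or + is logical
AND, left-associative, parentheses group) and the tcp-initial text synonym."""
import re

# Bit values for the six flag names (0x01 through 0x20, as listed for tcp-flags).
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "push": 0x08, "ack": 0x10, "urgent": 0x20}
# Text synonyms expand to an expression.
SYNONYMS = {"tcp-initial": "(syn & !ack)"}

_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|[A-Za-z][\w-]*|[!&+()]")


def flags_match(expression, tcp_flags):
    """Return True if the TCP flags value satisfies the expression."""
    tokens = _TOKEN.findall(expression)
    if "".join(tokens) != re.sub(r"\s+", "", expression):
        raise ValueError(f"unsupported character in {expression!r}")
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        if tok is None:
            raise ValueError(f"unexpected end of {expression!r}")
        pos += 1
        return tok

    def parse_and():                       # and := unary (('&' | '+') unary)*
        value = parse_unary()
        while peek() in ("&", "+"):
            take()
            rhs = parse_unary()            # always parse; never short-circuit
            value = value and rhs
        return value

    def parse_unary():                     # unary := '!' unary | '(' and ')' | atom
        tok = take()
        if tok == "!":
            return not parse_unary()
        if tok == "(":
            value = parse_and()
            if take() != ")":
                raise ValueError(f"missing ')' in {expression!r}")
            return value
        if tok in SYNONYMS:
            return flags_match(SYNONYMS[tok], tcp_flags)
        if tok in FLAG_BITS:
            bits = FLAG_BITS[tok]
        elif tok.lower().startswith("0x"):
            bits = int(tok, 16)            # numeric operand: assumed to mean
        elif tok.isdigit():                # "all of these bits are set"
            bits = int(tok)
        else:
            raise ValueError(f"unknown flag {tok!r}")
        return (tcp_flags & bits) == bits

    result = parse_and()
    if peek() is not None:
        raise ValueError(f"unexpected {peek()!r} in {expression!r}")
    return result


def term_matches(tcp_flags_statements, tcp_flags):
    """Logical OR is not an operator: repeating the tcp-flags match condition
    in one term (or in consecutive terms) gives the same effect."""
    return any(flags_match(s, tcp_flags) for s in tcp_flags_statements)


def demo():
    """Classify a SYN (0x02), a SYN-ACK (0x12), and a bare RST (0x04)."""
    syn, syn_ack, rst = 0x02, 0x12, 0x04
    return {
        "tcp-initial": [flags_match("tcp-initial", f) for f in (syn, syn_ack, rst)],
        "!rst": [flags_match("!rst", f) for f in (syn, syn_ack, rst)],
        "urgent|push": [term_matches(["urgent", "push"], f) for f in (0x28, 0x10)],
    }
```

Because the parser never consults the IP protocol field, a match on tcp-initial says
nothing about whether the packet is TCP at all; pair it with protocol tcp, as Table 126
notes.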

Related Topics

Firewall Filters for EX-series Switches Overview on page 899

Understanding How Firewall Filters Test a Packet's Protocol on page 921

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923

Firewall Filter Match Conditions and Actions for EX-series Switches on page 906

Understanding How Firewall Filters Test a Packet's Protocol


When examining match conditions, JUNOS software for EX-series switches tests only
the field that is specified. The software does not implicitly test the IP header to
determine whether a packet is an IP packet. Therefore, in some cases, you should
specify protocol field match conditions in conjunction with other match conditions
to ensure that the filters are performing the expected matches.
Specifying a match on a transport-layer port field, on the ICMP type field, or on the
TCP flags field does not imply a protocol match. For the following match conditions,
you should explicitly specify the protocol match condition in the same term:

destination-port: specify the match protocol tcp or protocol udp.

source-port: specify the match protocol tcp or protocol udp.

If you do not specify the protocol when using the preceding fields, design your filters
carefully to ensure that they perform the expected matches. For example, if you
specify a match of destination-port ssh, the switch deterministically matches any
packet that has a value of 22 in the two-byte field that is two bytes beyond the
end of the IP header, without ever checking the IP protocol field. A UDP datagram
sent to port 22, or any other packet whose bytes happen to hold that value at that
offset, therefore matches the term.
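The behavior described above, worked through on constructed packets (an added
example, not Juniper code): destination_port_matches models a destination-port check
that reads the two bytes located two bytes past the end of the IPv4 header, with and
without an accompanying protocol check. The packets are built inline with struct;
their checksums are not computed, and the ICMP packet's checksum bytes are
deliberately set to 0x0016 to show that any protocol's bytes at that offset are compared.

```python
"""Added example, not Juniper code: what a destination-port match does with
and without an accompanying protocol match, on constructed IPv4 packets."""
import socket
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def ipv4_packet(protocol, payload, options=b""):
    """Constructed IPv4 header (checksum left at zero) followed by payload.
    options must be a multiple of 4 bytes; it lengthens the header (IHL)."""
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0, 64,
                         protocol, 0,
                         socket.inet_aton("192.0.2.10"),
                         socket.inet_aton("192.0.2.20"))
    return header + options + payload


def tcp_header(src_port, dst_port):
    """20-byte TCP header with only SYN set (checksum left at zero)."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02,
                       65535, 0, 0)


def udp_header(src_port, dst_port, payload_len=0):
    """8-byte UDP header (checksum left at zero)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + payload_len, 0)


def icmp_echo_request(checksum, ident=1, seq=1):
    """8-byte ICMP echo request; the checksum is supplied, not computed, so
    this example can choose what sits at offset 2 of the ICMP header."""
    return struct.pack("!BBHHH", 8, 0, checksum, ident, seq)


def destination_port_matches(packet, port, protocol=None):
    """Model of the check the chapter describes: read the two-byte field that
    starts two bytes past the end of the IP header (the IHL is honoured) and
    compare it with port. With protocol=None the IP protocol field is never
    consulted, so any packet carrying that value at that offset matches."""
    ihl_bytes = (packet[0] & 0x0F) * 4
    if protocol is not None and packet[9] != protocol:
        return False
    (field,) = struct.unpack("!H", packet[ihl_bytes + 2:ihl_bytes + 4])
    return field == port


def demo():
    """Return (matches without protocol, matches with protocol tcp) for four
    constructed packets: TCP SYN to 22, UDP to 22, ICMP echo whose checksum
    bytes are 0x0016, and TCP SYN to 22 behind four bytes of IP options."""
    packets = [
        ipv4_packet(PROTO_TCP, tcp_header(40000, 22)),
        ipv4_packet(PROTO_UDP, udp_header(40000, 22)),
        ipv4_packet(PROTO_ICMP, icmp_echo_request(checksum=0x0016)),
        ipv4_packet(PROTO_TCP, tcp_header(40000, 22), options=b"\x01" * 4),
    ]
    loose = [destination_port_matches(p, 22) for p in packets]
    strict = [destination_port_matches(p, 22, protocol=PROTO_TCP) for p in packets]
    return loose, strict
```

Without the protocol check all four packets match; with protocol tcp in the same term
only the two TCP packets do. The fourth packet shows why the offset must be taken
from the IHL rather than assumed to be 20 bytes.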
Related Topics

Firewall Filters for EX-series Switches Overview on page 899

Understanding Firewall Filter Match Conditions on page 917

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923

Understanding the Use of Policers in Firewall Filters


Policing, or rate limiting, is an important component of firewall filters that lets you
control the amount of traffic that enters an interface. A firewall filter configured with
a policer permits traffic only up to the specified data rates, which provides protection
from denial-of-service (DoS) attacks. Traffic that exceeds the rate limits specified by
the policer can be discarded. Discard is the only supported policer action.
A policer applies two types of rate limits on traffic:

Bandwidth: the number of bits per second permitted, on average.

Maximum burst size: the maximum size permitted for bursts of data that exceed
the given bandwidth limit.

Policing uses an algorithm to enforce a limit on average bandwidth while allowing
bursts up to a specified maximum value.
After you name and configure a policer, it is stored as a template. You can then use
the policer in a firewall filter configuration.
Each policer that you configure includes an implicit counter that counts the number
of packets that exceed the rate limits that are specified for the policer. To get
filter-specific or term-specific packet counts, you must configure a new policer for
each filter or term that requires policing.
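An added example (not Juniper's implementation) of the two-limit behavior described
above, modeled as a single-rate token bucket: the bucket holds at most the burst size in
bytes, refills at bandwidth/8 bytes per second, and a packet that does not fit is counted
by the policer's implicit counter and reported as exceeding the limits (on EX-series
switches, discarded). That a JUNOS policer behaves exactly like this bucket is an
assumption; the guide describes the algorithm only in general terms. The traffic sample
uses the 1 Mbps and 30,000-byte figures from the example in Chapter 50 and is
constructed for this illustration.

```python
"""Added example, not Juniper's implementation: a single-rate token-bucket
model of a policer with a bandwidth limit and a burst-size limit."""


class Policer:
    """Token bucket. Tokens are bytes: the bucket holds at most
    burst_size_limit_bytes, refills at bandwidth_limit_bps / 8 bytes per
    second, and starts full. Packets must be offered in time order."""

    def __init__(self, name, bandwidth_limit_bps, burst_size_limit_bytes):
        self.name = name
        self.rate_bytes_per_s = bandwidth_limit_bps / 8.0
        self.burst = burst_size_limit_bytes
        self.tokens = float(burst_size_limit_bytes)
        self.last_time = None
        self.exceeded_packets = 0        # the policer's implicit counter

    def offer(self, time_s, length_bytes):
        """True if the packet is within the limits (forwarded); False if it
        exceeds them (discarded, the only policer action on EX-series)."""
        if self.last_time is not None:
            elapsed = time_s - self.last_time
            self.tokens = min(self.burst,
                              self.tokens + elapsed * self.rate_bytes_per_s)
        self.last_time = time_s
        if length_bytes <= self.tokens:
            self.tokens -= length_bytes
            return True
        self.exceeded_packets += 1
        return False


def run_policer(policer, packets):
    """Offer (time_s, length_bytes) pairs in order; return
    (forwarded_count, exceeded_count)."""
    forwarded = sum(1 for t, n in packets if policer.offer(t, n))
    return forwarded, policer.exceeded_packets


def sample_traffic():
    """Constructed stream of 1500-byte packets: a 37,500-byte burst at t=0,
    15,000 bytes at t=0.1 s, and 15,000 bytes at t=1.0 s."""
    return [(0.0, 1500)] * 25 + [(0.1, 1500)] * 10 + [(1.0, 1500)] * 10


def demo():
    """1 Mbps with a 30,000-byte burst, the figures used in Chapter 50.
    The 30,000-byte bucket admits 20 of the 25 burst packets; 0.1 s later
    12,500 bytes have refilled, admitting 8 more; by t=1.0 the bucket is
    full again and all 10 pass: 38 forwarded, 7 exceeded."""
    policer = Policer("limit-1m", bandwidth_limit_bps=1_000_000,
                      burst_size_limit_bytes=30_000)
    return run_policer(policer, sample_traffic())
```

Because the counter belongs to the Policer object, two terms that reference the same
object share one count (and one bucket); a separate Policer per term is what gives the
per-term counts the paragraph above calls for.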
Related Topics

Firewall Filters for EX-series Switches Overview on page 899

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923

Firewall Filter Match Conditions and Actions for EX-series Switches on page 906

Chapter 50

Examples of Configuring Packet Filtering

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series
Switches
This example shows how to configure and apply firewall filters to control traffic that
is entering or exiting a port on the switch, a VLAN on the network, and a Layer 3
interface on the switch. Firewall filters define the rules that determine whether to
forward or deny packets at specific processing points in the packet flow.

Requirements on page 923

Overview on page 924

Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit
TCP and ICMP Traffic on page 927

Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from
Disrupting VoIP Traffic on page 933

Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic
on the Employee VLAN on page 935

Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and
Peer-to-Peer Applications on the Guest VLAN on page 937

Configuring a Router Firewall Filter to Give Priority to Egress Traffic Destined
for the Corporate Subnet on page 939

Verification on page 941

Requirements
This example uses the following software and hardware components:

JUNOS Release 9.0 or later for EX-series switches

Two Juniper Networks EX 3200-48T switches: one to be used as an access switch,
the other to be used as a distribution switch

One Juniper Networks EX-UM-4SFP uplink module

One Juniper Networks J-series router

Before you configure and apply the firewall filters in this example, be sure you have:

An understanding of firewall filter concepts, policers, and CoS

Installed the uplink module in the distribution switch. See Installing an Uplink
Module in an EX-series Switch.

Overview
This configuration example show how to configure and apply firewall filters to provide
rules to evaluate the contents of packets and determine when to discard, forward,
classify, count, and analyze packets that are destined for or originating from the
EX-series switches that handle all voice-vlan, employee-vlan, and guest-vlan traffic.
Table 130 on page 924 shows the firewall filters that are configured for the EX-series
switches in this example.
Table 130: Configuration Components: Firewall Filters

Component: Port firewall filter, ingress-port-voip-class-limit-tcp-icmp
Purpose/Description: This firewall filter performs two functions:
- Assigns priority queueing to packets with a source MAC address that matches the phone MAC addresses. The forwarding class expedited-forwarding provides low loss, low delay, low jitter, assured bandwidth, and end-to-end service for all voice-vlan traffic.
- Performs rate limiting on packets that enter the ports for employee-vlan. The traffic rate for TCP and ICMP packets is limited to 1 Mbps with a burst size up to 30,000 bytes.
This firewall filter is applied to port interfaces on the access switch.

Component: VLAN firewall filter, ingress-vlan-rogue-block
Purpose/Description: Prevents rogue devices from using HTTP sessions to mimic the gatekeeper device that manages call registration, admission, and call status for VoIP calls. Only TCP or UDP ports should be used, and only the gatekeeper uses HTTP. That is, all voice-vlan traffic on TCP ports should be destined for the gatekeeper device. This firewall filter applies to all phones on voice-vlan, including communication between any two phones on the VLAN and all communication between the gatekeeper device and VLAN phones.
This firewall filter is applied to VLAN interfaces on the access switch.

Component: VLAN firewall filter, egress-vlan-watch-employee
Purpose/Description: Accepts employee-vlan traffic destined for the corporate subnet, but does not monitor this traffic. Employee traffic destined for the Web is counted and analyzed.
This firewall filter is applied to VLAN interfaces on the access switch.

Component: VLAN firewall filter, ingress-vlan-limit-guest
Purpose/Description: Prevents guests (non-employees) from talking with employees or employee hosts on employee-vlan. Also prevents guests from using peer-to-peer applications on guest-vlan, but allows guests to access the Web.
This firewall filter is applied to VLAN interfaces on the access switch.

Component: Router firewall filter, egress-router-corp-class
Purpose/Description: Prioritizes employee-vlan traffic, giving highest forwarding-class priority to employee traffic destined for the corporate subnet.
This firewall filter is applied to a routed port (Layer 3 uplink module) on the distribution switch.

Chapter 50: Examples of Configuring Packet Filtering

Figure 50 on page 925 shows the application of port, VLAN, and Layer 3 routed firewall
filters on the switch.
Figure 50: Application of Port, VLAN, and Layer 3 Routed Firewall Filters

Network Topology
The topology for this configuration example consists of one EX-3200-48T switch at
the access layer, and one EX-3200-48T switch at the distribution layer. The distribution
switch's uplink module is configured to support a Layer 3 connection to a J-series
router.
The EX-series switches are configured to support VLAN membership.
Table 131 on page 925 shows the VLAN configuration components for the VLANs.
Table 131: Configuration Components: VLANs

VLAN Name: voice-vlan
VLAN ID: 10
VLAN Subnet and Available IP Addresses: 192.0.2.0/28; 192.0.2.1 through 192.0.2.14 (192.0.2.15 is the subnet's broadcast address)
VLAN Description: Voice VLAN used for employee VoIP traffic

VLAN Name: employee-vlan
VLAN ID: 20
VLAN Subnet and Available IP Addresses: 192.0.2.16/28; 192.0.2.17 through 192.0.2.30 (192.0.2.31 is the subnet's broadcast address)
VLAN Description: VLAN for standalone PCs, PCs connected to the network through the hub in VoIP telephones, wireless access points, and printers. This VLAN completely includes the voice VLAN. Two VLANs (voice-vlan and employee-vlan) must be configured on the ports that connect to the telephones.

VLAN Name: guest-vlan
VLAN ID: 30
VLAN Subnet and Available IP Addresses: 192.0.2.32/28; 192.0.2.33 through 192.0.2.46 (192.0.2.47 is the subnet's broadcast address)
VLAN Description: VLAN for guests' data devices (PCs). The scenario assumes that the corporation has an area open to visitors, either in the lobby or in a conference room, that has a hub to which visitors can plug in their PCs to connect to the Web and to their company's VPN.

VLAN Name: camera-vlan
VLAN ID: 40
VLAN Subnet and Available IP Addresses: 192.0.2.48/28; 192.0.2.49 through 192.0.2.62 (192.0.2.63 is the subnet's broadcast address)
VLAN Description: VLAN for the corporate security cameras.

Ports on the EX-series switches support Power over Ethernet (PoE) to provide both
network connectivity and power for VoIP telephones connecting to the ports.
Table 132 on page 926 shows the switch ports that are assigned to the VLANs and
the IP and MAC addresses for devices connected to the switch ports:
Table 132: Configuration Components: Switch Ports on a 48-Port All-PoE Switch

Switch and Port Number: ge-0/0/0, ge-0/0/1
VLAN Membership: voice-vlan, employee-vlan
IP and MAC Addresses: IP addresses 192.0.2.1 through 192.0.2.2; MAC addresses 00.05.85.00.00.01, 00.05.85.00.00.02
Port Devices: Two VoIP telephones, each connected to one PC.

Switch and Port Number: ge-0/0/2, ge-0/0/3
VLAN Membership: employee-vlan
IP and MAC Addresses: 192.0.2.17 through 192.0.2.18
Port Devices: Printer, wireless access points

Switch and Port Number: ge-0/0/4, ge-0/0/5
VLAN Membership: guest-vlan
IP and MAC Addresses: 192.0.2.34 through 192.0.2.35
Port Devices: Two hubs into which visitors can plug in their PCs. Hubs are located in an area open to visitors, such as a lobby or conference room.

Switch and Port Number: ge-0/0/6, ge-0/0/7
VLAN Membership: camera-vlan
IP and MAC Addresses: 192.0.2.49 through 192.0.2.50
Port Devices: Two security cameras

Switch and Port Number: ge-0/0/9
VLAN Membership: voice-vlan
IP and MAC Addresses: IP address 192.0.2.14; MAC address 00.05.85.00.00.0E
Port Devices: Gatekeeper device. The gatekeeper manages call registration, admission, and call status for VoIP phones.

Switch and Port Number: ge-0/1/0
VLAN Membership: none (routed port)
IP and MAC Addresses: IP address 192.0.2.65
Port Devices: Layer 3 connection to a router; note that this is a port on the switch's uplink module

Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP and ICMP Traffic
To configure and apply firewall filters for port, VLAN, and router interfaces, perform
these tasks:
CLI Quick Configuration

To quickly configure and apply a port firewall filter to prioritize voice traffic and
rate-limit packets that are destined for the employee-vlan subnet, copy the following
commands and paste them into the switch terminal window:
[edit]
set firewall policer tcp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m
set firewall policer tcp-connection-policer then discard
set firewall policer icmp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m
set firewall policer icmp-connection-policer then discard
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from source-mac-address 00.05.85.00.00.01
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from source-mac-address 00.05.85.00.00.02
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from protocol udp
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high then forwarding-class expedited-forwarding
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high then loss-priority low
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term network-control from precedence net-control
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term network-control then forwarding-class network-control
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term network-control then loss-priority low
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection from protocol tcp
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then policer tcp-connection-policer
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then count tcp-counter
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then forwarding-class best-effort
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then loss-priority high
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection from protocol icmp
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then policer icmp-connection-policer
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then count icmp-counter
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then forwarding-class best-effort
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then loss-priority high
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term best-effort then forwarding-class best-effort
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term best-effort then loss-priority high
set interfaces ge-0/0/0 description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port"
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp
set interfaces ge-0/0/1 description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port"
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp
set class-of-service schedulers voice-high buffer-size percent 15
set class-of-service schedulers voice-high priority high
set class-of-service schedulers net-control buffer-size percent 10
set class-of-service schedulers net-control priority high
set class-of-service schedulers best-effort buffer-size percent 75
set class-of-service schedulers best-effort priority low
set class-of-service scheduler-maps ethernet-diffsrv-cos-map forwarding-class expedited-forwarding scheduler voice-high
set class-of-service scheduler-maps ethernet-diffsrv-cos-map forwarding-class network-control scheduler net-control
set class-of-service scheduler-maps ethernet-diffsrv-cos-map forwarding-class best-effort scheduler best-effort
set class-of-service interfaces ge-0/1/0 scheduler-map ethernet-diffsrv-cos-map

Step-by-Step Procedure

To configure and apply a port firewall filter to prioritize voice traffic and rate-limit
packets that are destined for the employee-vlan subnet:
1. Define the policers tcp-connection-policer and icmp-connection-policer:

[edit]
user@switch# set firewall policer tcp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m
user@switch# set firewall policer tcp-connection-policer then discard
user@switch# set firewall policer icmp-connection-policer if-exceeding burst-size-limit 30k bandwidth-limit 1m
user@switch# set firewall policer icmp-connection-policer then discard

2. Define the firewall filter ingress-port-voip-class-limit-tcp-icmp:

[edit firewall]
user@switch# set family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp

3. Define the term voip-high:

[edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp]
user@switch# set term voip-high from source-mac-address 00.05.85.00.00.01
user@switch# set term voip-high from source-mac-address 00.05.85.00.00.02
user@switch# set term voip-high from protocol udp
user@switch# set term voip-high then forwarding-class expedited-forwarding
user@switch# set term voip-high then loss-priority low

4. Define the term network-control:

[edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp]
user@switch# set term network-control from precedence net-control
user@switch# set term network-control then forwarding-class network-control
user@switch# set term network-control then loss-priority low

5. Define the term tcp-connection to configure rate limits for TCP traffic:

[edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp]
user@switch# set term tcp-connection from destination-address 192.0.2.16/28
user@switch# set term tcp-connection from protocol tcp
user@switch# set term tcp-connection then policer tcp-connection-policer
user@switch# set term tcp-connection then count tcp-counter
user@switch# set term tcp-connection then forwarding-class best-effort
user@switch# set term tcp-connection then loss-priority high

6. Define the term icmp-connection to configure rate limits for ICMP traffic:

[edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp]
user@switch# set term icmp-connection from destination-address 192.0.2.16/28
user@switch# set term icmp-connection from protocol icmp
user@switch# set term icmp-connection then policer icmp-connection-policer
user@switch# set term icmp-connection then count icmp-counter
user@switch# set term icmp-connection then forwarding-class best-effort
user@switch# set term icmp-connection then loss-priority high

7. Define the term best-effort with no match conditions for an implicit match on all packets that did not match any other term in the firewall filter:

[edit firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp]
user@switch# set term best-effort then forwarding-class best-effort
user@switch# set term best-effort then loss-priority high

8. Apply the firewall filter ingress-port-voip-class-limit-tcp-icmp as an input filter to the port interfaces for employee-vlan:

[edit interfaces]
user@switch# set ge-0/0/0 description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port"
user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp
user@switch# set ge-0/0/1 description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port"
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp

9. Configure the parameters that are desired for the different schedulers.

NOTE: When you configure parameters for the schedulers, define the numbers to
match your network traffic patterns.

[edit class-of-service]
user@switch# set schedulers voice-high buffer-size percent 15
user@switch# set schedulers voice-high priority high
user@switch# set schedulers net-control buffer-size percent 10
user@switch# set schedulers net-control priority high
user@switch# set schedulers best-effort buffer-size percent 75
user@switch# set schedulers best-effort priority low

10. Assign the forwarding classes to schedulers with a scheduler map:

[edit class-of-service]
user@switch# set scheduler-maps ethernet-diffsrv-cos-map
user@switch# set scheduler-maps ethernet-diffsrv-cos-map forwarding-class expedited-forwarding scheduler voice-high
user@switch# set scheduler-maps ethernet-diffsrv-cos-map forwarding-class network-control scheduler net-control
user@switch# set scheduler-maps ethernet-diffsrv-cos-map forwarding-class best-effort scheduler best-effort

11. Associate the scheduler map with the outgoing interface:

[edit class-of-service]
user@switch# set interfaces ge-0/1/0 scheduler-map ethernet-diffsrv-cos-map

Results

Display the results of the configuration:

user@switch# show
firewall {
    policer tcp-connection-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 30k;
        }
        then {
            discard;
        }
    }
    policer icmp-connection-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 30k;
        }
        then {
            discard;
        }
    }
    family ethernet-switching {
        filter ingress-port-voip-class-limit-tcp-icmp {
            term voip-high {
                from {
                    source-mac-address 00.05.85.00.00.01;
                    source-mac-address 00.05.85.00.00.02;
                    protocol udp;
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                }
            }
            term network-control {
                from {
                    precedence net-control;
                }
                then {
                    forwarding-class network-control;
                    loss-priority low;
                }
            }
            term tcp-connection {
                from {
                    destination-address 192.0.2.16/28;
                    protocol tcp;
                }
                then {
                    policer tcp-connection-policer;
                    count tcp-counter;
                    forwarding-class best-effort;
                    loss-priority high;
                }
            }
            term icmp-connection {
                from {
                    destination-address 192.0.2.16/28;
                    protocol icmp;
                }
                then {
                    policer icmp-connection-policer;
                    count icmp-counter;
                    forwarding-class best-effort;
                    loss-priority high;
                }
            }
            term best-effort {
                then {
                    forwarding-class best-effort;
                    loss-priority high;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port";
        unit 0 {
            family ethernet-switching {
                filter {
                    input ingress-port-voip-class-limit-tcp-icmp;
                }
            }
        }
    }
    ge-0/0/1 {
        description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port";
        unit 0 {
            family ethernet-switching {
                filter {
                    input ingress-port-voip-class-limit-tcp-icmp;
                }
            }
        }
    }
}
class-of-service {
    scheduler-maps {
        ethernet-diffsrv-cos-map {
            forwarding-class expedited-forwarding scheduler voice-high;
            forwarding-class network-control scheduler net-control;
            forwarding-class best-effort scheduler best-effort;
        }
    }
    interfaces {
        ge-0/1/0 {
            scheduler-map ethernet-diffsrv-cos-map;
        }
    }
}
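The policers defined in step 1 are single-rate token buckets: a packet is passed while the bucket holds enough bytes, and the bucket refills at bandwidth-limit up to burst-size-limit. The following Python is an added example (not Juniper's code, and not a model of the EX hardware meter) that plays a constructed burst through the page's `if-exceeding bandwidth-limit 1m burst-size-limit 30k then discard` policer; the names `parse_junos_value`, `Policer` and `run_burst` are chosen here.

```python
# Added example, not Juniper's code: a token-bucket model of the policers
# configured above,
#     if-exceeding bandwidth-limit 1m burst-size-limit 30k then discard
# Packets steered to tcp-connection-policer or icmp-connection-policer by the
# terms tcp-connection and icmp-connection are offered to the bucket; a packet
# that does not fit is discarded before the term's other actions apply.  EX
# hardware meters in its own way, so this models the configured intent, not
# the chip.


def parse_junos_value(text):
    """Expand JUNOS numeric suffixes: '1m' -> 1000000, '30k' -> 30000."""
    mult = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
    text = text.strip().lower()
    if text and text[-1] in mult:
        return int(float(text[:-1]) * mult[text[-1]])
    return int(text)


class Policer:
    """Single-rate token bucket: bandwidth-limit in bits/s, burst in bytes."""

    def __init__(self, name, bandwidth_limit, burst_size_limit):
        self.name = name
        self.rate = parse_junos_value(bandwidth_limit) / 8.0   # bytes per second
        self.burst = parse_junos_value(burst_size_limit)       # bucket depth, bytes
        self.tokens = float(self.burst)                        # bucket starts full
        self.last = 0.0                                        # seconds
        self.passed = 0
        self.discarded = 0

    def offer(self, size, now):
        """Offer a packet of `size` bytes at time `now`; True = conforms."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        if size <= self.tokens:
            self.tokens -= size
            self.passed += 1
            return True
        self.discarded += 1      # the policer's "then discard" action
        return False


def tcp_connection_policer():
    """The page's tcp-connection-policer (icmp-connection-policer is identical)."""
    return Policer("tcp-connection-policer", "1m", "30k")


def run_burst(policer, sizes_and_times):
    """Feed (size, time) pairs through the policer; return per-packet verdicts."""
    return [policer.offer(size, t) for size, t in sizes_and_times]


if __name__ == "__main__":
    # Constructed traffic: 25 full-size frames arriving at once (t=0), which is
    # 37,500 bytes against a 30,000-byte bucket, then one more frame 0.1 s later.
    p = tcp_connection_policer()
    verdicts = run_burst(p, [(1500, 0.0)] * 25 + [(1500, 0.1)])
    print("passed", p.passed, "discarded", p.discarded)   # passed 21 discarded 5
    print("verdicts", verdicts)
```

At 1 Mbps the bucket regains 12,500 bytes in 0.1 s, which is why the late frame passes after five of the burst were discarded.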

Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from Disrupting VoIP Traffic
To configure and apply firewall filters for port, VLAN, and router interfaces, perform
these tasks:
CLI Quick Configuration

To quickly configure a VLAN firewall filter on voice-vlan to prevent rogue devices from
using HTTP sessions to mimic the gatekeeper device that manages VoIP traffic, copy
the following commands and paste them into the switch terminal window:
[edit]
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper from destination-address 192.0.2.14
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper from destination-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper then accept
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper from source-address 192.0.2.14
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper from source-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper then accept
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper from destination-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper then count rogue-counter
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper then discard
set vlans voice-vlan description "block rogue devices on voice-vlan"
set vlans voice-vlan filter input ingress-vlan-rogue-block

Step-by-Step Procedure

To configure and apply a VLAN firewall filter on voice-vlan to prevent rogue devices
from using HTTP to mimic the gatekeeper device that manages VoIP traffic:

1. Define the firewall filter ingress-vlan-rogue-block to specify filter matching on the traffic you want to permit and restrict:

[edit firewall]
user@switch# set family ethernet-switching filter ingress-vlan-rogue-block

2. Define the term to-gatekeeper to accept packets that match the destination IP address of the gatekeeper:

[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]
user@switch# set term to-gatekeeper from destination-address 192.0.2.14
user@switch# set term to-gatekeeper from destination-port 80
user@switch# set term to-gatekeeper then accept

3. Define the term from-gatekeeper to accept packets that match the source IP address of the gatekeeper:

[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]
user@switch# set term from-gatekeeper from source-address 192.0.2.14
user@switch# set term from-gatekeeper from source-port 80
user@switch# set term from-gatekeeper then accept

4. Define the term not-gatekeeper to ensure all voice-vlan traffic on TCP ports is destined for the gatekeeper device:

[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]
user@switch# set term not-gatekeeper from destination-port 80
user@switch# set term not-gatekeeper then count rogue-counter
user@switch# set term not-gatekeeper then discard

5. Apply the firewall filter ingress-vlan-rogue-block as an input filter to the VLAN interface for the VoIP telephones:

[edit]
user@switch# set vlans voice-vlan description "block rogue devices on voice-vlan"
user@switch# set vlans voice-vlan filter input ingress-vlan-rogue-block

Results

Display the results of the configuration:

user@switch# show
firewall {
    family ethernet-switching {
        filter ingress-vlan-rogue-block {
            term to-gatekeeper {
                from {
                    destination-address 192.0.2.14/32;
                    destination-port 80;
                }
                then {
                    accept;
                }
            }
            term from-gatekeeper {
                from {
                    source-address 192.0.2.14/32;
                    source-port 80;
                }
                then {
                    accept;
                }
            }
            term not-gatekeeper {
                from {
                    destination-port 80;
                }
                then {
                    count rogue-counter;
                    discard;
                }
            }
        }
    }
}
vlans {
    voice-vlan {
        description "block rogue devices on voice-vlan";
        filter {
            input ingress-vlan-rogue-block;
        }
    }
}

Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic on the Employee VLAN
To configure and apply firewall filters for port, VLAN, and router interfaces, perform
these tasks:
CLI Quick Configuration

A firewall filter is configured and applied to VLAN interfaces to filter employee-vlan
egress traffic. Employee traffic destined for the corporate subnet is accepted but not
monitored. Employee traffic destined for the Web is counted and analyzed.
To quickly configure and apply a VLAN firewall filter, copy the following commands
and paste them into the switch terminal window:
[edit]
set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-corp from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-corp then accept
set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-web from destination-port 80
set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-web then count employee-web-counter
set firewall family ethernet-switching filter egress-vlan-watch-employee term employee-to-web then analyzer employee-monitor
set vlans employee-vlan description "filter at egress VLAN to count and analyze employee to Web traffic"
set vlans employee-vlan filter output egress-vlan-watch-employee

Step-by-Step Procedure

To configure and apply an egress VLAN firewall filter to count and analyze
employee-vlan traffic that is destined for the Web:

1. Define the firewall filter egress-vlan-watch-employee:

[edit firewall]
user@switch# set family ethernet-switching filter egress-vlan-watch-employee

2. Define the term employee-to-corp to accept but not monitor all employee-vlan traffic destined for the corporate subnet:

[edit firewall family ethernet-switching filter egress-vlan-watch-employee]
user@switch# set term employee-to-corp from destination-address 192.0.2.16/28
user@switch# set term employee-to-corp then accept

3. Define the term employee-to-web to count and monitor all employee-vlan traffic destined for the Web:

[edit firewall family ethernet-switching filter egress-vlan-watch-employee]
user@switch# set term employee-to-web from destination-port 80
user@switch# set term employee-to-web then count employee-web-counter
user@switch# set term employee-to-web then analyzer employee-monitor

NOTE: See Example: Configuring Port Mirroring for Local Monitoring of Employee
Resource Use on EX-series Switches on page 1127 for information about configuring
the employee-monitor analyzer.

4. Apply the firewall filter egress-vlan-watch-employee as an output filter to employee-vlan:

[edit]
user@switch# set vlans employee-vlan description "filter at egress VLAN to count and analyze employee to Web traffic"
user@switch# set vlans employee-vlan filter output egress-vlan-watch-employee

Results

Display the results of the configuration:

user@switch# show
firewall {
    family ethernet-switching {
        filter egress-vlan-watch-employee {
            term employee-to-corp {
                from {
                    destination-address 192.0.2.16/28;
                }
                then {
                    accept;
                }
            }
            term employee-to-web {
                from {
                    destination-port 80;
                }
                then {
                    count employee-web-counter;
                    analyzer employee-monitor;
                }
            }
        }
    }
}
vlans {
    employee-vlan {
        description "filter at egress VLAN to count and analyze employee to Web traffic";
        filter {
            output egress-vlan-watch-employee;
        }
    }
}

Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and Peer-to-Peer Applications on the Guest VLAN
To configure and apply firewall filters for port, VLAN, and router interfaces, perform
these tasks:
CLI Quick Configuration

In the following example, the first filter term permits guests to talk with other guests
but not employees on employee-vlan. The second filter term allows guests Web access
but prevents them from using peer-to-peer applications on guest-vlan.
To quickly configure a VLAN firewall filter to restrict guest-to-employee traffic, blocking
guests from talking with employees or employee hosts on employee-vlan or attempting
to use peer-to-peer applications on guest-vlan, copy the following commands and
paste them into the switch terminal window:
[edit]
set firewall family ethernet-switching filter ingress-vlan-limit-guest term guest-to-guest from destination-address 192.0.2.33/28
set firewall family ethernet-switching filter ingress-vlan-limit-guest term guest-to-guest then accept
set firewall family ethernet-switching filter ingress-vlan-limit-guest term no-guest-employee-no-peer-to-peer from destination-mac-address 00.05.85.00.00.DF
set firewall family ethernet-switching filter ingress-vlan-limit-guest term no-guest-employee-no-peer-to-peer then accept
set vlans guest-vlan description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN"
set vlans guest-vlan filter input ingress-vlan-limit-guest

Step-by-Step Procedure

To configure and apply a VLAN firewall filter to restrict guest-to-employee traffic and
peer-to-peer applications on guest-vlan:

1. Define the firewall filter ingress-vlan-limit-guest:

[edit firewall]
user@switch# set family ethernet-switching filter ingress-vlan-limit-guest

2. Define the term guest-to-guest to permit guests on the guest-vlan to talk with other guests but not employees on the employee-vlan:

[edit firewall family ethernet-switching filter ingress-vlan-limit-guest]
user@switch# set term guest-to-guest from destination-address 192.0.2.33/28
user@switch# set term guest-to-guest then accept

3. Define the term no-guest-employee-no-peer-to-peer to allow guests on guest-vlan Web access but prevent them from using peer-to-peer applications on the guest-vlan.

NOTE: The destination-mac-address is the default gateway, which for any host in a
VLAN is the next-hop router.

[edit firewall family ethernet-switching filter ingress-vlan-limit-guest]
user@switch# set term no-guest-employee-no-peer-to-peer from destination-mac-address 00.05.85.00.00.DF
user@switch# set term no-guest-employee-no-peer-to-peer then accept

4. Apply the firewall filter ingress-vlan-limit-guest as an input filter to the interface for guest-vlan:

[edit]
user@switch# set vlans guest-vlan description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN"
user@switch# set vlans guest-vlan filter input ingress-vlan-limit-guest

Results

Display the results of the configuration:

user@switch# show
firewall {
    family ethernet-switching {
        filter ingress-vlan-limit-guest {
            term guest-to-guest {
                from {
                    destination-address 192.0.2.33/28;
                }
                then {
                    accept;
                }
            }
            term no-guest-employee-no-peer-to-peer {
                from {
                    destination-mac-address 00.05.85.00.00.DF;
                }
                then {
                    accept;
                }
            }
        }
    }
}
vlans {
    guest-vlan {
        description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN";
        filter {
            input ingress-vlan-limit-guest;
        }
    }
}
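Each of the ethernet-switching filters above is evaluated term by term, and a packet that matches no term receives the filter's implicit final action, discard (the reason the port filter earlier in this example ends with the catch-all term best-effort). The following Python is an added simulator (not Juniper's code) of that first-match rule over the page's ingress-vlan-rogue-block and ingress-vlan-limit-guest filters; the packets it feeds through them are constructed, and the peer and host MAC addresses in them are placeholders.

```python
import ipaddress
from collections import Counter

# Added example, not Juniper's code: a first-match simulator for the
# ethernet-switching filters in this chapter, for checking what a filter does
# to a given packet before it is committed on a switch.  JUNOS semantics
# modelled here:
#   * terms are tried in order; the first term whose "from" conditions all
#     match decides the packet, and later terms are not consulted;
#   * a term with no "from" clause matches every packet (the catch-all term
#     best-effort in ingress-port-voip-class-limit-tcp-icmp works this way);
#   * a term whose "then" names no accept/discard accepts the packet;
#   * a packet that matches no term gets the implicit final action, discard.
# A term is (name, from-conditions, then-actions).  A list value in a
# condition means "any of", like repeating destination-address in the CLI.

INGRESS_VLAN_ROGUE_BLOCK = [
    ("to-gatekeeper", {"dst_addr": "192.0.2.14/32", "dst_port": 80}, {"accept": True}),
    ("from-gatekeeper", {"src_addr": "192.0.2.14/32", "src_port": 80}, {"accept": True}),
    ("not-gatekeeper", {"dst_port": 80}, {"count": "rogue-counter", "discard": True}),
]

INGRESS_VLAN_LIMIT_GUEST = [
    ("guest-to-guest", {"dst_addr": "192.0.2.33/28"}, {"accept": True}),
    ("no-guest-employee-no-peer-to-peer",
     {"dst_mac": "00.05.85.00.00.DF"}, {"accept": True}),   # page's gateway MAC
]

counters = Counter()   # one entry per "then count <name>" action that fires


def _in_prefix(addr, prefix):
    # strict=False accepts 192.0.2.33/28 (host bits set, as written on the page)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def _condition_matches(key, wanted, packet):
    have = packet.get(key)
    if have is None:
        return False
    options = wanted if isinstance(wanted, list) else [wanted]
    if key in ("src_addr", "dst_addr"):
        return any(_in_prefix(have, p) for p in options)
    if key in ("src_mac", "dst_mac"):
        return have.upper() in [o.upper() for o in options]
    return have in options


def evaluate(terms, packet):
    """Return (verdict, term_name); term_name is '<implicit>' for the default discard."""
    for name, conditions, actions in terms:
        if all(_condition_matches(k, v, packet) for k, v in conditions.items()):
            if "count" in actions:
                counters[actions["count"]] += 1
            return ("discard" if actions.get("discard") else "accept"), name
    return "discard", "<implicit>"


if __name__ == "__main__":
    # Constructed packets on voice-vlan (phones on ge-0/0/0, ge-0/0/1; gatekeeper on ge-0/0/9)
    phone_to_gatekeeper = {"src_addr": "192.0.2.1", "dst_addr": "192.0.2.14",
                           "protocol": "tcp", "dst_port": 80}
    phone_http_to_phone = {"src_addr": "192.0.2.1", "dst_addr": "192.0.2.2",
                           "protocol": "tcp", "dst_port": 80}
    phone_rtp_to_phone = {"src_addr": "192.0.2.1", "dst_addr": "192.0.2.2",
                          "protocol": "udp", "dst_port": 16384}
    for pkt in (phone_to_gatekeeper, phone_http_to_phone, phone_rtp_to_phone):
        print("ingress-vlan-rogue-block:", evaluate(INGRESS_VLAN_ROGUE_BLOCK, pkt))
    print("counters:", dict(counters))

    # Constructed packets on guest-vlan (hubs on ge-0/0/4, ge-0/0/5)
    guest_to_guest = {"src_addr": "192.0.2.34", "dst_addr": "192.0.2.35",
                      "dst_mac": "00.05.85.00.00.22"}     # placeholder peer MAC
    guest_to_web = {"src_addr": "192.0.2.34", "dst_addr": "198.51.100.7",
                    "dst_mac": "00.05.85.00.00.DF"}       # sent via the default gateway
    guest_to_employee = {"src_addr": "192.0.2.34", "dst_addr": "192.0.2.17",
                         "dst_mac": "00.05.85.00.00.21"}  # placeholder host MAC, not the gateway
    for pkt in (guest_to_guest, guest_to_web, guest_to_employee):
        print("ingress-vlan-limit-guest:", evaluate(INGRESS_VLAN_LIMIT_GUEST, pkt))
```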

Configuring a Router Firewall Filter to Give Priority to Egress Traffic Destined for the Corporate Subnet
To configure and apply firewall filters for port, VLAN, and router interfaces, perform
these tasks:
CLI Quick Configuration

To quickly configure a firewall filter for a routed port (Layer 3 uplink module) to filter
employee-vlan traffic, giving highest forwarding-class priority to traffic destined for
the corporate subnet, copy the following commands and paste them into the switch
terminal window:
[edit]
set firewall family inet filter egress-router-corp-class term corp-expedite from destination-address 192.0.2.16/28
set firewall family inet filter egress-router-corp-class term corp-expedite then forwarding-class expedited-forwarding
set firewall family inet filter egress-router-corp-class term corp-expedite then loss-priority low
set firewall family inet filter egress-router-corp-class term not-to-corp then accept
set interfaces ge-0/1/0 description "filter at egress router to expedite employee traffic destined for corporate network"
set interfaces ge-0/1/0 unit 0 family inet source-address 103.104.105.1
set interfaces ge-0/1/0 unit 0 family inet filter output egress-router-corp-class

Step-by-Step Procedure

To configure and apply a firewall filter to a routed port (Layer 3 uplink module) to
give highest priority to employee-vlan traffic destined for the corporate subnet:

1. Define the firewall filter egress-router-corp-class:

[edit]
user@switch# set firewall family inet filter egress-router-corp-class

2. Define the term corp-expedite:

[edit firewall]
user@switch# set family inet filter egress-router-corp-class term corp-expedite from destination-address 192.0.2.16/28
user@switch# set family inet filter egress-router-corp-class term corp-expedite then forwarding-class expedited-forwarding
user@switch# set family inet filter egress-router-corp-class term corp-expedite then loss-priority low

3. Define the term not-to-corp:

[edit firewall]
user@switch# set family inet filter egress-router-corp-class term not-to-corp then accept

4. Apply the firewall filter egress-router-corp-class as an output filter for the port on the switch's uplink module, which provides a Layer 3 connection to a router:

[edit interfaces]
user@switch# set ge-0/1/0 description "filter at egress router to expedite employee traffic destined for corporate network"
user@switch# set ge-0/1/0 unit 0 family inet source-address 103.104.105.1
user@switch# set ge-0/1/0 unit 0 family inet filter output egress-router-corp-class

Results

Display the results of the configuration:


user@switch# show
firewall {
family inet {
filter egress-router-corp-class {
term corp-expedite {
from {
destination-address 192.0.2.16/28;
}
then {
forwarding-class expedited-forwarding;
loss-priority low;
}
}
term not-to-corp {
then {
accept;
}
}
}
}
}
interfaces {
ge-0/1/0 {
unit 0 {
description "filter at egress router interface to expedite employee traffic
destined for corporate network";
family inet {

source-address 103.104.105.1
filter {
output egress-router-corp-class;
}
}
}
}
}

Verification
To confirm that the firewall filters are working properly, perform the following tasks:

Verifying that Firewall Filters and Policers are Operational on page 941

Verifying that Schedulers and Scheduler-Maps are Operational on page 941

Verifying that Firewall Filters and Policers are Operational


Purpose
Verify the operational state of the firewall filters and policers that are configured on the switch.

Action
Use the operational mode command (see show firewall on page 1160):
user@switch> show firewall
Filter: ingress-port-voip-class-limit-tcp-icmp
Counters:
Name                                    Packets
icmp-counter                                  0
tcp-counter                                   0
Policers:
Name                                    Packets
icmp-connection-policer                       0
tcp-connection-policer                        0

Filter: ingress-vlan-rogue-block
Filter: egress-vlan-watch-employee
Counters:
Name                                    Packets
employee-webcounter                           0

Meaning
The show firewall command displays the names of the firewall filters, policers, and counters that are configured on the switch. The output fields show byte and packet counts for all configured counters and the packet count for all policers.
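The show firewall output above is what an operator reads by eye; in a monitoring job it is worth parsing so that two conditions stand out: a policer whose packet count has moved off zero (traffic over its rate limit was discarded) and a filter that carries no counter at all (this guide recommends a counter per term). The following parser is an added Python example, not JUNOS or Juniper code; the sample output is constructed in the same layout as the page's output, with non-zero values, and the function names are this example's own.

```python
"""Parse 'show firewall' output from an EX-series switch and report on it.

Added example (not JUNOS code). The layout handled is the one shown in this
guide: 'Filter: <name>' blocks, optional 'Counters:' and 'Policers:' sections,
a 'Name ... Packets' header line, and one row per counter or policer.
"""
import re

# Constructed sample in the page's layout; the numbers are made up for the demo.
SAMPLE_OUTPUT = """\
Filter: ingress-port-voip-class-limit-tcp-icmp
Counters:
Name                                 Bytes    Packets
icmp-counter                        120400       1204
tcp-counter                         986000       2315
Policers:
Name                                        Packets
icmp-connection-policer                          37
tcp-connection-policer                            0
Filter: ingress-vlan-rogue-block
Filter: egress-vlan-watch-employee
Counters:
Name                                 Bytes    Packets
employee-webcounter                  51200        640
"""

# name, first number, optional second number (counters: Bytes Packets; policers: Packets)
ROW_RE = re.compile(r"^(\S+)\s+(\d+)(?:\s+(\d+))?\s*$")


def parse_show_firewall(text):
    """Return {filter: {"counters": {name: {"bytes", "packets"}}, "policers": {name: packets}}}."""
    filters, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Filter:"):
            current = line.split(":", 1)[1].strip()
            filters[current] = {"counters": {}, "policers": {}}
            section = None
        elif line in ("Counters:", "Policers:"):
            section = line[:-1].lower()
        elif line.split()[0] == "Name":
            continue                                  # column header line
        elif current and section:
            m = ROW_RE.match(line)
            if not m:
                raise ValueError(f"unexpected line in {section} of {current}: {raw!r}")
            name, first, second = m.group(1), int(m.group(2)), m.group(3)
            if section == "counters":
                # Counters normally show Bytes then Packets; a Packets-only
                # layout (as in the first output on this page) is tolerated.
                filters[current]["counters"][name] = (
                    {"bytes": first, "packets": int(second)} if second is not None
                    else {"bytes": None, "packets": first})
            else:
                filters[current]["policers"][name] = first
    return filters


def policers_with_drops(filters):
    """(filter, policer, packets) for every policer whose exceed count is above zero."""
    return [(f, p, n) for f, d in filters.items()
            for p, n in d["policers"].items() if n > 0]


def filters_without_counters(filters):
    """Filters with no counter at all, contrary to the one-counter-per-term recommendation."""
    return sorted(f for f, d in filters.items() if not d["counters"])


if __name__ == "__main__":
    parsed = parse_show_firewall(SAMPLE_OUTPUT)
    for flt, pol, pkts in policers_with_drops(parsed):
        print(f"{flt}: policer {pol} discarded {pkts} packets over its rate limit")
    for flt in filters_without_counters(parsed):
        print(f"{flt}: no counters configured")
```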

Verifying that Schedulers and Scheduler-Maps are Operational


Purpose
Verify that schedulers and scheduler-maps are operational on the switch.

Action
Use the operational mode command (see show class-of-service on page 1080):
user@switch> show class-of-service scheduler-map
Scheduler map: default, Index: 2

  Scheduler: default-be, Forwarding class: best-effort, Index: 20
    Transmit rate: 95 percent, Rate Limit: none, Buffer size: 95 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol   Index   Name
      Low             non-TCP        1   default-drop-profile
      Low             TCP            1   default-drop-profile
      High            non-TCP        1   default-drop-profile
      High            TCP            1   default-drop-profile

  Scheduler: default-nc, Forwarding class: network-control, Index: 22
    Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol   Index   Name
      Low             non-TCP        1   default-drop-profile
      Low             TCP            1   default-drop-profile
      High            non-TCP        1   default-drop-profile
      High            TCP            1   default-drop-profile

Scheduler map: ethernet-diffsrv-cos-map, Index: 21657

  Scheduler: best-effort, Forwarding class: best-effort, Index: 61257
    Transmit rate: remainder, Rate Limit: none, Buffer size: 75 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol   Index   Name
      Low             non-TCP        1   <default-drop-profile>
      Low             TCP            1   <default-drop-profile>
      High            non-TCP        1   <default-drop-profile>
      High            TCP            1   <default-drop-profile>

  Scheduler: voice-high, Forwarding class: expedited-forwarding, Index: 3123
    Transmit rate: remainder, Rate Limit: none, Buffer size: 15 percent,
    Priority: high
    Drop profiles:
      Loss priority   Protocol   Index   Name
      Low             non-TCP        1   <default-drop-profile>
      Low             TCP            1   <default-drop-profile>
      High            non-TCP        1   <default-drop-profile>
      High            TCP            1   <default-drop-profile>

  Scheduler: net-control, Forwarding class: network-control, Index: 2451
    Transmit rate: remainder, Rate Limit: none, Buffer size: 10 percent,
    Priority: high
    Drop profiles:
      Loss priority   Protocol   Index   Name
      Low             non-TCP        1   <default-drop-profile>
      Low             TCP            1   <default-drop-profile>
      High            non-TCP        1   <default-drop-profile>
      High            TCP            1   <default-drop-profile>

Meaning
Displays statistics about the configured schedulers and scheduler-maps.

Related Topics

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1133

Example: Configuring CoS on EX-series Switches on page 1011

Configuring Firewall Filters (CLI Procedure) on page 945

Configuring Firewall Filters (J-Web Procedure) on page 950

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 954

Firewall Filter Match Conditions and Actions for EX-series Switches on page 906

[edit firewall] Configuration Statement Hierarchy on page 29

Chapter 51

Configuring Packet Filtering

Configuring Firewall Filters (CLI Procedure) on page 945

Configuring Firewall Filters (J-Web Procedure) on page 950

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 954

Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure) on page 957

Configuring Firewall Filters (CLI Procedure)


You configure firewall filters on EX-series switches to control traffic that enters ports
on the switch or enters and exits VLANs on the network and Layer 3 (routed)
interfaces. To configure a firewall filter you must configure the filter and then apply
it to a port, VLAN, or Layer 3 interface.

Configuring a Firewall Filter on page 945

Applying a Firewall Filter to a Port on a Switch on page 948

Applying a Firewall Filter to a VLAN on a Network on page 949

Applying a Firewall Filter to a Layer 3 (Routed) Interface on page 949

Configuring a Firewall Filter


To configure a firewall filter:

Configuring Firewall Filters (CLI Procedure)

945

Complete Software Guide for JUNOS for EX-series Software, Release 9.2

1. Configure the family address type for a firewall filter:

For a firewall filter that is applied to a port or VLAN, specify the family address type ethernet-switching (or bridge) to filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets, for example:
[edit firewall]
user@switch# set family ethernet-switching

For a firewall filter that is applied to a Layer 3 (routed) interface, specify the family address type inet to filter IPv4 packets, for example:
[edit firewall]
user@switch# set family inet

2. Specify the filter name:
[edit firewall family ethernet-switching]
user@switch# set filter ingress-port-filter

The filter name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. Each filter name must be unique.

3. Specify a term name:
[edit firewall family ethernet-switching filter ingress-port-filter]
user@switch# set term term-one

The term name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long.
A firewall filter can contain one or more terms. Each term name must be unique within a filter.

NOTE: For EX-series switches, the number of terms allowed per firewall filter cannot exceed 2048. If you attempt to configure a firewall filter that exceeds this limit, the switch returns the following message after the commit operation:
Number of filter terms 2048 exceeded: Only 2048 terms can be defined.

4. In each firewall filter term, specify the match conditions to use to match components of a packet.
To specify match conditions to match on packets that contain a specific source-address and source-port, for example:
[edit firewall family ethernet-switching filter ingress-port-filter term term-one]
user@switch# set from source-address 192.0.2.14
user@switch# set from source-port 80

You can specify one or more match conditions in a single from statement. For a match to occur, the packet must match all the conditions in the term.
The from statement is optional, but if included in a term, the from statement cannot be empty. If you omit the from statement, all packets are considered to match.

5. In each firewall filter term, specify the actions to take if the packet matches all the conditions in that term.
You can specify an action and/or action modifiers:

To specify a filter action, for example, to discard packets that match the conditions of the filter term:
[edit firewall family ethernet-switching filter ingress-port-filter term term-one]
user@switch# set then discard

You can specify no more than one action (accept or discard) per filter term.

To specify action modifiers, for example, to count and classify packets in a forwarding class:
[edit firewall family ethernet-switching filter ingress-port-filter term term-one]
user@switch# set then count counter-one
user@switch# set then forwarding-class expedited-forwarding

You can specify any of the following action modifiers in a then statement:

analyzer analyzer-name: Mirror port traffic to a specified destination port or VLAN that is connected to a protocol analyzer application. An analyzer must be configured under the ethernet-switching family address type. For information, see Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1139.

count counter-name: Count the number of packets that pass this filter term.

NOTE: We recommend that you configure a counter for each term in a firewall filter, so that you can monitor the number of packets that match the conditions specified in each filter term.

forwarding-class class: Classify packets in a forwarding class.

loss-priority priority: Set the priority of dropping a packet.

policer policer-name: Apply rate-limiting to the traffic.

If you omit the then statement or do not specify an action, packets that match all the conditions in the from statement are accepted. However, you should always explicitly configure an action and/or action modifier in the then statement. You can include no more than one action statement, but any combination of action modifiers. For an action or action modifier to take effect, all conditions in the from statement must match.

NOTE: Implicit discard is also applicable to a firewall filter applied to the loopback interface, lo0.
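The constraints stated in this procedure (name character set and length, unique term names, the 2048-term limit, a from statement that may be omitted but not left empty, at most one action per term, the five action modifiers, and the recommended counter) can all be checked before a commit is attempted. The following validator is an added Python example, not JUNOS or Juniper code: validate_filter, to_set_commands and the dict layout of a term are this example's own, and the second sample term is deliberately constructed to break three rules.

```python
"""Static checks for an EX-series firewall filter definition (added example).

A filter is described as a list of term dicts:
    {"name": str, "from": {match: value, ...} or absent, "then": {keyword: value}}
where an action keyword (accept/discard) carries the value True.
"""
import re

NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")   # letters, numbers, hyphens; up to 64 chars
MAX_TERMS = 2048                               # per-filter term limit stated in the note
ACTIONS = {"accept", "discard"}                 # at most one of these per term
MODIFIERS = {"analyzer", "count", "forwarding-class", "loss-priority", "policer"}
FAMILIES = {"ethernet-switching", "bridge", "inet"}


def validate_filter(family, name, terms):
    """Return (errors, warnings) for one filter; errors mirror what a commit would reject."""
    errors, warnings = [], []
    if family not in FAMILIES:
        errors.append(f"unknown family {family!r}")
    if not NAME_RE.match(name):
        errors.append(f"filter name {name!r} must be 1-64 letters, numbers or hyphens")
    if len(terms) > MAX_TERMS:
        errors.append(f"Number of filter terms {MAX_TERMS} exceeded: "
                      f"Only {MAX_TERMS} terms can be defined.")
    seen = set()
    for term in terms:
        tname = term.get("name", "")
        if not NAME_RE.match(tname):
            errors.append(f"term name {tname!r} must be 1-64 letters, numbers or hyphens")
        if tname in seen:
            errors.append(f"term name {tname!r} is not unique within filter {name!r}")
        seen.add(tname)
        # 'from' is optional, but when present it must carry at least one match condition
        if "from" in term and not term["from"]:
            errors.append(f"term {tname!r}: 'from' statement cannot be empty")
        then = term.get("then") or {}
        actions = [k for k in then if k in ACTIONS]
        if len(actions) > 1:
            errors.append(f"term {tname!r}: only one action allowed, got {sorted(actions)}")
        unknown = [k for k in then if k not in ACTIONS | MODIFIERS]
        if unknown:
            errors.append(f"term {tname!r}: unknown then keyword(s) {unknown}")
        if "count" not in then:
            warnings.append(f"term {tname!r}: no counter configured (recommended)")
        if not then:
            warnings.append(f"term {tname!r}: no 'then' statement; matching packets are accepted")
    return errors, warnings


def to_set_commands(family, name, terms):
    """Render a filter as the 'set firewall ...' lines used in this procedure."""
    base = f"set firewall family {family} filter {name}"
    lines = []
    for term in terms:
        t = f"{base} term {term['name']}"
        for match, value in (term.get("from") or {}).items():
            lines.append(f"{t} from {match} {value}")
        for key, value in (term.get("then") or {}).items():
            lines.append(f"{t} then {key}" if value is True else f"{t} then {key} {value}")
    return lines


# Constructed sample: term-one from the procedure, plus a deliberately bad second term.
SAMPLE_TERMS = [
    {"name": "term-one",
     "from": {"source-address": "192.0.2.14", "source-port": "80"},
     "then": {"count": "counter-one", "forwarding-class": "expedited-forwarding"}},
    {"name": "term_two",                               # underscore is not allowed
     "from": {},                                       # empty 'from' is rejected
     "then": {"accept": True, "discard": True}},       # two actions in one term
]

if __name__ == "__main__":
    errs, warns = validate_filter("ethernet-switching", "ingress-port-filter", SAMPLE_TERMS)
    print("\n".join(errs + warns))
    print("\n".join(to_set_commands("ethernet-switching", "ingress-port-filter", SAMPLE_TERMS[:1])))
```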

Applying a Firewall Filter to a Port on a Switch


To apply a firewall filter to an ingress port on a switch:
1. Specify the interface name and provide a meaningful description of the firewall filter and the interface to which the filter is applied:
[edit interfaces]
user@switch# set ge-0/0/1 description "filter to limit tcp traffic filter at trunk port for employee-vlan and voice-vlan"

2. Specify the unit number and family address type for the interface:
[edit interfaces]
user@switch# set ge-0/0/1 unit 0 family ethernet-switching

For firewall filters that are applied to ports, the family address type must be ethernet-switching (or bridge).

3. To apply a firewall filter to filter packets that are entering a port:
[edit interfaces]
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-filter

You cannot apply a firewall filter to filter packets that are exiting ports.

NOTE: You can apply no more than one firewall filter per ingress port.


Applying a Firewall Filter to a VLAN on a Network


To apply a firewall filter to a VLAN:
1. Specify the VLAN name and VLAN ID and provide a meaningful description of the firewall filter and the VLAN to which the filter is applied:
[edit vlans]
user@switch# set employee-vlan vlan 20 vlan-description "filter to rate limit traffic on employee-vlan"

2. Apply firewall filters to filter packets that are entering or exiting a VLAN:

To apply a firewall filter to filter packets that are entering the VLAN:
[edit vlans]
user@switch# set employee-vlan vlan 20 filter input ingress-vlan-filter

To apply a firewall filter to filter packets that are exiting the VLAN:
[edit vlans]
user@switch# set employee-vlan vlan 20 filter output egress-vlan-filter

NOTE: You can apply no more than one firewall filter per VLAN, per direction.

Applying a Firewall Filter to a Layer 3 (Routed) Interface


To apply a firewall filter to a Layer 3 routed interface on a switch:
1. Specify the interface name and provide a meaningful description of the firewall filter and the interface to which the filter is applied:
[edit interfaces]
user@switch# set ge-0/1/0 description "filter to count and monitor employeevlan traffic on layer 3 interface"

2. Specify the unit number, family address type, and address for the interface:
[edit interfaces]
user@switch# set ge-0/1/0 unit 0 family inet source-address 10.10.10.1/24

For firewall filters applied to Layer 3 routed interfaces, the family address type must be inet.

3. You can apply firewall filters to filter packets that are entering or exiting a Layer 3 routed interface:

To apply a firewall filter to filter packets that are entering a Layer 3 interface:
[edit interfaces]
user@switch# set ge-0/1/0 unit 0 family inet source-address 10.10.10.1/24 filter input ingress-router-filter

To apply a firewall filter to filter packets that are exiting a Layer 3 interface, include the filter output statement, for example:
[edit interfaces]
user@switch# set ge-0/1/0 unit 0 family inet source-address 10.10.10.1/24 filter output egress-router-filter

NOTE: You can apply no more than one firewall filter per Layer 3 interface, per direction.

NOTE: Ingress firewall filters applied to the loopback interface, lo0, affect all inbound traffic destined for the CPU.

Related Topics

Configuring Firewall Filters (J-Web Procedure) on page 950

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923

Verifying That Firewall Filters Are Operational on page 959

Monitoring Firewall Filter Traffic on page 960

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 954

Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure) on page 957

Firewall Filter Match Conditions and Actions for EX-series Switches on page 906

Firewall Filters for EX-series Switches Overview on page 899

Configuring Firewall Filters (J-Web Procedure)


To configure firewall filter settings using the J-Web interface:
1. Select Configure > Security > Filters.

The Firewall Filter Configuration screen displays a list of all configured VLAN or router filters and the ports or VLANs associated with a particular filter.

2. Click one:

Add: Select this option to create a new filter. Enter information as specified in Table 133 on page 951.

Edit: Select this option to edit an existing filter's settings. Enter information as specified in Table 133 on page 951.

Delete: Select this option to delete a filter.

Term Up: Select this option to move a term up in the filter term list.

Term Down: Select this option to move a term down in the filter term list.

Table 133: Create a New Filter

Filter tab

Field: Filter type
Function: Specifies the filter type: Port/VLAN firewall filter or Router firewall filter.
Your Action: Select the filter type.

Field: Filter name
Function: Specifies the name for the filter.
Your Action: Enter a name.

Field: Select terms to be part of the filter
Function: Specifies the terms to be associated with the filter. Add new terms or edit existing terms.
Your Action: Click Add to add new terms. Enter information as specified in Table 134 on page 951.

Association tab

Field: Port Associations
Function: Specifies the ports with which the filter is associated.
NOTE: For a Port/VLAN filter type only Ingress direction is supported for port association.
Your Action:
1. Click Add.
2. Select the direction: Ingress or Egress.
3. Select the ports.
4. Click OK.

Field: VLAN Associations
Function: Specifies the VLANs with which the filter is associated.
NOTE: Because Router firewall filters can be associated with ports only, this section is not displayed for a Router firewall filter.
Your Action:
1. Click Add.
2. Select the direction: Ingress or Egress.
3. Select the VLANs.
4. Click OK.

Table 134: Create a New Term

Field: Term Name
Function: Specifies the name of the term.
Your Action: Enter a name.

Field: Protocols
Function: Specifies the protocols to be associated with the term.
Your Action:
1. Click Add.
2. Select the protocols.
3. Click OK.

Field: Source/Destination
Function: Specifies the IP address, MAC address, and available ports.
NOTE: MAC address is specified only for Port/VLAN filters.
Your Action: Click Edit to enter the IP address and select the ports for the source and destination.

Field: Action
Function: Specifies the packet actions for the term.
Your Action: Select one: Accept, Discard.

Field: More
Function: Specifies advanced configuration options for the filter.
Your Action: Select the Match conditions as specified in Table 135 on page 952. Select the packet actions for the term as specified in Table 135 on page 952.

Table 135: Term-Advanced Options

Field: ICMP Type
Function: Specifies the ICMP packet type field. Typically, you specify this match in conjunction with the protocol match to determine which protocol is being used on the port.
Your Action: Select the option from the list.

Field: ICMP Code
Function: Specifies more specific information than icmp-type. Because the value's meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. The keywords are grouped by the ICMP type with which they are associated.
Your Action: Select one: Parameter-problem, Redirect, Time-exceeded, Unreachable.

Field: Fragment Flags
Function: Specifies the IP fragmentation flags.
NOTE: Fragment flags is supported on ingress ports, VLANs, and router interfaces.
Your Action: Select either the option is-fragment or enter a combination of fragment flags.

Field: TCP Flags
Function: Specifies one or more TCP flags.
NOTE: TCP flags is supported on ingress ports, VLANs, and router interfaces.
Your Action: Select either the option tcp-initial or enter a combination of TCP flags.

Field: IP Precedence
Function: Specifies IP precedence. The options are: assured forwarding, best-effort, expedited-forwarding, network-control.
NOTE: IP precedence and DSCP number cannot be specified together for the same term.
Your Action: Select the option from the list.

Field: Interface
Function: Specifies the interface association.
Your Action: Select the interface from the list.

Field: Ether Type
Function: Specifies the ethernet type field of a packet.
NOTE: This option is not applicable for a Routing filter.
Your Action: Select one: Arp, Dot 1q.

Field: dot1q-tag
Function: Specifies the tag field in the Ethernet header. Values can be from 1 through 4095.
NOTE: This option is not applicable for a Routing filter.
Your Action: Enter the required number.

Field: Dot 1q User Priority
Function: Specifies the user-priority field of the tagged Ethernet packet. User-priority values can be 0 through 7. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
background (1): Background
best-effort (0): Best effort
controlled-load (4): Controlled load
excellent-load (3): Excellent load
network-control (7): Network control reserved traffic
standard (2): Standard or Spare
video (5): Video
voice (6): Voice
NOTE: This option is not applicable for a Routing filter.
Your Action: Enter a number or the corresponding text synonym.

Field: DSCP Number
Function: Specifies the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP.
Your Action: Select the DSCP number from the list.

Field: Select VLAN
Function: Specifies the VLAN to be associated.
NOTE: This option is not applicable for a Routing filter.
Your Action: Select the VLAN from the list.

Field: TTL Value
Function: Specifies the time-to-live value.
NOTE: This option is applicable for a Routing filter.
Your Action: Enter a value.

Field: Packet Length
Function: Specifies the length of the packet.
NOTE: This option is applicable for a Routing filter.
Your Action: Enter a value.

Action

Field: Counter Name
Function: Specifies the count of the number of packets that pass this filter, term, or policer.
Your Action: Enter a value.

Field: Forwarding Class
Function: Classifies the packet into one of the following forwarding classes: assured-forwarding, best-effort, expedited-forwarding, network-control, user-defined.
Your Action: Select the option from the list.

Field: Loss Priority
Function: Specifies the Packet Loss Priority.
NOTE: Forwarding Class and Loss Priority should be specified together for the same term.
Your Action: Enter the value.

Field: Analyzer
Function: Specifies whether to perform port-mirroring on packets. Port-mirroring copies all packets seen on one switch port to a network monitoring connection on another switch port.
Your Action: Select the analyzer from the list.

Related Topics

Configuring Firewall Filters (CLI Procedure) on page 945

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923

Verifying That Firewall Filters Are Operational on page 959

Firewall Filters for EX-series Switches Overview on page 899

Configuring Policers to Control Traffic Rates (CLI Procedure)


You can configure policers to rate limit traffic on EX-series switches. After you
configure a policer, you can include it in an ingress firewall filter configuration.
When you configure a firewall filter, you can specify a policer action for any term or
terms within the filter. All traffic that matches a term that contains a policer action
goes through the policer that the term references. Each policer that you configure
includes an implicit counter. To get term-specific packet counts, you must configure
a new policer for each filter term that requires policing.
The following policer limits apply on the switch:

A maximum of 512 policers can be configured for port firewall filters.

A maximum of 512 policers can be configured for VLAN and Layer 3 firewall
filters.

If the policer configuration exceeds these limits, the switch returns the following
message after the commit operation:
Cannot assign policers: Max policer limit reached

1. Configuring Policers on page 955
2. Specifying Policers in a Firewall Filter Configuration on page 956
3. Applying a Firewall Filter That Is Configured with a Policer on page 956

Configuring Policers
To configure a policer:
1. Specify the name of the policer:
[edit firewall]
user@switch# set policer policer-one

The policer name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long.

2. Configure rate limiting for the policer:

a. Specify the bandwidth limit in bits per second (bps) to control the traffic rate on an interface:
[edit firewall policer policer-one]
user@switch# set if-exceeding bandwidth-limit 300k

The range for the bandwidth limit is 1k through 102.3g bps.

b. Specify the maximum allowed burst size to control the amount of traffic bursting:
[edit firewall policer policer-one]
user@switch# set if-exceeding burst-size-limit 500k

To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur:
burst size = bandwidth * allowable time for burst traffic
The range for the burst-size limit is 1 through 2,147,450,880 bytes.

3. Specify the policer action discard to discard packets that exceed the rate limits:
[edit firewall policer]
user@switch# set policer-one then discard

Discard is the only supported policer action.
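The sizing rules in this procedure (the k/m/g suffixes, the 1k through 102.3g bps bandwidth range, the 1 through 2,147,450,880 byte burst range, burst size = bandwidth * allowable burst time, discard as the only action, and the 512-policer limit stated above) as an added Python helper; this is example code, not JUNOS or Juniper code, and its function names are this example's own. It assumes, as stated, that bandwidth-limit is in bits per second and burst-size-limit in bytes, so the product of bits per second and seconds is divided by 8.

```python
"""Policer sizing helper for EX-series firewall policers (added example, not JUNOS code)."""
from fractions import Fraction

SUFFIX = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
BW_MIN, BW_MAX = 1_000, 102_300_000_000        # bandwidth-limit range, bits per second
BURST_MIN, BURST_MAX = 1, 2_147_450_880        # burst-size-limit range, bytes
MAX_POLICERS = 512                             # per filter type (port; VLAN and Layer 3)


def parse_rate(text):
    """'300k' -> 300000, '102.3g' -> 102300000000; exact decimal arithmetic, no float rounding."""
    text = text.strip().lower()
    unit = text[-1] if text and text[-1] in "kmg" else ""
    number = text[:-1] if unit else text
    value = Fraction(number) * SUFFIX[unit]
    if value.denominator != 1:
        raise ValueError(f"{text!r} is not a whole number of units")
    return int(value)


def bandwidth_in_range(bps):
    return BW_MIN <= bps <= BW_MAX


def burst_in_range(nbytes):
    return BURST_MIN <= nbytes <= BURST_MAX


def burst_size_bytes(interface_bps, burst_seconds):
    """burst size = bandwidth * allowable time for burst traffic.

    The interface bandwidth is in bits per second and the burst-size-limit is in
    bytes, so the bit count is converted to bytes (assumption stated in the lead-in).
    """
    return round(interface_bps * burst_seconds / 8)


def policer_commands(name, bandwidth_limit, interface_bps, burst_seconds):
    """Return the three 'set firewall policer' lines for a validated policer."""
    bw = parse_rate(bandwidth_limit)
    if not bandwidth_in_range(bw):
        raise ValueError(f"bandwidth-limit {bandwidth_limit} is outside 1k through 102.3g bps")
    burst = burst_size_bytes(interface_bps, burst_seconds)
    if not burst_in_range(burst):
        raise ValueError(f"burst-size-limit {burst} is outside 1 through {BURST_MAX} bytes")
    return [
        f"set firewall policer {name} if-exceeding bandwidth-limit {bandwidth_limit}",
        f"set firewall policer {name} if-exceeding burst-size-limit {burst}",
        f"set firewall policer {name} then discard",   # discard is the only supported action
    ]


def check_policer_budget(port_policers, vlan_l3_policers):
    """Return the commit message the guide quotes when either 512-policer limit is exceeded."""
    if port_policers > MAX_POLICERS or vlan_l3_policers > MAX_POLICERS:
        return "Cannot assign policers: Max policer limit reached"
    return None


if __name__ == "__main__":
    # Constructed case: policer-one from the procedure on a 1 Gbps interface, 4 ms burst.
    for line in policer_commands("policer-one", "300k", 1_000_000_000, 0.004):
        print(line)
```

On a 1 Gbps interface a 4 ms burst works out to 500,000 bytes, the same burst-size-limit value the procedure uses.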


Specifying Policers in a Firewall Filter Configuration


To reference a policer, configure a filter term that includes the policer action:
[edit firewall family ethernet-switching]
user@switch# set filter limit-hosts term term-one from source-address 192.0.2.16/28
user@switch# set filter limit-hosts term term-one then policer policer-one

Applying a Firewall Filter That Is Configured with a Policer


A firewall filter that is configured with one or more policer actions, like any other
filter, must be applied to a port, VLAN, or Layer 3 interface. For information about
applying firewall filters, see the sections on applying firewall filters in Configuring
Firewall Filters (CLI Procedure) on page 945.

NOTE: You can include policer actions on ingress firewall filters only.

Related Topics

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923

Configuring Firewall Filters (CLI Procedure) on page 945

Configuring Firewall Filters (J-Web Procedure) on page 950

Verifying That Policers Are Operational on page 960

Understanding the Use of Policers in Firewall Filters on page 921

Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure)
You can configure firewall filters with multifield classifiers to classify packets transiting a port, VLAN, or Layer 3 interface on an EX-series switch.
You specify multifield classifiers in a firewall filter configuration to set the forwarding class and packet loss priority (PLP) for incoming or outgoing packets. By default, the data traffic that is not classified is assigned to the best-effort class associated with queue 0.
You can specify any of the following default forwarding classes:

best-effort

assured-forwarding

expedited-forwarding

network-control

To assign multifield classifiers in firewall filters:


1. Configure the family name and filter name for the filter at the [edit firewall] hierarchy level, for example:
[edit firewall]
user@switch# set family ethernet-switching
user@switch# set family ethernet-switching filter ingress-filter

2. Configure the terms of the filter, including the forwarding-class and loss-priority action modifiers as appropriate. When you specify a forwarding class you must also specify the packet loss priority. For example, each of the following terms examines different packet header fields and assigns an appropriate classifier and the packet loss priority:

The term voice-traffic matches packets on the voice-vlan and assigns the forwarding class expedited-forwarding and packet loss priority low:
[edit firewall family ethernet-switching filter ingress-filter]
user@switch# set term voice-traffic from vlan-id voice-vlan
user@switch# set term voice-traffic then forwarding-class expedited-forwarding
user@switch# set term voice-traffic then loss-priority low

The term data-traffic matches packets on employee-vlan and assigns the forwarding class assured-forwarding and packet loss priority low:
[edit firewall family ethernet-switching filter ingress-filter]
user@switch# set term data-traffic from vlan-id employee-vlan
user@switch# set term data-traffic then forwarding-class assured-forwarding
user@switch# set term data-traffic then loss-priority low

Because loss of network-generated packets can jeopardize proper network operation, delay is preferable to discard of packets. The following term, network-traffic, assigns the forwarding class network-control and packet loss priority low:
[edit firewall family ethernet-switching filter ingress-filter]
user@switch# set term network-traffic from precedence net-control
user@switch# set term network-traffic then forwarding-class network-control
user@switch# set term network-traffic then loss-priority low

The last term accept-traffic matches any packets that did not match on any of the preceding terms and assigns the forwarding class best-effort and packet loss priority low:
[edit firewall family ethernet-switching filter ingress-filter]
user@switch# set term accept-traffic from precedence net-control
user@switch# set term accept-traffic then forwarding-class best-effort
user@switch# set term accept-traffic then loss-priority low

3. Apply the filter ingress-filter to a port, VLAN or Layer 3 interface. For information about applying the filter, see Configuring Firewall Filters (CLI Procedure) on page 945.

Related Topics

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923

Verifying That Firewall Filters Are Operational on page 959

Monitoring Firewall Filter Traffic on page 960

Defining CoS Classifiers (CLI Procedure) on page 1033

Defining CoS Classifiers (J-Web Procedure) on page 1034

Configuring Firewall Filters (CLI Procedure) on page 945

Configuring Firewall Filters (J-Web Procedure) on page 950


Chapter 52

Verifying Packet Filtering

Verifying That Firewall Filters Are Operational on page 959

Verifying That Policers Are Operational on page 960

Monitoring Firewall Filter Traffic on page 960

Verifying That Firewall Filters Are Operational


Purpose

After you configure and apply firewall filters to ports, VLANs, or Layer 3 interfaces,
you can perform the following task to verify that the firewall filters configured on
EX-series switches are working properly.

Action
Use the operational mode command to verify that the firewall filters on the switch are working properly (see show firewall on page 1160):
user@switch> show firewall
Filter: egress-vlan-watch-employee
Counters:
Name                                    Bytes    Packets
counter-employee-web                        0          0
Filter: ingress-port-voip-class-limit-tcp-icmp
Counters:
Name                                    Bytes    Packets
icmp-counter                                0          0
Policers:
Name                                             Packets
icmp-connection-policer                                0
tcp-connection-policer                                 0
Filter: ingress-vlan-rogue-block
Filter: ingress-vlan-limit-guest

Meaning
The show firewall command displays the names of all firewall filters, policers, and counters that are configured on the switch. For each counter that is specified in a filter configuration, the output field shows the byte count and packet count for the term in which the counter is specified. For each policer that is specified in a filter configuration, the output field shows the packet count for packets that exceed the specified rate limits.

Related Topics

Configuring Firewall Filters (CLI Procedure) on page 945

Configuring Firewall Filters (J-Web Procedure) on page 950

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 954


Complete Software Guide for JUNOS for EX-series Software, Release 9.2

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923

Monitoring Firewall Filter Traffic on page 960

Verifying That Policers Are Operational

Purpose

After you configure policers and include them in firewall filter configurations, you can perform the following task to verify that the policers configured on EX-series switches are working properly.

Action

Use the operational mode command show policer to verify that the policers on the switch are working properly:

user@switch> show policer
Filter: egress-vlan-watch-employee
Filter: ingress-port-filter
Filter: ingress-port-voip-class-limit-tcp-icmp
Policers:
Name                                        Packets
icmp-connection-policer                           0
tcp-connection-policer                            0
Filter: ingress-vlan-rogue-block
Filter: ingress-vlan-limit-guest

Meaning

The show policer command displays the names of all firewall filters and policers that are configured on the switch. For each policer that is specified in a filter configuration, the output field shows the current packet count for all packets that exceed the specified rate limits.

Related Topics

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 954

Configuring Firewall Filters (CLI Procedure) on page 945

Configuring Firewall Filters (J-Web Procedure) on page 950

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923

Monitoring Firewall Filter Traffic on page 960

Monitoring Firewall Filter Traffic

You can monitor firewall filter traffic on EX-series switches.

Monitoring Traffic for All Firewall Filters and Policers That Are Configured on the Switch on page 961

Monitoring Traffic for a Specific Firewall Filter on page 961

Monitoring Traffic for a Specific Policer on page 961

Monitoring Traffic for All Firewall Filters and Policers That Are Configured on the Switch

Purpose

Perform the following task to monitor the number of packets and bytes that matched the firewall filters and to monitor the number of packets that exceeded policer rate limits.

Action

Use the operational mode command:

user@switch> show firewall
Filter: egress-vlan-watch-employee
Counters:
Name                                          Bytes      Packets
counter-employee-web                           3348           27
Filter: ingress-port-voip-class-limit-tcp-icmp
Counters:
Name                                          Bytes      Packets
icmp-counter                                   4100           49
Policers:
Name                                        Packets
icmp-connection-policer                           0
tcp-connection-policer                            0
Filter: ingress-vlan-rogue-block
Filter: ingress-vlan-limit-guest

Meaning

The show firewall command displays the names of all firewall filters, policers, and counters that are configured on the switch. The output fields show byte and packet counts for counters and the packet count for policers.

Monitoring Traffic for a Specific Firewall Filter

Purpose

Perform the following task to monitor the number of packets and bytes that matched a firewall filter and to monitor the number of packets that exceeded the policer rate limits.

Action

Use the operational mode command:

user@switch> show firewall filter ingress-vlan-rogue-block
Filter: ingress-vlan-rogue-block
Counters:
Name                                          Bytes      Packets
rogue-counter                                  2308           20

Meaning

The show firewall filter filter-name command displays the name of the firewall filter, the packet and byte count for all counters configured with the filter, and the packet count for all policers configured with the filter.

Monitoring Traffic for a Specific Policer

Purpose

Perform the following task to monitor the number of packets that exceeded policer rate limits.

Action

Use the operational mode command:

user@switch> show policer tcp-connection-policer
Filter: ingress-port-voip-class-limit-tcp-icmp
Policers:
Name                                        Packets
tcp-connection-policer                            0

Meaning

The show policer policer-name command displays the name of the firewall filter that specifies the policer action and displays the number of packets that exceeded rate limits for the specified filter.

Related Topics

Configuring Firewall Filters (CLI Procedure) on page 945

Configuring Firewall Filters (J-Web Procedure) on page 950

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 954

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923

Verifying That Firewall Filters Are Operational on page 959
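The show firewall and show policer output in the monitoring tasks above is written to be read by hand; in practice an operator polls it and looks for movement. The following parser is an added example, not Juniper code and not part of this guide: it reads the text layout shown in this chapter (Filter:, Counters:, Policers: blocks with Name/Bytes/Packets columns), returns per-filter counter and policer statistics, lists policers that have discarded packets (a non-zero policer count means traffic exceeded its rate limit), and reports how counters moved between two polls, treating a counter that went backwards as one that was reset with clear firewall. The first sample is constructed from the names and numbers on this page; the second poll's numbers are assumptions.

```python
"""Parse text output of the EX-series `show firewall` / `show policer` commands.

Added example (not Juniper code): the first sample is constructed in the
layout this chapter shows; the second poll's numbers are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed from the "Monitoring Traffic for All Firewall Filters and
# Policers That Are Configured on the Switch" output on this page.
SHOW_FIREWALL_T0 = """\
Filter: egress-vlan-watch-employee
Counters:
Name                                          Bytes      Packets
counter-employee-web                           3348           27
Filter: ingress-port-voip-class-limit-tcp-icmp
Counters:
Name                                          Bytes      Packets
icmp-counter                                   4100           49
Policers:
Name                                        Packets
icmp-connection-policer                           0
tcp-connection-policer                            0
Filter: ingress-vlan-rogue-block
Filter: ingress-vlan-limit-guest
"""

# Assumed later poll: the ICMP term saw more traffic and the TCP policer
# started discarding (constructed values, not from the guide).
SHOW_FIREWALL_T1 = re.sub(r"4100\s+49", "9800          112", SHOW_FIREWALL_T0)
SHOW_FIREWALL_T1 = re.sub(r"(tcp-connection-policer\s+)0", r"\g<1>37", SHOW_FIREWALL_T1)


@dataclass
class FilterStats:
    counters: dict = field(default_factory=dict)  # counter name -> (bytes, packets)
    policers: dict = field(default_factory=dict)  # policer name -> packets over the limit


FILTER_RE = re.compile(r"^Filter:\s+(\S+)")


def parse_show_firewall(text):
    """Return {filter_name: FilterStats}.  `show policer` output uses the same
    Filter:/Policers: layout without Counters: blocks, so it parses too."""
    filters, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILTER_RE.match(line)
        if m:
            current = filters.setdefault(m.group(1), FilterStats())
            section = None
            continue
        if line in ("Counters:", "Policers:"):
            section = line[:-1].lower()
            continue
        if current is None or section is None or line.startswith("Name"):
            continue  # column header line, or text outside any filter block
        cols = line.split()
        if section == "counters" and len(cols) == 3:
            current.counters[cols[0]] = (int(cols[1]), int(cols[2]))
        elif section == "policers" and len(cols) == 2:
            current.policers[cols[0]] = int(cols[1])
        else:
            raise ValueError(f"unexpected line in {section} block: {line!r}")
    return filters


def policers_with_drops(stats):
    """(filter, policer, packets) for every policer whose count is non-zero,
    i.e. every policer that has discarded traffic over its rate limit."""
    return [(f, p, n) for f, st in stats.items() for p, n in st.policers.items() if n]


def counter_deltas(before, after):
    """Map (filter, counter) -> (delta_bytes, delta_packets) between two polls.
    A counter that went backwards was cleared (`clear firewall`), so it is
    counted from zero rather than producing a negative delta."""
    deltas = {}
    for f, st in after.items():
        prev = before.get(f, FilterStats()).counters
        for c, (b, p) in st.counters.items():
            pb, pp = prev.get(c, (0, 0))
            if b < pb or p < pp:
                pb, pp = 0, 0
            deltas[(f, c)] = (b - pb, p - pp)
    return deltas


if __name__ == "__main__":
    t0, t1 = parse_show_firewall(SHOW_FIREWALL_T0), parse_show_firewall(SHOW_FIREWALL_T1)
    print("policers discarding:", policers_with_drops(t1))
    print("counter movement:", counter_deltas(t0, t1))
```

Feed the parser the captured text of either command; because show policer omits the Counters: blocks, the same function serves both, and the two helper functions are what a poller would alert on.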

Chapter 53

Troubleshooting Packet Filtering

Troubleshooting Firewall Filters on page 963

Troubleshooting Firewall Filters

1. Firewall Filter Configuration Returns a No Space Available in TCAM Message on page 963

Firewall Filter Configuration Returns a No Space Available in TCAM Message

Problem

When a firewall filter configuration exceeds the amount of available TCAM space, the switch returns the following syslogd message:

No space available in tcam.
Rules for filter filter-name will not be installed.

The switch returns this message during the commit operation if the firewall filter that has been applied to a port, VLAN, or Layer 3 interface exceeds the amount of available TCAM space. However, the commit operation for the firewall filter configuration is completed in the CLI module.

Solution

When a firewall filter configuration exceeds the amount of available TCAM table space, you must configure a new firewall filter with fewer filter terms so that the space requirements for the filter do not exceed the available space in the TCAM table. You can perform either of the following procedures to correct the problem:

To delete the firewall filter and its bind points and apply the new, smaller firewall filter to the same bind points:

1. Delete the firewall filter configuration and the bind points to ports, VLANs, or Layer 3 interfaces, for example:

    [edit]
    user@switch# delete firewall family ethernet-switching filter filter-ingress-vlan
    user@switch# delete vlans voice-vlan description "filter to block rogue devices on voice-vlan"
    user@switch# delete vlans voice-vlan filter input filter-ingress-vlan

2. Commit the operation:

    [edit]
    user@switch# commit

3. Configure a smaller filter with fewer terms that does not exceed the amount of available TCAM space on the switch, for example:

    [edit]
    user@switch# set firewall family ethernet-switching filter new-filter-ingress-vlan ...

4. Apply (bind) the new firewall filter to a port, VLAN, or Layer 3 interface, for example:

    [edit]
    user@switch# set vlans voice-vlan description "filter to block rogue devices on voice-vlan"
    user@switch# set vlans voice-vlan filter input new-filter-ingress-vlan

5. Commit the operation:

    [edit]
    user@switch# commit

To apply a new firewall filter and overwrite the existing bind points:

1. Configure a firewall filter with fewer terms than the original filter:

    [edit]
    user@switch# set firewall family ethernet-switching filter new-filter-ingress-vlan ...

2. Apply the firewall filter to the port, VLAN, or Layer 3 interfaces to overwrite the bind points of the original filter, for example:

    [edit]
    user@switch# set vlans voice-vlan description "smaller filter to block rogue devices on voice-vlan"
    user@switch# set vlans voice-vlan filter input new-filter-ingress-vlan

3. Commit the operation:

    [edit]
    user@switch# commit

With this second procedure, only the original bind points are deleted (overwritten); the original firewall filter itself is not deleted and remains in the configuration.
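Because the commit completes even though the filter's rules were not installed, the syslog message above is the only signal that a bind point is running without its intended filter. The following is an added example, not Juniper code or a JUNOS feature: it scans syslog text for that message, tolerates the two-sentence form being logged on one line or split across two, returns the filter names reported as not installed (or a placeholder when the first sentence is never followed by a filter name), and maps those names back to bind points read from the committed configuration. The sample log lines and the bind-point table are constructed; the timestamps, hostname and process names are assumptions, and only the message text itself is taken from this section.

```python
"""Detect the 'No space available in tcam' syslog message and map it to
the bind points that are therefore unprotected.

Added example, not Juniper code.  Sample syslog lines are constructed; only
the two-sentence message text comes from the guide."""
import re

# Syslog prefix "Mon DD HH:MM:SS host process[pid]: " (format is an assumption).
PREFIX_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+[^:\s]+:\s*")
NO_SPACE_RE = re.compile(r"^No space available in tcam\.", re.IGNORECASE)
RULES_RE = re.compile(r"Rules for filter (\S+) will not be installed\.", re.IGNORECASE)

SAMPLE_SYSLOG = """\
Jan  5 10:14:02 switch1 pfex: No space available in tcam. Rules for filter ingress-vlan-limit-guest will not be installed.
Jan  5 10:14:03 switch1 mgd[1234]: commit complete
Jan  5 10:15:40 switch1 pfex: No space available in tcam.
Jan  5 10:15:40 switch1 pfex: Rules for filter egress-vlan-watch-employee will not be installed.
Jan  5 10:16:01 switch1 sshd[2201]: Accepted publickey for admin from 192.0.2.10
Jan  5 10:18:00 switch1 pfex: No space available in tcam.
Jan  5 10:18:01 switch1 mgd[1234]: commit complete
"""

# Constructed: bind point -> filter name, as read from the committed config.
BOUND_FILTERS = {
    "vlans voice-vlan filter input": "ingress-vlan-limit-guest",
    "vlans employee-vlan filter output": "egress-vlan-watch-employee",
    "interfaces ge-0/0/1.0 filter input": "ingress-port-filter",
}


def uninstalled_filters(log_text):
    """Filter names from 'will not be installed' messages, in log order.  A
    'No space available in tcam.' line that is never followed by a
    'Rules for filter ...' sentence is reported as '<unknown>'."""
    names, pending = [], False
    for raw in log_text.splitlines():
        msg = PREFIX_RE.sub("", raw.strip())
        if not msg:
            continue
        m = RULES_RE.search(msg)
        if pending and not m:
            names.append("<unknown>")  # first sentence never got its second half
        pending = False
        if m:
            names.append(m.group(1))
        elif NO_SPACE_RE.match(msg):
            pending = True  # second sentence may arrive on the next line
    if pending:
        names.append("<unknown>")
    return names


def unprotected_bind_points(bound, log_text):
    """Bind points whose filter the switch reported as not installed."""
    failed = set(uninstalled_filters(log_text))
    return sorted(bp for bp, flt in bound.items() if flt in failed)


if __name__ == "__main__":
    print("not installed:", uninstalled_filters(SAMPLE_SYSLOG))
    print("unprotected:", unprotected_bind_points(BOUND_FILTERS, SAMPLE_SYSLOG))
```

A '<unknown>' entry still warrants a look at the commit history, since the switch reported TCAM exhaustion without naming the filter in the lines the parser saw.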
Related Topics

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923

Verifying That Firewall Filters Are Operational on page 959

Configuring Firewall Filters (CLI Procedure) on page 945

Configuring Firewall Filters (J-Web Procedure) on page 950

Chapter 54

Configuration Statements for Packet Filtering

[edit firewall] Configuration Statement Hierarchy on page 967

Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches on page 968

[edit firewall] Configuration Statement Hierarchy

firewall {
    family family-name {
        filter filter-name {
            term term-name {
                from {
                    match-conditions;
                }
                then {
                    action;
                    action-modifiers;
                }
            }
        }
    }
    policer policer-name {
        if-exceeding {
            bandwidth-limit bps;
            burst-size-limit bytes;
        }
        then {
            policer-action;
        }
    }
}

Related Topics

Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches on page 968

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923

Configuring Firewall Filters (CLI Procedure) on page 945

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 954

Firewall Filters for EX-series Switches Overview on page 899

Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches
You configure firewall filters to filter packets based on their components and to perform an action on packets that match the filter.

Table 136 on page 968 lists the options that are supported for the firewall statement in JUNOS Software for EX-series switches.

Table 136: Supported Options for Firewall Filter Statements

Statement and Option: family family-name { }
Description: The family-name option specifies the version or type of addressing protocol:
    bridge or ethernet-switching: Filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets
    inet: Filter IPv4 packets

Statement and Option: filter filter-name { }
Description: The filter-name option identifies the filter. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the name in quotation marks (" ").

Statement and Option: term term-name { }
Description: The term-name option identifies the term. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (" "). Each term name must be unique within a filter.

Statement and Option: from { match-conditions; }
Description: The from statement is optional. If you omit it, all packets are considered to match.

Statement and Option: then { action; action-modifiers; }
Description: For information about the action and action-modifiers options, see Firewall Filter Match Conditions and Actions for EX-series Switches on page 906.

Statement and Option: policer policer-name { }
Description: The policer-name option identifies the policer. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the name in quotation marks (" ").

Statement and Option: if-exceeding { bandwidth-limit bps; burst-size-limit bytes; }
Description: The bandwidth-limit bps option specifies the traffic rate in bits per second (bps). You can specify bps as a decimal value or as a decimal number followed by one of the following abbreviations:
    k (thousand)
    m (million)
    g (billion, which is also called a thousand million)
    Range: 1000 (1k) through 102,300,000,000 (102.3g) bps

The burst-size-limit bytes option specifies the maximum allowed burst size to control the amount of traffic bursting. To determine the value for the burst-size limit, you can multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur:
    burst size = bandwidth * allowable time for burst traffic
You can specify a decimal value or a decimal number followed by k (thousand) or m (million).
    Range: 1 through 2,147,450,880 bytes

Statement and Option: then { policer-action }
Description: Use the policer-action option to specify discard to discard traffic that exceeds the rate limits.
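The constraints in Table 136 (and restated in the filter, term, policer and then statement references later in this chapter) are easy to check before a commit. The following is an added example, not Juniper code or a JUNOS tool: it parses the brace-style hierarchy shown at the start of this chapter into a tree and lints it for filter, term and policer names (letters, numbers and hyphens, at most 64 characters, spaces only inside a quoted name), for term names that are not unique within a filter, and for a policer whose then action is anything other than discard. The sample configuration is constructed and deliberately carries three violations; the match condition and actions in it are ones that appear elsewhere on this page.

```python
"""Parse brace-style JUNOS firewall configuration and lint it against the
naming and policer-action constraints in Table 136.

Added example, not Juniper code or a JUNOS tool.  The sample configuration
is constructed and deliberately contains three violations."""
import re
import shlex

# Letters, numbers and hyphens, at most 64 characters.  A space is accepted
# only because shlex has already stripped the quotes from a quoted name.
NAME_RE = re.compile(r"^[A-Za-z0-9 -]{1,64}$")

SAMPLE_CONFIG = """\
firewall {
    family inet {
        filter ingress-vlan-rogue-block {
            term block-rogue {
                from {
                    precedence net-control;
                }
                then {
                    count rogue-counter;
                    discard;
                }
            }
            term block-rogue {
                then {
                    accept;
                }
            }
            term "allow the rest" {
                then {
                    accept;
                }
            }
        }
    }
    policer tcp-connection-policer {
        then {
            discard;
        }
    }
    policer icmp_policer {
        then {
            loss-priority low;
        }
    }
}
"""


def parse_junos(text):
    """Build a tree of {"header", "leaves", "children"} nodes from
    'header {' / '}' / 'statement;' lines."""
    root = {"header": "", "leaves": [], "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            node = {"header": line[:-1].strip(), "leaves": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1]["leaves"].append(line[:-1].strip())
        else:
            raise ValueError(f"cannot parse line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def blocks(node, keyword):
    """Yield (name, child) for child blocks such as 'filter foo {'."""
    for child in node["children"]:
        words = shlex.split(child["header"])
        if words and words[0] == keyword:
            yield (words[1] if len(words) > 1 else "", child)


def lint_firewall(text):
    """Return a list of problem strings; an empty list means the config passes."""
    problems = []

    def check_name(kind, name):
        if not NAME_RE.match(name):
            problems.append(f"{kind} name {name!r}: only letters, numbers and "
                            "hyphens, at most 64 characters")

    for _, fw in blocks(parse_junos(text), "firewall"):
        for _, fam in blocks(fw, "family"):
            for fname, flt in blocks(fam, "filter"):
                check_name("filter", fname)
                seen = set()
                for tname, _ in blocks(flt, "term"):
                    check_name("term", tname)
                    if tname in seen:
                        problems.append(f"filter {fname!r}: duplicate term name {tname!r}")
                    seen.add(tname)
        for pname, pol in blocks(fw, "policer"):
            check_name("policer", pname)
            actions = [leaf for _, then in blocks(pol, "then") for leaf in then["leaves"]]
            if actions != ["discard"]:
                problems.append(f"policer {pname!r}: policer-action must be discard, found {actions}")
    return problems


if __name__ == "__main__":
    for problem in lint_firewall(SAMPLE_CONFIG):
        print(problem)
```

The tree keeps child blocks in a list rather than a dict precisely so that a repeated term name survives parsing and can be reported instead of silently overwriting the earlier term.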

JUNOS software for EX-series switches does not support some of the firewall filter
statements that are supported by other JUNOS software packages. Table 137 on page
970 shows the firewall filter statements that are not supported by JUNOS Software
for EX-series switches.

Table 137: Firewall Filter Statements That Are Not Supported by JUNOS Software for EX-series Switches

Statement hierarchy level: [edit firewall]
Statements not supported:
    interface-set interface-set-name { }
    load-balance-group group-name { }
    three-color-policer name {
        logical-interface-policer;
        single-rate { }
        two-rate { }
    }

Statement hierarchy level: [edit firewall family family-name]
Statements not supported:
    prefix-action name { }
    prefix-policer { }
    service-filter filter-name { }
    simple-filter simple-filter-name { }

Statement hierarchy level: [edit firewall family family-name filter filter-name]
Statements not supported:
    accounting-profile name;
    interface-specific;

Statement hierarchy level: [edit firewall policer policer-name]
Statements not supported:
    filter-specific;
    logical-bandwidth-policer;
    logical-interface-policer;

Statement hierarchy level: [edit firewall policer policer-name if-exceeding]
Statements not supported:
    bandwidth-percent number;

Related Topics

Firewall Filter Match Conditions and Actions for EX-series Switches on page 906

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923

Configuring Firewall Filters (CLI Procedure) on page 945

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 954

Firewall Filters for EX-series Switches Overview on page 899

bandwidth-limit

Syntax
    bandwidth-limit bps;

Hierarchy Level
    [edit firewall policer policer-name if-exceeding]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Specify the traffic rate in bits per second.

Options
    bps: Traffic rate to be specified in bits per second. Specify bps as a decimal value or as a decimal number followed by one of the following abbreviations:
        k (thousand)
        m (million)
        g (billion, which is also called a thousand million)
    Range: 1000 (1k) through 102,300,000,000 (102.3g) bps

Required Privilege Level
    firewall: To view this statement in the configuration.
    firewall-control: To add this statement to the configuration.

Related Topics
    Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
    Configuring Policers to Control Traffic Rates (CLI Procedure) on page 954
    Understanding the Use of Policers in Firewall Filters on page 921

burst-size-limit

Syntax
    burst-size-limit bytes;

Hierarchy Level
    [edit firewall policer policer-name if-exceeding]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Specify the maximum allowed burst size to control the amount of traffic bursting.

Options
    bytes: Decimal value or a decimal number followed by k (thousand) or m (million).
    Range: 1 through 2,147,450,880 bytes

Required Privilege Level
    firewall: To view this statement in the configuration.
    firewall-control: To add this statement to the configuration.

Related Topics
    Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
    Configuring Policers to Control Traffic Rates (CLI Procedure) on page 954
    Understanding the Use of Policers in Firewall Filters on page 921
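The bandwidth-limit and burst-size-limit statements above accept the same decimal-plus-suffix notation and each has a documented range, and Table 136 on page 968 gives the formula for sizing the burst. The following is an added example, not Juniper code: it parses values in that notation, enforces the ranges given for bandwidth-limit (1k to 102.3g bps, suffixes k, m and g) and burst-size-limit (1 to 2,147,450,880 bytes, suffixes k and m only), and applies the burst-size formula. The guide's formula multiplies a bit rate by a time and so yields bits; dividing by 8 to obtain the bytes that burst-size-limit takes is this example's addition, as are the interface speed and burst time used as sample input.

```python
"""Policer rate-limit values: parse the k/m/g notation, check the documented
ranges, and size a burst-size-limit from the Table 136 formula.

Added example, not Juniper code.  Ranges and suffixes are from the guide;
the interface speed and burst time used in main() are assumptions."""

BPS_MIN, BPS_MAX = 1_000, 102_300_000_000     # bandwidth-limit: 1k .. 102.3g bps
BURST_MIN, BURST_MAX = 1, 2_147_450_880       # burst-size-limit: bytes
MULT = {"k": 10**3, "m": 10**6, "g": 10**9}


def parse_junos_number(value, allowed_suffixes):
    """'1m' -> 1000000, '1.5k' -> 1500, '2048' -> 2048.  A decimal fraction
    before the suffix is allowed, as the guide states; the result is an int."""
    s = str(value).strip().lower()
    if not s:
        raise ValueError("empty value")
    mult = 1
    if s[-1].isalpha():
        if s[-1] not in allowed_suffixes:
            raise ValueError(f"suffix {s[-1]!r} not accepted here (allowed: {allowed_suffixes})")
        mult, s = MULT[s[-1]], s[:-1]
    try:
        return round(float(s) * mult)
    except ValueError:
        raise ValueError(f"not a decimal number: {value!r}") from None


def parse_bandwidth_limit(value):
    """bandwidth-limit bps: suffixes k, m, g; range 1k .. 102.3g."""
    bps = parse_junos_number(value, "kmg")
    if not BPS_MIN <= bps <= BPS_MAX:
        raise ValueError(f"bandwidth-limit {bps} bps is outside {BPS_MIN}..{BPS_MAX}")
    return bps


def parse_burst_size_limit(value):
    """burst-size-limit bytes: suffixes k and m only; range 1 .. 2,147,450,880."""
    nbytes = parse_junos_number(value, "km")
    if not BURST_MIN <= nbytes <= BURST_MAX:
        raise ValueError(f"burst-size-limit {nbytes} bytes is outside {BURST_MIN}..{BURST_MAX}")
    return nbytes


def policer_limit_errors(bandwidth_limit, burst_size_limit):
    """Validate an if-exceeding pair; returns a list of messages, empty if valid."""
    errors = []
    for fn, val in ((parse_bandwidth_limit, bandwidth_limit),
                    (parse_burst_size_limit, burst_size_limit)):
        try:
            fn(val)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def burst_size_bytes(interface_bps, burst_seconds):
    """Table 136: burst size = bandwidth * allowable time for burst traffic.
    The product is in bits and burst-size-limit takes bytes, so divide by 8
    (the byte conversion is this example's addition).  Raises when the result
    falls outside the statement's range rather than silently clamping."""
    nbytes = round(interface_bps * burst_seconds / 8)
    if not BURST_MIN <= nbytes <= BURST_MAX:
        raise ValueError(f"{nbytes} bytes is outside the burst-size-limit range")
    return nbytes


if __name__ == "__main__":
    # Assumed inputs: a 1 Gbps port, allowing a 5 ms burst at line rate.
    print("burst-size-limit:", burst_size_bytes(parse_bandwidth_limit("1g"), 0.005))
    print("errors:", policer_limit_errors("500", "1g"))
```

Run policer_limit_errors on every if-exceeding pair before a commit; a value the switch would reject, such as a g suffix on burst-size-limit, is reported with the statement name.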

family

Syntax
    family family-name {
        filter filter-name {
            term term-name {
                from {
                    match-conditions;
                }
                then {
                    action;
                    action-modifiers;
                }
            }
        }
    }

Hierarchy Level
    [edit firewall]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Configure a firewall filter for IP version 4.

Options
    family-name: Version or type of addressing protocol:
        bridge: Filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets.
        ethernet-switching: Filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets.
        inet: Filter IPv4 packets.
    The remaining statements are explained separately.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
    Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
    Configuring Firewall Filters (CLI Procedure) on page 945
    Configuring Firewall Filters (J-Web Procedure) on page 950
    Firewall Filters for EX-series Switches Overview on page 899

filter

Syntax
    filter filter-name {
        term term-name {
            from {
                match-conditions;
            }
            then {
                action;
                action-modifiers;
            }
        }
    }

Hierarchy Level
    [edit firewall family family-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Configure firewall filters.

Options
    filter-name: Name that identifies the filter. The name can contain letters, numbers, and hyphens (-), and can be up to 64 characters long. To include spaces in the name, enclose it in quotation marks.
    The remaining statements are explained separately.

Required Privilege Level
    firewall: To view this statement in the configuration.
    firewall-control: To add this statement to the configuration.

Related Topics
    Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
    Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
    Configuring Firewall Filters (CLI Procedure) on page 945
    Configuring Firewall Filters (J-Web Procedure) on page 950
    Firewall Filters for EX-series Switches Overview on page 899

filter

Syntax
    filter (input | output) filter-name;

Hierarchy Level
    [edit interfaces ge-chassis/slot/port unit logical-unit-number family family-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Apply a firewall filter to traffic entering the port or Layer 3 interface or exiting the Layer 3 interface.

Default
    All incoming traffic is accepted unmodified on the port or Layer 3 interface, and all outgoing traffic is sent unmodified from the port or Layer 3 interface.

Options
    filter-name: Name of a firewall filter defined in the filter statement.
    input: Apply a firewall filter to traffic entering the port or Layer 3 interface.
    output: Apply a firewall filter to traffic exiting the Layer 3 interface.

Required Privilege Level
    interface: To view this statement in the configuration.
    interface-control: To add this statement to the configuration.

Related Topics
    Configuring Gigabit Ethernet Interfaces (CLI Procedure) on page 293
    Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 289
    JUNOS Software Network Interfaces Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html
    Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
    Configuring Firewall Filters (CLI Procedure) on page 945
    Configuring Firewall Filters (J-Web Procedure) on page 950
    Firewall Filters for EX-series Switches Overview on page 899
    JUNOS Software Network Interfaces Configuration Guide at www.juniper.net/techpubs/software/junos/

from

Syntax
    from {
        match-conditions;
    }

Hierarchy Level
    [edit firewall family family-name filter filter-name term term-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Match packet fields to values specified in a match condition. If the from statement is not included in a firewall filter configuration, all packets are considered to match and the actions and action modifiers in the then statement are taken.

Options
    match-conditions: Conditions that define the values or fields that the incoming or outgoing packets must contain for a match. You can specify one or more match conditions. If you specify more than one, they all must match for a match to occur and for the action in the then statement to be taken.

Required Privilege Level
    firewall: To view this statement in the configuration.
    firewall-control: To add this statement to the configuration.

Related Topics
    Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
    Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
    Configuring Firewall Filters (CLI Procedure) on page 945
    Configuring Firewall Filters (J-Web Procedure) on page 950
    Understanding Firewall Filter Match Conditions on page 917

if-exceeding

Syntax
    if-exceeding {
        bandwidth-limit bps;
        burst-size-limit bytes;
    }

Hierarchy Level
    [edit firewall policer policer-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Configure policer rate limits.
    The remaining statements are explained separately.

Required Privilege Level
    firewall: To view this statement in the configuration.
    firewall-control: To add this statement to the configuration.

Related Topics
    Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
    Configuring Policers to Control Traffic Rates (CLI Procedure) on page 954
    Understanding the Use of Policers in Firewall Filters on page 921

policer

Syntax
    policer policer-name {
        if-exceeding {
            bandwidth-limit bps;
            burst-size-limit bytes;
        }
        then {
            policer-action;
        }
    }

Hierarchy Level
    [edit firewall]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Configure policer rate limits and actions. To activate a policer, you must include the policer action modifier in the then statement in a firewall filter term. Each policer that you configure includes an implicit counter. To ensure term-specific packet counts, you configure a policer for each term in the filter that requires policing.

Options
    policer-name: Name that identifies the policer. The name can contain letters, numbers, and hyphens (-), and can be up to 64 characters long.
    The remaining statements are explained separately.

Required Privilege Level
    firewall: To view this statement in the configuration.
    firewall-control: To add this statement to the configuration.

Related Topics
    Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
    Configuring Policers to Control Traffic Rates (CLI Procedure) on page 954
    Configuring Firewall Filters (CLI Procedure) on page 945
    Configuring Firewall Filters (J-Web Procedure) on page 950
    Understanding the Use of Policers in Firewall Filters on page 921

term

Syntax
    term term-name {
        from {
            match-conditions;
        }
        then {
            action;
            action-modifiers;
        }
    }

Hierarchy Level
    [edit firewall family family-name filter filter-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Define a firewall filter term.

Options
    term-name: Name that identifies the term. The name can contain letters, numbers, and hyphens (-), and can be up to 64 characters long. To include spaces in the name, enclose it in quotation marks.
    The remaining statements are explained separately.

Required Privilege Level
    firewall: To view this statement in the configuration.
    firewall-control: To add this statement to the configuration.

Related Topics
    Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
    Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
    Configuring Firewall Filters (CLI Procedure) on page 945
    Configuring Firewall Filters (J-Web Procedure) on page 950
    Firewall Filters for EX-series Switches Overview on page 899

then

Syntax
    then {
        action;
        action-modifiers;
    }

Hierarchy Level
    [edit firewall family family-name filter filter-name term term-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Configure a filter action.

Options
    action: Actions to accept or discard packets that match all match conditions specified in a filter term.
    action-modifiers: Additional actions to analyze, classify, count, or police packets that match all conditions specified in a filter term.

Required Privilege Level
    firewall: To view this statement in the configu ration.
    firewall-control: To add this statement to the configuration.

Related Topics
    Firewall Filter Match Conditions and Actions for EX-series Switches on page 906
    Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
    Configuring Firewall Filters (CLI Procedure) on page 945
    Configuring Firewall Filters (J-Web Procedure) on page 950
    Understanding Firewall Filter Match Conditions on page 917

then

Syntax
    then {
        policer-action;
    }

Hierarchy Level
    [edit firewall policer policer-name]

Release Information
    Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Configure a policer action.

Options
    policer-action: The allowed policer action is discard, which discards traffic that exceeds the rate limits defined by the policer.

Required Privilege Level
    firewall: To view this statement in the configuration.
    firewall-control: To add this statement to the configuration.

Related Topics
    Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
    Configuring Policers to Control Traffic Rates (CLI Procedure) on page 954
    Configuring Firewall Filters (CLI Procedure) on page 945
    Configuring Firewall Filters (J-Web Procedure) on page 950
    Understanding the Use of Policers in Firewall Filters on page 921

Chapter 55

Operational Mode Commands for Packet Filtering

clear firewall

Syntax
    clear firewall
    <all>
    <counter counter-name>
    <filter filter-name>

Release Information
    Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Clear statistics about configured firewall filters.

Options
    none: Clear the packet and byte counts for all firewall filter counters and clear the packet counts for all policer counters.
    all: (Optional) Clear the packet and byte counts for all firewall filter counters and clear the packet counts for all policer counters.
    counter counter-name: (Optional) Clear the packet and byte counts for the specified firewall filter counter.
    filter filter-name: (Optional) Clear the packet and byte counts for the specified firewall filter.

Required Privilege Level
    clear

Related Topics
    Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
    Verifying That Firewall Filters Are Operational on page 959
    Verifying That Policers Are Operational on page 960
    Firewall Filters for EX-series Switches Overview on page 899
    Understanding the Use of Policers in Firewall Filters on page 921

Sample Output

clear firewall (all)
    user@host> clear firewall all

clear firewall (counter counter-name)
    user@host> clear firewall counter port-filter-counter

clear firewall (filter filter-name)
    user@host> clear firewall filter ingress-port-filter

show firewall

Syntax
    show firewall
    <counter counter-name>
    <filter filter-name>

Release Information
    Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
    Display statistics about configured firewall filters.

Options
    none: Display statistics about all configured firewall filters, counters, and policers.
    counter counter-name: (Optional) Display statistics about a particular firewall filter counter.
    filter filter-name: (Optional) Display statistics about a particular firewall filter.

Required Privilege Level
    view

Related Topics
    Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923
    Verifying That Firewall Filters Are Operational on page 959
    Verifying That Policers Are Operational on page 960
    Firewall Filters for EX-series Switches Overview on page 899
    Understanding the Use of Policers in Firewall Filters on page 921

List of Sample Output
    show firewall on page 984
    show firewall (filter filter-name) on page 984
    show firewall (counter counter-name) on page 984

Output Fields
    Table 42 on page 1160 lists the output fields for the show firewall command. Output fields are listed in the approximate order in which they appear.

Table 138: show firewall Output Fields

Field Name: Filter
Field Description: Name of the filter that is configured with the filter statement at the [edit firewall] hierarchy level.
Level of Output: All levels

Field Name: Counters
Field Description: Display filter counter information:
    Name: Name of a filter counter that has been configured with the counter firewall filter action.
    Bytes: Number of bytes that match the filter term where the counter action was specified.
    Packets: Number of packets that matched the filter term where the counter action was specified.
Level of Output: All levels

Field Name: Policers
Field Description: Display policer information:
    Name: Name of policer.
    Packets: Number of packets that matched the filter term where the policer action was specified. This is the number of packets that exceed the rate limits that the policer specifies.
Level of Output: All levels

Sample Output

show firewall

user@host> show firewall
Filter: egress-vlan-filter
Counters:
Name                                          Bytes      Packets
employee-web-counter                              0            0
Filter: ingress-port-filter
Counters:
Name                                          Bytes      Packets
ingress-port-counter                              0            0
Filter: ingress-port-voip-class-filter
Counters:
Name                                          Bytes      Packets
icmp-counter                                      0            0
Policers:
Name                                        Packets
icmp-connection-policer                           0
tcp-connection-policer                            0

show firewall (filter filter-name)

user@host> show firewall filter egress-vlan-filter
Filter: egress-vlan-filter
Counters:
Name                                          Bytes      Packets
employee-web-counter                              0            0

show firewall (counter counter-name)

user@host> show firewall counter icmp-counter
Filter: ingress-port-voip-class-filter
Counters:
Name                                          Bytes      Packets
icmp-counter                                      0            0

show interfaces filters

Syntax
show interfaces filters <interface-name>

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Display the firewall filters that are configured on each interface in the system.

Options
none: Display firewall filter information about all interfaces.
interface-name: (Optional) Display firewall filter information about a particular
interface, in the form ge-fpc/pic/port.

Required Privilege Level
view

Related Topics
show interfaces policers on page 987
show firewall on page 983

List of Sample Output
show interfaces filters on page 985
show interfaces filters <interface-name> on page 986

Output Fields
Table 139 on page 985 lists the output fields for the show interfaces filters command.
Output fields are listed in the approximate order in which they appear.

Table 139: show interfaces filters Output Fields

Field Name      Field Description                                                   Level of Output
Interface       Name of the physical interface.                                     All levels
Admin           Interface state: up or down.                                        All levels
Link            Link state: up or down.                                             All levels
Proto           Protocol that is configured on the interface.                       All levels
Input Filter    Name of the firewall filter to be evaluated when packets are        All levels
                received on the interface.
Output Filter   Name of the firewall filter to be evaluated when packets are        All levels
                transmitted on the interface.

show interfaces filters

user@host> show interfaces filters

Interface       Admin Link  Proto       Input Filter   Output Filter
ge-0/0/0        up    down
ge-0/0/0.0      up    down  eth-switch  unknown
ge-0/0/1        up    down
ge-0/0/1.0      up    down  eth-switch  unknown
ge-0/0/2        up    down
ge-0/0/3        up    down
ge-0/0/4        up    down
ge-0/0/5        up    down
ge-0/0/6        up    down
ge-0/0/7        up    down
ge-0/0/8        up    down
ge-0/0/9        up    down
ge-0/0/10       up    down
ge-0/0/10.0     up    down

show interfaces filters <interface-name>

user@host> show interfaces filters ge-0/0/0

Interface       Admin Link  Proto       Input Filter   Output Filter
ge-0/0/0        up    down
ge-0/0/0.0      up    down  eth-switch  unknown

show interfaces policers

Syntax
show interfaces policers <interface-name>

Release Information
Command introduced before JUNOS Release 9.0 for EX-series switches.

Description
Display all policers that are configured on each interface in the system.

Options
none: Display policer information about all interfaces.
interface-name: (Optional) Display policer information about a particular
interface.

Required Privilege Level
view

Related Topics
show interfaces filters on page 985
show policer on page 989

List of Sample Output
show interfaces policers on page 987
show interfaces policers (interface-name) on page 988

Output Fields
Table 140 on page 987 lists the output fields for the show interfaces policers command.
Output fields are listed in the approximate order in which they appear.

Table 140: show interfaces policers Output Fields

Field Name       Field Description                                                  Level of Output
Interface        Name of the interface.                                             All levels
Admin            Interface state: up or down.                                       All levels
Link             Link state: up or down.                                            All levels
Proto            Protocol configured on the interface.                              All levels
Input Policer    Policer to be evaluated when packets are received on the           All levels
                 interface. It has the format interface-name-in-policer.
Output Policer   Policer to be evaluated when packets are transmitted on the        All levels
                 interface. It has the format interface-name-out-policer.

show interfaces policers

user@host> show interfaces policers

Interface       Admin Link  Proto       Input Policer   Output Policer
ge-0/0/0        up    down
ge-0/0/0.0      up    down  eth-switch
ge-0/0/1        up    down
ge-0/0/1.0      up    down  eth-switch
ge-0/0/2        up    down
ge-0/0/3        up    down
ge-0/0/4        up    down
ge-0/0/5        up    down
ge-0/0/6        up    down
ge-0/0/7        up    down
ge-0/0/8        up    down
ge-0/0/9        up    down
ge-0/0/10       up    down
ge-0/0/10.0     up    down  eth-switch

show interfaces policers (interface-name)

user@host> show interfaces policers ge-0/0/0

Interface       Admin Link  Proto       Input Policer   Output Policer
ge-0/0/0        up    down
ge-0/0/0.0      up    down  eth-switch

show policer

Syntax
show policer <policer-name>

Release Information
Command introduced in JUNOS Release 9.0 for EX-series switches.

Description
Display statistics about configured policers.

Options
none: Display the count of policed packets for all configured policers in the system.
policer-name: (Optional) Display the count of policed packets for the specified policer.

Required Privilege Level
view

Related Topics
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches on page 923
Verifying That Firewall Filters Are Operational on page 959
Verifying That Policers Are Operational on page 960
Firewall Filters for EX-series Switches Overview on page 899
Understanding the Use of Policers in Firewall Filters on page 921

List of Sample Output
show policer on page 989
show policer (policer-name) on page 990

Output Fields
Table 141 on page 989 lists the output fields for the show policer command. Output
fields are listed in the approximate order in which they appear.

Table 141: show policer Output Fields

Field Name   Field Description                                                        Level of Output
Filter       Name of the filter that is configured with the filter statement at the   All levels
             [edit firewall] hierarchy level.
Policers     Display policer information:                                             All levels
             Filter: Name of the filter that specifies the policer action.
             Name: Name of the policer.
             Packets: Number of packets that matched the filter term where the
             policer action is specified and exceeded the rate limits that the
             policer specifies, that is, the packets the policer acted on.

show policer

user@host> show policer

Filter: egress-vlan-filter
Filter: ingress-port-filter
Policers:
Name                                                                   Packets
icmp-connection-policer                                                      0
tcp-connection-policer                                                       0
Filter: ingress-vlan-rogue-block

show policer (policer-name)

user@host> show policer tcp-connection-policer

Filter: ingress-port-filter
Policers:
Name                                                                   Packets
tcp-connection-policer                                                       0
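The show firewall and show policer samples above share one layout: a Filter: line, then Counters: and Policers: blocks headed by a Name row. When a policer count is nonzero, traffic has exceeded the configured rate and the policer has acted on it, which is the first thing to check when a port-facing filter is meant to hold back a flood. The following Python script is an added example, not Juniper code or part of this guide: it parses output in that layout and lists every policer with a nonzero count. The sample text embedded in it is constructed (the filter and policer names follow the page's samples, the numbers are made up so one policer shows hits), and the function names are the author's own.

```python
"""Parse the text of `show firewall` / `show policer` and flag active policers.

Added example, not Juniper code. The sample output below is constructed: the
filter and policer names follow the samples on this page, the counts are made
up so that one policer shows a nonzero count.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout documented for `show firewall`.
SAMPLE_SHOW_FIREWALL = """\
Filter: egress-vlan-filter
Counters:
Name                                                Bytes              Packets
employee-web-counter                               184320                  240
Filter: ingress-port-voip-class-filter
Counters:
Name                                                Bytes              Packets
icmp-counter                                         5880                   70
Policers:
Name                                                                   Packets
icmp-connection-policer                                                   1532
tcp-connection-policer                                                       0
"""

FILTER_RE = re.compile(r"^Filter:\s+(\S+)$")

FilterStats = Dict[str, dict]


def parse_show_firewall(text: str) -> FilterStats:
    """Return {filter: {"counters": {name: (bytes, packets)}, "policers": {name: packets}}}.

    Layout handled: a "Filter:" line, then optional "Counters:" and "Policers:"
    blocks, each headed by a "Name ..." column row. Counter rows carry two
    integers (bytes, packets); policer rows carry one (packets). `show policer`
    output uses the same layout without Counters blocks, so it parses as well.
    """
    filters: FilterStats = {}
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = FILTER_RE.match(line)
        if match:
            current = filters.setdefault(match.group(1), {"counters": {}, "policers": {}})
            section = None
            continue
        if current is None:
            raise ValueError(f"data before any Filter: line: {line!r}")
        if line == "Counters:":
            section = "counters"
            continue
        if line == "Policers:":
            section = "policers"
            continue
        if line.startswith("Name"):
            continue  # column header row
        fields = line.split()
        if section == "counters" and len(fields) == 3:
            current["counters"][fields[0]] = (int(fields[1]), int(fields[2]))
        elif section == "policers" and len(fields) == 2:
            current["policers"][fields[0]] = int(fields[1])
        else:
            raise ValueError(f"unexpected row in {section!r} block: {line!r}")
    return filters


def policers_with_drops(stats: FilterStats) -> List[Tuple[str, str, int]]:
    """(filter, policer, packets) for every policer whose count is nonzero.

    The policer count is the number of packets that exceeded the configured
    rate limit, so a nonzero value means the policer has acted on traffic
    since the counters were last cleared. Sorted by count, largest first.
    """
    hits = [(filt, name, packets)
            for filt, body in stats.items()
            for name, packets in body["policers"].items()
            if packets > 0]
    return sorted(hits, key=lambda hit: -hit[2])


if __name__ == "__main__":
    for filt, name, packets in policers_with_drops(parse_show_firewall(SAMPLE_SHOW_FIREWALL)):
        print(f"{filt}: policer {name} exceeded its rate limit on {packets} packets")
```

Feed it the captured output of either command; rows that do not fit the documented layout raise instead of being silently skipped, so a changed output format is noticed rather than reported as "no drops".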

Part 12

CoS

Understanding CoS on page 993

Examples of Configuring CoS on page 1011

Configuring CoS on page 1029

Verifying CoS on page 1047

Configuration Statements for CoS on page 1055

Operational Mode Commands for CoS on page 1079


Chapter 56

Understanding CoS

JUNOS CoS for EX-series Switches Overview on page 993

Understanding JUNOS CoS Components for EX-series Switches on page 995

Understanding CoS Code-Point Aliases on page 997

Understanding CoS Classifiers on page 1000

Understanding CoS Forwarding Classes on page 1002

Understanding CoS Tail Drop Profiles on page 1004

Understanding CoS Schedulers on page 1004

Understanding CoS Two-Color Marking on page 1007

Understanding CoS Rewrite Rules on page 1008

JUNOS CoS for EX-series Switches Overview


When a network experiences congestion and delay, some packets must be dropped.
JUNOS Class of Service (CoS) divides traffic into classes to which you can apply
different levels of throughput and packet loss when congestion occurs. This allows
packet loss to happen according to rules that you configure.
CoS provides multiple classes of service for different applications. You can configure
multiple forwarding classes for transmitting packets, define which packets are placed
into each output queue, and schedule the transmission service level for each queue.
In designing CoS applications, you must give careful consideration to your service
needs, and you must thoroughly plan and design CoS configuration to ensure
consistency and interoperability across all platforms in a CoS domain.
Because EX-series switches implement CoS in hardware rather than in software, you
can experiment with and deploy CoS features without affecting packet forwarding
and switching performance.

How JUNOS CoS Works on page 993

Default CoS Behavior on EX-series Switches on page 994

How JUNOS CoS Works


JUNOS CoS works by examining traffic entering at the edge of your network. The
access switches classify traffic into defined service groups, to provide the special
treatment of traffic across the network. For example, voice traffic can be sent across
certain links, and data traffic can use other links. In addition, the data traffic streams
can be serviced differently along the network path to ensure that higher-paying
customers receive better service. As the traffic leaves the network at the far edge,
you can reclassify the traffic to meet the policies of the targeted peer.
To support CoS, you must configure each switch in the network. Generally, each
switch examines the packets that enter it to determine their CoS settings. These
settings then dictate which packets are transmitted first to the next downstream
switch. Switches at the edges of the network might be required to alter the CoS
settings of the packets that enter the network to classify the packets into the
appropriate service group.
Figure 51 on page 994 represents the network scenario of an enterprise. Switch A is
receiving traffic from various network nodes such as desktop computers, servers,
surveillance cameras, and VoIP telephones. As each packet enters, Switch A examines
the packet's CoS settings and classifies the traffic into one of the groupings defined
by the enterprise. This definition allows Switch A to prioritize resources for servicing
the traffic streams it receives. Switch A might alter the CoS settings of the packets
to better match the enterprise's traffic groups.
When Switch B receives the packets, it examines the CoS settings, determines the
appropriate traffic group, and processes the packets according to those settings. It
then transmits the packets to Switch C, which performs the same actions. Switch D
also examines the packets and determines the appropriate group. Because Switch
D sits at the far end of the network, it might alter the CoS settings of the packets
before transmitting them.
Figure 51: Packet Flow Across the Network

Default CoS Behavior on EX-series Switches


If you do not configure any CoS settings on your switch, the software performs some
CoS functions to ensure that user traffic and protocol packets are forwarded with
minimum delay when the network is experiencing congestion. Some default mappings
are automatically applied to each logical interface that you configure. Other default
mappings, such as explicit default classifiers and rewrite rules, are in operation only
if you explicitly associate them with an interface.
Related Topics

Understanding JUNOS CoS Components for EX-series Switches on page 995

Example: Configuring CoS on EX-series Switches on page 1011

Understanding JUNOS CoS Components for EX-series Switches


This topic describes the JUNOS CoS components for EX-series switches:

Code-Point Aliases on page 995

Policers on page 995

Classifiers on page 995

Forwarding Classes on page 996

Tail Drop Profiles on page 996

Schedulers on page 996

Rewrite Rules on page 996

Code-Point Aliases
A code-point alias assigns a name to a pattern of code-point bits. You can use this
name instead of the bit pattern when you configure other CoS components such as
classifiers, drop-profile maps, and rewrite rules.

Policers
Policers limit traffic of a certain class to a specified bandwidth and burst size. Packets
exceeding the policer limits can be discarded. You define policers with filters that
can be associated with input interfaces.
For more information about policers, see Understanding the Use of Policers in
Firewall Filters on page 921.

NOTE: You can configure policers to discard packets that exceed the rate limits. If
you want to configure CoS parameters such as loss-priority and forwarding-class, you
must use firewall filters.

Classifiers
Packet classification associates incoming packets with a particular CoS servicing
level. In JUNOS software, classifiers associate packets with a forwarding class and
loss priority and, based on the associated forwarding class, assign packets to output
queues. JUNOS software supports two general types of classifiers:

Behavior aggregate (BA) or CoS value traffic classifiers: Examine the CoS value in
the packet header. The value in this single field determines the CoS settings
applied to the packet. BA classifiers allow you to set the forwarding class and
loss priority of a packet based on the Differentiated Services code point (DSCP)
value, the IP precedence value, or the IEEE 802.1p value.

Multifield traffic classifiers: Examine multiple fields in the packet, such as the source
and destination addresses and the source and destination port numbers of the packet.
With multifield classifiers, you set the forwarding class and loss priority of a
packet based on firewall filter rules.

Forwarding Classes
Forwarding classes group the packets for transmission. Based on forwarding classes,
you assign packets to output queues. Forwarding classes affect the forwarding,
scheduling, and marking policies applied to packets as they transit a switching
platform. By default, four categories of forwarding classes are defined: best effort,
assured forwarding, expedited forwarding, and network control. For EX-series
switches, 16 forwarding classes are supported, providing granular classification
capability.

Tail Drop Profiles

A drop profile is a mechanism that defines the parameters under which packets are
dropped from the network. Drop profiles define the meanings of the loss priorities. When you
configure drop profiles you are essentially setting the value for queue fullness. The
queue fullness represents the percentage of the queue used to store packets in relation
to the total amount that has been allocated for that specific queue.
Loss priorities set the priority of dropping a packet. Loss priority affects the scheduling
of a packet without affecting the packet's relative ordering. You can use the loss
priority setting to identify packets that have experienced congestion. Typically you
mark packets exceeding some service level with a high loss priority.

Schedulers
Each switch interface has multiple queues assigned to store packets. The switch
determines which queue to service based on a particular method of scheduling. This
process often involves determining which type of packet should be transmitted before
another. You can define the priority, bandwidth, delay buffer size, and tail drop
profiles to be applied to a particular queue for packet transmission.
A scheduler map associates a specified forwarding class with a scheduler configuration.
You can associate up to four user-defined scheduler maps with the interfaces.

Rewrite Rules
A rewrite rule sets the appropriate CoS bits in the outgoing packet thus allowing the
next downstream device to classify the packet into the appropriate service group.
Rewriting, or marking, outbound packets is useful when the switch is at the border
of a network and must alter the CoS values to meet the policies of the targeted peer.

NOTE: Rewrite rules are applied only to packets that the switch routes (Layer 3
forwarding). They are not applied to packets that are switched at Layer 2.
Egress firewall filters can also assign forwarding class and loss priority so that the
packets are rewritten based on forwarding class and loss priority.

Related Topics

Understanding CoS Code-Point Aliases on page 997

Understanding CoS Classifiers on page 1000

Understanding CoS Forwarding Classes on page 1002

Understanding CoS Tail Drop Profiles on page 1004

Understanding CoS Schedulers on page 1004

Understanding CoS Two-Color Marking on page 1007

Understanding CoS Rewrite Rules on page 1008

Example: Configuring CoS on EX-series Switches on page 1011

Understanding CoS Code-Point Aliases


A code-point alias assigns a name to a pattern of code-point bits. You can use this
name instead of the bit pattern when you configure other CoS components such as
classifiers, drop-profile maps, and rewrite rules.
Behavior aggregate classifiers use class-of-service (CoS) values such as Differentiated
Services code points (DSCPs), IP precedence, and IEEE 802.1p bits to associate
incoming packets with a particular CoS servicing level. On a switch, you can assign
a meaningful name or alias to the CoS values and use this alias instead of the bits when
configuring CoS components. These aliases are not part of the specifications but are
well known through usage. For example, the alias for DSCP 101110 is widely accepted
as ef (expedited forwarding).
When you configure classes and define classifiers, you can refer to the markers by
alias names. You can configure user-defined classifiers in terms of alias names. If
the value of an alias changes, it alters the behavior of any classifier that references
it.
You can configure code-point aliases for the following types of CoS markers:

dscp: Handles incoming IPv4 packets.

ieee-802.1: Handles Layer 2 CoS.

inet-precedence: Handles incoming IPv4 packets. IP precedence mapping
requires only the upper three bits of the DSCP field.

This topic covers:

Default Code-Point Aliases on page 998


Default Code-Point Aliases


Table 142 on page 998 shows the default mappings between the bit values and
standard aliases.

Table 142: Default Code-Point Aliases

CoS Value Type                    Alias      Mapping
DSCP CoS Values                   ef         101110
                                  af11       001010
                                  af12       001100
                                  af13       001110
                                  af21       010010
                                  af22       010100
                                  af23       010110
                                  af31       011010
                                  af32       011100
                                  af33       011110
                                  af41       100010
                                  af42       100100
                                  af43       100110
                                  be         000000
                                  cs1        001000
                                  cs2        010000
                                  cs3        011000
                                  cs4        100000
                                  cs5        101000
                                  nc1/cs6    110000
                                  nc2/cs7    111000
IEEE 802.1p CoS Values            be         000
                                  be1        001
                                  ef         010
                                  ef1        011
                                  af11       100
                                  af12       101
                                  nc1/cs6    110
                                  nc2/cs7    111
Legacy IP Precedence CoS Values   be         000
                                  be1        001
                                  ef         010
                                  ef1        011
                                  af11       100
                                  af12       101
                                  nc1/cs6    110
                                  nc2/cs7    111
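Two things in Table 142 are easy to get wrong when aliases are used in a classifier: the AF aliases encode their class and drop precedence in the bit pattern (so a typo such as af31 mapped to 011100 silently changes the drop precedence), and the three-bit aliases reuse names from the DSCP column for different values. Because inet-precedence classification keeps only the upper three DSCP bits, traffic marked DSCP ef (101110) is seen as 101, which the three-bit table calls af12, not ef. The following Python module is an added example, not Juniper code: it carries the table above as data, checks the AF layout, and lists every DSCP alias that an inet-precedence classifier would file under a different alias name. The function names are the author's own.

```python
"""Default code-point aliases (Table 142) and what an IP-precedence classifier sees.

Added example, not Juniper code. The two tables are copied from the page;
the helper functions and their names are the author's own.
"""
from typing import Dict, Optional, Tuple

# Default DSCP aliases. nc1/nc2 name the same code points as cs6/cs7.
DSCP_ALIASES: Dict[str, str] = {
    "ef": "101110",
    "af11": "001010", "af12": "001100", "af13": "001110",
    "af21": "010010", "af22": "010100", "af23": "010110",
    "af31": "011010", "af32": "011100", "af33": "011110",
    "af41": "100010", "af42": "100100", "af43": "100110",
    "be": "000000",
    "cs1": "001000", "cs2": "010000", "cs3": "011000",
    "cs4": "100000", "cs5": "101000", "cs6": "110000", "cs7": "111000",
    "nc1": "110000", "nc2": "111000",
}

# Default 3-bit aliases; the page gives the same table for IEEE 802.1p and
# legacy IP precedence.
THREE_BIT_ALIASES: Dict[str, str] = {
    "be": "000", "be1": "001", "ef": "010", "ef1": "011",
    "af11": "100", "af12": "101", "nc1": "110", "cs6": "110",
    "nc2": "111", "cs7": "111",
}


def dscp_to_precedence(dscp_bits: str) -> str:
    """IP precedence is the upper three bits of the six-bit DSCP field."""
    if len(dscp_bits) != 6 or set(dscp_bits) - {"0", "1"}:
        raise ValueError(f"not a 6-bit DSCP pattern: {dscp_bits!r}")
    return dscp_bits[:3]


def af_class_and_drop(alias: str) -> Optional[Tuple[int, int]]:
    """Decode an AFxy alias into (class x, drop precedence y).

    RFC 2597 lays the AF code points out as 'xxx yy 0'. The check confirms
    that the alias's bit pattern really encodes the x and y in its name.
    """
    bits = DSCP_ALIASES.get(alias)
    if bits is None or not alias.startswith("af"):
        return None
    cls, drop = int(bits[:3], 2), int(bits[3:5], 2)
    if bits[5] != "0" or alias != f"af{cls}{drop}":
        raise ValueError(f"{alias} maps to {bits}, which does not follow the AF layout")
    return cls, drop


def alias_for_dscp(bits: str, prefer=("ef", "af", "be", "cs")) -> Optional[str]:
    """Reverse lookup; when two aliases share a code point, pick by prefix order."""
    matches = [alias for alias, value in DSCP_ALIASES.items() if value == bits]
    for prefix in prefer:
        for alias in matches:
            if alias.startswith(prefix):
                return alias
    return matches[0] if matches else None


def precedence_alias(dscp_alias: str) -> Optional[str]:
    """The 3-bit alias an inet-precedence classifier assigns to traffic marked with a DSCP alias."""
    bits = DSCP_ALIASES.get(dscp_alias)
    if bits is None:
        return None
    prec = dscp_to_precedence(bits)
    for alias, value in THREE_BIT_ALIASES.items():
        if value == prec:
            return alias
    return None


def precedence_name_mismatches() -> Dict[str, str]:
    """DSCP aliases that an inet-precedence classifier files under a different name.

    Only the upper three bits survive, and the 3-bit table reuses names such
    as 'ef' and 'af11' for other values: DSCP 'ef' (101110) becomes '101',
    which the 3-bit table calls 'af12'. Expect these whenever dscp and
    inet-precedence classifiers are mixed in one CoS domain.
    """
    mismatches: Dict[str, str] = {}
    for alias in DSCP_ALIASES:
        seen_as = precedence_alias(alias)
        if seen_as is not None and seen_as != alias:
            mismatches[alias] = seen_as
    return mismatches


if __name__ == "__main__":
    for dscp_alias, seen_as in precedence_name_mismatches().items():
        print(f"DSCP {dscp_alias} ({DSCP_ALIASES[dscp_alias]}) -> inet-precedence alias {seen_as}")
```

Only be, nc1 and nc2 keep their name across the two tables; everything else, including ef and all AF aliases, lands on a differently named three-bit alias, so a classifier built from alias names on a Layer 3 interface (dscp-default) and one on a trunk (ieee8021p-default) do not place the same traffic in the same forwarding class unless the aliases are redefined to agree.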

Related Topics

Understanding JUNOS CoS Components for EX-series Switches on page 995

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Code-Point Aliases (CLI Procedure) on page 1032

Defining CoS Code-Point Aliases (J-Web Procedure) on page 1030


Understanding CoS Classifiers


Packet classification associates incoming packets with a particular CoS servicing
level. Classifiers associate packets with a forwarding class and loss priority and, based
on the associated forwarding class, assign packets to output queues. There are two
general types of classifiers:

Behavior aggregate (BA) classifiers

Multifield (MF) classifiers

For a specified interface, you can configure both an MF classifier and a BA classifier
without conflicts. In such cases, BA classification is performed first, followed by MF
classification. In case of conflict, MF classifier overrides a BA classification result.

NOTE: When a source MAC address is learned, the frame that contains the source
MAC address is always sent out on queue 0 while egressing from the network
interface, irrespective of the classifier applied to the ingress interface.

Behavior Aggregate Classifiers on page 1000

Multifield Classifiers on page 1001

Behavior Aggregate Classifiers


The behavior aggregate classifier maps a class-of-service (CoS) value to a forwarding
class and loss priority. The forwarding class determines the output queue. The loss
priority is used by schedulers to control packet discard during periods of congestion.
There are three types of BA classifiers:

Differentiated Services code point (DSCP) for IP DiffServ

IP precedence bits

IEEE 802.1p CoS bits

BA classifiers are based on fixed-length fields, which makes them computationally
more efficient than MF classifiers. Therefore core devices, which handle high traffic
volumes, are normally configured to perform BA classification.
In most cases, you need to rewrite a given marker (IP precedence, DSCP, or IEEE
802.1p) at the ingress node to accommodate BA classification by core and egress
devices.

NOTE: Although you can configure many classifiers, you can apply only one classifier
on the switch. Whenever you apply a new classifier, you must explicitly remove the
currently applied classifier and then apply the new classifier.


Default Behavior Aggregate Classification


JUNOS software automatically assigns implicit default classifiers to all logical interfaces
based on the type of interface. Table 143 on page 1001 lists the different types of interfaces
and the corresponding implicit default classifiers.

Table 143: Default BA Classification

Type of Interface     Default BA Classification
Trunk interface       ieee8021p-default
Layer 3 interface     dscp-default
Access interface      Untrusted

When you explicitly associate a classifier with a logical interface, you are in effect
overriding the implicit default classifier with an explicit classifier. Because an access
interface is untrusted by default, the switch does not act on CoS markings set by the
attached host; if you replace that default with an explicit BA classifier on a user-facing
port, the host can select its own forwarding class, including network-control, simply
by marking its packets.

NOTE: By default, all BA classifiers classify traffic into either the best-effort forwarding
class or the network-control forwarding class.

Multifield Classifiers
Multifield classifiers examine multiple fields in the packet such as source and
destination addresses and source and destination port numbers of the packet. With
MF classifiers, you set the forwarding class and loss priority of a packet based on
firewall filter rules.
MF classification is normally performed at the network edge because of the general
lack of DiffServ Code Point (DSCP) or IP precedence support in end-user applications.
On an edge switch, an MF classifier provides the filtering functionality that scans
through a variety of packet fields to determine the forwarding class for a packet.
Typically, a classifier performs matching operations on the selected fields against a
configured value.
Related Topics

Understanding JUNOS CoS Components for EX-series Switches on page 995

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Classifiers (CLI Procedure) on page 1033

Defining CoS Classifiers (J-Web Procedure) on page 1034


Understanding CoS Forwarding Classes


It is helpful to think of forwarding classes as output queues. In effect, the end result
of classification is the identification of an output queue for a particular packet. For
a classifier to assign an output queue to each packet, it must associate the packet
with one of the following forwarding classes:

Expedited forwarding (EF): Provides a low-loss, low-latency, low-jitter, assured
bandwidth, end-to-end service.

Assured forwarding (AF): Provides a group of values you can define and includes
four subclasses: AF1, AF2, AF3, and AF4, each with two drop probabilities: low
and high.

Best effort (BE): Provides no service profile. Loss priority is typically not carried
in a class-of-service (CoS) value.

Network control (NC): This class is typically high priority because it supports
protocol control.

EX-series switches support up to 16 forwarding classes, thus allowing granular packet
classification. For example, you can configure multiple classes of EF traffic such as
EF, EF1, and EF2.
EX-series switches support up to eight output queues. Therefore, if you configure
more than eight forwarding classes, you must map multiple forwarding classes to
single output queues.

Default Forwarding Classes on page 1002

Default Forwarding Classes


Table 144 on page 1002 shows the four forwarding classes defined by default.
If desired, you can rename the forwarding classes associated with the queues
supported on your switch. Assigning a new class name to an output queue does not
alter the default classification or scheduling that is applicable to that queue. CoS
configurations can be quite complicated, so unless it is required by your scenario,
we recommend that you not alter the default class names or queue number
associations.
Table 144: Default Forwarding Classes

Forwarding Class Name       Comments
best-effort (be)            The software does not apply any special CoS handling to packets
                            with 000000 in the DiffServ field. This is a backward compatibility
                            feature. These packets are usually dropped under congested network
                            conditions.
expedited-forwarding (ef)   The software delivers assured bandwidth, low loss, low delay, and
                            low delay variation (jitter) end-to-end for packets in this service
                            class. Software accepts excess traffic in this class, but in
                            contrast to the assured forwarding class, out-of-profile
                            expedited-forwarding class packets can be forwarded out of
                            sequence or dropped.
assured-forwarding (af)     The software offers a high level of assurance that the packets are
                            delivered as long as the packet flow from the customer stays within
                            a certain service profile that you define. The software accepts
                            excess traffic, but applies a tail drop profile to determine if the
                            excess packets are dropped and not forwarded. Up to two drop
                            probabilities (low and high) are defined for this service class.
network-control (nc)        The software delivers packets in this service class with a high
                            priority. (These packets are not delay-sensitive.) Typically, these
                            packets represent routing protocol hello or keepalive messages.
                            Because loss of these packets jeopardizes proper network operation,
                            packet delay is preferable to packet discard.

The following rules govern queue assignment:

CoS configurations that specify more queues than the switch can support are
not accepted. The commit fails with a detailed message that states the total
number of queues available.

All default CoS configurations are based on queue number. The name of the
forwarding class that shows up when the default configuration is displayed is
the forwarding class currently associated with that queue.

Related Topics

Understanding JUNOS CoS Components for EX-series Switches on page 995

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Forwarding Classes (CLI Procedure) on page 1036

Defining CoS Forwarding Classes (J-Web Procedure) on page 1037


Understanding CoS Tail Drop Profiles


A tail drop profile is a congestion management mechanism that allows the switch to drop
arriving packets when queue buffers become full or begin to overflow.
Tail drop profiles define the meanings of the loss priorities. When you configure tail
drop profiles you are essentially setting the value for queue fullness. The queue
fullness represents a percentage of the memory used to store packets in relation to
the total amount that has been allocated for that specific queue.
The queue fullness defines the delay-buffer bandwidth, which provides packet buffer
space to absorb burst traffic up to the specified duration of delay. Once the specified
delay buffer becomes full, packets with 100 percent drop probability are dropped
from the tail of the buffer.
On EX-series switches, drop-probability is implicitly set to 100% and it cannot be
modified.
You specify drop probabilities in the drop profile section of the CoS configuration
hierarchy and reference them in each scheduler configuration.
By default, if you do not configure any drop profile, tail drop profile is in effect and
functions as the primary mechanism for managing congestion. In the default tail
drop profile, when the fill level is 0 percent, the drop probability is 0 percent. When
the fill level is 100 percent, the drop probability is 100 percent.

NOTE: The default drop profile associated with the packets whose loss priority is low
cannot be modified. You can configure custom drop profile only for those packets
whose loss priority is high.
Related Topics

Understanding JUNOS CoS Components for EX-series Switches on page 995

Example: Configuring CoS on EX-series Switches on page 1011

Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1041

Understanding CoS Schedulers


You use schedulers to define the properties of output queues. These properties include
the amount of interface bandwidth assigned to the queue, the size of the memory
buffer allocated for storing packets, the priority of the queue, and the drop profiles
associated with the queue.
You associate the schedulers with forwarding classes by means of scheduler maps.
You can then associate each scheduler map with an interface, thereby configuring
the queues, packet schedulers, and tail drop processes that operate according to this
mapping.

Default Schedulers on page 1005

Transmission Rate on page 1005

Scheduler Buffer Size on page 1005

Priority Scheduling on page 1006

Scheduler Drop-Profile Maps on page 1006

Scheduler Maps on page 1007

Default Schedulers
Each forwarding class has an associated scheduler priority. Only two forwarding
classes, best-effort and network-control (queue 0 and queue 7), are used in the default
scheduler configuration.
By default, the best-effort forwarding class (queue 0) receives 95 percent of the
bandwidth and buffer space for the output link, and the network-control forwarding
class (queue 7) receives 5 percent. The default drop profile causes the buffer to fill
completely and then to discard all incoming packets until it has space.
The expedited-forwarding and assured-forwarding classes have no schedulers because,
by default, no resources are assigned to queue 5 and queue 1. However, you can
manually configure resources for the expedited-forwarding and assured-forwarding
classes.
Also by default, each queue can exceed the assigned bandwidth if additional
bandwidth is available from other queues. When a forwarding class does not fully
use the allocated transmission bandwidth, the remaining bandwidth can be used by
other forwarding classes if they receive a larger amount of offered load than their
allocated bandwidth allows.

Transmission Rate
The transmission-rate control determines the actual traffic bandwidth from each
forwarding class you configure. The rate is specified in bits per second. Each queue
is allocated some portion of the bandwidth of the outgoing interface.
This bandwidth amount can be a fixed value, such as 1 megabit per second (Mbps),
a percentage of the total available bandwidth, or the rest of the available bandwidth.
You can allow transmission bandwidth to exceed the configured rate if additional
bandwidth is available from other queues. Under congestion, the configured
transmission rate is guaranteed to the queue. This property allows you to ensure
that each queue receives the amount of bandwidth appropriate to its level of service.

Scheduler Buffer Size


To control congestion at the output stage, you can configure the delay-buffer
bandwidth. The delay-buffer bandwidth provides packet buffer space to absorb burst
traffic up to the specified duration of delay. Once the specified delay buffer becomes
full, packets with 100 percent drop probability are dropped from the tail of the buffer.
The default scheduler transmission rates for queues 0 through 7 are 95, 0, 0, 0, 0, 0,
0, and 5 percent of the total available bandwidth. The default buffer-size percentages
for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent of the total available
buffer.

For each scheduler, you can configure the buffer size as one of the following:

A percentage of the total buffer.

The remaining buffer available. The remainder is the buffer percentage that is
not assigned to other queues. For example, if you assign 40 percent of the delay
buffer to queue 0, allow queue 7 to keep the default allotment of 5 percent, and
assign the remainder to queue 3, then queue 3 uses approximately 55 percent
of the delay buffer.

Priority Scheduling
Priority scheduling determines the order in which an output interface transmits traffic
from the queues, thus ensuring that queues containing important traffic are provided
better access to the outgoing interface.
Priority scheduling is accomplished through a procedure in which the scheduler
examines the priority of the queue. JUNOS software supports two levels of
transmission priority:

Low: The scheduler determines whether the individual queue is within its defined
bandwidth profile. This binary decision, which is reevaluated on a regular time
cycle, compares the amount of data transmitted by the queue against the amount
of bandwidth allocated to it by the scheduler. When the transmitted amount is
less than the allocated amount, the queue is considered to be in profile. A queue
is out of profile when its transmitted amount is larger than its allocated amount.
An out-of-profile queue is transmitted only if bandwidth is available; otherwise,
its packets remain buffered.
A queue from the set is selected based on the shaped deficit weighted round
robin (SDWRR) algorithm, which operates within the set.

Strict-high: A strict-high priority queue receives preferential treatment over low
priority queues, and unlimited bandwidth is assigned to it.
Queues are scheduled according to the queue number, starting with the highest
queue 7, with decreasing priority down through queue 0. Traffic in higher queue
numbers is always scheduled prior to traffic in lower queue numbers. In other
words, in case of two strict-high priority queues, the queue with the higher queue
number is processed first.

Packets in low priority queues are transmitted only when strict-high priority queues
are empty.
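The two-level scheduling described above, modelled in Python as an added example. This is not Juniper code and it simplifies the switch's SDWRR: strict-high queues are drained first, highest queue number first and with no cap; each low-priority queue then gets its transmit-rate share of the link; whatever capacity is still unused goes round robin, one packet at a time, to low queues that remain backlogged. Queue numbers, percentages, packet sizes and the per-cycle link capacity are constructed inputs.

```python
from collections import deque


class Queue:
    """One output queue: number, scheduler priority, transmit-rate share and a
    constructed backlog of packet sizes in bytes."""

    def __init__(self, num, priority, transmit_pct, packet_sizes):
        if priority not in ("strict-high", "low"):
            raise ValueError("priority must be 'strict-high' or 'low'")
        self.num = num
        self.priority = priority
        self.transmit_pct = transmit_pct
        self.packets = deque(packet_sizes)


def schedule_cycle(queues, link_bytes):
    """Transmit up to link_bytes from the queues in one scheduling cycle and
    return {queue number: bytes sent}. Packets are never split."""
    sent = {q.num: 0 for q in queues}
    remaining = link_bytes

    def send_from(q, budget):
        # Move whole packets from q while they fit both the budget and the link.
        nonlocal remaining
        moved = 0
        while q.packets and q.packets[0] <= min(budget - moved, remaining):
            size = q.packets.popleft()
            moved += size
            remaining -= size
        sent[q.num] += moved
        return moved

    # 1. Strict-high queues: highest queue number first, no bandwidth cap.
    strict = [q for q in queues if q.priority == "strict-high"]
    for q in sorted(strict, key=lambda q: q.num, reverse=True):
        send_from(q, remaining)

    # 2. Low-priority queues, in-profile pass: each gets its configured share
    #    of the link (transmit-rate percent), which is the guaranteed part.
    low = sorted((q for q in queues if q.priority == "low"), key=lambda q: q.num)
    for q in low:
        send_from(q, link_bytes * q.transmit_pct // 100)

    # 3. Excess pass: whatever the strict-high and in-profile passes left over
    #    is handed one packet at a time, round robin, to low queues that are
    #    still backlogged. This is how a queue exceeds its configured rate.
    progress = True
    while remaining > 0 and progress:
        progress = False
        for q in low:
            if q.packets and send_from(q, q.packets[0]):
                progress = True
    return sent


def starvation_demo():
    """Two strict-high queues offering 800 of 1000 bytes leave 200 bytes for
    best-effort (35 percent configured) and nothing for video (15 percent)."""
    queues = [
        Queue(7, "strict-high", 5, [100, 100]),          # network-control
        Queue(6, "strict-high", 10, [200, 200, 200]),    # voice
        Queue(4, "low", 15, [100] * 10),                 # video
        Queue(0, "low", 35, [100] * 10),                 # best-effort
    ]
    return schedule_cycle(queues, 1000)


if __name__ == "__main__":
    print(starvation_demo())
```

The starvation case is the one to keep in mind when a strict-high scheduler is attached to a queue that untrusted hosts can reach through a classifier: the configured transmit rate of a low queue is a guarantee only against other low queues, never against strict-high traffic.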

Scheduler Drop-Profile Maps


Drop-profile maps associate drop profiles with a scheduler. A drop-profile map sets
the drop profile for a specific packet loss priority (PLP) and protocol type: the inputs
to the drop-profile map are the PLP and the protocol type, and the output is the drop
profile.


Scheduler Maps
A scheduler map associates a specified forwarding class with a scheduler
configuration. After configuring a scheduler, you must include it in a scheduler map
and then associate the scheduler map with an output interface.
EX-series switches allow you to associate up to four user-defined scheduler maps
with interfaces.
Related Topics

Understanding JUNOS CoS Components for EX-series Switches on page 995

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Schedulers (CLI Procedure) on page 1038

Defining CoS Schedulers (J-Web Procedure) on page 1038

Understanding CoS Two-Color Marking


Networks police traffic by limiting the input or output transmission rate of a class of
traffic on the basis of user-defined criteria. Policing traffic allows you to control the
maximum rate of traffic sent or received on an interface and to partition a network
into multiple priority levels or classes of service.
Policers require you to apply limits to the traffic flow and set a consequence for
packets that exceed these limits, usually a higher loss priority, so that packets
exceeding the policer limits are discarded first.
EX-series switches support a single-rate two-color marking type of policer, which is
a simplified version of single-rate three-color marking, defined in RFC 2697, A
Single Rate Three Color Marker. This type of policer meters traffic based on the
configured committed information rate (CIR) and committed burst size (CBS).
The single-rate two-color marker meters traffic and marks incoming packets
depending on whether they fit within the committed burst size (CBS), in which case
they are marked green, or exceed it, in which case they are marked red.
The single-rate two-color marking policer operates in color-blind mode. In this mode,
the policer's actions are not affected by any previous marking or metering of the
examined packets. In other words, the policer is blind to any previous coloring a
packet might have had.
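A color-blind single-rate two-color marker in Python, added here as an example of the metering just described; it is not Juniper code. It keeps a token bucket of depth CBS bytes that refills at CIR bits per second: a packet that fits in the bucket is green and consumes tokens, any other is red. The rates, the packet stream and the prior_color argument are constructed for the example; prior_color exists only to show that color-blind mode ignores it.

```python
class TwoColorMarker:
    """Color-blind single-rate two-color marker: a token bucket of depth CBS
    bytes refilled at CIR bits per second (RFC 2697 without the EBS stage)."""

    def __init__(self, cir_bps, cbs_bytes):
        if cir_bps <= 0 or cbs_bytes <= 0:
            raise ValueError("CIR and CBS must be positive")
        self.cir_bytes_per_s = cir_bps / 8
        self.cbs = cbs_bytes
        self.tokens = float(cbs_bytes)   # bucket starts full
        self.last = 0.0                  # time of the last refill, seconds

    def _refill(self, now):
        if now < self.last:
            raise ValueError("timestamps must not go backwards")
        self.tokens = min(self.cbs,
                          self.tokens + (now - self.last) * self.cir_bytes_per_s)
        self.last = now

    def mark(self, size_bytes, now, prior_color=None):
        """Return "green" or "red" for a packet of size_bytes arriving at now.

        prior_color is deliberately ignored: in color-blind mode an earlier
        marking by another policer has no influence on this decision.
        """
        self._refill(now)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes      # in profile: consume tokens
            return "green"
        return "red"                       # out of profile: tokens untouched


def meter_stream(cir_bps, cbs_bytes, packets):
    """Meter a list of (arrival_time_s, size_bytes[, prior_color]) tuples and
    return the colors assigned, in arrival order."""
    marker = TwoColorMarker(cir_bps, cbs_bytes)
    return [marker.mark(p[1], p[0], *p[2:]) for p in packets]


# Constructed stream against CIR 8000 bps (1000 bytes/s) and CBS 1500 bytes.
SAMPLE_PACKETS = [
    (0.0, 1000),            # fits the full bucket: green, 500 tokens left
    (0.0, 1000, "green"),   # only 500 tokens: red; the prior color is ignored
    (0.5, 1000),            # 0.5 s refills 500 -> 1000 tokens: green, 0 left
    (1.0, 600),             # 500 tokens: red
    (1.0, 400),             # still 500 tokens: green, 100 left
    (3.0, 1500),            # bucket capped at CBS after 2 s idle: green
]

if __name__ == "__main__":
    print(meter_stream(8000, 1500, SAMPLE_PACKETS))
```

A packet larger than CBS can never be green, whatever the idle time before it, because the bucket never holds more than CBS bytes; that is the burst ceiling a policer imposes independently of the rate.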
Related Topics

Understanding JUNOS CoS Components for EX-series Switches on page 995

Understanding the Use of Policers in Firewall Filters on page 921

Configuring Policers to Control Traffic Rates (CLI Procedure) on page 954

Understanding CoS Rewrite Rules


As packets enter or exit a network, edge switches might be required to alter the
class-of-service (CoS) settings of the packets. Rewrite rules set the value of the CoS
bits within the packet's header. Each rewrite rule reads the current forwarding class
and loss priority associated with the packet, locates the chosen CoS value from a
table, and writes this CoS value into the packet header.
In effect, the rewrite rule performs the opposite function of the behavior aggregate
(BA) classifier used when the packet enters the switch. As the packet leaves the
switch, the final CoS action is generally the application of a rewrite rule.
You configure rewrite rules to alter CoS values in outgoing packets on the outbound
interfaces of an edge switch to meet the policies of a targeted peer. This allows the
downstream switch in a neighboring network to classify each packet into the
appropriate service group.

NOTE: When an IP precedence rewrite rule is active, bits 3, 4, and 5 of the ToS byte
are always reset to zero when code points are rewritten.

Default Rewrite Rule on page 1008

Default Rewrite Rule


By default, rewrite rules are applied to routed packets and are not applied to forwarded
packets. If you want to apply a rewrite rule, you can either configure your own rule
or apply a default rewrite rule.
Table 145 on page 1008 shows the default rewrite rule mappings. These are based on
the default bit definitions of DSCP, IEEE 802.1p, and IP precedence values and the
default forwarding classes.
When the CoS values of a packet match the forwarding class and packet loss priority
(PLP) values, the switch rewrites the markings on the packet based on the rewrite-rule
table.
Table 145: Default Packet Header Rewrite Mappings

Map from Forwarding Class   PLP Value   Map to DSCP/IEEE/IP
expedited-forwarding        low         ef
expedited-forwarding        high        ef
assured-forwarding          low         af11
assured-forwarding          high        af12 (DSCP)
best-effort                 low         be
best-effort                 high        be
network-control             low         nc1/cs6
network-control             high        nc2/cs7
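Table 145 applied to an IPv4 ToS byte, as an added Python example (not Juniper code). The numeric DSCP values are the standard RFC 2474, 2597 and 3246 code points, and nc1/nc2 are the JUNOS aliases for cs6/cs7. Bit numbering follows RFC 791 with bit 0 as the most significant bit, so the "bits 3, 4, and 5" of the note are mask 0x1C. The precedence variant assumes that an IP precedence rewrite writes the top three bits of the mapped DSCP and, as the note states, clears bits 3 to 5; treating the two ECN bits as untouched in both variants is an assumption the page does not state.

```python
# Numeric DSCP values (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF);
# nc1 and nc2 are the JUNOS aliases for cs6 and cs7.
DSCP = {"be": 0, "af11": 10, "af12": 12, "ef": 46, "cs6": 48, "cs7": 56}

# Default rewrite table (Table 145): (forwarding class, loss priority) -> code point.
DEFAULT_REWRITE = {
    ("expedited-forwarding", "low"): "ef",
    ("expedited-forwarding", "high"): "ef",
    ("assured-forwarding", "low"): "af11",
    ("assured-forwarding", "high"): "af12",
    ("best-effort", "low"): "be",
    ("best-effort", "high"): "be",
    ("network-control", "low"): "cs6",    # nc1
    ("network-control", "high"): "cs7",   # nc2
}

ECN_MASK = 0x03   # bits 6-7 of the ToS byte (RFC 791 numbering, bit 0 = MSB)
DTR_MASK = 0x1C   # bits 3-5, the old delay/throughput/reliability flags


def rewrite_dscp(tos, forwarding_class, plp):
    """DSCP rewrite: replace the top six bits of the ToS byte with the mapped
    code point; the two ECN bits are left as they were (assumption)."""
    code_point = DSCP[DEFAULT_REWRITE[(forwarding_class, plp)]]
    return (code_point << 2) | (tos & ECN_MASK)


def rewrite_precedence(tos, forwarding_class, plp):
    """IP precedence rewrite: only bits 0-2 carry the mapped value and bits
    3, 4 and 5 are reset to zero, as the note above says. Assumption: the
    precedence written is the top three bits of the mapped DSCP (ef -> 101,
    af1x -> 001, be -> 000, cs6 -> 110, cs7 -> 111); bits 6-7 are untouched."""
    code_point = DSCP[DEFAULT_REWRITE[(forwarding_class, plp)]]
    precedence = code_point >> 3
    return (precedence << 5) | (tos & ECN_MASK)


def split_tos(tos):
    """Decode a ToS byte into (precedence, dscp, dtr bits, ecn) for inspection."""
    return (tos >> 5, tos >> 2, (tos & DTR_MASK) >> 2, tos & ECN_MASK)


if __name__ == "__main__":
    # A best-effort packet that arrived with the old DTR flags set (0x1C):
    # the precedence rewrite clears them, the DSCP rewrite overwrites them.
    print(hex(rewrite_precedence(0x1C, "best-effort", "low")),
          hex(rewrite_dscp(0x1C, "best-effort", "low")))
    print(split_tos(rewrite_precedence(0x1F, "expedited-forwarding", "high")))
```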

Related Topics

Understanding JUNOS CoS Components for EX-series Switches on page 995

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Rewrite Rules (CLI Procedure) on page 1042

Defining CoS Rewrite Rules (J-Web Procedure) on page 1042

Chapter 57

Examples of Configuring CoS

Example: Configuring CoS on EX-series Switches on page 1011

Example: Configuring CoS on EX-series Switches


Configure class of service (CoS) on your switch to manage traffic so that when the
network experiences congestion and delay, critical applications are protected. Using
CoS, you can divide traffic on your switch into classes and provide various levels of
throughput and packet loss. This is especially important for traffic that is sensitive
to jitter and delay, such as voice traffic.
This example shows how to configure CoS on a single EX-series switch in the network.

Requirements on page 1011

Overview and Topology on page 1011

Configuration on page 1014

Verification on page 1025

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX-series switches

One Juniper Networks EX-series 3200 switch

Overview and Topology


This example uses the topology shown in Figure 52 on page 1012.

Figure 52: Topology for Configuring CoS

The topology for this configuration example consists of one EX-series switch at the
access layer.
The EX-series access switch is configured to support VLAN membership. Switch ports
ge-0/0/0 and ge-0/0/1 are assigned to the voice-vlan for two VoIP phones. Switch
port ge-0/0/2 is assigned to the camera-vlan for the surveillance camera. Switch ports
ge-0/0/3, ge-0/0/4, ge-0/0/5, and ge-0/0/6 are assigned to the server-vlan for the
servers hosting various applications such as those provided by Citrix, Microsoft,
Oracle, and SAP.
Table 146 on page 1013 shows the VLAN configuration components.

Table 146: Configuration Components: VLANs

VLAN Name     VLAN ID   VLAN Subnet and Available IP Addresses               VLAN Description
voice-vlan    10        192.168.1.0/32; 192.168.1.1 through 192.168.1.11;    Voice VLAN used for employee VoIP
                        192.168.1.12 is the subnet's broadcast address.      communication.
camera-vlan   20        192.168.1.13/32; 192.168.1.14 through 192.168.1.20;  VLAN for the surveillance cameras.
                        192.168.1.21 is the subnet's broadcast address.
server-vlan   30        192.168.1.22/32; 192.168.1.23 through 192.168.1.35;  VLAN for the servers hosting
                        192.168.1.36 is the subnet's broadcast address.      enterprise applications.

Ports on the EX-series switches support Power over Ethernet (PoE) to provide both
network connectivity and power for VoIP telephones connecting to the ports.
Table 147 on page 1013 shows the switch interfaces that are assigned to the VLANs
and the IP addresses for devices connected to the switch ports:
Table 147: Configuration Components: Switch Ports on a 48-Port All-PoE Switch

Interfaces                               VLAN Membership   IP Addresses                        Port Devices
ge-0/0/0, ge-0/0/1                       voice-vlan        192.168.1.1 through 192.168.1.2     Two VoIP telephones.
ge-0/0/2                                 camera-vlan       192.168.1.14                        Surveillance camera.
ge-0/0/3, ge-0/0/4, ge-0/0/5, ge-0/0/6   server-vlan       192.168.1.23 through 192.168.1.26   Four servers hosting applications such as those
                                                                                               provided by Citrix, Microsoft, Oracle, and SAP.

NOTE: This example shows how to configure CoS on a single EX-series switch. This
example does not consider across-the-network applications of CoS in which you
might implement different configurations on ingress and egress switches to provide
differentiated treatment to different classes across a set of nodes in a network.

Configuration
CLI Quick Configuration

To quickly configure CoS, copy the following commands and paste them into the
switch terminal window:

[edit]
set class-of-service forwarding-classes class app queue-num 5
set class-of-service forwarding-classes class mail queue-num 1
set class-of-service forwarding-classes class db queue-num 2
set class-of-service forwarding-classes class erp queue-num 3
set class-of-service forwarding-classes class video queue-num 4
set class-of-service forwarding-classes class best-effort queue-num 0
set class-of-service forwarding-classes class voice queue-num 6
set class-of-service forwarding-classes class network-control queue-num 7
set firewall family ethernet-switching filter voip_class term voip from source-address 192.168.1.1/32
set firewall family ethernet-switching filter voip_class term voip from source-address 192.168.1.2/32
set firewall family ethernet-switching filter voip_class term voip from protocol udp
set firewall family ethernet-switching filter voip_class term voip from source-port 2698
set firewall family ethernet-switching filter voip_class term voip then forwarding-class voice loss-priority low
set firewall family ethernet-switching filter voip_class term network_control from precedence [net-control internet-control]
set firewall family ethernet-switching filter voip_class term network_control then forwarding-class network-control loss-priority low
set firewall family ethernet-switching filter voip_class term best_effort_traffic then forwarding-class best-effort loss-priority low
set interfaces ge-0/0/0 description phone1voip-ingress-port
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input voip_class
set interfaces ge-0/0/1 description phone2voip-ingress-port
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input voip_class
set firewall family ethernet-switching filter video_class term video from source-address 192.168.1.14/32
set firewall family ethernet-switching filter video_class term video from protocol udp
set firewall family ethernet-switching filter video_class term video from source-port 2979
set firewall family ethernet-switching filter video_class term video then forwarding-class video loss-priority low
set firewall family ethernet-switching filter video_class term network_control from precedence [net-control internet-control]
set firewall family ethernet-switching filter video_class term network_control then forwarding-class network-control loss-priority low
set firewall family ethernet-switching filter video_class term best_effort_traffic then forwarding-class best-effort loss-priority low
set interfaces ge-0/0/2 description video-ingress-port
set interfaces ge-0/0/2 unit 0 family ethernet-switching filter input video_class
set firewall family ethernet-switching filter app_class term app from source-address 192.168.1.23/32
set firewall family ethernet-switching filter app_class term app from protocol tcp
set firewall family ethernet-switching filter app_class term app from source-port [1494 2512 2513 2598 2897]
set firewall family ethernet-switching filter app_class term app then forwarding-class app loss-priority low
set firewall family ethernet-switching filter app_class term mail from source-address 192.168.1.24/32
set firewall family ethernet-switching filter app_class term mail from protocol tcp
set firewall family ethernet-switching filter app_class term mail from source-port [25 143 389 691 993 3268 3269]
set firewall family ethernet-switching filter app_class term mail then forwarding-class mail loss-priority low
set firewall family ethernet-switching filter app_class term db from source-address 192.168.1.25/32
set firewall family ethernet-switching filter app_class term db from protocol tcp
set firewall family ethernet-switching filter app_class term db from source-port [1521 1525 1527 1571 1810 2481]
set firewall family ethernet-switching filter app_class term db then forwarding-class db loss-priority low
set firewall family ethernet-switching filter app_class term erp from source-address 192.168.1.26/32
set firewall family ethernet-switching filter app_class term erp from protocol tcp
set firewall family ethernet-switching filter app_class term erp from source-port [3200 3300 3301 3600]
set firewall family ethernet-switching filter app_class term erp then forwarding-class erp loss-priority low
set firewall family ethernet-switching filter app_class term network_control from precedence [net-control internet-control]
set firewall family ethernet-switching filter app_class term network_control then forwarding-class network-control loss-priority low
set firewall family ethernet-switching filter app_class term best_effort_traffic then forwarding-class best-effort loss-priority low
set interfaces ge-0/0/3 unit 0 family ethernet-switching filter input app_class
set interfaces ge-0/0/4 unit 0 family ethernet-switching filter input app_class
set interfaces ge-0/0/5 unit 0 family ethernet-switching filter input app_class
set interfaces ge-0/0/6 unit 0 family ethernet-switching filter input app_class
set class-of-service schedulers voice-sched buffer-size percent 10
set class-of-service schedulers voice-sched priority strict-high
set class-of-service schedulers voice-sched transmit-rate percent 10
set class-of-service schedulers video-sched buffer-size percent 15
set class-of-service schedulers video-sched priority low
set class-of-service schedulers video-sched transmit-rate percent 15
set class-of-service schedulers app-sched buffer-size percent 10
set class-of-service schedulers app-sched priority low
set class-of-service schedulers app-sched transmit-rate percent 10
set class-of-service schedulers mail-sched buffer-size percent 5
set class-of-service schedulers mail-sched priority low
set class-of-service schedulers mail-sched transmit-rate percent 5
set class-of-service schedulers db-sched buffer-size percent 10
set class-of-service schedulers db-sched priority low
set class-of-service schedulers db-sched transmit-rate percent 10
set class-of-service schedulers erp-sched buffer-size percent 10
set class-of-service schedulers erp-sched priority low
set class-of-service schedulers erp-sched transmit-rate percent 10
set class-of-service schedulers nc-sched buffer-size percent 5
set class-of-service schedulers nc-sched priority strict-high
set class-of-service schedulers nc-sched transmit-rate percent 5
set class-of-service schedulers be-sched buffer-size percent 35
set class-of-service schedulers be-sched priority low
set class-of-service schedulers be-sched transmit-rate percent 35
set class-of-service scheduler-maps ethernet-cos-map forwarding-class voice scheduler voice-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class video scheduler video-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class app scheduler app-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class mail scheduler mail-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class db scheduler db-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class erp scheduler erp-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class network-control scheduler nc-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class best-effort scheduler be-sched
set class-of-service interfaces ge-0/0/20 scheduler-map ethernet-cos-map

Step-by-Step Procedure

To configure and apply CoS:

1. Configure one-to-one mapping between eight forwarding classes and eight queues:
[edit class-of-service]
user@switch# set forwarding-classes class app queue-num 5
user@switch# set forwarding-classes class mail queue-num 1
user@switch# set forwarding-classes class db queue-num 2
user@switch# set forwarding-classes class erp queue-num 3
user@switch# set forwarding-classes class video queue-num 4
user@switch# set forwarding-classes class best-effort queue-num 0
user@switch# set forwarding-classes class voice queue-num 6
user@switch# set forwarding-classes class network-control queue-num 7

2. Define the firewall filter voip_class to classify the VoIP traffic:

[edit firewall]
user@switch# set family ethernet-switching filter voip_class

3. Define the term voip:

[edit firewall]
user@switch# set family ethernet-switching filter voip_class term voip from source-address 192.168.1.1/32
user@switch# set family ethernet-switching filter voip_class term voip from source-address 192.168.1.2/32
user@switch# set family ethernet-switching filter voip_class term voip from protocol udp
user@switch# set family ethernet-switching filter voip_class term voip from source-port 2698
user@switch# set family ethernet-switching filter voip_class term voip then forwarding-class voice loss-priority low

4. Define the term network_control:

[edit firewall]
user@switch# set family ethernet-switching filter voip_class term network_control from precedence [net-control internet-control]
user@switch# set family ethernet-switching filter voip_class term network_control then forwarding-class network-control loss-priority low

5. Define the term best_effort_traffic with no match conditions:

[edit firewall]
user@switch# set family ethernet-switching filter voip_class term best_effort_traffic then forwarding-class best-effort loss-priority low

6. Apply the firewall filter voip_class as an input filter to the interfaces for the VoIP phones:

[edit interfaces]
user@switch# set ge-0/0/0 description phone1voip-ingress-port
user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input voip_class
user@switch# set ge-0/0/1 description phone2voip-ingress-port
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input voip_class

7. Define the firewall filter video_class to classify the video traffic:

[edit firewall]
user@switch# set family ethernet-switching filter video_class

8. Define the term video:

[edit firewall]
user@switch# set family ethernet-switching filter video_class term video from source-address 192.168.1.14/32
user@switch# set family ethernet-switching filter video_class term video from protocol udp
user@switch# set family ethernet-switching filter video_class term video from source-port 2979
user@switch# set family ethernet-switching filter video_class term video then forwarding-class video loss-priority low

9. Define the term network_control (for the video_class filter):

[edit firewall]
user@switch# set family ethernet-switching filter video_class term network_control from precedence [net-control internet-control]
user@switch# set family ethernet-switching filter video_class term network_control then forwarding-class network-control loss-priority low

10. Define the term best_effort_traffic (for the video_class filter):

[edit firewall]
user@switch# set family ethernet-switching filter video_class term best_effort_traffic then forwarding-class best-effort loss-priority low

11. Apply the firewall filter video_class as an input filter to the interface for the surveillance camera:

[edit interfaces]
user@switch# set ge-0/0/2 description video-ingress-port
user@switch# set ge-0/0/2 unit 0 family ethernet-switching filter input video_class

12. Define the firewall filter app_class to classify the application server traffic:

[edit firewall]
user@switch# set family ethernet-switching filter app_class

13. Define the term app:

[edit firewall]
user@switch# set family ethernet-switching filter app_class term app from source-address 192.168.1.23/32
user@switch# set family ethernet-switching filter app_class term app from protocol tcp
user@switch# set family ethernet-switching filter app_class term app from source-port [1494 2512 2513 2598 2897]
user@switch# set family ethernet-switching filter app_class term app then forwarding-class app loss-priority low

14. Define the term mail:

[edit firewall]
user@switch# set family ethernet-switching filter app_class term mail from source-address 192.168.1.24/32
user@switch# set family ethernet-switching filter app_class term mail from protocol tcp
user@switch# set family ethernet-switching filter app_class term mail from source-port [25 143 389 691 993 3268 3269]
user@switch# set family ethernet-switching filter app_class term mail then forwarding-class mail loss-priority low

15. Define the term db:

[edit firewall]
user@switch# set family ethernet-switching filter app_class term db from source-address 192.168.1.25/32
user@switch# set family ethernet-switching filter app_class term db from protocol tcp
user@switch# set family ethernet-switching filter app_class term db from source-port [1521 1525 1527 1571 1810 2481]
user@switch# set family ethernet-switching filter app_class term db then forwarding-class db loss-priority low

16. Define the term erp:

[edit firewall]
user@switch# set family ethernet-switching filter app_class term erp from source-address 192.168.1.26/32
user@switch# set family ethernet-switching filter app_class term erp from protocol tcp
user@switch# set family ethernet-switching filter app_class term erp from source-port [3200 3300 3301 3600]
user@switch# set family ethernet-switching filter app_class term erp then forwarding-class erp loss-priority low

17. Define the term network_control (for the app_class filter):

[edit firewall]
user@switch# set family ethernet-switching filter app_class term network_control from precedence [net-control internet-control]
user@switch# set family ethernet-switching filter app_class term network_control then forwarding-class network-control loss-priority low

18. Define the term best_effort_traffic (for the app_class filter):

[edit firewall]
user@switch# set family ethernet-switching filter app_class term best_effort_traffic then forwarding-class best-effort loss-priority low

19. Apply the firewall filter app_class as an input filter to the interfaces for the servers hosting applications:

[edit interfaces]
user@switch# set ge-0/0/3 unit 0 family ethernet-switching filter input app_class
user@switch# set ge-0/0/4 unit 0 family ethernet-switching filter input app_class
user@switch# set ge-0/0/5 unit 0 family ethernet-switching filter input app_class
user@switch# set ge-0/0/6 unit 0 family ethernet-switching filter input app_class

20. Configure schedulers:

[edit class-of-service]
user@switch# set schedulers voice-sched buffer-size percent 10
user@switch# set schedulers voice-sched priority strict-high
user@switch# set schedulers voice-sched transmit-rate percent 10
user@switch# set schedulers video-sched buffer-size percent 15
user@switch# set schedulers video-sched priority low
user@switch# set schedulers video-sched transmit-rate percent 15
user@switch# set schedulers app-sched buffer-size percent 10
user@switch# set schedulers app-sched priority low
user@switch# set schedulers app-sched transmit-rate percent 10
user@switch# set schedulers mail-sched buffer-size percent 5
user@switch# set schedulers mail-sched priority low
user@switch# set schedulers mail-sched transmit-rate percent 5
user@switch# set schedulers db-sched buffer-size percent 10
user@switch# set schedulers db-sched priority low
user@switch# set schedulers db-sched transmit-rate percent 10
user@switch# set schedulers erp-sched buffer-size percent 10
user@switch# set schedulers erp-sched priority low
user@switch# set schedulers erp-sched transmit-rate percent 10
user@switch# set schedulers nc-sched buffer-size percent 5
user@switch# set schedulers nc-sched priority strict-high
user@switch# set schedulers nc-sched transmit-rate percent 5
user@switch# set schedulers be-sched buffer-size percent 35
user@switch# set schedulers be-sched priority low
user@switch# set schedulers be-sched transmit-rate percent 35

21. Assign the forwarding classes to schedulers with the scheduler map ethernet-cos-map:

[edit class-of-service]
user@switch# set scheduler-maps ethernet-cos-map forwarding-class voice scheduler voice-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class video scheduler video-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class app scheduler app-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class mail scheduler mail-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class db scheduler db-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class erp scheduler erp-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class network-control scheduler nc-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class best-effort scheduler be-sched

22. Associate the scheduler map with the outgoing interface:

[edit class-of-service interfaces]
user@switch# set ge-0/0/20 scheduler-map ethernet-cos-map

Results

Display the results of the configuration:


user@switch# show firewall
family ethernet-switching {
    filter voip_class {
        term voip {
            from {
                source-address {
                    192.168.1.1/32;
                    192.168.1.2/32;
                }
                protocol udp;
                source-port 2698;
            }
            then {
                forwarding-class voice;
                loss-priority low;
            }
        }
        term network_control {
            from {
                precedence [net-control internet-control];
            }
            then {
                forwarding-class network-control;
                loss-priority low;
            }
        }
        term best_effort_traffic {
            then {
                forwarding-class best-effort;
                loss-priority low;
            }
        }
    }
    filter video_class {
        term video {
            from {
                source-address {
                    192.168.1.14/32;
                }
                protocol udp;
                source-port 2979;
            }
            then {
                forwarding-class video;
                loss-priority low;
            }
        }
        term network_control {
            from {
                precedence [net-control internet-control];
            }
            then {
                forwarding-class network-control;
                loss-priority low;
            }
        }
        term best_effort_traffic {
            then {
                forwarding-class best-effort;
                loss-priority low;
            }
        }
    }
    filter app_class {
        term app {
            from {
                source-address {
                    192.168.1.23/32;
                }
                protocol tcp;
                source-port [1494 2512 2513 2598 2897];
            }
            then {
                forwarding-class app;
                loss-priority low;
            }
        }
        term mail {
            from {
                source-address {
                    192.168.1.24/32;
                }
                protocol tcp;
                source-port [25 143 389 691 993 3268 3269];
            }
            then {
                forwarding-class mail;
                loss-priority low;
            }
        }
        term db {
            from {
                source-address {
                    192.168.1.25/32;
                }
                protocol tcp;
                source-port [1521 1525 1527 1571 1810 2481];
            }
            then {
                forwarding-class db;
                loss-priority low;
            }
        }
        term erp {
            from {
                source-address {
                    192.168.1.26/32;
                }
                protocol tcp;
                source-port [3200 3300 3301 3600];
            }
            then {
                forwarding-class erp;
                loss-priority low;
            }
        }
        term network_control {
            from {
                precedence [net-control internet-control];
            }
            then {
                forwarding-class network-control;
                loss-priority low;
            }
        }
        term best_effort_traffic {
            then {
                forwarding-class best-effort;
                loss-priority low;
            }
        }
    }
}
user@switch# show class-of-service
forwarding-classes {
class app queue-num 5;
class mail queue-num 1;
class db queue-num 2;
class erp queue-num 3;
class video queue-num 4;
class best-effort queue-num 0;
class voice queue-num 6;
class network-control queue-num 7;
}
schedulers {
voice-sched {
buffer-size percent 10;
priority strict-high;
transmit-rate percent 10;
}
video-sched {
buffer-size percent 15;
priority low;
transmit-rate percent 15;
}
app-sched {
buffer-size percent 10;
priority low;
transmit-rate percent 10;
}
mail-sched {
buffer-size percent 5;
priority low;
transmit-rate percent 5;
}
db-sched {
buffer-size percent 10;
priority low;
transmit-rate percent 10;
}
erp-sched {
buffer-size percent 10;
priority low;
transmit-rate percent 10;
}
nc-sched {
buffer-size percent 5;
priority strict-high;
transmit-rate percent 5;
}
be-sched {
buffer-size percent 35;
priority low;
transmit-rate percent 35;
}

}
scheduler-maps {
ethernet-cos-map {
forwarding-class voice scheduler voice-sched;
forwarding-class video scheduler video-sched;
forwarding-class app scheduler app-sched;
forwarding-class mail scheduler mail-sched;
forwarding-class db scheduler db-sched;
forwarding-class erp scheduler erp-sched;
forwarding-class network-control scheduler nc-sched;
forwarding-class best-effort scheduler be-sched;
}
}
user@switch# show interfaces
ge-0/0/0 {
unit 0 {
family ethernet {
filter {
input voip_class;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet {
filter {
input voip_class;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet {
filter {
input video_class;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet {
filter {
input app_class;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet {
filter {

input app_class;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet {
filter {
input app_class;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet {
filter {
input app_class;
}
}
}
}
ge-0/0/20 {
scheduler-map ethernet-cos-map;
}
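The firewall filters in this configuration are multifield classifiers: the terms of a filter are evaluated in order, the first matching term's then clause sets the forwarding class and loss priority, and the final best_effort_traffic term (which has no from clause) catches everything else. The following Python model is added here as an illustration; it is not code from the Juniper guide or from JUNOS. It encodes the video_class and app_class filters and the forwarding-classes stanza above as data, evaluates constructed packets against them with first-match semantics, and maps the result to its output queue. The term names follow the configuration (the network-control term is written network_control, since a JUNOS term name cannot contain a space); the precedence aliases net-control (111) and internet-control (110) are the standard JUNOS IP precedence aliases; the Packet class and its fields are assumptions of this model.

```python
"""Model of JUNOS multifield classification with firewall filters.

Added example, not code from the Juniper guide or from JUNOS: filter terms are
evaluated first-match; the winning term's 'then' clause sets the forwarding
class and loss priority, and the forwarding class selects the output queue."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Standard JUNOS IP precedence aliases (values of the high-order three TOS bits).
PRECEDENCE_ALIASES = {
    "routine": 0, "priority": 1, "immediate": 2, "flash": 3,
    "flash-override": 4, "critical": 5, "internet-control": 6, "net-control": 7,
}

# forwarding-classes stanza from the example configuration above.
QUEUE_OF = {
    "app": 5, "mail": 1, "db": 2, "erp": 3, "video": 4,
    "best-effort": 0, "voice": 6, "network-control": 7,
}


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary (an assumption of this model): only the
    header fields the filters inspect."""
    src: str
    protocol: str      # "tcp" or "udp"
    sport: int
    tos: int = 0       # IPv4 TOS byte; precedence is its top three bits

    @property
    def precedence(self) -> int:
        return self.tos >> 5


@dataclass(frozen=True)
class Term:
    """One filter term: every configured 'from' condition must hold; a term
    with no conditions (the catch-all) matches every packet."""
    name: str
    forwarding_class: str
    loss_priority: str = "low"
    source_address: Optional[str] = None
    protocol: Optional[str] = None
    source_ports: Optional[FrozenSet[int]] = None
    precedence: Optional[FrozenSet[str]] = None   # precedence alias names

    def matches(self, p: Packet) -> bool:
        if self.source_address is not None and \
                ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.source_address):
            return False
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        if self.source_ports is not None and p.sport not in self.source_ports:
            return False
        if self.precedence is not None and \
                p.precedence not in {PRECEDENCE_ALIASES[a] for a in self.precedence}:
            return False
        return True


def _network_control() -> Term:
    return Term("network_control", "network-control",
                precedence=frozenset({"net-control", "internet-control"}))


def _best_effort() -> Term:
    return Term("best_effort_traffic", "best-effort")


def _host(term, fc, src, proto, ports) -> Term:
    return Term(term, fc, source_address=src, protocol=proto, source_ports=frozenset(ports))


# The video_class and app_class filters from the configuration, as ordered term lists.
FILTERS = {
    "video_class": [
        _host("video", "video", "192.168.1.14/32", "udp", {2979}),
        _network_control(), _best_effort(),
    ],
    "app_class": [
        _host("app", "app", "192.168.1.23/32", "tcp", {1491, 2512, 2513, 2598, 2897}),
        _host("mail", "mail", "192.168.1.24/32", "tcp", {25, 143, 389, 691, 993, 3268, 3269}),
        _host("db", "db", "192.168.1.25/32", "tcp", {1521, 1525, 1527, 1571, 1810, 2481}),
        _host("erp", "erp", "192.168.1.26/32", "tcp", {3200, 3300, 3301, 3600}),
        _network_control(), _best_effort(),
    ],
}


def classify(filter_name: str, p: Packet) -> Tuple[str, str, str, int]:
    """Return (term, forwarding-class, loss-priority, queue) for the first
    matching term, as the switch would for a packet entering that filter."""
    for term in FILTERS[filter_name]:
        if term.matches(p):
            return term.name, term.forwarding_class, term.loss_priority, QUEUE_OF[term.forwarding_class]
    raise LookupError("no term matched; every filter here ends with a catch-all term")


if __name__ == "__main__":
    samples = [
        ("video_class", Packet("192.168.1.14", "udp", 2979)),
        ("video_class", Packet("192.168.1.14", "tcp", 2979)),
        ("app_class", Packet("192.168.1.24", "tcp", 993)),
        ("app_class", Packet("10.0.0.9", "tcp", 179, tos=0xC0)),
        ("app_class", Packet("192.168.1.24", "tcp", 993, tos=0xE0)),
    ]
    for name, pkt in samples:
        print(name, pkt, "->", classify(name, pkt))
```

The model makes the ordering visible: a packet carrying the mail server's address and port is classified as mail even when it also carries net-control precedence, because the mail term precedes network_control, and anything that matches no host term, whatever its markings, ends up in the best-effort queue. Since the matched fields (source address, port and precedence bits) are set by the sending host, the filter's term order and the ports it is applied to decide what a host can claim.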

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That the Defined Forwarding Classes Exist and Are Mapped to Queues on page 1025

Verifying That the Forwarding Classes Have Been Assigned to Schedulers on page 1026

Verifying That the Scheduler Map Has Been Applied to the Interface on page 1027

Verifying That the Defined Forwarding Classes Exist and Are Mapped to Queues

Purpose

Verify that the following forwarding classes have been defined and mapped to queues: app, db, erp, mail, video, and voice.

Action

user@switch> show class-of-service forwarding-class
Forwarding class      ID   Queue
app                    0       5
db                     1       2
erp                    2       3
best-effort            3       0
mail                   4       1
voice                  5       6
video                  6       4
network-control        7       7

Meaning

This output shows that the forwarding classes have been defined and mapped to
appropriate queues.

Verifying That the Forwarding Classes Have Been Assigned to Schedulers

Purpose

Verify that the forwarding classes have been assigned to schedulers.

Action

user@switch> show class-of-service scheduler-map
Scheduler map: ethernet-cos-map, Index: 2

  Scheduler: voice-sched, Forwarding class: voice, Index: 22
    Transmit rate: 5 percent, Rate Limit: none, Buffer size: 15 percent,
    Priority: Strict-high
    Drop profiles:
      Loss priority   Protocol   Index   Name
      Low             non-TCP        1   <default-drop-profile>
      Low             TCP            1   <default-drop-profile>
      High            non-TCP        1   <default-drop-profile>
      High            TCP            1   <default-drop-profile>

  Scheduler: video-sched, Forwarding class: video, Index: 22
    Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol   Index   Name
      Low             non-TCP        1   <default-drop-profile>
      Low             TCP            1   <default-drop-profile>
      High            non-TCP        1   <default-drop-profile>
      High            TCP            1   <default-drop-profile>

  Scheduler: app-sched, Forwarding class: app, Index: 22
    Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol   Index   Name
      Low             non-TCP        1   <default-drop-profile>
      Low             TCP            1   <default-drop-profile>
      High            non-TCP        1   <default-drop-profile>
      High            TCP            1   <default-drop-profile>

  Scheduler: mail-sched, Forwarding class: mail, Index: 22
    Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol   Index   Name
      Low             non-TCP        1   <default-drop-profile>
      Low             TCP            1   <default-drop-profile>
      High            non-TCP        1   <default-drop-profile>
      High            TCP            1   <default-drop-profile>

  Scheduler: db-sched, Forwarding class: db, Index: 22
    Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol   Index   Name
      Low             non-TCP        1   <default-drop-profile>
      Low             TCP            1   <default-drop-profile>
      High            non-TCP        1   <default-drop-profile>
      High            TCP            1   <default-drop-profile>

  Scheduler: erp-sched, Forwarding class: erp, Index: 22
    Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol   Index   Name
      Low             non-TCP        1   <default-drop-profile>
      Low             TCP            1   <default-drop-profile>
      High            non-TCP        1   <default-drop-profile>
      High            TCP            1   <default-drop-profile>

  Scheduler: be-sched, Forwarding class: best-effort, Index: 20
    Transmit rate: 35 percent, Rate Limit: none, Buffer size: 35 percent,
    Priority: low
    Drop profiles:
      Loss priority   Protocol   Index   Name
      Low             non-TCP        1   <default-drop-profile>
      Low             TCP            1   <default-drop-profile>
      High            non-TCP        1   <default-drop-profile>
      High            TCP            1   <default-drop-profile>

  Scheduler: nc-sched, Forwarding class: network-control, Index: 22
    Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent,
    Priority: Strict-high
    Drop profiles:
      Loss priority   Protocol   Index   Name
      Low             non-TCP        1   <default-drop-profile>
      Low             TCP            1   <default-drop-profile>
      High            non-TCP        1   <default-drop-profile>
      High            TCP            1   <default-drop-profile>

Meaning

This output shows that the forwarding classes have been assigned to schedulers.

Verifying That the Scheduler Map Has Been Applied to the Interface

Purpose

Verify that the scheduler map has been applied to the interface.

Action

user@switch> show class-of-service interface
...
Physical interface: ge-0/0/20, Index: 149
Queues supported: 8, Queues in use: 8
Scheduler map: ethernet-cos-map, Index: 43366
Input scheduler map: <default>, Index: 3
...

Meaning

This output shows that the scheduler map (ethernet-cos-map) has been applied to the
interface (ge-0/0/20).

Related Topics

Defining CoS Code-Point Aliases (CLI Procedure) on page 1032

Defining CoS Classifiers (CLI Procedure) on page 1033

Defining CoS Forwarding Classes (CLI Procedure) on page 1036

Defining CoS Schedulers (CLI Procedure) on page 1038

Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1041

Assigning CoS Components to Interfaces (CLI Procedure) on page 1044

Configuring Firewall Filters (CLI Procedure) on page 945

Chapter 58

Configuring CoS

Configuring CoS (J-Web Procedure) on page 1029

Defining CoS Code-Point Aliases (J-Web Procedure) on page 1030

Defining CoS Code-Point Aliases (CLI Procedure) on page 1032

Defining CoS Classifiers (CLI Procedure) on page 1033

Defining CoS Classifiers (J-Web Procedure) on page 1034

Defining CoS Forwarding Classes (CLI Procedure) on page 1036

Defining CoS Forwarding Classes (J-Web Procedure) on page 1037

Defining CoS Schedulers (CLI Procedure) on page 1038

Defining CoS Schedulers (J-Web Procedure) on page 1038

Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1041

Defining CoS Rewrite Rules (CLI Procedure) on page 1042

Defining CoS Rewrite Rules (J-Web Procedure) on page 1042

Assigning CoS Components to Interfaces (CLI Procedure) on page 1044

Assigning CoS Components to Interfaces (J-Web Procedure) on page 1045

Configuring CoS (J-Web Procedure)


The Class of Service Configuration pages allow you to configure the JUNOS CoS
components. You can configure forwarding classes for transmitting packets, define
which packets are placed into each output queue, and schedule the transmission
service level for each queue. After defining the CoS components you must assign
classifiers to the required physical and logical interfaces.
Using the Class of Service Configuration pages, you can configure various CoS
components individually or in combination to define particular CoS services.
To configure CoS components:

1. In the J-Web interface, select Configure>Class of Service.

2. On the Class of Service Configuration page, select one of the following options
depending on the CoS component that you want to define. Enter information
into the pages as described in the respective table:

To define or edit CoS value aliases, select CoS Value Aliases.

To define or edit forwarding classes and assign queues, select Forwarding Classes.

To define or edit classifiers, select Classifiers.

To define or edit rewrite rules, select Rewrite Rules.

To define or edit schedulers, select Schedulers.

To define or edit virtual channel groups, select Interface Associations.

3. Click Apply after completing configuration on any Configuration page.

Related Topics

Defining CoS Classifiers (J-Web Procedure) on page 1034

Defining CoS Code-Point Aliases (J-Web Procedure) on page 1030

Defining CoS Forwarding Classes (J-Web Procedure) on page 1037

Defining CoS Rewrite Rules (J-Web Procedure) on page 1042

Defining CoS Schedulers (J-Web Procedure) on page 1038

Assigning CoS Components to Interfaces (J-Web Procedure) on page 1045

Defining CoS Code-Point Aliases (J-Web Procedure)


To define CoS Value Aliases, select Configure > Class of Service > CoS Value Aliases
in the J-Web interface.
Table 148 on page 1030 describes the related fields. By defining aliases you can assign
meaningful names to a particular set of bit values and refer to them when configuring
CoS components.
Table 148: CoS Value Aliases Configuration Pages Summary

CoS Value Alias Summary

Field: DSCP
Function: Allows you to define aliases for DiffServ code point (DSCP) IPv4 values. You can refer to these aliases when you configure classes and define classifiers.
Your Action: Click DSCP.

Field: IPv4 Precedence
Function: Allows you to define aliases for IPv4 precedence values. Precedence values are modified in the IPv4 type-of-service (TOS) field and mapped to values that correspond to levels of service.
Your Action: Click IPv4 Precedence.

Field: Alias Name
Function: Displays names given to CoS values, for example, af11 or be.
Your Action: None.

Field: Default Value
Function: Displays the default values mapped to standard aliases. For example, ef (expedited forwarding) is a standard alias for DSCP bits 101110. You cannot delete default values. The check box next to these values is unavailable.
Your Action: None.

Field: Configured Value
Function: Displays the CoS values that you have assigned to specific aliases. You can delete a configured alias.
Your Action: None.

Field: Add
Function: Opens a page that allows you to define CoS value aliases.
Your Action: Click Add.

Field: Delete
Function: Allows you to delete a configured CoS value alias. You cannot delete a default alias.
Your Action: Select the check box next to the CoS value alias and click Delete.

Add a CoS Value Alias

Field: CoS Value Alias
Function: Assigns a name to a CoS value. A CoS value can be of different types: DSCP or IP precedence.
Your Action: To define an alias for a CoS value, type a name, for example, my1.

Field: CoS Value Alias Bits
Function: Specifies the CoS value for which an alias is defined. Changing this value alters the behavior of all classifiers that refer to this alias.
Your Action: To specify a CoS value, type it in an appropriate format:
For DSCP CoS values, use the format xxxxxx, where x is 1 or 0, for example, 101110.
For IP precedence CoS values, use the format xxx, where x is 1 or 0, for example, 111.

Related Topics

Defining CoS Code-Point Aliases (CLI Procedure) on page 1032

Monitoring CoS Value Aliases on page 1053

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Code-Point Aliases (CLI Procedure)


You can use code-point aliases to streamline the process of configuring CoS features
on your EX-series switch. A code-point alias assigns a name to a pattern of code-point
bits. You can use this name instead of the bit pattern when you configure other CoS
components such as classifiers, drop-profile maps, and rewrite rules.
You can configure code-point aliases for the following CoS marker types:

DSCP: Handles incoming IPv4 packets.

IEEE 802.1p: Handles Layer 2 CoS.

Inet precedence: Handles incoming IPv4 packets. IP precedence mapping requires only the higher order three bits of the DSCP field.

To configure a code-point alias for a specified CoS marker type (dscp), assign an alias
(my1) to the code-point (110001):

[edit class-of-service code-point-aliases]
user@switch# set dscp my1 110001

Related Topics

Defining CoS Code-Point Aliases (J-Web Procedure) on page 1030

Example: Configuring CoS on EX-series Switches on page 1011

Monitoring CoS Value Aliases on page 1053

Understanding CoS Code-Point Aliases on page 997

Defining CoS Classifiers (CLI Procedure)


Packet classification associates incoming packets with a particular CoS servicing
level. Classifiers associate packets with a forwarding class and loss priority and, based
on the associated forwarding class, assign packets to output queues. JUNOS software
supports two general types of classifiers:

Behavior aggregate or CoS value traffic classifiers: Examine the CoS value in the packet header. The value in this single field determines the CoS settings applied to the packet. BA classifiers allow you to set the forwarding class and loss priority of a packet based on the Differentiated Services code point (DSCP) value, IP precedence value, and IEEE 802.1p value. The default classifier is based on the DSCP value.

Multifield traffic classifiers: Examine multiple fields in the packet such as source and destination addresses and source and destination port numbers of the packet. With multifield classifiers, you set the forwarding class and loss priority of a packet based on firewall filter rules.

This procedure describes how to configure the DSCP BA classifier ba-classifier as the
default DSCP map and apply it to the Gigabit Ethernet interface ge-0/0/0 of the
EX-series switch. The BA classifier assigns loss priorities, as shown in
Table 149 on page 1033, to incoming packets in the four forwarding classes.

Table 149: BA-classifier Loss Priority Assignments

Forwarding Class   For CoS Traffic Type            ba-classifier Assignment
be                 Best-effort traffic             High-priority code point: 000001
ef                 Expedited-forwarding traffic    High-priority code point: 101110
af                 Assured-forwarding traffic      High-priority code point: 001100
nc                 Network-control traffic         High-priority code point: 110001

To configure CoS classifiers using the CLI:

1. Associate code point 000001 with forwarding class be and loss priority high:

[edit class-of-service classifiers]
user@switch# set dscp ba-classifier import default forwarding-class be loss-priority high code-points 000001

2. Associate code point 101110 with forwarding class ef and loss priority high:

[edit class-of-service classifiers]
user@switch# set dscp ba-classifier forwarding-class ef loss-priority high code-points 101110

3. Associate code point 001100 with forwarding class af and loss priority high:

[edit class-of-service classifiers]
user@switch# set dscp ba-classifier forwarding-class af loss-priority high code-points 001100

4. Associate code point 110001 with forwarding class nc and loss priority high:

[edit class-of-service classifiers]
user@switch# set dscp ba-classifier forwarding-class nc loss-priority high code-points 110001

5. Apply the DSCP BA classifier to Gigabit Ethernet interface ge-0/0/0:

[edit class-of-service interfaces]
user@switch# set ge-0/0/0 unit 0 classifiers dscp ba-classifier
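A BA classifier acts on one field only: for the DSCP classifier, the six high-order bits of the IPv4 TOS byte (the two low-order bits are ECN and are ignored), and for IP precedence the three high-order bits, as the code-point alias procedure above notes. The following Python model is added here as an illustration; it is not code from the Juniper guide or from JUNOS. It decodes a TOS byte, resolves a code point given either as a bit pattern or as an alias (the well-known JUNOS aliases listed in DSCP_ALIASES plus my1 from the alias procedure), and looks it up in a table built from the four ba-classifier steps above. The import default behaviour is simplified to a single fallback to the queue-0 class for any code point the table does not list; DscpClassifier and the helper names are assumptions of this model.

```python
"""Model of a JUNOS DSCP behavior-aggregate (BA) classifier.

Added example, not code from the Juniper guide or from JUNOS: it decodes the
DSCP field of an IPv4 TOS byte, resolves code-point aliases, and looks the
code point up in a classifier table built from the ba-classifier steps.
'import default' is simplified to one fallback class for unmatched code points."""

# A subset of the well-known JUNOS DSCP aliases, plus my1 from the
# code-point alias procedure (set dscp my1 110001).
DSCP_ALIASES = {
    "be": "000000", "ef": "101110", "af11": "001010", "af12": "001100",
    "nc1": "110000", "nc2": "111000",
    "my1": "110001",
}


def dscp_from_tos(tos: int) -> str:
    """DSCP is the high-order six bits of the TOS byte; the low two bits are ECN."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS byte out of range")
    return format(tos >> 2, "06b")


def precedence_from_tos(tos: int) -> str:
    """IP precedence is the high-order three bits, i.e. the top half of the DSCP field."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS byte out of range")
    return format(tos >> 5, "03b")


def resolve_code_point(value: str) -> str:
    """Accept either a six-bit pattern or a configured alias name."""
    if value in DSCP_ALIASES:
        return DSCP_ALIASES[value]
    if len(value) == 6 and set(value) <= {"0", "1"}:
        return value
    raise ValueError(f"unknown DSCP code point or alias: {value!r}")


class DscpClassifier:
    """Classifier table keyed by six-bit code point (assumed class, not a JUNOS API)."""

    def __init__(self, name: str, default=("best-effort", "low")):
        self.name = name
        self.table = {}
        # Unclassified packets go to the class associated with queue 0.
        self.default = default

    def set(self, forwarding_class: str, loss_priority: str, *code_points: str) -> None:
        # Mirrors: set dscp <name> forwarding-class <fc> loss-priority <plp> code-points [...]
        if loss_priority not in ("low", "high"):
            raise ValueError("loss priority must be 'low' or 'high'")
        for cp in code_points:
            self.table[resolve_code_point(cp)] = (forwarding_class, loss_priority)

    def classify(self, tos: int):
        """Return (code point, forwarding class, loss priority) for a TOS byte."""
        cp = dscp_from_tos(tos)
        fc, plp = self.table.get(cp, self.default)
        return cp, fc, plp


def build_ba_classifier() -> DscpClassifier:
    """The ba-classifier of steps 1 to 4 above."""
    c = DscpClassifier("ba-classifier")
    c.set("be", "high", "000001")
    c.set("ef", "high", "101110")
    c.set("af", "high", "001100")
    c.set("nc", "high", "110001")
    return c


if __name__ == "__main__":
    c = build_ba_classifier()
    # Constructed TOS bytes: EF with and without an ECN bit, nc, and an unmarked packet.
    for tos in (0xB8, 0xB9, 0xC4, 0x04, 0x30, 0x00):
        print(f"tos=0x{tos:02X} precedence={precedence_from_tos(tos)} ->", c.classify(tos))
```

The classifier decides on bits alone, and those bits are written by whoever sent the packet. Which interface the classifier is applied to (step 5 binds it to ge-0/0/0) therefore fixes the trust boundary: on a port facing untrusted hosts, any host can mark its packets 101110 and be placed in the ef class, so a multifield classifier or a rewrite rule at that ingress point is what keeps the marking honest.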

Related Topics

Defining CoS Classifiers (J-Web Procedure) on page 1034

Example: Configuring CoS on EX-series Switches on page 1011

Assigning CoS Components to Interfaces (CLI Procedure) on page 1044

Monitoring CoS Classifiers on page 1047

Understanding CoS Classifiers on page 1000

Defining CoS Classifiers (J-Web Procedure)


Classifiers examine the CoS value or alias of an incoming packet and assign the
packet a level of service by setting its forwarding class and loss priority. To define
classifiers, select Configure > Class of Service > Classifiers in the J-Web
interface. Table 150 on page 1034 describes the related fields.

Table 150: Classifiers Configuration Page Summary

Classifier Summary

Field: DSCP
Function: Defines classifiers for DSCP code point values.
Your Action: Click DSCP.

Field: IPv4 Precedence
Function: Defines classifiers for IPv4 precedence values.
Your Action: Click IPv4 Precedence.

Field: Classifier Name
Function: Displays the names of classifiers. Allows you to edit a specific classifier.
Your Action: To edit a classifier, click its name.

Field: Incoming Code Point (Alias)
Function: Displays CoS values and aliases to which forwarding class and loss priority are mapped.
Your Action: None.

Field: Classify to Forwarding Class
Function: Displays forwarding classes that are assigned to specific CoS values and aliases of a classifier.
Your Action: None.

Field: Classify to Loss Priority
Function: Displays loss priorities that are assigned to specific CoS values and aliases of a classifier.
Your Action: None.

Field: Add
Function: Opens a page that allows you to define classifiers.
Your Action: To add a classifier, click Add.

Field: Delete
Function: Deletes a specified classifier.
Your Action: To delete a classifier, locate the classifier, select the check box next to it, and click Delete.

Add a Classifier/Edit Classifier

Field: Classifier Name
Function: Specifies the name for a classifier.
Your Action: To name a classifier, type the name, for example, ba-classifier.

Field: Classifier Code Point Mapping
Function: Sets the forwarding classes and the packet loss priorities (PLPs) for specific CoS values and aliases.
Your Action: None.

Field: Incoming Code Point
Function: Specifies the CoS value in bits and the alias of a classifier for incoming packets.
Your Action: To specify a CoS value and alias, either select preconfigured ones from the list or type new ones. For information about forwarding classes and aliases assigned to well-known DSCPs, see the JUNOS Class of Service Configuration Guide.

Field: Forwarding Class
Function: Assigns the forwarding class to the specified CoS value and alias.
Your Action: To assign a forwarding class, select either one of the following default forwarding classes or one that you have configured:
expedited-forwarding: Provides low loss, low delay, low jitter, assured bandwidth, and end-to-end service. Packets can be forwarded out of sequence or dropped.
best-effort: Provides no special CoS handling of packets. Typically, RED drop profile is aggressive and no loss priority is defined.
assured-forwarding: Provides high assurance for packets within the specified service profile. Excess packets are dropped.
network-control: Packets can be delayed but not dropped.

Field: Loss Priority
Function: Assigns a loss priority to the specified CoS value and alias.
Your Action: To assign a loss priority, select one:
high: Packet has a high loss priority.
low: Packet has a low loss priority.

Field: Add
Function: Assigns a forwarding class and loss priority to the specified CoS value and alias. A classifier examines the incoming packet's header for the specified CoS value and alias and assigns it the forwarding class and loss priority that you have defined.
Your Action: To assign a forwarding class and loss priority to a specific CoS value and alias, click Add.

Field: Delete
Function: Removes the forwarding class and loss priority assignment from the classifier.
Your Action: To remove the forwarding class and loss priority assignment, select it and click Delete.

Related Topics

Defining CoS Classifiers (CLI Procedure) on page 1033

Example: Configuring CoS on EX-series Switches on page 1011

Monitoring CoS Classifiers on page 1047

Understanding CoS Classifiers on page 1000

Defining CoS Forwarding Classes (CLI Procedure)


Forwarding classes allow you to group packets for transmission. Based on forwarding
classes, you assign packets to output queues.
By default, four categories of forwarding classes are defined: best effort, assured
forwarding, expedited forwarding, and network control. EX-series switches support
up to 16 forwarding classes.
You can configure forwarding classes in one of the following ways:

Using the class statement: You can configure up to 16 forwarding classes and you can map multiple forwarding classes to a single queue.

Using the queue statement: You can configure up to 8 forwarding classes and you can map one forwarding class to one queue.

This example uses the class statement to configure forwarding classes.

To configure CoS forwarding classes, map the forwarding classes to queues:

[edit class-of-service forwarding-classes]
user@switch# set class be queue-num 0
user@switch# set class ef queue-num 1
user@switch# set class af queue-num 2
user@switch# set class nc queue-num 3
user@switch# set class ef1 queue-num 4
user@switch# set class ef2 queue-num 5
user@switch# set class af1 queue-num 6
user@switch# set class nc1 queue-num 7

Related Topics

Defining CoS Forwarding Classes (J-Web Procedure) on page 1037

Example: Configuring CoS on EX-series Switches on page 1011

Assigning CoS Components to Interfaces (CLI Procedure) on page 1044

Monitoring CoS Forwarding Classes on page 1048

Understanding CoS Forwarding Classes on page 1002


Defining CoS Forwarding Classes (J-Web Procedure)


To define forwarding classes, select Configure > Class of Service> Forwarding Classes
in the J-Web interface. Table 151 on page 1037 describes the related fields. By assigning
a forwarding class to a queue number, you affect the scheduling and marking of a
packet as it transits an EX-series switch.
Table 151: Forwarding Classes Configuration Pages Summary

Forwarding Class Summary

Field: Queue #
Function: Displays internal queue numbers to which forwarding classes are assigned. By default, if a packet is not classified, it is assigned to the class associated with queue 0. You can assign more than one forwarding class to a queue number. Allows you to edit an assigned forwarding class.
Your Action: To edit an assigned forwarding class, click the queue number to which the class is assigned.

Field: Forwarding Class Name
Function: Displays the forwarding class names assigned to specific internal queue numbers. By default, four forwarding classes are assigned to queue numbers 0 (best-effort), 1 (assured-forwarding), 5 (expedited-forwarding), and 7 (network-control).
Your Action: None.

Field: Add
Function: Opens a page that allows you to assign forwarding classes to internal queue numbers.
Your Action: To add a forwarding class, click Add.

Add a Forwarding Class/Edit Forwarding Class

Field: Queue #
Function: Specifies the internal queue number to which a forwarding class is assigned.
Your Action: To specify an internal queue number, type an integer from 0 through 7, as supported by your platform.

Field: Forwarding Class Name
Function: Specifies the forwarding class name assigned to the internal queue number.
Your Action: To assign a forwarding class name to a queue, type the name, for example, be-class.

Related Topics

Defining CoS Forwarding Classes (CLI Procedure) on page 1036

Example: Configuring CoS on EX-series Switches on page 1011

Monitoring CoS Forwarding Classes on page 1048

Assigning CoS Components to Interfaces (J-Web Procedure) on page 1045

Understanding CoS Forwarding Classes on page 1002


Defining CoS Schedulers (CLI Procedure)


You use schedulers to define the CoS properties of output queues. These properties
include the amount of interface bandwidth assigned to the queue, the size of the
memory buffer allocated for storing packets, the priority of the queue, and the tail
drop profiles associated with the queue.
You associate the schedulers with forwarding classes by means of scheduler maps.
You can then associate each scheduler map with an interface, thereby configuring
the queues and packet schedulers that operate according to this mapping.
You can associate up to four user-defined scheduler maps with the interfaces.
To configure CoS schedulers using the CLI:

1. Create a scheduler (be-sched) with low priority:

[edit class-of-service schedulers]
user@switch# set be-sched priority low

2. Configure a scheduler map (be-map) that associates the scheduler (be-sched) with
the forwarding class (best-effort):

[edit class-of-service scheduler-maps]
user@switch# set be-map forwarding-class best-effort scheduler be-sched

3. Assign the scheduler map (be-map) to a Gigabit Ethernet interface (ge-0/0/1):

[edit class-of-service interfaces]
user@switch# set ge-0/0/1 scheduler-map be-map
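Before a scheduler map (be-map here, or the ethernet-cos-map of the chapter example) is committed, a practitioner wants to know that the transmit-rate and buffer-size percentages of the schedulers it references do not add up to more than 100, that every forwarding class is mapped to a scheduler that actually exists, and how much bandwidth the strict-high schedulers between them can claim, since a strict-high queue with a large transmit rate can starve the low-priority queues. The following Python audit is added here as an illustration; it is not code from the Juniper guide or from JUNOS. It reads a constructed copy of the forwarding-classes, schedulers and scheduler-maps stanzas from the example earlier in this chapter using a minimal brace-stanza parser written for this example; parse_stanzas and audit_scheduler_map are names assumed here, not JUNOS or PyEZ functions.

```python
"""Pre-commit audit of JUNOS CoS scheduler stanzas.

Added example, not code from the Juniper guide or from JUNOS. parse_stanzas is a
minimal curly-brace stanza parser written for this illustration; the checks are
the invariants a scheduler map should satisfy before it is committed."""
import re

# Constructed copy of the forwarding-classes, schedulers and scheduler-maps
# stanzas from the chapter's example configuration.
SAMPLE_CONFIG = """
forwarding-classes {
    class app queue-num 5; class mail queue-num 1; class db queue-num 2; class erp queue-num 3;
    class video queue-num 4; class best-effort queue-num 0; class voice queue-num 6;
    class network-control queue-num 7;
}
schedulers {
    voice-sched { buffer-size percent 10; priority strict-high; transmit-rate percent 10; }
    video-sched { buffer-size percent 15; priority low; transmit-rate percent 15; }
    app-sched   { buffer-size percent 10; priority low; transmit-rate percent 10; }
    mail-sched  { buffer-size percent 5;  priority low; transmit-rate percent 5; }
    db-sched    { buffer-size percent 10; priority low; transmit-rate percent 10; }
    erp-sched   { buffer-size percent 10; priority low; transmit-rate percent 10; }
    nc-sched    { buffer-size percent 5;  priority strict-high; transmit-rate percent 5; }
    be-sched    { buffer-size percent 35; priority low; transmit-rate percent 35; }
}
scheduler-maps {
    ethernet-cos-map {
        forwarding-class voice scheduler voice-sched; forwarding-class video scheduler video-sched;
        forwarding-class app scheduler app-sched; forwarding-class mail scheduler mail-sched;
        forwarding-class db scheduler db-sched; forwarding-class erp scheduler erp-sched;
        forwarding-class network-control scheduler nc-sched;
        forwarding-class best-effort scheduler be-sched;
    }
}
"""


def parse_stanzas(text):
    """Parse 'name { ... }' stanzas into nested dicts. Leaf statements (token
    lists terminated by ';') are collected under the '_stmts' key of their stanza."""
    root = {"_stmts": []}
    stack, pending = [root], []
    for tok in re.findall(r"\{|\}|;|[^\s{};]+", text):
        if tok == "{":
            node = {"_stmts": []}
            stack[-1][" ".join(pending)] = node
            stack.append(node)
            pending = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif tok == ";":
            stack[-1]["_stmts"].append(pending)
            pending = []
        else:
            pending.append(tok)
    if len(stack) != 1 or pending:
        raise ValueError("unterminated stanza or statement")
    return root


def _percent(attrs, key):
    """Configured percentage of a scheduler attribute; 0 when it is unset or
    given as 'remainder' or an absolute rate (those forms are not summed here)."""
    value = attrs.get(key, [])
    return int(value[1]) if len(value) == 2 and value[0] == "percent" else 0


def audit_scheduler_map(config_text, map_name):
    """Return the summed percentages and a list of findings for one scheduler map."""
    cfg = parse_stanzas(config_text)
    # class <name> queue-num <n>
    queue_of = {s[1]: int(s[3]) for s in cfg["forwarding-classes"]["_stmts"] if s[0] == "class"}
    schedulers = {}
    for name, node in cfg["schedulers"].items():
        if name == "_stmts":
            continue
        attrs = {s[0]: s[1:] for s in node["_stmts"]}
        schedulers[name] = {"transmit": _percent(attrs, "transmit-rate"),
                            "buffer": _percent(attrs, "buffer-size"),
                            "priority": attrs.get("priority", ["low"])[0]}
    # forwarding-class <fc> scheduler <name>
    sched_of = {s[1]: s[3] for s in cfg["scheduler-maps"][map_name]["_stmts"]
                if s[0] == "forwarding-class"}

    findings = []
    for fc, sched in sorted(sched_of.items()):
        if sched not in schedulers:
            findings.append(f"{map_name}: forwarding class {fc} references undefined scheduler {sched}")
    for fc in sorted(fc for fc in queue_of if fc not in sched_of):
        findings.append(f"{map_name}: forwarding class {fc} (queue {queue_of[fc]}) has no scheduler")
    used = [schedulers[s] for s in sched_of.values() if s in schedulers]
    transmit = sum(s["transmit"] for s in used)
    buffer = sum(s["buffer"] for s in used)
    strict_high = sum(s["transmit"] for s in used if s["priority"] == "strict-high")
    if transmit > 100:
        findings.append(f"{map_name}: transmit-rate percentages sum to {transmit}")
    if buffer > 100:
        findings.append(f"{map_name}: buffer-size percentages sum to {buffer}")
    by_queue = {}
    for fc, q in queue_of.items():
        if not 0 <= q <= 7:
            findings.append(f"forwarding class {fc} uses queue {q}, outside 0 through 7")
        by_queue.setdefault(q, []).append(fc)
    for q, fcs in sorted(by_queue.items()):
        if len(fcs) > 1:   # allowed with the class statement, but worth a second look
            findings.append(f"queue {q} is shared by {', '.join(sorted(fcs))}")
    return {"transmit_percent": transmit, "buffer_percent": buffer,
            "strict_high_percent": strict_high, "findings": findings}


if __name__ == "__main__":
    print(audit_scheduler_map(SAMPLE_CONFIG, "ethernet-cos-map"))
```

For the chapter example the transmit rates and buffer sizes each sum to exactly 100 and the two strict-high schedulers (voice-sched and nc-sched) together claim 15 percent, so the audit reports no findings; raising be-sched to 45 percent, or deleting one forwarding-class line from the map, produces a finding before the configuration reaches the switch.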

Related Topics

Defining CoS Schedulers (J-Web Procedure) on page 1038

Example: Configuring CoS on EX-series Switches on page 1011

Assigning CoS Components to Interfaces (CLI Procedure) on page 1044

Monitoring CoS Scheduler Maps on page 1051

Understanding CoS Schedulers on page 1004

Defining CoS Schedulers (J-Web Procedure)


Using schedulers, you can assign attributes to queues and thereby provide congestion
control for a particular class of traffic. These attributes include the amount of interface
bandwidth, memory buffer size, transmit rate, and schedule priority.
To configure schedulers using the Configuration pages:

1. Create a scheduler and specify attributes for it. For a description of
scheduler-related fields, see Table 152 on page 1039.

2. Associate the scheduler to a forwarding class. Because the forwarding class is
assigned to a queue number, the queue inherits this scheduler's attributes. For
a description of scheduler map-related fields, see Table 152 on page 1039.

Table 152: Schedulers Configuration Page Summary

Scheduler Summary

Field: Scheduler Name
Function: Displays the names of defined schedulers. Allows you to edit a specific scheduler.
Your Action: To edit a scheduler, click its name.

Field: Scheduler Information
Function: Displays a summary of defined settings for a scheduler, such as bandwidth, delay buffer size, and transmit rates.
Your Action: None.

Field: Add
Function: Opens a page that allows you to add a scheduler.
Your Action: Click Add.

Field: Delete
Function: Removes a scheduler.
Your Action: Click Delete.

Add a Scheduler/Edit Scheduler

Field: Scheduler Name
Function: Specifies the name for a scheduler.
Your Action: To name a scheduler, type the name, for example, be-scheduler.

Field: Buffer Size
Function: Defines the size of the delay buffer. By default, queues 0 through 7 have the following percentage of the total available buffer space:
Queue 0: 95 percent
Queue 1: 0 percent
Queue 2: 0 percent
Queue 3: 0 percent
Queue 4: 0 percent
Queue 5: 0 percent
Queue 6: 0 percent
Queue 7: 5 percent
Your Action: To define a delay buffer size for a scheduler, select the appropriate option:
To specify no buffer size, select Unconfigured.
To specify buffer size as a percentage of the total buffer, select Percent and type an integer from 1 through 100.
To specify buffer size as the remaining available buffer, select Remainder.
NOTE: A large buffer size value correlates with a greater possibility of packet delays. This might not be practical for sensitive traffic such as voice or video.

Field: Scheduling Priority
Function: Sets the transmission priority of the scheduler, which determines the order in which an output interface transmits traffic from the queues. You can set scheduling priority at different levels in an order of increasing priority from low to high. A high-priority queue with a high transmission rate might lock out lower-priority traffic.
Your Action: To specify a priority, select one:
low: Packets in this queue are transmitted last.
strict-high: Packets in this queue are transmitted first.

Field: Transmit Rate
Function: Defines the transmission rate of a scheduler. The transmit rate determines the traffic bandwidth from each forwarding class you configure. By default, queues 0 through 7 have the following percentage of transmission capacity:
Queue 0: 95 percent
Queue 1: 0 percent
Queue 2: 0 percent
Queue 3: 5 percent
Queue 4: 0 percent
Queue 6: 0 percent
Queue 7: 5 percent
Your Action: To define a transmit rate, select the appropriate option:
To not specify transmit rate, select Unconfigured.
To specify the remaining transmission capacity, select Remainder Available.
To specify a percentage of transmission capacity, select Percent and type an integer from 1 through 100.
To enforce the exact transmission rate or percentage you configured, select the Exact Transmit Rate check box.

Table 153: Scheduler Maps Configuration Page Summary

Scheduler Maps Summary

Field: Scheduler Map Name
Function: Displays the names of defined scheduler maps. Scheduler maps link schedulers to forwarding classes. Allows you to edit a scheduler map.
Your Action: To edit a scheduler map, click its name.

Field: Scheduler Map Information
Function: For each map, displays the schedulers and the forwarding classes that they are assigned to.
Your Action: None.

Field: Add
Function: Opens a page that allows you to add a scheduler map.
Your Action: Click Add.

Field: Delete
Function: Removes a scheduler map.
Your Action: Select it and click Delete.

Add a Scheduler Map/Edit Scheduler Map

Field: Scheduler Map Name
Function: Specifies the name for a scheduler map.
Your Action: To name a map, type the name, for example, be-scheduler-map.

Field: Scheduler Mapping
Function: Allows you to associate a preconfigured scheduler with a forwarding class. After scheduler maps have been applied to an interface, they affect the hardware queues and packet schedulers.
Your Action: To associate a scheduler with a forwarding class, locate the forwarding class and select the scheduler in the box next to it.

Related Topics

Defining CoS Schedulers (CLI Procedure) on page 1038

Example: Configuring CoS on EX-series Switches on page 1011

Monitoring CoS Scheduler Maps on page 1051

Configuring CoS Tail Drop Profiles (CLI Procedure)


Tail drop is a simple and effective traffic congestion avoidance mechanism. When
you apply this mechanism to manage congestion, packets are dropped when the
output queue is full.
To configure CoS tail-drop profiles, create a drop profile name (be-dp) and assign a
fill level (25):
[edit class-of-service drop-profiles]
user@switch# set be-dp fill-level 25

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Understanding CoS Tail Drop Profiles on page 1004


Defining CoS Rewrite Rules (CLI Procedure)


You configure rewrite rules to alter CoS values in outgoing packets on the outbound
interfaces of an EX-series switch to match the policies of a targeted peer. Policy
matching allows the downstream router in a neighboring network to classify each
packet into the appropriate service group.
In addition, you often need to rewrite a given marker such as IP precedence, DSCP,
or IEEE 802.1p at the switch's inbound interfaces to accommodate behavior aggregate
(BA) classification by core devices.
You do not need to explicitly apply rewrite rules to interfaces. By default, rewrite
rules are applied to routed packets.
To configure CoS rewrite rules, associate the rewrite rule (customup-rw) with forwarding
class, loss priority, and code-point:
[edit class-of-service rewrite-rules]
user@switch# set ieee-802.1 customup-rw forwarding-class be loss-priority low code-point 000
[edit class-of-service rewrite-rules]
user@switch# set ieee-802.1 customup-rw forwarding-class be loss-priority high code-point 001
[edit class-of-service rewrite-rules]
user@switch# set ieee-802.1 customup-rw forwarding-class af loss-priority low code-point 010
[edit class-of-service rewrite-rules]
user@switch# set ieee-802.1 customup-rw forwarding-class af loss-priority high code-point 011
[edit class-of-service rewrite-rules]
user@switch# set ieee-802.1 customup-rw forwarding-class ef loss-priority low code-point 100
[edit class-of-service rewrite-rules]
user@switch# set ieee-802.1 customup-rw forwarding-class ef loss-priority high code-point 101
[edit class-of-service rewrite-rules]
user@switch# set ieee-802.1 customup-rw forwarding-class nc loss-priority low code-point 110
[edit class-of-service rewrite-rules]
user@switch# set ieee-802.1 customup-rw forwarding-class nc loss-priority high code-point 111
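The customup-rw mapping above, rendered as the same set commands and sanity-checked first, as an added Python example that is not from the guide or from Juniper; the marker widths it assumes are 3 bits for ieee-802.1 and inet-precedence and 6 bits for dscp, and the function names are this example's own:

```python
"""Render and sanity-check a Junos CoS rewrite rule before committing it.

Added example, not part of the Juniper guide. A mapping of
(forwarding-class, loss-priority) -> code point is turned into the `set`
commands used in the CLI procedure, after checking each code point against
the width of the marker being rewritten. The width table is this example's
assumption: ieee-802.1 and inet-precedence carry 3 bits, dscp carries 6.
"""

CODE_POINT_BITS = {"dscp": 6, "ieee-802.1": 3, "inet-precedence": 3}
LOSS_PRIORITIES = ("low", "high")

# Constructed sample: the customup-rw mapping from the CLI procedure.
CUSTOMUP_RW = {
    ("be", "low"): "000", ("be", "high"): "001",
    ("af", "low"): "010", ("af", "high"): "011",
    ("ef", "low"): "100", ("ef", "high"): "101",
    ("nc", "low"): "110", ("nc", "high"): "111",
}


def validate_rewrite_rule(rule_type, mapping):
    """Return a list of problems; an empty list means the rule is consistent.

    Checks the rule type, that every code point is a bit string of exactly
    the marker width, that loss priorities are low/high, and that each
    forwarding class in the mapping has both loss priorities covered (an
    uncovered pair silently keeps the default rewrite).
    """
    width = CODE_POINT_BITS.get(rule_type)
    if width is None:
        return [f"unknown rewrite rule type {rule_type!r}"]
    problems, seen = [], {}
    for (fc, lp), bits in mapping.items():
        if lp not in LOSS_PRIORITIES:
            problems.append(f"{fc}: loss-priority {lp!r} is not low or high")
        if len(bits) != width or set(bits) - {"0", "1"}:
            problems.append(
                f"{fc}/{lp}: code-point {bits!r} is not a {width}-bit pattern")
        seen.setdefault(fc, set()).add(lp)
    for fc, priorities in sorted(seen.items()):
        for lp in LOSS_PRIORITIES:
            if lp not in priorities:
                problems.append(f"{fc}: no code-point for loss-priority {lp}")
    return problems


def rewrite_rule_set_commands(rule_type, rule_name, mapping):
    """Render the mapping as `set` commands for [edit class-of-service
    rewrite-rules]; refuse to render a mapping that fails validation."""
    problems = validate_rewrite_rule(rule_type, mapping)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"set {rule_type} {rule_name} forwarding-class {fc} "
        f"loss-priority {lp} code-point {bits}"
        for (fc, lp), bits in mapping.items()
    ]


if __name__ == "__main__":
    for command in rewrite_rule_set_commands("ieee-802.1", "customup-rw", CUSTOMUP_RW):
        print(command)
```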

Related Topics

Defining CoS Rewrite Rules (J-Web Procedure) on page 1042

Example: Configuring CoS on EX-series Switches on page 1011

Monitoring CoS Rewrite Rules on page 1050

Understanding CoS Rewrite Rules on page 1008

Defining CoS Rewrite Rules (J-Web Procedure)


To define rewrite rules, select Configure > Class of Service > Rewrite Rules in the
J-Web interface. Table 154 on page 1043 describes the related fields. Use the rewrite
rules to alter the CoS values in outgoing packets to meet the requirements of the
targeted peer. A rewrite rule examines the forwarding class and loss priority of a
packet and sets its bits to a corresponding value specified in the rule.
Table 154: Rewrite Rules Configuration Page Summary

Field: DSCP
Function: Redefines DSCP code point values of outgoing packets.
Your Action: Click DSCP.

Field: IPv4 Precedence
Function: Redefines IPv4 precedence code point values.
Your Action: Click IPv4 Precedence.

Field: Rewrite Rule Name
Function: Displays names of defined rewrite rules.
Your Action: To edit a rule, click its name.

Field: Rewrite Rules Summary
Function: Allows you to edit a specific rule.

Field: Forwarding Class
Function: Displays forwarding classes associated with a specific rewrite rule.
Your Action: None.

Field: Loss Priority
Function: Displays loss priority values associated with a specific rewrite rule.
Your Action: None.

Field: Rewrite Outgoing Code Point To
Function: Displays the CoS values and aliases that a specific rewrite rule has set for a specific forwarding class and loss priority.
Your Action: None.

Field: Add
Function: Opens a page that allows you to define a new rewrite rule.
Your Action: To add a rewrite rule, click Add.

Field: Delete
Function: Removes specified rewrite rules.
Your Action: To remove a rule, select the check box next to it and click Delete.

Add a Rewrite Rule/Edit Rewrite Rule

Field: Rewrite Rule Name
Function: Specifies a rewrite rule name.
Your Action: To name a rule, type the name, for example, rewrite-dscps.

Field: Code Point Mapping
Function: Rewrites outgoing CoS values of a packet based on the forwarding class and loss priority. Allows you to remove a code point mapping entry.
Your Action: To configure the CoS value assignment, follow these steps:
1. From the Forwarding Class list, select a class.
2. Select a priority from the following:
   low: Rewrite rule applies to packets with a low loss priority.
   high: Rewrite rule applies to packets with a high loss priority.
3. For Rewritten Code Point, either select a predefined CoS value and alias or type a new CoS value and alias. For information about predefined CoS values and aliases, see the JUNOS Class of Service Configuration Guide.
4. Click Add.
To remove a code point mapping entry, select it and click Delete.

Related Topics

Defining CoS Rewrite Rules (CLI Procedure) on page 1042

Understanding CoS Rewrite Rules on page 1008

Monitoring CoS Rewrite Rules on page 1050

Example: Configuring CoS on EX-series Switches on page 1011

Assigning CoS Components to Interfaces (CLI Procedure)


After you have defined the following CoS components, you must assign them to
logical or physical interfaces. (Only these three types of CoS components get assigned
to interfaces.)

Forwarding classes: Assign only to logical interfaces.

Classifiers: Assign only to logical interfaces.

Scheduler maps: Assign to either physical or logical interfaces.

To assign CoS components to interfaces, associate a CoS component (scheduler map
named ethernet-cos-map) with an interface (ge-0/0/20):
[edit class-of-service interfaces]
user@switch# set ge-0/0/20 scheduler-map ethernet-cos-map

Related Topics


Assigning CoS Components to Interfaces (J-Web Procedure) on page 1045

Example: Configuring CoS on EX-series Switches on page 1011


Monitoring Interfaces That Have CoS Components on page 1049

Understanding JUNOS CoS Components for EX-series Switches on page 995

Assigning CoS Components to Interfaces (J-Web Procedure)


After you have defined CoS components, you must assign them to logical or physical
interfaces. The CoS Configuration pages allow you to assign scheduler maps to
physical or logical interfaces and to assign forwarding classes or classifiers to logical
interfaces.
To assign CoS components to interfaces:
1. In the J-Web interface, select Configure>Class of Service>Interface Association.
2. Enter information into these pages, as described in Table 155 on page 1045.
3. Click one:
   To apply the configuration, click OK.
   To cancel your entries, click Cancel.

Table 155: Assigning CoS Components to Interfaces

Add CoS Service to a Physical Interface/Edit CoS Physical Interface

Field: Physical Interface Name
Function: Specifies the name of a physical interface. Allows you to assign CoS components to a set of interfaces at the same time.
Your Action: To specify an interface for CoS assignment, type its name in the Physical Interface Name box. To specify a set of interfaces for CoS assignment, use the wildcard character (*), for example, ge-0/*/0.

Field: Scheduler Map
Function: Specifies a predefined scheduler map for the physical interface. A scheduler map enables the physical interface to have more than one set of output queues.
Your Action: To specify a map for an interface, select it from the Scheduler Map list.

Field: Add
Function: Allows you to add a CoS service to a logical interface on a specified physical interface.
Your Action: To add a CoS service to a logical interface, click Add.

Add CoS Service to a Logical Interface Unit/Edit CoS Logical Interface Unit

Field: Logical Interface Unit Name
Function: Specifies the name of a logical interface. Allows you to assign CoS components to a logical interface configured on a physical interface at the same time.
Your Action: To specify an interface for CoS assignment, type its name in the Logical Interface Unit Name box. To assign CoS services to all logical interfaces configured on this physical interface, type the wildcard character (*).

Field: Forwarding Class
Function: Assigns a predefined forwarding class to incoming packets on a logical interface.
Your Action: To assign a forwarding class to the interface, select it.

Field: Classifiers
Function: Allows you to apply classification maps to a logical interface. Classifiers assign a forwarding class and loss priority to an incoming packet based on its CoS value.
Your Action: To assign a classification map to the interface, select an appropriate classifier for each CoS value type used on the interface.

Related Topics


Assigning CoS Components to Interfaces (CLI Procedure) on page 1044

Example: Configuring CoS on EX-series Switches on page 1011

Monitoring Interfaces That Have CoS Components on page 1049


Chapter 59

Verifying CoS

Monitoring CoS Classifiers on page 1047

Monitoring CoS Forwarding Classes on page 1048

Monitoring Interfaces That Have CoS Components on page 1049

Monitoring CoS Rewrite Rules on page 1050

Monitoring CoS Scheduler Maps on page 1051

Monitoring CoS Value Aliases on page 1053

Monitoring CoS Classifiers


Purpose
Use the monitoring functionality to display the mapping of incoming CoS values to
forwarding class and loss priority for each classifier.

Action
To monitor CoS classifiers in the J-Web interface, select Monitor>Class of
Service>Classifiers.
To monitor CoS classifiers in the CLI, enter the following CLI command:
show class-of-service classifier

Meaning

Table 156 on page 1047 summarizes key output fields for CoS classifiers.

Table 156: Summary of Key CoS Classifier Output Fields

Field: Classifier Name
Values: Name of a classifier.
Additional Information: To display classifier assignments, click the plus sign (+).

Field: CoS Value Type
Values: The classifiers are displayed by type:
  dscp: All classifiers of the DSCP type.
  ieee-802.1: All classifiers of the IEEE 802.1 type.
  inet-precedence: All classifiers of the IP precedence type.

Field: Index
Values: Internal index of the classifier.

Field: Incoming CoS Value
Values: CoS value of the incoming packets, in bits. These values are used for classification.

Field: Assign to Forwarding Class
Values: Forwarding class that the classifier assigns to an incoming packet. This class affects the forwarding and scheduling policies that are applied to the packet as it transits the switch.

Field: Assign to Loss Priority
Values: Loss priority value that the classifier assigns to the incoming packet based on its CoS value.

Related Topics


Defining CoS Classifiers (CLI Procedure) on page 1033

Defining CoS Classifiers (J-Web Procedure) on page 1034

Example: Configuring CoS on EX-series Switches on page 1011

Monitoring CoS Forwarding Classes


Purpose
Use the monitoring functionality to view the current assignment of CoS forwarding
classes to queue numbers on the system.

Action
To monitor CoS forwarding classes in the J-Web interface, select Monitor>Class of
Service>Forwarding Classes.
To monitor CoS forwarding classes in the CLI, enter the following CLI command:
show class-of-service forwarding-class

Meaning


Table 157 on page 1049 summarizes key output fields for CoS forwarding classes.


Table 157: Summary of Key CoS Forwarding Class Output Fields

Field: Forwarding Class
Values: Names of forwarding classes assigned to queue numbers. By default, the following forwarding classes are assigned to queues 0, 1, 5, or 7:
  best-effort: Provides no special CoS handling of packets. Loss priority is typically not carried in a CoS value.
  expedited-forwarding: Provides low loss, low delay, low jitter, assured bandwidth, and end-to-end service.
  assured-forwarding: Provides high assurance for packets within specified service profile. Excess packets are dropped.
  network-control: Packets can be delayed but not dropped.

Field: Queue
Values: Queue number corresponding to the forwarding class name.
Additional Information: By default, four queues, 0, 1, 5 or 7, are assigned to forwarding classes.

Related Topics

Defining CoS Forwarding Classes (CLI Procedure) on page 1036

Defining CoS Forwarding Classes (J-Web Procedure) on page 1037

Example: Configuring CoS on EX-series Switches on page 1011

Monitoring Interfaces That Have CoS Components


Purpose
Use the monitoring functionality to display details about the physical and logical
interfaces and the CoS components assigned to them.

Action
To monitor interfaces that have CoS components in the J-Web interface, select
Monitor>Class of Service>Interface Association.
To monitor interfaces that have CoS components in the CLI, enter the following
command:
show class-of-service interface interface-name

Meaning

Table 158 on page 1049 summarizes key output fields for CoS interfaces.

Table 158: Summary of Key CoS Interfaces Output Fields

Field: Interface
Values: Name of a physical interface to which CoS components are assigned.
Additional Information: To display names of logical interfaces configured on this physical interface, click the plus sign (+).

Field: Scheduler Map
Values: Name of the scheduler map associated with this interface.

Field: Queues Supported
Values: Number of queues you can configure on the interface.

Field: Queues in Use
Values: Number of queues currently configured.

Field: Logical Interface
Values: Name of a logical interface on the physical interface to which CoS components are assigned.

Field: Object
Values: Category of an object, for example, classifier, scheduler-map, or rewrite.

Field: Name
Values: Name that you have given to an object, for example, ba-classifier.

Field: Type
Values: Type of an object, for example, dscp for a classifier.

Field: Index
Values: Index of this interface or the internal index of a specific object.

Related Topics


Assigning CoS Components to Interfaces (CLI Procedure) on page 1044

Assigning CoS Components to Interfaces (J-Web Procedure) on page 1045

Example: Configuring CoS on EX-series Switches on page 1011

Monitoring CoS Rewrite Rules


Purpose
Use the monitoring functionality to display information about CoS value rewrite rules,
which are based on the forwarding class and loss priority.

Action
To monitor CoS rewrite rules in the J-Web interface, select Monitor>Class of
Service>Rewrite Rules.
To monitor CoS rewrite rules in the CLI, enter the following command:
show class-of-service rewrite-rules

Meaning

Table 159 on page 1050 summarizes key output fields for CoS rewrite rules.

Table 159: Summary of Key CoS Rewrite Rules Output Fields

Field: Rewrite Rule Name
Values: Names of rewrite rules.

Field: CoS Value Type
Values: Rewrite rule type:
  dscp: For IPv4 DiffServ traffic.
  ieee-802.1: For Layer 2 traffic.
  inet-precedence: For IPv4 traffic.
Additional Information: To display forwarding classes, loss priorities, and rewritten CoS values, click the plus sign (+).

Field: Index
Values: Internal index for this particular rewrite rule.

Field: Forwarding Class
Values: Forwarding class that is used to determine CoS values for rewriting in combination with loss priority.

Field: Loss Priority
Values: Loss priority that is used to determine CoS values for rewriting in combination with forwarding class.

Field: Rewrite CoS Value To
Values: Value that the CoS value is rewritten to.
Additional Information: Rewrite rules are applied to CoS values in outgoing packets based on forwarding class and loss priority setting.

Related Topics

Defining CoS Rewrite Rules (CLI Procedure) on page 1042

Defining CoS Rewrite Rules (J-Web Procedure) on page 1042

Example: Configuring CoS on EX-series Switches on page 1011

Monitoring CoS Scheduler Maps


Purpose
Use the monitoring functionality to display assignments of CoS forwarding classes
to schedulers.

Action
To monitor CoS scheduler maps in the J-Web interface, select Monitor>Class of
Service>Scheduler Maps.
To monitor CoS scheduler maps in the CLI, enter the following CLI command:
show class-of-service scheduler-map

Meaning

Table 160 on page 1051 summarizes key output fields for CoS scheduler maps.

Table 160: Summary of Key CoS Scheduler Maps Output Fields

Field: Scheduler Map
Values: Name of a scheduler map.
Additional Information: For details, click the plus sign (+).

Field: Index
Values: Index of a specific object: scheduler maps, schedulers, or drop profiles.

Field: Scheduler Name
Values: Name of a scheduler.

Field: Forwarding Class
Values: Forwarding classes this scheduler is assigned to.

Field: Transmit Rate
Values: Configured transmit rate of the scheduler in bits per second (bps). The rate value can be either of the following:
  A percentage: The scheduler receives the specified percentage of the total interface bandwidth.
  remainder: The scheduler receives the remaining bandwidth of the interface after bandwidth allocation to other schedulers.

Field: Buffer Size
Values: Delay buffer size in the queue or the amount of transmit delay (in milliseconds). The buffer size can be either of the following:
  A percentage: The buffer is a percentage of the total buffer allocation.
  remainder: The buffer is sized according to what remains after other scheduler buffer allocations.

Field: Priority
Values: Scheduling priority of a queue:
  strict-high: Packets in this queue are transmitted first.
  low: Packets in this queue are transmitted last.

Field: Drop Profiles
Values: Name and index of a drop profile that is assigned to a specific loss priority and protocol pair.

Field: Loss Priority
Values: Packet loss priority corresponding to a drop profile.

Field: Protocol
Values: Transport protocol corresponding to a drop profile.

Field: Drop Profile Name
Values: Name of the drop profile.

Field: Index
Values: Index of a specific object: scheduler maps, schedulers, or drop profiles.

Related Topics


Defining CoS Schedulers (CLI Procedure) on page 1038

Defining CoS Schedulers (J-Web Procedure) on page 1038

Example: Configuring CoS on EX-series Switches on page 1011


Monitoring CoS Value Aliases


Purpose
Use the monitoring functionality to display information about the CoS value aliases
that the system is currently using to represent DSCP, IEEE 802.1p, and IPv4
precedence bits.

Action
To monitor CoS value aliases in the J-Web interface, select Monitor>Class of
Service>CoS Value Aliases.
To monitor CoS value aliases in the CLI, enter the following command:
show class-of-service code-point-aliases

Meaning

Table 161 on page 1053 summarizes key output fields for CoS value aliases.

Table 161: Summary of Key CoS Value Alias Output Fields

Field: CoS Value Type
Values: Type of the CoS value:
  dscp: Examines Layer 3 packet headers for IP packet classification.
  ieee-802.1: Examines Layer 2 packet headers for packet classification.
  inet-precedence: Examines Layer 3 packet headers for IP packet classification.
Additional Information: To display aliases and bit patterns, click the plus sign (+).

Field: CoS Value Alias
Values: Name given to a set of bits, for example, af11 is a name for 001010 bits.

Field: CoS Value
Values: Set of bits associated with an alias.

Related Topics

Defining CoS Code-Point Aliases (CLI Procedure) on page 1032

Defining CoS Code-Point Aliases (J-Web Procedure) on page 1030

Example: Configuring CoS on EX-series Switches on page 1011


Chapter 60

Configuration Statements for CoS

[edit class-of-service] Configuration Statement Hierarchy on page 1055

[edit class-of-service] Configuration Statement Hierarchy


class-of-service {
  classifiers {
    (dscp | ieee-802.1 | inet-precedence) classifier-name {
      import (classifier-name | default);
      forwarding-class class-name {
        loss-priority loss-priority {
          code-points [ aliases ] [ 6 bit-patterns ];
        }
      }
    }
  }
  code-point-aliases {
    (dscp | ieee-802.1 | inet-precedence) {
      alias-name bits;
    }
  }
  forwarding-classes {
    class class-name queue-num queue-number;
  }
  interfaces {
    interface-name {
      scheduler-map map-name;
      unit logical-unit-number {
        forwarding-class class-name;
        classifiers {
          (dscp | ieee-802.1 | inet-precedence) (classifier-name | default);
        }
      }
    }
  }
  rewrite-rules {
    (dscp | ieee-802.1 | inet-precedence) rewrite-name {
      import (rewrite-name | default);
      forwarding-class class-name {
        loss-priority loss-priority code-point (alias | bits);
      }
    }
  }
  scheduler-maps {
    map-name {
      forwarding-class class-name scheduler scheduler-name;
    }
  }
  schedulers {
    scheduler-name {
      buffer-size (percent percentage | remainder);
      drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name;
      priority priority;
      transmit-rate (rate | percent percentage | remainder);
    }
  }
}
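As an added example that is not Juniper code, a small parser for the brace-format hierarchy above together with the cross-checks a reviewer would want before committing a CoS stanza; the sample configuration, the set of checks and the function names are this example's own assumptions:

```python
"""Parse a Junos brace-format configuration and cross-check its CoS stanza.

Added example, not Juniper code. The parser covers the `name { ... }` and
`keyword value ...;` forms of the hierarchy listing. The checks are this
example's own choices: queue-num within the class statement's 0-15 range,
transmit-rate percentages per scheduler map summing to at most 100 with at
most one remainder, and every map, scheduler and class reference resolving.
"""
import re

# Constructed sample configuration (not taken from the guide).
SAMPLE_CONFIG = """
class-of-service {
    forwarding-classes { class be queue-num 0; class ef queue-num 5; class nc queue-num 7; }
    schedulers {
        be-sched { transmit-rate percent 30; buffer-size percent 30; priority low; }
        ef-sched { transmit-rate percent 40; buffer-size percent 40; priority strict-high; }
        nc-sched { transmit-rate remainder; buffer-size remainder; priority low; }
    }
    scheduler-maps {
        ethernet-cos-map {
            forwarding-class be scheduler be-sched;
            forwarding-class ef scheduler ef-sched;
            forwarding-class nc scheduler nc-sched;
        }
    }
    interfaces { ge-0/0/20 { scheduler-map ethernet-cos-map; } }
}
"""

TOKEN_RE = re.compile(r"\{|\}|;|[^\s{};]+")


def parse_config(text):
    """Containers become dicts keyed by their header words; leaf statements
    become lists of argument lists keyed by the statement's first word."""
    root, stack, words = {}, [], []
    current = root
    for tok in TOKEN_RE.findall(text):
        if tok == "{":
            stack.append(current)
            current = current.setdefault(" ".join(words), {})
            words = []
        elif tok == "}":
            current = stack.pop()
        elif tok == ";":
            current.setdefault(words[0], []).append(words[1:])
            words = []
        else:
            words.append(tok)
    if stack:
        raise ValueError("missing closing brace")
    return root


def containers(node):
    """Return the (name, body) pairs of a node's child containers."""
    return [(k, v) for k, v in node.items() if isinstance(v, dict)]


def check_cos(cfg):
    """Return a list of problems; empty means the CoS stanza is consistent."""
    cos = cfg.get("class-of-service", {})
    problems, queues = [], {}
    for args in cos.get("forwarding-classes", {}).get("class", []):
        name, queue = args[0], int(args[2])
        if not 0 <= queue <= 15:
            problems.append(f"class {name}: queue-num {queue} outside 0-15")
        queues[name] = queue
    schedulers = dict(containers(cos.get("schedulers", {})))
    maps = dict(containers(cos.get("scheduler-maps", {})))
    for map_name, body in maps.items():
        percent, remainders = 0, 0
        for args in body.get("forwarding-class", []):
            fc, sched = args[0], args[2]
            if fc not in queues:
                problems.append(f"{map_name}: forwarding-class {fc} is not defined")
            if sched not in schedulers:
                problems.append(f"{map_name}: scheduler {sched} is not defined")
                continue
            # A scheduler's transmit-rate is either a percentage or remainder.
            for rate in schedulers[sched].get("transmit-rate", []):
                if rate[0] == "percent":
                    percent += int(rate[1])
                elif rate[0] == "remainder":
                    remainders += 1
        if percent > 100:
            problems.append(f"{map_name}: transmit-rate percentages sum to {percent}")
        if remainders > 1:
            problems.append(f"{map_name}: {remainders} schedulers use remainder")
    for ifname, body in containers(cos.get("interfaces", {})):
        for args in body.get("scheduler-map", []):
            if args[0] not in maps:
                problems.append(f"{ifname}: scheduler-map {args[0]} is not defined")
    return problems


if __name__ == "__main__":
    print(check_cos(parse_config(SAMPLE_CONFIG)) or "CoS stanza is consistent")
```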
Related Topics


Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Code-Point Aliases (CLI Procedure) on page 1032 or Defining CoS
Code-Point Aliases (J-Web Procedure) on page 1030

Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034

Defining CoS Forwarding Classes (CLI Procedure) on page 1036 or Defining CoS
Forwarding Classes (J-Web Procedure) on page 1037

Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1041

Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers
(J-Web Procedure) on page 1038

Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite
Rules (J-Web Procedure) on page 1042

Assigning CoS Components to Interfaces (CLI Procedure) on page 1044 or Assigning
CoS Components to Interfaces (J-Web Procedure) on page 1045


buffer-size

Syntax
buffer-size (percent percentage | remainder);

Hierarchy Level
[edit class-of-service schedulers scheduler-name]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Specify buffer size.

Default
If you do not include this statement, the default scheduler transmission rate and
buffer size percentages for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent.

Options
percent percentage: Buffer size as a percentage of total buffer.
remainder: Remaining buffer available.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers
(J-Web Procedure) on page 1038

Understanding CoS Schedulers on page 1004


class

Syntax
class class-name queue-num queue-number;

Hierarchy Level
[edit class-of-service forwarding-classes]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure up to 16 forwarding classes with multiple forwarding classes mapped to
single queues. If you want to configure up to eight forwarding classes with one-to-one
mapping to output queues, use the queue statement instead of the class statement
at the [edit class-of-service forwarding-classes] hierarchy level.

Options
class-name: Name of forwarding class.
queue-num queue-number: Output queue number.
Range: 0 through 15.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Forwarding Classes (CLI Procedure) on page 1036 or Defining CoS
Forwarding Classes (J-Web Procedure) on page 1037

Understanding CoS Forwarding Classes on page 1002


class-of-service

Syntax
class-of-service {
  classifiers {
    (dscp | ieee-802.1 | inet-precedence) classifier-name {
      import (classifier-name | default);
      forwarding-class class-name {
        loss-priority level {
          code-points [ aliases ] [ 6 bit-patterns ];
        }
      }
    }
  }
  code-point-aliases {
    (dscp | ieee-802.1 | inet-precedence) {
      alias-name bits;
    }
  }
  forwarding-classes {
    class class-name queue-num queue-number;
  }
  interfaces {
    interface-name {
      scheduler-map map-name;
      unit logical-unit-number {
        forwarding-class class-name;
        classifiers {
          (dscp | ieee-802.1 | inet-precedence) (classifier-name | default);
        }
      }
    }
  }
  rewrite-rules {
    (dscp | ieee-802.1 | inet-precedence) rewrite-name {
      import (rewrite-name | default);
      forwarding-class class-name {
        loss-priority priority code-point (alias | bits);
      }
    }
  }
  scheduler-maps {
    map-name {
      forwarding-class class-name scheduler scheduler-name;
    }
  }
  schedulers {
    scheduler-name {
      buffer-size (percent percentage | remainder);
      drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name;
      priority priority;
      transmit-rate (rate | percent percentage | remainder);
    }
  }
}

Hierarchy Level
[edit]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Configure class-of-service parameters on EX-series switches.
The statements are explained separately.

Default
If you do not configure any CoS features, the default CoS settings are used.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Code-Point Aliases (CLI Procedure) on page 1032 or Defining CoS
Code-Point Aliases (J-Web Procedure) on page 1030

Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034

Defining CoS Forwarding Classes (CLI Procedure) on page 1036 or Defining CoS
Forwarding Classes (J-Web Procedure) on page 1037

Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1041

Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers
(J-Web Procedure) on page 1038

Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite
Rules (J-Web Procedure) on page 1042

Assigning CoS Components to Interfaces (CLI Procedure) on page 1044 or Assigning
CoS Components to Interfaces (J-Web Procedure) on page 1045

JUNOS CoS for EX-series Switches Overview on page 993


classifiers

Syntax
classifiers {
  (dscp | ieee-802.1 | inet-precedence) classifier-name {
    import (classifier-name | default);
    forwarding-class class-name {
      loss-priority level {
        code-points [ aliases ] [ 6 bit-patterns ];
      }
    }
  }
}

Hierarchy Level
[edit class-of-service],
[edit class-of-service interfaces interface-name unit logical-unit-number]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Apply a CoS aggregate behavior classifier to a logical interface. You can apply a
default classifier or one that has been previously defined.
The statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034

Assigning CoS Components to Interfaces (CLI Procedure) on page 1044 or Assigning
CoS Components to Interfaces (J-Web Procedure) on page 1045

Understanding CoS Classifiers on page 1000


code-point-aliases

Syntax
code-point-aliases {
  (dscp | ieee-802.1 | inet-precedence) {
    alias-name bits;
  }
}

Hierarchy Level
[edit class-of-service]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Define an alias for a CoS marker.
The statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Code-Point Aliases (CLI Procedure) on page 1032 or Defining CoS
Code-Point Aliases (J-Web Procedure) on page 1030

Understanding CoS Code-Point Aliases on page 997

code-points

Syntax
code-points [ aliases ] [ 6 bit-patterns ];

Hierarchy Level
[edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) forwarding-class
class-name loss-priority level]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Specify one or more DSCP code-point aliases or bit sets for association with a
forwarding class.

Options
aliases: Name of the DSCP alias.
6 bit-patterns: Value of the code-point bits, in decimal form.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034

Understanding CoS Classifiers on page 1000


drop-profile-map

Syntax
drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name;

Hierarchy Level
[edit class-of-service schedulers scheduler-name]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Define the loss priority value for the specified drop profile.

Options
drop-profile profile-name: Name of the drop profile.
The remaining statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers
(J-Web Procedure) on page 1038

Understanding CoS Schedulers on page 1004


dscp

Syntax
dscp classifier-name {
  import (classifier-name | default);
  forwarding-class class-name {
    loss-priority level {
      code-points [ aliases ] [ 6 bit-patterns ];
    }
  }
}

Hierarchy Level
[edit class-of-service classifiers],
[edit class-of-service code-point-aliases],
[edit class-of-service interfaces interface-name unit logical-unit-number classifiers],
[edit class-of-service rewrite-rules]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Define the Differentiated Services code point (DSCP) mapping that is applied to the
packets.

Options
classifier-name: Name of the classifier.
The remaining statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Code-Point Aliases (CLI Procedure) on page 1032 or Defining CoS
Code-Point Aliases (J-Web Procedure) on page 1030

Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers
(J-Web Procedure) on page 1034

Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite
Rules (J-Web Procedure) on page 1042

Assigning CoS Components to Interfaces (CLI Procedure) on page 1044 or Assigning


CoS Components to Interfaces (J-Web Procedure) on page 1045

Understanding CoS Classifiers on page 1000

Chapter 60: Configuration Statements for CoS

forwarding-class

Syntax

    forwarding-class class-name {
        loss-priority level {
            code-points [ aliases ] [ 6bit-patterns ];
        }
    }

Hierarchy Level

    [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name],
    [edit class-of-service interfaces interface-name unit logical-unit-number],
    [edit class-of-service rewrite-rules (dscp | ieee-802.1 | inet-precedence) rewrite-name],
    [edit class-of-service scheduler-maps map-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Define the forwarding class name and option values.

Options

class-name: Name of the forwarding class.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Forwarding Classes (CLI Procedure) on page 1036 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1037

Understanding CoS Forwarding Classes on page 1002


ieee-802.1

Syntax

    ieee-802.1 classifier-name {
        import (classifier-name | default);
        forwarding-class class-name {
            loss-priority level {
                code-points [ aliases ] [ 6bit-patterns ];
            }
        }
    }

Hierarchy Level

    [edit class-of-service classifiers],
    [edit class-of-service code-point-aliases],
    [edit class-of-service interfaces interface-name unit logical-unit-number classifiers],
    [edit class-of-service rewrite-rules]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Apply an IEEE-802.1 rewrite rule.

Options

classifier-name: Name of the classifier.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers (J-Web Procedure) on page 1034

Defining CoS Code-Point Aliases (CLI Procedure) on page 1032 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 1030

Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1042

Understanding CoS Classifiers on page 1000

Understanding CoS Rewrite Rules on page 1008


import

Syntax

    import (classifier-name | default);

Hierarchy Level

    [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name],
    [edit class-of-service rewrite-rules (dscp | ieee-802.1 | inet-precedence) rewrite-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Specify a default or previously defined classifier.

Options

classifier-name: Name of the classifier mapping configured at the [edit class-of-service classifiers] hierarchy level.

default: Default classifier mapping.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers (J-Web Procedure) on page 1034

Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1042

Understanding CoS Classifiers on page 1000

Understanding CoS Rewrite Rules on page 1008


inet-precedence

Syntax

    inet-precedence classifier-name {
        import (classifier-name | default);
        forwarding-class class-name {
            loss-priority level {
                code-points [ aliases ] [ 6bit-patterns ];
            }
        }
    }

Hierarchy Level

    [edit class-of-service classifiers],
    [edit class-of-service code-point-aliases],
    [edit class-of-service interfaces interface-name unit logical-unit-number classifiers],
    [edit class-of-service rewrite-rules]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Apply an IPv4 precedence rewrite rule.

Options

classifier-name: Name of the classifier.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers (J-Web Procedure) on page 1034

Defining CoS Code-Point Aliases (CLI Procedure) on page 1032 or Defining CoS Code-Point Aliases (J-Web Procedure) on page 1030

Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1042

Understanding CoS Classifiers on page 1000

Understanding CoS Rewrite Rules on page 1008


interfaces

Syntax

    interfaces {
        interface-name {
            scheduler-map map-name;
            unit logical-unit-number {
                forwarding-class class-name;
                classifiers {
                    (dscp | ieee-802.1 | inet-precedence) (classifier-name | default);
                }
            }
        }
    }

Hierarchy Level

    [edit class-of-service]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure interface-specific CoS properties for incoming packets.

Options

interface-name: Name of the interface.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers (J-Web Procedure) on page 1034

Defining CoS Forwarding Classes (CLI Procedure) on page 1036 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1037

Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers (J-Web Procedure) on page 1038

EX-series Switches Interfaces Overview on page 259


loss-priority

Syntax

    loss-priority level {
        code-points [ aliases ] [ 6bit-patterns ];
    }

Hierarchy Level

    [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name forwarding-class class-name],
    [edit class-of-service rewrite-rules (dscp | ieee-802.1 | inet-precedence) rewrite-name forwarding-class class-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Specify the packet loss priority value for a specific set of code-point aliases and bit patterns.

Options

level: Can be one of the following:

    high: Packet has high loss priority.

    low: Packet has low loss priority.

The remaining statement is explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Classifiers (CLI Procedure) on page 1033 or Defining CoS Classifiers (J-Web Procedure) on page 1034

Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1042

Understanding CoS Classifiers on page 1000

Understanding CoS Rewrite Rules on page 1008


priority

Syntax

    priority priority;

Hierarchy Level

    [edit class-of-service schedulers scheduler-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Specify the packet-scheduling priority value.

Options

priority: Can be one of the following:

    low: Scheduler has low priority.

    strict-high: Scheduler has strictly high priority.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers (J-Web Procedure) on page 1038

Understanding CoS Schedulers on page 1004

protocol

Syntax

    protocol protocol drop-profile profile-name;

Hierarchy Level

    [edit class-of-service schedulers scheduler-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Specify the protocol type for the specified drop profile.

Options

drop-profile profile-name: Name of the drop profile.

protocol: Type of protocol. It can be:

    any: Accept any protocol type.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Configuring CoS Tail Drop Profiles (CLI Procedure) on page 1041

Understanding CoS Tail Drop Profiles on page 1004


rewrite-rules

Syntax

    rewrite-rules {
        (dscp | ieee-802.1 | inet-precedence) rewrite-name {
            import (rewrite-name | default);
            forwarding-class class-name {
                loss-priority level code-point (alias | bits);
            }
        }
    }

Hierarchy Level

    [edit class-of-service]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Specify a rewrite-rules mapping for the traffic that passes through all queues on the interface.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Rewrite Rules (CLI Procedure) on page 1042 or Defining CoS Rewrite Rules (J-Web Procedure) on page 1042

Understanding CoS Rewrite Rules on page 1008

scheduler-map

Syntax

    scheduler-map map-name;

Hierarchy Level

    [edit class-of-service interfaces]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Associate a scheduler map name with an interface.

Options

map-name: Name of the scheduler map.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Assigning CoS Components to Interfaces (CLI Procedure) on page 1044 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 1045

Understanding CoS Schedulers on page 1004


scheduler-maps

Syntax

    scheduler-maps {
        map-name {
            forwarding-class class-name scheduler scheduler-name;
        }
    }

Hierarchy Level

    [edit class-of-service]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Specify a scheduler map name and associate it with the scheduler configuration and forwarding class.

Options

map-name: Name of the scheduler map.

The remaining statement is explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Forwarding Classes (CLI Procedure) on page 1036 or Defining CoS Forwarding Classes (J-Web Procedure) on page 1037

Understanding CoS Schedulers on page 1004

Understanding CoS Forwarding Classes on page 1002


schedulers

Syntax

    schedulers {
        scheduler-name {
            buffer-size (percent percentage | remainder);
            drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name;
            priority priority;
            transmit-rate (rate | percent percentage | remainder);
        }
    }

Hierarchy Level

    [edit class-of-service]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Specify the scheduler name and parameter values.

Options

scheduler-name: Name of the scheduler.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers (J-Web Procedure) on page 1038

Understanding CoS Schedulers on page 1004


shaping-rate

Syntax

    shaping-rate (percent percentage | rate);

Hierarchy Level

    [edit class-of-service schedulers scheduler-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

The transmit-rate statement at the [edit class-of-service schedulers scheduler-name] hierarchy level configures the minimum bandwidth allocated to a queue. The transmission bandwidth can be configured as an exact value or allowed to exceed the configured rate if additional bandwidth is available from other queues.

You should configure the shaping rate as an absolute maximum usage and not as the additional usage beyond the configured transmit rate.

Default

If you do not include this statement, the default shaping rate is 100 percent, which is the same as no shaping at all.

Options

percent percentage: Shaping rate as a percentage of the available interface bandwidth.

    Range: 0 through 100 percent

rate: Peak rate, in bits per second (bps). You can specify a value in bits per second either as a complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000).

    Range: 3200 through 32,000,000,000 bps

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Understanding JUNOS CoS Components for EX-series Switches on page 995

Example: Configuring CoS on EX-series Switches on page 1011


transmit-rate

Syntax

    transmit-rate (rate | percent percentage | remainder);

Hierarchy Level

    [edit class-of-service schedulers scheduler-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Specify the transmit rate or percentage for a scheduler.

Default

If you do not include this statement, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent.

Options

rate: Transmission rate, in bps. You can specify a value in bits per second either as a complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000).

    Range: 3200 through 160,000,000,000 bps

percent percentage: Percentage of transmission capacity. A percentage of zero drops all packets in the queue.

    Range: 0 through 100 percent

remainder: Remaining rate available.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Defining CoS Schedulers (CLI Procedure) on page 1038 or Defining CoS Schedulers (J-Web Procedure) on page 1038

Understanding CoS Schedulers on page 1004
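The constraints stated for shaping-rate and transmit-rate (the bps ranges, the k/m/g abbreviations, percent 0 dropping every packet in the queue, priority being low or strict-high, and the shaping rate being an absolute ceiling rather than an add-on to the transmit rate) can be checked before a scheduler map is committed. The following Python is an added example, not code from this guide or from Juniper; the scheduler definitions and the 1 Gbps link speed are constructed for the example, and the rule that percent transmit-rates across a map must not exceed 100 is an assumption of the checker.

```python
import re

# Default transmit-rate and buffer-size percentages for queues 0 through 7
# when no transmit-rate statement is configured (transmit-rate statement, Default).
DEFAULT_QUEUE_PERCENT = [95, 0, 0, 0, 0, 0, 0, 5]

# Documented absolute ranges, in bits per second.
TRANSMIT_RATE_RANGE = (3200, 160_000_000_000)
SHAPING_RATE_RANGE = (3200, 32_000_000_000)
PRIORITIES = ("low", "strict-high")

_SUFFIX = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_rate(text):
    """Parse a JUNOS rate: a decimal number optionally followed by k, m or g."""
    m = re.fullmatch(r"(\d+)([kmg]?)", text.strip().lower())
    if not m:
        raise ValueError(f"malformed rate: {text!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_rate_option(value):
    """Decode the (rate | percent percentage | remainder) option form into
    ('rate', bps), ('percent', n) or ('remainder', None)."""
    value = value.strip()
    if value == "remainder":
        return ("remainder", None)
    if value.startswith("percent"):
        pct = int(value.split()[1])
        if not 0 <= pct <= 100:
            raise ValueError(f"percent out of range 0..100: {pct}")
        return ("percent", pct)
    return ("rate", parse_rate(value))


def to_bps(kind, value, link_bps):
    """Resolve a parsed option to bits per second on a link of link_bps.
    'remainder' depends on the other queues and cannot be resolved here (None)."""
    if kind == "rate":
        return value
    if kind == "percent":
        return link_bps * value // 100
    return None


def check_scheduler(name, sched, link_bps):
    """Return a list of findings for one scheduler. sched is a dict with the
    optional keys transmit-rate, shaping-rate and priority (statement values as text)."""
    findings = []
    kind, tx = parse_rate_option(sched.get("transmit-rate", "remainder"))
    if kind == "rate" and not TRANSMIT_RATE_RANGE[0] <= tx <= TRANSMIT_RATE_RANGE[1]:
        findings.append(f"{name}: transmit-rate {tx} bps outside "
                        f"{TRANSMIT_RATE_RANGE[0]}..{TRANSMIT_RATE_RANGE[1]}")
    if kind == "percent" and tx == 0:
        findings.append(f"{name}: transmit-rate percent 0 drops every packet in the queue")
    if sched.get("priority", "low") not in PRIORITIES:
        findings.append(f"{name}: priority must be one of {PRIORITIES}")
    shaping = sched.get("shaping-rate")
    if shaping is not None:
        skind, sh = parse_rate_option(shaping)
        if skind == "rate" and not SHAPING_RATE_RANGE[0] <= sh <= SHAPING_RATE_RANGE[1]:
            findings.append(f"{name}: shaping-rate {sh} bps outside "
                            f"{SHAPING_RATE_RANGE[0]}..{SHAPING_RATE_RANGE[1]}")
        # The shaping rate is the absolute ceiling for the queue, so a value below
        # the guaranteed transmit rate makes the guarantee unreachable.
        tx_bps, sh_bps = to_bps(kind, tx, link_bps), to_bps(skind, sh, link_bps)
        if tx_bps is not None and sh_bps is not None and sh_bps < tx_bps:
            findings.append(f"{name}: shaping-rate {sh_bps} bps is below "
                            f"transmit-rate {tx_bps} bps")
    return findings


def check_scheduler_map(schedulers, link_bps):
    """Check every scheduler in a map, plus the map-wide rule (assumed here)
    that percent transmit-rates must not add up to more than 100."""
    findings = []
    percent_total = 0
    for name, sched in schedulers.items():
        findings.extend(check_scheduler(name, sched, link_bps))
        kind, val = parse_rate_option(sched.get("transmit-rate", "remainder"))
        if kind == "percent":
            percent_total += val
    if percent_total > 100:
        findings.append(f"transmit-rate percentages sum to {percent_total}, above 100")
    return findings


# Constructed sample scheduler map (not from the guide): best-effort and
# network-control schedulers split 95/5 as the <default> map does, plus a
# voice scheduler whose shaping-rate was mistakenly set below its transmit-rate.
SAMPLE_MAP = {
    "be-sched": {"transmit-rate": "percent 95", "priority": "low"},
    "nc-sched": {"transmit-rate": "percent 5", "priority": "strict-high",
                 "shaping-rate": "100m"},
    "voice-sched": {"transmit-rate": "200m", "shaping-rate": "percent 10",
                    "priority": "strict-high"},
}

if __name__ == "__main__":
    for finding in check_scheduler_map(SAMPLE_MAP, link_bps=1_000_000_000):
        print(finding)
```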


unit

Syntax

    unit logical-unit-number {
        forwarding-class class-name;
        classifiers {
            (dscp | ieee-802.1 | inet-precedence) (classifier-name | default);
        }
    }

Hierarchy Level

    [edit class-of-service interfaces interface-name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure a logical interface on the physical device. You must configure a logical interface to be able to use the physical device.

Options

logical-unit-number: Number of the logical unit.

    Range: 0 through 16,385

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.

routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Assigning CoS Components to Interfaces (CLI Procedure) on page 1044 or Assigning CoS Components to Interfaces (J-Web Procedure) on page 1045

Chapter 61

Operational Mode Commands for CoS


show class-of-service

Syntax

    show class-of-service

Release Information

Command introduced in JUNOS Release 9.0 for EX-series switches.

Description

Display the class of service (CoS) information.

Options

This command has no options.

Required Privilege Level

view

Related Topics

Example: Configuring CoS on EX-series Switches on page 1011

Monitoring CoS Value Aliases on page 1053

Monitoring CoS Classifiers on page 1047

Monitoring CoS Forwarding Classes on page 1048

Monitoring CoS Scheduler Maps on page 1051

Monitoring CoS Rewrite Rules on page 1050

List of Sample Output

show class-of-service on page 1081

Output Fields

Table 162 on page 1080 lists the output fields for the show class-of-service command. Output fields are listed in the approximate order in which they appear.

Table 162: show class-of-service Output Fields

Field Name          Field Description                                                       Level of Output
------------------  ----------------------------------------------------------------------  ---------------
Forwarding class    The forwarding class configuration:                                     All levels
                      Forwarding class: Name of the forwarding class.
                      ID: Forwarding class ID.
                      Queue: Queue number.
Code point type     The type of code-point alias:                                           All levels
                      dscp: Aliases for DiffServ code point (DSCP) values.
                      ieee802.1: Aliases for IEEE 802.1p values.
                      inet-precedence: Aliases for IP precedence values.
Alias               Names given to CoS values.                                              All levels
Bit pattern         Set of bits associated with an alias.                                   All levels
Classifier          Name of the classifier.                                                 All levels
Code point          Code-point values.                                                      All levels
Loss priority       Loss priority assigned to specific CoS values and aliases of the        All levels
                    classifier.
Rewrite rule        Name of the rewrite rule.                                               All levels
Drop profile        Name of the drop profile.                                               All levels
Type                Type of drop profile. EX-series switches support only the discrete      All levels
                    type of drop profile.
Fill level          Percentage of queue buffer fullness of high packets after which high    All levels
                    packets are dropped.
Scheduler           Name of the scheduler.                                                  All levels
Transmit rate       Transmission rate of the scheduler.                                     All levels
Buffer size         Delay buffer size in the queue.                                         All levels
Drop profiles       Drop profiles configured for the specified scheduler.                   All levels
Protocol            Transport protocol corresponding to the drop profile.                   All levels
Name                Name of the drop profile.                                               All levels
Queues supported    Number of queues that can be configured on the interface.               All levels
Queues in use       Number of queues currently configured.                                  All levels
Physical interface  Name of the physical interface.                                         All levels
Scheduler map       Name of the scheduler map.                                              All levels
Index               Internal index of a specific object.                                    All levels

show class-of-service

user@switch> show class-of-service
Forwarding class                      ID      Queue
  best-effort                          0          0
  expedited-forwarding                 1          5
  assured-forwarding                   2          1
  network-control                      3          7

Code point type: dscp
  Alias              Bit pattern
  af11               001010
  af12               001100
  ...                ...

Code point type: ieee-802.1
  Alias              Bit pattern
  af11               010
  ...                ...

Code point type: inet-precedence
  Alias              Bit pattern
  af11               001
  ...                ...

Classifier: dscp-default, Code point type: dscp, Index: 7
  Code point         Forwarding class        Loss priority
  000000             best-effort             low
  000001             best-effort             low
  ...                ...                     ...

Classifier: ieee8021p-default, Code point type: ieee-802.1, Index: 11
  Code point         Forwarding class        Loss priority
  000                best-effort             low
  001                best-effort             low
  010                best-effort             low
  011                best-effort             low
  100                best-effort             low
  101                best-effort             low
  110                network-control         low
  111                network-control         low

Classifier: ipprec-default, Code point type: inet-precedence, Index: 12
  Code point         Forwarding class        Loss priority
  000                best-effort             low
  001                best-effort             low
  010                best-effort             low
  011                best-effort             low
  100                best-effort             low
  101                best-effort             low
  110                network-control         low
  111                network-control         low

Classifier: ieee8021p-untrust, Code point type: ieee-802.1, Index: 16
  Code point         Forwarding class        Loss priority
  000                best-effort             low
  001                best-effort             low
  010                best-effort             low
  011                best-effort             low
  100                best-effort             low
  101                best-effort             low
  110                best-effort             low
  111                best-effort             low

Rewrite rule: dscp-default, Code point type: dscp, Index: 27
  Forwarding class             Loss priority       Code point
  best-effort                  low                 000000
  best-effort                  high                000000
  expedited-forwarding         low                 101110
  expedited-forwarding         high                101110
  assured-forwarding           low                 001010
  assured-forwarding           high                001100
  network-control              low                 110000
  network-control              high                111000

Rewrite rule: ieee8021p-default, Code point type: ieee-802.1, Index: 30
  Forwarding class             Loss priority       Code point
  best-effort                  low                 000
  best-effort                  high                001
  expedited-forwarding         low                 100
  expedited-forwarding         high                101
  assured-forwarding           low                 010
  assured-forwarding           high                011
  network-control              low                 110
  network-control              high                111

Rewrite rule: ipprec-default, Code point type: inet-precedence, Index: 31
  Forwarding class             Loss priority       Code point
  best-effort                  low                 000
  best-effort                  high                000
  expedited-forwarding         low                 101
  expedited-forwarding         high                101
  assured-forwarding           low                 001
  assured-forwarding           high                001
  network-control              low                 110
  network-control              high                111

Drop profile: <default-drop-profile>, Type: discrete, Index: 1
  Fill level
  100

Scheduler map: <default>, Index: 2

  Scheduler: <default-be>, Forwarding class: best-effort, Index: 20
    Transmit rate: 95 percent, Rate Limit: none, Buffer size: 95 percent, Priority: low
    Drop profiles:
      Loss priority     Protocol     Index     Name
      Low               non-TCP      1         <default-drop-profile>
      Low               TCP          1         <default-drop-profile>
      High              non-TCP      1         <default-drop-profile>
      High              TCP          1         <default-drop-profile>

  Scheduler: <default-nc>, Forwarding class: network-control, Index: 22
    Transmit rate: 5 percent, Rate Limit: none, Buffer size: 5 percent, Priority: low
    Drop profiles:
      Loss priority     Protocol     Index     Name
      Low               non-TCP      1         <default-drop-profile>
      Low               TCP          1         <default-drop-profile>
      High              non-TCP      1         <default-drop-profile>
      High              TCP          1         <default-drop-profile>

Physical interface: ge-0/0/0, Index: 129
  Queues supported: 8, Queues in use: 4
  Scheduler map: <default>, Index: 2

Physical interface: ge-0/0/1, Index: 130
  Queues supported: 8, Queues in use: 4
  Scheduler map: <default>, Index: 2

...

Fabric priority: low
  Scheduler: <default-fabric>, Index: 23
  Drop profiles:
    Loss priority     Protocol     Index     Name
    Low               non-TCP      1         <default-drop-profile>
    Low               TCP          1         <default-drop-profile>
    High              non-TCP      1         <default-drop-profile>
    High              TCP          1         <default-drop-profile>

Fabric priority: high
  Scheduler: <default-fabric>, Index: 23
  Drop profiles:
    Loss priority     Protocol     Index     Name
    Low               non-TCP      1         <default-drop-profile>
    Low               TCP          1         <default-drop-profile>
    High              non-TCP      1         <default-drop-profile>
    High              TCP          1         <default-drop-profile>

Part 13

PoE

Understanding PoE on page 1087

Examples of Configuring PoE on page 1091

Configuring PoE on page 1099

Verifying PoE on page 1103

Configuration Statements for PoE on page 1105

Operational Mode Commands for PoE on page 1115


Chapter 62

Understanding PoE

PoE and EX-series Switches Overview on page 1087

PoE and EX-series Switches Overview

Power over Ethernet (PoE) is the implementation of IEEE 802.3af, allowing both data and electric power to pass over a copper Ethernet LAN cable. This technology allows VoIP telephones, wireless access points, video cameras, and point-of-sale devices to safely receive power from the same access ports that are used to connect personal computers to the network.

This topic covers:

PoE and Power Supply Units in EX-series Switches on page 1087

Power Management Mode on page 1088

Classes of Powered Devices on page 1088

Global and Specific PoE Parameters on page 1088

PoE and Power Supply Units in EX-series Switches

EX-series switch models provide either 8, 24, or 48 PoE ports. The total number of PoE ports for an EX-series switch can be extended by inserting additional PoE cards. Power supply units with three different power capacities are available for use with the EX-series switches:

320-W power supply unit: Supports 8 ports of PoE power at 15.4 W per port, plus system power.

600-W power supply unit: Supports 24 ports of PoE power at 15.4 W per port, plus system power.

930-W power supply unit: Supports 48 ports of PoE power at 15.4 W per port, plus system power.

All 802.3af-compliant powered devices require no more than 12.95 watts. Thus, if you follow the recommended guidelines for selecting power supply units to support the number of PoE ports, the switch should be able to supply power to all connected powered devices. If you install a higher capacity power supply unit on a switch model that has only 8 PoE ports, it does not extend PoE capabilities to the non-PoE ports.


Power Management Mode

The power management mode is used to determine the number of interfaces that can be provided with power. There are two modes of power management:

Static: In this mode the power allocated for each interface can be configured.

Class: In this mode the power allocation for interfaces is decided based on the class of powered device connected.

Classes of Powered Devices

A powered device is classified based on the maximum power that it draws across all input voltages and operational modes. The most common class is 0, in which the switch allows a maximum draw of 15.4 W per port. The switch provides 15.4 W at the port in order to guarantee enough power to run a device, after accounting for line loss. For example, 15.4 W - power loss (16%) = 12.95 W. Table 163 on page 1088 lists the classes of powered devices and associated power levels.

Table 163: Class of Powered Device and Power Levels

Class   Usage      Minimum Power Levels Output from PoE Port   Range of Maximum Power Required by the Powered Device
-----   --------   -----------------------------------------   -----------------------------------------------------
0       Default    15.4 W                                      0.44 through 12.95 W
1       Optional   4.0 W                                       0.44 through 3.84 W
2       Optional   7.0 W                                       6.49 through 12.95 W
3       Optional   15.4 W                                      6.49 through 12.95 W

Global and Specific PoE Parameters

All EX-series switches with PoE ports have a PoE controller. The PoE controller keeps track of the switch's power consumption and distributes the available power to individual PoE ports. You can set the PoE controller to reserve a limited amount of power (up to 19 W) to handle a power spike. The default is that no power is kept on reserve.

The factory default configuration creates a PoE interface for all the PoE ports on the switch. You can specify maximum power, priority, and telemetries for each PoE interface.

maximum-power: This setting defaults to 15.4 W. If you follow the recommended guidelines for the installed power supply unit (see Table 163 on page 1088), the switch should be able to provide sufficient power for all PoE ports using the default power setting.

priority: This setting defaults to low. If a port is set as high priority and a situation arises where there is not sufficient power for all the PoE ports, the available power is directed to the higher priority port(s). If the switch needs to shut down powered devices because a power supply fails and there is insufficient power, low priority devices are shut before high priority powered devices. Thus, security cameras, emergency phones, and other high-priority devices should be set to high priority.

telemetries: This setting allows you to monitor per-port PoE power consumption. It is not included in the default PoE configuration.

Related Topics

EX-series Switches Interfaces Overview on page 259

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1094
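The following Python models the allocation behaviour described in this overview: in static mode each port needs its configured maximum-power (15.4 W by default), in class mode it needs the Table 163 level for its class, the controller's reserve (at most 19 W) is held back first, and high-priority ports are served before low-priority ones, so a shrinking budget sheds low-priority devices first. This is an added example, not Juniper's implementation; the power budget, the interface list and the tie-break order among equal-priority ports (configuration order) are constructed assumptions.

```python
# Minimum power output at the PoE port for each class of powered device
# (Table 163); class 0 is the default and allows the full 15.4 W per port.
CLASS_PORT_POWER_W = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4}
DEFAULT_MAX_POWER_W = 15.4   # default of the per-interface maximum-power setting
MAX_RESERVE_W = 19.0         # the controller can hold back at most 19 W for a spike
PRIORITY_RANK = {"high": 0, "low": 1}   # high-priority ports are served first


def port_demand_w(iface, mode):
    """Power the controller must set aside for one PoE interface.

    static mode: the configured maximum-power (15.4 W if not set).
    class mode:  the Table 163 level for the class the device reported.
    """
    if mode == "static":
        return float(iface.get("maximum-power", DEFAULT_MAX_POWER_W))
    if mode == "class":
        return CLASS_PORT_POWER_W[iface["class"]]
    raise ValueError(f"unknown power management mode: {mode!r}")


def allocate(interfaces, budget_w, mode="class", reserve_w=0.0):
    """Hand out budget_w watts of PoE power to the given interfaces.

    Returns (powered, unpowered, remaining_w). Ports are served in priority
    order, high before low; ports of equal priority are served in the order
    listed (an assumption of this model). A port whose demand no longer fits
    is left unpowered, which is also how a reduced budget after a power
    supply failure sheds low-priority devices before high-priority ones.
    """
    if not 0.0 <= reserve_w <= MAX_RESERVE_W:
        raise ValueError(f"reserve must be 0..{MAX_RESERVE_W} W, got {reserve_w}")
    remaining = budget_w - reserve_w
    order = sorted(enumerate(interfaces),
                   key=lambda p: (PRIORITY_RANK[p[1].get("priority", "low")], p[0]))
    powered, unpowered = [], []
    for _, iface in order:
        need = port_demand_w(iface, mode)
        if need <= remaining + 1e-9:      # tolerance for float rounding
            remaining -= need
            powered.append(iface["name"])
        else:
            unpowered.append(iface["name"])
    return powered, unpowered, round(remaining, 2)


# Constructed sample (not from the guide): five PoE ports on an 8-port model,
# with a camera and an emergency phone set to high priority, and a PoE budget
# of 40 W left after system power, 5 W of which is reserved for spikes.
SAMPLE_INTERFACES = [
    {"name": "ge-0/0/0", "class": 0, "priority": "low"},    # wireless access point
    {"name": "ge-0/0/1", "class": 2, "priority": "high"},   # emergency phone
    {"name": "ge-0/0/2", "class": 2, "priority": "low"},    # desk phone
    {"name": "ge-0/0/3", "class": 3, "priority": "high"},   # security camera
    {"name": "ge-0/0/4", "class": 1, "priority": "low"},    # small sensor
]

if __name__ == "__main__":
    powered, unpowered, left = allocate(SAMPLE_INTERFACES, 40.0, "class", reserve_w=5.0)
    print("powered:  ", powered)
    print("unpowered:", unpowered)
    print("remaining:", left, "W")
```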


Chapter 63

Examples of Configuring PoE

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1094

Example: Configuring PoE Interfaces on an EX-series Switch

All EX-series switches except the EX 4200-24F model provide Power over Ethernet (PoE) ports. The PoE ports supply electric power over the same ports that are used to connect network devices and allow you to plug in devices that require both network connectivity and electric power, such as VoIP phones, wireless access points, and some IP cameras. The factory default configuration specifies PoE interfaces for the PoE ports. Therefore, you do not need to configure PoE unless you wish to modify the default values or disable a specific PoE interface.

This example describes a default configuration of PoE interfaces on an EX-series switch:

Requirements on page 1091

Overview and Topology on page 1092

Configuration on page 1092

Verification on page 1093

Troubleshooting on page 1093

Requirements
This example uses the following software and hardware components:

JUNOS Release 9.0 or later for EX-series switches

One EX-series 4200 switch

Before you configure PoE, be sure you have:


Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (CLI Procedure) on page 57 or Connecting and Configuring
the EX-series Switch (J-Web Procedure) on page 58 for details.

Overview and Topology


The topology used in this example consists of one EX 4200-24T switch, which has
a total of 24 ports. Eight of the ports support PoE, which means they provide both
network connectivity and electric power for devices such as VoIP phones, wireless
access points, and some IP security cameras. The remaining 16 ports provide only
network connectivity. You use the standard ports to connect devices that have their
own power sources, such as desktop and laptop computers, printers, and servers.
Table 164 on page 1092 details the topology used in this configuration example.

Table 164: Components of the PoE Configuration Topology

Property                                                   Settings
Switch hardware                                            EX-series 4200-E-24T switch, with 24 Gigabit Ethernet
                                                           ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16
                                                           non-PoE ports (ge-0/0/8 through ge-0/0/23)
VLAN name                                                  default
Connection to a wireless access point (requires PoE)       ge-0/0/0
Connections to Avaya IP telephone with integrated hub,     ge-0/0/1 through ge-0/0/7
to connect phone and desktop PC to a single port
(requires PoE)
Direct connections to desktop PCs, file servers,           ge-0/0/8 through ge-0/0/20
integrated printer/fax/copier machines (no PoE required)
Unused ports (for future expansion)                        ge-0/0/21 through ge-0/0/23

Configuration

To enable the default PoE configuration on the switch:

CLI Quick Configuration

By default, PoE interfaces are created for all PoE ports and PoE is enabled. You can
simply connect powered devices to the PoE ports.

Step-by-Step Procedure

To use the PoE interfaces with default values:

1. Make sure the switch is powered on.

2. Connect the wireless access point to switch port ge-0/0/0.

3. Connect the eight Avaya phones to switch ports ge-0/0/1 through ge-0/0/7.

Verification

To verify that PoE interfaces have been created and are operational, perform this
task:

Verifying That the PoE Interfaces Have Been Created on page 1093

Verifying That the PoE Interfaces Have Been Created

Purpose
Verify that the PoE interfaces have been created on the switch.

Action
List all the PoE interfaces configured on the switch (see show poe interface on
page 1117):

user@switch> show poe interface
Interface  Enabled  status  max-power  priority  power-consumption  Class
ge-0/0/0   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/1   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/2   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/3   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/4   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/5   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/6   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/7   Enabled  ON      15.4W      Low       12.95W             0

Meaning
The show poe interface command lists PoE interfaces configured on the switch, with
their status, priority, power consumption, and class. This output shows that eight
interfaces have been created with default values and are consuming power at the
expected rates.

Troubleshooting

Troubleshooting PoE Interfaces

Problem
The PoE port is not supplying power to the port.

Solution
Check for the following:

Items to Check                                        Explanation
Is the switch a full PoE model or partial PoE?        If you are using a partial PoE model, only interfaces ge-0/0/0
                                                      through ge-0/0/7 can function as PoE ports.
Has the PoE interface been disabled for that port?    Use the show poe interface on page 1117 command to check
                                                      PoE interface status.
Is the cable properly seated in the port socket?      Check the hardware.
Enable telemetries for the interface.                 Check the history of power consumption on the interface by
                                                      using the show poe telemetries interface on page 1119
                                                      command.

Related Topics

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch on page 1094

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch

EX-series switches provide Power over Ethernet (PoE) ports, which supply electric
power over the same ports that are used to connect network devices. These ports
allow you to plug in devices that need both network connectivity and electric power,
such as VoIP phones, wireless access points, and some IP cameras. You can configure
a particular PoE interface to have a high priority setting. If a port is set as high priority
and a situation arises where there is not sufficient power for all the PoE ports, the
available power is directed to the higher priority ports. If the switch needs to shut
down powered devices because a power supply fails and there is insufficient power,
low priority devices are shut down before high priority powered devices. Thus,
security cameras, emergency phones, and other high priority phones should be set
to high priority.
This example describes how to configure a few high priority PoE interfaces for an
EX-series switch (by default, interfaces are set to low priority):

Requirements on page 1094

Overview and Topology on page 1094

Configuration on page 1095

Verification on page 1096

Troubleshooting on page 1097

Requirements
This example uses the following software and hardware components:

JUNOS Release 9.0 or later for EX-series switches

One EX-series 4200 switch

Before you configure PoE, be sure you have:

Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (CLI Procedure) on page 57 or Connecting and Configuring
the EX-series Switch (J-Web Procedure) on page 58 for details.

Overview and Topology


The topology used in this example consists of one EX 4200-24T switch, which has
a total of 24 ports. Eight of the ports support PoE, which means they provide both
network connectivity and electric power for devices such as VoIP telephones, wireless
access points, and some IP security cameras. The remaining 16 ports provide only
network connectivity. You use the standard ports to connect devices that have their
own power sources, such as desktop and laptop computers, printers, and servers.
Table 165 on page 1095 details the topology used in this configuration example.

Table 165: Components of the PoE Configuration Topology

Property                                                   Settings
Switch hardware                                            EX-series 4200E-24T switch, with 24 Gigabit Ethernet
                                                           ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16
                                                           non-PoE ports (ge-0/0/8 through ge-0/0/23)
VLAN name                                                  default
Connection to a wireless access point (requires PoE)       ge-0/0/0
Security IP cameras (require PoE)                          ge-0/0/1 and ge-0/0/2, priority high
Emergency VoIP phone (requires PoE)                        ge-0/0/3, priority high
VoIP phone in Executive Office (requires PoE)              ge-0/0/4, priority high
Other VoIP phones (require PoE)                            ge-0/0/5 through ge-0/0/7
Direct connections to desktop PCs, file servers,           ge-0/0/8 through ge-0/0/20
integrated printer/fax/copier machines (no PoE required)
Unused ports (for future expansion)                        ge-0/0/21 through ge-0/0/23

Configuration

Configure Power over Ethernet interfaces:

Configuring Desired Priority for PoE Interface and Enabling Telemetries

CLI Quick Configuration

By default, PoE interfaces are created for all PoE ports and PoE is enabled. The default
priority for PoE interfaces is low.

To quickly configure PoE with some interfaces set to high priority and others to the
default low priority, and to include a description of the interfaces, copy the following
commands and paste them into the switch terminal window:

[edit]
set poe interface ge-0/0/1 priority high telemetries
set poe interface ge-0/0/2 priority high telemetries
set poe interface ge-0/0/3 priority high telemetries
set poe interface ge-0/0/4 priority high telemetries
set poe interface all
set interfaces ge-0/0/0 description "wireless access point"
set interfaces ge-0/0/1 description "security camera front door"
set interfaces ge-0/0/2 description "security camera back door"
set interfaces ge-0/0/3 description "emergency phone"
set interfaces ge-0/0/4 description "Executive Office VoIP phone"
set interfaces ge-0/0/5 description "staff VoIP phone"
set interfaces ge-0/0/6 description "staff VoIP phone"
set interfaces ge-0/0/7 description "staff VoIP phone"

Step-by-Step Procedure

To configure PoE interfaces with different priorities:

1. Configure the PoE interfaces at the [edit poe] hierarchy level with some interfaces
set to high priority and others to the default low priority, thus enabling the
logging of per-port power consumption for the high priority ports.

[edit poe]
user@switch# set interface ge-0/0/1 priority high telemetries
user@switch# set interface ge-0/0/2 priority high telemetries
user@switch# set interface ge-0/0/3 priority high telemetries
user@switch# set interface ge-0/0/4 priority high telemetries
user@switch# set interface all

2. Specify a description for the PoE interfaces:

[edit interfaces]
user@switch# set ge-0/0/0 description "wireless access point"
user@switch# set ge-0/0/1 description "security camera front door"
user@switch# set ge-0/0/2 description "security camera back door"
user@switch# set ge-0/0/3 description "emergency phone"
user@switch# set ge-0/0/4 description "Executive Office VoIP phone"
user@switch# set ge-0/0/5 description "staff VoIP phone"
user@switch# set ge-0/0/6 description "staff VoIP phone"
user@switch# set ge-0/0/7 description "staff VoIP phone"

3. Connect the wireless access point to switch interface ge-0/0/0. This interface
is PoE-enabled for the default settings based on the factory configuration.
Telemetries are not enabled.

4. Connect the two security cameras to switch interfaces ge-0/0/1 and ge-0/0/2.
These interfaces are set to high priority with telemetries enabled.

5. Connect the emergency VoIP phone to switch interface ge-0/0/3. This interface
is set to high priority with telemetries enabled.

6. Connect the Executive Office VoIP phone to switch interface ge-0/0/4. This
interface is set to high priority with telemetries enabled.

7. Connect the staff VoIP phones to switch interfaces ge-0/0/5 through ge-0/0/7. These
interfaces are set to the default values. Telemetries are not enabled.

Verification

To verify that PoE interfaces have been created and are operational, perform the
following tasks:

Verifying That the PoE Interfaces Have Been Created with Desired
Priorities on page 1096

Verifying That the PoE Interfaces Have Been Created with Desired Priorities

Purpose
Verify that the PoE interfaces on the switch are now set to the desired priority settings.

Action
List all the PoE interfaces configured on the switch (see show poe interface on
page 1117):

user@switch> show poe interface
Interface  Enabled  Status  Max-Power  Priority  Power-Consumption  Class
ge-0/0/0   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/1   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/2   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/3   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/4   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/5   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/6   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/7   Enabled  OFF     15.4W      Low       0 W                0

Meaning
The show poe interface command lists PoE interfaces configured on the switch, with
their status, priority, power consumption, and class. This output shows that eight
PoE interfaces are enabled. Interfaces ge-0/0/1 through ge-0/0/3 are configured as
priority high. The remaining interfaces are configured with the default values.
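Reading this output by eye works for eight ports; on a stack it is easier to let a script compare the switch's state with the priorities the configuration intended, and to alert when a camera or emergency phone port is not powering its device. The script below is an added example, not part of the JUNOS guide or of Juniper's software. It parses the column layout of show poe interface shown above and audits it. The sample output it parses is constructed here in that format, with ge-0/0/3 shown OFF and ge-0/0/4 shown Low so that the audit has findings to report; EXPECTED_PRIORITY, parse_show_poe_interface, audit and the "Disabled" keyword in the parser are this example's own assumptions.

```python
"""Audit 'show poe interface' output against the intended PoE priorities.

Added example; not part of the JUNOS guide or of Juniper's software. It parses
the column layout shown above and reports three conditions worth alerting on:
a reported priority that differs from the configured one, a high-priority
interface (camera, emergency phone) that is not supplying power, and a draw
above the interface's maximum-power setting.
"""
import re
from typing import Dict, List, NamedTuple, Set

# Priorities the configuration above intended (assumed inventory for this example).
EXPECTED_PRIORITY: Dict[str, str] = {
    "ge-0/0/0": "Low",
    "ge-0/0/1": "High",
    "ge-0/0/2": "High",
    "ge-0/0/3": "High",
    "ge-0/0/4": "High",
    "ge-0/0/5": "Low",
    "ge-0/0/6": "Low",
    "ge-0/0/7": "Low",
}

# Constructed sample in the format of the output above. ge-0/0/3 is shown OFF
# and ge-0/0/4 is shown Low on purpose, so the audit has findings to report.
SAMPLE_OUTPUT = """\
Interface  Enabled  Status  Max-Power  Priority  Power-Consumption  Class
ge-0/0/0   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/1   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/2   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/3   Enabled  OFF     15.4W      High      0 W                0
ge-0/0/4   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/5   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/6   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/7   Enabled  OFF     15.4W      Low       0 W                0
"""


class PoeRow(NamedTuple):
    interface: str
    enabled: bool
    status: str            # "ON" or "OFF"
    max_power_w: float
    priority: str          # "High" or "Low"
    consumption_w: float
    pd_class: int


# The output prints "15.4W" but "0 W", so the space before W is optional.
# "Disabled" is assumed as the counterpart of "Enabled"; the guide shows only "Enabled".
_ROW_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<enabled>Enabled|Disabled)\s+(?P<status>ON|OFF)\s+"
    r"(?P<max>[\d.]+)\s*W\s+(?P<prio>High|Low)\s+(?P<cons>[\d.]+)\s*W\s+(?P<cls>\d+)\s*$"
)


def parse_show_poe_interface(text: str) -> List[PoeRow]:
    """Return one PoeRow per data line; the header and unrecognised lines are skipped."""
    rows: List[PoeRow] = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append(PoeRow(
            interface=m["intf"],
            enabled=(m["enabled"] == "Enabled"),
            status=m["status"],
            max_power_w=float(m["max"]),
            priority=m["prio"],
            consumption_w=float(m["cons"]),
            pd_class=int(m["cls"]),
        ))
    return rows


def audit(rows: List[PoeRow], expected: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the switch matches intent."""
    findings: List[str] = []
    seen: Set[str] = set()
    for r in rows:
        seen.add(r.interface)
        want = expected.get(r.interface)
        if want is not None and want != r.priority:
            findings.append(f"{r.interface}: priority is {r.priority}, expected {want}")
        if r.priority == "High" and r.status != "ON":
            # A camera or emergency phone that has lost power deserves a ticket.
            findings.append(f"{r.interface}: high-priority interface is {r.status}")
        if r.consumption_w > r.max_power_w:
            findings.append(f"{r.interface}: drawing {r.consumption_w} W above "
                            f"maximum-power {r.max_power_w} W")
    for intf in expected:
        if intf not in seen:
            findings.append(f"{intf}: missing from show poe interface output")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_poe_interface(SAMPLE_OUTPUT), EXPECTED_PRIORITY):
        print(finding)
```

Feed it the real command output captured from the switch in place of SAMPLE_OUTPUT; the parser skips the header and any line that does not fit the column pattern, so a trailing prompt or blank line does no harm.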

Troubleshooting

Troubleshooting PoE Interfaces

Problem
The PoE port is not supplying power to the port.

Solution
Check for the following:

Items to Check                                        Explanation
Is the switch a full PoE model or partial PoE?        If you are using a partial PoE model, only interfaces ge-0/0/0
                                                      through ge-0/0/7 can function as PoE ports.
Has the PoE interface been disabled for that port?    Use the show poe interface on page 1117 command to check
                                                      PoE interface status.
Is the cable properly seated in the port socket?      Check the hardware.
Enable telemetries for the interface.                 Check the history of power consumption on the interface by
                                                      using the show poe telemetries interface on page 1119
                                                      command.

Related Topics

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100


Chapter 64

Configuring PoE

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100

Configuring PoE (CLI Procedure)

EX-series switch models provide either 8, 24, or 48 PoE ports, which supply electric
power over the same ports that are used to connect network devices. These ports
allow you to plug in devices that require both network connectivity and electric
power, such as VoIP phones, wireless access points, and some IP cameras.
The factory default configuration for EX-series switches specifies and enables PoE
interfaces for the PoE ports.

To configure PoE using the CLI:

1. Enable PoE:

For all PoE interfaces:
[edit]
user@switch# set poe interface all

For a specific PoE interface:
[edit]
user@switch# set poe interface ge-0/0/0

2. Set the power priority:

For all PoE interfaces:
[edit]
user@switch# set poe interface all priority low

For a specific PoE interface:
[edit]
user@switch# set poe interface ge-0/0/0 priority high

3. Set the maximum PoE wattage available (the default is 15.4):

For all PoE interfaces:
[edit]
user@switch# set poe interface all maximum-power 14

For a specific PoE interface:
[edit]
user@switch# set poe interface ge-0/0/0 maximum-power 12.8

4. Enable logging of PoE power consumption with the default telemetries settings:

For all PoE interfaces:
[edit]
user@switch# set poe interface all telemetries

For a specific PoE interface:
[edit]
user@switch# set poe interface ge-0/0/0 telemetries

5. Reserve a specified wattage of power for the switch in case of a spike in PoE
consumption (the default is 0):
[edit]
user@switch# set poe guard-band 15

Related Topics

Configuring PoE (J-Web Procedure) on page 1100

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch on page 1094

Monitoring PoE on page 1103

PoE and EX-series Switches Overview on page 1087
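The priority setting (step 2) and the guard band (step 5) decide which devices stay up when the switch's PoE budget is short, so it is worth working through their effect before relying on them for cameras or emergency phones. The script below is an added example, not part of the JUNOS guide or of Juniper's software, and it does not reproduce the switch's PoE controller: it encodes only the rules the guide states (the guard band is held back from the ports, high-priority ports are served first, low-priority ports are shut down first) so that the outcome of a budget change can be traced on a constructed port set. PoePort, allocate, ports_to_shut_down, EXAMPLE_PORTS and the power budgets used are this example's own assumptions, as are reserving each enabled port's maximum-power value and serving ports of equal priority in ascending interface order.

```python
"""Illustrate the PoE priority and guard-band rules the procedure above describes.

Added example; it is not Juniper code and does not reproduce the switch's PoE
controller. It encodes only what the guide states: the guard band is power
reserved for the switch rather than handed to ports, high-priority ports are
served before low-priority ones, and when power runs short low-priority ports
are shut down before high-priority ports. Two details are assumptions made
here, not statements of the guide: each enabled port reserves its
maximum-power value, and ports of equal priority are served in ascending
interface order.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PoePort:
    name: str
    priority: str                 # "high" or "low" (the default)
    maximum_power: float = 15.4   # watts; the guide's default maximum-power


# Constructed port set mirroring the priority example earlier in this chapter.
EXAMPLE_PORTS: List[PoePort] = [
    PoePort("ge-0/0/0", "low"),
    PoePort("ge-0/0/1", "high"),
    PoePort("ge-0/0/2", "high"),
    PoePort("ge-0/0/3", "high"),
    PoePort("ge-0/0/4", "high"),
    PoePort("ge-0/0/5", "low"),
    PoePort("ge-0/0/6", "low"),
    PoePort("ge-0/0/7", "low"),
]


def allocate(ports: List[PoePort], budget_w: float,
             guard_band_w: float = 0.0) -> Dict[str, bool]:
    """Map each port name to whether it is powered under the stated rules."""
    if not 0 <= guard_band_w <= 19:            # range the guide gives for guard-band
        raise ValueError("guard-band must be 0 through 19 W")
    available = budget_w - guard_band_w         # the guard band is never handed to ports
    powered: Dict[str, bool] = {}
    # High priority first; equal priority in interface order (assumption).
    for port in sorted(ports, key=lambda p: (p.priority != "high", p.name)):
        if port.maximum_power <= available:
            available -= port.maximum_power
            powered[port.name] = True
        else:
            powered[port.name] = False
    return powered


def ports_to_shut_down(ports: List[PoePort], old_budget_w: float,
                       new_budget_w: float, guard_band_w: float = 0.0) -> List[str]:
    """Ports that lose power when the budget drops (for example after a power
    supply fails), listed low priority first, the shutdown order the guide describes."""
    before = allocate(ports, old_budget_w, guard_band_w)
    after = allocate(ports, new_budget_w, guard_band_w)
    by_name = {p.name: p for p in ports}
    lost = [n for n in before if before[n] and not after[n]]
    return sorted(lost, key=lambda n: (by_name[n].priority != "low", n))


if __name__ == "__main__":
    # 130 W budget with a 15 W guard band leaves 115 W: seven of eight ports fit.
    print(allocate(EXAMPLE_PORTS, budget_w=130, guard_band_w=15))
    # Budget falls to 80 W: only the four high-priority ports keep power.
    print(ports_to_shut_down(EXAMPLE_PORTS, 130, 80, guard_band_w=15))
```

With a 130 W budget and a 15 W guard band the four high-priority ports and three of the four low-priority ports are powered; when the budget drops to 80 W the three powered low-priority ports are shut down and the cameras and phones on ge-0/0/1 through ge-0/0/4 keep their power, which is the behaviour the priority setting is meant to guarantee.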

Configuring PoE (J-Web Procedure)

EX-series switch models provide either 8, 24, or 48 PoE ports, which supply electric
power over the same ports that are used to connect network devices. These ports
allow you to plug in devices that require both network connectivity and electric
power, such as VoIP phones, wireless access points, and some IP cameras. Using
the Power over Ethernet (PoE) configuration page, you can modify the settings of all
interfaces that are PoE-enabled.

To modify PoE settings:

1. In the Configure menu, select Power over Ethernet.

The page displays a list of all interfaces except uplink ports. Specific operational
details about an interface are displayed in the Details section of the page. The
details include the PoE Operational Status and Port class.

2. Click one:

Edit: Changes PoE settings for the selected port as described in
Table 166 on page 1101.

System Settings: Modifies general PoE settings as described in
Table 167 on page 1101.

Table 166: PoE Edit Settings

Field            Description                                         Your Action
Enable PoE       Specifies that PoE is enabled on the interface.     Select this option to enable PoE on the
                                                                     interface.
Priority         Lists the power priority (Low or High) configured   Set the priority as High or Low.
                 on ports enabled for PoE.
Maximum Power    Specifies the maximum PoE wattage available to      Select a value in watts. If no value is
                 provision active PoE ports on the switch.           specified, the default is 15.4.

Table 167: System Settings

Field            Description                                         Your Action
Guard Band       Specifies the band to control power availability    Enter a value to set the guard band value. The
                 on the switch.                                      default value is 0.

Related Topics

Configuring PoE (CLI Procedure) on page 1099

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch on page 1094

Monitoring PoE on page 1103

PoE and EX-series Switches Overview on page 1087


Chapter 65

Verifying PoE

Monitoring PoE on page 1103

Verifying Status of PoE Interfaces on an EX-series Switch on page 1104

Monitoring PoE

Purpose
Use the monitoring functionality to view real-time data of the power consumed by
each PoE interface, and to enable and configure Telemetries values. When Telemetries
is enabled, the software measures the power consumed by each interface and stores
the data for future reference.

Action
To monitor PoE using the J-Web interface, select Monitor > Power over Ethernet.

To monitor PoE using the CLI:

To display the real-time PoE status for all PoE interfaces, enter show poe
interface (see show poe interface on page 1117).

To display the real-time PoE status for a specific PoE interface, enter show poe
interface interface-name.

The show poe interface on page 1117 command displays the power consumption of the
interface at the moment that the command is issued.
To monitor the PoE interface's power consumption over a period of time, you can
enable telemetries for the interface with the telemetries configuration statement.
When Telemetries is enabled, you can display the log of the interface's power
consumption by using the CLI command (see show poe telemetries interface on
page 1119):

show poe telemetries interface interface-name all | x

Meaning
In the J-Web interface the PoE Monitoring screen is divided into two parts. The top
half of the screen displays real-time data of the power consumed by each interface
and a list of ports that utilize maximum power.
Select a particular interface to view a graph of the power consumed by the selected
interface.
The bottom half of the screen displays telemetries values for interfaces. The telemetry
status displays whether telemetry has been enabled on the interface. Click the Show
Graph button to view a graph of the telemetries. The graph can be based on power
or voltage. To modify telemetries values, click Edit. Specify Interval in minutes,
Duration in hours, and select Log Telemetries to enable telemetries on the selected
interface.

Related Topics

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch on page 1094

Verifying Status of PoE Interfaces on an EX-series Switch on page 1104

Verifying Status of PoE Interfaces on an EX-series Switch

Purpose
Verify that the PoE interfaces on the switch are enabled and set to the desired priority
settings.

Action
List all the PoE interfaces configured on the switch (see show poe interface on
page 1117):

user@switch> show poe interface
Interface  Enabled  Status  Max-Power  Priority  Power-Consumption  Class
ge-0/0/0   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/1   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/2   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/3   Enabled  ON      15.4W      High      12.95W             0
ge-0/0/4   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/5   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/6   Enabled  ON      15.4W      Low       12.95W             0
ge-0/0/7   Enabled  OFF     15.4W      Low       0 W                0

Meaning
The show poe interface command lists PoE interfaces configured on the switch, with
their status, priority, power consumption, and class. This command has been executed
on a switch with partial PoE (8 PoE ports). The output shows that all eight PoE
interfaces are enabled. Interfaces ge-0/0/1 through ge-0/0/3 are configured as priority
high. The remaining interfaces were configured with the default values.

Related Topics

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch on page 1094

Monitoring PoE on page 1103


Chapter 66

Configuration Statements for PoE


[edit poe] Configuration Statement Hierarchy on page 1105

[edit poe] Configuration Statement Hierarchy


poe {
    guard-band watts;
    interface (all | interface-name) {
        disable;
        maximum-power watts;
        priority value;
        telemetries {
            disable;
            duration hours;
            interval minutes;
        }
    }
    management type;
}

Related Topics

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch on page 1094

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100

PoE and EX-series Switches Overview on page 1087


disable

Syntax
disable;

Hierarchy Level
[edit poe interface (all | interface-name)],
[edit poe interface (all | interface-name) telemetries]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Disables the PoE capabilities of this port. The port operates as a standard network
access port. If the disable statement is specified after the telemetries statement, it
disables the logging of PoE power consumption for this port.
To disable the monitoring and retain the stored configuration values for interval and
duration for possible future use, you can specify the disable substatement in the
substanza for telemetries.

Default
The PoE capabilities are automatically enabled when a PoE interface is set. If the
telemetries statement is specified, monitoring of PoE per-port power consumption
is enabled.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch on page 1094

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100

PoE and EX-series Switches Overview on page 1087

duration

Syntax
duration hours;

Hierarchy Level
[edit poe interface (all | interface-name) telemetries]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Modify the duration for logging telemetries if you are monitoring the per-port power
consumption for PoE interfaces.

Options
hours: Hours the logging continues.
Range: 1 through 24 hours
Default: 1 hour

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch on page 1094

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100

PoE and EX-series Switches Overview on page 1087


guard-band

Syntax
guard-band watts;

Hierarchy Level
[edit poe]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Reserve the specified amount of power for the switch in case of a spike in PoE
consumption.

Default
0 W

Options
watts: Amount of power to be reserved for the switch in case of a spike in PoE
consumption.
Range: 0 through 19 W
Default: 0 W

Required Privilege Level
router: To view this statement in the configuration.
router-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch on page 1094

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100

PoE and EX-series Switches Overview on page 1087


interface

Syntax
interface (all | interface-name) {
    disable;
    maximum-power watts;
    priority value;
    telemetries {
        disable;
        interval minutes;
        duration hours;
    }
}

Hierarchy Level
[edit poe]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Enable a PoE interface for a PoE port. An interface must be enabled in order for the
port to provide power to a connected powered device.

Default
The PoE interface is enabled by default.

Options
all: All interfaces on the switch.
interface-name: Name of the specific interface.
The remaining statements are explained separately.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch on page 1094

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100

PoE and EX-series Switches Overview on page 1087


interval

Syntax
interval minutes;

Hierarchy Level
[edit poe interface (all | interface-name) telemetries]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Modify the interval for logging telemetries if you are monitoring the per-port power
consumption for PoE interfaces.

Options
minutes: Frequency of logging.
Range: 1 through 30 minutes
Default: 5 minutes

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch on page 1094

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100

PoE and EX-series Switches Overview on page 1087


management

Syntax
management type;

Hierarchy Level
[edit poe]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Designate the way that the switch's PoE controller allocates power to the PoE ports.

Default
static

Options
type: Management type:
static: The switch reserves a certain amount of power for the PoE port even
when a powered device is not connected to the port. This setting ensures that
power is available when needed.

Required Privilege Level
router: To view this statement in the configuration.
router-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch on page 1094

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100

PoE and EX-series Switches Overview on page 1087


maximum-power

Syntax
maximum-power watts;

Hierarchy Level
[edit poe interface (all | interface-name)]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Maximum amount of power that can be supplied to the port.

Default
15.4 W

Options
watts: Maximum power for the port.
Range: 0 through 15.4
Default: 15.4 W

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch on page 1094

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100

PoE and EX-series Switches Overview on page 1087


priority

Syntax
priority value;

Hierarchy Level
[edit poe interface (all | interface-name)]

Release Information
Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description
Set the priority for shutdown of individual ports when there is insufficient power for
all PoE ports. If a port is set as high priority and a situation arises where there is not
sufficient power for all the PoE ports, the available power is directed to the higher
priority port(s). If the switch needs to shut down powered devices because a power
supply fails and there is insufficient power, low priority devices are shut down before
high priority devices.

Default
low

Options
value: high or low:
high: Specifies that this port is to be treated as high priority in terms of power
allocation. If there is insufficient power for all the PoE ports, the available power
is directed to this port. If the switch needs to shut down powered devices because
a power supply fails and there is insufficient power, the power is not shut down
on this port until after it has been shut down on all the low priority ports.
low: Specifies that this port is to be treated as low priority in terms of power
allocation. If there is insufficient power for all the PoE ports, power is not supplied
to this port. If the switch needs to shut down powered devices because a power
supply fails and there is insufficient power, the power is shut down on this port
before it is shut down on high priority ports.

Required Privilege Level
routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch on page 1094

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100

PoE and EX-series Switches Overview on page 1087


telemetries

Syntax

telemetries {
    disable;
    duration hours;
    interval minutes;
}

Hierarchy Level

[edit poe interface (all | interface-name)]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Allows you to log per-port PoE power consumption.
If you want to log per-port power consumption, you must explicitly specify the telemetries statement. You can enable telemetries for all the PoE interfaces by setting poe interface all. However, if you modify the configuration of any individual PoE interface (for example, to change the priority), you must also specify telemetries for that interface in order to maintain the logging. If you do not specify telemetries for a PoE interface, logging is disabled.
The statements are explained separately.

Default

If the telemetries statement is specified, logging is enabled with the default values for interval and duration.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1094

Configuring PoE (CLI Procedure) on page 1099

Configuring PoE (J-Web Procedure) on page 1100

PoE and EX-series Switches Overview on page 1087

Chapter 67

Operational Mode Commands for PoE


show poe controller

Syntax

show poe controller <detail | summary>

Release Information

Command introduced in JUNOS Release 9.0 for EX-series switches.

Description

Display the status of the Power over Ethernet (PoE) software module controller.

Options

none: Display general parameters of the PoE software module controller.
detail | summary: (Optional) Display the specified level of output.

Required Privilege Level

view

Related Topics

show poe interface on page 1117

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1094

Monitoring PoE on page 1103

List of Sample Output

show poe controller on page 1116

Output Fields

Table 168 on page 1116 lists the output fields for the show poe controller command. Output fields are listed in the approximate order in which they appear.

Table 168: show poe controller Output Fields

Field Name: Field Description
Ctrl-index: Identifies the controller.
Max-power: Specifies the maximum power that can be provided by the switch to PoE ports.
power-consumption: Specifies the total amount of power being used by the PoE ports, as measured by the specified telemetries settings.
Guard-band: Specifies the amount of power that has been placed in reserve.
Management: Specifies the management mode. Static is the only management mode supported.

show poe controller

user@host> show poe controller
Ctrl-index  Max-power  power-consumption  Guard-band  Management
0           305 W      0W                 15W         Static

show poe interface

Syntax

show poe interface <ge-fpc/pic/port>

Release Information

Command introduced in JUNOS Release 9.0 for EX-series switches.

Description

Display the status of Power over Ethernet (PoE) ports.

Options

none: Display status of all PoE ports on the switch.
ge-fpc/pic/port: (Optional) Display the status of a specific PoE port on the switch.

Required Privilege Level

view

Related Topics

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1094

Monitoring PoE on page 1103

List of Sample Output

show status for all poe interfaces on the switch on page 1117
show status for a specific PoE interface on the switch on page 1118

Output Fields

Table 169 on page 1117 lists the output fields for the show poe interface command. Output fields are listed in the approximate order in which they appear.

Table 169: show poe interface Output Fields

Field Name: Field Description
PoE Interface: Specifies the interface address.
Enabled: Specifies whether PoE capabilities are enabled or disabled.
status: Specifies whether PoE is currently being provided to the port.
max-power: Specifies the maximum power that can be provided to the port.
priority: Specifies whether the port is high or low priority.
power-consumption: Specifies how much power is being used by the port, as measured by the specified telemetries settings.
Class: Indicates the IEEE 802.3af classification that defines the maximum power requirements for a powered device.

show status for all poe interfaces on the switch

user@host> show poe interface
Interface  Enabled  status  max-power  priority  power-consumption  Class
ge-0/0/1   Enabled  OFF     15.4W      Low       0.0W               0
ge-0/0/3   Enabled  OFF     12.0W      High      0.0W               0
ge-0/0/5   Enabled  OFF     15.4W      Low       0.0W               0

show status for a specific PoE interface on the switch

user@host> show poe interface ge-0/0/3
PoE interface status:
PoE interface                               : ge-0/0/3
PoE capability of the interface             : Enabled
Current status of power supply on interface : OFF
Power limit on the interface                : 12.0W
Priority                                    : High
Power consumed                              : 0.0W
Class of power device                       : 0

show poe telemetries interface

Syntax

show poe telemetries interface ge-fpc/pic/port (all | x)

Release Information

Command introduced in JUNOS Release 9.0 for EX-series switches.

Description

Display a history of power consumption on the specified interface.

Options

ge-fpc/pic/port: Display telemetries for the specified PoE interface.
all: Display all telemetries records for the specified PoE interface.
x: Display the specified number of telemetries records for the specified PoE interface.

Required Privilege Level

view

Related Topics

show poe interface on page 1117

Example: Configuring PoE Interfaces on an EX-series Switch on page 1091

Example: Configuring PoE Interfaces with Different Priorities on an EX-series Switch on page 1094

Monitoring PoE on page 1103

List of Sample Output

show poe telemetries interface (Last 10 Records) on page 1119
show poe telemetries interface (All Records) on page 1120

Output Fields

Table 170 on page 1119 lists the output fields for the show poe telemetries interface command. Output fields are listed in the approximate order in which they appear.

Table 170: show poe telemetries interface Output Fields

Field Name: Field Description
Sl No: Number of the record for the specified port. Record number 1 is the most recent.
Timestamp: Time that the power-consumption data was gathered.
Power: Amount of power provided by the specified port at the time the data was gathered.
Voltage: Maximum voltage provided by the specified port at the time the data was gathered.

show poe telemetries interface (Last 10 Records)

user@switch> show poe telemetries interface ge-0/0/0 10
Sl No  Timestamp                Power   Voltage
1      01-27-2008 18:19:58 UTC  15.4W   51.6V
2      01-27-2008 18:18:58 UTC  15.4W   51.6V
3      01-27-2008 18:17:58 UTC  15.4W   51.6V
4      01-27-2008 18:16:58 UTC  15.4W   51.6V
5      01-27-2008 18:15:58 UTC  15.4W   51.6V
6      01-27-2008 18:14:58 UTC  15.4W   51.6V
7      01-27-2008 18:13:58 UTC  15.4W   51.6V
8      01-27-2008 18:12:57 UTC  15.4W   51.6V
9      01-27-2008 18:11:57 UTC  15.4W   51.6V
10     01-27-2008 18:10:57 UTC  15.4W   51.6V

show poe telemetries interface (All Records)

user@switch> show poe telemetries interface ge-0/0/0 all
Sl No  Timestamp                Power   Voltage
1      01-27-2008 18:19:58 UTC  15.4W   51.6V
2      01-27-2008 18:18:58 UTC  15.4W   51.6V
3      01-27-2008 18:17:58 UTC  15.4W   51.6V
4      01-27-2008 18:16:58 UTC  15.4W   51.6V
5      01-27-2008 18:15:58 UTC  15.4W   51.6V
6      01-27-2008 18:14:58 UTC  15.4W   51.6V
7      01-27-2008 18:13:58 UTC  15.4W   51.6V
8      01-27-2008 18:12:57 UTC  15.4W   51.6V
9      01-27-2008 18:11:57 UTC  15.4W   51.6V
10     01-27-2008 18:10:57 UTC  15.4W   51.6V
11     01-27-2008 18:09:57 UTC  15.4W   51.6V
12     01-27-2008 18:08:57 UTC  15.4W   51.6V
13     01-27-2008 18:07:57 UTC  15.4W   51.6V
14     01-27-2008 18:06:57 UTC  15.4W   51.6V
15     01-27-2008 18:05:57 UTC  15.4W   51.6V
16     01-27-2008 18:04:56 UTC  15.4W   51.6V
17     01-27-2008 18:03:56 UTC  15.4W   51.6V
18     01-27-2008 18:02:56 UTC  15.4W   51.6V
19     01-27-2008 18:01:56 UTC  15.4W   51.6V
20     01-27-2008 18:00:56 UTC  15.4W   51.6V
21     01-27-2008 17:59:56 UTC  15.4W   51.6V
22     01-27-2008 17:58:56 UTC  15.4W   51.6V
23     01-27-2008 17:57:56 UTC  15.4W   51.6V
24     01-27-2008 17:56:55 UTC  15.4W   51.6V
25     01-27-2008 17:55:55 UTC  15.4W   51.6V
26     01-27-2008 17:54:55 UTC  15.4W   51.6V
27     01-27-2008 17:53:55 UTC  15.4W   51.6V
28     01-27-2008 17:52:55 UTC  15.4W   51.6V
29     01-27-2008 17:51:55 UTC  15.4W   51.6V
30     01-27-2008 17:50:55 UTC  15.4W   51.6V
31     01-27-2008 17:49:55 UTC  15.4W   51.6V
32     01-27-2008 17:48:55 UTC  15.4W   51.6V
33     01-27-2008 17:47:54 UTC  15.4W   51.6V
34     01-27-2008 17:46:54 UTC  15.4W   51.6V
35     01-27-2008 17:45:54 UTC  15.4W   51.6V
36     01-27-2008 17:44:54 UTC  15.4W   51.6V
37     01-27-2008 17:43:54 UTC  15.4W   51.6V
38     01-27-2008 17:42:54 UTC  15.4W   51.6V
39     01-27-2008 17:41:54 UTC  15.4W   51.6V
40     01-27-2008 17:40:54 UTC  15.4W   51.6V
41     01-27-2008 17:39:53 UTC  15.4W   51.6V
42     01-27-2008 17:38:53 UTC  15.4W   51.6V
43     01-27-2008 17:37:53 UTC  15.4W   51.6V
44     01-27-2008 17:36:53 UTC  15.4W   51.6V
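The telemetries records above are what an operator would poll to watch PoE-powered devices (IP phones, cameras, access points) for unexpected loss of power or for a port that has stopped reporting. The following Python is an added example, not code from the Juniper guide: it parses the record format shown above and walks the records from oldest to newest, flagging a draw that falls to 0 W, a draw that comes back, and a gap between samples longer than the logging interval. The sample output is constructed in the page's format (it includes a constructed power loss and a constructed three-minute gap); the one-minute expected interval and the five-second slack are assumptions rather than values the page states.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of "show poe telemetries interface ge-0/0/0 x"
# (not captured from a real switch): records 3 and 2 show a powered device going
# dark, and three minutes pass between records 4 and 3.
SAMPLE_OUTPUT = """\
user@switch> show poe telemetries interface ge-0/0/0 6
Sl No  Timestamp                Power   Voltage
1      01-27-2008 18:19:58 UTC  15.4W   51.6V
2      01-27-2008 18:18:58 UTC  0.0W    0.0V
3      01-27-2008 18:17:58 UTC  0.0W    0.0V
4      01-27-2008 18:14:58 UTC  15.4W   51.6V
5      01-27-2008 18:13:58 UTC  15.4W   51.6V
6      01-27-2008 18:12:57 UTC  15.4W   51.6V
"""

# One telemetries record: serial number, MM-DD-YYYY timestamp in UTC, power in W, voltage in V.
RECORD_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+"
    r"(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) UTC\s+"
    r"(?P<power>\d+(?:\.\d+)?)W\s+"
    r"(?P<volt>\d+(?:\.\d+)?)V\s*$"
)


def parse_telemetries(text):
    """Return the records as dicts sorted by serial number (record 1 is the most recent)."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # prompt, column header, or blank line
        records.append({
            "no": int(m.group("no")),
            "ts": datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S"),
            "power_w": float(m.group("power")),
            "voltage_v": float(m.group("volt")),
        })
    return sorted(records, key=lambda r: r["no"])


def find_events(records, expected_interval=timedelta(minutes=1), slack=timedelta(seconds=5)):
    """Compare each record with the one before it (oldest to newest) and report changes.

    Returns tuples (kind, record_no, value):
      ("gap", n, seconds)           samples stopped arriving before record n
      ("power-lost", n, delta_w)    the draw fell to 0 W at record n (device unplugged or failed)
      ("power-restored", n, delta_w) the draw came back at record n
    """
    events = []
    for i in range(len(records) - 1, 0, -1):
        older, newer = records[i], records[i - 1]
        gap = newer["ts"] - older["ts"]
        if gap > expected_interval + slack:
            events.append(("gap", newer["no"], gap.total_seconds()))
        delta = newer["power_w"] - older["power_w"]
        if older["power_w"] > 0 and newer["power_w"] == 0:
            events.append(("power-lost", newer["no"], delta))
        elif older["power_w"] == 0 and newer["power_w"] > 0:
            events.append(("power-restored", newer["no"], delta))
    return events


if __name__ == "__main__":
    for event in find_events(parse_telemetries(SAMPLE_OUTPUT)):
        print(event)
```

Records are compared oldest to newest so that each event is attributed to the record at which the change first became visible; the same parser works on the output of the all keyword, since only the number of records differs.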

Part 14

Port Mirroring

Understanding Port Mirroring on page 1123

Examples of Configuring Port Mirroring on page 1127

Configuring Port Mirroring on page 1139

Configuration Statements for Port Mirroring on page 1147

Operational Mode Commands for Port Mirroring on page 1159

Chapter 68

Understanding Port Mirroring

Port Mirroring on EX-series Switches Overview on page 1123

Port Mirroring on EX-series Switches Overview


Use port mirroring to facilitate analyzing traffic on your switch on a packet level. Use
port mirroring as part of monitoring switch traffic for such purposes as enforcing
policies concerning network usage and file sharing, and identifying sources of
problems on your network by locating abnormal or heavy bandwidth usage from
particular stations or applications.
Port mirroring copies packets entering or exiting an interface, or entering a VLAN,
to either a local interface for local monitoring or to a VLAN for remote monitoring.

Port Mirroring Overview on page 1123

Port Mirroring Terminology on page 1124

Port Mirroring Overview


Port mirroring is needed for traffic analysis on a switch because a switch, unlike a
hub, does not broadcast packets to every port on the device. The switch sends packets
only to the port to which the destination device is connected. You configure port
mirroring on the switch to send copies of unicast traffic to either a local analyzer
interface or an analyzer VLAN. Then you can analyze the mirrored traffic using a
protocol analyzer application. The protocol analyzer application can run either on a
computer connected to the analyzer output interface or on a remote monitoring
station.
We recommend that you disable port mirroring when you are not using it, and select specific interfaces as input to the port mirror analyzer in preference to using the all keyword. You can also limit the amount of mirrored traffic by using statistical sampling (setting a ratio to select a statistical sample) or by using a firewall filter. Mirroring only the necessary packets reduces any potential performance impact.
With local port mirroring, traffic from multiple ports is replicated to the analyzer
output interface. If the output interface for an analyzer reaches capacity, packets are
dropped. You should consider whether the traffic being mirrored exceeds the capacity
of the analyzer output interface.


You can use port mirroring on an EX-series switch to mirror any of the following:

Packets entering or exiting a port: In any combination. For example, you can send copies of the packets entering some ports and the packets exiting other ports to the same local analyzer port or analyzer VLAN.

Packets entering a VLAN: You can mirror the packets entering a VLAN to either a local analyzer port or to an analyzer VLAN.

Statistical sample: Sample of the packets entering or exiting a port or entering a VLAN. Specify the sample number of packets by setting the ratio. You can send the sample of packets to either a local analyzer port or to an analyzer VLAN.

Policy-based sample: Sample of packets entering a port or VLAN. You can configure a firewall filter to establish a policy to select certain packets. You can send the sampled packets to a local analyzer interface or to an analyzer VLAN.

NOTE: Firewall filters are not supported on egress ports, therefore you cannot specify
policy-based sampling of packets exiting an interface.

NOTE: JUNOS software for EX-series switches implements port mirroring differently
than other JUNOS software packages. JUNOS software for EX-series switches does
not include the port-mirroring statement found in the edit forwarding-options level of
the hierarchy of other JUNOS software packages, nor the port-mirror action in firewall
filter terms.

Limitations of Port Mirroring


Port mirroring on EX-series switches has the following limitations:

Only one port mirroring instance can be configured on an EX-series switch.

Packets with physical layer errors are filtered out and thus are not sent to the
analyzer port or VLAN.

Only one VLAN can be configured as input to an analyzer.

The following interfaces cannot be configured as input to an analyzer:

Aggregated port (LAG)

Dedicated virtual chassis ports

Management port (me0 or vme0)

Port Mirroring Terminology

Term: Description

Analyzer: A port-mirroring configuration on an EX-series switch. The analyzer includes a name, source ports or source VLAN, a destination for mirrored packets (either a monitor port or an analyzer VLAN), an optional ratio field for specifying statistical sampling of packets, and a loss-priority setting.

Analyzer output interface (also known as monitor interface): Interface to which mirrored traffic is sent and to which a protocol analyzer application is connected. The following limitations apply to analyzer output interfaces:

Cannot also be a source port.

Cannot be used for switching.

Does not participate in Layer 2 protocols, such as Spanning Tree Protocol (STP), when it is part of a port mirroring configuration.

When configured as an analyzer output interface, it loses any existing VLAN associations.

If the bandwidth of the analyzer output interface is not sufficient to handle the traffic from the source ports, overflow packets are dropped.

Analyzer VLAN (also known as monitor VLAN): VLAN to which mirrored traffic is sent and to which a protocol analyzer application is connected. The analyzer VLAN is spread across the switches in your network.

Input interface (also known as mirrored ports or monitored interfaces): An interface on the switch that is being mirrored, either on traffic entering or exiting the interface. An input interface cannot also be an output interface for an analyzer.

Mirror ratio: See statistical sampling.

Monitoring station: A computer running a protocol analyzer application.

Remote port mirroring: Functions the same as local port mirroring, except that the traffic that is mirrored is not copied to a local analyzer port but is instead flooded into an analyzer VLAN that you create specifically for the purpose of receiving mirrored traffic.

Policy-based mirroring: Mirroring of packets that match the match items in the defined firewall filter term. The action item analyzer analyzer-name is used in the firewall filter to send the packets to the port mirror analyzer.

Protocol analyzer application: An application used to examine packets transmitted across a network segment. Also commonly called network analyzer, packet sniffer, or probe.

Statistical sampling: You can configure the system to mirror a sampling of the packets, by setting a ratio of 1:x, where x is a value from 1 through 2047. For example, when the ratio is set to 1, all packets are copied to the analyzer. When the ratio is set to 200, 1 of every 200 packets is copied.
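The limitations listed under Limitations of Port Mirroring, together with the output-interface rules and the ratio range in the terminology above, are the checks an operator wants applied before an analyzer is committed: an analyzer that violates them either fails to commit or mirrors less than intended, which matters when the mirror feeds an IDS or a forensic capture. The Python below is an added example, not Juniper's code or the guide's: it models an analyzer as data, validates it against the rules stated on this page (one instance per switch, one input VLAN, no LAG, virtual chassis or management port as input, output interface never also a source, ratio 1 through 2047, loss-priority high only with a VLAN output) and renders the matching set commands. The "ae" and "vcp-" name prefixes for LAG and virtual chassis ports, and the exact ratio and input ingress vlan statement forms, are assumptions about the CLI that this page does not itself spell out.

```python
import re
from dataclasses import dataclass, field

MAX_RATIO = 2047  # statistical sampling ratio 1:x, x from 1 through 2047 (from the guide)

# Interface names that cannot be analyzer inputs on EX-series switches per the guide:
# LAG, dedicated virtual chassis ports, management port. The "ae" and "vcp-" prefixes
# are the usual JUNOS names for LAG and virtual chassis ports (assumption).
FORBIDDEN_INPUT = re.compile(r"^(ae\d+|vcp-|me0|vme0)")


@dataclass
class Analyzer:
    name: str
    ingress: list = field(default_factory=list)      # input ingress interfaces
    egress: list = field(default_factory=list)       # input egress interfaces
    input_vlans: list = field(default_factory=list)  # input ingress VLANs
    output_interface: str = None                     # local analyzer output interface
    output_vlan: str = None                          # analyzer VLAN for remote mirroring
    ratio: int = 1                                   # 1 mirrors every packet
    loss_priority: str = "low"


def validate(analyzers):
    """Return a list of problems; an empty list means the configuration respects the
    limitations stated in the guide."""
    problems = []
    if len(analyzers) > 1:
        problems.append("only one port mirroring instance can be configured on the switch")
    for a in analyzers:
        if bool(a.output_interface) == bool(a.output_vlan):
            problems.append(f"{a.name}: exactly one of output interface or output vlan is required")
        if len(a.input_vlans) > 1:
            problems.append(f"{a.name}: only one VLAN can be configured as input")
        for ifname in a.ingress + a.egress:
            if FORBIDDEN_INPUT.match(ifname):
                problems.append(f"{a.name}: {ifname} cannot be an analyzer input (LAG, VCP or management port)")
            if a.output_interface and ifname == a.output_interface:
                problems.append(f"{a.name}: output interface {ifname} cannot also be a source port")
        if not 1 <= a.ratio <= MAX_RATIO:
            problems.append(f"{a.name}: ratio {a.ratio} is outside 1..{MAX_RATIO}")
        if a.loss_priority == "high" and not a.output_vlan:
            problems.append(f"{a.name}: loss-priority high is only for analyzers whose output is a VLAN")
    return problems


def render(a):
    """Emit the set commands for one analyzer under [edit ethernet-switching-options]."""
    base = f"set analyzer {a.name}"
    cmds = [f"{base} input ingress interface {i}" for i in a.ingress]
    cmds += [f"{base} input egress interface {i}" for i in a.egress]
    cmds += [f"{base} input ingress vlan {v}" for v in a.input_vlans]  # statement form assumed
    if a.ratio != 1:
        cmds.append(f"{base} ratio {a.ratio}")  # statement form assumed
    if a.loss_priority != "low":
        cmds.append(f"{base} loss-priority {a.loss_priority}")
    if a.output_interface:
        cmds.append(f"{base} output interface {a.output_interface}")
    if a.output_vlan:
        cmds.append(f"{base} output vlan {a.output_vlan}")
    return cmds


if __name__ == "__main__":
    # The local example from the guide, expressed as data.
    monitor = Analyzer("employee-monitor", ingress=["ge-0/0/0.0", "ge-0/0/1.0"],
                       output_interface="ge-0/0/10.0")
    print(validate([monitor]) or "ok")
    print("\n".join(render(monitor)))
```

Running validate before render keeps a bad analyzer from ever being pasted into the switch; the checks are deliberately the ones this page states, so a rule the guide does not mention (for example a platform-specific port count) would have to be added from that platform's documentation.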

Related Topics

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1127

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1133

Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 1143 or Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1139

analyzer configuration statement

show analyzer on page 1160 command

Chapter 69

Examples of Configuring Port Mirroring

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1127

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1133

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches
EX-series switches allow you to configure port mirroring to send copies of packets entering or exiting an interface, or entering a VLAN, to an analyzer interface or VLAN. You can analyze the mirrored traffic using a protocol analyzer application installed on a system connected to the local destination interface (or running on a remote monitoring station if you are sending mirrored traffic to an analyzer VLAN).
This example describes how to configure an EX-series switch to mirror traffic entering interfaces connected to employee computers to an analyzer output interface on the same switch.
This example describes how to configure local port mirroring:

Requirements on page 1127

Overview and Topology on page 1128

Mirroring All Employee Traffic for Local Analysis on page 1128

Mirroring Employee-to-Web Traffic for Local Analysis on page 1130

Verification on page 1132

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX-series switches

One EX 3200 or EX 4200 switch

Before you configure port mirroring, be sure you have an understanding of port
mirroring concepts.


Overview and Topology


This topic includes two related examples that describe how to mirror traffic entering
ports on the switch to a destination interface on the same switch. The first example
shows how to mirror all traffic entering the ports connected to employee computers.
The second example shows the same scenario, but includes a filter to mirror only
the employee traffic going to the Web.

Network Topology
In this example, ge-0/0/0 and ge-0/0/1 serve as connections for employee computers.
In this example, one interface, ge-0/0/10, is reserved for analysis of mirrored traffic.
Connect a PC running a protocol analyzer application to the analyzer output interface
to analyze the mirrored traffic.

NOTE: Multiple ports mirrored to one interface can cause buffer overflow and dropped
packets.
Figure 53 on page 1128 shows the network topology for this example.
Figure 53: Network Topology for Local Port Mirroring Example

Mirroring All Employee Traffic for Local Analysis


To configure port mirroring for all employee traffic for local analysis, perform these tasks:

CLI Quick Configuration

To quickly configure local port mirroring for ingress traffic to the two ports connected to employee computers, copy the following commands and paste them into the switch terminal window:
[edit ethernet-switching-options]
set analyzer employee-monitor input ingress interface ge-0/0/0.0
set analyzer employee-monitor input ingress interface ge-0/0/1.0
set analyzer employee-monitor output interface ge-0/0/10.0

J-Web Quick Configuration

To configure the employee-monitor analyzer with the J-Web interface:

1. From the Configure menu, select Security > Port Mirroring.

2. Click Add.

3. Enter employee-monitor in the Analyzer Name field.

4. In the Analyzer Port field, click Select to select ge-0/0/10 as the output interface.

5. Click Add to select the ingress interfaces. Select ge-0/0/0 and click OK.

6. Click Add to select the ingress interfaces. Select ge-0/0/1 and click OK.

7. Click OK to save the configuration.

Step-by-Step Procedure

To configure an analyzer called employee-monitor and specify the input (source) interfaces and the analyzer output interface:

1. Configure each interface connected to employee computers as an input interface for the port-mirror analyzer that we are calling employee-monitor:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0

2. Configure the output analyzer interface for the employee-monitor analyzer. This will be the destination interface for the mirrored packets:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor output interface ge-0/0/10.0

3. Commit the configuration:
[edit]
user@switch# commit

Results

Check the results of the configuration:

[edit]
user@switch# show
ethernet-switching-options {
    analyzer employee-monitor {
        input {
            ingress {
                interface ge-0/0/0.0;
                interface ge-0/0/1.0;
            }
        }
        output {
            interface {
                ge-0/0/10.0;
            }
        }
    }
}

Mirroring Employee-to-Web Traffic for Local Analysis

To configure port mirroring for employee-to-Web traffic, perform these tasks:

CLI Quick Configuration

To quickly configure local port mirroring of traffic from the two ports connected to employee computers, filtering so that only traffic to the external Web is mirrored, copy the following commands and paste them into the switch terminal window:
[edit]
set ethernet-switching-options analyzer employee-web-monitor output interface ge-0/0/10.0
set firewall family ethernet-switching filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term employee-to-corp then accept
set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80
set firewall family ethernet-switching filter watch-employee term employee-to-web then analyzer employee-web-monitor
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee

Step-by-Step Procedure

To configure local port mirroring of employee-to-Web traffic from the two ports connected to employee computers:

1. Configure the local analyzer interface:
[edit interfaces]
user@switch# set ge-0/0/10 unit 0 family ethernet-switching

2. Configure the employee-web-monitor analyzer output (the input to the analyzer comes from the action of the filter):
[edit ethernet-switching-options]
user@switch# set analyzer employee-web-monitor output interface ge-0/0/10.0

3. Configure a firewall filter called watch-employee to send mirrored copies of employee requests to the Web to the employee-web-monitor analyzer. Accept all traffic to and from the corporate subnet (destination or source address of 192.0.2.16/28). Send mirrored copies of all packets destined for the Internet (destination port 80) to the employee-web-monitor analyzer.
[edit firewall family ethernet-switching]
user@switch# set filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp then accept
user@switch# set filter watch-employee term employee-to-web from destination-port 80
user@switch# set filter watch-employee term employee-to-web then analyzer employee-web-monitor

4. Apply the watch-employee filter to the appropriate ports:
[edit interfaces]
user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee

5. Commit the configuration:
[edit]
user@switch# commit

Results

Check the results of the configuration:

[edit]
user@switch# show
ethernet-switching-options {
    analyzer employee-web-monitor {
        output {
            interface ge-0/0/10.0;
        }
    }
}
...
firewall {
    family ethernet-switching {
        filter watch-employee {
            term employee-to-corp {
                from {
                    destination-address 192.0.2.16/28;
                    source-address 192.0.2.16/28;
                }
                then accept;
            }
            term employee-to-web {
                from {
                    destination-port 80;
                }
                then analyzer employee-web-monitor;
            }
        }
    }
}
...
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ employee-vlan voice-vlan ];
                }
                filter {
                    input watch-employee;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ employee-vlan voice-vlan ];
                }
                filter {
                    input watch-employee;
                }
            }
        }
    }
}
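The watch-employee filter above is evaluated term by term, the first matching term decides, and a packet that matches no term is dropped by the implicit discard at the end of every JUNOS firewall filter. With only the two terms shown, employee traffic that is neither corporate nor destined to port 80 is therefore discarded, not merely left unmirrored, which is worth confirming before the filter goes on a production port. The Python below is an added example, not part of the guide or of Juniper's software: it models the filter as data, evaluates constructed packets against it (match conditions inside one term's from clause are ANDed, as they are in JUNOS), shows the effect of appending an explicit catch-all accept term, and renders the set commands for the filter. The packet addresses and the term name allow-rest are constructed for the example.

```python
import ipaddress

# The watch-employee filter from the example above, as data. Terms are evaluated in
# order; every condition inside one term's "from" must match; the first match decides.
WATCH_EMPLOYEE = [
    {"name": "employee-to-corp",
     "from": {"destination-address": "192.0.2.16/28", "source-address": "192.0.2.16/28"},
     "then": {"accept": True}},
    {"name": "employee-to-web",
     "from": {"destination-port": 80},
     "then": {"analyzer": "employee-web-monitor"}},
]


def _term_matches(term, pkt):
    """True when every match condition of the term holds for the packet."""
    for cond, want in term["from"].items():
        if cond == "destination-address":
            if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(want):
                return False
        elif cond == "source-address":
            if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(want):
                return False
        elif cond == "destination-port":
            if pkt.get("dport") != want:
                return False
        else:
            raise ValueError(f"unsupported match condition {cond}")
    return True


def evaluate(terms, pkt):
    """Return (verdict, analyzer): 'accept' or 'discard', plus the analyzer that receives
    a copy, or None. A term whose only action is the analyzer modifier accepts the
    packet; a packet matching no term hits the implicit discard that ends every
    JUNOS firewall filter."""
    for term in terms:
        if _term_matches(term, pkt):
            then = term["then"]
            verdict = "discard" if then.get("discard") else "accept"
            return verdict, then.get("analyzer")
    return "discard", None


def with_final_accept(terms, name="allow-rest"):
    """The same filter with an explicit catch-all accept term appended (name constructed)."""
    return terms + [{"name": name, "from": {}, "then": {"accept": True}}]


def render_set_commands(filter_name, terms):
    """Emit the set lines for the filter under [edit firewall family ethernet-switching]."""
    base = f"set filter {filter_name} term"
    cmds = []
    for term in terms:
        for cond, want in term["from"].items():
            cmds.append(f"{base} {term['name']} from {cond} {want}")
        then = term["then"]
        if then.get("analyzer"):
            cmds.append(f"{base} {term['name']} then analyzer {then['analyzer']}")
        if then.get("discard"):
            cmds.append(f"{base} {term['name']} then discard")
        elif then.get("accept"):
            cmds.append(f"{base} {term['name']} then accept")
    return cmds


# Constructed packets (not from the guide): corporate to corporate, an employee host
# to a web server, and an employee host to a non-web Internet service.
CORP = {"src": "192.0.2.17", "dst": "192.0.2.20", "dport": 443}
WEB = {"src": "192.0.2.40", "dst": "198.51.100.7", "dport": 80}
OTHER = {"src": "192.0.2.40", "dst": "203.0.113.9", "dport": 443}

if __name__ == "__main__":
    for label, pkt in (("corp", CORP), ("web", WEB), ("other", OTHER)):
        print(label, evaluate(WATCH_EMPLOYEE, pkt), evaluate(with_final_accept(WATCH_EMPLOYEE), pkt))
    print("\n".join(render_set_commands("watch-employee", WATCH_EMPLOYEE)))
```

Whether the trailing accept term belongs in the filter is a policy decision; the point of the evaluator is to make the default visible before commit rather than discover it from a user whose non-web traffic stopped.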

Verification
To confirm that the configuration is correct, perform these tasks:

Verifying That the Analyzer Has Been Correctly Created on page 1132

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer named employee-monitor or employee-web-monitor has been created on the switch with the appropriate input interfaces, and appropriate output interface.

Action

You can verify the port mirror analyzer is configured as expected using the show analyzer command.

user@switch> show analyzer
Analyzer name                        : employee-monitor
Analyzer mirror ratio                : 1
Analyzer loss priority               : Low
Analyzer ingress monitored interfaces: ge-0/0/0.0
                                       ge-0/0/1.0
Analyzer egress monitored interfaces : None
Analyzer monitor interface           : ge-0/0/10.0
Analyzer monitor VLAN                : None

Meaning

This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring every packet, the default setting), a loss priority of low (set this option to high only when the analyzer output is to a VLAN), is mirroring the traffic entering the ge-0/0/0 and ge-0/0/1 interfaces, and sending the mirrored traffic to the ge-0/0/10 interface.

Related Topics

Port Mirroring on EX-series Switches Overview on page 1123

Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 1143

Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1139

Example: Configuring Port Mirroring for Remote Monitoring of Employee


Resource Use on EX-series Switches on page 1133

analyzer Configuration Statement

show analyzer on page 1160 command

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches

EX-series switches allow you to configure port mirroring to send copies of packets
entering or exiting an interface, or entering a VLAN, to an analyzer interface or a
VLAN. You can analyze the mirrored traffic using a protocol analyzer application
running on a remote monitoring station if you are sending mirrored traffic to an
analyzer VLAN.
This topic includes two related examples that describe how to mirror traffic entering
ports on the switch to the remote-analyzer VLAN so that you can perform analysis
from a remote monitoring station. The first example shows how to mirror all traffic
entering the ports connected to employee computers. The second example shows
the same scenario, but includes a filter to mirror only the employee traffic going to
the Web.
This example describes how to configure remote port mirroring:

Requirements on page 1133

Overview and Topology on page 1133

Mirroring All Employee Traffic for Remote Analysis on page 1134

Mirroring Employee-to-Web Traffic for Remote Analysis on page 1136

Verification on page 1138

Requirements
This example uses the following hardware and software components:

JUNOS Release 9.0 or later for EX-series switches

One EX 3200 or EX 4200 switch connected to a distribution layer switch

One uplink module to connect to the distribution layer switch

Before you configure port mirroring, be sure you have an understanding of port
mirroring concepts.

Overview and Topology


This topic includes two related examples that describe how to configure port mirroring
to the remote-analyzer VLAN so that analysis can be performed from a remote
monitoring station. The first example shows how to configure an EX-series switch
to mirror all traffic from employee computers. The second example shows the same
scenario, but the setup includes a filter to mirror only the employee traffic going to
the Web.


Figure 54: Remote Port Mirroring Example Network Topology

In this example:

Ports ge-0/0/0 and ge-0/0/1 serve as connections for employee computers.

Interface ge-0/1/1 is a Layer 2 interface on the uplink module that connects to a distribution switch.

VLAN remote-analyzer is configured on all switches in the topology to carry the mirrored traffic.

NOTE: The interface connected to the remote monitoring station must be a member
of VLAN remote-analyzer, and this VLAN must be configured on all switches between
the monitored switch and the monitoring station.

Mirroring All Employee Traffic for Remote Analysis

To configure port mirroring for remote traffic analysis for all employee traffic, perform these tasks:

CLI Quick Configuration

To quickly configure remote port mirroring of all traffic from the two ports connected to employee computers, copy the following commands and paste them into the terminal window:
[edit]
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/1 unit 0 family ethernet-switching vlan members 999
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/0.0
set ethernet-switching-options analyzer employee-monitor input ingress interface ge-0/0/1.0
set ethernet-switching-options analyzer employee-monitor loss-priority high
set ethernet-switching-options analyzer employee-monitor output vlan remote-analyzer

Step-by-Step Procedure

To configure basic remote port mirroring:

1. Configure the VLAN tag IDs for the remote-analyzer VLAN:
[edit vlans]
user@switch# set remote-analyzer vlan-id 999

2. Configure the interface on the uplink module connected to the distribution switch for trunk mode and associate it with the remote-analyzer VLAN:
[edit interfaces]
user@switch# set ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
user@switch# set ge-0/1/1 unit 0 family ethernet-switching vlan members 999

3. Configure the employee-monitor analyzer:
[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor loss-priority high
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0
user@switch# set analyzer employee-monitor output vlan remote-analyzer

4. Commit the configuration:
[edit]
user@switch# commit

Results

Check the results of the configuration:

[edit ethernet-switching-options]
user@switch# show
analyzer employee-monitor {
    loss-priority high;
    input {
        ingress {
            interface ge-0/0/0.0;
            interface ge-0/0/1.0;
        }
    }
    output {
        vlan {
            remote-analyzer;
        }
    }
}

Mirroring Employee-to-Web Traffic for Remote Analysis


To configure port mirroring for remote traffic analysis of employee-to-web traffic, perform these tasks:

CLI Quick Configuration

To quickly configure port mirroring of employee traffic to the external Web, copy the following commands and paste them into the terminal window:

[edit]
set ethernet-switching-options analyzer employee-web-monitor loss-priority high output vlan 999
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/1 unit 0 family ethernet-switching vlan members 999
set firewall family ethernet-switching filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
set firewall family ethernet-switching filter watch-employee term employee-to-corp then accept
set firewall family ethernet-switching filter watch-employee term employee-to-web from destination-port 80
set firewall family ethernet-switching filter watch-employee term employee-to-web then analyzer employee-web-monitor
set interfaces ge-0/1/1 unit 0 family ethernet-switching filter input watch-employee

Step-by-Step Procedure

To configure port mirroring of all traffic from the two ports connected to employee computers to the remote-analyzer VLAN for use from a remote monitoring station:

1. Configure the employee-web-monitor analyzer:

[edit ethernet-switching-options]
user@switch# set analyzer employee-web-monitor loss-priority high output vlan 999

2. Configure the VLAN tag ID for the remote-analyzer VLAN:

[edit vlans]
user@switch# set remote-analyzer vlan-id 999

3. Configure the interface to associate it with the remote-analyzer VLAN:

[edit interfaces]
user@switch# set ge-0/1/1 unit 0 family ethernet-switching vlan members 999

4. Configure the firewall filter called watch-employee:

[edit firewall family ethernet-switching]
user@switch# set filter watch-employee term employee-to-corp from destination-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp from source-address 192.0.2.16/28
user@switch# set filter watch-employee term employee-to-corp then accept
user@switch# set filter watch-employee term employee-to-web from destination-port 80
user@switch# set filter watch-employee term employee-to-web then analyzer employee-web-monitor

5. Apply the firewall filter to the employee ports:

[edit interfaces]
user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input watch-employee
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input watch-employee

6. commit

Results

Check the results of the configuration:


[edit]
user@switch# show
interfaces {
    ...
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members remote-analyzer;
                }
                filter {
                    input watch-employee;
                }
            }
        }
    }
    ...
}
firewall {
    family ethernet-switching {
        ...
        filter watch-employee {
            term employee-to-corp {
                from {
                    source-address {
                        192.0.2.16/28;
                    }
                    destination-address {
                        192.0.2.16/28;
                    }
                }
                then accept;
            }
            term employee-to-web {
                from {
                    destination-port 80;
                }
                then analyzer employee-web-monitor;
            }
        }
    }
}
ethernet-switching-options {
    analyzer employee-web-monitor {
        loss-priority high;
        output {
            vlan {
                999;
            }
        }
    }
}

Verification
To confirm that the configuration is working properly, perform these tasks:

Verifying That the Analyzer Has Been Correctly Created on page 1138

Verifying That the Analyzer Has Been Correctly Created

Purpose

Verify that the analyzer named employee-monitor or employee-web-monitor has been created on the switch with the appropriate input interfaces and the appropriate output interface.

Action

You can verify that the port mirror analyzer is configured as expected using the show analyzer command. To view previously created analyzers that are disabled, go to the J-Web interface.
user@switch> show analyzer
Analyzer name                        : employee-monitor
Analyzer mirror ratio                : 1
Analyzer loss priority               : High
Analyzer ingress monitored interfaces: ge-0/0/0.0
                                       ge-0/0/1.0
Analyzer egress monitored interfaces : None
Analyzer monitor interface           : None
Analyzer monitor VLAN                : remote-analyzer

Meaning

This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring every packet, the default), a loss priority of high (set this option to high whenever the analyzer output is to a VLAN), is mirroring the traffic entering ge-0/0/0 and ge-0/0/1, and is sending the mirrored traffic to the VLAN called remote-analyzer.

Related Topics

Port Mirroring on EX-series Switches Overview on page 1123

Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 1143

Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1139

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1127

analyzer Configuration Statement

show analyzer on page 1160 command
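The verification step above can be scripted. The following Python is an added example, not code from the JUNOS guide: it parses show analyzer output in the layout shown above into fields and flags settings that would leave the remote monitoring station blind or starved of packets (a VLAN output whose loss priority is not high, sampling enabled, or an expected ingress interface missing). The sample output is constructed from the listing above, and the function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the employee-monitor analyzer as shown in the Verification
# section, with the second ingress interface wrapped onto its own line.
SAMPLE_OUTPUT = """\
Analyzer name                        : employee-monitor
Analyzer mirror ratio                : 1
Analyzer loss priority               : High
Analyzer ingress monitored interfaces: ge-0/0/0.0
                                       ge-0/0/1.0
Analyzer egress monitored interfaces : None
Analyzer monitor interface           : None
Analyzer monitor VLAN                : remote-analyzer
"""

# "Analyzer <field> : <value>"; the field name stops before the padding and colon.
FIELD_RE = re.compile(r"^Analyzer (?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")


def parse_show_analyzer(text: str) -> Dict[str, List[str]]:
    """Return {field: [values]}. 'None' and empty values become []; indented
    continuation lines extend the previous field (lists of interfaces)."""
    fields: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = FIELD_RE.match(raw)
        if m:
            current = m.group("key").strip()
            value = m.group("value").strip()
            fields[current] = [] if value in ("", "None") else [value]
        elif current is not None and raw.startswith(" "):
            fields[current].append(raw.strip())
    return fields


def check_analyzer(fields: Dict[str, List[str]], expected_ingress: List[str]) -> List[str]:
    """Findings about the analyzer that would reduce or silently drop the mirror feed."""
    findings = []
    ratio = int((fields.get("mirror ratio") or ["1"])[0])
    loss = (fields.get("loss priority") or ["low"])[0].lower()
    out_vlan = fields.get("monitor VLAN", [])
    out_if = fields.get("monitor interface", [])
    if not out_vlan and not out_if:
        findings.append("analyzer has no output interface or VLAN")
    # Mirrored copies are dropped before regular traffic under congestion unless
    # loss priority is high; the guide requires high whenever the output is a VLAN.
    if out_vlan and loss != "high":
        findings.append("output is a VLAN but loss priority is not high")
    if ratio != 1:
        findings.append(f"only 1 in {ratio} packets is mirrored (sampling enabled)")
    seen = set(fields.get("ingress monitored interfaces", []))
    missing = sorted(set(expected_ingress) - seen)
    if missing:
        findings.append("expected ingress interfaces not mirrored: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    parsed = parse_show_analyzer(SAMPLE_OUTPUT)
    print(parsed)
    print(check_analyzer(parsed, ["ge-0/0/0.0", "ge-0/0/1.0"]) or ["OK"])
```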

Chapter 70

Configuring Port Mirroring

Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1139

Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 1143

Configuring Port Mirroring to Analyze Traffic (CLI Procedure)


You configure port mirroring in order to copy packets so that you can analyze traffic
using a protocol analyzer application. You can mirror traffic entering or exiting an
interface, or entering a VLAN. You can send the mirrored packets to a local interface
to monitor traffic locally or to a VLAN to monitor traffic remotely.
Mirroring a high volume of traffic can be performance intensive for the EX-series
switch. Therefore, you should disable port mirroring when you are not using it and
select specific input interfaces in preference to using the all keyword. You can also
limit the amount of mirrored traffic by using a firewall filter or the ratio keyword to
mirror only a selection of packets.

NOTE: Only one analyzer can be enabled on an EX-series switch. To create additional
analyzers, first disable any existing analyzers using the disable analyzer analyzer-name
command or the J-Web port mirroring configuration page.

NOTE: Interfaces used as input or output for a port mirror analyzer must be configured
as family ethernet-switching.

Configuring Port Mirroring for Local Traffic Analysis on page 1140

Configuring Port Mirroring for Remote Traffic Analysis on page 1140

Filtering the Traffic Entering a Port Mirroring Analyzer on page 1141

Configuring Port Mirroring for Local Traffic Analysis


To mirror interface traffic or VLAN traffic on the switch to an interface on the switch:

1. Choose a name for the port mirroring configuration, in this case employee-monitor, and specify the input, in this case packets entering ge-0/0/0 and ge-0/0/1:

[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0

2. Optionally, you can specify a statistical sampling of the packets by setting a ratio:

[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor ratio 200

When the ratio is set to 200, 1 of every 200 packets is mirrored to the analyzer. You can use statistical sampling to reduce the volume of mirrored traffic, as a high volume of mirrored traffic can be performance intensive for the switch.

3. Configure the destination interface for the mirrored packets:

[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor output interface ge-0/0/10.0

4. commit

Configuring Port Mirroring for Remote Traffic Analysis


To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for analysis from a remote location:

1. Configure a VLAN to carry the mirrored traffic. This VLAN is called remote-analyzer and given the ID of 999 by convention in this documentation:

[edit]
user@switch# set vlans remote-analyzer vlan-id 999

2. Set the uplink module interface that is connected to the distribution switch to trunk mode and associate it with the remote-analyzer VLAN:

[edit]
user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching vlan members 999

3. Configure the analyzer:

a. Choose a name and set the loss priority to high. Loss priority should always be set to high when configuring for remote port mirroring:

[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor loss-priority high

b. Specify the traffic to be mirrored, in this example the packets entering ports ge-0/0/0 and ge-0/0/1:

[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0

c. Specify the remote-analyzer VLAN as the output for the analyzer:

[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor output vlan 999

4. Optionally, you can specify a statistical sampling of the packets by setting a ratio:

[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor ratio 200

When the ratio is set to 200, 1 out of every 200 packets is mirrored to the analyzer. You can use this to reduce the volume of mirrored traffic, as a very high volume of mirrored traffic can be performance intensive for the switch.

5. commit

Filtering the Traffic Entering a Port Mirroring Analyzer


To filter which packets are mirrored to an analyzer, create the analyzer, then use it
as the action in the firewall filter. You can use firewall filters in both local and remote
port mirroring configurations.
If the same analyzer is used in multiple filters or terms, the packets are copied to
the analyzer output port or analyzer VLAN only once.

NOTE: Port mirroring is supported for packets exiting an interface; however, firewall filters are not. Therefore, you cannot use filters where the analyzer input is the traffic exiting an interface.

To filter mirrored traffic, create an analyzer and then create a firewall filter. The filter can use any of the available match conditions and must have an action of analyzer analyzer-name. The action of the firewall filter provides the input to the analyzer.


To configure port mirroring with filters:

1. Configure the analyzer name and output:

a. For local analysis, set the output to the local interface to which you will connect the computer running the protocol analyzer application:

[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor output interface ge-0/0/10.0

b. For remote analysis, set the loss-priority to high and set the output to the remote-analyzer VLAN:

[edit ethernet-switching-options]
user@switch# set analyzer employee-monitor loss-priority high output vlan 999

2. Create a firewall filter using any of the available match conditions and specify the action as analyzer analyzer-name. This example shows a firewall filter called example-filter, with two terms:

a. Create the first term to define the traffic that should not pass through to the analyzer:

[edit firewall family ethernet-switching]
user@switch# set filter example-filter term term1 from match-condition1
user@switch# set filter example-filter term term1 from match-condition2
user@switch# set filter example-filter term term1 then accept

b. Create the second term to define the traffic that should pass through to the analyzer:

[edit firewall family ethernet-switching]
user@switch# set filter example-filter term term2 from match-condition3
user@switch# set filter example-filter term term2 then analyzer analyzer-name

3. Apply the firewall filter to the interfaces or VLAN that are input to the analyzer:

[edit]
user@switch# set interfaces interface-name unit 0 family ethernet-switching filter input example-filter
user@switch# set vlans vlan-name filter input example-filter

4. commit

Related Topics

Port Mirroring on EX-series Switches Overview on page 1123

Configuring Port Mirroring to Analyze Traffic (J-Web Procedure) on page 1143

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1127

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1133

Firewall Filters for EX-series Switches Overview on page 899

Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches on page 923

analyzer Configuration Statement

egress

ethernet-switching-options

ingress

input

interface

loss-priority

output

ratio

vlan

show analyzer on page 1160 command
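The constraints the CLI procedures above state (loss-priority high whenever the output is a VLAN, a ratio of 1 through 2047, the analyzer naming rule from the analyzer statement, and no firewall filter on egress input) can be checked before a configuration reaches a switch. The Python below is an added example, not code from the JUNOS guide: it builds the set commands for the remote and filter-based procedures from a small specification and rejects the combinations the guide rules out. The MirrorSpec and FilterTerm types and the validate and build_commands helpers are this example's own names; the sample spec reproduces the employee-to-web example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Name rule from the analyzer statement: up to 125 characters, must begin with
# a letter, then letters, digits, dashes and underscores only.
ANALYZER_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,124}$")
RATIO_MIN, RATIO_MAX = 1, 2047  # range of the ratio statement


@dataclass
class FilterTerm:
    """One term of a 'family ethernet-switching' firewall filter (example's own type)."""
    name: str
    matches: List[str]  # match conditions, e.g. "destination-port 80"
    action: str         # "accept", "discard" or "analyzer <analyzer-name>"


@dataclass
class MirrorSpec:
    """What the switch should mirror and where (example's own type)."""
    analyzer: str
    ingress: List[str] = field(default_factory=list)  # traffic entering these interfaces
    egress: List[str] = field(default_factory=list)   # traffic exiting these interfaces
    output_interface: Optional[str] = None            # local monitoring
    output_vlan: Optional[str] = None                 # remote monitoring (VLAN id or name)
    loss_priority: str = "low"
    ratio: int = 1
    filter_name: Optional[str] = None
    filter_terms: List[FilterTerm] = field(default_factory=list)
    filter_interfaces: List[str] = field(default_factory=list)


def validate(spec: MirrorSpec) -> List[str]:
    """Return the constraint violations from the guide; an empty list means OK."""
    problems = []
    if not ANALYZER_NAME_RE.match(spec.analyzer):
        problems.append("analyzer name: letter first, then [A-Za-z0-9_-], max 125 chars")
    if not RATIO_MIN <= spec.ratio <= RATIO_MAX:
        problems.append(f"ratio must be {RATIO_MIN} through {RATIO_MAX}")
    if bool(spec.output_interface) == bool(spec.output_vlan):
        problems.append("exactly one of output interface or output VLAN is required")
    # Mirrored copies are dropped before regular traffic under congestion unless
    # loss-priority is high, so the guide requires high whenever output is a VLAN.
    if spec.output_vlan and spec.loss_priority != "high":
        problems.append("loss-priority must be high when the output is a VLAN")
    # Firewall filters act on ingress traffic only; egress mirroring cannot be filtered.
    if spec.filter_name and spec.egress:
        problems.append("a firewall filter cannot be combined with egress analyzer input")
    if spec.filter_name:
        if not any(t.action == f"analyzer {spec.analyzer}" for t in spec.filter_terms):
            problems.append("filter has no term whose action is 'analyzer <analyzer-name>'")
    elif not (spec.ingress or spec.egress):
        problems.append("no analyzer input: give ingress/egress interfaces or a filter")
    return problems


def build_commands(spec: MirrorSpec) -> List[str]:
    """Render the spec as JUNOS 'set' commands; raises ValueError on a bad spec."""
    problems = validate(spec)
    if problems:
        raise ValueError("; ".join(problems))
    an = f"set ethernet-switching-options analyzer {spec.analyzer}"
    cmds = [f"{an} loss-priority {spec.loss_priority}"]
    if spec.ratio != 1:  # 1 is the default, so only a sampling ratio needs a command
        cmds.append(f"{an} ratio {spec.ratio}")
    cmds += [f"{an} input ingress interface {i}" for i in spec.ingress]
    cmds += [f"{an} input egress interface {i}" for i in spec.egress]
    if spec.output_vlan:
        cmds.append(f"{an} output vlan {spec.output_vlan}")
    else:
        cmds.append(f"{an} output interface {spec.output_interface}")
    if spec.filter_name:
        fl = f"set firewall family ethernet-switching filter {spec.filter_name}"
        for term in spec.filter_terms:
            cmds += [f"{fl} term {term.name} from {m}" for m in term.matches]
            cmds.append(f"{fl} term {term.name} then {term.action}")
        cmds += [f"set interfaces {i} unit 0 family ethernet-switching filter input {spec.filter_name}"
                 for i in spec.filter_interfaces]
    return cmds


# Constructed sample: the guide's employee-to-web example expressed as a spec.
EMPLOYEE_WEB = MirrorSpec(
    analyzer="employee-web-monitor",
    output_vlan="999",
    loss_priority="high",
    filter_name="watch-employee",
    filter_terms=[
        FilterTerm("employee-to-corp",
                   ["source-address 192.0.2.16/28", "destination-address 192.0.2.16/28"],
                   "accept"),
        FilterTerm("employee-to-web", ["destination-port 80"], "analyzer employee-web-monitor"),
    ],
    filter_interfaces=["ge-0/0/0", "ge-0/0/1"],
)

if __name__ == "__main__":
    print("\n".join(build_commands(EMPLOYEE_WEB)))
```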

Configuring Port Mirroring to Analyze Traffic (J-Web Procedure)


To configure port mirroring using the J-Web interface:

1. From the Configure menu, select Security > Port Mirroring.

The first part of the screen displays analyzer details such as the name, status, analyzer port, ratio, and loss priority. The second part of the screen lists ingress and egress ports of the selected analyzer.

2. Click one:

Add: Add an analyzer. Enter information as specified in Table 171 on page 1144.

Edit: Modify details of the selected analyzer. Enter information as specified in Table 171 on page 1144.

Delete: Deletes the selected analyzer.

Enable/Disable: Enable or disable the selected analyzer (toggle).

NOTE: Only one analyzer can be enabled at a time. You can have multiple disabled analyzer configurations. When an analyzer is deleted or disabled, any filter association is removed.

Table 171: Port Mirroring Configuration Settings

Field: Analyzer Name
Function: Specifies the name of the analyzer.
Your Action: Type a name for the analyzer.

Field: Ratio
Function: Specifies the ratio of packets to be mirrored. For example, a ratio of 1 sends copies of all packets; a ratio of 2047 sends copies of 1 out of every 2047 packets.
Your Action: Enter a number from 0 through 2047.

Field: Loss Priority
Function: Specifies the loss priority of the mirrored packets. By default, the switch applies a lower priority to mirrored data than to regular port-to-port data; mirrored traffic is dropped in preference for regular traffic when capacity is exceeded. For port mirroring configurations with output to an analyzer VLAN, set the loss priority to high.
Your Action: Keep the default of low, unless the output is to a VLAN.

Field: Analyzer Port
Function: Specifies a local interface or VLAN to which mirrored packets are sent. NOTE: A VLAN must have only one associated interface to be specified as an analyzer interface.
Your Action: Click Select. In the Select Analyzer Port/VLAN window, select either port or VLAN as the Analyzer Type. Next, select the required port or VLAN.

Field: Ingress
Function: Specifies interfaces or VLANs for which entering traffic is mirrored.
Your Action: Click Add and select Port or VLAN. Next, select the interfaces or VLANs. Click Remove to delete an ingress interface or VLAN.

Field: Egress
Function: Specifies interfaces for which traffic exiting the interfaces is mirrored.
Your Action: Click Add to add egress interfaces. Click Remove to delete an egress interface.

Related Topics

Port Mirroring on EX-series Switches Overview on page 1123

Configuring Port Mirroring to Analyze Traffic (CLI Procedure) on page 1139

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1127

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1133

analyzer Configuration Statement

show analyzer on page 1160 command


Chapter 71

Configuration Statements for Port Mirroring

[edit ethernet-switching-options] Configuration Statement Hierarchy on page 1147

[edit ethernet-switching-options] Configuration Statement Hierarchy


ethernet-switching-options {
    analyzer {
        name {
            loss-priority priority;
            ratio number;
            input {
                ingress {
                    interface (all | interface-name);
                    vlan (vlan-id | vlan-name);
                }
                egress {
                    interface (all | interface-name);
                }
            }
            output {
                interface interface-name;
                vlan (vlan-id | vlan-name);
            }
        }
    }
    bpdu-block {
        interface (all | [interface-name]);
        disable-timeout timeout;
    }
    redundant-trunk-group {
        group-name name {
            interface interface-name <primary>;
        }
    }
    secure-access-port {
        interface (all | interface-name) {
            allowed-mac {
                mac-address-list;
            }
            (dhcp-trusted | no-dhcp-trusted);
            mac-limit limit action action;
            static-ip ip-address {
                vlan vlan-name;
                mac mac-address;
            }
        }
        vlan (all | vlan-name) {
            (arp-inspection | no-arp-inspection);
            (examine-dhcp | no-examine-dhcp);
            (ip-source-guard | no-ip-source-guard);
            mac-move-limit limit action action;
        }
    }
    storm-control {
        interface (all | interface-name) {
            level level;
            no-broadcast;
            no-unknown-unicast;
        }
    }
    traceoptions {
        file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
        flag flag <disable>;
    }
    voip {
        interface (all | [interface-name | access-ports]) {
            vlan vlan-name;
            forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
        }
    }
}
Related Topics

Port Mirroring on EX-series Switches Overview on page 1123

Port Security for EX-series Switches Overview on page 654

Understanding 802.1X and VoIP on EX-series Switches on page 652

Understanding Redundant Trunk Links on EX-series Switches on page 365

Understanding Storm Control on EX-series Switches on page 367

analyzer

Syntax

analyzer {
    name {
        ratio number;
        loss-priority priority;
        input {
            ingress {
                interface (all | interface-name);
                vlan (vlan-id | vlan-name);
            }
            egress {
                interface (all | interface-name);
            }
        }
        output {
            interface interface-name;
            vlan (vlan-id | vlan-name);
        }
    }
}

Hierarchy Level

[edit ethernet-switching-options]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure port mirroring. One analyzer (port mirroring configuration) can be enabled on the switch at a time; other analyzers can be present and disabled.

Default

Port mirroring is disabled and JUNOS software creates no default analyzers.

Options

name: Name that identifies the analyzer. The name can be up to 125 characters long, must begin with a letter, and can include uppercase letters, lowercase letters, numbers, dashes, and underscores. No other special characters are allowed.

The remaining statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1127

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1133

Port Mirroring on EX-series Switches Overview on page 1123


egress

Syntax

egress {
    interface (all | interface-name);
}

Hierarchy Level

[edit ethernet-switching-options analyzer name input]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Specify ports for which traffic exiting the interface is mirrored in a port mirroring configuration. The statement is explained separately.

Default

No default.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Port Mirroring on EX-series Switches Overview on page 1123

ethernet-switching-options

Syntax

ethernet-switching-options {
    analyzer {
        name {
            loss-priority priority;
            ratio number;
            input {
                ingress {
                    interface (all | interface-name);
                    vlan (vlan-id | vlan-name);
                }
                egress {
                    interface (all | interface-name);
                }
            }
            output {
                interface interface-name;
                vlan (vlan-id | vlan-name);
            }
        }
    }
    bpdu-block {
        interface (all | [interface-name]);
        disable-timeout timeout;
    }
    redundant-trunk-group {
        group-name name {
            interface interface-name <primary>;
            interface interface-name;
        }
    }
    secure-access-port {
        interface (all | interface-name) {
            allowed-mac {
                mac-address-list;
            }
            (dhcp-trusted | no-dhcp-trusted);
            mac-limit limit action action;
            static-ip ip-address {
                vlan vlan-name;
                mac mac-address;
            }
        }
        vlan (all | vlan-name) {
            (arp-inspection | no-arp-inspection);
            (examine-dhcp | no-examine-dhcp);
            (ip-source-guard | no-ip-source-guard);
            mac-move-limit limit action action;
        }
    }
    storm-control {
        interface (all | interface-name) {
            level level;
            no-broadcast;
            no-unknown-unicast;
        }
    }
    traceoptions {
        file filename <files number> <no-stamp> <replace> <size size> <world-readable | no-world-readable>;
        flag flag <disable>;
    }
    voip {
        interface (all | [interface-name | access-ports]) {
            vlan vlan-name;
            forwarding-class <assured-forwarding | best-effort | expedited-forwarding | network-control>;
        }
    }
}

Hierarchy Level

[edit]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches. Support for storm control and BPDU protection added in JUNOS Release 9.1.

Description

Configure Ethernet switching options. The statements are explained separately.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Understanding BPDU Protection for STP, RSTP, and MSTP on EX-series Switches on page 422

Port Mirroring on EX-series Switches Overview on page 1123

Port Security for EX-series Switches Overview on page 654

Understanding Redundant Trunk Links on EX-series Switches on page 365

Understanding Storm Control on EX-series Switches on page 367

Understanding 802.1X and VoIP on EX-series Switches on page 652

ingress

Syntax

ingress {
    interface (all | interface-name);
    vlan (vlan-id | vlan-name);
}

Hierarchy Level

[edit ethernet-switching-options analyzer name input]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure ports or VLANs for which the entering traffic is mirrored as part of a port mirroring configuration. The statements are explained separately.

Default

No default.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1127

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1133

Port Mirroring on EX-series Switches Overview on page 1123

input

Syntax

input {
    ingress {
        interface (all | interface-name);
        vlan (vlan-id | vlan-name);
    }
    egress {
        interface (all | interface-name);
    }
}

Hierarchy Level

[edit ethernet-switching-options analyzer name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

The definition of the traffic to be mirrored in a port mirroring configuration; this can be a combination of traffic entering or exiting specific ports and traffic entering a VLAN. The statements are explained separately.

Default

No default.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1127

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1133

Port Mirroring on EX-series Switches Overview on page 1123

interface

Syntax

interface (all | interface-name);

Hierarchy Level

[edit ethernet-switching-options analyzer name input egress],
[edit ethernet-switching-options analyzer name input ingress],
[edit ethernet-switching-options analyzer name output]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure the interfaces for which traffic is mirrored.

Options

all: Apply port mirroring to all interfaces on the switch. Mirroring a high volume of traffic can be performance intensive for the switch. Therefore, you should generally select specific input interfaces in preference to using the all keyword, or use the all keyword in combination with setting a ratio for statistical sampling.

interface-name: Apply port mirroring to the specified interface only.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1127

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1133

Port Mirroring on EX-series Switches Overview on page 1123

loss-priority

Syntax

loss-priority priority;

Hierarchy Level

[edit ethernet-switching-options analyzer name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure a loss priority for mirrored packets. By default, the switch applies a lower priority to mirrored data than to regular port-to-port data; mirrored traffic is dropped in preference for regular traffic when capacity is exceeded. For port mirroring configurations with output to an analyzer VLAN, set the loss priority to high.

Default

Low

Options

priority: The value for priority can be low or high.
Default: low

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Port Mirroring on EX-series Switches Overview on page 1123

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1133

output

Syntax

output {
    interface interface-name;
    vlan (vlan-id | vlan-name);
}

Hierarchy Level

[edit ethernet-switching-options analyzer name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure the destination for mirrored traffic: either an interface on the switch, for local monitoring, or a VLAN, for remote monitoring. The statements are explained separately.

Default

No default.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches on page 1127

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1133

Port Mirroring on EX-series Switches Overview on page 1123

ratio

Syntax

ratio number;

Hierarchy Level

[edit ethernet-switching-options analyzer name]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure port mirroring to copy a sampling of packets by setting a ratio of 1:x. A ratio of 1 mirrors all packets, and 2047 mirrors 1 out of every 2047 packets.

Default

1

Options

number: The number of packets in the sample, out of which 1 packet is mirrored.
Range: 1 through 2047
Default: 1

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Port Mirroring on EX-series Switches Overview on page 1123

vlan

Syntax

vlan (vlan-id | vlan-name);

Hierarchy Level

[edit ethernet-switching-options analyzer name input ingress],
[edit ethernet-switching-options analyzer name output]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure mirrored traffic to be sent to a VLAN for remote monitoring.

Options

vlan-id: Numeric VLAN identifier.
vlan-name: Name of the VLAN.

Required Privilege Level

routing: To view this statement in the configuration.
routing-control: To add this statement to the configuration.

Related Topics

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches on page 1133

Port Mirroring on EX-series Switches Overview on page 1123

Chapter 72

Operational Mode Commands for Port Mirroring

show analyzer

Syntax

show analyzer analyzer-name

Release Information

Command introduced in JUNOS Release 9.0 for EX-series switches.

Description

Display information about analyzers configured for port mirroring.

Options

analyzer-name: (Optional) Displays the status of a specific analyzer on the switch.

Required Privilege Level

view

List of Sample Output

show analyzer on page 1160

Output Fields

Table 42 on page 1160 lists the output fields for the show analyzer command. Output
fields are listed in the approximate order in which they appear.

Table 172: show analyzer Output Fields

Field Name: Field Description

name: Displays the name of the analyzer.

mirror ratio: Displays the ratio of packets to be mirrored, between 1 and 2047, where 1
sends copies of all packets and 2047 sends copies of 1 out of every 2047 packets.

loss priority: Displays the loss priority of the mirrored packets. By default, the switch
applies a lower priority to mirrored data than to regular port-to-port data; mirrored
traffic is dropped in preference to regular traffic when capacity is exceeded. For port
mirroring configurations with output to an analyzer VLAN, set the loss priority to high.

ingress monitored interfaces: Displays interfaces for which traffic entering the interfaces is mirrored.

egress monitored interfaces: Displays interfaces for which traffic exiting the interfaces is mirrored.

ingress monitored VLANs: Displays VLANs for which traffic entering the VLAN is mirrored.

monitor interface: Specifies a local interface to which mirrored packets are sent.

monitor VLAN: Specifies a VLAN to which mirrored packets are sent.

Sample Output

show analyzer

user@host> show analyzer
Analyzer name                        : employee-monitor
Analyzer mirror ratio                : 1
Analyzer loss priority               : High
Analyzer ingress monitored interfaces: ge-0/0/1.0
                                       ge-0/0/0.0
Analyzer egress monitored interfaces : None
Analyzer monitor interface           : None
Analyzer monitor VLAN                : remote-analyzer
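As an added example that is not part of the JUNOS guide, the following Python parses show analyzer output into the fields listed in the table above and audits each analyzer against the guidance given there: the mirror ratio must lie within 1 through 2047, the loss priority should be High when output goes to an analyzer VLAN, and, as a defender's check, any analyzer absent from an operator-maintained approved list is flagged. The sample output and the approved list are constructed; the field names and values follow the guide's example.

```python
import re

# Constructed sample output, laid out like the guide's show analyzer example:
# one analyzer, two ingress interfaces, output to the remote-analyzer VLAN.
SAMPLE_OUTPUT = """\
user@host> show analyzer
Analyzer name                        : employee-monitor
Analyzer mirror ratio                : 1
Analyzer loss priority               : High
Analyzer ingress monitored interfaces: ge-0/0/1.0
                                       ge-0/0/0.0
Analyzer egress monitored interfaces : None
Analyzer monitor interface           : None
Analyzer monitor VLAN                : remote-analyzer
"""

# Analyzers the operator has approved (constructed allowlist, an assumption).
EXPECTED_ANALYZERS = {"employee-monitor"}

# "Analyzer <field name> : <value>"; the field name may contain spaces.
FIELD_RE = re.compile(r"^Analyzer (?P<field>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")

# Fields that hold a list of interfaces or VLANs, continued on indented lines.
LIST_FIELDS = ("ingress monitored interfaces", "egress monitored interfaces",
               "ingress monitored VLANs")


def parse_show_analyzer(text):
    """Parse show analyzer output into one dict per analyzer.

    Keys are the field names from the output table ('name', 'mirror ratio',
    'loss priority', ...). List fields become lists (empty when the switch
    prints None); scalar fields become None when the switch prints None.
    """
    analyzers, current, last_list = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith(" "):
            # Continuation line: one more interface or VLAN for the list above.
            if current is None or last_list is None:
                raise ValueError("continuation line without a list field: %r" % line)
            current[last_list].append(line.strip())
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # the CLI prompt or other non-field text
        field, value = m.group("field"), m.group("value").strip()
        if field == "name":
            current = {"name": value}  # every analyzer block starts with its name
            analyzers.append(current)
            last_list = None
        elif current is None:
            raise ValueError("field before any analyzer name: %r" % line)
        elif field in LIST_FIELDS:
            current[field] = [] if value == "None" else [value]
            last_list = field
        else:
            current[field] = None if value == "None" else value
            last_list = None
    return analyzers


def audit_analyzer(analyzer, expected=EXPECTED_ANALYZERS):
    """Return findings for one analyzer; an empty list means nothing to flag."""
    findings = []
    name = analyzer["name"]
    if name not in expected:
        # Mirroring copies traffic off its normal path, so an analyzer nobody
        # approved deserves investigation rather than silent cleanup.
        findings.append("analyzer %s is not on the approved list" % name)
    try:
        ratio = int(analyzer.get("mirror ratio") or "")
    except ValueError:
        ratio = None
    if ratio is None or not 1 <= ratio <= 2047:
        findings.append("mirror ratio %r is not within 1 through 2047"
                        % (analyzer.get("mirror ratio"),))
    vlan = analyzer.get("monitor VLAN")
    priority = analyzer.get("loss priority")
    if vlan and (priority or "").lower() != "high":
        # Per the guide: with output to an analyzer VLAN, set loss priority to
        # high, otherwise the mirrored copies are dropped first under load.
        findings.append("output to VLAN %s but loss priority is %s" % (vlan, priority))
    if sum(len(analyzer.get(f, [])) for f in LIST_FIELDS) == 0:
        findings.append("no monitored interfaces or VLANs")
    if not vlan and not analyzer.get("monitor interface"):
        findings.append("no monitor interface or monitor VLAN configured")
    return findings


def audit_output(text, expected=EXPECTED_ANALYZERS):
    """Map each analyzer name to its findings for a whole show analyzer output."""
    return {a["name"]: audit_analyzer(a, expected) for a in parse_show_analyzer(text)}


if __name__ == "__main__":
    for name, findings in audit_output(SAMPLE_OUTPUT).items():
        print(name, "OK" if not findings else "; ".join(findings))
```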

Part 15

Network Management

Configuration Statements for Network Management on page 1163

Chapter 73

Configuration Statements for Network Management

[edit snmp] Configuration Statement Hierarchy on page 1163

[edit snmp] Configuration Statement Hierarchy

snmp {
    rmon {
        history index {
            bucket-size number;
            interface interface-name;
            interval seconds;
            owner owner-name;
        }
    }
}

Related Topics

Configuring SNMP (J-Web Procedure) on page 596

JUNOS Software Network Management Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html

bucket-size

Syntax

bucket-size number;

Hierarchy Level

[edit snmp rmon history]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure the sampling of Ethernet statistics for network fault diagnosis, planning,
and performance tuning.

Default

50

Options

number: Number of discrete samples of Ethernet statistics requested.

Required Privilege Level

snmp: To view this statement in the configuration.

snmp-control: To add this statement to the configuration.

Related Topics

Configuring SNMP (J-Web Procedure) on page 596

JUNOS Software Network Management Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html

history

Syntax

history history-index {
    bucket-size number;
    interface interface-name;
    interval seconds;
    owner owner-name;
}

Hierarchy Level

[edit snmp rmon]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Configure RMON history group entries. This RMON feature can be used with the
Simple Network Management Protocol (SNMP) agent in the switch to monitor all the
traffic flowing among switches on all connected LAN segments. It collects statistics
in accordance with user-configurable parameters.

The history group controls the periodic statistical sampling of data from various types
of networks. This group contains configuration entries that specify an interface,
polling period, and other parameters. The interface interface-name statement is
mandatory. Other statements in the history group are optional.

Default

Not configured.

Options

history-index: Identifies this history entry as an integer.

Range: 1 through 65535

Required Privilege Level

snmp: To view this statement in the configuration.

snmp-control: To add this statement to the configuration.

Related Topics

Configuring SNMP (J-Web Procedure) on page 596

JUNOS Software Network Management Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html

interface

Syntax

interface interface-name;

Hierarchy Level

[edit snmp rmon history history-index]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Specify the interface to be monitored in the specified RMON history entry.
Only one interface can be specified for a particular RMON history index. There is a
one-to-one relationship between the interface and the history index. The interface
must be specified in order for the RMON history to be created.

Options

interface-name: Specify the interface to be monitored within the specified entry of
the RMON history of Ethernet statistics.

Required Privilege Level

snmp: To view this statement in the configuration.

snmp-control: To add this statement to the configuration.

Related Topics

Configuring SNMP (J-Web Procedure) on page 596

JUNOS Software Network Management Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html

owner

Syntax

owner owner-name;

Hierarchy Level

[edit snmp rmon history]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

Specify the user or group responsible for this configuration.

Options

owner-name: The user or group responsible for this configuration.

Range: 0 through 32 alphanumeric characters

Required Privilege Level

snmp: To view this statement in the configuration.

snmp-control: To add this statement to the configuration.

Related Topics

Configuring SNMP (J-Web Procedure) on page 596

JUNOS Software Network Management Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html

rmon

Syntax

rmon {
    history history-index {
        interface interface-name;
        bucket-size number;
        interval seconds;
        owner owner-name;
    }
}

Hierarchy Level

[edit snmp]

Release Information

Statement introduced in JUNOS Release 9.0 for EX-series switches.

Description

RMON is an existing feature of JUNOS software.

The RMON specification provides network administrators with comprehensive
network fault diagnosis, planning, and performance tuning information. It delivers
this information in nine groups of monitoring elements, each providing specific sets
of data to meet common network monitoring requirements. Each group is optional,
so that vendors do not need to support all the groups within the MIB.

JUNOS software supports RMON Statistics, History, Alarm, and Event groups. The
EX-series documentation describes only the rmon history statement, which was added
with this release.

The statements are explained separately.

Default

Disabled.

Required Privilege Level

snmp: To view this statement in the configuration.

snmp-control: To add this statement to the configuration.

Related Topics

Configuring SNMP (J-Web Procedure) on page 596

JUNOS Software Network Management Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html
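The following Python is an added example, not code from the JUNOS guide or from Juniper, serving the history, interface, owner and rmon statement descriptions above: it checks a set of RMON history entries against the rules the guide states (interface is mandatory, history-index is 1 through 65535, owner is 0 through 32 alphanumeric characters, one interface per history index) and renders them as the snmp { rmon { history ... } } stanza in the hierarchy shown. The guide gives no range for interval or bucket-size beyond the default of 50, so the positive-integer check on those two is an assumption, as are the entry values used in the test.

```python
import re

# Limits the guide states for [edit snmp rmon history].
HISTORY_INDEX_RANGE = (1, 65535)
OWNER_RE = re.compile(r"^[A-Za-z0-9]{0,32}$")
DEFAULT_BUCKET_SIZE = 50  # applied by the switch when bucket-size is omitted


def validate_history_entry(entry):
    """Return the list of problems with one history entry dict.

    Keys: 'index' (required), 'interface' (required), and optional
    'bucket-size', 'interval', 'owner'. An empty list means the entry is
    acceptable under the rules the guide states.
    """
    problems = []
    index = entry.get("index")
    lo, hi = HISTORY_INDEX_RANGE
    if not isinstance(index, int) or not lo <= index <= hi:
        problems.append("history-index %r is not in %d through %d" % (index, lo, hi))
    if not entry.get("interface"):
        problems.append("interface is mandatory; without it the history entry is not created")
    for key in ("bucket-size", "interval"):
        # Assumption: the guide gives no range, so only reject non-positive values.
        if key in entry and (not isinstance(entry[key], int) or entry[key] < 1):
            problems.append("%s %r must be a positive integer" % (key, entry[key]))
    owner = entry.get("owner")
    if owner is not None and not OWNER_RE.match(owner):
        problems.append("owner %r is not 0 through 32 alphanumeric characters" % (owner,))
    return problems


def validate_history_entries(entries):
    """Validate entries together: each history index identifies exactly one interface."""
    problems = []
    seen = {}
    for entry in entries:
        problems.extend(validate_history_entry(entry))
        idx = entry.get("index")
        if idx in seen and seen[idx] != entry.get("interface"):
            problems.append("history-index %r is used for both %s and %s"
                            % (idx, seen[idx], entry.get("interface")))
        seen.setdefault(idx, entry.get("interface"))
    return problems


def render_rmon_history(entries, indent="    "):
    """Render validated entries as the snmp { rmon { history ... } } stanza
    in the hierarchy the guide shows. Raises ValueError on any problem."""
    problems = validate_history_entries(entries)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["snmp {", indent + "rmon {"]
    for entry in sorted(entries, key=lambda e: e["index"]):
        lines.append(indent * 2 + "history %d {" % entry["index"])
        lines.append(indent * 3 + "interface %s;" % entry["interface"])
        if "bucket-size" in entry:
            lines.append(indent * 3 + "bucket-size %d;" % entry["bucket-size"])
        if "interval" in entry:
            lines.append(indent * 3 + "interval %d;" % entry["interval"])
        if entry.get("owner"):
            lines.append(indent * 3 + "owner %s;" % entry["owner"])
        lines.append(indent * 2 + "}")
    lines += [indent + "}", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed entry: sample ge-0/0/0 every 300 seconds, owned by netops.
    print(render_rmon_history(
        [{"index": 1, "interface": "ge-0/0/0", "interval": 300, "owner": "netops"}]))
```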

Part 16

Index

Index on page 1171

Index
Symbols
802.1X settings
configuring..........................................................758
monitoring..........................................................785
802.3ad statement.....................................................312


analyzer statement..................................................1149
arp-inspection statement............................................806
AS path, displaying....................................................611
ASs (autonomous systems)
AS number .........................................................590
authentication
specifying access privileges ................................108
authentication-order statement..................................807
authentication-profile-name statement.......................809
authentication-server statement.................................810
authenticator statement.............................................808
auto-negotiation statement........................................313

A
access privileges
specifying ..........................................................108
access statement........................................................801
accounting statement.................................................802
accounting-server statement......................................803
active alarms
checking.............................................................113
active routes, displaying.............................................610
Add a RADIUS Server page
field summary....................................................109
Add a User Configuration page
field summary....................................................109
addresses
BGP local address ..............................................590
BGP peer address ...............................................590
destination, displaying........................................610
advertisement-interval statement...............................804
alarm severity
major (red) ...........................................................91
See also major alarms
minor (yellow)......................................................92
See also minor alarms
alarm statement
STP.....................................................................488
alarms
major See major alarms
minor See minor alarms
overview...............................................................91
red See major alarms
yellow See minor alarms
all-failures (tracing flag)
STP.....................................................................534
allowed-mac statement..............................................805

B
backbone area
area ID ...............................................................595
area type ............................................................595
bandwidth-limit statement.........................................971
BGP (Border Gateway Protocol)
AS number .........................................................590
See also ASs (autonomous systems), AS number
Configuration......................................................589
enabling .............................................................589
local address ......................................................590
monitoring..........................................................603
peer address ......................................................590
peer AS number..................................................590
router ID ............................................................589
statistics..............................................................603
status..................................................................604
BGP groups, displaying..............................................603
BGP neighbors
displaying...........................................................604
BGP peers See BGP neighbors
peer address ......................................................590
peer AS number .................................................590
BGP routing information............................................603
BGP sessions, status...................................................604
block statement
STP.....................................................................489
boot operations, DHCP...............................................592
bpdu (tracing flag)......................................................534
bpdu-block statement
STP.....................................................................490


bpdu-block-on-edge statement
STP.....................................................................491
bpdu-timeout-action statement
STP.....................................................................492
bridge-detection-state-machine (tracing flag)..............534
bridge-priority statement...........................................493
bucket-size statement..............................................1164
buffer-size statement...............................................1057
burst-size-limit statement...........................................971

C
ca-type statement......................................................811
ca-value statement.....................................................812
certificates See SSL certificates
chassis
alarm condition indicator....................................114
chassis software process..............................................18
chassisd process..........................................................18
checking
active alarms......................................................113
civic-based statement.................................................813
Class of Service classifiers page................................1034
field summary..................................................1034
Class of Service Cos value aliases page
field summary..................................................1030
Class of Service forwarding classes page..................1037
field summary..................................................1037
Class of Service rewrite rules page...........................1042
field summary..................................................1043
Class of Service scheduler maps page......................1038
field summary..................................................1040
Class of Service schedulers page..............................1038
field summary..................................................1039
class statement........................................................1058
class-of-service statement........................................1059
classifiers
adding and editing ...........................................1035
defining ...........................................................1034
summary .........................................................1034
classifiers statement.................................................1061
classifiers, CoS.........................................................1047
clear
snmp rmon history.............................................126
clear arp inspection statistics command....................866
clear dhcp snooping binding command.....................867
clear dot1x command................................................868
clear ethernet-switching bpdu-error command..........542
clear firewall command..............................................982
clear gvrp statistics command....................................543
clear igmp-snooping membership command.............628
clear igmp-snooping statistics command...................629
clear lldp neighbors command...................................869
clear lldp statistics command.....................................870
clear snmp rmon history command...........................126
clear spanning-tree statistics command.....................544


clear virtual-chassis vc-port statistics command.........238


CLI terminal.................................................................50
overview...............................................................50
code-point-aliases statement....................................1062
code-points statement..............................................1062
command forwarding................................................213
command-name command......................................1160
committed configuration
methods...............................................................73
summaries............................................................73
compact flash
displaying usage.................................................105
configuration
upgrading (J-Web).................................................67
uploading .............................................................77
Configuration
adding users.......................................................108
CoS classifiers page...........................................1034
CoS forwarding classes page.............................1037
CoS scheduler maps page.................................1038
CoS schedulers page.........................................1038
CoS value aliases page......................................1030
rewrite rules page.............................................1042
secure Web access................................................93
configuration database, summary................................74
configuration history
database summary...............................................74
summary..............................................................73
Configuration text
editing............................................................48, 49
viewing.................................................................47
configuration-name statement
STP.....................................................................494
Configuring
802.1X settings...................................................758
EX-series switch..............................................57, 58
firewall filters......................................................950
Link Layer Discovery Protocol.............................765
LLDP...................................................................765
management access.............................................93
PoE...................................................................1100
port mirroring...................................................1143
SNMP..................................................................596
configuring
link aggregation..................................................296
port security.......................................................769
Virtual Chassis............................................197, 199
VLANs.........................................................407, 409
congestion control
with CoS schedulers .........................................1038
CoS (class of service)
classifiers..........................1034, 1047 See classifiers
CoS value aliases See CoS value aliases
forwarding classes.....1037, 1048 See forwarding classes
interfaces..........................................................1049


loss priority.......................................................1052
packet loss priority............................................1052
rewrite rules See rewrite rules
scheduler maps See scheduler maps
schedulers See schedulers
CoS value aliases
adding .............................................................1031
summary .........................................................1030
cost statement
STP.....................................................................495
country-code statement.............................................814
CPU utilization, displaying..........................................106

D
daemons See processes, software
default gateway
defining................................................................94
default gateway, static routing...................................601
deleting
current rescue configuration (CLI configuration editor)......112
licenses (J-Web).....................................................86
description statement........................................314, 496
destination address, displaying..................................610
DHCP
monitor...............................................................605
DHCP (Dynamic Host Configuration Protocol)
Configuration......................................................590
conflicts..............................................................605
DHCP leases
configuring .........................................................591
monitoring..........................................................605
DHCP pages
field summary....................................................591
DHCP pools
configuring (Quick Configuration).......................591
monitoring..........................................................605
DHCP server
boot operations ..................................................592
Configuration......................................................590
information ........................................................591
monitoring operations........................................605
static bindings ....................................................592
subnet for configuration (Quick Configuration)..............591
dhcp-trusted statement..............................................815
diagnose
CLI terminal..........................................................50
packet capture....................................................101
diagnosing
traceroute tool....................................................103
diagnosis
DHCP conflicts....................................................605
viewing active alarms.........................................114

disable statement
802.1X................................................................816
GVRP..................................................................496
IGMP snooping....................................................617
LLDP...................................................................817
LLDP MED..........................................................817
power over Ethernet
telemetries.................................................1106
STP.....................................................................497
disable-timeout statement
STP.....................................................................498
dot1x statement.........................................................818
downloading
licenses (J-Web).....................................................87
drop profiles See CoS; RED drop profiles
drop-profile-map statement.....................................1063
dscp statement........................................................1064
duration statement...................................................1107

E
edge statement..........................................................499
Edit
configuration text.................................................49
egress statement
port mirroring...................................................1150
elin statement............................................................819
ether-options statement.............................................315
Ethernet interfaces
status information, displaying
Gigabit Ethernet...................................332, 342
Ethernet ports
alarm condition indicator....................................114
ethernet-switching-options statement......500, 820, 1151
event viewer, J-Web
overview.............................................................114
See also system log messages
events (tracing flag)
STP.....................................................................534
examine-dhcp statement............................................822

F
family statement........................................................316
firewall filters......................................................972
fast-start statement....................................................823
files
managing............................................................110
filter statement..........................................317, 502, 974
firewall filters......................................................973
Firewall filters
configuring..........................................................950
flow-control statement...............................................318
forward-delay statement............................................503


forwarding classes
adding and editing............................................1037
assigning to output queues ...............................1037
defining ...........................................................1037
summary .........................................................1037
forwarding software process........................................18
forwarding-class statement........................................824
class of service........................................1065, 1066
from statement..........................................................975
fwdd process................................................................18

G
Gigabit Ethernet interfaces
diagnostics information, displaying.....................353
status information, displaying.....................332, 342
group statement
IGMP snooping....................................................617
group-name statement...............................................504
groups
BGP, displaying...................................................603
guard-band statement..............................................1108
guest-vlan statement..................................................825
GVRP
configuration
show............................................................555
statistics
clearing........................................................543
show............................................................557
gvrp statement...........................................................505

H
halting a switching platform
with J-Web..........................................................107
halting a switching platform immediately
with J-Web .........................................................107
hardware
major (red) alarm conditions on............................91
hello-time statement..................................................506
history statement
RMON...............................................................1165
hold-multiplier statement...........................................826
hostname
pinging (J-Web)...................................................100
HTTP (Hypertext Transfer Protocol)
enabling Web access ............................................93
HTTPS (Hypertext Transfer Protocol over SSL)
enabling secure access .........................................93
Quick Configuration..............................................93
Hypertext Transfer Protocol See HTTP
Hypertext Transfer Protocol over SSL See HTTPS

I
idle time, displaying...................................................106


ieee802.1 statement..............................................1067
if-exceeding statement...............................................976
ifd process...................................................................18
IGMP snooping
group statement..................................................617
static statement..................................................617
igmp-snooping statement...........................................618
immediate-leave statement........................................619
import statement.....................................................1068
inet-precedence statement.......................................1069
ingress statement.....................................................1153
input statement........................................................1154
Install Remote page
field summary......................................................67
installation
licenses (J-Web).....................................................86
software upgrades, from a remote server.............67
software upgrades, uploading...............................68
interface
monitoring..........................................................299
interface (Storm Control) statement...................510, 532
interface software process...........................................18
interface statement............................................827, 830
802.1X................................................................831
Ethernet switching options.................................509
GVRP..................................................................508
IGMP snooping....................................................620
LLDP...................................................................829
LLDP-MED..........................................................828
port mirroring...................................................1155
power over Ethernet.........................................1109
RMON history...................................................1166
STP.............................................................507, 511
interfaces statement
class of service..................................................1070
interval statement....................................................1110
ip-source-guard statement..........................................832

J
J-Web interface
event viewer.......................................................114
join-timer statement
GVRP..................................................................512
JUNOS CLI
overview...............................................................50
JUNOS Internet software
version, displaying..............................................105
JUNOS software
overview...............................................................17
Packet Forwarding Engine....................................17
processes..............................................................18
Routing Engine.....................................................17
JUNOScript API
enabling secure access..........................................93
JUNOScript over SSL....................................................93


L
l3-interface statement........................................318, 512
LACP
configuring..........................................................296
lacp statement...........................................................319
laptop See management device
leave-timer statement
GVRP..................................................................514
leaveall-timer statement
GVRP..................................................................513
level statement...........................................................515
license keys
displaying (J-Web).................................................86
Licenses
managing........................................................84, 85
licenses
adding (J-Web)......................................................86
deleting (J-Web)....................................................86
downloading (J-Web).............................................87
link aggregation
configuring..........................................................296
Link Layer Discovery Protocol
configuring..........................................................765
link-mode statement..................................................320
LLDP
configuring..........................................................765
lldp statement............................................................833
lldp-med statement....................................................834
loading a configuration file
uploading .............................................................77
location statement.....................................................835
login classes
specifying ..........................................................108
login time, displaying.................................................106
loss priority, CoS......................................................1052
loss-priority statement.............................................1156
class of service..................................................1071

M
mac statement...........................................................836
mac-limit statement...........................................516, 837
mac-move-limit statement.........................................838
mac-persistence-timer statement...............................226
mac-table-aging-time statement.................................517
major (red) alarms
description............................................................91
Management access
configuring............................................................93
management device
connecting through the CLI.................................119
connecting to console port..................................119
management software process....................................18
management statement...........................................1111

Managing
files.....................................................................110
licenses...........................................................84, 85
managing
reboots...............................................................107
mapping, CoS forwarding classes to schedulers.......1038
mastership.................................................................204
mastership-priority statement....................................227
max-age statement....................................................518
max-hops statement..................................................519
maximum-power statement.....................................1112
maximum-requests statement...................................839
member statement....................................................228
members statement
interfaces....................................................321, 520
memory utilization, displaying...................................106
mgd process................................................................18
minor (yellow) alarms
description............................................................92
mode (STP) statement................................................521
monitoring
BGP.....................................................................603
interface.............................................................299
OSPF...................................................................607
RIP......................................................................609
routing tables......................................................610
system process information................................106
system properties...............................................105
Virtual Chassis....................................................219
Monitoring
802.1X settings...................................................785
DHCP services....................................................605
PoE...................................................................1103
port security.......................................................786
msti statement...........................................................522
MSTP
configuration
displaying....................................................568
mstp statement..........................................................523
mtu statement...........................................................322
multicast-router-interface statement
IGMP snooping....................................................620

N
native-vlan-id statement.....................................322, 524
network interfaces
enabling RIP on..................................................596
next hop
address for static routes......................................601
next hop, displaying...................................................610
no-broadcast statement..............................................525
no-management-vlan statement.................................229
no-reauthentication statement...................................839
no-root-port statement
STP.....................................................................526

Index

1175

Complete Software Guide for JUNOS for EX-series Software, Release 9.2

no-unknown-unicast statement..................................527
NSSAs (not-so-stubby areas)
area ID ...............................................................595
area type ............................................................595

O
Open Shortest Path First See OSPF
operating system See JUNOS software
order statement.........................................................840
OSPF (Open Shortest Path First)
area type ............................................................595
Configuration......................................................594
designating OSPF interfaces ...............................595
enabling .............................................................595
monitoring..........................................................606
router ID ............................................................594
statistics..............................................................608
OSPF interfaces
displaying...........................................................607
enabling..............................................................595
status..................................................................607
OSPF neighbors
displaying...........................................................607
status..................................................................607
OSPF page
field summary....................................................594
OSPF routing information..........................................606
output statement
port mirroring...................................................1157
owner statement......................................................1166

P
packet capture...........................................................101
Packet Forwarding Engine...........................................17
packet loss priority, CoS...........................................1052
passwords
for downloading software upgrades......................65
RADIUS secret....................................................109
root password, recovering..................................119
PC See management device
periodic statement.....................................................323
Ping Host page
field summary....................................................100
PoE
configuring........................................................1100
monitoring........................................................1103
poe
controller..........................................................1116
show interfaces command................................1117
policer statement.......................................................977
Port Mirroring
configuring........................................................1143
port security
configuring..........................................................769

Port security
monitoring..........................................................786
port-information-state-machine (tracing flag).............534
port-migration-state-machine (tracing flag)................534
port-mode statement.........................................324, 528
port-receive-state-machine (tracing flag)
STP.....................................................................535
port-role-select-state-machine (tracing flag)
STP.....................................................................535
port-role-transit-state-machine (tracing flag)
STP.....................................................................535
port-state-transit-state-machine (tracing flag)
STP.....................................................................535
port-transmit-state-machine (tracing flag)
STP.....................................................................535
power over ethernet See poe
ppmd (tracing flag)
STP.....................................................................535
preprovisioned statement..........................................230
preprovisioning..........................................................184
priority statement
class of service..................................................1072
power over Ethernet.........................................1113
STP.....................................................................529
process ID, displaying................................................106
process information, system, monitoring...................106
process owner, displaying..........................................106
process start time, displaying.....................................107
process state, displaying............................................106
processes, software
chassis process.....................................................18
forwarding process...............................................18
interface process...................................................18
management process............................................18
routing protocol process.......................................18
profile statement........................................................841
properties, system, monitoring..................................105
protocol statement...................................................1072
protocols
originating, displaying.........................................610
OSPF, monitoring...............................................606
RIP, monitoring..................................................608
routing protocols, monitoring.............................603

Q
query-interval statement
IGMP snooping....................................................621
query-last-member-interval statement.......................621
query-response-interval statement.............................622
quiet-period statement...............................................842

R
RADIUS
secret .................................................................109

radius statement........................................................843
radius-options statement ...........................................123
ratio statement.........................................................1158
reauthentication statement........................................844
reboot immediately
with J-Web..........................................................107
rebooting
with J-Web .........................................................107
redundant-trunk-group statement..............................530
remote server, upgrading from....................................67
request session member command...........................239
request system configuration rescue delete
command...............................................................112
request virtual-chassis recycle command...................240
request virtual-chassis vc-port (dedicated port)
command...............................................................243
request virtual-chassis vc-port (uplink port)
command...............................................................241
request virtual-chassis renumber command..............245
Rescue configuration
setting.................................................................113
retries statement........................................................845
rewrite rules
adding and editing (Quick Configuration)..........1043
defining (Configuration)....................................1042
summary .........................................................1043
rewrite-rules statement............................................1073
RIP (Routing Information Protocol)
Configuration......................................................595
designating RIP interfaces...................................596
enabling .............................................................596
monitoring..........................................................608
statistics..............................................................609
RIP neighbors
displaying...........................................................609
status..................................................................609
RIP page
field summary....................................................596
RIP routing information.............................................608
rmon
history................................................................127
rmon statement.......................................................1167
robust-count statement..............................................622
role............................................................................231
role statement............................................................231
root password recovery..............................................119
Routing Engine
software component.............................................17
routing policies
export, displaying...............................................604
import, displaying...............................................604
routing protocol software process................................18
routing table
displaying...........................................................610
rpd process..................................................................18
rstp statement............................................................531

S
scheduler maps
adding and editing ...........................................1040
defining ...........................................................1038
summary .........................................................1040
scheduler-map statement.........................................1073
scheduler-maps statement.......................................1074
schedulers
adding and editing ...........................................1039
defining ...........................................................1038
mapping to forwarding classes ........................1038
scheduler maps See scheduler maps
summary .........................................................1039
schedulers statement...............................................1075
scheduling a reboot
with J-Web..........................................................107
secret
RADIUS ..............................................................109
secure access
JUNOScript SSL access..........................................93
Secure Access page
field summary......................................................94
secure-access-port statement.....................................846
serial number
routing platform..................................................105
serial-number statement............................................232
server-timeout statement...........................................847
sessions
BGP peer, status details.......................................604
BGP peer, status summary..................................604
shaping-rate statement.............................................1076
show arp inspection statistics command....................871
show bgp neighbor command....................................603
show bgp summary command...................................603
show class-of-service classifier command................1047
show class-of-service code-point-aliases
command.............................................................1053
show class-of-service command...............................1080
show class-of-service forwarding-class
command.............................................................1048
show command.........................................................555
show dhcp snooping binding command.....................872
show dot1x authentication-failed-users
command...............................................................876
show dot1x command...............................................873
show dot1x static-mac-address command.................877
show ethernet-switching interfaces command...........545
show ethernet-switching mac-learning-log
command...............................................................548
show ethernet-switching table command...................550
show firewall command.............................................983
show gvrp statistics command...................................557
show igmp-snooping membership command............630
show igmp-snooping route command........................632

show igmp-snooping statistics command...................634

show igmp-snooping vlans command........................635
show interfaces (10-Gigabit Ethernet) command........342
show interfaces (Gigabit Ethernet) command.............332
show interfaces diagnostics optics command.............353
show interfaces filters command...............................985
show interfaces policers command............................987
show ip-source-guard command................................879
show lldp command..................................................881
show lldp local-info command...................................886
show lldp neighbors command..................................888
show lldp statistics command....................................891
show network-access aaa statistics accounting...........893
show network-access aaa statistics accounting
command...............................................................893
show network-access aaa statistics authentication
command...............................................................894
show network-access aaa statistics dynamic-requests
command...............................................................895
show ospf interfaces command.................................606
show ospf neighbors command.................................606
show ospf statistics command...................................606
show poe controller command.................................1116
show poe interface command..................................1117
show poe telemetries interface command................1119
show policer command..............................................989
show redundant-trunk-group command.....................559
show rip neighbors command....................................609
show rip statistics command......................................608
show route detail command.......................................610
show route terse command........................................610
show snmp rmon history command..........................127
show spanning-tree bridge command........................560
show spanning-tree interface command....................564
show spanning-tree mstp configuration
command...............................................................568
show spanning-tree statistics command.....................569
show system processes command.............................106
show system uptime..................................................246
show virtual-chassis status command........................250
show virtual-chassis vc-port command...............248, 252
show virtual-chassis vc-port statistics command........255
show vlans command................................................570
snmp
rmon history.......................................................127
SNMP
configuring..........................................................596
SNMP features...........................................................596
snmp rmon history
clear....................................................................126
software.......................................................................17
halting immediately (J-Web) ...............................107
version, displaying..............................................105
See also JUNOS software

Spanning Tree
BPDU errors
clearing........................................................542
speed statement.........................................................325
SSL (Secure Sockets Layer)
enabling secure access (Quick Configuration).......93
SSL certificates
adding .................................................................95
state-machine-variables (tracing flag)
STP.....................................................................535
static routes
Configuration......................................................601
Static Routes page
field summary....................................................601
static routing
default gateway..................................................601
static statement.........................................................848
IGMP snooping....................................................617
static-ip statement......................................................849
statistics
BGP.....................................................................603
DHCP..................................................................606
OSPF...................................................................608
RIP......................................................................609
status
BGP.....................................................................604
OSPF interfaces..................................................607
OSPF neighbors..................................................607
RIP neighbors.....................................................609
stop-on-access-deny statement..................................849
stop-on-failure statement...........................................850
STP
bridge
displaying....................................................560
interface
displaying....................................................564
statistics
clearing........................................................544
displaying....................................................569
stp statement.............................................................533
stub areas
area ID ...............................................................595
area type ............................................................595
supplicant statement..................................................851
supplicant-timeout statement.....................................852
switching
configuring..................................................407, 409
switching platform
halting (J-Web)....................................................107
rebooting (J-Web)................................................107
system identification, displaying................................105
system log messages
event viewer.......................................................114
monitoring (Quick Configuration).......................114
system overview
software................................................................17

system process information, displaying.....................107

system storage, displaying.........................................105
system time
defining ...............................................................96
system time, displaying.............................................105
system uptime
Virtual Chassis....................................................246

T
telemetries statement..............................................1114
term statement..........................................................978
then statement...................................................979, 980
time zone
defining ...............................................................95
timers (tracing flag)
STP.....................................................................535
topology-change-state-machine (tracing flag)
STP.....................................................................535
traceoptions statement..............................534, 853, 857
IGMP snooping....................................................623
LLDP...................................................................855
Virtual Chassis....................................................233
tracing flags
all........................................................................534
all-failures
STP..............................................................534
bpdu...................................................................534
bridge-detection-state-machine...........................534
events
STP..............................................................534
port-information-state-machine..........................534
port-migration-state-machine..............................534
port-receive-state-machine
STP..............................................................535
port-role-select-state-machine
STP..............................................................535
port-role-transit-state-machine
STP..............................................................535
port-state-transit-state-machine
STP..............................................................535
port-transmit-state-machine
STP..............................................................535
ppmd
STP..............................................................535
state-machine-variables
STP..............................................................535
timers
STP..............................................................535
topology-change-state-machine
STP..............................................................535
translate statement............................................326, 537
transmit-delay statement...........................................859
transmit-period statement..........................................859
transmit-rate statement............................................1077
troubleshooting
root password recovery......................................119
TTY, displaying..........................................................106

U
unit statement
class of service..................................................1078
interfaces............................................................327
upgrades
installing by uploading..........................................68
installing from remote server................................67
Upload package page
field summary......................................................68
uploading a configuration file.......................................77
username
displaying...........................................................106
specifying ..........................................................108
users
adding ...............................................................108
displaying...........................................................105

V
version
software, displaying............................................105
View
configuration text.................................................47
view and edit
uploading a file.....................................................77
View Events page
field summary (filtering log messages)................114
field summary (viewing log messages)................116
Virtual Chassis
active topology...................................................248
and link aggregation...........................................144
command forwarding.........................................213
components........................................................135
configuration, understanding..............................144
configuring..................................................197, 199
configuring across multiple wiring closets...........163
configuring master and backup...........................147
dedicated VCP....................................................243
electing the master.............................................140
expanding...........................................................152
global management............................................141
mastership..........................................................204
member id..........................................................240
member ID.........................................................250
members of........................................................228
monitoring..........................................................219
nonvolatile storage..............................................143
overview.............................................................133

preprovisioning...................................................184
renumber............................................................245
replacing a member switch.................................219
session................................................................239
setting uplink port as VCP...................................206
software upgrade................................................140
system uptime....................................................246
timer configuration.............................................210
troubleshooting...................................................223
uplink VCP..........................................................241
version compatibility..........................................146
Virtual Chassis ports...........................................250
VME configuration..............................................210
Virtual Chassis configuration
Virtual Chassis port.............................................252
Virtual Chassis ports
clear statistics.....................................................238
statistics..............................................................255
virtual-chassis statement............................................235
vlan statement...................................................860, 861
IGMP snooping....................................................625
interfaces....................................................328, 538
MSTI...................................................................538
port mirroring...................................................1158
vlan-assignment statement........................................861
vlan-id statement.......................................................539
vlan-range statement.................................................539
VLANs
configuring..........................................407, 409, 540
configuring VLAN range......................................539
vlans statement..........................................................540
voip statement...........................................................862

W
Web access, secure See secure access
what statement..........................................................863

Y
yellow alarms See minor alarms
