JUNOS EX-Switching

Thomas Stuart, Zenith Networks
info@zenithnetworks.com
Copyright 2012 (c)
www.zenithnetworks.com 2

 Partner of Juniper Networks
 HQ Philadelphia, PA
 27 Years Network Integration Services
 12 Years Education Services
 LAN / WAN Configuration and Design
 Routing, Switching and Security
 JNCIA, JNCIS-ENT, JNCI-ENT
 www.zenithnetworks.com
Copyright 2012 (c)

Founded 1996
HQ Sunnyvale, CA
Employees 9,400 + 46 countries
Award: 2011, 2012, 2013, 2014.. World’s Most Ethical
Company
Connect Everything…. Empower Everyone!
Routing, Switching, Security
www.juniper.net
Copyright 2012 (c)

Access to view the Slides……
http://www.zenithnetworks.com/education
Copyright 2012 (c)

Copyright 2012 (c)
JUNOS 12.3R6.6

Amnesiac (ttyu0)
login: root
Password:
--- JUNOS 12.3R6.6 built 2014-03-13 06:58:47 UTC
root@:RE:0%
root@:RE:0% cli
root>
root> configure
Entering configuration mode
[edit]
root#
Copyright 2012 (c)

[edit]
root# show
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/1 {
unit 0 {
}
}
ge-0/0/2 {
unit 0 {
}
}
Copyright 2012 (c)

Interface ge-0/0/0
Physical
Speed and Duplex
MTU
Logical
IPAddress
root@Left# set interfaces ge-0/0/0 ?
Possible completions:
accounting-profile Accounting profile name
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
description Text description of interface
disable Disable this interface
> ether-options Ethernet interface-specific options ( physical… speed / duplex )
gratuitous-arp-reply Enable gratuitous ARP reply
> hold-time Hold time for link up and link down
mac Hardware MAC address
mtu Maximum transmit packet size (256..9216)
.
.
> unit Logical interface ( ip address )
vlan-tagging 802.1q VLAN tagging support
Copyright 2012 (c)

[edit interfaces ge-0/0/0]
1. root@Left# set ether-options no-auto-negotiation
root@Left# set ether-options speed ?
> auto-negotiation Enable auto-negotiation
10m 10Mbps
100m 100Mbps
1g 1Gbps
2. root@Left# set ether-options speed 1g
3. root@Left# set ether-options link-mode full-duplex
Copyright 2012 (c)

[edit]
1. root@Right# set interfaces ge-0/0/0 ether-options no-auto-negotiation
[edit]
2. root@Right# set interfaces ge-0/0/0 ether-options speed 1g
[edit]
3. root@Right# set interfaces ge-0/0/0 ether-options link-mode full-duplex
Copyright 2012 (c)

Place an IPv4 address on the .0 logical unit of a physical interface.
root@Left# set unit 0 family inet address 192.168.1.1/24
root@Left# show
unit 0 {
family inet {
address 192.168.1.1/24;
} ge-0/0/23
}
Copyright 2012 (c)

root@Left# set unit 0 family inet address 192.168.3.1/24 primary
root@Left# show
unit 0 {
family inet {
address 192.168.1.1/24;
address 192.168.2.1/24;
address 192.168.3.1/24 {
primary;
}
Copyright 2012 (c)

root@Left# show
unit 0 {
family inet {
address 192.168.20.1/24;
}
root@Left# delete interfaces ge-0/0/0 unit 0 family inet
[edit]
root@Left# set interfaces ge-0/0/0 unit 0 family ethernet-switching
ge-0/0/0 {
unit 0 {
}
Copyright 2012 (c)
x

root@Left> show interfaces ge-0/0/0 ?
<[Enter]> Execute this command
brief Display brief output
descriptions Display interface description strings
detail Display detailed output
extensive Display extensive output
media Display media information
routing-instance Name of routing instance
snmp-index SNMP index of interface
statistics Display statistics and detailed output
terse Display terse output
| Pipe through a command
Copyright 2012 (c)

root@Left# run show interfaces ge-0/0/1
Physical interface: ge-0/0/1, Enabled, Physical link is Down
Interface index: 130, SNMP ifIndex: 506
Link-level type: Ethernet, MTU: 1514, Speed: Auto, Duplex: Auto,
BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
Remote fault: Online, Media type: Copper
Device flags : Present Running
Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
Link flags : None
CoS queues : 8 supported, 8 maximum usable queues
Current address: 28:c0:da:2a:20:04, Hardware address: 28:c0:da:2a:20:04
Last flapped : Never
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
Active alarms : LINK
Active defects : LINK
Interface transmit statistics: Disabled
Logical interface ge-0/0/1.0 (Index 69) (SNMP ifIndex 507)
Flags: Device-Down SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 0
Output packets: 0
Protocol eth-switch
Flags: None
Copyright 2012 (c)

root@Left# run show interfaces ge-0/0/0 terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up eth-switch
root@Left# run show interfaces ge-0/0/0 brief
Physical interface: ge-0/0/0, Enabled, Physical link is Up
Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Duplex: Full-Duplex,
Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled,
Auto-negotiation: Disabled, Remote fault: Online, Media type: Copper
Interface flags: SNMP-Traps Internal: 0x0
Link flags : None
Logical interface ge-0/0/0.0
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
eth-switch
Copyright 2012 (c)

root@Left> show interfaces ge-0/0/0 detail
Interface index: 130, SNMP ifIndex: 504, Generation: 133
Remote fault: Online
Link flags : None
Hold-times : Up 0 ms, Down 0 ms
Current address: 28:c0:da:2a:2f:c0, Hardware address: 28:c0:da:2a:2f:c0
Last flapped : 2013-02-26 12:21:11 UTC (00:23:12 ago)
Statistics last cleared: Never
Traffic statistics:
Input bytes : 14808 0 bps
Output bytes : 27007 0 bps
Input packets: 99 0 pps
Output packets: 195 0 pps
Copyright 2012 (c)

root@Left> show interfaces ge-0/0/17 extensive
Remote fault: Online, Media type: Copper
.
.
.
Input errors:
Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
FIFO errors: 0, Resource errors: 0
Output errors:
Carrier transitions: 7, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
Egress queues: 8 supported, 4 in use
Queue counters: Queued packets Transmitted packets Dropped packets
0 best-effort 0 0 0
1 assured-forw 0 0 0
5 expedited-fo 0 0 0
7 network-cont 0 9620 0
Copyright 2012 (c)

Link flags : None
Traffic statistics:
Copyright 2012 (c)

root@Left> clear interfaces statistics ge-0/0/0
Copyright 2012 (c)

Link flags : None
Statistics last cleared: 2013-02-26 12:44:52 UTC (00:00:03 ago)
Traffic statistics:
Copyright 2012 (c)

root@Left> monitor interface ge-0/0/0
Seconds: 188 Time: 14:31:05
Delay: 0/0/20
Interface: ge-0/0/0, Enabled, Link is Up
Encapsulation: Ethernet, Speed: 1000mbps
Traffic statistics: Current delta
Input bytes: 65730 (816 bps) [17412]
Output bytes: 65601 (816 bps) [17400]
Input packets: 374 (1 pps) [163]
Output packets: 376 (1 pps) [163]
Error statistics:
Input errors: 0 [0]
Input drops: 0 [0]
Input framing errors: 0 [0]
Policed discards: 0 [0]
L3 incompletes: 0 [0]
L2 channel errors: 0 [0]
L2 mismatch timeouts: 0 Carrier transition [0]
Next='n', Quit='q' or ESC, Freeze='f', Thaw='t', Clear='c', Interface='i'
Copyright 2012 (c)

root@Left> monitor traffic interface ge-0/0/0 ?
absolute-sequence Display absolute TCP sequence numbers
brief Display brief output
count Number of packets to receive (0..1000000 packets)
layer2-headers Display link-level header on each dump line
matching Expression for headers of receive packets to match
no-domain-names Don't display domain portion of hostnames
no-promiscuous Don't put interface into promiscuous mode
no-resolve Don't attempt to print addresses symbolically
no-timestamp Don't print timestamp on each dump line
print-ascii Display packets in ASCII when displaying in hexadecimal format
print-hex Display packets in hexadecimal format
resolve-timeout Period of time to wait for each name resolution (seconds)
size Amount of each packet to receive (bytes)
Copyright 2012 (c)

root@Left> monitor traffic interface ge-0/0/0 detail
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0, capture size 1514 bytes
11:19:44.332148 In STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id
8000.28:c0:da:2a:20:01.8201, length 43
message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
root-id 8000.28:c0:da:2a:20:01, root-pathcost 0, port-role Designated
11:19:46.207063 In STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id
8000.28:c0:da:2a:20:01.8201, length 43
message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
root-id 8000.28:c0:da:2a:20:01, root-pathcost 0, port-role Designated
Copyright 2012 (c)

1. root@Leftt# set interfaces ge-0/0/0 disable
2. root@Left# commit
configuration check succeeds
commit complete
3. root@Left# run show interfaces ge-0/0/0
Physical interface: ge-0/0/0, Administratively down, Physical link is Down
4. root@Left# run show interfaces ge-0/0/0 terse
ge-0/0/0 down down
ge-0/0/0.0 up down eth-switch
[edit]
5. root@Left# delete interfaces ge-0/0/0 disable
Copyright 2012 (c)

[edit]
root@Left# set interfaces ge-0/0/0 description ****WEB-SERVER****
root@Left# commit
commit complete
root@Left# run show interfaces ge-0/0/0
Interface index: 129, SNMP ifIndex: 504
Description: ****WEB-SERVER****
Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Duplex: Full-Duplex,
Copyright 2012 (c)

1. Define “range-name” and place interfaces into range group….
1. root@Left# set interfaces interface-range server-ports member-range ge-0/0/5 to ge-0/0/10
2. Associate a vlan with the prior defined range group….
2. root@Left# set interfaces interface-range server-ports unit 0 family ethernet-switching vlan members
server-vlan
3. root@Left# show interfaces interface-range server-ports
member-range ge-0/0/5 to ge-0/0/10;
unit 0 {
family ethernet-switching {
vlan {
members server-vlan;
Copyright 2012 (c)

[edit]
root@Left# run show vlans
Name Tag Interfaces
server-vlan 100 ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0,
ge-0/0/9.0, ge-0/0/10.0
Copyright 2012 (c)

** All Interfaces have been reset to the default vlan **
root# run show vlans
Name Tag Interfaces
default
ge-0/0/0.0, ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0,
ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0,
ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0, ge-0/0/11.0,
ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0,
ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0,
ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0
Copyright 2012 (c)

[edit]
root@Left# set vlans default vlan-id 50
Perform a Commit!!!
Name Tag Interface
default 50 ge-0/0/0.0, ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0,
ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0,
ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0, ge-0/0/11.0,
ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0,
ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0,
ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0
Copyright 2012 (c)

[edit]
root@Left# set vlans marketing vlan-id ?
<vlan-id> 802.1q tag (1..4094)
[edit]
root@Left# set vlans marketing vlan-id 30
[edit]
root@Left# set vlans engineering vlan-id 40
root@Left# commit
commit complete
Copyright 2012 (c)

[edit]
Name Tag Interfaces
ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0,
ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0, ge-0/0/11.0,
ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0,
ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0,
ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0
engineering 40
None
marketing 30
None
Copyright 2012 (c)

root@Left# edit interfaces ge-0/0/11 unit 0 family ethernet-switching
[edit interfaces ge-0/0/11 unit 0 family ethernet-switching]
root@Left# set vlan members engineering
root@Left# commit
commit complete
root@Left# run show vlans engineering
Name Tag Interfaces
engineering 40 ge-0/0/11.0
Copyright 2012 (c)

[edit]
root@Left# set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members marketing
root@Left# commit
commit complete
[edit]
root@Left# show vlans
engineering {
vlan-id 40;
}
marketing {
vlan-id 30;
Copyright 2012 (c)

root@Right# set vlans engineering vlan-id 40
[edit]
root@Right# set vlans marketing vlan-id 30
[edit]
root@Right# commit
commit complete
[edit]
root@Right# show vlans
engineering {
vlan-id 40;
}
marketing {
vlan-id 30;
Copyright 2012 (c)

root@Right# set vlan members engineering
[edit]
root@Right# set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members marketing
root@Right# commit
commit complete
Copyright 2012 (c)

root@Right# run show vlans
Name Tag Interfaces
ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0,
ge-0/0/9.0, ge-0/0/10.0, ge-0/0/13.0, ge-0/0/14.0,
ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0,
ge-0/0/19.0, ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0,
ge-0/0/23.0
engineering 40
ge-0/0/11.0
marketing 30
ge-0/0/12.0
Copyright 2012 (c)

Driven via the VLAN level, and NOT the interface level....
[edit]
root@Right# set vlans test interface ge-0/0/24
[edit]
engineering {
vlan-id 40;
}
marketing {
vlan-id 30;
}
test {
vlan-id 200;
interface {
ge-0/0/24.0;
Copyright 2012 (c)

engineering {
vlan-id 40;
}
marketing {
vlan-id 30;
root@Right# edit interfaces ge-0/0/19 unit 0 family ethernet-switching
root@Right# set vlan members 40
root@Right# show
vlan {
members 40;
Copyright 2012 (c)

802.1q Trunks....
Copyright 2012 (c)

root@Left# edit interfaces ge-0/0/20 unit 0 family ethernet-switching
root@Left# set port-mode trunk
root@Left# set vlan members [30 40]
root@Left# show
port-mode trunk;
vlan {
members [ 30 40 ];
}
root@Left# commit
commit complete
Copyright 2012 (c)

root@Right# set interfaces ge-0/0/20 unit 0 family ethernet-switching port-mode trunk
root@Right# set vlan members [marketing engineering ]
root@Right# show
port-mode trunk;
vlan {
members [ marketing engineering ];
}
root@Right# commit
commit complete
Copyright 2012 (c)

Name Tag Interfaces
default ge-0/0/0.0, ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0,
ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0,
ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0, ge-0/0/13.0,
engineering 40
ge-0/0/11.0*, ge-0/0/20.0* ( 11 is an access ports and 20 is trunk )
marketing 30
Copyright 2012 (c)

root@Left> show ethernet-switching interfaces ge-0/0/11 ( Access Interface )
Interface State VLAN members Tag Tagging Blocking
ge-0/0/11.0 up engineering 40 untagged unblocked
root@Left> show ethernet-switching interfaces ge-0/0/12 ( Access Interface )
ge-0/0/12.0 up marketing 30 untagged unblocked
root@Left> show ethernet-switching interfaces ge-0/0/20 ( Trunk Interface )
ge-0/0/20.0 up engineering 40 tagged unblocked
marketing 30 tagged unblocked
Copyright 2012 (c)

root@Right# run show vlans
Name Tag Interfaces
default ge-0/0/0.0, ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0,
ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0,
ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0, ge-0/0/13.0,
engineering 40
marketing 30
Copyright 2012 (c)

root@Right> show ethernet-switching interfaces ge-0/0/11 ( Access Interface )
ge-0/0/11.0 up engineering 40 untagged unblocked
root@Right> show ethernet-switching interfaces ge-0/0/12 ( Access Interface )
ge-0/0/12.0 up marketing 30 untagged unblocked
root@Right> show ethernet-switching interfaces ge-0/0/20 ( Trunk Interface )
ge-0/0/20.0 up engineering 40 tagged unblocked
marketing 30 tagged unblocked
Copyright 2012 (c)

In the simplest of terms….
 Bandwidth ( additional traffic lanes!! )
 Redundancy ( backup traffic lanes!! )
 Use of existing network resources!!
 Reduce level of dependency on Spanning-Tree protocol
Copyright 2012 (c)

Multiple physical
interfaces acting
As a single pipe!!
Copyright 2012 (c)

Link failure!
Existing links
continue to
send traffic!
Copyright 2012 (c)

 Create a virtual LAG group / interface
 Hard-code speed and duplex for member interfaces
 Place multiple physical ports into LAG
 Intelligence (802.1q, vlans, protocols ) is placed onto LAG
interface
 Bandwidth!!! Redundancy!!!
Copyright 2012 (c)
LAG

Load balance traffic across the multiple physical ports
Ports within LAG must be of same type, speed and FDX
Maximum # of ports within a LAG is 8
Maximum number of LAG’s….. EX4200 is 111
Copyright 2012 (c)

 LACP: Optional… Not required
 LACP: Detects misconfiguration on the LAG
 Failed ports, speed / duplex, wrong LAG group
 LACP: Configured on both end of connection
 LACP: Active / Active…. or Active / Passive
 LACP: Auto join and delete individual links to ae
Copyright 2012 (c)

On both ethernet switches… create virtual ae ( aggregated ethernet interface )
tom@LAG-1# set chassis aggregated-devices ethernet device-count 1
tom@LAG-2# set chassis aggregated-devices ethernet device-count 1
tom@LAG-1# run show interfaces terse | match ae
ae0 up down
Copyright 2012 (c)

On both ethernet switches… set speed / duplex for interfaces to be part of ae0
tom@LAG-1# set interfaces ge-0/0/0 ether-options link-mode full-duplex
tom@LAG-1# set interfaces ge-0/0/0 ether-options speed 1g
Copyright 2012 (c)

On both ethernet switches… set speed / duplex for interfaces to be part of ae0
Copyright 2012 (c)

On both ethernet switches… marry physical interfaces to LAG ae0
tom@LAG-1# set interfaces ge-0/0/0 ether-options 802.3ad ae0
Copyright 2012 (c)

On both ethernet switches… configure an ip address on the ae0 LAG
tom@LAG-1# set interfaces ae0 unit 0 family inet address 192.168.1.1/24
tom@LAG-2# set interfaces ae0 unit 0 family inet address 192.168.1.2/24
Copyright 2012 (c)

root@LAG-1# run show interfaces terse | match ae
ge-0/0/0.0 up up aenet --> ae0.0
ae0 up up
ae0.0 up up inet 192.168.1.1/24
Copyright 2012 (c)

root@LAG-1# run ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=64 time=3.399 ms
Copyright 2012 (c)

root@LAG-1# run show interfaces ae0 extensive
Physical interface: ae0, Enabled, Physical link is Up
Traffic statistics:
Copyright 2012 (c)

root@LAG-1# run show interfaces ae0 extensive
Logical interface ae0.0(Index 67) (SNMP ifIndex 658) (Generation 132)
Flags: SNMP-Traps 0x0 Encapsulation: ENET2
Statistics Packets pps Bytes bps
Bundle:
Input : 36 0 4892 0
Output: 111 0 8618 0
Marker Statistics: Marker Rx Resp Tx Unknown Rx Illegal Rx
ge-0/0/0.0 0 0 0 0
ge-0/0/1.0 0 0 0 0
ge-0/0/2.0 0 0 0 0
Protocol inet, Generation: 148, Route table: 0
Flags: Is-Primary
Addresses, Flags: Is-Default Is-Preferred Is-Primary
Destination: 192.168.1/24, Local: 192.168.1.1, Broadcast: 192.168.1.255,
Generation: 135
Copyright 2012 (c)

Interface Monitoring:
1. Copy packets to local interface for monitoring
2. Packets entering or exiting an interface (up tp 256 interfaces)
VLAN Monitoring:
1. Copy packets to a analyzer VLAN for remote monitoring
2. Packets entering VLAN (up to 256 vlan’s)
Policy:
1. Policy-Based (firewall filter define traffic to be mirrored)
Copyright 2012 (c)

Local Port Mirroring of Server Traffic
set interfaces ge-0/0/10 unit 0 family ethernet-switching
set interfaces ge-0/0/20 unit 0 family ethernet-switching
set ethernet-switching-options analyzer monitor-traffic input ingress interface ge-0/0/10.0
set ethernet-switching-options analyzer monitor-traffic output interface ge-0/0/20.0
Copyright 2012 (c)

{master:0}[edit ethernet-switching-options]
root@flyers# show
analyzer monitor-traffic {
input {
ingress {
interface ge-0/0/10.0;
}
}
output {
interface {
ge-0/0/20.0;
}
}
}
Copyright 2012 (c)

root@flyers# run show analyzer
Analyzer name : monitor-traffic
Output interface : ge-0/0/20.0 ( sniffer )
Mirror ratio : 1
Loss priority : Low
Ingress monitored interfaces : ge-0/0/10.0 ( device being monitored )
Copyright 2012 (c)

Copyright 2012 (c)
Allowed MAC
MAC Limiting
DHCP Snoop
Arp Inspection
IP Source Guard

Copyright 2012 (c)
Define allowed MAC address on an interface
[edit ethernet-switching-options secure-access-port]
root@New-York# set interface ge-0/0/15 allowed-mac 40:6c:8f:3f:f8:2d
root@New-York# set interface ge-0/0/16 allowed-mac [40:6c:8f:3f:f8:2e 40:6c:8f:11:22:33]
root@New-York# show
interface ge-0/0/15.0 {
allowed-mac 40:6c:8f:3f:f8:2d;
}
allowed-mac [ 40:6c:8f:3f:f8:2e 40:6c:8f:11:22:33 ]

Copyright 2012 (c)
Limit number of MAC addresses learned on an interface
1. root@New-York# set interface ge-0/0/17 mac-limit ?
<limit> Number of dynamic MAC addresses allowed on this interface
action Action to take if limit is exceeded
2. root@New-York# set interface ge-0/0/17 mac-limit 1 action ?
drop Drop the packet and log it ( only packets over defined limit )
log Log a message ( no drop, just log )
none Take no action ( fine control, while other interfaces have a global action )
shutdown Shut down the interface ( shutdown the full interface )

Copyright 2012 (c)
Continue with Limit number of MAC addresses learned on an interface
root@New-York# set interface ge-0/0/17 mac-limit 1 action drop
root@New-York# show
}
mac-limit 1 action drop;
}

Copyright 2012 (c)
root@New-York# run show ethernet-switching table
Ethernet-switching table: 2 entries, 1 learned, 0 persistent entries
VLAN MAC address Type Age Interfaces
default * Flood - All-members
default b0:e8:92:08:66:e8 Learn 1:21 ge-0/0/17.0 ( Only 1 allowed MAC )
root@New-York# run show log messages
Mar 13 12:00:00 New-York newsyslog[1615]: logfile turned over due to size>128K
Mar 13 12:00:02 New-York eswd[1286]: ESWD_MAC_LIMIT_DROP: MAC limit (1) exceeded at
ge-0/0/17.0: dropping the packet from src 7c:d1:c3:77:64:46

Copyright 2012 (c)
1. root@New-York# set vlan engineering mac-move-limit ?
<limit> Number of MAC movements allowed on this VLAN
action Action to be taken in case the MAC movement limit is exceeded
2. root@New-York# set vlan engineering mac-move-limit 2 action ?
drop Drop the packet and log it
log Log a message
none Take no action
shutdown Shut down the interface
3. root@New-York# show
vlan engineering {
mac-move-limit 2 action log;

Copyright 2012 (c)
Multiple purposes:
1. Prevent rogue DHCP devices from impacting users
2. Capture DHCP messages and build snoop table
3. Deny rogue dhcp server from receiving dhcp requests
4. Prevent ARP Spoofing
Rogue DHCP Device

Copyright 2012 (c)
1. root@San-Fran# set interface ge-0/0/10 dhcp-trusted ( receive DHCP traffic )
2. root@San-Fran# set interface ge-0/0/0 no-dhcp-trusted ( deny DHCP traffic )
3. root@San-Fran# set vlan market examine-dhcp ( enable dhcp snooping )
root@San-Fran# show
dhcp-trusted;
}
no-dhcp-trusted;
x

Copyright 2012 (c)
root@San-Fran> show dhcp-snooping binding
DHCP Snooping Information:
MAC Address IP Address Lease Type VLAN Interface
----------------- ---------- ----- ---- ---- ---------
01:02:03:04:05:06 192.168.1.50 590 dynamic market ge-0/0/2.0

Copyright 2012 (c)
ARP Spoofing… Man in the middle… DOS…. Not good.
DAI – Dynamic Arp Inspection: Used to prevent ARP Spoof Attacks
Inspect ARP packets against Snoop-DB… if invalid… drop!
Arp packets are compared to a switch-based DHCP Snooping DB.
Ports / Interfaces
Access: Untrusted ( perform inspection )
Trunk: Trusted ( bypass ARP inspection )

Copyright 2012 (c)
1. DHCP Snooping Process
Switch reads DHCP lease information
Switch adds entries to the local switch DHCP Snoop-DB
root@San-Fran> show dhcp snooping binding
2. DAI Process
Switch inspects arp packets on untrusted ports
check source mac - drop invalid ip – mac entries

Copyright 2012 (c)
Set DHCP Server interface as Trusted
root@San-Fran# set ethernet-switching-options secure-access-port interface ge-0/0/15 dhcp-trusted
Enable DHCP Snooping
root@San-Fran# set ethernet-switching-options secure-access-port vlan market examine-dhcp
Enable DAI
root@San-Fran# set ethernet-switching-options secure-access-port vlan market arp-inspection

Copyright 2012 (c)
Check the results of the configuration:
root@San-Fran# show
dhcp-trusted;
}
vlan market {
arp-inspection;
examine-dhcp;
}

Copyright 2012 (c)
root@San-Fran> show arp inspection statistics
Interface Packets received ARP inspection pass ARP inspection failed
ge-0/0/0 0 0 0
ge-0/0/10 0 0 0
 The switch compares the ARP requests and replies against the entries
 in the DHCP snooping database.
 If a MAC address or IP address in the ARP packet does
 not match a valid entry in the database, the packet is dropped.

Copyright 2012 (c)
Prevent IP Spoofing Attacks…. Invalid addresses!!
Uses DHCP Snooping DB
1. Inspect Source IP and Source MAC on untrusted interfaces… Compare to Snoop DB
2. If interface traffic does NOT match Snoop DB….. drop traffic.

Copyright 2012 (c)
Set DHCP Server interface as Trusted
root@San-Fran# set ethernet-switching-options secure-access-port interface ge-0/0/15 dhcp-trusted
Enable DHCP Snooping on the VLAN
[root@San-Fran# set ethernet-switching-options secure-access-port vlan default examine-dhcp
Enable IP Source Guard on the VLAN
root@San-Fran# set ethernet-switching-options secure-access-port vlan default ip-source-guard

Copyright 2012 (c)
root@San-Fran# show
vlan default {
examine-dhcp;
ip-source-guard;
}

Copyright 2012 (c)
01:02:03:04:05:06 192.168.1.20 600 dynamic default ge-0/0/0.0
11:22:33:44:55:66 192.168.1.25 653 dynamic default ge-0/0/10.0
root@San-Fran> show ip-source-guard
IP source guard information:
Interface Tag IPAddress MAC Address VLAN
ge-0/0/0.0 0 192.168.1.20 01:02:03:04:05:06 default
ge-0/0/10.0 0 192.168.1.25 11:22:33:44:55:66 default

Copyright 2012 (c)
root@San-Fran# set unit 0 family inet address 192.168.10.1/24
root@San-Fran# show
unit 0 {
family inet {
address 192.168.10.1/24;
}
}

Copyright 2012 (c)
Major VLAN Interface Configuration Steps…..
1) Create your Layer Three VLAN Interfaces
2) Configure your corresponding Layer Two VLAN (name, vlan-id, bind L3-L2)
3) On the physical interface…. Assign Layer Two VLAN
4) Show Interface VLAN
5) Ping L3 vlan interface

Copyright 2012 (c)
[edit]
root@San-Fran# set interfaces vlan unit 100 family inet address 192.168.100.1/24
[edit]
root@San-Fran# show interfaces vlan
unit 100 {
family inet {
address 192.168.100.1/24;
}
}

Copyright 2012 (c)
[edit]
root@San-Fran# set vlans accounting vlan-id 100
[edit]
root@San-Fran# show vlans
accounting {
vlan-id 100;
}

Copyright 2012 (c)
root@San-Fran> show interfaces vlan.100
Logical interface vlan.100 (Index 91) (SNMP ifIndex 664)
Flags: Link-Layer-Down SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 0
Output packets: 1
Protocol inet, MTU: 1500
Flags: None
Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
Destination: 192.168.100/24, Local: 192.168.100.1,
Broadcast: 192.168.100.255
root@San-Fran# set vlans accounting l3-interface vlan.100 ( Bind L2 and L3 )
root@San-Fran# show vlans
accounting {
vlan-id 100;
l3-interface vlan.100;

Copyright 2012 (c)
root@San-Fran> ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
ping: sendto: No route to host
^C
1. root@San-Fran> show vlans accounting ( configuration )
Name Tag Interfaces
accounting 100 None ( no interfaces are within the accounting vlan )
2. root@San-Fran# set vlans accounting interface ge-0/0/0 ( bind ge-0/0/0 to accounting vlan )
3. root@San-Fran# show vlans
accounting {
vlan-id 100;
interface {
ge-0/0/0.0;
}
l3-interface vlan.100;

Copyright 2012 (c)
root@San-Fran> show vlans accounting ( status )
Name Tag Interfaces
accounting 100 ge-0/0/0.0
root@San-Fran> show interfaces ge-0/0/0 terse
ge-0/0/0 up up
ge-0/0/0.0 up up eth-switch
root@San-Fran> ping 192.168.100.1 ( ping L3 vlan interface )
PING 192.168.100.1 (192.168.100.1): 56 data bytes

Copyright 2012 (c)
Major VLAN Interface Configuration Steps…..
1) Create your Layer Three VLAN Interfaces
2) Configure your corresponding Layer Two VLAN (name, vlan-id, bind L3-L2)
3) On the physical interface…. Assign Layer Two VLAN
4) Show Interface VLAN
5) Ping L3 vlan interface

Copyright 2012 (c)
1. RSTP is the default L2 spanning-tree protocol.
2. Avoid L2 network loops
3. Fast convergence time v. STP 802.1d
Port State:
F = Forward
B = Block
Port Role:
DESG = (designated)
Alt = Alternate Path
R = Root

Copyright 2012 (c)
Root Switch
1. Lowest Priority ( default is 32768… range is 0 thru 65535 )
OR
2. Lowest Bridge-ID ( MAC + Priority )
Root Switch Ports: Always… F – D
Other Switches:
Port with lowest cost is F –R
Shared LAN segment:
Switch with Low Bridge-ID is F-D
Other shared LAN switch is B - Alt

Copyright 2012 (c)
Top Switch
root@Top> show spanning-tree bridge
STP bridge parameters
Context ID : 0
Enabled protocol : RSTP
Root ID : 4096.28:c0:da:2a:2f:c1
Hello time : 2 seconds
Maximum age : 20 seconds
Forward delay : 15 seconds
Message age : 0
Number of topology changes : 7
Time since last topology change : 1942 seconds
Topology change initiator : ge-0/0/0.0
Topology change last recvd. from : 28:c0:da:2a:20:03
Local parameters
Bridge ID : 4096.28:c0:da:2a:2f:c1
Extended system ID : 0
Internal instance ID : 0

Copyright 2012 (c)
root@Top> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface Port ID Designated Designated Port State Role
port ID bridge ID Cost
ge-0/0/0.0 128:513 128:513 4096.28c0da2a2fc1 20000 FWD DESG
ge-0/0/1.0 128:514 128:514 4096.28c0da2a2fc1 20000 FWD DESG

Copyright 2012 (c)
root@Left> show spanning-tree interface
ge-0/0/0.0 128:513 128:513 4096.28c0da2a2fc1 20000 FWD ROOT
ge-0/0/2.0 128:515 128:515 32768.28c0da2a2001 20000 FWD DESG

Copyright 2012 (c)
www.zenithnetworks.com
10
0
root@Right> show spanning-tree interface
ge-0/0/0.0 128:513 128:514 4096.28c0da2a2fc1 20000 FWD ROOT
ge-0/0/2.0 128:515 128:515 32768.28c0da2a2001 20000 BLK ALT

Copyright 2012 (c)
10
1
Enable RSTP…..
root@Top# set protocols ?
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
.
.
.
> rstp Rapid Spanning Tree Protocol options
> rsvp RSVP options
> sflow SFLOW protocol
> stp Spanning Tree Protocol options
root@Top# set protocols rstp

Copyright 2012 (c)
10
2
Used to determine Root Switch
Default is 32768
Lower Bridge-Priority number will be the Root Switch
If default values are used ( tie ), then Root is determined by lowest MAC
[edit]
root@Top# set protocols rstp bridge-priority ?
<bridge-priority> Priority of the bridge (in increments of 4k - 0, 4k, 8k,.. 60k)
root@Top# set protocols rstp bridge-priority 4
error: bridge-priority: '4': Must be a multiple of 4096
root@Top# set protocols rstp bridge-priority 4096

Copyright 2012 (c)
10
3
root@Top> show spanning-tree bridge
Context ID : 0
Root ID : 4096.28:c0:da:2a:2f:c1
Message age : 0
Topology change last recvd. from : 28:c0:da:2a:20:03
Local parameters
Bridge ID : 4096.28:c0:da:2a:2f:c1

Copyright 2012 (c)
10
4
root@Left> show spanning-tree bridge
Context ID : 0
Root ID : 4096.28:c0:da:2a:2f:c1
Root cost : 20000
Root port : ge-0/0/0.0
Message age : 1
Topology change last recvd. from : 28:c0:da:2a:2f:c3
Local parameters
Bridge ID : 32768.28:c0:da:2a:20:01 ( Local Bridge-ID )

Copyright 2012 (c)
10
5
Discarding, Learning and Forwarding….
Convergence:
- Fast Convergence is desirable
- Configurable interface RSTP parameters
Point-To-Point
- Very fast fail-over to backup link
[edit protocols rstp]
root@Top-Left# set interface ge-0/0/0 mode point-to-point
root@Bottom# set interface ge-0/0/0 mode point-to-point

Copyright 2012 (c)
10
6
Discarding, Learning and Forwarding….
Edge-Port
- Always in forwarding state… bypass listening and learning stages
- LAN with no other switches attached
[edit]
root@Left# set protocols rstp interface ge-0/0/10 edge
BPDU Protection!!!
[edit]
root@Left# set protocols rstp bpdu-block-on-edge

[edit virtual-chassis]
root# show
preprovisioned;
member 0 {
role routing-engine;
serial-number BM0210466816;
}
member 1 {
role routing-engine;
}
member 2 {
role line-card;
}
Copyright 2012 (c)
10
8

root> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: 31d5.c5f9.4578
Mastership Neighbor List
Member ID Status Serial No Model priority Role ID Interface
0 (FPC 0) Prsnt BM0210466816 ex4200-24t 129 Master* 1 vcp-0
2 vcp-1
1 (FPC 1) Prsnt BM0210463478 ex4200-24t 129 Backup 2 vcp-0
0 vcp-1
2 (FPC 2) Prsnt BM0210466754 ex4200-24t 0 Linecard 0 vcp-0
1 vcp-1
Copyright 2012 (c)
10
9

root> show version ( or show version all ) ( or show version member 2 )
fpc0:
--------------------------------------------------------------------------
Model: ex4200-24t
JUNOS Base OS boot [10.3R1.9]
JUNOS Base OS Software Suite [10.3R1.9]
JUNOS Kernel Software Suite [10.3R1.9]
JUNOS Crypto Software Suite [10.3R1.9]
JUNOS Online Documentation [10.3R1.9]
JUNOS Enterprise Software Suite [10.3R1.9]
JUNOS Packet Forwarding Engine Enterprise Software Suite [10.3R1.9]
JUNOS Routing Software Suite [10.3R1.9]
JUNOS Web Management [10.3R1.9]
Copyright 2012 (c)
11
0

fpc1:
--------------------------------------------------------------------------
Model: ex4200-24t
Copyright 2012 (c)
11
1

fpc2:
--------------------------------------------------------------------------
Model: ex4200-24t
Copyright 2012 (c)
11
2

root> request system reboot ?
all-members Reboot all virtual chassis members
at Time at which to perform the operation
in Number of minutes to delay before operation
local Reboot local virtual chassis member
media Boot media for next boot
member Reboot specific virtual chassis member (0..9)
message Message to display to all users
slice Partition on boot media to boot from
Copyright 2012 (c)
11
3

root> show interfaces terse
ge-0/0/0 up down
ge-0/0/1 up down
……..
……..
ge-1/0/0 up down
ge-1/0/1 up down 0
ge-1/0/2 up down
……
…… 1
ge-2/0/0 up down
ge-2/0/1 up down 2
ge-2/0/2 up down
Copyright 2012 (c)
11
4

root> show interfaces terse | match ge-2
ge-2/0/0 up down
ge-2/0/1 up down
ge-2/0/2 up down
ge-2/0/3 up down
ge-2/0/4 up down
ge-2/0/5 up down
ge-2/0/6 up down
ge-2/0/7 up down
ge-2/0/8 up down
2
Copyright 2012 (c)
11
5

root> show virtual-chassis ?
active-topology Virtual chassis active topology
device-topology PFE device topology
fast-failover Fast failover status
login
protocol Show virtual chassis protocol information
status Virtual chassis information
vc-path Show virtual-chassis packet path
vc-port Virtual chassis port information
Copyright 2012 (c)
11
6

root> show virtual-chassis vc-port ?
all-members Show virtual chassis ports on all virtual chassis members
local Show virtual chassis ports on local virtual chassis member
member Show virtual chassis ports on specific virtual chassis member
statistics Show virtual chassis port statistics
Copyright 2012 (c)
11
7

root> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface Type Trunk Status Speed Neighbor 128Gbps Backplane
or ID (mbps) ID Interface
PIC / Port
vcp-0 Dedicated 2 Up 32000 1 vcp-1
fpc1:
--------------------------------------------------------------------------
Interface Type Trunk Status Speed Neighbor
PIC / Port
fpc2:
--------------------------------------------------------------------------
Interface Type Trunk Status Speed Neighbor
PIC / Port
Copyright 2012 (c)
11
8

root> show virtual-chassis vc-port statistics ?
<interface-name> Name of virtual chassis port
vcp-0
vcp-1
all-members Show virtual chassis ports statistics on all virtual chassis members
brief Display brief output (default)
local Show virtual chassis ports statistics on local virtual chassis member
member Show virtual chassis ports statistics on specific virtual chassis member
Copyright 2012 (c)
11
9

root> show virtual-chassis vc-port statistics vcp-0 member 2
fpc2:
--------------------------------------------------------------------------
Interface Input Octets/Packets Output Octets/Packets
vcp-0 9125591 / 56412 9531594 / 56437
 VCCP packets are being TX / RX
Copyright 2012 (c)
12
0

root> show virtual-chassis protocol adjacency
fpc0:
--------------------------------------------------------------------------
Interface System State Hold (secs)
internal-0/27 28c0.da2a.2fc1 Up 65535 ( packet forwarding engine 1 )
internal-1/24 28c0.da2a.2fc0 Up 65535 ( packet forwarding engine 2 )
vcp-0.32768 28c0.da2e.93c1 Up 57 ( vcp port )
vcp-1.32768 28c0.da2a.2000 Up 58 ( vcp port )
fpc1:
--------------------------------------------------------------------------
internal-0/27 28c0.da2e.93c1 Up 65535 ( packet forwarding engine 1 )
internal-1/24 28c0.da2e.93c0 Up 65535 ( packet forwarding engine 2 )
vcp-0.32768 28c0.da2a.2001 Up 58 ( vcp port )
vcp-1.32768 28c0.da2a.2fc0 Up 58 ( vcp port )
fpc2:
--------------------------------------------------------------------------
internal-0/27 28c0.da2a.2001 Up 65535 ( packet forwarding engine 1 )
internal-1/24 28c0.da2a.2000 Up 65535 ( packet forwarding engine 2 )
vcp-0.32768 28c0.da2a.2fc1 Up 58 ( vcp port )
vcp-1.32768 28c0.da2e.93c0 Up 58 ( vcp port )
Copyright 2012 (c)
12
1

root> show virtual-chassis protocol database member 1
fpc1:
--------------------------------------------------------------------------
LSP ID Sequence Checksum Lifetime
28c0.da2a.2000.00-00 0xafc 0xc08f 116
28c0.da2a.2001.00-00 0xafa 0xea08 116
28c0.da2a.2fc0.00-00 0xaf6 0x5bd4 116
28c0.da2a.2fc1.00-00 0xafa 0x6f45 115
28c0.da2e.93c0.00-00 0xaf9 0x4f84 116
28c0.da2e.93c1.00-00 0xaff 0x4580 117
6 LSPs ( VC has a total of 6 PFE’s… across 3 ex4200-24 )
Copyright 2012 (c)
12
2

show virtual-chassis vc-path source-interface ge-0/0/0 destination-interface ge-2/0/0
vc-path from ge-0/0/0 to ge-2/0/0
Hop Member PFE-Device Interface
0 0 1 ( my local pfe ) ge-0/0/0 ( source )
1 2 6 ( swt #2 vcp port pfe ) vcp-1 (conn in between mem 0 and mem 2)
2 2 7 ( swt #2 local pfe ) ge-2/0/0 ( destination )
0
1
2
Copyright 2012 (c)
12
3

*** info@zenithnetworks.com ***
www.juniper.net
*** extjumpstart-junos@juniper.net ***
*** junostraining@juniper.net ***
Copyright 2012 (c)
12
4

Troubleshooting Certification Courses!!!
Junos Troubleshooting in the NOC (JTNOC)
Advanced Junos Service Provider Troubleshooting (AJSPT)
Advanced Junos Enterprise Switching Troubleshooting (AJEXT)
Advanced Junos Enterprise Security Troubleshooting (AJEST)
Copyright 2012 (c)
12
5

 www.juniper.net/education
 Multiple Tracks
 Enterprise Routing and Switching
 JNCIA-JUNOS, JNCIS-ENT, JNCIP-ENT, JNCIE-ENT
 Service Provider Routing and Switching
 JNCIA-JUNOS, JNCIS-SP, JNCIP-SP, JNCIE-SP
 JUNOS Security
 JNCIA-JUNOS, JNCIS-SEC, JNCIP-SEC, JNCIE-SEC
12
6
Copyright 2012 (c)
ZenithNetworks, Inc.

Access to view the Slides……
 http://www.zenithnetworks.com/education
Copyright 2012 (c)
12
7

JUNOS EX-Switching

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie JUNOS EX-Switching

Ähnlich wie JUNOS EX-Switching (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

JUNOS EX-Switching