AJEX_10.b-R_LGH

8/12/2019 AJEX_10.b-R_LGH

1/70

1194 North Mathilda AvenueSunnyvale, CA 94089USA408-745-2000www.juniper.net

Worldwide Education ServicesWorldwide Education Services

Advanced Junos Enterprise Switching10.b

High-Level Lab Guide

Course Number: EDU-JUN-AJEX

8/12/2019 AJEX_10.b-R_LGH

2/70

This document is produced by Juniper Networks, Inc.

This document or any part thereof may not be reproduced or transmitted in any form under penalty of law, without the prior written permission of Juniper NetworksEducation Services.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and othercountries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registeredtrademarks, or registered service marks are the property of their respective owners.

Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

YEAR 2000 NOTICE

Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system hasno known time-related limitations through the year 20 38. However, the NTP application is known to have some dif ficulty in the year 2036.

SOFTWARE LICENSE

The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in anagreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand a ndagree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the JuniperNetworks software, may contain prohibitions against cer tain uses, and may state conditions under which the license is automatically terminated. You shouldconsult the software license for further details.

Advanced Junos Enterprise Switching High-Level Lab Guide , Revision 10.b

Copyright 2011 Juniper Networks, Inc. All rights reserved.

Printed in USA.

Revision History:

Revision 10.aApril 2011

Revision 10.bJune 2011

The information in this document is current as of the date listed above.

The information in this document has been carefully verified and is believed to be accurate for software Release 10.4R3.4. Juniper Networks assumes noresponsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct, indirect, special, exemplary,incidental, or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages.

8/12/2019 AJEX_10.b-R_LGH

3/70www.juniper.net Contents iii

Contents

Lab 1: Advanced Ethernet Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1Part 1: Logging In Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2Part 2: Configuring and Monitoring Filter-Based VLAN Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3Part 3: Configuring and Monitoring a PVLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4Part 4: Configuring and Monitoring MVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Part 5: Configuring and Monitoring Q-in-Q Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

Lab 2: Implementing MSTP and VSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1Part 1: Modifying the Existing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2Part 2: Configuring and Monitoring MSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2Part 3: Configuring and Monitoring VSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5

Lab 3: Authentication and Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1Part 1: Modifying the Existing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2Part 2: Configuring 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3Part 3: Configuring and Monitoring Other Access and Authentication Features . . . . . . . . . . . . . . . . . . . . . . . 3-5

Lab 4: Deploying IP Telephony Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1Part 1: Modifying the Existing Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2Part 2: Configuring and Monitoring PoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2Part 3: Configuring and Monitoring LLDP and LLDP-MED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4Part 4: Configuring and Monitoring the Voice VLAN Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6

Lab 5: Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1Part 1: Exploring the Default CoS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2Part 2: Configuring and Monitoring CoS Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4Part 3: Implementing CoS Using the EZQoS Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8

Lab 6: Monitoring and Troubleshooting Layer 2 Networks . . . . . . . . . . . . . . . . . . . 6-1Part 1: Modifying the Existing Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2Part 2: Determining Success . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2Part 3: Verifying Hardware Components and System Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3Part 4: Verifying Ethernet Switching, MSTP, and Aggregate Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . 6-5Part 5: Configuring Port Mirroring and sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13

Appendix A: Lab Diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1

8/12/2019 AJEX_10.b-R_LGH

4/70iv Contents www.juniper.net

8/12/2019 AJEX_10.b-R_LGH

5/70www.juniper.net Course Overview v

Course Overview

This two-day course provides detailed coverage of virtual LAN (VLAN) operations, Multiple SpanningTree Protocol (MSTP) and VLAN Spanning Tree Protocol (VSTP), authentication and access controlfor Layer 2 networks, IP telephony features, class of service (CoS) and monitoring andtroubleshooting tools and features supported on the EX Series Ethernet Switches.

Through demonstrations and hands-on labs, students will gain experience in configuring andmonitoring the Junos operating system and in monitoring device and protocol operations.

Objectives

After successfully completing this course, you should be able to:

Implement filter-based VLAN assignments.

Restrict traffic flow within a VLAN.

Manage dynamic VLAN registration.

Tunnel Layer 2 traffic through Ethernet networks.

Review the purpose and operations of a spanning tree.

Implement multiple spanning tree instances in a network.

Implement one or more spanning tree instances for a VLAN. List the benefits of implementing end-user authentication.

Explain the operations of various access control features.

Configure and monitor various access control features.

Describe processing considerations when multiple authentication and access controlfeatures are enabled.

Describe some common IP telephony deployment scenarios.

Describe features that facilitate IP telephony deployments.

Configure and monitor features used in IP telephony deployments.

Explain the purpose and basic operations of class of service.

Describe class of service features used in Layer 2 networks.

Configure and monitor class of service in a Layer 2 network.

Describe a basic troubleshooting method.

List common issues that disrupt network operations.

Identify tools used in network troubleshooting.

Use available tools to resolve network issues.

Intended Audience

This course benefits individuals responsible for configuring and monitoring EX Series switches.

Course Level

Advanced Junos Enterprise Switching is an advanced-level course.

Prerequisites

Students should have an intermediate-level of networking knowledge and an understanding of theOpen Systems Interconnection (OSI) reference model and the TCP/IP protocol suite. Studentsshould also attend the Introduction to the Junos Operating System (IJOS), the Junos RoutingEssentials (JRE), and the Junos Enterprise Switching (JEX) courses prior to attending this class.

8/12/2019 AJEX_10.b-R_LGH

6/70vi Course Agenda www.juniper.net

Course Agenda

Day 1

Chapter 1: Course Introduction

Chapter 2: Advanced Ethernet Switching

Lab 1: Advanced Ethernet Switching

Chapter 3: Advanced Spanning Tree

Lab 2: Implementing MSTP and VSTP

Chapter 4: Authentication and Access Control

Lab 3: Authentication and Access Control

Day 2

Chapter 5: Deploying IP Telephony Features

Lab 4: Deploying IP Telephony Features

Chapter 6: Class of Service

Lab 5: Class of Service

Chapter 7: Monitoring and Troubleshooting

Lab 6: Monitoring and Troubleshooting Layer 2 Networks
http://../SG/C1_CourseIntroduction.pdfhttp://../SG/C2_AdvancedEthernetSwitching.pdfhttp://../SG/C3_AdvancedSpanningTree.pdfhttp://../SG/C4_Authentication_and_AccessControl.pdfhttp://../SG/C5_Deploying_IP_Telephony_Features.pdfhttp://../SG/C6_Class_of_Service.pdfhttp://../SG/C7_Monitoring_and_Troubleshooting.pdfhttp://../SG/C7_Monitoring_and_Troubleshooting.pdfhttp://../SG/C6_Class_of_Service.pdfhttp://../SG/C5_Deploying_IP_Telephony_Features.pdfhttp://../SG/C4_Authentication_and_AccessControl.pdfhttp://../SG/C3_AdvancedSpanningTree.pdfhttp://../SG/C2_AdvancedEthernetSwitching.pdfhttp://../SG/C1_CourseIntroduction.pdf

8/12/2019 AJEX_10.b-R_LGH

7/70www.juniper.net Document Conventions vii

Document Conventions

CLI and GUI Text

Frequently throughout this course, we refer to text that appears in a command-line interface (CLI)or a graphical user interface (GUI). To make the language of these documents easier to read, wedistinguish GUI and CLI text from chapter text according to the following table.

Input Text Versus Output Text

You will also frequently see cases where you must enter input text yourself. Often these instanceswill be shown in the context of where you must enter them. We use bold style to distinguish textthat is input versus text that is simply displayed.

Defined and Undefined Syntax Variables

Finally, this course distinguishes between regular text and syntax variables, and it alsodistinguishes between syntax variables where the value is already assigned (defined variables) andsyntax variables where you must assign the value (undefined variables). Note that these styles canbe combined with the input style as well.

Style Description Usage Example

Franklin Gothic Normal text. Most of what you read in the Lab Guideand Student Guide.

Cour i er New Console text:

Screen captures

Noncommand-relatedsyntax

GUI text elements:

Menu names

Text field entry

commi t compl et e

Exi t i ng conf i gur at i on mode

Select Fi l e > Open , and then clickConf i gur at i on. conf in theFi l ename text box.

Style Description Usage Example

Nor mal CLI

Nor mal GUI

No distinguishing variant. Physi cal i nt er f ace: f xp0,Enabl ed

View configuration history by clickingConf i gur at i on > Hi st ory .

CLI Input

GUI Input

Text that you must enter. l ab@San_J ose> show route

Select Fi l e > Save , and typeconfig.ini in the Fi l ename field.

Style Description Usage ExampleCLI Variable

GUI Variable

Text where variable value is alreadyassigned.

pol i cy my-peers

Click my-peers in the dialog.

CLI Undefined

GUI Undefined

Text where the variables value isthe users discretion or text wherethe variables value as shown inthe lab guide might differ from thevalue the user must inputaccording to the lab topology.

Type set policy policy-name .

ping 10.0. x.y

Select Fi l e > Save , and typefilename in the Fi l ename field.

8/12/2019 AJEX_10.b-R_LGH

8/70viii Additional Information www.juniper.net

Additional Information

Education Services Offerings

You can obtain information on the latest Education Services offerings, course dates, and classlocations from the World Wide Web by pointing your Web browser to:http://www.juniper.net/training/education/.

About This Publication

The Advanced Junos Enterprise Switching High-Level Lab Guide was developed and tested usingsoftware Release 10.4R3.4. Previous and later versions of software might behave differently soyou should always consult the documentation and release notes for the version of code you arerunning before reporting errors.

This document is written and maintained by the Juniper Networks Education Services developmentteam. Please send questions and suggestions for improvement to [email protected].

Technical Publications

You can print technical manuals and release notes directly from the Internet in a variety of formats:

Go to http://www.juniper.net/techpubs/.

Locate the specific software or hardware release and title you need, and choose the

format in which you want to view or print the document.

Documentation sets and CDs are available through your local Juniper Networks sales office oraccount representative.

Juniper Networks Support

For technical support, contact Juniper Networks at http://www.juniper.net/customers/support/, orat 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States).

8/12/2019 AJEX_10.b-R_LGH

9/70

www.juniper.net Advanced Ethernet Switching Lab 1110.b.10.4R3.4

Lab 1

Advanced Ethernet Switching

Overview

In this lab, you familiarize yourself with the starting configuration and the labenvironment. You will also use the command-line interface (CLI) to configure and monitorvarious Ethernet switching features covered in the corresponding lecture.

The lab is available in two formats: a high-level format designed to make you think througheach step and a detailed format that offers step-by-step instructions complete withsample output from most commands.

By completing this lab you will perform the following tasks:

Familiarize yourself with the lab environment.

Configure and monitor filter-based VLAN assignments.

Configure and monitor a private VLAN (PVLAN).

Configure and monitor the Multiple VLAN Registration Protocol (MVRP).

Configure and monitor Q-in-Q tunneling.

8/12/2019 AJEX_10.b-R_LGH

10/70

Advanced Junos Enterprise Switching

Lab 12 Advanced Ethernet Switching www.juniper.net

Part 1: Logging In Using the CLI

In this lab part, you familiarize yourself with the access details used to connect tothe lab equipment. Once you are familiar with the access details, you will use the CLIto log in to your teams designated switch and become familiar with this labsenvironment.

Step 1.1

Ensure that you know to which switch you have been assigned. Check with yourinstructor if you are not certain. Consult the Management Network Diagram todetermine your switchs management address.

Question: What is the management addressassigned to your switch?

Step 1.2

Access the CLI for your switch using either the console, Telnet, or SSH as directed byyour instructor. Refer to the Management Network Diagram for the IP addressassociated with your teams station. The following example uses Telnet and theSecureCRT program:

Step 1.3

Log in as user lab with the password supplied by your instructor.

Note

The lab equipment used in this class islikely to be remote from your physicallocation. The instructor will provide accessdetails to get you logged in to your assigneddevice.

8/12/2019 AJEX_10.b-R_LGH

11/70


www.juniper.net Advanced Ethernet Switching Lab 13

Part 2: Configuring and Monitoring Filter-Based VLAN Assignments

In this lab part, you configure and monitor filter-based VLAN assignments. You willfirst verify the state of the starting configuration. You will then configure and apply afirewall filter used for a filter-based VLAN assignment. You will then associate theinterfaces.

Step 2.1

Use the show interfaces terse command to ensure ge-0/0/7.0, ge-0/0/8.0,and ge-0/0/12.0 are all enabled for Layer 2 operations and are up , both physicallyand administratively.

Question: Are the referenced interfaces enabled forLayer 2 operations and up , physically andadministratively?

Step 2.2

Use the show vlans command to ensure ge-0/0/7.0 and ge-0/0/8.0 areassociated with the v11 and v12 VLANs respectively. Use the same command toensure ge-0/0/12.0 is associated with both v11 and v12.

Question: Are the referenced interfaces associatedwith the correct VLANs?

Question: What operational mode command canyou issue to determine the port modes currentlyassigned with the referenced interfaces?

Step 2.3

Enter configuration mode and navigate to the [ edi t f i r ewal l f ami l yet her net - swi t chi ng] hierarchy. Create a firewall filter named fbva thatmatches any source IP address in the 172.23.15.0/24 subnet and associates therelated traffic with VLAN v15 . Ensure that all other traffic is permitted.

Step 2.4

Navigate to the [edit interfaces] hierarchy and associate the newly defined filter withge-0/0/7.0 as an input filter.

8/12/2019 AJEX_10.b-R_LGH

12/70



Step 2.5

Navigate to the [ edi t vl ans] hierarchy and define VLAN v15 to use VLAN ID 15.Associate ge-0/0/12.0 and ge-0/0/7.0 with this VLAN. Note that to correctlyassociate ge-0/0/7.0 with the newly defined VLAN, you must use the mapping

policy statement. Activate the changes using commit .

Step 2.6

Issue the run show vlans v15 detail command and verify the designatedaccess port and trunk port are associated with VLAN v15.

Question: Are the expected interfaces nowassociated with VLAN v15?

Question: Based on the current configuration, withwhich VLAN would traffic entering ge-0/0/7.0 with

an IP source address of 172.23.16.100 beassociated?

Step 2.7

Issue the top save /var/home/lab/ajex/ lab1part2.conf command tosave the entire configuration. Note that you will need to reload this configuration ata later time so ensure the entire configuration is saved.

STOP Before proceeding ensure that the remote team is done with Part 2.

Part 3: Configuring and Monitoring a PVLAN

In this lab part, you configure and monitor a PVLAN. You will first delete the currentVLAN configuration. You will then configure and monitor a PVLAN named pvlan-50 with two community VLANs named finance and sales . Refer to the networkdiagram for configuration details associated with this lab.

Step 3.1

Delete all configuration under the [ edi t vl ans] hierarchy level.

Step 3.2

Delete all configuration under the [ edi t f i r ewal l ] hierarchy and remove theapplication of the fbva firewall filter from the ge-0/0/7.0 interface.

8/12/2019 AJEX_10.b-R_LGH

13/70



Step 3.3

Configure a primary VLAN named pvlan-50 with a VLAN ID of 50. Associate thege-0/0/12 interface with this newly defined VLAN. Configure ge-0/0/12 to functionas a PVLAN trunk port.

Step 3.4

Use the details shown on the network diagram for this lab and configure twocommunity VLANs: one named finance and the other named sales . Ensure thatge-0/0/7.0 and ge-0/0/8.0 are associated with their respective community VLANsand that both community VLANs are linked to the primary VLAN ( pvlan-50 ).

Step 3.5

Attempt to activate the changes using the commit command.

Question: Does the commit operation succeed? Ifnot can you explain why not?

Step 3.6

Remove the vlan members all statement from the ge-0/0/12.0 interfaceconfiguration and attempt the commit operation once again.

Question: Does the commit operation succeednow?

Step 3.7

Issue the run show vlans pvlan-50 extensive command to determine thecurrent PVLAN designations for the associated interfaces and community VLANs.

Question: Are the expected access and trunk portslisted in the output?

Question: Based on the output, is the ge-0/0/12.0properly enabled as a PVLAN trunk port?

8/12/2019 AJEX_10.b-R_LGH

14/70



Note

Step 3.8

Open a separate session to your assigned gateway. Note you can connect to yourgateway using the console connection through the terminal server or through aTelnet or SSH session using the SRX devices management IP address. Consult withyour instructor if you have questions.

Step 3.9

Log in to your assigned SRX device using the lab user account and the password

provided by your instructor.Step 3.10

From both of the VRs attached to your assigned EX Series switch, attempt to ping theother VR attached to your assigned EX Series switch, as well as the two VRsattached to the remote student EX Series switch. Refer to the network diagram forthe instance names and the IP addresses assigned to the various VRs and do notforget to reference the correct routing instance.

You will now log in to your assignedSRX device. The gateway is configured withmultiple virtual routers (VRs), which arelogical devices created on your assignedgateway. Most of the configuration requiredfor the SRX device has already been

defined. You will, however, be required tomodify the existing configurationthroughout the labs. Refer to theManagement Network Diagram for the IPaddress of your assigned SRX device. Ifneeded, work with your instructor to obtainthe required information.

8/12/2019 AJEX_10.b-R_LGH

15/70



Question: Do the ping tests between the VRsassociated with the same community VLANssucceed?


Part 4: Configuring and Monitoring MVRP

In this lab part, you configure and monitor MVRP. You will first load the configurationfile saved in a previous lab part and make some minor modifications. You will thenconfigure and monitor MVRP. Refer to the network diagram for configuration detailsassociated with this lab.

Step 4.1

Return to your EX Series switch.

Navigate to the root of the hierarchy level and use the load override andcommit commands to restore the configuration saved at the end of Part 2. Notethat the configuration file should be in the /var/home/lab/ajex/ directory andshould be named lab1part2.conf .

Step 4.2

Remove the vlan members all statement from the ge-0/0/12.0 interfaceconfiguration.

Step 4.3

Delete the ge-0/0/12.0 interface from all currently defined VLANs. Issue thecommit command to activate the changes.

Step 4.4

Issue the run show vlans command to ensure the ge-0/0/12.0 interface is nolonger associated with any of the defined VLANs.

Question: Is the ge-0/0/12.0 interface currently

associated with any of the defined VLANs?

Step 4.5

Enable MVRP on the ge-0/0/12.0 interface. Activate the change using the commit command.

8/12/2019 AJEX_10.b-R_LGH

16/70



Note

Step 4.6

Issue the run show vlans command once again to determine whether thege-0/0/12.0 interface is now associated with the defined VLANs.

Question: Is the ge-0/0/12.0 interface nowassociated with the defined VLANs?

Step 4.7

Issue the run show mvrp statistics command to display MVRP statistics.

Question: Does the output show non-zero countersfor the MRPDU r ecei ved and MRPDUt r ansmi t t ed lines?


Part 5: Configuring and Monitoring Q-in-Q Tunneling

In this lab part, you configure and monitor Q-in-Q tunneling. You will first modify theexisting configuration file. You will then configure and monitor Q-in-Q tunneling andLayer 2 Protocol Tunneling (L2PT). Refer to the network diagram for configurationdetails associated with this lab.

Step 5.1

Enable ge-0/0/6 for Layer 2 operations as an access port.

Step 5.2

Configure a new VLAN named cust-1 with a VLAN ID of 200. Associate the newlydefined access port (ge-0/0/6.0) with this new VLAN. Issue the commit commandto activate the changes.

Step 5.3

Return to the session opened for your SRX device.

Before proceeding, ensure that the remoteteam in your pod finishes the previous step.

8/12/2019 AJEX_10.b-R_LGH

17/70



From the VR attached to your assigned EX Series switch that represents thecustomer bridge and attached network, attempt to ping the IP address of the remoteVR performing the same function for the remote team. Refer to the network diagramfor the instance names and the IP address information. Do not forget to referencethe correct routing instance when performing this operation.

Question: Does the ping operation succeed? Canyou explain why?

Step 5.4

Return to the session opened for your EX Series switch.

Enable Q-in-Q tunneling for all defined VLANs. Ensure that all Layer 2 protocol trafficis permitted through the Q-in-Q tunnel for traffic associated with the cust-1 VLAN.Activate the changes and return to operational mode using the commit and-quitcommand.

Step 5.5

Issue the show vlans cust-1 detail command.

Question: Based on the output, are Q-in-Q tunnelingand L2PT now enabled?

Step 5.6

Return to the session opened for your SRX device.

Use the ping utility once again and verify reachability between customer sites. Referto the network diagram for the instance names and the IP address information. Donot forget to reference the correct routing instance when performing this operation.

Question: Does the ping operation succeed now?

STOP Tell your instructor that you have completed Lab 1.

8/12/2019 AJEX_10.b-R_LGH

18/70



8/12/2019 AJEX_10.b-R_LGH

19/70

www.juniper.net Implementing MSTP and VSTP Lab 2110.b.10.4R3.4

Lab 2

Implementing MSTP and VSTP

Overview

In this lab, you will use the command-line interface (CLI) to configure and monitor theMultiple Spanning Tree Protocol (MSTP) and VLAN STP (VSTP).



Modify the existing configuration.

Configure and monitor MSTP.

Configure and monitor VSTP.

8/12/2019 AJEX_10.b-R_LGH

20/70


Lab 22 Implementing MSTP and VSTP www.juniper.net

Part 1: Modifying the Existing Configuration

In this lab part, you will modify the existing configuration on your EX Series switchand perform some basic verification tasks to prepare for subsequent lab parts.Refer to network diagram for this lab for topological and configuration details.

Step 1.1

Enter configuration mode and configure the ge-0/0/9 and ge-0/0/10 interfaces forLayer 2 operations and as trunk ports.

Step 1.2

Associate these newly defined trunk ports with all currently defined VLANs. Notethat the VLANs must be statically associated with these new trunk ports, becausethe attached SRX devices do not support the Multiple VLAN registration Protocol(MVRP). Also note that you cannot use the vlan members all statementbecause Q-in-Q tunneling is in place.

Step 1.3

Activate the configuration changes using the commit command and verify thespanning-tree topology details using the run show spanning-tree bridge command.

Question: Which device is elected as the rootbridge? Which interface will your switch use toforward traffic through the Layer 2 network?

Question: What limitation exists with the currentspanning-tree implementation? What options exist

that overcome this limitation?

Part 2: Configuring and Monitoring MSTP

In this lab part, you configure and monitor MSTP. You create two multiplespanning-tree instances (MSTIs); one for all VLAN IDs between 1 and 199, and asecond for all VLAN IDs between 200 and 399. Once configured, you use variousoperational mode commands to monitor MSTP.

Step 2.1Delete RSTP, under the [ edi t pr ot ocol s] hierarchy.

Step 2.2

Configure MSTP to include two MSTIs (MSTI 1 and MSTI 2). Associate MSTI 1 withVLAN IDs 1 through 199 and MSTI 2 with VLAN IDs 200 through 399. Name theMSTP configuration my-mstp-config . Activate the configuration using commit .

8/12/2019 AJEX_10.b-R_LGH

21/70


www.juniper.net Implementing MSTP and VSTP Lab 23

Step 2.3

Return to the session opened for your assigned SRX device. If needed, open a newsession and log in using the credentials provided by your instructor.

Enter configuration mode and navigate to [ edi t pr ot ocol s] hierarchy.

Step 2.4

Delete the existing RSTP configuration on your assigned SRX device.

Step 2.5

Configure MSTP to include two MSTIs (MSTI 1 and MSTI 2). Associate MSTI 1 withVLAN IDs 1 through 199 and MSTI 2 with VLAN IDs 200 through 399. Name theMSTP configuration my-mstp-config .

Step 2.6

Question: Configure a non-default bridge priority foreach MSTI. If you are assigned srx X -1, specify abridge priority of 4k for MSTI 1 and 8k for MSTI 2. Ifyou are assigned srx X -2, specify a bridge priority of8k for MSTI 1 and 4k for MSTI 2. Activate thechanges using the commit command. Based onthe current configurations, what forwarding pathswould you expect for traffic associated with thevarious VLANs currently in use?

Note

Step 2.7

Return to the session opened for your EX Series switch.

Issue the run show spanning-tree bridge command and answer thequestions that follow.

Question: Are the expected devices elected rootbridges for MSTI 1 and MSTI 2?

Question: Which device has been elected as theroot bridge for the Common and Internal SpanningTree (CIST)?


8/12/2019 AJEX_10.b-R_LGH

22/70



Question: What configuration change can you maketo ensure srx X -1 is always the root bridge as long asit is available?

Step 2.8

On your assigned EX Series switch, issue the run show spanning-tree mstp

configuration command.

Question: Does the output display the expectedVLAN to MSTI mapping information?

Question: Which three components in the displayedoutput must match for switches participating in thesame MST region?

Question: How is the configuration digestdetermined?

Step 2.9

Issue the top save /var/home/lab/ajex/ mstp.conf command to save thecurrent configuration on your EX Series switch to the /var/tmp directory.

Step 2.10

Change the revision level to test the effects of mismatched settings that arerequired to match on switches participating in the same MST region. If you areassigned ex X -1, set your revision number to 1. If you are assigned ex X -2, set yourrevision number to 2. Issue commit to activate the configuration change.

Step 2.11

Issue the run show spanning-tree mstp configuration command toverify the change. Next issue the run show spanning-tree bridge command to verify the current state of the MSTP topology and root bridge electiondetails.

Question: What impact did changing the revisionlevel have on the MSTP topology and root bridgeelection for MSTI 1 and MSTI 2?

8/12/2019 AJEX_10.b-R_LGH

23/70


www.juniper.net Implementing MSTP and VSTP Lab 25

Part 3: Configuring and Monitoring VSTP

In this lab part, you configure and monitor VSTP. Once configured, you use variousoperational mode commands to verify VSTP operations. Note that SRX devices donot currently support VSTP. Because of this fact, you will need to alter the currenttopology to exclude the SRX devices for this lab part.

Step 3.1

Issue the set rstp and commit commands in an attempt to enable RSTP alongwith MSTP.

Question: Did the commit operation succeed? Ifnot, why not?

Step 3.2

Delete MSTP and attempt the commit operation once again.

Step 3.3

Delete the ge-0/0/9 and ge-0/0/10 interface references from under the [ edi ti nt er f aces] and [ edi t vl ans] hierarchy levels.

Step 3.4

Configure VSTP to support the currently defined VLANs independently. Refer to thefollowing table for the bridge-priority values. Activate the changes using the commitcommand.

Note

Step 3.5

Issue the run show spanning-tree bridge command to determine the currentroot bridge designations for each VLAN.

exX -1 ex X -2

v11 4k 8k

v12 4k 8k

v15 8k 4k

cust-1 8k 4k


8/12/2019 AJEX_10.b-R_LGH

24/70



Question: Based on the configuration, are thecorrect root bridges currently elected? Can youexplain why?

Step 3.6

Manually associate the ge-0/0/12.0 interface with all currently defined VLANs.Activate the configuration changes using the commit command.

Note

Step 3.7

Issue the run show spanning-tree bridge command once again to determinethe current root bridge designations for each VLAN.

Question: Are the correct root bridges now elected?

Step 3.8

Use the load override command to restore the mstp.conf configuration filesaved in the /var/home/lab/ajex/ directory. Activate the changes and return tooperational mode using the commit and-quit command.



8/12/2019 AJEX_10.b-R_LGH

25/70

www.juniper.net Authentication and Access Control Lab 3110.b.10.4R3.4

Lab 3

Authentication and Access Control

Overview

In this lab, you will use the command-line interface (CLI) to configure and monitor variousauthentication and access control features supported on EX Series switches.



Modify the existing configuration.

Configure and monitor 802.1X.

Configure and monitor other authentication and access features.

8/12/2019 AJEX_10.b-R_LGH

26/70


Lab 32 Authentication and Access Control www.juniper.net

Part 1: Modifying the Existing Configuration

In this lab part, you modify the existing configuration. In preparation for Part 2, youmust modify the Q-in-Q and filter-based VLAN configuration because those featurescannot be enabled with 802.1X on the same interface at the same time.

Step 1.1

Enter configuration mode and navigate to the [ edi t vl ans] hierarchy.

Step 1.2

Delete the dot1q-tunneling statement from the v11 and v12 VLANs.

Step 1.3

Delete the v15 VLAN and all configuration related to the filter-based VLANassignment defined in Lab 1.

Step 1.4

Navigate to the [ edi t et her net - swi t chi ng] hierarchy and set theEthernet-type for the switch to 0x8100. Activate the changes and return tooperational mode using the commit and-quit command.

Step 1.5


Use the ping utility and attempt to verify access to and reachability through theLayer 2 network. Use the virtual routers (VRs) associated with your assignedSRX device as the source devices for these tests. Use the corresponding VRconnected to the remote teams EX Series switch as the destination. Refer to thenetwork diagram for the instance names and the IP addresses assigned to the

various VRs. Do not forget to reference the correct routing instance.

Question: Did the ping operations succeed? Canyou explain why?

Step 1.6

On your assigned SRX device, enter configuration mode, navigate to the [ edi tvl ans] hierarchy, and delete the v15 VLAN.

Note

Changing the Ethernet-type to 0x8100allows trunk ports to support VLANsconfigured for Q-in-Q tunneling as well asstandard 802.1Q VLANs at the same time.In production environments, ensure theEthernet-type is set consistently on all

devices within a given forwarding path.

8/12/2019 AJEX_10.b-R_LGH

27/70


www.juniper.net Authentication and Access Control Lab 33

Step 1.7

Delete the dot1q-tunneling statement from the v11 and v12 VLANs.

Step 1.8

Navigate to the [ edi t et her net - swi t chi ng] hierarchy and set theEthernet-type for the switch to 0x8100. Activate the changes and return tooperational mode using the commit and-quit command.

Step 1.9Use the ping utility and attempt to verify access to and reachability through theLayer 2 network. Use the VRs associated with your assigned SRX device as thesource devices for these tests. Use the corresponding VR connected to the remoteteams EX Series switch as the destination. Refer to the network diagram for theinstance names and the IP addresses assigned to the various VRs. Do not forget toreference the correct routing instance.

Question: Do the ping operations succeed?

Part 2: Configuring 802.1X

In this lab part, you configure the 802.1X and the static MAC bypass option. Onceconfigured, you use relevant operational mode commands to monitor operations.Refer to the network diagram for this lab for topological and configuration details.

Step 2.1

Return to the session opened for your assigned EX Series switch.

Display the Ethernet switching table to determine what MAC addresses have beenlearned for the v11 and v12 VLANs.

Question: Do the MAC addresses learned for thev11 and v12 VLANs match the MAC addressesshown on the network diagram for this lab?

Step 2.2

Enter configuration mode and navigate to the [ edi t access] hierarchy level.Define a RADIUS server using the IP address of the server located in themanagement network and a secret of Juniper . Refer to the Management NetworkDiagram or consult with your instructor as needed.

Step 2.3

Create an authentication profile named my-profile . Define an authenticationorder of RADIUS only and use the IP address of the RADIUS defined in the previousstep as the authentication server.

8/12/2019 AJEX_10.b-R_LGH

28/70



Step 2.4

Navigate to the [ edi t pr ot ocol s dot 1x] hierarchy and configure your switchas an 802.1X authenticator. Use the authentication profile defined in the previousstep and enable 802.1X authentication for the ge-0/0/7.0 and ge-0/0/8.0interfaces. Activate the configuration changes using the commit command.

Step 2.5

Issue the run show dot1x interface detail command and answer thequestions that follow.

Question: What is the current supplicant modeenabled for the listed interfaces?

Question: If an 802.1X client authenticated throughthe ge-0/0/7.0 or ge-0/0/8.0 interfaces, would thatclient be forced to reauthenticate after a period oftime? If so, after what period of time?

Step 2.6

Set the supplicant mode for the ge-0/0/7.0 and ge-0/0/8.0 interfaces to thesingle-secure supplicant mode. Disable reauthentication on the ge-0/0/7.0interface and double the reauthentication interval on the ge-0/0/8.0 interface to7200 seconds (2 hours).

Step 2.7

Activate the configuration changes using the commit command. Next, issue the

run show dot1x interface detail command and answer the questions thatfollow.

Question: Have the recent changes taken effect?

Step 2.8

Return to the session opened for your assigned SRX device.

Use the ping utility and attempt to verify access to and reachability through theLayer 2 network. Use the VRs associated with your assigned SRX device as the

source devices for these tests. Use the corresponding VR connected to the remoteteams EX Series switch as the destination. Refer to the network diagram for theinstance names and the IP addresses assigned to the various VRs. Do not forget toreference the correct routing instance.

Question: Can the VRs access the Layer 2 networkthrough your assigned EX Series switch?

8/12/2019 AJEX_10.b-R_LGH

29/70



Step 2.9


Configure the static MAC bypass option to always permit the MAC addresses shownon the network diagram. Associate the illustrated MAC addresses with theircorresponding access ports. Refer to the network diagram for this lab as needed.Activate the changes using the commit command.

Question: Did the commit operation succeed? Ifnot, why not?

Step 2.10

Change the supplicant mode on the ge-0/0/7.0 and ge-0/0/8.0 interfaces to the multiple supplicant mode. Issue the commit command to activate the changes.

Note

Step 2.11


Use the ping utility and attempt to verify access to and reachability through theLayer 2 network. Use the VRs associated with your assigned SRX device as thesource devices for these tests. Use the corresponding VR connected to the remoteteams EX Series switch as the destination. Refer to the network diagram for theinstance names and the IP addresses assigned to the various VRs. Do not forget toreference the correct routing instance.

Question: Can the VRs access the Layer 2 networkthrough your assigned EX Series switch?

Part 3: Configuring and Monitoring Other Access and Authentication Features

In this lab part, you configure the MAC RADIUS, guest VLAN, and server fail fallbackfeatures. Once configured, you use various operational mode commands to verifyproper operations.

Step 3.1


Issue the run show dot1x static-mac-address command to view the MACaddresses currently permitted through static MAC bypass. Delete all static MACbypass entries and activate the changes using the commit command.

Before proceeding, ensure that the remote

team in your pod finishes the previous step.

8/12/2019 AJEX_10.b-R_LGH

30/70



Question: Based on the current configuration, willtraffic from the VRs, representing hosts without the802.1X client, be permitted through the switch?

Step 3.2

Configure MAC RADIUS on the ge-0/0/7.0 and ge-0/0/8.0 interfaces. Use the

restrict option for both interfaces to ensure that no Extensible AuthenticationProtocol over LAN (EAPoL) traffic is sent from your switch. Issue the commit command to activate the changes.

Step 3.3

Issue the run show dot1x interface ge-0/0/7.0 detail command to verifythe settings associated with MAC RADIUS on the ge-0/0/7.0 interface.

Question: Is MAC RADIUS currently enabled? WillEAPoL traffic be sent out the ge-0/0/7.0 interface?

Step 3.4

Issue the run show dot1x interface to determine the current state of thege-0/0/7.0 and ge-0/0/8.0 interfaces.

Question: What is the state of these interfaces?What does this state indicate?

Step 3.5


Use the ping utility to test access into the Layer 2 network. Use the VRs associatedwith your assigned SRX device as the source devices for these tests. Use thecorresponding VR connected to the remote teams EX Series switch as thedestination. Refer to the network diagram for the instance names and the IPaddresses assigned to the various VRs. Do not forget to reference the correctrouting instance.

Question: Do the ping tests succeed? If not, whatmight be the cause of this failure?

Step 3.6


Configure the server fail fallback option for the ge-0/0/7.0 and ge-0/0/8.0interfaces. Use the permit action for this feature on both access ports.

8/12/2019 AJEX_10.b-R_LGH

31/70



Step 3.7

Change the IP address of the RADIUS server to 1.1.1.1 to ensure that your switchdoes not receive an access-reject message when an authentication request is madeto the RADIUS server. Use the replace pattern command to simplify this task.Use the commit and-quit command to activate the configuration changes andreturn to operational mode.

Note

Step 3.8


Use the ping utility to send traffic from the VRs attached to your assigned EX Seriesswitch. Use the corresponding VR connected to the remote teams EX Series switchas the destination. Note that these ping tests should initially fail until the MACRADIUS authentication attempts timeout and the server fail fallback feature

authenticates the required ports. Work with the remote team as needed.

Question: Do the ping tests eventually succeed?



8/12/2019 AJEX_10.b-R_LGH

32/70

8/12/2019 AJEX_10.b-R_LGH

33/70

www.juniper.net Deploying IP Telephony Features Lab 4110.b.10.4R3.4

Lab 4

Deploying IP Telephony Features

Overview

In this lab, you implement various features that are commonly used in IP telephonydeployments. Specifically you will use the command-line interface (CLI) to configure andmonitor Power over Ethernet (PoE), the Link Layer Discovery Protocol (LLDP) and LLDPMedia Endpoint Discovery (LLDP-MED), and the voice VLAN feature.



Modify the existing configurations.

Configure and monitor PoE.

Configure and monitor LLDP and LLDP-MED.

Configure and monitor a voice VLAN.

8/12/2019 AJEX_10.b-R_LGH

34/70


Lab 42 Deploying IP Telephony Features www.juniper.net

Part 1: Modifying the Existing Configurations

In this lab part, you modify the existing configurations on your assigned EX andSRX devices. You will enter configuration mode and load and activate a predefinedconfiguration saved on your assigned devices.

Step 1.1


Enter configuration mode and override the existing configuration file with thelab4-start.conf configuration file stored in the /var/home/lab/ajex/ directory. Issue the commit and-quit command to activate the newconfiguration file and return to operational mode.

Step 1.2

Return to the session opened for your assigned EX Series switch. If needed, open anew session and log in using the credentials provided by your instructor.

Enter configuration mode and override the existing configuration file with thelab4-start.conf configuration file stored in the /var/home/lab/ajex/ directory. Issue the commit command to activate the new configuration file.

Part 2: Configuring and Monitoring PoE

In this lab part, you will configure and monitor PoE on EX Series switches. Thepurpose of this lab part is to illustrate proper configuration and monitoring stepswhen working with PoE.

Step 2.1

On your assigned EX Series switch, issue the run show chassis hardware command.

Question: How many PoE ports does your switchsupport?

Question: What is the capacity of your switchs

power supply?

Step 2.2

Issue the run show poe interface command to determine the current stateof all PoE interfaces.

8/12/2019 AJEX_10.b-R_LGH

35/70

8/12/2019 AJEX_10.b-R_LGH

36/70



Step 2.7

Issue the run show poe interface command again to ensure the priority levelhas been adjusted properly for the ge-0/0/6 and ge-0/0/7 PoE interfaces.

Question: What is the current PoE priority level forthe ge-0/0/6 and ge-0/0/7 interfaces?

Part 3: Configuring and Monitoring LLDP and LLDP-MED

In this lab part, you will configure and monitor LLDP and LLDP-MED.

Step 3.1

Navigate to the [ edi t pr ot ocol s] hierarchy and configure LLDP and LLDP-MEDfor all interfaces. Activate the configuration changes using the commit command.

Note

Step 3.2

Issue the run show lldp local-information command to view informationabout your assigned EX Series switch that will be communicated to attachedneighbors.

Question: Based on the output, what is the chassisID assigned to your switch?

Question: Based on the output, what are the systemcapabilities of your switch?

Question: Based on the output, what are thedescriptions for the ge-0/0/6.0 and ge-0/0/7.0interfaces?

LLDP and LLDP-MED have beenpreconfigured on the SRX devices.

8/12/2019 AJEX_10.b-R_LGH

37/70


www.juniper.net Deploying IP Telephony Features Lab 45

Step 3.3

Configure descriptions of v10 access port and v11 access port forthe ge-0/0/6.0 and ge-0/0/7.0 interfaces respectively. Issue the commit command to activate the change.

Step 3.4

Issue the run show lldp local-information command to verify theinterface descriptions for LLDP have been updated.

Question: Have the interface descriptions beenupdated?

Step 3.5

Disable LLDP and LLDP-MED on the me0.0 interface. Activate the change using thecommit command. Note you typically would not disable LLDP or LLDP-MED on

internal interfaces, including the me0.0 interface. You disable the me0.0 interfacein this task for verification purposes only.

Step 3.6

Issue the run show lldp detail command to view detailed LLDP and LLDP-MEDinformation.

Question: Based on the output, what is the currentLLDP and LLDP-MED status of the me0.0 interface?What is the status of the other configuredinterfaces?

Question: Based on the output, what are thesupported LLDP MED TLVs?

Question: Based on the output, how manyneighbors has your switch detected?

Note


8/12/2019 AJEX_10.b-R_LGH

38/70



Step 3.7

Issue the run show lldp neighbors command to view the attached LLDPneighbors.

Question: Does your switch show a neighbor for allconfigured access and trunk ports?

Step 3.8

Issue the run show lldp statistics command to view LLDP statistics.

Question: Is your switch sending and receiving LLDPpackets?

STOP Do NOT continue to the next lab part until both teams within your

assigned pod have reached this point.

Part 4: Configuring and Monitoring the Voice VLAN Feature

In this part, you will configure and monitor the voice VLAN feature.

Step 4.1


Enter configuration mode and navigate to the [ edi t i nt er f aces ] hierarchy.Activate vlan-tagging and unit 25 for the ge-0/0/6 and ge-0/0/7 interfaces. Alsodeactivate unit 0 for the same interfaces. Issue the commit and-quit commandto activate the new configuration file and return to operational mode.

Step 4.2


Navigate to the [ edi t vl ans] hierarchy and configure a new VLAN namedvoice with a VLAN ID of 25. Associate the trunk ports configured on your switchwith this new VLAN. Activate the changes using the commit command. Refer to thenetwork diagram for this lab as needed.

Note

Voice VLAN has been preconfigured on theSRX devices.

8/12/2019 AJEX_10.b-R_LGH

39/70


www.juniper.net Deploying IP Telephony Features Lab 47

Step 4.3

Navigate to the [ edi t et her net - swi t chi ng- opt i ons] hierarchy. Configurethe voice VLAN feature to support all access ports.

Step 4.4

Before activating the voice VLAN feature, use the run monitor trafficinterface ge-0/0/6 detail print-ascii no-resolve command tomonitor LLDP-MED packets for the ge-0/0/6 interface. Once an outgoing LLDPframe has been sent (within 30 seconds or less), issue the Ctrl + c key sequence tostop the monitoring process.

Question: Did your sample capture include at leastone outgoing LLDP packet?

Question: What is the name of the VLAN currently

being sent through LLDP-MED?

Step 4.5

Activate the changes and return to operational mode by issuing the commitand-quit command.

Step 4.6

Use the monitor traffic interface ge-0/0/6 detail print-asciino-resolve command to monitor LLDP-MED packets for the ge-0/0/6 interface.Once an outgoing LLDP frame has been sent (within 30 seconds or less), issue theCtrl + c key sequence to stop the monitoring process.

Question: What VLAN values are currently beingsent and received through LLDP MED?

Step 4.7

Issue the show vlans command to verify the current VLAN assignments.

Question: To which VLANs are the ge-0/0/6.0 andge-0/0/7.0 access ports assigned?

8/12/2019 AJEX_10.b-R_LGH

40/70



Step 4.8


Use the ping utility and verify traffic with a VLAN tag of 25 can pass through thege-0/0/6.0 and ge-0/0/7.0 access ports. Note that the interfaces on theSRX devices are configured for 802.1Q operations with a VLAN ID of 25. Refer to thenetwork diagram for the instance names and the IP addresses assigned to thevarious VRs. Do not forget to reference the correct routing instance.

Question: Did the ping tests succeed?


8/12/2019 AJEX_10.b-R_LGH

41/70

8/12/2019 AJEX_10.b-R_LGH

42/70


Lab 52 Class of Service www.juniper.net

Part 1: Exploring the Default CoS Configuration

In this lab part, you will explore the default CoS configuration on your EX Seriesswitch and perform some basic verification tasks to understand how the default CoSconfiguration works.

Step 1.1

On your assigned EX Series switch, issue the show class-of-serviceinterface ge-0/0/6 command to determine the default assignments for thege-0/0/6 interface.

Question: How many queues are supported on thege-0/0/6 interface? How many are currently in use?

Question: What classifier is assigned to the

ge-0/0/6 interface?

Step 1.2

Issue the show class-of-service classifier name ieee8021p-untrust command to determine the code point to forwarding class for the defaulti eee8021p- unt r ust classifier.

Question: Based on this default classifier, to which

forwarding class will traffic entering thege-0/0/6interface with the 802.1P CoS bits 111 beassigned?

Step 1.3

Issue the show class-of-service interface ge-0/0/12 command todetermine the default classifier assigned to the ge-0/0/12interface.

Question: What classifier is assigned to thege-0/0/12interface?

8/12/2019 AJEX_10.b-R_LGH

43/70


www.juniper.net Class of Service Lab 53

Question: Why are default classifiers assigned tothe ge-0/0/12 and ge-0/0/6 interfaces different?

Step 1.4

Issue the show class-of-service classifier name ieee8021p-default command to determine the code point to forwarding class for the defaulti eee8021p- def aul t classifier.

Question: Based on this default classifier, to whichforwarding class will traffic entering thege-0/0/12interface with the 802.1P CoS bits 111be assigned?

Step 1.5

Issue the show class-of-service classifier type ? command todetermine which types of classifiers are supported on EX Series switches.

Question: What classifier types are supported onyour EX Series switch?

Question: Which type of classifier is typically usedwhen classifying voice over IP (VoIP) traffic?

Step 1.6

Issue the show class-of-service classifier type dscp command.

Question: Which two forwarding classes are used bythe dscp- def aul t classifier?

8/12/2019 AJEX_10.b-R_LGH

44/70



Question: To which forwarding class would trafficwith the DSCP code point value 000000 beassigned? What about traffic with the DSCP codepoint value 111111?

Question: Based on the output, what loss priorityvalue is assigned, by default, to traffic with thevarious code point values?

Step 1.7

Issue the show class-of-service forwarding-class command todetermine the default forwarding classes and their assigned queues.

Question: What are the default forwarding classesand their corresponding queues?

Step 1.8

Issue the show interfaces ge-0/0/6 extensive | find "Egress queues" command to view queue and scheduler details for the ge-0/0/6 interface.

Question: Which queues currently show non-zerocounters? Can you explain why the other queues donot show non-zero counters?

Question: Which queues are currently beingserviced by the default scheduler map? Whatpercentage of the available bandwidth and buffer isallocated to each queue being serviced?

Part 2: Configuring and Monitoring CoS Components

In this lab part, you configure and monitor various CoS components. Refer to thenetwork diagram for this lab for topological and configuration details.

8/12/2019 AJEX_10.b-R_LGH

45/70



Step 2.1

On your assigned EX Series switch, enter configuration mode and navigate to the[ edi t c l ass- of - ser vi ce] hierarchy.

Step 2.2

Create four custom forwarding classes named my-be , my-ef , my-af , and my-nc .Associate these forwarding classes with queues 0 , 5 , 1 , and 7 respectively.

Step 2.3Use the commit command to activate the changes. Next, issue the run showinterfaces ge-0/0/6 extensive | find "Queue counters" command toview the current forwarding class information for the ge-0/0/6 interface.

Question: Are the custom forwarding classes now ineffect and associated with the ge-0/0/6 interface?

Question: Which queues are currently beingserviced by the default scheduler map?

Step 2.4

Create a custom DSCP classifier named my-dscp-classifier . Associatecode-point alias ef (101110) with the my-ef forwarding class, code-point aliasaf 41 (100010) with the my-af forwarding class, and code-point aliases cs3 (011000) and af 31 (011010) with the my-nc forwarding class. Ensure that thiscustom classifier inherits all default code point aliases not specified in these customdefinitions. Ensure that these custom definitions use the low loss priority level.

Step 2.5

For the my-be forwarding class, change the default loss priority level of low to highfor the code-point alias be (000000).

Step 2.6

Associate this newly defined DSCP classifier with all logical Gigabit Ethernetinterfaces. Use the commit command to activate the recent changes.

Note

The attached SRX deviceshave been pre-configured witha similar CoS configuration.

8/12/2019 AJEX_10.b-R_LGH

46/70



Step 2.7

Issue the run show class-of-service interface ge-0/0/6 command toverify that the new custom DSCP classifier is now associated with the ge-0/0/6 interface.

Question: Is the custom DSCP classifier now

associated with the ge-0/0/6.0 interface?

Step 2.8

Issue the run show class-of-service classifier name my-dscp-classifier command to verify that the recent changes have taken

effect.

Question: Are the correct code-point to forwardingclass mappings and loss priority levels now activefor the custom DSCP classifier?

Step 2.9

Create a new scheduler for each queue defined earlier. Use the following table forconfiguration details for each scheduler.

Step 2.10

Create a scheduler map named my-scheduler-map that maps the recentlydefined schedulers with their corresponding forwarding classes and queues.

Step 2.11

Associate the newly defined scheduler map with all physical Gigabit Ethernetinterfaces. Issue the commit command to activate the configuration changes.

Scheduler Configuration Details

Name Transmit rate Buffer size Priority

my-be-sched 30% 50% Low

my-af-sched 70% 20% Low

my-ef-sched N/A 20% Strict High

my-nc-sched N/A 10% Strict High

8/12/2019 AJEX_10.b-R_LGH

47/70



Note

Step 2.12

Issue the run show class-of-service interface ge-0/0/10 command to

verify that the newly defined and applied scheduler map has been associated withthe ge-0/0/10 interface.

Question: Is the custom scheduler map associatedwith the ge-0/0/10 interface?

Step 2.13

Issue the run show interfaces ge-0/0/10 extensive | find "Queuecounters" command to view current scheduler details and statistics for thege-0/0/10 interface.

Question: Which queues currently show non-zerocounters for the ge-0/0/10 interface?

Step 2.14

Associate the default DSCP rewrite rule with all logical Gigabit Ethernet interfaces.Activate the change using the commit command.

Note

Step 2.15

Issue the run show class-of-service interface ge-0/0/10

command to ensure that the default DSCP rewrite rule has been applied to thege-0/0/10.0 interface.

Question: Is the default DSCP rewrite rule nowassociated with the ge-0/0/10.0 interface?



8/12/2019 AJEX_10.b-R_LGH

48/70



Step 2.16


Use the ping utility to send traffic from your assigned vr x 0 virtual router (VR) to yourassigned vr y 1 VR, where y is either 1 or 2 depending on your assigned devices. Asthe destination IP address, use the IP address from the 172.23.25.0/24 subnetassigned to your vr y 1 VR. To test proper classification, use the tos option with

values 0 , 96 , 104 , 136 , and 184 when performing your ping tests. Refer to thenetwork diagram for the instance names and the IP addresses assigned to your VRs.Do not forget to reference the correct routing instance.

Step 2.17


Issue the run show interfaces queue ge-0/0/7 command to verify that allqueues for the ge-0/0/7 interface show a non-zero counter value for egress traffic.

Question: Do all queues for the ge-0/0/7 interfaceshow a non-zero counter value for egress traffic?

Note


Part 3: Implementing CoS Using the EZQoS Template

In this lab part, you use the EZQoS template to simplify the implementation of CoScomponents.

Step 3.1

On your EX Series switch, delete all configuration under the [ edi tcl ass- of - ser vi ce] hierarchy. Use the commit command to activate theconfiguration changes.

Step 3.2

Navigate to the root hierarchy level and issue the load merge /etc/config/ezqos-voip.conf command to load the EZQoS configuration template.

Step 3.3

Issue the set apply-groups ezqos-voip command to apply the ezqos- voi p configuration group loaded in the previous step.

You can perform similar tests with trafficdestined to the remote VRs.

8/12/2019 AJEX_10.b-R_LGH

49/70



Step 3.4

Associate the ezqos-dscp-classifier with all logical Gigabit Ethernetinterfaces.

Step 3.5

Associate the ezqos-voip-sched-maps with all physical Gigabit Ethernetinterfaces.

Step 3.6Issue the commit command to activate the configuration changes. Next, issue therun show class-of-service interface ge-0/0/6 command to verify thecurrent CoS components associated with the ge-0/0/6 interface.

Question: Are the CoS components defined withinthe template now associated with the ge-0/0/6 interface?

Question: How many queues are currently in use?Can you explain why ?

Step 3.7

Associate the default DSCP rewrite rule with all logical Gigabit Ethernet interfaces.Activate this configuration change using the commit command.

Step 3.8

Issue the run show class-of-service interface ge-0/0/6 command toverify that the default DSCP rewrite rule is now associated with the ge-0/0/6interface.

Question: Is the default DSCP rewrite rule nowassociated with the ge-0/0/6.0 interface?

Step 3.9

Add the ezqos- voi ce- f c forwarding class as the designated forwarding class forthe voice VLAN defined in a previous lab. Activate the configuration change andreturn to operational mode using the commit and-quit command.

8/12/2019 AJEX_10.b-R_LGH

50/70



Note


If time permits, you can perform verification testsusing the ping utility on your assigned SRX deviceas you did toward the end of Part 2 of this lab.

8/12/2019 AJEX_10.b-R_LGH

51/70

8/12/2019 AJEX_10.b-R_LGH

52/70


Lab 62 Monitoring and Troubleshooting Layer 2 Networks www.juniper.net

Part 1: Modifying the Existing Configurations

In this lab part, you load and activate a predefined configuration saved on yourassigned devices. This predefined configuration will introduce a number of issues inyour network. You will then troubleshoot the issues to restore network functionality.

Step 1.1


Enter configuration mode and override the existing configuration file with thelab6-start.conf configuration file stored in the /var/home/lab/ajex/ directory. Issue the commit and-quit command to activate the newconfiguration file and return to operational mode.

Step 1.2


Enter configuration mode and override the existing configuration file with thelab6-start.conf configuration file stored in the /var/home/lab/ajex/ directory. Issue the commit command to activate the new configuration file.

Part 2: Determining Success

In this lab part, you will examine key processes and hardware components todetermine why vr10 cannot communicate with vr20.

Step 2.1

On your assigned SRX device, use the ping utility and verify communication betweenthe vr10 and the vr20 devices. Note that the interfaces on the SRX devices areconfigured for 802.1Q operations with a VLAN ID of 10. Refer to the networkdiagram for the instance names and the IP addresses assigned to the various virtualrouters (VRs). Do not forget to reference the correct routing instance.

Step 2.2

On your assigned SRX device, use the ping utility and verify communication betweenthe vr11 and the vr21 devices. Note that the interfaces on the SRX devices areconfigured for 802.1Q operations with a VLAN ID of 11. Refer to the networkdiagram for the instance names and the IP addresses assigned to the various VRs.Do not forget to reference the correct routing instance.

Question: What do the ping tests reveal?

8/12/2019 AJEX_10.b-R_LGH

53/70


www.juniper.net Monitoring and Troubleshooting Layer 2 Networks Lab 63

Question: Can any value be gained from testingLayer 4 or higher?

Question: What criteria will determine if the networkhas returned to a functioning state?

Part 3: Verifying Hardware Components and System Processes

In this lab part, you will verify your assigned EX Series switchs hardwarecomponents and system processes in an effort to find what is causing the issue.

Step 3.1

On your assigned EX Series switch, issue the run show chassisrouting-engine command.

Question: What CPU and memory utilization ispresent in the output?

Step 3.2

Issue the run show chassis alarms and run show system alarms commands.

Question: Are any problems detected?

Step 3.3

Issue the run show interfaces terse ge* command.

Question: What does this output reveal?

Question: Does the problem appear to be a Layer 1issue?

8/12/2019 AJEX_10.b-R_LGH

54/70



Step 3.4

Issue the run show system processes extensive command.

Question: Is the daemon that controls the Ethernetswitching functions running?

Question: Does the absence of the eswd daemonaffect traffic flows between the VR devices?

Step 3.5

To determine why the eswd daemon is not running, examine the log messages file on your assigned EX Series switch. Use the | match eswd option to narrow

your search.

Question: What does this output reveal?

Step 3.6

Restart the eswd daemon by issuing the run restart ethernet-switching command.

Question: What is the result of attempting to restartthe eswd daemon?

Step 3.7

Navigate to the [ edi t syst em pr ocesses] hierarchy level and remove theconfiguration that is disabling the eswd daemon. Activate the changes using thecommit command.

Step 3.8

Check the status of the eswd daemon by issuing the run show system processes extensive | match eswd command.

Question: Is the eswd daemon running?

8/12/2019 AJEX_10.b-R_LGH

55/70



STOP Before proceeding ensure that the remote student team in your pod

finishes the previous steps.

Step 3.9

Return to your assigned SRX device, use the ping utility and verify communicationbetween the vr10 and the vr20 devices. Refer to the network diagram for the

instance names and the IP addresses assigned to the various VRs. Do not forget toreference the correct routing instance.

Step 3.10

On your assigned SRX device, use the ping utility and verify communication betweenthe vr11 and the vr21 devices. Refer to the network diagram for the instance namesand the IP addresses assigned to the various VRs. Do not forget to reference thecorrect routing instance.


Part 4: Verifying Ethernet Switching MSTP and Aggregate Ethernet Interfaces

In this part, you will examine the Ethernet switching table and the aggregatedEthernet interfaces. You will then troubleshoot and fix any problems that are found.

Step 4.1

Open a new session to the SRX device assigned to the remote team. Log in to thatdevice using the credentials provided by your instructor. Find the media accesscontrol (MAC) address associated with the vr y 0 device, where y is either 1 or 2depending on the SRX device. Refer to the network diagram for this lab as needed.

Question: What is the current MAC addressassigned to the remote vr y 0 device?

Step 4.2


On your assigned EX Series switch, display the Ethernet switching table anddetermine whether the MAC address associated with the remote teams vr y 0 deviceis present.

Question: Is the MAC address for the remote teamsvry 0 device present?

8/12/2019 AJEX_10.b-R_LGH

56/70



Question: Can you find any problems with the MACaddress entry?

Step 4.3

Remove any static MAC address entries configured on your assigned EX Seriesswitch. Activate the changes using the commit command.

Step 4.4

Examine the Ethernet switching table.

Question: Is the static MAC address entry present?



Step 4.5


Use the ping utility and verify communication between the vr10 and the vr20devices. Refer to the network diagram for the instance names and the IP addressesassigned to the various VRs. Do not forget to reference the correct routing instance.

Step 4.6



Step 4.7


On your assigned EX Series switch, examine the Ethernet switching interfaceinformation.

8/12/2019 AJEX_10.b-R_LGH

57/70



Question: Why do the ge-0/0/6 and ge-0/0/7interfaces show a value of unt agged in the

Taggi ng field?

Question: Can having these two interfaces

configured as access ports cause problems withyour setup? Why?

Question: What can you do to overcome this issue?

Step 4.8

Configure the ge-0/0/6 and ge-0/0/7 interfaces to receive and send 802.1Qframes. Activate the changes using the commit command.

Step 4.9

Examine the Ethernet switching interface information again.

Question: Will the ge-0/0/6 and ge-0/0/7interfaces receive and send 802.1Q taggedframes?



Step 4.10Return to your assigned SRX device, use the ping utility and verify communicationbetween the vr10 and the vr20 devices. Refer to the network diagram for theinstance names and the IP addresses assigned to the various VRs. Do not forget toreference the correct routing instance.

8/12/2019 AJEX_10.b-R_LGH

58/70



Step 4.11



Question: Is the issue resolved yet? Why or why not?

Step 4.12

On your assigned SRX device, use the ping utility to generate a constant stream oftraffic between the vr10 and vr20 devices. Issue the command pingrouting-instance vry0 172.23.10.10 z rapid count 10000000 .

Note

Step 4.13


On your assigned EX Series switch, examine which interfaces are being used for thistraffic by issuing the command run monitor interface traffic . Press theCtrl + d or Ctrl + u key combinations to scroll down or up. Press the q key when youare finished examining the output.

Question: What interfaces are being used for theping traffic?

The value of y is 1 if your assignedSRX device is SRX1. The value of y is 2 ifyour assigned SRX device is SRX2.

The value of z is 2 if your assignedSRX device is SRX1. The value of z is 1 ifyour assigned SRX device is SRX2.

8/12/2019 AJEX_10.b-R_LGH

59/70



Step 4.14

Traffic flows exceeding 1 Gbps is expected from the VR devices connected to yourassigned EX Series switch. The traffic flows must traverse the aggregate Ethernetlinks in the switched topology to accommodate this requirement. The GigabitEthernet links are only to be used if an aggregate Ethernet link fails.

Collect spanning-tree protocol information by issuing the command run showspanning-tree bridge .

Question: What spanning-tree protocol is in use?

Question: What is the regional root bridge ID forMSTI 1?

Step 4.15

Return to your assigned SRX device, stop the ping test by pressing the Ctrl + c keycombination, and collect spanning-tree protocol information by issuing thecommand show spanning-tree bridge .

Question: What is the regional root bridge ID forMSTI 1?

Question: All devices in the network should be usingthe same regional root bridge for MSTI 1. What cancause two regional root bridges to appear?

Step 4.16

On your assigned SRX device, examine the configuration digest by issuing thecommand show spanning-tree mstp configuration .

Step 4.17

On your assigned EX Series switch, examine the configuration digest by issuing thecommand run show spanning-tree mstp configuration .

Question: Does a configuration digest mismatchexist? Why?

8/12/2019 AJEX_10.b-R_LGH

60/70



Question: What can you do to fix this problem?

Step 4.18

Navigate to the [ edi t pr ot ocol s mst p] hierarchy level and add VLAN 10 toMSTI 1. Activate the changes using the commit command.



Step 4.19

On your assigned EX Series switch, issue the command run showspanning-tree bridge .

Step 4.20

Return to your assigned SRX device and issue the command showspanning-tree bridge .

Question: Do both of your assigned devices nowshow the same regional root bridge for MSTI 1?

Step 4.21


Note

Note


The value of z is 2 if your assignedSRX device is SRX1. The value of z is 1 if

your assigned SRX device is SRX2.

If the ping operation is not successful, work with theremote team in your pod and verify that all studentdevices show the same regional root bridge for MSTI 1.

Do not proceed until the continuous ping operationshows success. If needed, work with your instructor.

8/12/2019 AJEX_10.b-R_LGH

61/70



Step 4.22

Return to your assigned EX Series switch and examine the traffic flow using therun monitor interface traffic command. Press the Ctrl + d or Ctrl + ukey combinations to scroll down or up. Press the q key when you are finishedexamining the output.

Question: Which interfaces are being used for thetraffic flow?

Question: Do you currently have enough informationto determine why the traffic is not using the ae0interface?

Step 4.23

Exit the current output by pressing the q key. Examine the status of the ae0 interfaceby issuing the command run show interface terse | match ae0 .

Question: Can you determine the problem from thisoutput?

Step 4.24Examine the Ethernet switching table.

Question: What can you determine from thisoutput?

Step 4.25

Examine the interface statuses of MSTI 1 by issuing the command run showspanning-tree interface msti 1 .


8/12/2019 AJEX_10.b-R_LGH

62/70



Step 4.26

Examine the traffic entering and exiting the ae0 interface by issuing the commandrun monitor traffic interface ae0 . Press the Ctrl + c key combinationwhen you are finished.


Step 4.27

Examine the traffic entering and exiting the ge-0/0/9 interface, which is a childinterface of the ae0 interface. Issue the command run monitor trafficinterface ge-0/0/9 . Press the Ctrl + c key combination when you are finished.


Step 4.28

Examine all the interfaces that have LACP configured by issuing the commandrun show lacp interfaces .


Step 4.29

Configure LACP to actively attempt to configure its remote partner on the ae0interface. Activate the change using the commit command.

Step 4.30

Issue the command run show lacp interfaces .




8/12/2019 AJEX_10.b-R_LGH

63/70



Step 4.31


Note

Note

Step 4.32

Return to your assigned EX Series switch and examine the traffic flow using therun monitor interface traffic command. Press the Ctrl + d or Ctrl + ukey combinations to scroll down or up. Press the q key when you are finishedexamining the output.

Question: Which interfaces is the traffic using?

Question: Has the network been restored to afunctioning condition?

Part 5: Configuring Port Mirroring and sFlow

In this lab part, you will configure port mirroring and sFlow collection. You will thenmonitor the operation of both.

Step 5.1

Configure the ge-0/0/13 interface to participate in familyethernet-switching .


The value of z is 2 if your assignedSRX device is SRX1. The value of z is 1 ifyour assigned SRX device is SRX2.

If the ping operation is not successful, you might need to wait for amoment for MSTP changes to occur on all participating devices.

Do not proceed until the continuous ping operation showssuccess. If needed, work with your instructor.

8/12/2019 AJEX_10.b-R_LGH

64/70



Step 5.2

Navigate to the [ edi t et her net -

AJEX_10.b-R_LGH

Documents