7/22/2019 AJEX_10.b-R_SG
1/304
1194 North Mathilda Avenue
Sunnyvale, CA 94089USA
408-745-2000
www.juniper.net
Worldwide Education Services
Advanced Junos Enterprise
Switching
10.b
Student Guide
Course Number: EDU-JUN-AJEX
Contents

Chapter 1: Course Introduction 1-1

Chapter 2: Advanced Ethernet Switching 2-1
  Virtual Local Area Networks: Assigning User Traffic to VLANs 2-3
  Virtual Local Area Networks: Restricting Traffic within a VLAN 2-15
  Automating VLAN Administration 2-28
  Tunneling Layer 2 Traffic 2-40
  Lab 1: Advanced Ethernet Switching 2-63

Chapter 3: Advanced Spanning Tree 3-1
  Spanning Tree Review 3-3
  Multiple Spanning Tree Protocol 3-10
  VLAN Spanning Tree Protocol 3-23
  Lab 2: Implementing MSTP and VSTP 3-34

Chapter 4: Authentication and Access Control 4-1
  Authentication Overview 4-3
  Access Control Features: 802.1X 4-9
  Access Control Features: MAC RADIUS 4-28
  Access Control Features: Captive Portal 4-34
  Overview of Authentication Processing 4-45
  Lab 3: Authentication and Access Control 4-51

Chapter 5: Deploying IP Telephony Features 5-1
  Deployment Scenarios 5-3
  IP Telephony Features: Power over Ethernet 5-6
  IP Telephony Features: Neighbor Discovery 5-15
  IP Telephony Features: Voice VLAN 5-28
  Case Study: Deploying IP Telephony Features 5-33
  Lab 4: Deploying IP Telephony Features 5-43

Chapter 6: Class of Service 6-1
  Class of Service Overview 6-3
  Implementing Class of Service 6-16
  Case Study 6-28
  Lab 5: Class of Service 6-37

Chapter 7: Monitoring and Troubleshooting 7-1
  Introduction to Monitoring and Troubleshooting 7-3
  Monitoring and Troubleshooting Tools 7-18
  Troubleshooting Case Studies: Reachability Issues 7-27
  Troubleshooting Case Studies: Network Congestion 7-33
  Lab 6: Monitoring and Troubleshooting 7-41

Appendix A: Acronym List A-1
Appendix B: Answer Key B-1
Course Overview

This two-day course provides detailed coverage of virtual LAN (VLAN) operations, Multiple Spanning
Tree Protocol (MSTP) and VLAN Spanning Tree Protocol (VSTP), authentication and access control
for Layer 2 networks, IP telephony features, class of service (CoS), and monitoring and
troubleshooting tools and features supported on the EX Series Ethernet Switches.

Through demonstrations and hands-on labs, students will gain experience in configuring and
monitoring the Junos operating system and in monitoring device and protocol operations.
Objectives

After successfully completing this course, you should be able to:
Implement filter-based VLAN assignments.
Restrict traffic flow within a VLAN.
Manage dynamic VLAN registration.
Tunnel Layer 2 traffic through Ethernet networks.
Review the purpose and operations of a spanning tree.
Implement multiple spanning tree instances in a network.
Implement one or more spanning tree instances for a VLAN.
List the benefits of implementing end-user authentication.
Explain the operations of various access control features.
Configure and monitor various access control features.
Describe processing considerations when multiple authentication and access control
features are enabled.
Describe some common IP telephony deployment scenarios.
Describe features that facilitate IP telephony deployments.
Configure and monitor features used in IP telephony deployments.
Explain the purpose and basic operations of class of service.
Describe class of service features used in Layer 2 networks.
Configure and monitor class of service in a Layer 2 network.
Describe a basic troubleshooting method.
List common issues that disrupt network operations.
Identify tools used in network troubleshooting.
Use available tools to resolve network issues.
Intended Audience

This course benefits individuals responsible for configuring and monitoring EX Series switches.

Course Level

Advanced Junos Enterprise Switching is an advanced-level course.

Prerequisites

Students should have an intermediate level of networking knowledge and an understanding of the
Open Systems Interconnection (OSI) reference model and the TCP/IP protocol suite. Students
should also attend the Introduction to the Junos Operating System (IJOS), the Junos Routing
Essentials (JRE), and the Junos Enterprise Switching (JEX) courses prior to attending this class.
Course Agenda

Day 1
Chapter 1: Course Introduction
Chapter 2: Advanced Ethernet Switching
Lab 1: Advanced Ethernet Switching
Chapter 3: Advanced Spanning Tree
Lab 2: Implementing MSTP and VSTP
Chapter 4: Authentication and Access Control
Lab 3: Authentication and Access Control
Day 2

Chapter 5: Deploying IP Telephony Features
Lab 4: Deploying IP Telephony Features
Chapter 6: Class of Service
Lab 5: Class of Service
Chapter 7: Monitoring and Troubleshooting
Lab 6: Monitoring and Troubleshooting Layer 2 Networks
Document Conventions

CLI and GUI Text
Frequently throughout this course, we refer to text that appears in a command-line interface (CLI)
or a graphical user interface (GUI). To make the language of these documents easier to read, we
distinguish GUI and CLI text from chapter text according to the following table.
Input Text Versus Output Text

You will also frequently see cases where you must enter input text yourself. Often these instances
will be shown in the context of where you must enter them. We use bold style to distinguish text
that is input versus text that is simply displayed.
Defined and Undefined Syntax Variables

Finally, this course distinguishes between regular text and syntax variables, and it also
distinguishes between syntax variables where the value is already assigned (defined variables) and
syntax variables where you must assign the value (undefined variables). Note that these styles can
be combined with the input style as well.
Style | Description | Usage Example
Franklin Gothic | Normal text. | Most of what you read in the Lab Guide and Student Guide.
Courier New | Console text: screen captures, noncommand-related syntax. GUI text elements: menu names, text field entry. | commit complete / Exiting configuration mode. Select File > Open, and then click Configuration.conf in the Filename text box.
Normal CLI / Normal GUI | No distinguishing variant. | Physical interface: fxp0, Enabled. View configuration history by clicking Configuration > History.
CLI Input / GUI Input | Text that you must enter. | lab@San_Jose> show route. Select File > Save, and type config.ini in the Filename field.
CLI Variable / GUI Variable | Text where the variable value is already assigned. | policy my-peers. Click my-peers in the dialog.
CLI Undefined / GUI Undefined | Text where the variable's value is at the user's discretion, or text where the variable's value as shown in the lab guide might differ from the value the user must input according to the lab topology. | Type set policy policy-name. ping 10.0.x.y. Select File > Save, and type filename in the Filename field.
Additional Information

Education Services Offerings
You can obtain information on the latest Education Services offerings, course dates, and class
locations from the World Wide Web by pointing your Web browser to:
http://www.juniper.net/training/education/.
About This Publication

The Advanced Junos Enterprise Switching Student Guide was developed and tested using software
Release 10.4R3.4. Previous and later versions of software might behave differently, so you should
always consult the documentation and release notes for the version of code you are running before
reporting errors.
This document is written and maintained by the Juniper Networks Education Services development
team. Please send questions and suggestions for improvement to [email protected].
Technical Publications

You can print technical manuals and release notes directly from the Internet in a variety of formats:
Go to http://www.juniper.net/techpubs/.
Locate the specific software or hardware release and title you need, and choose the
format in which you want to view or print the document.
Documentation sets and CDs are available through your local Juniper Networks sales office or
account representative.
Juniper Networks Support

For technical support, contact Juniper Networks at http://www.juniper.net/customers/support/, or
at 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States).
Chapter 1: Course Introduction
This Chapter Discusses:

Objectives and course content information;
Additional Juniper Networks, Inc. courses; and
The Juniper Networks Certification Program.
Introductions

The slide asks several questions for you to answer during class introductions.
Course Contents

The slide lists the topics we discuss in this course.
Prerequisites

The slide lists the prerequisites for this course.
General Course Administration

The slide documents general aspects of classroom administration.
Training and Study Materials

The slide describes Education Services materials that are available for reference both in the
classroom and online.
Additional Resources

The slide provides links to additional resources available to assist you in the installation,
configuration, and operation of Juniper Networks products.
Satisfaction Feedback

Juniper Networks uses an electronic survey system to collect and analyze your comments and
feedback. Depending on the class you are taking, please complete the survey at the end of the class,
or be sure to look for an e-mail about two weeks from class completion that directs you to complete
an online survey form. (Be sure to provide us with your current e-mail address.)
Submitting your feedback entitles you to a certificate of class completion. We thank you in advance
for taking the time to help us improve our educational offerings.
Juniper Networks Education Services Curriculum

Juniper Networks Education Services can help ensure that you have the knowledge and skills to
deploy and maintain cost-effective, high-performance networks for both enterprise and service
provider environments. We have expert training staff with deep technical and industry knowledge,
providing you with instructor-led hands-on courses in the classroom and online, as well as
convenient, self-paced eLearning courses.
Course List

You can access the latest Education Services offerings covering a wide range of platforms at
http://www.juniper.net/training/technical_education/.
Juniper Networks Certification Program

A Juniper Networks certification is the benchmark of skills and competence on Juniper Networks
technologies.
Juniper Networks Certification Program Overview

The Juniper Networks Certification Program (JNCP) consists of platform-specific, multitiered tracks
that enable participants to demonstrate competence with Juniper Networks technology through a
combination of written proficiency exams and hands-on configuration and troubleshooting exams.
Successful candidates demonstrate thorough understanding of Internet and security technologies
and Juniper Networks platform configuration and troubleshooting skills.
The JNCP offers the following features:
Multiple tracks;
Multiple certification levels;
Written proficiency exams; and
Hands-on configuration and troubleshooting exams.
Each JNCP track has one to four certification levels: Associate-level, Specialist-level,
Professional-level, and Expert-level. Associate-level and Specialist-level exams are computer-based
exams composed of multiple choice questions administered at Prometric testing centers worldwide.
Professional-level and Expert-level exams are composed of hands-on lab exercises administered at
select Juniper Networks testing centers. Professional-level and Expert-level exams require that you
first obtain the next lower certification in the track. Please visit the JNCP Web site at
http://www.juniper.net/certification for detailed exam information, exam pricing, and exam
registration.
Preparing and Studying

The slide lists some options for those interested in preparing for Juniper Networks certification.
Find Us Online

The slide lists some online resources to learn and share information about Juniper Networks.
Any Questions?

If you have any questions or concerns about the class you are attending, we suggest that you voice
them now so that your instructor can best address your needs during class.
This chapter contains no review questions.
Chapter 2: Advanced Ethernet Switching
This Chapter Discusses:

Implementation of filter-based virtual LAN (VLAN) assignments;
Restricting traffic flows within a VLAN;
Management of dynamic VLAN registration; and
Tunneling Layer 2 traffic through Ethernet networks.
Virtual Local Area Networks: Assigning User Traffic to VLANs

The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.
Default Designations

The factory-default configuration associates all installed interfaces with the default VLAN. In the
sample output shown on the slide we can see that the default VLAN does not use an 802.1Q tag.
Because all installed interfaces are preconfigured for Layer 2 operations and are associated with
the default VLAN, you can simply insert an EX Series switch in basic single-broadcast-domain
environments without much or any configuration. If a switch supports multiple broadcast domains,
you might want to define additional VLANs to separate the traffic associated with each subnet at
Layer 2.
Default Designations (contd.)

You can assign an 802.1Q tag to the default VLAN as shown in the following output:

[edit]
root# set vlans default vlan-id 100

[edit]
root# commit and-quit
configuration check succeeds
commit complete
Exiting configuration mode

root> show vlans
Name       Tag    Interfaces
default    100
                  ge-0/0/0.0, ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0,
                  ge-0/0/6.0*, ge-0/0/7.0*, ge-0/0/8.0*, ge-0/0/9.0*, ge-0/0/10.0*, ge-0/0/11.0*,
                  ge-0/0/12.0*, ge-0/0/13.0*, ge-0/0/14.0*, ge-0/0/15.0*, ge-0/0/16.0, ge-0/0/17.0,
                  ge-0/0/18.0, ge-0/0/19.0, ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0,
                  xe-0/1/0.0
Changing Default Designations

You can easily change the default VLAN designations by adding new VLANs and associating
interfaces with those user-defined VLANs. You can also create trunk ports which are used to service
one or more VLANs. We review the key attributes of access and trunk ports on a subsequent slide.
Access and Trunk Ports

This slide is designed as a review of the key attributes of access and trunk ports. The tables
associated with the two port modes provide the key characteristics of each and highlight the
differences between the two types.
Port-Based VLAN Assignments

In the Junos Enterprise Switching course we introduced you to the port-based VLAN assignment
method. Using the port-based VLAN assignment method, you associate ports with user-defined
VLANs. Typically, access ports are associated with a single VLAN whereas trunk ports are often
associated with multiple VLANs. The slide provides a basic configuration example that associates
access and trunk ports with their respective VLANs. Note that in this example vlan-10 and vlan-20
are associated with the 172.23.10.0/24 and 172.23.20.0/24 subnets respectively.
Test Your Knowledge

This slide is designed to test the learner's understanding based on the scenario and configuration
provided. Based on the configuration, all traffic received through the ge-0/0/6.0 interface,
regardless of its associated subnet, will be tagged with VLAN-ID 10 and flooded out interfaces
associated with the vlan-10 VLAN. The end result is that all traffic sourced from Host-B will be
associated with vlan-10 and forwarded or flooded on to nodes that are also associated with vlan-10.
It is important to note that although VLANs are typically associated with a single subnet, this is not a
strict requirement. In other words, you can have multiple subnets associated with a single VLAN.
Filter-Based VLAN Assignment

Using the port-based VLAN assignment method, all traffic received through an access port is
associated with the VLAN assigned to that access port. This approach is all-encompassing and
provides no evaluation of source subnet information.
The filter-based VLAN assignment method provides flexibility by evaluating information, such as the
source IP address, and making VLAN assignments based on evaluation results. The filter-based
VLAN assignment method uses firewall filters to aid in the evaluation and assignment process. This
feature might be used in scenarios that include multiple devices attached to a single switch port
through an attached hub or passive switch, as shown on the slide.
Implementing Filter-Based VLAN Assignments

This slide provides a basic overview of how filter-based VLAN assignments are implemented. We
cover each of the highlighted steps in more detail on subsequent slides.

Note that filter-based VLAN assignments are not supported on access ports that are configured for
802.1X. If both features are configured at the same time, the configuration will not commit, as shown
in the following output:

[edit protocols dot1x]
user@switch# commit
error: Dot1x: Authenticator can't be configured on mapping "policy" enabled interface
error: configuration check-out failed
Defining and Applying the Firewall Filter

The first two steps when implementing filter-based VLAN assignments are to define and apply a
Layer 2 firewall filter. Note that Layer 2 filters are associated with the ethernet-switching protocol
family.

In the example shown on the slide, we define a Layer 2 firewall filter that matches on the source IP
subnet 172.23.20.0/24 and associates matching traffic with the VLAN named vlan-20 using the
then vlan statement. Because the default action for all traffic not explicitly accepted is discard,
we include a second term that accepts all other traffic. The else-accept term not only allows the
switch to accept all other traffic but, by doing so, also allows the switch to associate all other traffic
with VLAN vlan-10, which is the port-based VLAN assignment for the ge-0/0/6.0 access port.

Note that the slide also shows the application of the vlan-assign firewall filter. In this case the
vlan-assign firewall filter is applied as an input filter to the ge-0/0/6.0 access port.
Associating Access Port with Secondary VLAN

The third step when implementing filter-based VLAN assignments is to associate the access port,
ge-0/0/6.0 in our example, with the secondary VLAN (vlan-20). Because the matching criteria
defined in the firewall filter (illustrated on the previous slide) must be met, this secondary VLAN
association for the ge-0/0/6.0 access port is conditional in nature. To form a conditional association
between an access port and a secondary VLAN, you use the mapping policy statement, as
shown in the example on the slide.
Monitoring the Results

Here we can see that the ge-0/0/6.0 access port is now associated with vlan-10 and vlan-20.
Note the unique Mapping policy interfaces association ge-0/0/6.0 has with vlan-20. This unique
association is indicative of a filter-based VLAN assignment, which, as previously stated,
is conditional in nature.

Based on the current configuration and associations, if traffic enters ge-0/0/6.0 and matches the
defined conditions in the firewall filter, then that traffic should be associated with vlan-20. All
other traffic should be associated with vlan-10.

Once traffic passes through ge-0/0/6.0, the switch will add the related media access control (MAC)
addresses to the corresponding VLAN in the bridge table. If no MAC entry exists in the bridge table,
the switch uses the flood entry assigned to each VLAN to facilitate the required communications. The
following output shows the bridge table assignments for ge-0/0/6.0:

user@AS-2> show ethernet-switching table interface ge-0/0/6
Ethernet-switching table: 0 unicast entries
  VLAN        MAC address     Type     Age   Interfaces
  vlan-10     *               Flood    -     All-members
  vlan-20     *               Flood    -     All-members
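The three steps above and the bridge-table behaviour they produce, as an added Python model that is not code from this course or from Junos: it evaluates the vlan-assign filter (match source 172.23.20.0/24, then vlan vlan-20; an else-accept term) on access port ge-0/0/6.0, whose port-based VLAN is vlan-10 and which has a mapping policy association with vlan-20, then learns MAC addresses per VLAN and falls back to the flood entry. Port names other than ge-0/0/6.0, MAC addresses and host IP addresses are constructed for the example.

```python
"""Model of filter-based VLAN assignment and per-VLAN MAC learning on an access port."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Frame:
    ingress: str      # interface the frame arrived on
    src_mac: str
    dst_mac: str
    src_ip: str


@dataclass
class Term:
    """One term of a family ethernet-switching filter (only the parts used on this page)."""
    name: str
    source_address: Optional[str] = None  # 'from source-address <prefix>'; None matches all traffic
    then_vlan: Optional[str] = None       # 'then vlan <name>'; None means the term is 'then accept'

    def matches(self, frame: Frame) -> bool:
        if self.source_address is None:
            return True
        return ipaddress.ip_address(frame.src_ip) in ipaddress.ip_network(self.source_address)


@dataclass
class Port:
    name: str
    vlans: Set[str]                                         # port-based membership (1 access, n trunk)
    mapping_policy: Set[str] = field(default_factory=set)   # secondary VLANs via 'mapping policy'
    input_filter: List[Term] = field(default_factory=list)  # applied as 'filter input <name>'

    def members(self) -> Set[str]:
        return self.vlans | self.mapping_policy


class Switch:
    def __init__(self, ports: List[Port]) -> None:
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.table: Dict[Tuple[str, str], str] = {}   # (vlan, mac) -> interface where it was learned

    def classify(self, port: Port, frame: Frame) -> Optional[str]:
        """Evaluate the input filter top down; return the VLAN, or None for the implicit discard."""
        port_vlan = next(iter(port.vlans))
        if not port.input_filter:
            return port_vlan                       # plain port-based assignment
        for term in port.input_filter:
            if not term.matches(frame):
                continue
            if term.then_vlan is None:
                return port_vlan                   # 'then accept': keep the port-based VLAN
            if term.then_vlan not in port.mapping_policy:
                # Model's own consistency check: the secondary VLAN needs 'mapping policy'.
                raise ValueError(f"{port.name}: no mapping policy for {term.then_vlan}")
            return term.then_vlan
        return None                                # no term matched: default action is discard

    def forward(self, frame: Frame) -> dict:
        port = self.ports[frame.ingress]
        vlan = self.classify(port, frame)
        if vlan is None:
            return {"vlan": None, "action": "discard", "egress": []}
        self.table[(vlan, frame.src_mac)] = frame.ingress   # learn the source MAC in that VLAN
        known = self.table.get((vlan, frame.dst_mac))
        if known is not None:
            return {"vlan": vlan, "action": "unicast", "egress": [known]}
        # No entry: use the VLAN's flood entry (all members except the ingress port).
        egress = sorted(n for n, p in self.ports.items() if vlan in p.members() and n != frame.ingress)
        return {"vlan": vlan, "action": "flood", "egress": egress}


VLAN_ASSIGN = [
    Term("subnet-20", source_address="172.23.20.0/24", then_vlan="vlan-20"),
    Term("else-accept"),   # without this term all other traffic hits the implicit discard
]


def build_switch(filter_terms: Optional[List[Term]] = None) -> Switch:
    terms = VLAN_ASSIGN if filter_terms is None else filter_terms
    return Switch([
        Port("ge-0/0/6.0", {"vlan-10"}, mapping_policy={"vlan-20"}, input_filter=terms),
        Port("ge-0/0/7.0", {"vlan-10"}),                # constructed: vlan-10 access port
        Port("ge-0/0/8.0", {"vlan-20"}),                # constructed: vlan-20 access port
        Port("ge-0/0/12.0", {"vlan-10", "vlan-20"}),    # constructed: trunk carrying both VLANs
    ])


def run_example() -> Tuple[Switch, List[dict]]:
    sw = build_switch()
    bcast = "ff:ff:ff:ff:ff:ff"
    results = [
        sw.forward(Frame("ge-0/0/6.0", "00:10:94:00:00:20", bcast, "172.23.20.5")),  # -> vlan-20
        sw.forward(Frame("ge-0/0/6.0", "00:10:94:00:00:10", bcast, "172.23.10.5")),  # -> vlan-10
        # Reply from the vlan-20 access port to the MAC just learned in vlan-20: known unicast.
        sw.forward(Frame("ge-0/0/8.0", "00:10:94:00:00:88", "00:10:94:00:00:20", "172.23.20.9")),
    ]
    return sw, results


def run_without_else_accept() -> dict:
    """Same filter with the else-accept term omitted: non-matching traffic is discarded."""
    sw = build_switch([VLAN_ASSIGN[0]])
    return sw.forward(Frame("ge-0/0/6.0", "00:10:94:00:00:10", "ff:ff:ff:ff:ff:ff", "172.23.10.5"))


def show_table(sw: Switch, interface: str) -> List[Tuple[str, str, str, str]]:
    """Rows in the shape of 'show ethernet-switching table interface <name>'."""
    port = sw.ports[interface]
    rows = [(v, "*", "Flood", "All-members") for v in sorted(port.members())]
    rows += [(v, mac, "Learn", ifc) for (v, mac), ifc in sorted(sw.table.items()) if ifc == interface]
    return rows


if __name__ == "__main__":
    switch, outcomes = run_example()
    for outcome in outcomes:
        print(outcome)
    for row in show_table(switch, "ge-0/0/6.0"):
        print("  ".join(row))
```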
Virtual Local Area Networks: Restricting Traffic within a VLAN

The slide highlights the topic we discuss next.
Typical VLAN Deployments

Although not strictly required, a common VLAN deployment involves a one-to-one mapping between a
VLAN and a corresponding broadcast domain. This deployment design results in end-to-end
communications between all devices participating in the same VLAN.
Restricting Traffic

In some situations you might want to subdivide groups within the same broadcast domain and
restrict communications between the different groups. For example, you might have a single subnet
on which multiple workgroups participate, such as the Sales and Finance workgroups, and want to
restrict direct communications between those workgroups. A primary reason for restricting
communications between workgroups in the same broadcast domain is to increase network security.
Private VLAN

The Private VLAN (PVLAN) feature allows you to split a broadcast domain into multiple isolated
broadcast subdomains, essentially putting a VLAN inside a VLAN. A PVLAN consists of a primary
VLAN with other VLANs, called secondary VLANs, nested inside. PVLANs are useful for restricting the
flow of broadcast and unknown unicast traffic and for limiting the communication between known
hosts.
A PVLAN can be configured on a single switch or can be configured to span multiple switches. A
PVLAN can span different models of EX Series switches. Note that the PVLAN feature is not
supported on all EX Series switches. Refer to the technical publications for a list of switches that
support this feature.
The voice VLAN and PVLAN features cannot both be enabled at the same time on the same
interface. We discuss the voice VLAN feature in detail in a subsequent chapter.
Primary VLAN

The primary VLAN is the main VLAN within a configured PVLAN, and other VLANs are nested inside
that VLAN as secondary VLANs. The primary VLAN must be associated with an 802.1Q tag regardless
of whether the PVLAN is configured on a single switch or is configured to span multiple switches. The
primary VLAN is used to forward frames downstream to all secondary VLANs (isolated and
community VLANs).
Secondary VLANs

Secondary VLANs are nested inside the primary VLAN. Secondary VLANs require 802.1Q tags only
when a PVLAN spans multiple switches. The types of secondary VLANs supported on EX Series
switches along with a brief description of each follows:
Community VLAN: A secondary VLAN that transports frames among interfaces within
the same community and forwards frames upstream to the primary VLAN.
Isolated VLAN: A secondary VLAN that receives packets only from the primary VLAN and
forwards frames upstream to the primary VLAN. Isolated VLANs can be used when a
PVLAN is configured on one switch or spans multiple switches in a PVLAN domain.
Inter-switch isolated VLAN: A secondary (internal) VLAN that is used to forward isolated
VLAN traffic from one switch to another through pvlan-trunk ports. We discuss
pvlan-trunk ports on a later slide. Inter-switch isolated VLANs are used when a
PVLAN spans multiple switches.
7/22/2019 AJEX_10.b-R_SG
44/304
Advanced Junos Enterprise Switching
Chapter 220 Advanced Ethernet Switching www.juniper.net
PVLAN Port Designations: Part 1
This slide illustrates and describes some of the PVLAN port designations. We illustrate and describe
the remainder of the port designations on the next slide.
PVLAN Port Designations: Part 2
This slide illustrates and describes the remainder of the PVLAN port designations.
Test Your Knowledge
This slide is designed to test your understanding of PVLAN port accessibility. Remember that only
promiscuous ports (or traffic that has entered the PVLAN domain from a promiscuous port) can
access isolated ports. Because of this rule, only R1 can access the file server in the isolated VLAN.
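As an added example (not part of the course material), the following Python model encodes the PVLAN port-accessibility rule described above; the port names and roles are constructed to mirror the quiz scenario, with R1 on the promiscuous port and the file server on an isolated port.

```python
# Added example (not from the Juniper course material): a small model of the
# PVLAN port-accessibility rule. Port roles and names are constructed.
from itertools import product

PROMISCUOUS = "promiscuous"
ISOLATED = "isolated"
COMMUNITY = "community"   # carries a community name, e.g. ("community", "sales")


def pvlan_allows(src_role, dst_role):
    """Return True if a frame from a port with src_role may be delivered to a
    port with dst_role inside one PVLAN domain.

    Roles are tuples: ("promiscuous", None), ("isolated", None) or
    ("community", <name>).  Rules from the course text:
      * promiscuous ports reach every port, and every port reaches them;
      * community ports additionally reach ports in the *same* community;
      * isolated ports reach nothing else (only the promiscuous ports).
    """
    src_kind, src_name = src_role
    dst_kind, dst_name = dst_role
    if src_kind == PROMISCUOUS or dst_kind == PROMISCUOUS:
        return True
    if src_kind == COMMUNITY and dst_kind == COMMUNITY:
        return src_name == dst_name
    return False   # isolated<->isolated, isolated<->community, different communities


def reachability(ports):
    """ports: {port_name: role}.  Returns {port_name: sorted list of the other
    ports it can send frames to}."""
    result = {p: [] for p in ports}
    for src, dst in product(ports, ports):
        if src != dst and pvlan_allows(ports[src], ports[dst]):
            result[src].append(dst)
    return {p: sorted(v) for p, v in result.items()}


# Constructed port table for the quiz: R1 on the promiscuous port, the file
# server on an isolated port, two hosts in "sales" and one in "finance".
QUIZ_PORTS = {
    "R1":          (PROMISCUOUS, None),
    "file-server": (ISOLATED, None),
    "sales-pc-1":  (COMMUNITY, "sales"),
    "sales-pc-2":  (COMMUNITY, "sales"),
    "finance-pc":  (COMMUNITY, "finance"),
}

if __name__ == "__main__":
    for src, dsts in reachability(QUIZ_PORTS).items():
        print(f"{src:12} -> {', '.join(dsts) or '(nothing)'}")
```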
Case Study: Topology and Objectives
The slide displays the topology and objectives for our case study.
Configuring PVLANs: Part 1
This slide shows a portion of the required PVLAN configuration for our case study. Here we illustrate
the configuration associated with the primary VLAN, named pvlan-100. Note that the configuration associated with the isolation VLAN is defined within the primary VLAN. All access ports
(ge-0/0/8.0 on AS-1 in our example) defined within the primary VLAN are considered isolation ports
and are associated with the isolation VLAN-ID.
In our example the VLAN-ID associated with the primary VLAN is 100 while the VLAN-ID associated
with the isolation VLAN is 30. The isolation VLAN-ID is configured under the primary VLAN using the
isolation-id command option. Remember that a VLAN-ID is not always necessary
when implementing a PVLAN. Because this PVLAN spans multiple switches (AS-1 and AS-2) the
inclusion of the isolation-id statement is required.
Configuring PVLANs: Part 2
This slide shows the remainder of the required PVLAN configuration for our case study. Here we
illustrate the configuration associated with the community VLANs, named sales and finance. Note that there are no trunk ports referenced within the community VLAN configuration. All
pvlan-trunk or promiscuous trunk ports are associated with community VLANs through the linking of
the primary and community VLANs. Primary and community VLANs are linked through the
primary-vlan statement as shown on the slide. Note that ge-0/0/6.0 and
ge-0/0/7.0 are both configured as access ports.
Note that isolation and community VLANs do not require a VLAN-ID unless the PVLAN spans multiple
switches. Because the PVLAN spans multiple switches, the inclusion of the VLAN-IDs 10 and 20, for
the sales and finance community VLANs respectively, is required.
Monitoring PVLANs: Part 1
This slide and the next illustrate the basics of monitoring the PVLAN feature. This slide illustrates the
show vlans command, which is helpful in determining port-to-VLAN associations. Note that all
configured pvlan and promiscuous trunk ports should be associated with all secondary VLANs. The
slide shows the expected output on AS-1. The expected output for AS-2 follows:
user@AS-2> show vlans
Name                      Tag     Interfaces
__pvlan_pvlan-100_isiv__  30
                                  ge-0/0/10.0*, ge-0/0/12.0*
default
                                  None
finance                   20
                                  ge-0/0/7.0*, ge-0/0/10.0*, ge-0/0/12.0*
pvlan-100                 100
                                  ge-0/0/6.0*, ge-0/0/7.0*, ge-0/0/10.0*, ge-0/0/12.0*
sales                     10
                                  ge-0/0/6.0*, ge-0/0/10.0*, ge-0/0/12.0*
Monitoring PVLANs: Part 2
This slide illustrates the show vlans extensive command, which provides additional details
related to the PVLAN feature. In the sample output on the slide, we see details related to PVLANs
which indicate that the configured PVLAN spans multiple switches.
Automating VLAN Administration
The slide highlights the topic we discuss next.
Test Your Knowledge: Part 1
This slide and the next are designed to test your understanding of basic bridging operations in an
environment with multiple VLANs. As the slide indicates, all switches are configured to support all
VLANs on their respective trunk ports (the ports interconnecting the switches). Because of this
configuration, all broadcast and unknown unicast traffic sourced and destined within a given VLAN
should be flooded throughout the entire Layer 2 network passing through all access and distribution
switches.
Test Your Knowledge: Part 2
The scenario illustrated in this slide builds on the details covered on the previous slide. In this
example, the end-user device named Host-I, which is connected to the AS-3 switch, is no longer
active (meaning that AS-3 no longer has any active access ports for VLAN 10). Even though AS-3 no
longer has active end-user devices participating in VLAN 10, it will still receive all broadcast and
unknown unicast traffic associated with VLAN 10 because of the current configurations on the
connected switches.
In order to stop this unwanted traffic from being flooded on to AS-3, you must modify the
configurations on the connected distribution switches (DS-1 and DS-2) so that their trunk ports,
which connect to AS-3, no longer service VLAN 10.
Introducing MVRP
To simplify VLAN management you can enable Multiple VLAN Registration Protocol (MVRP) on your
EX Series Ethernet Switches. MVRP dynamically manages VLAN registration in a LAN. MVRP helps
reduce administration and network overhead by dynamically pruning VLAN information when a
switch no longer has active access ports for a configured VLAN. In addition to the pruning
functionality, MVRP can also be used to dynamically create VLANs in switching networks.
MVRP is an application protocol of the Multiple Registration Protocol (MRP) and is defined in the
IEEE 802.1ak standard. MRP and MVRP were designed by Institute of Electrical and Electronics
Engineers (IEEE) to perform the same functions as Generic Attribute Registration Protocol (GARP)
and GARP VLAN Registration Protocol (GVRP). MRP and MVRP overcome some GARP and GVRP
limitations, in particular limitations involving bandwidth usage and convergence time in large
networks with large numbers of VLANs.
MVRP was created by IEEE as a replacement application for GVRP. EX Series switches support MVRP
and GVRP; however, MVRP and GVRP cannot be enabled at the same time to share VLAN
information. We do not cover GVRP in this course.
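To show how MVRP pruning arrives at the answer given in the Test Your Knowledge scenario above (VLAN 10 disappearing from the trunks toward AS-3 once Host-I is gone), here is an added Python model; it is not part of the course material. The switch names come from the scenario, but the tree topology and the VLAN memberships are constructed, and the model assumes the loop-free post-STP topology (AS-3's second uplink is treated as blocked and omitted).

```python
# Added example (not from the Juniper course material): a model of how MVRP
# declarations propagate and how pruning decides what a trunk must carry.
from collections import defaultdict


def mvrp_declarations(links, active_vlans):
    """Compute the fixpoint of MVRP declarations.

    links:        iterable of (switch_a, switch_b) trunk links forming the
                  loop-free (post-STP) active topology.
    active_vlans: {switch: set of VLAN IDs with active access ports}.

    Returns {(switch, peer): set of VLANs `switch` declares toward `peer`}.
    A switch declares a VLAN on a trunk if it has active access ports in that
    VLAN, or if the VLAN is registered (declared by a neighbour) on any of its
    *other* trunks.  This is the propagation rule that carries a declaration
    across the network and withdraws it when the last access port disappears.
    """
    neighbours = defaultdict(set)
    for a, b in links:
        neighbours[a].add(b)
        neighbours[b].add(a)
    decl = {(s, p): set() for s in neighbours for p in neighbours[s]}
    changed = True
    while changed:                                   # iterate to a fixpoint
        changed = False
        for s in neighbours:
            for p in neighbours[s]:
                want = set(active_vlans.get(s, ()))
                for other in neighbours[s] - {p}:
                    want |= decl[(other, s)]         # registrations on other trunks
                if want != decl[(s, p)]:
                    decl[(s, p)] = want
                    changed = True
    return decl


def forwarded_vlans(links, active_vlans, switch, peer):
    """VLANs that `switch` floods toward `peer` on their trunk: exactly the
    VLANs `peer` declared, i.e. the ones registered on switch's port."""
    return mvrp_declarations(links, active_vlans)[(peer, switch)]


# Constructed tree: AS-1 hangs off DS-1; AS-2 and AS-3 hang off DS-2; the two
# distribution switches are linked.
LINKS = [("AS-1", "DS-1"), ("DS-1", "DS-2"), ("AS-2", "DS-2"), ("AS-3", "DS-2")]
BEFORE = {"AS-1": {10, 20}, "AS-2": {20}, "AS-3": {10}}    # Host-I still active
AFTER = {"AS-1": {10, 20}, "AS-2": {20}, "AS-3": set()}    # Host-I gone

if __name__ == "__main__":
    for label, state in (("before", BEFORE), ("after", AFTER)):
        print(label,
              "DS-2 -> AS-3:", forwarded_vlans(LINKS, state, "DS-2", "AS-3"),
              "DS-1 -> DS-2:", forwarded_vlans(LINKS, state, "DS-1", "DS-2"))
```

Note that VLAN 10 is pruned not only from the DS-2 trunk toward AS-3 but also from the DS-1 to DS-2 link, because nothing beyond DS-2 declares it any more.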
Exchanging VLAN Membership Information
MVRP uses protocol data units (PDUs) to send VLAN registration information which includes the
current VLAN membership details of the sending switch. The VLAN membership information is used
to communicate which switches are members of which VLANs and which switch interfaces are in
which VLAN. MVRP shares all information in the PDU with all switches participating in MVRP in the
switching network.
MVRP stays synchronized using these PDUs. The MVRP PDUs are sent to other switches on the
network only when an MVRP state change occurs. Switches participating in MVRP receive these
PDUs during state changes and update their MVRP states accordingly. MVRP timers dictate when
PDUs can be sent and when switches receiving MVRP PDUs can update their MVRP information.
MVRP registration and updates are controlled by timers that are part of the MRP protocol. These timers are set on a per-interface basis and define when MVRP PDUs can be sent and when MVRP
information can be updated on a switch. The following timers are used to control MVRP operations:
Join: Controls the interval for the next MVRP PDU transmit opportunity.
Leave: Controls the period of time that an interface on the switch waits in the Leave state before changing to the unregistered state.
LeaveAll: Controls the frequency with which the interface generates LeaveAll messages.
Continued on the next page.
Exchanging VLAN Membership Information (Contd.)
VLAN information is distributed as part of the MVRP message exchange process and can be used to
dynamically create VLANs, which are VLANs created on one switch and propagated to other switches
as part of the MVRP message exchange process. Dynamic VLAN creation using MVRP is enabled by
default but can be disabled.
MVRP uses MRP messages to register and declare MVRP states for a switch and to inform the
switching network of state changes. These messages are included in the PDUs and communicate
state information to the other switches in the network. The following messages are communicated
for MVRP:
Empty: VLAN information is not being declared and is not registered.
In: VLAN information is not being declared but is registered.
JoinEmpty: VLAN information is being declared but not registered.
JoinIn: VLAN information is being declared and is registered.
Leave: VLAN information that was previously registered is being withdrawn.
LeaveAll: All registrations will be de-registered. Participants that want to participate in MVRP will need to re-register.
New: VLAN information is new and possibly not previously registered.
To ensure VLAN membership information is current, MVRP uses the MRP messages to remove switches and interfaces that are no longer available from the VLAN information. Pruning VLAN
information limits the network VLAN configuration to active participants only, reducing network
overhead. Pruning VLAN information also targets the scope of broadcast, unicast with unknown
destination, and multicast (BUM) traffic to interested devices only.
MVRP is disabled by default on all EX Series switches. You can configure MVRP on EX Series switch
interfaces to participate in MVRP for the switching network. MVRP can only be enabled on trunk
interfaces, and dynamic VLAN configuration through MVRP is enabled by default when MVRP is
enabled. We cover MVRP configuration on a subsequent slide. Note that MVRP does not support all
spanning tree protocols. Currently, MVRP does not support the VLAN Spanning Tree Protocol (VSTP).
A Starting Point
When implementing MVRP, you should ensure that all required VLANs are configured on the access
switches and that the access ports are associated with their respective VLANs. We illustrate a basic
starting point configuration for the AS-1 switch on the slide. Note that the sample configuration is
trimmed for brevity and that the AS-2 switch requires a similar configuration.
Also worth noting is that none of the trunk ports, on any of the participating switches, should be
associated with the configured VLANs. The trunk ports must still be configured under the [edit interfaces] hierarchy level as trunk ports, but they will not be manually associated with VLANs. MVRP will make the needed associations once it is enabled.
Enabling MVRP
This slide illustrates the required configuration used to enable MVRP. Note that MVRP is only
enabled on the trunk ports of all participating switches. Once MVRP is enabled, dynamic VLAN
configuration information will be shared and created on participating switches. You can disable
dynamic VLAN configuration using the no-dynamic-vlan statement as shown below:
[edit protocols]
user@AS-1# show
mvrp {
    no-dynamic-vlan;
    interface ge-0/0/14.0;
}
Continued on the next page.
Enabling MVRP (Contd.)
Remember that MVRP registration and updates are controlled by timers, which are part of MRP.
These timers are set on a per-interface basis and define when MVRP PDUs can be sent and when
MVRP information can be updated. If needed, you can adjust the timers as shown below:
[edit protocols]
user@AS-1# set mvrp interface ge-0/0/14.0 ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  disable              Disable MVRP on this interface
  join-timer           Join timer interval (200..4294967295 milliseconds)
  leave-timer          Leave timer interval (600..4294967295 milliseconds)
  leaveall-timer       LeaveAll timer interval (10000..4294967295 milliseconds)
  registration         Registration mode
  |                    Pipe through a command
The default MVRP timer values are 200 ms for the join timer, 1000 ms for the leave timer, and
10000 ms for the leaveall timer. Unless there is a compelling reason to make a change, we
recommend you use the default timer settings. Modifying timers to inappropriate values might cause
an imbalance in MVRP operations.
Monitoring MVRP: Part 1
This and the next two slides highlight some key monitoring commands used when verifying MVRP
operations. This slide illustrates the use of the show mvrp command, which is used to monitor
MVRP status along with message and timer information on a per-interface basis.
Monitoring MVRP: Part 2
This slide illustrates the show mvrp dynamic-vlan-memberships and the show vlans
commands, which are used to view dynamic VLAN membership information.
Monitoring MVRP: Part 3
This slide illustrates the show mvrp statistics command, which is used to view MVRP
statistics on a per-interface basis.
Tunneling Layer 2 Traffic
The slide highlights the topic we discuss next.
Today's Connectivity Requirements
IEEE 802.1Q VLAN tagging makes it possible for a customer's bridged network to scale. Instead of
needing to add more bridging equipment to a growing network, VLAN tagging allows for the logical
separation of a bridged network into many broadcast domains (or VLANs). With a 12-bit VLAN ID field,
4094 VLANs are available for use on a single physical Ethernet network.
Because of its simple nature, service provider customers generally understand Ethernet. For a long
time, service providers have searched for ways to deliver Ethernet virtual connections (EVCs) to the
customer premises. To a customer, an EVC between two sites should appear as a simple Ethernet link or
VLAN through the service provider's network. IEEE 802.1Q VLAN tagging does not provide the scalability
service providers require to deliver that type of service.
Continued on next page.
Today's Connectivity Requirements (Contd.)
From the service provider's point of view, the following is a list of some of the scaling issues that might
arise:
Because only one VLAN tag field exists in an 802.1Q frame, customers and the service
provider need to coordinate the use of VLAN ID space. Considering that a service provider
might have thousands of customers, this coordination would be an overly extreme effort.
To pass Ethernet frames between customer sites, the service provider bridges must learn
customer MAC addresses. Maintaining a bridge table for internal MAC addresses as well as
the MAC addresses of each customer can be a daunting task for some bridges and might
be too much to handle.
To provide redundant links between customers and the service provider, running a form of
the Spanning Tree Protocol (STP), which is generally not a viable solution, might be
necessary. The STPs of today cannot scale to support all service provider and customer
bridges of the world in a single spanning-tree domain.
Addressing the Challenges
Q-in-Q tunneling is defined under IEEE 802.1ad. It was developed to allow a service provider to provide
more scalable EVC service to its customers. IEEE 802.1ad has standardized the methodology of
stacking VLAN tags. The slide shows the frame format that the standard introduced.
The standard gives a new name to the 802.1Q VLAN tag: the Customer VLAN (C-VLAN) tag (C-TAG). It
also introduces a new tag named the Service VLAN (S-VLAN) tag (S-TAG). By adding the S-TAG to the
frame, much less coordination is necessary between the customer and the service provider. At the
customer site, the customer can continue to use 802.1Q tagging using C-VLAN IDs that are relevant only
to their network (not the service provider's network). As 802.1Q-tagged frames arrive at the edge of the
service provider's bridged network, the provider edge bridge adds an S-TAG to the frame. The S-TAG,
using a single S-VLAN ID, can carry any or all of the 4094 C-VLANs that are possibly in use by the
customer.
A typical provider bridged network using Q-in-Q tunneling provides for C-VLAN tagging and forwarding
at the edge of the network using the ports that face the customer. For all ports that face the core of
the provider bridged network, the provider bridges forward based only on the S-VLAN tag. In the
simplest case, a service provider can allocate a single S-VLAN ID to represent each of its individual
customers, which allows the service provider to potentially support up to 4094 customers. IEEE
802.1ad also allows for the translating of S-VLAN IDs at the edge of a service provider's bridged
network, which helps in the coordination of VLAN ID usage between service providers.
Continued on next page.
Addressing the Challenges (Contd.)
Although IEEE 802.1ad helps to solve the issue of the limited VLAN ID space that we discussed in
relation to IEEE 802.1Q tagging, it does not solve the MAC learning problem. That is, for frames to be
forwarded between bridges in the service provider's network, the bridges each must learn and store
MAC addresses learned from the customer networks. A service provider can help alleviate this problem
by limiting the number of learned MAC addresses or charging the customer more for the EVC service if
they exceed the MAC address limit.
IEEE 802.1ad TAG Formats
The slide shows the S-TAG and C-TAG formats defined under IEEE 802.1ad. Note that the C-TAG remains
identical to the IEEE 802.1Q VLAN tag. The S-TAG is similar, but a few fields have been redefined. For
example, because the Canonical Format Indicator (CFI) field in the C-TAG is rarely used (it is intended for
token ring networks), it has been redefined in the S-TAG to represent a frame's eligibility to be dropped. The
Drop Eligibility Indicator (DEI) is used for class of service. Also, IEEE 802.1ad has reserved a Tag Protocol
Identifier (TPID) of 0x88A8 for the S-TAG.
Key Terminology for Provider Bridged Networks
The following terms are used in a provider bridged network:
Provider Bridged Network: A network of provider bridges that provide transparent EVC
service to the service provider's customers.
Provider Bridge: A bridge in the service provider's network that performs IEEE 802.1ad
VLAN tagging and forwarding. These bridges learn and store the MAC addresses of the
service provider's customers.
Provider Edge Bridge: Accepts and forwards IEEE 802.1Q frames to and from customers.
These bridges also encapsulate the received customer frames using the IEEE 802.1ad
format to forward customer frames across the provider bridged network.
S-VLAN Bridge: A nonedge provider bridge that forwards frames based only on the S-VLAN
tag.
Customer Edge Port: A port on a provider edge bridge that connects to customer
equipment and receives and transmits C-VLAN tagged frames. These are access ports.
Provider Network Port: A port on a provider edge bridge that receives and transmits S-VLAN
tagged frames. These are trunk ports.
Frame Processing Example: Part 1
In the example, the service provider delivers an Ethernet circuit to each of the customer premises. To
provide connectivity between Customer Bridge 1 and Customer Bridge 2, the customer must enable
IEEE 802.1Q VLAN tagging using VLAN ID 100 on the service provider-facing ports. The service provider has
allocated an S-VLAN tag of 200 to transparently forward the customer's frames across its network. We
evaluate the required configuration, from the service provider's perspective, on a subsequent slide. On
the next several slides we look at the frame processing steps for traffic traversing a Q-in-Q tunnel.
Frame Processing Example: Part 2
When C-VLAN-tagged frames arrive at Bridge A, Bridge A performs a MAC-table lookup based on the
customer's assigned VLAN (VLAN-ID 200). If Bridge A has previously learned the destination MAC
address of the frame, it forwards the frame to the appropriate outbound interface (ge-0/0/10.0 in this
case) and adds the outer S-VLAN tag of 200 on to the frame before sending the frame to the next bridge.
The act of adding an outer tag to the frame is known as a push operation.
Note that if Bridge A did not previously learn the destination MAC address of the frames, it floods the
frame out of every other interface associated with the VLAN assigned to the customer except for the
interface on which the frame was originally received.
Frame Processing Example: Part 3
When S-VLAN-tagged frames arrive at Bridge C (an S-VLAN bridge), Bridge C performs a MAC-table
lookup based on the VLAN associated with the customer (VLAN-ID 200). If Bridge C has previously
learned the destination MAC address of the frame, it forwards the frame to the appropriate outbound
interface (ge-0/0/16.0 in this case) and the interface sends the frame unchanged to the next bridge.
Frame Processing Example: Part 4
When S-VLAN-tagged frames arrive at Bridge D, Bridge D pops the S-VLAN tag and performs a MAC-table
lookup based on the C-VLAN tag. If Bridge D has previously learned the destination MAC address of the
frame, it forwards the frame to the appropriate outbound interface (ge-0/0/0.0 in this case) and the
interface sends the C-tagged frame to the attached customer bridge.
Frame Processing Example: Part 5
The slide shows the frame format of the Ethernet frame as it arrives at Customer Bridge 2. Note that the
frame looks exactly as it did when Customer Bridge 1 transmitted it. At this point, Customer Bridge 2 will
perform its own MAC-table lookup and forward the frame on to its intended destination, if known. If
the destination MAC address is unknown, Customer Bridge 2 will flood the frame out all other interfaces
associated with VLAN-ID 100.
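The push at Bridge A and the pop at Bridge D, carried out on raw frame bytes, as an added example that is not part of the course material. It uses the S-TAG TPID 0x88A8 and C-TAG TPID 0x8100 from the tag format slide; the frame bytes, MAC addresses and payload are constructed, and the pop refuses to strip anything but an S-TAG so the customer's C-TAG can never be lost.

```python
# Added example (not from the Juniper course material): parsing and rewriting
# the 802.1ad tag stack of a raw Ethernet frame.  Frame contents are constructed.
import struct
from dataclasses import dataclass

TPID_CTAG = 0x8100   # IEEE 802.1Q customer tag
TPID_STAG = 0x88A8   # IEEE 802.1ad service tag
TAG_TPIDS = {TPID_CTAG, TPID_STAG}


@dataclass(frozen=True)
class VlanTag:
    tpid: int
    pcp: int    # 3-bit priority code point
    dei: int    # 1 bit: CFI in a C-TAG, Drop Eligibility Indicator in an S-TAG
    vid: int    # 12-bit VLAN ID

    @property
    def kind(self):
        return "S-TAG" if self.tpid == TPID_STAG else "C-TAG"

    def to_bytes(self):
        tci = (self.pcp << 13) | (self.dei << 12) | (self.vid & 0x0FFF)
        return struct.pack("!HH", self.tpid, tci)


def parse_tags(frame):
    """Return (tags outer-to-inner, payload EtherType) for a frame that starts
    with the 6-byte destination and source MAC addresses."""
    pos = 12                                   # skip DA + SA
    tags = []
    while pos + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, pos)
        if tpid not in TAG_TPIDS:
            break                              # reached the real EtherType
        tags.append(VlanTag(tpid, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        pos += 4
    ethertype = struct.unpack_from("!H", frame, pos)[0] if pos + 2 <= len(frame) else None
    return tags, ethertype


def push_stag(frame, svid, pcp=0, dei=0):
    """Provider edge ingress (Bridge A): add an outer S-TAG, keep the C-TAG."""
    if not 1 <= svid <= 4094:
        raise ValueError("S-VLAN ID must be 1..4094")
    return frame[:12] + VlanTag(TPID_STAG, pcp, dei, svid).to_bytes() + frame[12:]


def pop_stag(frame):
    """Provider edge egress (Bridge D): remove the outer S-TAG only."""
    tags, _ = parse_tags(frame)
    if not tags or tags[0].tpid != TPID_STAG:
        raise ValueError("outermost tag is not an S-TAG")
    return frame[:12] + frame[16:]


# Constructed customer frame: DA, SA, C-TAG with VID 100, IPv4 EtherType and a
# few dummy payload bytes (locally administered MAC addresses).
CUSTOMER_FRAME = (bytes.fromhex("020000000002")             # destination MAC
                  + bytes.fromhex("020000000001")           # source MAC
                  + VlanTag(TPID_CTAG, 0, 0, 100).to_bytes()
                  + bytes.fromhex("0800")                   # IPv4 EtherType
                  + b"\x45\x00\x00\x14")                    # start of an IPv4 header

if __name__ == "__main__":
    tunnelled = push_stag(CUSTOMER_FRAME, 200)
    print([f"{t.kind} {t.vid}" for t in parse_tags(tunnelled)[0]])   # ['S-TAG 200', 'C-TAG 100']
    print(pop_stag(tunnelled) == CUSTOMER_FRAME)                      # True
```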
Configuring Q-in-Q Tunneling
This slide illustrates a basic Q-in-Q tunneling configuration for EX Series Switches. Depending on your
requirements, you can map C-VLANs to an S-VLAN in three different ways. You can use the all-in-one
bundling approach which takes all traffic from all access interfaces and maps that traffic to the
defined S-VLAN regardless of the C-VLAN tag. This configuration method is shown on the slide.
The second method you can use is the many-to-one bundling approach which maps only the defined
C-VLAN tags to the configured S-VLAN. You use the customer-vlans option to specify which
C-VLANs are mapped to the S-VLAN as shown in the configuration example below:
[edit vlans]
user@Bridge-A# show
v200 {
    vlan-id 200;
    interface {
        ge-0/0/0.0;
        ge-0/0/10.0;
    }
    dot1q-tunneling {
        customer-vlans [ 100 160 ];
    }
}
Continued on the next page.
Configuring Q-in-Q Tunneling (Contd.)
The third mapping option allows you to assign an S-VLAN to a specific C-VLAN on an interface. This
method uses the mapping option, which is referenced with the incoming interface. This mapping
approach uses two options for the treatment of traffic: push and swap. When traffic, mapped to a
specific interface, is pushed, the traffic retains its tag as it moves between the C-VLAN and S-VLAN
and an additional VLAN tag is added to the frame. When traffic mapped to a specific interface is
swapped, the incoming tag is replaced with a new VLAN tag. Using the swap option is also referred
to as VLAN ID translation. A basic configuration example is provided below:
[edit vlans]
user@Bridge-A# show
v200 {
    vlan-id 200;
    interface {
        ge-0/0/10.0;
        ge-0/0/13.0 {
            mapping {
                100 {
                    push;
                }
            }
        }
    }
    dot1q-tunneling;
}
In the illustrated configuration example, traffic with a C-VLAN tag of 100 entering ge-0/0/13.0, which
is a customer-facing access interface, will receive an outer tag (S-VLAN tag) of 200. If traffic with any
other VLAN-ID enters the ge-0/0/13.0 interface, no such mapping will take effect.
If you configure multiple mapping methods, the switch gives priority to the interface-specific mapping
method, then to the many-to-one bundling method, and last to the all-in-one bundling method. Note
that while you can configure multiple mapping methods, you cannot have overlapping rules for the
same C-VLAN under a given approach.
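The three mapping approaches and their priority order, worked as an added Python example (not the course's or the switch's own logic). The v200 entry mirrors the many-to-one configuration shown above; the v300 S-VLAN and its swap rule are constructed, and the dictionary layout and the treatment of an interface with no customer-vlans as all-in-one are this example's own assumptions.

```python
# Added example (not from the Juniper course material): resolve which
# C-VLAN-to-S-VLAN mapping applies to an ingress frame and reject overlaps.


def check_overlaps(vlans):
    """Reject overlapping rules within one approach: two S-VLANs bundling the
    same C-VLAN, the same (interface, C-VLAN) interface mapping, or the same
    interface bundled all-in-one twice.  Raises ValueError, like a failed commit."""
    seen_many, seen_map, seen_all = {}, {}, {}
    for name, v in vlans.items():
        if not v.get("dot1q_tunneling"):
            continue
        for cvid in v.get("customer_vlans", []):
            if cvid in seen_many:
                raise ValueError(f"C-VLAN {cvid} bundled by both {seen_many[cvid]} and {name}")
            seen_many[cvid] = name
        for iface, rules in v.get("mapping", {}).items():
            for cvid in rules:
                if (iface, cvid) in seen_map:
                    raise ValueError(f"{iface}/{cvid} mapped by both {seen_map[(iface, cvid)]} and {name}")
                seen_map[(iface, cvid)] = name
        if not v.get("customer_vlans"):                  # all-in-one members
            for iface in v["interfaces"]:
                if iface in seen_all:
                    raise ValueError(f"{iface} bundled all-in-one by both {seen_all[iface]} and {name}")
                seen_all[iface] = name


def resolve(vlans, iface, cvid):
    """Return the resulting tag stack (outer first) for a frame carrying C-VLAN
    `cvid` that enters `iface`, or None if no mapping applies.
    Priority: interface-specific mapping > many-to-one > all-in-one."""
    # 1. interface-specific mapping: push keeps the C-TAG, swap replaces it
    for v in vlans.values():
        action = v.get("mapping", {}).get(iface, {}).get(cvid)
        if action == "push":
            return [v["vlan_id"], cvid]
        if action == "swap":
            return [v["vlan_id"]]
    # 2. many-to-one bundling: only the listed C-VLANs receive the S-TAG
    for v in vlans.values():
        if (v.get("dot1q_tunneling") and iface in v["interfaces"]
                and cvid in v.get("customer_vlans", [])):
            return [v["vlan_id"], cvid]
    # 3. all-in-one bundling: every C-VLAN on a member access interface
    for v in vlans.values():
        if (v.get("dot1q_tunneling") and iface in v["interfaces"]
                and not v.get("customer_vlans")):
            return [v["vlan_id"], cvid]
    return None


CONFIG = {
    # from the slide: C-VLANs 100 and 160 bundled many-to-one into S-VLAN 200
    "v200": {"vlan_id": 200, "interfaces": ["ge-0/0/0.0", "ge-0/0/10.0"],
             "dot1q_tunneling": True, "customer_vlans": [100, 160]},
    # constructed: swap C-VLAN 100 on ge-0/0/13.0 into S-VLAN 300 (VLAN ID
    # translation); ge-0/0/10.0 is bundled all-in-one into S-VLAN 300
    "v300": {"vlan_id": 300, "interfaces": ["ge-0/0/10.0"], "dot1q_tunneling": True,
             "mapping": {"ge-0/0/13.0": {100: "swap"}}},
}

if __name__ == "__main__":
    check_overlaps(CONFIG)
    for iface, cvid in [("ge-0/0/0.0", 100), ("ge-0/0/0.0", 150),
                        ("ge-0/0/13.0", 100), ("ge-0/0/10.0", 150), ("ge-0/0/10.0", 100)]:
        print(iface, cvid, "->", resolve(CONFIG, iface, cvid))
```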
Note that Q-in-Q tunneling does not support most access port security features. There is no per-VLAN
(customer) policing or per-VLAN (outgoing) shaping and limiting with Q-in-Q tunneling unless you configure these security features using firewall filters. For more information, refer to the technical
publications for your specific product. If Q-in-Q tunneling is configured, you will need to enable Q-in-Q
tunneling on all VLANs serviced by the trunk ports or alternatively change the Ethernet-type setting
as shown in the following sample output:
[edit]
user@switch# commit
error: Trunk interface can not be member of both dot1q-tunneling enabled vlan , and a non dot1q-tunneled vlan when dot1q-tunneling ethernet-type is not
error: configuration check-out failed

[edit]
user@switch# set ethernet-switching-options dot1q-tunneling ether-type 0x8100

[edit]
user@switch# commit
configuration check succeeds
commit complete
Monitoring Q-in-Q Tunneling
As shown on the slide, you can use the show vlans and show ethernet-switching
interfaces commands to verify Q-in-Q tunneling.
Tunneling Layer 2 Protocols
While Q-in-Q tunneling does tunnel Layer 2 traffic across a provider bridged network, it does not, by
itself, effectively tunnel Layer 2 protocol traffic. Layer 2 protocol tunneling (L2PT) allows you to send
Layer 2 PDUs across a service provider network and between customer edge switches connected
through a service provider network. L2PT is useful when you want to run Layer 2 protocols on a
network that includes switches located at remote sites that are connected across a service provider
network.
L2PT encapsulates Layer 2 PDUs, tunneling them across a service provider network, and
decapsulates them for delivery to their destination switches. L2PT encapsulates Layer 2 PDUs by
enabling the ingress provider edge bridge to rewrite the PDUs' destination MAC addresses before
forwarding them onto the service provider network. The provider bridges treat the encapsulated
PDUs as multicast Ethernet packets. Upon receipt of the PDUs, the egress provider edge bridge
decapsulates them by replacing the destination MAC addresses with the address of the Layer 2
protocol that is being tunneled before forwarding the PDUs to their destination customer edge
switch.
Continued on the next page.
Tunneling Layer 2 Protocols (Contd.)
The EX Series implementation of L2PT supports the following Layer 2 protocols:
802.1X authentication
802.3ah Operation, Administration, and Maintenance (OAM) link fault management
(LFM)
Cisco Discovery Protocol (CDP)
Ethernet local management interface (E-LMI)
GVRP
Link Aggregation Control Protocol (LACP)
Link Layer Discovery Protocol (LLDP)
Multiple MAC Registration Protocol (MMRP)
MVRP
Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple
Spanning Tree Protocol (MSTP)
Unidirectional Link Detection (UDLD)
VLAN Spanning Tree Protocol (VSTP)
VLAN Trunking Protocol (VTP).
Configuring L2PT: Part 1
L2PT is configured under the [edit vlans vlan-name dot1q-tunneling] hierarchy. This means Q-in-Q tunneling must also be enabled when implementing L2PT. When you enable L2PT on a
VLAN, any specified Layer 2 protocols are disabled on the access ports, which are considered
customer-facing.
Access interfaces in an L2PT-enabled VLAN should not receive L2PT-tunneled PDUs. If L2PT PDUs
are received on an access interface, the switch reacts as if there is a loop between the service
provider network and the customer network and shuts down (disables) the access interface.
As previously mentioned and illustrated on the slide, L2PT supports several Layer 2 protocols. Note
that some of these protocols, when enabled, have special considerations and caveats. Some of
these considerations and caveats are listed below:
If you enable L2PT for untagged OAM LFM packets, do not configure LFM on the
corresponding access interface.
If you enable L2PT for untagged LACP packets, do not configure LACP on the
corresponding access interface.
CDP, UDLD, and VTP cannot be configured on EX Series switches. L2PT does, however,
tunnel CDP, UDLD, and VTP PDUs.
You cannot configure L2PT and VLAN translation (using the mapping statement) on
the same VLAN. You can, however, configure L2PT on one VLAN and VLAN translation on
a different VLAN that does not have L2PT enabled.
Configuring L2PT: Part 2
If the tunneled Layer 2 PDUs arrive at a high rate, your network might be experiencing a problem. In
this situation, you would likely want the interface receiving the high rate of tunneled Layer 2 PDUs to
shut down so the problem can be isolated. If you do not want to completely shut down the interface,
you can configure the switch to drop tunneled Layer 2 PDUs that exceed a certain threshold.
The drop-threshold configuration statement allows you to specify the maximum number of
Layer 2 PDUs of the specified protocol that can be received per second on the interfaces in a
specified VLAN before the switch begins dropping the Layer 2 PDUs. The drop threshold must be less
than or equal to the shutdown threshold, if configured. If the drop threshold is greater than the
shutdown threshold, the commit operation will fail.
The shutdown-threshold configuration statement allows you to define the maximum number of
Layer 2 PDUs of the specified protocol that can be received per second on the interfaces in a
specified VLAN before the specified interface is disabled. The shutdown threshold must be greater
than or equal to the drop threshold. You can define a drop threshold without specifying a shutdown
threshold, and you can specify a shutdown threshold without specifying a drop threshold. If you do
not specify these thresholds, then no thresholds are enforced and, as a result, the switch tunnels all
Layer 2 PDUs regardless of the frequency at which they are received.
Once an interface is disabled, you can reenable it using the clear ethernet-switching
layer2-protocol-tunneling error command.
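The threshold rules just described (drop above the drop threshold, disable the interface above the shutdown threshold, reject a commit whose drop threshold exceeds the shutdown threshold, tunnel everything when no threshold is set) can be modelled to check one's understanding before touching a switch. The following is an added example written for this guide, not Junos code or output; the interface names, protocol names and PDU timings in it are constructed, and the one-second counting window is an assumption that mirrors the "per second" wording above.

```python
"""Model of the L2PT drop-threshold / shutdown-threshold behaviour.

Added example, not Junos code. Interface names, protocol names and PDU
timings are constructed; the one-second counting window is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class CommitError(ValueError):
    """Raised when a configuration would be rejected at commit time."""


@dataclass
class ProtocolThresholds:
    """Per-protocol drop-threshold / shutdown-threshold (None = not configured)."""
    drop_threshold: Optional[int] = None
    shutdown_threshold: Optional[int] = None


@dataclass
class L2ptVlan:
    """L2PT state for one VLAN: tunneled protocols, disabled interfaces, PDU counters."""
    protocols: Dict[str, ProtocolThresholds]
    disabled: Set[str] = field(default_factory=set)
    # (interface, protocol, one-second window) -> PDUs received in that window
    counters: Dict[tuple, int] = field(default_factory=lambda: defaultdict(int))
    log: List[str] = field(default_factory=list)

    def commit_check(self) -> None:
        """Reject a drop threshold that exceeds the shutdown threshold, as commit does."""
        for name, t in self.protocols.items():
            if (t.drop_threshold is not None and t.shutdown_threshold is not None
                    and t.drop_threshold > t.shutdown_threshold):
                raise CommitError(
                    f"{name}: drop-threshold {t.drop_threshold} exceeds "
                    f"shutdown-threshold {t.shutdown_threshold}")

    def receive_pdu(self, interface: str, protocol: str, t: float) -> str:
        """Classify one tunneled PDU arriving at time t (seconds) on interface."""
        if interface in self.disabled:
            return "disabled"
        thresholds = self.protocols[protocol]   # only tunneled protocols are counted
        key = (interface, protocol, int(t))
        self.counters[key] += 1
        rate = self.counters[key]
        if thresholds.shutdown_threshold is not None and rate > thresholds.shutdown_threshold:
            self.disabled.add(interface)
            self.log.append(f"{interface}: {protocol} at {rate} PDU/s exceeded "
                            f"shutdown-threshold {thresholds.shutdown_threshold}; interface disabled")
            return "disabled"
        if thresholds.drop_threshold is not None and rate > thresholds.drop_threshold:
            return "dropped"
        return "tunneled"

    def clear_error(self, interface: str) -> None:
        """Re-enable an interface, like 'clear ethernet-switching layer2-protocol-tunneling error'."""
        self.disabled.discard(interface)


def burst(vlan: L2ptVlan, interface: str, protocol: str, pdus: int) -> Dict[str, int]:
    """Deliver `pdus` evenly spaced PDUs within one second and count each outcome."""
    outcomes = {"tunneled": 0, "dropped": 0, "disabled": 0}
    for i in range(pdus):
        outcomes[vlan.receive_pdu(interface, protocol, i / pdus)] += 1
    return outcomes


if __name__ == "__main__":
    vlan = L2ptVlan({"stp": ProtocolThresholds(drop_threshold=5, shutdown_threshold=10)})
    vlan.commit_check()
    print(burst(vlan, "ge-0/0/1.0", "stp", 12))
    print(vlan.log)
```

With drop-threshold 5 and shutdown-threshold 10, a burst of twelve STP PDUs in one second yields five tunneled, five dropped and the interface disabled on the eleventh; a VLAN with no thresholds tunnels the whole burst.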
Monitoring L2PT: Part 1
This slide and the next provide key commands used to monitor L2PT. As shown on the slide, you can
use the show vlans extensive command to verify the state of L2PT. For proper L2PT
operations, the Dot1q tunneling and L2PT status should both show enabled.
Monitoring L2PT: Part 2
This slide shows the various show ethernet-switching layer2-protocol-tunneling
commands, which can be helpful when monitoring L2PT operations.
This Chapter Discussed:
Implementation of filter-based VLAN assignments;
Restricting traffic flows within a VLAN;
Management of dynamic VLAN registration; and
Tunneling Layer 2 traffic through Ethernet networks.
Review Questions
1.
2.
3.
4.
Lab 1: Advanced Ethernet Switching
The slide provides the objective for this lab.
Chapter 3: Advanced Spanning Tree
This Chapter Discusses:
The purpose and operations of a spanning tree;
How to implement multiple spanning tree instances in a network; and
How to implement one or more spanning tree instances for a virtual LAN (VLAN).
Spanning Tree Review
The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.
What If...?
Switches flood broadcast frames and frames for unknown media access control (MAC) addresses
out all ports except the port on which those frames were received. In Layer 2 networks with
redundant paths, such as the one illustrated on the slide, switches will continuously flood these
types of frames throughout the network. When a frame is continuously flooded throughout a Layer 2
network, a Layer 2 loop exists. Layer 2 loops can be extremely harmful to a network's operation and
should be avoided. To avoid Layer 2 loops, you must implement a Layer 2 loop-prevention
mechanism such as the Spanning Tree Protocol (STP) or Rapid Spanning Tree Protocol (RSTP). We
discuss some alternatives to STP and RSTP in subsequent sections in this chapter.
Factory Default Configuration and RSTP
RSTP is enabled by default on EX Series switches. RSTP helps ensure a loop-free Layer 2 topology in
environments where redundant paths exist. To establish a loop-free path, RSTP elects one of the
participating switches as the root bridge. Based on the election results, each switch determines the
role and state of its switch ports. As illustrated on the slide, the root bridge election and
determination of every switch port's role and state provide a loop-free path throughout the network.
We covered the election process and port roles and states in detail in the Junos Enterprise Switching
course. We provide a basic review of these details on subsequent slides.
Test Your Knowledge: Part 1
This slide is designed to test your understanding of the various configuration options and how they
relate to the root bridge election process. As shown in the following output, you can use the show
spanning-tree bridge command to verify root bridge information:

    user@DS-1> show spanning-tree bridge
    STP bridge parameters
    Context ID                          : 0
    Enabled protocol                    : RSTP
      Root ID                           : 4096.00:26:88:02:74:90
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Message age                       : 0
      Number of topology changes        : 1
      Time since last topology change   : 2114 seconds
      Topology change initiator         : ge-0/0/1.0
      Topology change last recvd. from  : 00:26:88:02:6b:81
      Local parameters
        Bridge ID                       : 4096.00:26:88:02:74:90
        Extended system ID              : 0
        Internal instance ID            : 0
Test Your Knowledge: Part 2
This slide is designed to test your understanding of the various configuration options and how they
relate to port role and state determination. As shown in the following output, you can use the show
spanning-tree interface command to verify spanning tree interface information:

    user@DS-2> show spanning-tree interface
    Spanning tree interface parameters for instance 0
    Interface    Port ID    Designated   Designated          Port    State  Role
                            port ID      bridge ID           Cost
    ge-0/0/1.0   16:514     128:514      4096.002688027490   20000   BLK    ALT
    ge-0/0/8.0   16:521     16:521       8192.002688026b90   20000   FWD    DESG
    ge-0/0/10.0  128:523    16:523       32768.0019e2516580  1       FWD    ROOT

    user@AS-1> show spanning-tree interface
    Spanning tree interface parameters for instance 0
    Interface    Port ID    Designated   Designated          Port    State  Role
                            port ID      bridge ID           Cost
    ge-0/0/8.0   16:521     128:521      4096.002688027490   2000    FWD    ROOT
    ge-0/0/10.0  16:523     16:523       32768.0019e2516580  2000    FWD    DESG
    ge-0/0/12.0  16:525     16:525       32768.0019e2516580  2000    FWD    DESG
Test Your Knowledge: Part 3
This slide is designed to test your understanding of the various configuration options and how they
relate to port role and state determination. As shown in the following output, you can use the show
spanning-tree interface command to verify spanning tree interface information:

    user@AS-2> show spanning-tree interface
    Spanning tree interface parameters for instance 0
    Interface    Port ID    Designated   Designated          Port    State  Role
                            port ID      bridge ID           Cost
    ge-0/0/8.0   32:521     16:521       32768.002688026b90  20000   BLK    ALT
    ge-0/0/12.0  16:525     16:525       32768.0019e2516580  20000   FWD    ROOT
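The three "Test Your Knowledge" slides turn on two comparisons: the root bridge is the lowest bridge ID (priority, then MAC), and a non-root bridge chooses its root port by the lowest root path cost, breaking ties on the designated bridge ID, then the designated port ID, then its own port ID. The following is an added example written for this guide, not Junos code: it parses bridge and port IDs in the forms the outputs above display and applies those comparison rules. The DS-1, DS-2 and AS-1 bridge IDs are taken from the outputs above; the BPDU priority vectors and link costs fed to it are constructed.

```python
"""Root bridge election and root port selection with priority.MAC bridge IDs.

Added example, not Junos code. Bridge IDs DS-1 = 4096.00:26:88:02:74:90,
DS-2 = 8192.002688026b90 and AS-1 = 32768.0019e2516580 come from the slide
outputs; the BPDU contents and link costs used below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True, order=True)
class BridgeId:
    """priority.MAC as shown by 'show spanning-tree'; a lower value is better."""
    priority: int
    mac: str  # normalised to lowercase colon-separated form so string order == numeric order

    @classmethod
    def parse(cls, text: str) -> "BridgeId":
        """Accept both '4096.00:26:88:02:74:90' and '4096.002688027490'."""
        prio, mac = text.split(".", 1)
        digits = mac.replace(":", "").lower()
        if len(digits) != 12:
            raise ValueError(f"bad MAC in bridge ID: {text}")
        int(digits, 16)  # raises ValueError on non-hex characters
        return cls(int(prio), ":".join(digits[i:i + 2] for i in range(0, 12, 2)))


@dataclass(frozen=True, order=True)
class PortId:
    """priority:number as shown by 'show spanning-tree interface'."""
    priority: int
    number: int

    @classmethod
    def parse(cls, text: str) -> "PortId":
        prio, num = text.split(":")
        return cls(int(prio), int(num))


@dataclass(frozen=True)
class ReceivedBpdu:
    """The priority vector learned on one local port, plus that port's own cost."""
    interface: str
    root_id: BridgeId
    root_path_cost: int          # cost the sender advertises to reach the root
    designated_bridge: BridgeId  # the sender's bridge ID
    designated_port: PortId      # the sender's port ID
    local_port: PortId           # this switch's port ID for the receiving port
    link_cost: int               # this switch's cost for the receiving port


def elect_root(bridge_ids: Iterable[BridgeId]) -> BridgeId:
    """The lowest bridge ID (priority first, then MAC) becomes the root bridge."""
    return min(bridge_ids)


def select_root_port(own_id: BridgeId, bpdus: List[ReceivedBpdu]) -> Tuple[str, int]:
    """Return (root port interface, resulting root path cost) for a non-root bridge.

    Only BPDUs naming the best known root count; a BPDU that carries this
    bridge's own ID as designated bridge is its own BPDU reflected back and
    is excluded. Ties fall through in the standard order of the comparison key.
    """
    root = min(b.root_id for b in bpdus)
    if own_id <= root:
        raise ValueError("this bridge is the root; it has no root port")
    candidates = [b for b in bpdus
                  if b.root_id == root and b.designated_bridge != own_id]
    best = min(candidates, key=lambda b: (b.root_path_cost + b.link_cost,
                                          b.designated_bridge,
                                          b.designated_port,
                                          b.local_port))
    return best.interface, best.root_path_cost + best.link_cost


if __name__ == "__main__":
    ds1 = BridgeId.parse("4096.00:26:88:02:74:90")
    ds2 = BridgeId.parse("8192.002688026b90")
    as1 = BridgeId.parse("32768.0019e2516580")
    print("root:", elect_root([as1, ds2, ds1]))
    heard = [  # constructed BPDUs as AS-1 might receive them
        ReceivedBpdu("ge-0/0/8.0", ds1, 0, ds1, PortId.parse("128:521"), PortId.parse("16:521"), 2000),
        ReceivedBpdu("ge-0/0/10.0", ds1, 20000, ds2, PortId.parse("16:523"), PortId.parse("16:523"), 2000),
    ]
    print("AS-1 root port:", select_root_port(as1, heard))
```

Because `BridgeId` normalises the MAC before comparison, the two spellings the outputs use (`00:26:88:02:74:90` and `002688027490`) parse to equal values, which is what you want when correlating `show spanning-tree bridge` with `show spanning-tree interface`.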
A Limitation of STP and RSTP
While RSTP provides several advantages over STP, neither of these protocols allows for load balancing,
which in some environments is a requirement. In environments where RSTP or STP is used, all VLANs
within a LAN share the same spanning tree, which limits the number of forwarding paths for data
traffic.
To address this limitation, we recommend you enable the Multiple Spanning Tree Protocol (MSTP) to
provide load balancing for the configured VLANs. In environments that require interoperability with
Cisco's Per-VLAN Spanning Tree Plus (PVST+) or rapid-PVST+ (RPVST+), you should consider using
the Juniper Networks VLAN Spanning Tree Protocol (VSTP). We discuss MSTP and VSTP in
subsequent sections in this chapter.
Multiple Spanning Tree Protocol
The slide highlights the topic we discuss next.
MSTP
MSTP extends STP and RSTP functionality by mapping multiple independent spanning-tree instances
onto one physical topology. Each spanning-tree instance (STI) includes one or more VLANs. Each
multiple spanning tree instance (MSTI) creates a separate topology tree and you can administratively
map it to one or more VLANs. Allowing users to administratively map VLANs to MSTIs facilitates
better load sharing across redundant links within a Layer 2 switching environment.
Unlike in STP and RSTP configurations, a port can belong to multiple VLANs and be dynamically
blocked in one spanning-tree instance but forwarding in another. This behavior significantly improves
network resource utilization by load-balancing across the network and maintaining switch CPU loads
at moderate levels. MSTP also leverages the fast re-convergence time of RSTP when a network,
switch, or port failure occurs within a spanning-tree instance.
MSTP was originally defined in the IEEE 802.1s draft and later incorporated into the IEEE 802.1Q-20
specification.
Common Spanning Tree: Part 2
Because MSTP encodes region information after the standard RSTP BPDU, a switch running RSTP
interprets MSTP BPDUs as RSTP BPDUs. This behavior facilitates full compatibility between devices
running MSTP and devices running STP or RSTP. MSTP uses the same Ethernet frame as STP and RSTP.
However, the BPDU information in the data field is different.
The first 13 fields in the MST BPDU contain similar information to what you would find in an RSTP BPDU.
In fact, an RSTP-speaking switch evaluates these fields in the same manner as it would any other RSTP
BPDU. To the outside world (other MSTI regions or standalone RSTP devices), these fields are a
representation of the virtual bridge that is an individual MSTP region. This information is used to build
the CST.
Common and Internal Spanning Tree
All MSTP environments contain a CST, which is used to interconnect individual MST regions and
independent STP devices. All bridges in the CST elect a single root bridge. The root bridge is responsible
for the path calculation for the CST. As illustrated on the slide, bridges outside of the MST region treat
each MST region as a virtual bridge, regardless of the actual number of devices participating in each
MST region.
The common and internal spanning tree (CIST) is a single topology that connects all switches (RSTP
and MSTP devices) through an active topology. The CIST includes a single spanning tree as
calculated by RSTP together with the logical continuation of connectivity through MST regions. MSTP
calculates the CIST and the CIST ensures connectivity between LANs and devices within a bridged
network.
Each MSTP region builds a spanning tree for the region, referred to as an internal spanning tree, based
upon the remaining BPDU fields. For a switch to participate in a region's internal spanning tree and use
the information in this portion of the BPDU, it must be configured with the same configuration ID.
Therefore, all switches in the same region must be configured with the same configuration ID. This
approach to configuration ensures that when MSTP switches outside of the local MSTP region receive
MSTP BPDUs, those switches will evaluate only the CST-related information (illustrated on the previous
slide). Once the internal spanning tree is built, by default, all traffic on all VLANs will follow it.
Common and Internal Spanning Tree (contd.)
Without the use of MSTI configuration methods, traffic for all VLANs within a region flows along the
path of the internal spanning tree. To override this behavior and allow some VLANs to take one path
through the region and let others take other paths (64 paths are possible for each region), you must
configure MSTIs as part of the router MSTI configuration. The information carried in the MSTI
configuration messages allows each switch to elect root bridges, root ports, designated ports,
designated bridges, and so forth for each MSTI. Each MSTI will have one or more VLANs associated
with it. One VLAN cannot be in more than one MSTI. Notice that the MSTI messages do not carry
VLAN ID information. The VLAN-to-MSTI mappings are configured locally on each switch and each
switch configuration should use the same mappings. We evaluate MSTP configuration on EX Series
switches on subsequent slides.
MSTP Configuration
This slide illustrates the configuration structure for MSTP along with some of the key configuration
parameters and considerations. Note that some of the MSTP configuration values must match on all
devices participating in the same MSTP region. The MSTP configuration values that must match
include:
Configuration name: A user-defined value used to represent the region. Note that this
value can be left blank but must match on all devices in a common region.
Revision level: A user-defined value that represents the MSTP configuration version
number. By default this value is 0.
MSTI-to-VLAN mapping: A mapping between a specific MSTI and the VLANs that MSTI
will service. This value must match on all devices in a common MSTP region. All VLANs
not specifically mapped to a user-defined MSTI are automatically associated with
MSTI 0 (the common spanning tree instance).
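The three values that must match (configuration name, revision level, MSTI-to-VLAN mapping) together form the configuration ID that the previous slide says every switch in a region must share. Since MSTP BPDUs do not carry VLAN IDs, IEEE 802.1Q represents the mapping in the BPDU as an HMAC-MD5 digest of a 4096-entry VID-to-MSTID table computed with a fixed, published key; a switch whose name, revision or digest differs is in a different region. The following is an added example written for this guide, not Junos code or output: it builds that configuration ID for several switches from their configured name, revision and per-MSTI VLAN lists and groups them into regions, which is a quick way to explain why two switches that "look" the same are not in the same region. The switch names and mappings are constructed; the digest key and the all-in-MSTI-0 default digest are the standard's values.

```python
"""MST configuration ID (name, revision, digest) and region grouping.

Added example, not Junos code. Switch names and VLAN mappings are constructed.
The HMAC-MD5 key is the fixed value IEEE 802.1Q defines for the digest; it is
public and is not a secret.
"""
import hashlib
import hmac
import struct
from typing import Dict, Iterable, List, Tuple

MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")  # IEEE 802.1Q key

ConfigId = Tuple[str, int, str]   # (configuration name, revision level, digest)


def msti_table(vlan_to_msti: Dict[int, int]) -> bytes:
    """Encode the 4096-entry VID -> MSTID table, two octets per VID, network order.

    Every VID not explicitly mapped stays in MSTI 0, the CIST, as the slide states.
    """
    table = [0] * 4096
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID {vid} out of range")
        if not 0 <= msti <= 4094:
            raise ValueError(f"MSTI {msti} out of range")
        table[vid] = msti
    return struct.pack("!4096H", *table)


def config_digest(vlan_to_msti: Dict[int, int]) -> str:
    """HMAC-MD5 over the table, shown as uppercase hex the way switches display it."""
    return hmac.new(MST_DIGEST_KEY, msti_table(vlan_to_msti), hashlib.md5).hexdigest().upper()


def mapping_from_msti_lists(msti_vlans: Dict[int, Iterable[int]]) -> Dict[int, int]:
    """Turn per-MSTI VLAN lists (the configuration view) into VID -> MSTID.

    A VLAN listed under two different MSTIs is rejected: one VLAN cannot be in
    more than one MSTI.
    """
    mapping: Dict[int, int] = {}
    for msti, vlans in msti_vlans.items():
        for vid in vlans:
            if vid in mapping and mapping[vid] != msti:
                raise ValueError(f"VLAN {vid} mapped to both MSTI {mapping[vid]} and MSTI {msti}")
            mapping[vid] = msti
    return mapping


def config_id(name: str, revision: int, msti_vlans: Dict[int, Iterable[int]]) -> ConfigId:
    """The configuration ID a switch would advertise for this MSTP configuration."""
    return (name, revision, config_digest(mapping_from_msti_lists(msti_vlans)))


def region_report(switches: Dict[str, ConfigId]) -> Dict[ConfigId, List[str]]:
    """Group switches by configuration ID; each group is one MST region."""
    regions: Dict[ConfigId, List[str]] = {}
    for switch, cid in switches.items():
        regions.setdefault(cid, []).append(switch)
    return regions


if __name__ == "__main__":
    # Constructed: DS-1/DS-2/AS-1 agree, AS-2 has a stale revision, AS-3 moved VLAN 20.
    intended = {1: [10, 20], 2: [30]}
    switches = {
        "DS-1": config_id("campus", 1, intended),
        "DS-2": config_id("campus", 1, {2: [30], 1: [20, 10]}),   # same mapping, other order
        "AS-1": config_id("campus", 1, intended),
        "AS-2": config_id("campus", 0, intended),                 # revision mismatch
        "AS-3": config_id("campus", 1, {1: [10], 2: [20, 30]}),   # mapping mismatch
    }
    for cid, members in region_report(switches).items():
        print(cid, "->", members)
```

The default digest for a switch with every VLAN in MSTI 0 is `AC36177F50283CD4B83821D8AB26DE62`, the value you will see on a freshly enabled MSTP switch; comparing that string across switches is often faster than diffing their VLAN lists.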
Topology and Objectives
This slide introduces the topology and objectives used throughout this case study.
Configuring MSTP
This slide provides the configuration required on DS-1 and DS-2 to accomplish the objectives
outlined on the previous slide. Note that the configuration on AS-1, AS-2, and AS-3 is very similar to
that shown on the slide with the exception of the configured bridge priority values (AS-1, AS-2, and
AS-3 all use the default bridge priority of 32K).
Monitoring MSTP: Part 1
This slide illustrates the operational-mode commands used to monitor MSTP along with a sample
output from the show spannin