AJEX_10.b-R_SG

Feb 10, 2018

Download

Documents

3gero3
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
  • 7/22/2019 AJEX_10.b-R_SG

    1/304

    1194 North Mathilda Avenue

    Sunnyvale, CA 94089USA

    408-745-2000

    www.juniper.net

    Worldwide Education Services

    Advanced Junos Enterprise

    Switching

    10.b

    Student Guide

    Course Number: EDU-JUN-AJEX


    Contents

    Chapter 1: Course Introduction  1-1

    Chapter 2: Advanced Ethernet Switching  2-1
    Virtual Local Area Networks: Assigning User Traffic to VLANs  2-3
    Virtual Local Area Networks: Restricting Traffic within a VLAN  2-15
    Automating VLAN Administration  2-28
    Tunneling Layer 2 Traffic  2-40
    Lab 1: Advanced Ethernet Switching  2-63

    Chapter 3: Advanced Spanning Tree  3-1
    Spanning Tree Review  3-3
    Multiple Spanning Tree Protocol  3-10
    VLAN Spanning Tree Protocol  3-23
    Lab 2: Implementing MSTP and VSTP  3-34

    Chapter 4: Authentication and Access Control  4-1
    Authentication Overview  4-3
    Access Control Features: 802.1X  4-9
    Access Control Features: MAC RADIUS  4-28
    Access Control Features: Captive Portal  4-34
    Overview of Authentication Processing  4-45
    Lab 3: Authentication and Access Control  4-51

    Chapter 5: Deploying IP Telephony Features  5-1
    Deployment Scenarios  5-3
    IP Telephony Features: Power over Ethernet  5-6
    IP Telephony Features: Neighbor Discovery  5-15
    IP Telephony Features: Voice VLAN  5-28
    Case Study: Deploying IP Telephony Features  5-33
    Lab 4: Deploying IP Telephony Features  5-43

    Chapter 6: Class of Service  6-1
    Class of Service Overview  6-3
    Implementing Class of Service  6-16
    Case Study  6-28
    Lab 5: Class of Service  6-37

    Chapter 7: Monitoring and Troubleshooting  7-1
    Introduction to Monitoring and Troubleshooting  7-3
    Monitoring and Troubleshooting Tools  7-18
    Troubleshooting Case Studies: Reachability Issues  7-27
    Troubleshooting Case Studies: Network Congestion  7-33
    Lab 6: Monitoring and Troubleshooting  7-41

    Appendix A: Acronym List  A-1
    Appendix B: Answer Key  B-1

    Course Overview

    This two-day course provides detailed coverage of virtual LAN (VLAN) operations, Multiple Spanning
    Tree Protocol (MSTP) and VLAN Spanning Tree Protocol (VSTP), authentication and access control
    for Layer 2 networks, IP telephony features, class of service (CoS), and monitoring and
    troubleshooting tools and features supported on the EX Series Ethernet Switches.

    Through demonstrations and hands-on labs, students will gain experience in configuring and
    monitoring the Junos operating system and in monitoring device and protocol operations.

    Objectives

    After successfully completing this course, you should be able to:

    Implement filter-based VLAN assignments.
    Restrict traffic flow within a VLAN.
    Manage dynamic VLAN registration.
    Tunnel Layer 2 traffic through Ethernet networks.
    Review the purpose and operations of a spanning tree.
    Implement multiple spanning tree instances in a network.
    Implement one or more spanning tree instances for a VLAN.
    List the benefits of implementing end-user authentication.
    Explain the operations of various access control features.
    Configure and monitor various access control features.
    Describe processing considerations when multiple authentication and access control features are enabled.
    Describe some common IP telephony deployment scenarios.
    Describe features that facilitate IP telephony deployments.
    Configure and monitor features used in IP telephony deployments.
    Explain the purpose and basic operations of class of service.
    Describe class of service features used in Layer 2 networks.
    Configure and monitor class of service in a Layer 2 network.
    Describe a basic troubleshooting method.
    List common issues that disrupt network operations.
    Identify tools used in network troubleshooting.
    Use available tools to resolve network issues.

    Intended Audience

    This course benefits individuals responsible for configuring and monitoring EX Series switches.

    Course Level

    Advanced Junos Enterprise Switching is an advanced-level course.

    Prerequisites

    Students should have an intermediate level of networking knowledge and an understanding of the
    Open Systems Interconnection (OSI) reference model and the TCP/IP protocol suite. Students
    should also attend the Introduction to the Junos Operating System (IJOS), the Junos Routing
    Essentials (JRE), and the Junos Enterprise Switching (JEX) courses prior to attending this class.

    Course Agenda

    Day 1

    Chapter 1: Course Introduction

    Chapter 2: Advanced Ethernet Switching

    Lab 1: Advanced Ethernet Switching

    Chapter 3: Advanced Spanning Tree

    Lab 2: Implementing MSTP and VSTP

    Chapter 4: Authentication and Access Control

    Lab 3: Authentication and Access Control

    Day 2

    Chapter 5: Deploying IP Telephony Features

    Lab 4: Deploying IP Telephony Features

    Chapter 6: Class of Service

    Lab 5: Class of Service

    Chapter 7: Monitoring and Troubleshooting

    Lab 6: Monitoring and Troubleshooting Layer 2 Networks

    Document Conventions

    CLI and GUI Text

    Frequently throughout this course, we refer to text that appears in a command-line interface (CLI)

    or a graphical user interface (GUI). To make the language of these documents easier to read, we

    distinguish GUI and CLI text from chapter text according to the following table.

    Input Text Versus Output Text

    You will also frequently see cases where you must enter input text yourself. Often these instances

    will be shown in the context of where you must enter them. We use bold style to distinguish text

    that is input versus text that is simply displayed.

    Defined and Undefined Syntax Variables

    Finally, this course distinguishes between regular text and syntax variables, and it also

    distinguishes between syntax variables where the value is already assigned (defined variables) and

    syntax variables where you must assign the value (undefined variables). Note that these styles can

    be combined with the input style as well.

    Style | Description | Usage Example

    Franklin Gothic | Normal text. | Most of what you read in the Lab Guide and Student Guide.

    Courier New | Console text: screen captures; noncommand-related syntax. GUI text elements: menu names; text field entry. | commit complete / Exiting configuration mode / Select File > Open, and then click Configuration.conf in the Filename text box.

    Normal CLI / Normal GUI | No distinguishing variant. | Physical interface: fxp0, Enabled / View configuration history by clicking Configuration > History.

    CLI Input / GUI Input | Text that you must enter. | lab@San_Jose> show route / Select File > Save, and type config.ini in the Filename field.

    CLI Variable / GUI Variable | Text where the variable's value is already assigned. | policy my-peers / Click my-peers in the dialog.

    CLI Undefined / GUI Undefined | Text where the variable's value is at the user's discretion, or text where the variable's value as shown in the lab guide might differ from the value the user must input according to the lab topology. | Type set policy policy-name. / ping 10.0.x.y / Select File > Save, and type filename in the Filename field.

    Additional Information

    Education Services Offerings

    You can obtain information on the latest Education Services offerings, course dates, and class

    locations from the World Wide Web by pointing your Web browser to:

    http://www.juniper.net/training/education/.

    About This Publication

    The Advanced Junos Enterprise Switching Student Guide was developed and tested using software
    Release 10.4R3.4. Previous and later versions of software might behave differently, so you should

    always consult the documentation and release notes for the version of code you are running before

    reporting errors.

    This document is written and maintained by the Juniper Networks Education Services development

    team. Please send questions and suggestions for improvement to [email protected].

    Technical Publications

    You can print technical manuals and release notes directly from the Internet in a variety of formats:

    Go to http://www.juniper.net/techpubs/.

    Locate the specific software or hardware release and title you need, and choose the

    format in which you want to view or print the document.

    Documentation sets and CDs are available through your local Juniper Networks sales office or

    account representative.

    Juniper Networks Support

    For technical support, contact Juniper Networks at http://www.juniper.net/customers/support/, or

    at 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States).


    Chapter 1: Course Introduction

    This Chapter Discusses:

    Objectives and course content information;
    Additional Juniper Networks, Inc. courses; and
    The Juniper Networks Certification Program.

    Introductions

    The slide asks several questions for you to answer during class introductions.

    Course Contents

    The slide lists the topics we discuss in this course.

    Prerequisites

    The slide lists the prerequisites for this course.

    General Course Administration

    The slide documents general aspects of classroom administration.

    Training and Study Materials

    The slide describes Education Services materials that are available for reference both in the
    classroom and online.

    Additional Resources

    The slide provides links to additional resources available to assist you in the installation,
    configuration, and operation of Juniper Networks products.

    Satisfaction Feedback

    Juniper Networks uses an electronic survey system to collect and analyze your comments and
    feedback. Depending on the class you are taking, please complete the survey at the end of the class,
    or be sure to look for an e-mail about two weeks from class completion that directs you to complete
    an online survey form. (Be sure to provide us with your current e-mail address.)

    Submitting your feedback entitles you to a certificate of class completion. We thank you in advance
    for taking the time to help us improve our educational offerings.

    Juniper Networks Education Services Curriculum

    Juniper Networks Education Services can help ensure that you have the knowledge and skills to
    deploy and maintain cost-effective, high-performance networks for both enterprise and service
    provider environments. We have expert training staff with deep technical and industry knowledge,
    providing you with instructor-led hands-on courses in the classroom and online, as well as
    convenient, self-paced eLearning courses.

    Course List

    You can access the latest Education Services offerings covering a wide range of platforms at
    http://www.juniper.net/training/technical_education/.

    Juniper Networks Certification Program

    A Juniper Networks certification is the benchmark of skills and competence on Juniper Networks
    technologies.

    Juniper Networks Certification Program Overview

    The Juniper Networks Certification Program (JNCP) consists of platform-specific, multitiered tracks
    that enable participants to demonstrate competence with Juniper Networks technology through a
    combination of written proficiency exams and hands-on configuration and troubleshooting exams.
    Successful candidates demonstrate thorough understanding of Internet and security technologies
    and Juniper Networks platform configuration and troubleshooting skills.

    The JNCP offers the following features:

    Multiple tracks;
    Multiple certification levels;
    Written proficiency exams; and
    Hands-on configuration and troubleshooting exams.

    Each JNCP track has one to four certification levels: Associate-level, Specialist-level,
    Professional-level, and Expert-level. Associate-level and Specialist-level exams are computer-based
    exams composed of multiple choice questions administered at Prometric testing centers worldwide.
    Professional-level and Expert-level exams are composed of hands-on lab exercises administered at
    select Juniper Networks testing centers. Professional-level and Expert-level exams require that you
    first obtain the next lower certification in the track. Please visit the JNCP Web site at
    http://www.juniper.net/certification for detailed exam information, exam pricing, and exam
    registration.

    Preparing and Studying

    The slide lists some options for those interested in preparing for Juniper Networks certification.

    Find Us Online

    The slide lists some online resources to learn and share information about Juniper Networks.

    Any Questions?

    If you have any questions or concerns about the class you are attending, we suggest that you voice
    them now so that your instructor can best address your needs during class.

    This chapter contains no review questions.


    Chapter 2: Advanced Ethernet Switching

    This Chapter Discusses:

    Implementation of filter-based virtual LAN (VLAN) assignments;
    Restricting traffic flows within a VLAN;
    Management of dynamic VLAN registration; and
    Tunneling Layer 2 traffic through Ethernet networks.

    Virtual Local Area Networks: Assigning User Traffic to VLANs

    The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.

    Default Designations

    The factory-default configuration associates all installed interfaces with the default VLAN. In this
    sample output shown on the slide we can see that the default VLAN does not use an 802.1Q tag.

    Because all installed interfaces are pre-configured for Layer 2 operations and are associated with
    the default VLAN, you can simply insert an EX Series switch in basic single broadcast domain
    environments without much or any configuration. If a switch supports multiple broadcast domains,
    you might want to define additional VLANs to separate the traffic associated with each subnet at
    Layer 2.

    Default Designations (contd.)

    You can assign an 802.1Q tag to the default VLAN as shown in the following output:

    [edit]
    root# set vlans default vlan-id 100

    [edit]
    root# commit and-quit
    configuration check succeeds
    commit complete
    Exiting configuration mode

    root> show vlans
    Name           Tag     Interfaces
    default        100
                           ge-0/0/0.0, ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0,
                           ge-0/0/6.0*, ge-0/0/7.0*, ge-0/0/8.0*, ge-0/0/9.0*, ge-0/0/10.0*,
                           ge-0/0/11.0*, ge-0/0/12.0*, ge-0/0/13.0*, ge-0/0/14.0*, ge-0/0/15.0*,
                           ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0, ge-0/0/20.0,
                           ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0, xe-0/1/0.0

    Changing Default Designations

    You can easily change the default VLAN designations by adding new VLANs and associating

    interfaces with those user-defined VLANs. You can also create trunk ports which are used to service

    one or more VLANs. We review the key attributes of access and trunk ports on a subsequent slide.

    Access and Trunk Ports

    This slide is designed as a review of the key attributes of access and trunk ports. The tables

    associated with the two port modes provide the key characteristics of each and highlight the

    differences between the two types.

    Port-Based VLAN Assignments

    In the Junos Enterprise Switching course we introduced you to the port-based VLAN assignment

    method. Using the port-based VLAN assignment method, you associate ports with user-defined

    VLANs. Typically, access ports are associated with a single VLAN whereas trunk ports are often

    associated with multiple VLANs. The slide provides a basic configuration example that associates

    access and trunk ports with their respective VLANs. Note that in this example vlan-10 and vlan-20

    are associated with the 172.23.10.0/24 and 172.23.20.0/24 subnets respectively.

    Test Your Knowledge

    This slide is designed to test the learner's understanding based on the scenario and configuration

    provided. Based on the configuration, all traffic received through the ge-0/0/6.0 interface,

    regardless of its associated subnet, will be tagged with VLAN-ID 10 and flooded out interfaces

    associated with the vlan-10 VLAN. The end result is that all traffic sourced from Host-B will be

    associated with vlan-10 and forwarded or flooded on to nodes that are also associated with vlan-10.

    It is important to note that although VLANs are typically associated with a single subnet, this is not a

    strict requirement. In other words, you can have multiple subnets associated with a single VLAN.

    Filter-Based VLAN Assignment

    Using the port-based VLAN assignment method, all traffic received through an access port is

    associated with the VLAN assigned to that access port. This approach is all-encompassing and

    provides no evaluation of source subnet information.

    The filter-based VLAN assignment method provides flexibility by evaluating information, such as the

    source IP address, and making VLAN assignments based on evaluation results. The filter-based

    VLAN assignment method uses firewall filters to aid in the evaluation and assignment process. This

    feature might be used in scenarios that include multiple devices attached to a single switch port

    through an attached hub or passive switch, as shown on the slide.

    Implementing Filter-Based VLAN Assignments

    This slide provides a basic overview of how filter-based VLAN assignments are implemented. We

    cover each of the highlighted steps in more detail on subsequent slides.

    Note that filter-based VLAN assignments are not supported on access ports that are configured for

    802.1X. If both features are configured at the same time, the configuration will not commit as shown

    in the following output:

    [edit protocols dot1x]
    user@switch# commit
    error: Dot1x: Authenticator can't be configured on mapping "policy" enabled interface
    error: configuration check-out failed

    Defining and Applying the Firewall Filter

    The first two steps when implementing filter-based VLAN assignments are to define and apply a
    Layer 2 firewall filter. Note that Layer 2 filters are associated with the ethernet-switching
    protocol family.

    In the example shown on the slide, we define a Layer 2 firewall filter that matches on the source IP
    subnet 172.23.20.0/24 and associates matching traffic with the VLAN named vlan-20 using the
    then vlan statement. Because the default action for all traffic not explicitly accepted is discard,
    we include a second term that accepts all other traffic. The else-accept term not only allows the
    switch to accept all other traffic but, by doing so, also allows the switch to associate all other traffic
    with VLAN vlan-10, which is the port-based VLAN assignment for the ge-0/0/6.0 access port.

    Note that the slide also shows the application of the vlan-assign firewall filter. In this case the
    vlan-assign firewall filter is applied as an input filter to the ge-0/0/6.0 access port.

    Associating Access Port with Secondary VLAN

    The third step when implementing filter-based VLAN assignments is to associate the access port,
    ge-0/0/6.0 in our example, with the secondary VLAN (vlan-20). Because the matching criteria
    defined in the firewall filter (illustrated on the previous slide) must be met, this secondary VLAN
    association for the ge-0/0/6.0 access port is conditional in nature. To form a conditional association
    between an access port and a secondary VLAN, you use the mapping policy statement, as
    shown in the example on the slide.

    Monitoring the Results

    Here we can see that the ge-0/0/6.0 access port is now associated with vlan-10 and vlan-20.
    Note the unique Mapping policy interfaces association ge-0/0/6.0 has with vlan-20.
    This unique association is indicative of a filter-based VLAN assignment, which, as previously stated,
    is conditional in nature.

    Based on the current configuration and associations, if traffic enters ge-0/0/6.0 and matches the
    defined conditions in the firewall filter, then that traffic should be associated with vlan-20. All
    other traffic should be associated with vlan-10.

    Once traffic passes through ge-0/0/6.0, the switch will add the related media access control (MAC)
    addresses to the corresponding VLAN in the bridge table. If no MAC entry exists in the bridge table,
    the switch uses the flood entry assigned to each VLAN to facilitate the required communications. The
    following output shows the bridge table assignments for ge-0/0/6.0:

    user@AS-2> show ethernet-switching table interface ge-0/0/6
    Ethernet-switching table: 0 unicast entries
      VLAN        MAC address        Type    Age   Interfaces
      vlan-10     *                  Flood   -     All-members
      vlan-20     *                  Flood   -     All-members
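    The filter-based assignment described on the preceding slides, modelled in Python as an added example (this is not code from the Juniper student guide). It evaluates a simplified ethernet-switching input filter on an access port top-down with first-match semantics and the implicit discard, enforces the 802.1X restriction stated above, and learns source MAC addresses into the bridge table of whichever VLAN the frame was assigned to, falling back to the per-VLAN flood entry for unknown destinations. The VLAN names, the vlan-assign filter, the else-accept term, the 172.23.20.0/24 subnet and the commit error text come from the slides; the term name assign-vlan-20, the sample MAC addresses and the check that a then vlan target must be a mapped VLAN are assumptions of this model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Term:
    """One term of a family ethernet-switching firewall filter (simplified model)."""
    name: str
    source_prefix: Optional[str] = None   # 'from source-address'; None matches any frame
    vlan: Optional[str] = None            # 'then vlan <name>'; matching traffic is accepted
    accept: bool = False                  # 'then accept'


@dataclass
class AccessPort:
    name: str
    port_vlan: str                                          # port-based VLAN assignment
    mapping_policy_vlans: set = field(default_factory=set)  # secondary VLANs tied to the port via 'mapping policy'
    input_filter: list = field(default_factory=list)        # ordered terms of the input filter
    dot1x: bool = False                                     # 802.1X authenticator enabled on the port


class CommitError(Exception):
    """Raised where the switch would refuse the configuration at commit time."""


def commit_check(port: AccessPort) -> None:
    # Stated in the guide: mapping policy (filter-based assignment) and 802.1X
    # cannot coexist on an access port; the commit fails with this error text.
    if port.dot1x and port.mapping_policy_vlans:
        raise CommitError('Dot1x: Authenticator can\'t be configured on mapping "policy" enabled interface')
    # Model assumption (not from the guide): a 'then vlan' target must be the
    # port's own VLAN or one of its mapping-policy VLANs.
    for term in port.input_filter:
        if term.vlan and term.vlan != port.port_vlan and term.vlan not in port.mapping_policy_vlans:
            raise CommitError(f"term {term.name}: {term.vlan} has no mapping policy on {port.name}")


def classify(port: AccessPort, src_ip: str) -> Optional[str]:
    """Evaluate the input filter top-down; the first matching term decides.

    Returns the VLAN the frame is associated with, or None when the frame is
    discarded. Junos filters end with an implicit discard, so a filter that
    only contains the 'then vlan' term drops every other frame.
    """
    for term in port.input_filter:
        matched = term.source_prefix is None or ip_address(src_ip) in ip_network(term.source_prefix)
        if not matched:
            continue
        if term.vlan:
            return term.vlan                     # conditional, filter-based assignment
        return port.port_vlan if term.accept else None
    return None


class BridgeTable:
    """Per-VLAN MAC table; each VLAN starts with only its flood entry."""

    def __init__(self, vlans):
        self.entries = {v: {} for v in vlans}

    def ingress(self, port: AccessPort, src_mac: str, src_ip: str) -> Optional[str]:
        """Classify a frame arriving on the port and learn its source MAC there."""
        vlan = classify(port, src_ip)
        if vlan is not None:
            self.entries[vlan][src_mac] = port.name
        return vlan

    def lookup(self, vlan: str, mac: str) -> str:
        # Unknown destination: fall back to the VLAN's flood entry (All-members).
        return self.entries[vlan].get(mac, "Flood All-members")


def slide_port() -> AccessPort:
    """ge-0/0/6.0 as on the slides: vlan-10 by port, vlan-20 by the vlan-assign filter."""
    port = AccessPort("ge-0/0/6.0", port_vlan="vlan-10", mapping_policy_vlans={"vlan-20"})
    port.input_filter = [
        Term("assign-vlan-20", source_prefix="172.23.20.0/24", vlan="vlan-20"),  # term name assumed
        Term("else-accept", accept=True),
    ]
    commit_check(port)
    return port


if __name__ == "__main__":
    port = slide_port()
    table = BridgeTable(["vlan-10", "vlan-20"])
    # Constructed sample frames: one host inside 172.23.20.0/24, one outside it
    for mac, ip in [("00:10:94:00:00:02", "172.23.20.2"), ("00:10:94:00:00:01", "172.23.10.1")]:
        print(mac, ip, "->", table.ingress(port, mac, ip))
    print(table.lookup("vlan-20", "00:10:94:00:00:02"), "|", table.lookup("vlan-10", "aa:bb:cc:dd:ee:ff"))
```

    Removing the else-accept term from slide_port shows why the second term matters: every frame that is not sourced from 172.23.20.0/24 then falls through to the implicit discard instead of landing in vlan-10.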

    Virtual Local Area Networks: Restricting Traffic within a VLAN

    The slide highlights the topic we discuss next.

    Typical VLAN Deployments

    Although not strictly required, a common VLAN deployment involves a one-to-one mapping between a

    VLAN and a corresponding broadcast domain. This deployment design results in end-to-end

    communications between all devices participating in the same VLAN.

    Restricting Traffic

    In some situations you might want to sub-divide groups within the same broadcast domain and

    restrict communications between the different groups. For example, you might have a single subnet

    on which multiple workgroups participate, such as the Sales and Finance workgroups, and want to

    restrict direct communications between those workgroups. A primary reason for restricting

    communications between workgroups in the same broadcast domain is to increase network security.


    Private VLAN
    The Private VLAN (PVLAN) feature allows you to split a broadcast domain into multiple isolated
    broadcast subdomains, essentially putting a VLAN inside a VLAN. A PVLAN consists of a primary
    VLAN with other VLANs, called secondary VLANs, nested inside. PVLANs are useful for restricting the
    flow of broadcast and unknown unicast traffic and for limiting the communication between known
    hosts.

    A PVLAN can be configured on a single switch or can be configured to span multiple switches. A
    PVLAN can span different models of EX Series switches. Note that the PVLAN feature is not
    supported on all EX Series switches. Refer to the technical publications for a list of switches that
    support this feature.

    The voice VLAN and PVLAN features cannot both be enabled at the same time on the same
    interface. We discuss the voice VLAN feature in detail in a subsequent chapter.


    Primary VLAN
    The primary VLAN is the main VLAN within a configured PVLAN, and other VLANs are nested inside
    that VLAN as secondary VLANs. The primary VLAN must be associated with an 802.1Q tag regardless
    of whether the PVLAN is configured on a single switch or is configured to span multiple switches. The
    primary VLAN is used to forward frames downstream to all secondary VLANs (isolated and
    community VLANs).

    Secondary VLANs
    Secondary VLANs are nested inside the primary VLAN. Secondary VLANs require 802.1Q tags only
    when a PVLAN spans multiple switches. The types of secondary VLANs supported on EX Series
    switches along with a brief description of each follows:

    - Community VLAN: A secondary VLAN that transports frames among interfaces within
      the same community and forwards frames upstream to the primary VLAN.
    - Isolated VLAN: A secondary VLAN that receives packets only from the primary VLAN and
      forwards frames upstream to the primary VLAN. Isolated VLANs can be used when a
      PVLAN is configured on one switch or spans multiple switches in a PVLAN domain.
    - Inter-switch isolated VLAN: A secondary (internal) VLAN that is used to forward isolated
      VLAN traffic from one switch to another through pvlan-trunk ports. We discuss pvlan-trunk
      ports on a later slide. Inter-switch isolated VLANs are used when a PVLAN spans multiple
      switches.


    PVLAN Port Designations: Part 1
    This slide illustrates and describes some of the PVLAN port designations. We illustrate and describe
    the remainder of the port designations on the next slide.


    PVLAN Port Designations: Part 2
    This slide illustrates and describes the remainder of the PVLAN port designations.


    Test Your Knowledge
    This slide is designed to test your understanding of PVLAN port accessibility. Remember that only
    promiscuous ports (or traffic that has entered the PVLAN domain from a promiscuous port) can
    access isolated ports. Because of this rule, only R1 can access the file server in the isolated VLAN.
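    The port accessibility rules that this knowledge check relies on can be written down as a small
    policy model. The following Python is an added example, not material from the student guide or
    Juniper code; the port names (R1, file-server, sales-pc, and so on) and the community names are
    constructed to mirror the case study, and the rules encode exactly what the slides state: promiscuous
    ports reach everything, community ports reach their own community plus promiscuous ports, and
    isolated ports reach promiscuous ports only.

```python
# Added example (not from the Juniper student guide): a model of the PVLAN port
# accessibility rules described on these slides. Port names, communities and the
# R1 / file-server / Sales / Finance hosts are constructed for illustration.

from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    kind: str             # "promiscuous", "community" or "isolated"
    community: str = ""   # community name; only meaningful when kind == "community"


def can_reach(src: Port, dst: Port) -> bool:
    """Return True when a frame from src may be delivered to dst inside one PVLAN.

    Rules modelled from the slides:
      - a promiscuous port talks to every port in the primary VLAN;
      - a community port talks to its own community and to promiscuous ports;
      - an isolated port talks only to promiscuous ports (never to another
        isolated port, even though both sit in the same isolated VLAN).
    """
    if src == dst:
        return True
    if src.kind == "promiscuous" or dst.kind == "promiscuous":
        return True
    if src.kind == "community" and dst.kind == "community":
        return src.community == dst.community
    return False  # isolated <-> isolated and isolated <-> community are blocked


def reachability_matrix(ports):
    """Map each port name to the set of other port names it can reach."""
    return {p.name: {q.name for q in ports if q != p and can_reach(p, q)} for p in ports}


# Constructed case study: R1 behind the promiscuous port, a file server on an
# isolated port, and Sales / Finance hosts in two community VLANs.
PORTS = [
    Port("R1", "promiscuous"),
    Port("file-server", "isolated"),
    Port("backup-server", "isolated"),
    Port("sales-pc", "community", "sales"),
    Port("finance-pc", "community", "finance"),
    Port("finance-printer", "community", "finance"),
]

if __name__ == "__main__":
    for src, dsts in reachability_matrix(PORTS).items():
        print(f"{src:16} -> {sorted(dsts)}")
```

    Running the model reproduces the answer on the slide: only R1 reaches the file server, and the file
    server reaches nothing but R1. The same matrix is a convenient check to run against a planned
    PVLAN design before the configuration is committed.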


    Case Study: Topology and Objectives
    The slide displays the topology and objectives for our case study.


    Configuring PVLANs: Part 1
    This slide shows a portion of the required PVLAN configuration for our case study. Here we illustrate
    the configuration associated with the primary VLAN, named pvlan-100. Note that the
    configuration associated with the isolation VLAN is defined within the primary VLAN. All access ports
    (ge-0/0/8.0 on AS-1 in our example) defined within the primary VLAN are considered isolation ports
    and are associated with the isolation VLAN-ID.

    In our example the VLAN-ID associated with the primary VLAN is 100 while the VLAN-ID associated
    with the isolation VLAN is 30. The isolation VLAN-ID is configured under the primary VLAN using the
    isolation-id command option. Remember that a VLAN-ID is not always necessary
    when implementing a PVLAN. Because this PVLAN spans multiple switches (AS-1 and AS-2) the
    inclusion of the isolation-id statement is required.


    Configuring PVLANs: Part 2
    This slide shows the remainder of the required PVLAN configuration for our case study. Here we
    illustrate the configuration associated with the community VLANs, named sales and finance.
    Note that there are no trunk ports referenced within the community VLAN configuration. All
    pvlan-trunk or promiscuous trunk ports are associated with community VLANs through the linking of
    the primary and community VLANs. Primary and community VLANs are linked through the
    primary-vlan statement as shown on the slide. Note that ge-0/0/6.0 and
    ge-0/0/7.0 are both configured as access ports.

    Note that isolation and community VLANs do not require a VLAN-ID unless the PVLAN spans multiple
    switches. Because the PVLAN spans multiple switches, the inclusion of the VLAN-IDs 10 and 20, for
    the sales and finance community VLANs respectively, is required.


    Monitoring PVLANs: Part 1
    This slide and the next illustrate the basics of monitoring the PVLAN feature. This slide illustrates the
    show vlans command which is helpful in determining port-to-VLAN associations. Note that all
    configured pvlan and promiscuous trunk ports should be associated with all secondary VLANs. The
    slide shows the expected output on AS-1. The expected output for AS-2 follows:

    user@AS-2> show vlans
    Name                           Tag     Interfaces
    __pvlan_pvlan-100_isiv__       30
                                           ge-0/0/10.0*, ge-0/0/12.0*
    default
                                           None
    finance                        20
                                           ge-0/0/7.0*, ge-0/0/10.0*, ge-0/0/12.0*
    pvlan-100                      100
                                           ge-0/0/6.0*, ge-0/0/7.0*, ge-0/0/10.0*, ge-0/0/12.0*
    sales                          10
                                           ge-0/0/6.0*, ge-0/0/10.0*, ge-0/0/12.0*


    Monitoring PVLANs: Part 2
    This slide illustrates the show vlans extensive command which provides additional details
    related to the PVLAN feature. In the sample output on the slide, we see details related to PVLANs
    which indicate that the configured PVLAN spans multiple switches.


    Automating VLAN Administration
    The slide highlights the topic we discuss next.


    Test Your Knowledge: Part 1
    This slide and the next are designed to test your understanding of basic bridging operations in an
    environment with multiple VLANs. As the slide indicates, all switches are configured to support all
    VLANs on their respective trunk ports (the ports interconnecting the switches). Because of this
    configuration, all broadcast and unknown unicast traffic sourced and destined within a given VLAN
    should be flooded throughout the entire Layer 2 network passing through all access and distribution
    switches.


    Test Your Knowledge: Part 2
    The scenario illustrated in this slide builds on the details covered on the previous slide. In this
    example, the end-user device named Host-I, which is connected to the AS-3 switch, is no longer
    active (meaning that AS-3 no longer has any active access ports for VLAN 10). Even though AS-3 no
    longer has active end-user devices participating in VLAN 10, it will still receive all broadcast and
    unknown unicast traffic associated with VLAN 10 because of the current configurations on the
    connected switches.

    In order to stop this unwanted traffic from being flooded on to AS-3, you must modify the
    configurations on the connected distribution switches (DS-1 and DS-2) so that their trunk ports,
    which connect to AS-3, no longer service VLAN 10.


    Introducing MVRP
    To simplify VLAN management you can enable Multiple VLAN Registration Protocol (MVRP) on your
    EX Series Ethernet Switches. MVRP dynamically manages VLAN registration in a LAN. MVRP helps
    reduce administration and network overhead by dynamically pruning VLAN information when a
    switch no longer has active access ports for a configured VLAN. In addition to the pruning
    functionality, MVRP can also be used to dynamically create VLANs in switching networks.

    MVRP is an application protocol of the Multiple Registration Protocol (MRP) and is defined in the
    IEEE 802.1ak standard. MRP and MVRP were designed by the Institute of Electrical and Electronics
    Engineers (IEEE) to perform the same functions as Generic Attribute Registration Protocol (GARP)
    and GARP VLAN Registration Protocol (GVRP). MRP and MVRP overcome some GARP and GVRP
    limitations, in particular limitations involving bandwidth usage and convergence time in large
    networks with large numbers of VLANs.

    MVRP was created by IEEE as a replacement application for GVRP. EX Series switches support MVRP
    and GVRP; however, MVRP and GVRP cannot be enabled at the same time to share VLAN
    information. We do not cover GVRP in this course.
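    The pruning behaviour just described, and the Test Your Knowledge scenario on the two preceding
    slides, can be checked with a steady-state model of MVRP registration. The following Python is an
    added example, not material from the student guide or Juniper code. The topology (one distribution
    switch DS-1 with access switches AS-1, AS-2 and AS-3), the per-switch access VLANs, and the switch
    names are constructed; the links listed are assumed to be the STP-forwarding trunks, since MVRP
    declarations are exchanged only on forwarding trunk ports. The model does not replay the Join, Leave
    and LeaveAll messages; it computes the registration state those messages converge to.

```python
# Added example (not from the Juniper student guide): a steady-state model of
# MVRP registration and pruning. Topology, switch names and VLAN assignments
# are constructed; the links are assumed to be the STP-forwarding trunks only.

from collections import defaultdict


def _neighbors(links):
    nbrs = defaultdict(set)
    for a, b in links:
        nbrs[a].add(b)
        nbrs[b].add(a)
    return nbrs


def mvrp_registrations(links, access_vlans):
    """Return {(switch, neighbor): set_of_vlans} registered on each trunk port.

    A switch declares VLAN v toward neighbor n when it has an active access
    port in v, or when v is registered on one of its *other* trunk ports
    (declarations are relayed, never back out the port they arrived on).
    The neighbor's port registers whatever is declared to it. Iterating to a
    fixpoint gives the state the Join/Leave exchange settles into.
    """
    nbrs = _neighbors(links)
    reg = {(s, n): set() for s in nbrs for n in nbrs[s]}
    changed = True
    while changed:
        changed = False
        for s in nbrs:
            for n in nbrs[s]:
                declared = set(access_vlans.get(s, ()))
                for other in nbrs[s] - {n}:
                    declared |= reg[(s, other)]
                if not declared <= reg[(n, s)]:
                    reg[(n, s)] |= declared
                    changed = True
    return reg


def flood_reach(start, vlan, links, access_vlans, mvrp=True):
    """Switches that receive a BUM frame of `vlan` flooded from `start`.

    Without MVRP every trunk carries every VLAN (the configuration on the
    Test Your Knowledge slides); with MVRP a trunk carries the VLAN only if
    the far end registered it, i.e. something behind that port wants it.
    """
    nbrs = _neighbors(links)
    reg = mvrp_registrations(links, access_vlans) if mvrp else None
    seen, todo = {start}, [start]
    while todo:
        s = todo.pop()
        for n in nbrs[s]:
            if n in seen:
                continue
            if not mvrp or vlan in reg[(s, n)]:
                seen.add(n)
                todo.append(n)
    return seen


# Constructed topology: one distribution switch with three access switches.
LINKS = [("DS-1", "AS-1"), ("DS-1", "AS-2"), ("DS-1", "AS-3")]
ACCESS_BEFORE = {"AS-1": {10, 20}, "AS-2": {20}, "AS-3": {10}}    # Host-I active on AS-3
ACCESS_AFTER = {"AS-1": {10, 20}, "AS-2": {20}, "AS-3": set()}    # Host-I removed

if __name__ == "__main__":
    print("static trunks, VLAN 10 flood from AS-1:",
          sorted(flood_reach("AS-1", 10, LINKS, ACCESS_AFTER, mvrp=False)))
    print("MVRP, Host-I active:  ", sorted(flood_reach("AS-1", 10, LINKS, ACCESS_BEFORE)))
    print("MVRP, Host-I removed: ", sorted(flood_reach("AS-1", 10, LINKS, ACCESS_AFTER)))
```

    With static trunks the VLAN 10 flood from AS-1 reaches every switch. With MVRP it reaches DS-1 and
    AS-3 only while Host-I is active, and once AS-3 has no VLAN 10 access port it stops declaring VLAN
    10, DS-1 withdraws its own declaration toward AS-1, and the flood never leaves AS-1.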


    Exchanging VLAN Membership Information
    MVRP uses protocol data units (PDUs) to send VLAN registration information which includes the
    current VLAN membership details of the sending switch. The VLAN membership information is used
    to communicate which switches are members of which VLANs and which switch interfaces are in
    which VLAN. MVRP shares all information in the PDU with all switches participating in MVRP in the
    switching network.

    MVRP stays synchronized using these PDUs. The MVRP PDUs are sent to other switches on the
    network only when an MVRP state change occurs. Switches participating in MVRP receive these
    PDUs during state changes and update their MVRP states accordingly. MVRP timers dictate when
    PDUs can be sent and when switches receiving MVRP PDUs can update their MVRP information.

    MVRP registration and updates are controlled by timers that are part of the MRP protocol. These
    timers are set on a per-interface basis and define when MVRP PDUs can be sent and when MVRP
    information can be updated on a switch. The following timers are used to control MVRP operations:

    - Join: Controls the interval for the next MVRP PDU transmit opportunity.
    - Leave: Controls the period of time that an interface on the switch waits in the Leave
      state before changing to the unregistered state.
    - LeaveAll: Controls the frequency with which the interface generates LeaveAll messages.

    Continued on the next page.


    Exchanging VLAN Membership Information (Contd.)
    VLAN information is distributed as part of the MVRP message exchange process and can be used to
    dynamically create VLANs, which are VLANs created on one switch and propagated to other switches
    as part of the MVRP message exchange process. Dynamic VLAN creation using MVRP is enabled by
    default but can be disabled.

    MVRP uses MRP messages to register and declare MVRP states for a switch and to inform the
    switching network of state changes. These messages are included in the PDUs and communicate
    state information to the other switches in the network. The following messages are communicated
    for MVRP:

    - Empty: VLAN information is not being declared and is not registered.
    - In: VLAN information is not being declared but is registered.
    - JoinEmpty: VLAN information is being declared but not registered.
    - JoinIn: VLAN information is being declared and is registered.
    - Leave: VLAN information that was previously registered is being withdrawn.
    - LeaveAll: All registrations will be de-registered. Participants that want to participate
      in MVRP will need to re-register.
    - New: VLAN information is new and possibly not previously registered.

    To ensure VLAN membership information is current, MVRP uses the MRP messages to remove
    switches and interfaces that are no longer available from the VLAN information. Pruning VLAN
    information limits the network VLAN configuration to active participants only, reducing network
    overhead. Pruning VLAN information also targets the scope of broadcast, unicast with unknown
    destination, and multicast (BUM) traffic to interested devices only.

    MVRP is disabled by default on all EX Series switches. You can configure MVRP on EX Series switch
    interfaces to participate in MVRP for the switching network. MVRP can only be enabled on trunk
    interfaces, and dynamic VLAN configuration through MVRP is enabled by default when MVRP is
    enabled. We cover MVRP configuration on a subsequent slide. Note that MVRP does not support all
    spanning tree protocols. Currently, MVRP does not support the VLAN Spanning Tree Protocol (VSTP).


    A Starting Point
    When implementing MVRP, you should ensure that all required VLANs are configured on the access
    switches and that the access ports are associated with their respective VLANs. We illustrate a basic
    starting point configuration for the AS-1 switch on the slide. Note that the sample configuration is
    trimmed for brevity and that the AS-2 switch requires a similar configuration.

    Also worth noting is that none of the trunk ports, on any of the participating switches, should be
    associated with the configured VLANs. The trunk ports must still be configured under the [edit
    interfaces] hierarchy level as trunk ports but they will not be manually associated with VLANs.
    MVRP will make the needed associations once it is enabled.


    Enabling MVRP
    This slide illustrates the required configuration used to enable MVRP. Note that MVRP is only
    enabled on the trunk ports of all participating switches. Once MVRP is enabled, dynamic VLAN
    configuration information will be shared and created on participating switches. You can disable
    dynamic VLAN configuration using the no-dynamic-vlan statement as shown below:

    [edit protocols]
    user@AS-1# show
    mvrp {
        no-dynamic-vlan;
        interface ge-0/0/14.0;
    }

    Continued on the next page.


    Enabling MVRP (Contd.)
    Remember that MVRP registration and updates are controlled by timers, which are part of MRP.
    These timers are set on a per-interface basis and define when MVRP PDUs can be sent and when
    MVRP information can be updated. If needed, you can adjust the timers as shown below:

    [edit protocols]
    user@AS-1# set mvrp interface ge-0/0/14.0 ?
    Possible completions:
      <[Enter]>            Execute this command
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      disable              Disable MVRP on this interface
      join-timer           Join timer interval (200..4294967295 milliseconds)
      leave-timer          Leave timer interval (600..4294967295 milliseconds)
      leaveall-timer       LeaveAll timer interval (10000..4294967295 milliseconds)
      registration         Registration mode
      |                    Pipe through a command

    The default MVRP timer values are 200 ms for the join timer, 1000 ms for the leave timer, and
    10000 ms for the leaveall timer. Unless there is a compelling reason to make a change, we
    recommend you use the default timer settings. Modifying timers to inappropriate values might cause
    an imbalance in MVRP operations.


    Monitoring MVRP: Part 1
    This and the next two slides highlight some key monitoring commands used when verifying MVRP
    operations. This slide illustrates the use of the show mvrp command, which is used to monitor
    MVRP status along with message and timer information on a per-interface basis.


    Monitoring MVRP: Part 2
    This slide illustrates the show mvrp dynamic-vlan-memberships and the show vlans
    commands, which are used to view dynamic VLAN membership information.


    Monitoring MVRP: Part 3
    This slide illustrates the show mvrp statistics command, which is used to view MVRP
    statistics on a per-interface basis.


    Tunneling Layer 2 Traffic
    The slide highlights the topic we discuss next.


    Today's Connectivity Requirements
    IEEE 802.1Q VLAN tagging makes it possible for a customer's bridged network to scale. Instead of
    needing to add more bridging equipment to a growing network, VLAN tagging allows for the logical
    separation of a bridged network into many broadcast domains (or VLANs). With a 12-bit VLAN ID field,
    4094 VLANs are available for use on a single physical Ethernet network.

    Because of its simple nature, service provider customers generally understand Ethernet. For a long
    time, service providers have searched for ways to deliver Ethernet virtual connections (EVCs) to the
    customer premises. To a customer, an EVC between two sites should appear as a simple Ethernet link or
    VLAN through the service provider's network. IEEE 802.1Q VLAN tagging does not provide the scalability
    service providers require to deliver that type of service.

    Continued on next page.


    Today's Connectivity Requirements (Contd.)
    From the service provider's point of view, the following is a list of some of the scaling issues that might
    arise:

    - Because only one VLAN tag field exists in an 802.1Q frame, customers and the service
      provider need to coordinate the use of VLAN ID space. Considering that a service provider
      might have thousands of customers, this coordination would be an overly extreme effort.
    - To pass Ethernet frames between customer sites, the service provider bridges must learn
      customer MAC addresses. Maintaining a bridge table for internal MAC addresses as well as
      the MAC addresses of each customer can be a daunting task for some bridges and might
      be too much to handle.
    - To provide redundant links between customers and the service provider, running a form of
      the Spanning Tree Protocol (STP), which is generally not a viable solution, might be
      necessary. The STPs of today cannot scale to support all service provider and customer
      bridges of the world in a single spanning-tree domain.


    Addressing the Challenges
    Q-in-Q tunneling is defined under IEEE 802.1ad. It was developed to allow a service provider to provide
    more scalable EVC service to its customers. IEEE 802.1ad has standardized the methodology of
    stacking VLAN tags. The slide shows the frame format that the standard introduced.

    The standard gives a new name to the 802.1Q VLAN tag: the Customer VLAN (C-VLAN) tag (C-TAG). It
    also introduces a new tag named the Service VLAN (S-VLAN) tag (S-TAG). By adding the S-TAG to the
    frame, much less coordination is necessary between the customer and the service provider. At the
    customer site, the customer can continue to use 802.1Q tagging using C-VLAN IDs that are relevant only
    to their network (not the service provider's network). As 802.1Q-tagged frames arrive at the edge of the
    service provider's bridged network, the provider edge bridge adds an S-TAG to the frame. The S-TAG,
    using a single S-VLAN ID, can carry any or all of the 4094 C-VLANs that are possibly in use by the
    customer.

    A typical provider bridged network using Q-in-Q tunneling provides for C-VLAN tagging and forwarding
    at the edge of the network using the ports that face the customer. For all ports that face the core of
    the provider bridged network, the provider bridges forward based only on the S-VLAN tag. In the
    simplest case, a service provider can allocate a single S-VLAN ID to represent each of its individual
    customers, which allows the service provider to potentially support up to 4094 customers. IEEE
    802.1ad also allows for the translating of S-VLAN IDs at the edge of a service provider's bridged
    network, which helps in the coordination of VLAN ID usage between service providers.

    Continued on next page.


    Addressing the Challenges (Contd.)
    Although IEEE 802.1ad helps to solve the issue of the limited VLAN ID space that we discussed in
    relation to IEEE 802.1Q tagging, it does not solve the MAC learning problem. That is, for frames to be
    forwarded between bridges in the service provider's network, the bridges each must learn and store
    MAC addresses learned from the customer networks. A service provider can help alleviate this problem
    by limiting the number of learned MAC addresses or charging the customer more for the EVC service if
    they exceed the MAC address limit.


    IEEE 802.1ad TAG Formats
    The slide shows the S-TAG and C-TAG formats defined under IEEE 802.1ad. Note that the C-TAG remains
    identical to the IEEE 802.1Q VLAN tag. The S-TAG is similar but a few fields have been redefined. For
    example, because the Canonical Format Indicator (CFI) field in the C-TAG is rarely used (for use in token
    ring networks), it has been redefined in the S-TAG to represent a frame's eligibility to be dropped. The
    Drop Eligibility Indicator (DEI) is used for class of service. Also, IEEE 802.1ad has reserved a Tag Protocol
    Identifier (TPID) of 0x88A8 for the S-TAG.


    Key Terminology for Provider Bridged Networks
    The following terms are used in a provider bridged network:

    - Provider Bridged Network: A network of provider bridges that provide transparent EVC
      service to the service provider's customers.
    - Provider Bridge: A bridge in the service provider's network that performs IEEE 802.1ad
      VLAN tagging and forwarding. These bridges learn and store the MAC addresses of the
      service provider's customers.
    - Provider Edge Bridge: Accepts and forwards IEEE 802.1Q frames to and from customers.
      These bridges also encapsulate the received customer frames using the IEEE 802.1ad
      format to forward customer frames across the provider bridged network.
    - S-VLAN Bridge: A nonedge provider bridge that forwards frames based only on the S-VLAN
      tag.
    - Customer Edge Port: A port on a provider edge bridge that connects to customer
      equipment and receives and transmits C-VLAN tagged frames. These are access ports.
    - Provider Network Port: A port on a provider edge bridge that receives and transmits S-VLAN
      tagged frames. These are trunk ports.


    Frame Processing Example: Part 1
    In the example, the service provider delivers an Ethernet circuit to each of the customer premises. To
    provide connectivity between Customer Bridge 1 and Customer Bridge 2, the customer must enable
    IEEE 802.1Q VLAN using VLAN ID 100 on the service provider-facing ports. The service provider has
    allocated an S-VLAN tag of 200 to transparently forward the customer's frames across its network. We
    evaluate the required configuration, from the service provider's perspective, on a subsequent slide. On
    the next several slides we look at the frame processing steps for traffic traversing a Q-in-Q tunnel.


    Frame Processing Example: Part 2
    When C-VLAN-tagged frames arrive at Bridge A, Bridge A performs a MAC-table lookup based on the
    customer's assigned VLAN (VLAN-ID 200). If Bridge A has previously learned the destination MAC
    address of the frame, it forwards the frame to the appropriate outbound interface (ge-0/0/10.0 in this
    case) and adds the outer S-VLAN tag of 200 on to the frame before sending the frame to the next bridge.
    The act of adding an outer tag to the frame is known as a push operation.

    Note that if Bridge A did not previously learn the destination MAC address of the frames, it floods the
    frame out of every other interface associated with the VLAN assigned to the customer except for the
    interface on which the frame was originally received.


    Frame Processing Example: Part 3
    When S-VLAN-tagged frames arrive at Bridge C (an S-VLAN bridge), Bridge C performs a MAC-table
    lookup based on the VLAN associated with the customer (VLAN-ID 200). If Bridge C has previously
    learned the destination MAC address of the frame, it forwards the frame to the appropriate outbound
    interface (ge-0/0/16.0 in this case) and the interface sends the frame unchanged to the next bridge.


    Frame Processing Example: Part 4
    When S-VLAN-tagged frames arrive at Bridge D, Bridge D pops the S-VLAN tag and performs a MAC-table
    lookup based on the C-VLAN tag. If Bridge D has previously learned the destination MAC address of the
    frame, it forwards the frame to the appropriate outbound interface (ge-0/0/0.0 in this case) and the
    interface sends the C-tagged frame to the attached customer bridge.


    Frame Processing Example: Part 5
    The slide shows the frame format of the Ethernet frame as it arrives at Customer Bridge 2. Note that the
    frame looks exactly as it did when Customer Bridge 1 transmitted it. At this point, Customer Bridge 2 will
    perform its own MAC-table lookup and forward the frame on to its intended destination, if known. If
    the destination MAC address is unknown, Customer Bridge 2 will flood the frame out all other interfaces
    associated with VLAN-ID 100.
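    The five frame-processing steps above, together with the S-TAG and C-TAG formats from the
    IEEE 802.1ad TAG Formats slide, can be reproduced byte for byte. The following Python is an added
    example, not material from the student guide or Juniper code: it encodes a tag as TPID plus a 16-bit TCI
    (3-bit PCP, 1-bit CFI/DEI, 12-bit VID), then applies the push at Bridge A, the unchanged forward at
    Bridge C, and the pop at Bridge D. The MAC addresses and payload are constructed; the TPID
    parameter models the ether-type choice (0x88A8 by default, 0x8100 where a network is configured
    that way), and swap() models the VLAN ID translation the text mentions.

```python
# Added example (not from the Juniper student guide): building, pushing, popping
# and swapping IEEE 802.1Q / 802.1ad tags on a raw Ethernet frame, following the
# frame-processing steps for Bridge A, Bridge C and Bridge D. MAC addresses and
# payload are constructed.

import struct

TPID_C = 0x8100   # IEEE 802.1Q C-TAG
TPID_S = 0x88A8   # IEEE 802.1ad S-TAG (a network may be configured to use 0x8100 instead)


def build_tag(tpid, vid, pcp=0, dei=0):
    """4-byte tag: TPID, then TCI = PCP (3 bits) | CFI-or-DEI (1 bit) | VID (12 bits)."""
    if not (0 < vid < 4095 and 0 <= pcp < 8 and dei in (0, 1)):
        raise ValueError("invalid tag field")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)


def parse_tags(frame):
    """Return (dst, src, [(tpid, pcp, dei, vid), ...] outer-first, ethertype, payload)."""
    off = 12
    tags = []
    while True:
        (et,) = struct.unpack("!H", frame[off:off + 2])
        if et not in (TPID_C, TPID_S):
            break
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append((et, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return frame[:6], frame[6:12], tags, et, frame[off + 2:]


def push(frame, vid, tpid=TPID_S, dei=0):
    """Provider edge ingress (Bridge A): insert an outer tag in front of the C-TAG."""
    return frame[:12] + build_tag(tpid, vid, dei=dei) + frame[12:]


def pop(frame):
    """Provider edge egress (Bridge D): remove the outermost tag."""
    return frame[:12] + frame[16:]


def swap(frame, new_vid):
    """VLAN ID translation: replace the outermost VID, keeping TPID, PCP and DEI."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return frame[:12] + struct.pack("!HH", tpid, (tci & 0xF000) | new_vid) + frame[16:]


def customer_frame(cvid=100):
    """Constructed 802.1Q frame as Customer Bridge 1 would transmit it."""
    dst = bytes.fromhex("0011223344aa")   # constructed
    src = bytes.fromhex("0011223344bb")   # constructed
    return dst + src + build_tag(TPID_C, cvid) + struct.pack("!H", 0x0800) + b"constructed IPv4 payload"


def qinq_walk(frame, svid=200):
    """Tag stacks seen leaving each provider bridge, plus what Customer Bridge 2 receives."""
    at_a = push(frame, svid)   # Bridge A pushes the S-TAG
    at_c = at_a                # Bridge C forwards on the S-VLAN; frame unchanged
    at_d = pop(at_c)           # Bridge D pops the S-TAG
    return {
        "bridge_a_out": parse_tags(at_a)[2],
        "bridge_c_out": parse_tags(at_c)[2],
        "customer_2_in": at_d,
    }


if __name__ == "__main__":
    f = customer_frame()
    for step, value in qinq_walk(f).items():
        print(step, value if isinstance(value, list) else parse_tags(value)[2])
    print("restored identically:", qinq_walk(f)["customer_2_in"] == f)
```

    The walk confirms the slide's point: after push at Bridge A the stack is S-TAG 200 over C-TAG 100, Bridge C
    never touches the inner tag, and the frame Customer Bridge 2 receives is byte-identical to the one
    Customer Bridge 1 sent.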


    Configuring Q-in-Q Tunneling
    This slide illustrates a basic Q-in-Q tunneling configuration for EX Series Switches. Depending on your
    requirements, you can map C-VLANs to an S-VLAN in three different ways. You can use the all-in-one
    bundling approach which takes all traffic from all access interfaces and maps that traffic to the
    defined S-VLAN regardless of the C-VLAN tag. This configuration method is shown on the slide.

    The second method you can use is the many-to-one bundling approach which maps only the defined
    C-VLAN tags to the configured S-VLAN. You use the customer-vlans option to specify which
    C-VLANs are mapped to the S-VLAN as shown in the configuration example below:

    [edit vlans]
    user@Bridge-A# show
    v200 {
        vlan-id 200;
        interface {
            ge-0/0/0.0;
            ge-0/0/10.0;
        }
        dot1q-tunneling {
            customer-vlans [ 100 160 ];
        }
    }

    Continued on the next page.


    Configuring Q-in-Q Tunneling (Contd.)
    The third mapping option allows you to assign an S-VLAN to a specific C-VLAN on an interface. This
    method uses the mapping option, which is referenced with the incoming interface. This mapping
    approach uses two options for the treatment of traffic: push and swap. When traffic, mapped to a
    specific interface, is pushed, the traffic retains its tag as it moves between the C-VLAN and S-VLAN
    and an additional VLAN tag is added to the frame. When traffic mapped to a specific interface is
    swapped, the incoming tag is replaced with a new VLAN tag. Using the swap option is also referred
    to as VLAN ID translation. A basic configuration example is provided below:

    [edit vlans]
    user@Bridge-A# show
    v200 {
        vlan-id 200;
        interface {
            ge-0/0/10.0;
            ge-0/0/13.0 {
                mapping {
                    100 {
                        push;
                    }
                }
            }
        }
        dot1q-tunneling;
    }

    In the illustrated configuration example, traffic with a C-VLAN tag of 100 entering ge-0/0/13.0, which

    is a customer-facing access interface, will receive an outer tag (S-VLAN tag) of 200. If traffic with any

    other VLAN-ID enters the ge-0/0/13.0 interface, no such mapping will take effect.

    If you configure multiple mapping methods, the switch gives priority to the interface-specific mapping

    method, then to the many-to-one bundling method, and last to the all-in-one bundling method. Note

    that while you can configure multiple mapping methods, you cannot have overlapping rules for the

    same C-VLAN under a given approach.
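The following Python model is an added example and is not part of the Juniper student guide. It encodes the three mapping methods (all-in-one bundling, many-to-one bundling with customer-vlans, and interface-specific mapping with push or swap), the precedence described above, and the overlap restriction, using a constructed configuration in which S-VLANs v200, v300 and v400 all include access interface ge-0/0/10.0 rather than the slide's own configuration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Precedence the switch applies when several mapping methods match a frame.
PRECEDENCE = ("interface-specific", "many-to-one", "all-in-one")


@dataclass
class SVlan:
    """One S-VLAN as configured under [edit vlans <name>] (model, not Junos)."""
    name: str
    vlan_id: int
    interfaces: set = field(default_factory=set)      # member access interfaces
    all_in_one: bool = False                          # bare dot1q-tunneling
    customer_vlans: set = field(default_factory=set)  # customer-vlans [ ... ]
    mappings: dict = field(default_factory=dict)      # {(ifl, cvlan): "push"|"swap"}


def check_overlaps(svlans):
    """Find overlapping rules for the same C-VLAN within one mapping method,
    the combination the text says is not allowed. Returns the conflicts."""
    seen, conflicts = {}, []
    for sv in svlans:
        keys = [("interface-specific", ifl, cv) for (ifl, cv) in sv.mappings]
        keys += [("many-to-one", ifl, cv)
                 for ifl in sv.interfaces for cv in sv.customer_vlans]
        if sv.all_in_one:
            keys += [("all-in-one", ifl, "*") for ifl in sv.interfaces]
        for k in keys:
            if k in seen and seen[k] != sv.name:
                conflicts.append((k, seen[k], sv.name))
            seen.setdefault(k, sv.name)
    return conflicts


def classify(svlans, ifl, cvlan) -> Optional[tuple]:
    """Return (s_vlan_id, action) for a frame tagged `cvlan` entering access
    interface `ifl`, trying the methods in precedence order; None if no rule."""
    for method in PRECEDENCE:
        for sv in svlans:
            if method == "interface-specific" and (ifl, cvlan) in sv.mappings:
                return sv.vlan_id, sv.mappings[(ifl, cvlan)]
            if (method == "many-to-one" and ifl in sv.interfaces
                    and cvlan in sv.customer_vlans):
                return sv.vlan_id, "push"
            if method == "all-in-one" and ifl in sv.interfaces and sv.all_in_one:
                return sv.vlan_id, "push"
    return None


def tag_stack(cvlan, decision):
    """VLAN tags, outer first, as the frame leaves on the provider trunk:
    push adds the S-VLAN tag over the retained C-VLAN tag; swap replaces it."""
    if decision is None:
        return [cvlan]
    svlan, action = decision
    return [svlan, cvlan] if action == "push" else [svlan]


# Constructed configuration (not the slide's): all three methods on one port.
CONFIG = [
    SVlan("v200", 200, {"ge-0/0/0.0", "ge-0/0/10.0"}, all_in_one=True),
    SVlan("v300", 300, {"ge-0/0/10.0"}, customer_vlans={100, 160}),
    SVlan("v400", 400, {"ge-0/0/10.0"}, mappings={("ge-0/0/10.0", 100): "swap"}),
]
```

With this configuration, C-VLAN 100 on ge-0/0/10.0 is translated to 400 (interface-specific mapping wins), C-VLAN 160 is bundled under 300, and any other C-VLAN falls through to the all-in-one S-VLAN 200.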

Note that Q-in-Q tunneling does not support most access port security features. There is no per-VLAN (customer) policing or per-VLAN (outgoing) shaping and limiting with Q-in-Q tunneling unless you configure these security features using firewall filters. For more information, refer to the technical publications for your specific product. If Q-in-Q tunneling is configured, you will need to enable Q-in-Q tunneling on all VLANs serviced by the trunk ports or, alternatively, change the Ethernet-type setting, as shown in the following sample output:

[edit]
user@switch# commit
error: Trunk interface can not be member of both dot1q-tunneling enabled vlan, and a non dot1q-tunneled vlan when dot1q-tunneling ethernet-type is not
error: configuration check-out failed

[edit]
user@switch# set ethernet-switching-options dot1q-tunneling ether-type 0x8100

[edit]
user@switch# commit
configuration check succeeds
commit complete


Monitoring Q-in-Q Tunneling

As shown on the slide, you can use the show vlans and show ethernet-switching interfaces commands to verify Q-in-Q tunneling.


Tunneling Layer 2 Protocols

While Q-in-Q tunneling does tunnel Layer 2 traffic across a provider bridged network, it does not, by itself, effectively tunnel Layer 2 protocol traffic. Layer 2 protocol tunneling (L2PT) allows you to send Layer 2 PDUs across a service provider network and between customer edge switches connected through a service provider network. L2PT is useful when you want to run Layer 2 protocols on a network that includes switches located at remote sites that are connected across a service provider network.

L2PT encapsulates Layer 2 PDUs, tunneling them across a service provider network, and decapsulates them for delivery to their destination switches. L2PT encapsulates Layer 2 PDUs by enabling the ingress provider edge bridge to rewrite the PDUs' destination MAC addresses before forwarding them onto the service provider network. The provider bridges treat the encapsulated PDUs as multicast Ethernet packets. Upon receipt of the PDUs, the egress provider edge bridge decapsulates them by replacing the destination MAC addresses with the address of the Layer 2 protocol that is being tunneled before forwarding the PDUs to their destination customer edge switch.

    Continued on the next page.


Tunneling Layer 2 Protocols (Contd.)

The EX Series implementation of L2PT supports the following Layer 2 protocols:

• 802.1X authentication
• 802.3ah Operation, Administration, and Maintenance (OAM) link fault management (LFM)
• Cisco Discovery Protocol (CDP)
• Ethernet local management interface (E-LMI)
• GVRP
• Link Aggregation Control Protocol (LACP)
• Link Layer Discovery Protocol (LLDP)
• Multiple MAC Registration Protocol (MMRP)
• MVRP
• Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP)
• Unidirectional Link Detection (UDLD)
• VLAN Spanning Tree Protocol (VSTP)
• VLAN Trunking Protocol (VTP)


Configuring L2PT: Part 1

L2PT is configured under the [edit vlans vlan-name dot1q-tunneling] hierarchy. This means Q-in-Q tunneling must also be enabled when implementing L2PT. When you enable L2PT on a VLAN, any specified Layer 2 protocols are disabled on the access ports, which are considered customer-facing.

Access interfaces in an L2PT-enabled VLAN should not receive L2PT-tunneled PDUs. If L2PT PDUs are received on an access interface, the switch reacts as if there is a loop between the service provider network and the customer network and shuts down (disables) the access interface.

As previously mentioned and illustrated on the slide, L2PT supports several Layer 2 protocols. Note that some of these protocols, when enabled, have special considerations and caveats. Some of these considerations and caveats are listed below:

• If you enable L2PT for untagged OAM LFM packets, do not configure LFM on the corresponding access interface.
• If you enable L2PT for untagged LACP packets, do not configure LACP on the corresponding access interface.
• CDP, UDLD, and VTP cannot be configured on EX Series switches. L2PT does, however, tunnel CDP, UDLD, and VTP PDUs.
• You cannot configure L2PT and VLAN translation (using the mapping statement) on the same VLAN. You can, however, configure L2PT on one VLAN and VLAN translation on a different VLAN that does not have L2PT enabled.


Configuring L2PT: Part 2

If the tunneled Layer 2 PDUs arrive at a high rate, your network might be experiencing a problem. In this situation, you would likely want the interface receiving the high rate of tunneled Layer 2 PDUs to shut down so the problem can be isolated. If you do not want to completely shut down the interface, you can configure the switch to drop tunneled Layer 2 PDUs that exceed a certain threshold.

The drop-threshold configuration statement allows you to specify the maximum number of Layer 2 PDUs of the specified protocol that can be received per second on the interfaces in a specified VLAN before the switch begins dropping the Layer 2 PDUs. The drop threshold must be less than or equal to the shutdown threshold, if configured. If the drop threshold is greater than the shutdown threshold, the commit operation will fail.

The shutdown-threshold configuration statement allows you to define the maximum number of Layer 2 PDUs of the specified protocol that can be received per second on the interfaces in a specified VLAN before the specified interface is disabled. The shutdown threshold must be greater than or equal to the drop threshold. You can define a drop threshold without specifying a shutdown threshold, and you can specify a shutdown threshold without specifying a drop threshold. If you do not specify these thresholds, then no thresholds are enforced and, as a result, the switch tunnels all Layer 2 PDUs regardless of the frequency at which they are received.

Once an interface is disabled, you can reenable it using the clear ethernet-switching layer2-protocol-tunneling error command.
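The following Python model is an added example, not code from the Juniper student guide or from Junos, of the threshold behaviour just described: a per-VLAN, per-protocol PDU-per-second counter that drops above drop-threshold, disables the interface above shutdown-threshold, refuses a configuration whose drop threshold exceeds its shutdown threshold, and stays disabled until the error is cleared. The one-second sliding window and the burst timestamps are constructed for illustration.

```python
from collections import defaultdict, deque


class CommitError(ValueError):
    """The configuration check failure the text describes (drop > shutdown)."""


class L2ptVlan:
    """Per-VLAN, per-protocol policing of tunneled Layer 2 PDUs (model only).
    Thresholds are PDUs per second; None means the threshold is not configured."""

    def __init__(self, vlan, protocol, drop_threshold=None, shutdown_threshold=None):
        if (drop_threshold is not None and shutdown_threshold is not None
                and drop_threshold > shutdown_threshold):
            raise CommitError(f"{vlan} {protocol}: drop-threshold {drop_threshold} "
                              f"exceeds shutdown-threshold {shutdown_threshold}")
        self.vlan, self.protocol = vlan, protocol
        self.drop, self.shutdown = drop_threshold, shutdown_threshold
        self.disabled = set()               # interfaces L2PT has shut down
        self._window = defaultdict(deque)   # ifl -> arrival times in the last second

    def receive(self, ifl, t):
        """Handle one tunneled PDU of this protocol arriving on `ifl` at time
        `t` (seconds). Returns 'tunnel', 'drop' or 'shutdown'."""
        if ifl in self.disabled:
            return "shutdown"               # stays down until the error is cleared
        window = self._window[ifl]
        window.append(t)
        while window and window[0] <= t - 1.0:
            window.popleft()                # sliding one-second window
        rate = len(window)
        if self.shutdown is not None and rate > self.shutdown:
            self.disabled.add(ifl)          # shutdown-threshold exceeded
            return "shutdown"
        if self.drop is not None and rate > self.drop:
            return "drop"                   # drop-threshold exceeded: PDU discarded
        return "tunnel"                     # within limits (or no thresholds at all)

    def clear_error(self, ifl):
        """Model of clear ethernet-switching layer2-protocol-tunneling error."""
        self.disabled.discard(ifl)
        self._window[ifl].clear()


def replay(policy, ifl, timestamps):
    """Feed a constructed burst of PDU arrival times and tally the outcomes."""
    counts = {"tunnel": 0, "drop": 0, "shutdown": 0}
    for t in timestamps:
        counts[policy.receive(ifl, t)] += 1
    return counts
```

A burst of twelve PDUs inside one second against drop-threshold 5 and shutdown-threshold 10 tunnels the first five, drops the next five, and disables the interface on the eleventh.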


Monitoring L2PT: Part 1

This slide and the next provide key commands used to monitor L2PT. As shown on the slide, you can use the show vlans extensive command to verify the state of L2PT. For proper L2PT operations, the Dot1q tunneling and L2PT status should both show enabled.


Monitoring L2PT: Part 2

This slide shows the various show ethernet-switching layer2-protocol-tunneling commands, which can be helpful when monitoring L2PT operations.


This Chapter Discussed:

• Implementation of filter-based VLAN assignments;
• Restricting traffic flows within a VLAN;
• Management of dynamic VLAN registration; and
• Tunneling Layer 2 traffic through Ethernet networks.


Review Questions


Lab 1: Advanced Ethernet Switching

The slide provides the objective for this lab.


    Chapter 3: Advanced Spanning Tree


This Chapter Discusses:

• The purpose and operations of a spanning tree;
• How to implement multiple spanning tree instances in a network; and
• How to implement one or more spanning tree instances for a virtual LAN (VLAN).


Spanning Tree Review

The slide lists the topics we cover in this chapter. We discuss the highlighted topic first.


What If...?

Switches flood broadcast frames and frames for unknown media access control (MAC) addresses out all ports except the port on which those frames were received. In Layer 2 networks with redundant paths, such as the one illustrated on the slide, switches will continuously flood these types of frames throughout the network. When a frame is continuously flooded throughout a Layer 2 network, a Layer 2 loop exists. Layer 2 loops can be extremely harmful to a network's operation and should be avoided. To avoid Layer 2 loops, you must implement a Layer 2 loop-prevention mechanism such as the Spanning Tree Protocol (STP) or Rapid Spanning Tree Protocol (RSTP). We discuss some alternatives to STP and RSTP in subsequent sections in this chapter.


Factory Default Configuration and RSTP

RSTP is enabled by default on EX Series switches. RSTP helps ensure a loop-free Layer 2 topology in environments where redundant paths exist. To establish a loop-free path, RSTP elects one of the participating switches as the root bridge. Based on the election results, each switch determines the role and state of its switch ports. As illustrated on the slide, the root bridge election and determination of every switch port's role and state provide a loop-free path throughout the network.

We covered the election process and port roles and states in detail in the Junos Enterprise Switching course. We provide a basic review of these details on subsequent slides.


Test Your Knowledge: Part 1

This slide is designed to test your understanding of the various configuration options and how they relate to the root bridge election process. As shown in the following output, you can use the show spanning-tree bridge command to verify root bridge information:

user@DS-1> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 4096.00:26:88:02:74:90
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 0
  Number of topology changes        : 1
  Time since last topology change   : 2114 seconds
  Topology change initiator         : ge-0/0/1.0
  Topology change last recvd. from  : 00:26:88:02:6b:81
  Local parameters
    Bridge ID                       : 4096.00:26:88:02:74:90
    Extended system ID              : 0
    Internal instance ID            : 0


Test Your Knowledge: Part 2

This slide is designed to test your understanding of the various configuration options and how they relate to port role and state determination. As shown in the following output, you can use the show spanning-tree interface command to verify spanning tree interface information:

user@DS-2> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated   Designated          Port    State  Role
                        port ID      bridge ID           Cost
ge-0/0/1.0   16:514     128:514      4096.002688027490   20000   BLK    ALT
ge-0/0/8.0   16:521     16:521       8192.002688026b90   20000   FWD    DESG
ge-0/0/10.0  128:523    16:523       32768.0019e2516580  1       FWD    ROOT

user@AS-1> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated   Designated          Port    State  Role
                        port ID      bridge ID           Cost
ge-0/0/8.0   16:521     128:521      4096.002688027490   2000    FWD    ROOT
ge-0/0/10.0  16:523     16:523       32768.0019e2516580  2000    FWD    DESG
ge-0/0/12.0  16:525     16:525       32768.0019e2516580  2000    FWD    DESG


Test Your Knowledge: Part 3

This slide is designed to test your understanding of the various configuration options and how they relate to port role and state determination. As shown in the following output, you can use the show spanning-tree interface command to verify spanning tree interface information:

user@AS-2> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated   Designated          Port    State  Role
                        port ID      bridge ID           Cost
ge-0/0/8.0   32:521     16:521       32768.002688026b90  20000   BLK    ALT
ge-0/0/12.0  16:525     16:525       32768.0019e2516580  20000   FWD    ROOT
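The following Python model is an added example, not part of the Juniper student guide, that reproduces the port roles in the Test Your Knowledge outputs above by applying the RSTP priority-vector comparison (root ID, root path cost, designated bridge ID, designated port ID, receiving port ID). Bridge IDs, port IDs and port costs are taken from those outputs; the root path cost each neighbour advertises is inferred from them (DS-1 is the root, so 0; AS-1 reaches the root over a cost-2000 port; DS-2 reaches it via AS-1 at 2000 + 1), and AS-2's own bridge ID, which the outputs do not show, is a placeholder.

```python
from dataclasses import dataclass


def bridge_id(text):
    """'4096.002688027490' -> (priority, mac), so tuples compare like BPDU fields."""
    prio, mac = text.split(".")
    return int(prio), mac.lower()


def port_id(text):
    """'16:514' -> (port priority, port number)."""
    prio, num = text.split(":")
    return int(prio), int(num)


@dataclass
class ReceivedBpdu:
    """What one local port learned from the designated bridge on its segment."""
    ifl: str
    own_port_id: str
    port_cost: int               # cost of the receiving port (default or configured)
    root_id: str
    sender_root_path_cost: int   # root path cost the neighbour advertised
    designated_bridge: str
    designated_port: str

    def root_priority_vector(self):
        # RSTP compares, in order: root bridge ID, root path cost (sender's
        # cost plus this port's cost), designated bridge ID, designated port
        # ID, then the receiving port ID. Lower wins at each step.
        return (bridge_id(self.root_id),
                self.sender_root_path_cost + self.port_cost,
                bridge_id(self.designated_bridge),
                port_id(self.designated_port),
                port_id(self.own_port_id))


def select_roles(my_bridge_id, bpdus):
    """Return (root port, root path cost, {ifl: role}) for a non-root bridge.
    Assumes every port sees the same root ID, as they do once RSTP converges."""
    best = min(bpdus, key=lambda b: b.root_priority_vector())
    rpc = best.root_priority_vector()[1]
    roles = {}
    for b in bpdus:
        if b is best:
            roles[b.ifl] = "ROOT"
            continue
        # DESG if this bridge's offer (its root path cost, then its bridge ID)
        # beats the neighbour's; otherwise the neighbour is designated and this
        # port becomes an alternate (ALT) and blocks.
        mine = (rpc, bridge_id(my_bridge_id))
        theirs = (b.sender_root_path_cost, bridge_id(b.designated_bridge))
        roles[b.ifl] = "DESG" if mine < theirs else "ALT"
    return best.ifl, rpc, roles


ROOT = "4096.002688027490"   # DS-1, the root (Root ID in the show output above)
DS2 = "8192.002688026b90"    # DS-2 (designated bridge on its DESG port)
AS1 = "32768.0019e2516580"   # AS-1 (designated bridge on its DESG ports)
AS2 = "32768.cccccccccccc"   # AS-2's own bridge ID is not in the outputs: placeholder

# DS-2: reach the root directly at cost 20000, or via AS-1 at cost 1 + 2000.
DS2_PORTS = [
    ReceivedBpdu("ge-0/0/1.0", "16:514", 20000, ROOT, 0, ROOT, "128:514"),
    ReceivedBpdu("ge-0/0/10.0", "128:523", 1, ROOT, 2000, AS1, "16:523"),
]
# AS-1: root over ge-0/0/8.0 at cost 2000; DS-2 and AS-2 hang off the other ports.
AS1_PORTS = [
    ReceivedBpdu("ge-0/0/8.0", "16:521", 2000, ROOT, 0, ROOT, "128:521"),
    ReceivedBpdu("ge-0/0/10.0", "16:523", 2000, ROOT, 2001, DS2, "128:523"),
    ReceivedBpdu("ge-0/0/12.0", "16:525", 2000, ROOT, 22000, AS2, "16:525"),
]
# AS-2: two cost-20000 ports; the lower advertised root path cost decides.
AS2_PORTS = [
    ReceivedBpdu("ge-0/0/8.0", "32:521", 20000, ROOT, 2001, "32768.002688026b90", "16:521"),
    ReceivedBpdu("ge-0/0/12.0", "16:525", 20000, ROOT, 2000, AS1, "16:525"),
]
```

Running select_roles on each switch yields the roles shown on the slides: DS-2 prefers the cost-1 port through AS-1 (root path cost 2001) over its direct cost-20000 link to the root, and AS-2 prefers AS-1 (22000) over DS-2 (22001) by a single unit of cost.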


A Limitation of STP and RSTP

While RSTP provides several advantages over STP, neither of these protocols allows for load balancing, which in some environments is a requirement. In environments where RSTP or STP is used, all VLANs within a LAN share the same spanning tree, which limits the number of forwarding paths for data traffic.

To address this limitation, we recommend you enable the Multiple Spanning Tree Protocol (MSTP) to provide load balancing for the configured VLANs. In environments that require interoperability with Cisco's Per-VLAN Spanning Tree Plus (PVST+) or rapid-PVST+ (RPVST+), you should consider using the Juniper Networks VLAN Spanning Tree Protocol (VSTP). We discuss MSTP and VSTP in subsequent sections in this chapter.


Multiple Spanning Tree Protocol

The slide highlights the topic we discuss next.


MSTP

MSTP extends STP and RSTP functionality by mapping multiple independent spanning-tree instances onto one physical topology. Each spanning-tree instance (STI) includes one or more VLANs. Each multiple spanning tree instance (MSTI) creates a separate topology tree, and you can administratively map it to one or more VLANs. Allowing users to administratively map VLANs to MSTIs facilitates better load sharing across redundant links within a Layer 2 switching environment.

Unlike in STP and RSTP configurations, a port can belong to multiple VLANs and be dynamically blocked in one spanning-tree instance but forwarding in another. This behavior significantly improves network resource utilization by load-balancing across the network and maintaining switch CPU loads at moderate levels. MSTP also leverages the fast re-convergence time of RSTP when a network, switch, or port failure occurs within a spanning-tree instance.

MSTP was originally defined in the IEEE 802.1s draft and later incorporated into the IEEE 802.1Q-20 specification.


Common Spanning Tree: Part 2

Because MSTP encodes region information after the standard RSTP BPDU, a switch running RSTP interprets MSTP BPDUs as RSTP BPDUs. This behavior facilitates full compatibility between devices running MSTP and devices running STP or RSTP. MSTP uses the same Ethernet frame as STP and RSTP. However, the BPDU information in the data field is different.

The first 13 fields in the MST BPDU contain similar information to what you would find in an RSTP BPDU. In fact, an RSTP-speaking switch evaluates these fields in the same manner as it would any other RSTP BPDU. To the outside world (other MSTI regions or standalone RSTP devices), these fields are a representation of the virtual bridge that is an individual MSTP region. This information is used to build the CST.


Common and Internal Spanning Tree

All MSTP environments contain a CST, which is used to interconnect individual MST regions and independent STP devices. All bridges in the CST elect a single root bridge. The root bridge is responsible for the path calculation for the CST. As illustrated on the slide, bridges outside of the MST region treat each MST region as a virtual bridge, regardless of the actual number of devices participating in each MST region.

The common and internal spanning tree (CIST) is a single topology that connects all switches (RSTP and MSTP devices) through an active topology. The CIST includes a single spanning tree as calculated by RSTP together with the logical continuation of connectivity through MST regions. MSTP calculates the CIST, and the CIST ensures connectivity between LANs and devices within a bridged network.

Each MSTP region builds a spanning tree for the region, referred to as an internal spanning tree, based upon the remaining BPDU fields. For a switch to participate in a region's internal spanning tree and use the information in this portion of the BPDU, it must be configured with the same configuration ID. Therefore, all switches in the same region must be configured with the same configuration ID. This approach to configuration ensures that when MSTP switches outside of the local MSTP region receive MSTP BPDUs, those switches will evaluate only the CST-related information (illustrated on the previous slide). Once the internal spanning tree is built, by default, all traffic on all VLANs will follow it.

    Continued on the next page.


Common and Internal Spanning Tree (Contd.)

Without the use of MSTI configuration methods, traffic for all VLANs within a region flows along the path of the internal spanning tree. To override this behavior and allow some VLANs to take one path through the region and let others take other paths (64 paths are possible for each region), you must configure MSTIs as part of the router MSTI configuration. The information carried in the MSTI configuration messages allows each switch to elect root bridges, root ports, designated ports, designated bridges, and so forth for each MSTI. Each MSTI will have one or more VLANs associated with it. One VLAN cannot be in more than one MSTI. Notice that the MSTI messages do not carry VLAN ID information. The VLAN-to-MSTI mappings are configured locally on each switch, and each switch configuration should use the same mappings. We evaluate MSTP configuration on EX Series switches on subsequent slides.


MSTP Configuration

This slide illustrates the configuration structure for MSTP along with some of the key configuration parameters and considerations. Note that some of the MSTP configuration values must match on all devices participating in the same MSTP region. The MSTP configuration values that must match include:

• Configuration name: A user-defined value used to represent the region. Note that this value can be left blank but must match on all devices in a common region.
• Revision level: A user-defined value that represents the MSTP configuration version number. By default this value is 0.
• MSTI-to-VLAN mapping: A mapping between a specific MSTI and the VLANs that MSTI will service. This value must match on all devices in a common MSTP region. All VLANs not specifically mapped to a user-defined MSTI are automatically associated with MSTI 0 (the common spanning tree instance).
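The following Python example is added here and is not part of the Juniper student guide. It shows why the configuration ID discussed on the previous slides and the three values listed above must match: switches compare a configuration name, a revision level, and a digest of the VLAN-to-MSTI table, computed as IEEE 802.1Q clause 13.7 defines it (HMAC-MD5 with the standard's fixed signature key over 4096 big-endian 16-bit MSTIDs indexed by VLAN ID). The region names and VLAN mappings below are constructed, not the case study's; the mapping format {msti: [vlan-ids]} mirrors a Junos msti <n> vlan [ ... ] statement but is this example's own.

```python
import hashlib
import hmac

# MST Configuration Digest Signature Key fixed by IEEE 802.1Q (clause 13.7).
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def vlan_to_msti_table(msti_vlans):
    """Turn {msti: [vlan-ids]} into {vlan: msti}, rejecting a VLAN that appears
    in more than one MSTI (one VLAN cannot be in more than one MSTI)."""
    table = {}
    for msti, vlans in msti_vlans.items():
        if not 1 <= msti <= 64:
            raise ValueError(f"msti {msti} out of range 1-64")
        for vid in vlans:
            if not 1 <= vid <= 4094:
                raise ValueError(f"vlan-id {vid} out of range 1-4094")
            if vid in table:
                raise ValueError(f"vlan {vid} mapped to msti {table[vid]} and {msti}")
            table[vid] = msti
    return table


def config_digest(vlan_to_msti):
    """HMAC-MD5 over the 4096-entry table of 16-bit MSTIDs indexed by VLAN ID.
    VLANs not listed stay at MSTID 0, the CIST, matching the default described."""
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def config_identifier(name, revision, msti_vlans):
    """The three values that must agree for switches to share an MST region."""
    return name, revision, config_digest(vlan_to_msti_table(msti_vlans))


def same_region(a, b):
    """True only if name, revision and VLAN-to-MSTI digest all match."""
    return config_identifier(*a) == config_identifier(*b)


# Constructed switch configurations (name, revision, {msti: [vlans]}).
DS1 = ("region1", 1, {1: [10, 20], 2: [30, 40]})
DS2 = ("region1", 1, {1: [10, 20], 2: [30, 40]})
AS1_TYPO = ("region1", 1, {1: [10, 20], 2: [30, 41]})   # one VLAN differs
```

A switch with no MSTIs configured (every VLAN in MSTI 0) produces the well-known default digest AC36177F50283CD4B83821D8AB26DE62, and a single mistyped VLAN on one switch places it in a region of its own even though the name and revision match.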


Topology and Objectives

This slide introduces the topology and objectives used throughout this case study.


Configuring MSTP

This slide provides the configuration required on DS-1 and DS-2 to accomplish the objectives outlined on the previous slide. Note that the configuration on AS-1, AS-2, and AS-3 is very similar to that shown on the slide with the exception of the configured bridge priority values (AS-1, AS-2, and AS-3 all use the default bridge priority of 32K).


Monitoring MSTP: Part 1

This slide illustrates the operational-mode commands used to monitor MSTP along with a sample output from the show spannin