EX Switch Series Quick Start Training Guide

Nov 07, 2014

Page 1: EX Switch Series Quick Start Training Guide

EX Switch Series Quick Start Training Guide

This lab will familiarize you with the basic features of the EX switch series. This lab will cover the following features:

• EX Basics

• Virtual Chassis

• Redundant Trunk Group (RTG)

• Port Security (DHCP Snooping, MAC Limiting)

• Link Aggregation Group (LAG)/LACP

• 802.1X (single/multiple supplicants)

• LLDP

• VLAN and Port Modes

• Traffic Analyzer

• J-Web

• Routed VLAN Interfaces (RVI)

• Spanning Tree (STP, RSTP, MSTP)

There are exercises in each section which will walk you through the configuration and the interpretation of basic show commands for each technology/feature.


Setup & Lab Topology

[Diagram: physical lab topology. Core/Aggregation Layer: Switch 3 and Switch 4 (VC = Virtual Chassis), DHCP/Radius Server. Access Layer: Switch 1, Switch 2, Hub, PC 1, 2, 3 (left to right), PC 4, PC 5. Port labels shown on the links: 0/0/0, 0/0/1, 0/0/2, 1/0/0, 1/0/1, 1/0/2, 0/0/23.]

The above diagram is the physical setup of the lab topology. Switches 1 and 2 are standalone switches; Switches 3 and 4 form a Virtual Chassis via the stacking cable. All switches are accessible via SecureCRT from PC 4 (the management PC). Launch SecureCRT and you will find four saved connections to the switches. The switch login credentials are juniper/juniper1. To get to the other PCs, use the "Operations" menu on the toolbar of the applet: under Operations, highlight "Connect to Secondary" and you will see options for the other PCs. "Windows" on the applet toolbar lets you toggle between PCs.

Device              VLAN Name     VLAN-ID   Subnet/IP Address
-                   Sales         10        10.1.x.0/24
-                   Engineering   20        20.1.x.0/24
-                   Remote        30        -
DHCP/Radius Server  -             -         192.168.100.254/24
PC 1, 2, 3          Sales         10        DHCP
PC 5                Engineering   20        20.1.x.1/24
PC 4 (mgmt PC)      -             -         30.1.x.5/24
Switch 1 ge-0/0/23  -             -         192.168.100.x/24


Note: x denotes the Kit number. For example, if you reserve Kit 3, then the IP address scheme will be 10.1.3.0/24 for Sales and 20.1.3.0/24 for Engineering. This holds throughout this lab.

EX Basics

There are two flavors of EX series. The EX3200 is a standalone box, while the EX4200 can either be a standalone switch or a member of a Virtual Chassis system. Within each series, there is a T model (8 PoE ports) and a P model (all ports are PoE). The EX series switches can operate in both Layer 2 and Layer 3 environments. A new family, ethernet-switching, is introduced for Layer 2 port configuration. Layer 3 still follows the JUNOS convention, family inet.

Objective:  

Get familiar with some basic commands on a single switch and assign an IP address on the management port.

Exercise 1: Logging into the switch

When logging into the switch as root you will be placed into a shell (type 'cli' to reach the JUNOS CLI); the lab user juniper lands in the CLI directly.

Step 1: Open SecureCRT and connect to Switch 1.

Step 2: At the login prompt, enter “juniper”. At the password prompt enter “juniper1”

Amnesiac (ttyu0)

login: juniper
Password:

--- JUNOS 9.0R2.10 built 2008-03-06 10:31:45 UTC
juniper>

Exercise 2: show commands

Step 1: From operational mode, enter 'show chassis hardware'

juniper> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number   Description
Chassis          REV X3   750-021254   BP0207452223    EX4200-48T
FPC 0            REV 02A  711-021263   AJ0207431705    EX4200-48T, 8 POE
  CPU                     BUILTIN      BUILTIN         FPC CPU
  PIC 0                   BUILTIN      BUILTIN         48x 10/100/1000 Base-T
Power Supply 0   REV 01   740-020957   AT0507430371    PS 320W AC
Fan Tray                                               Fan Tray

The above is a sample output of the 'show chassis hardware' command. The output provides hardware information such as hardware components, serial numbers, and descriptions. Although the output lists multiple components, only the power supply and fan tray are field-replaceable units (FRUs).

Step 2: Additional show commands to try are:


• 'show chassis lcd' gives you the readout of the LCD front panel.

• 'show version' for the software version.

• 'show system uptime' for system uptime, current date and time.

Step 3: To view the MAC address table, enter the following command: 'show ethernet-switching table'

juniper> show ethernet-switching table
Ethernet-switching table: 4 entries, 3 learned
  VLAN      MAC address        Type    Age   Interfaces
  default   *                  Flood   -     All-members
  default   00:0c:29:7b:5e:97  Learn   0     ge-0/0/23.0
  default   00:50:56:10:00:01  Learn   0     ge-0/0/23.0
  default   00:50:56:30:00:02  Learn   0     ge-0/0/23.0

NOTE: Your output will be different from the above output.

The 'show ethernet-switching table' output lists all the MAC addresses with their associated VLAN and the interface on which each MAC address was last learned.

Exercise 3: Configuring host-name, user, and management interface (me0), enable telnet

In JUNOS, there are two different modes:

• Operational Mode – In this mode, you retrieve system information such as version, statistics, or the forwarding table via show commands, or execute operational commands such as reboot or clear statistics via request. Prompt: juniper>

• Configuration Mode – All configuration of the system is done in this mode via set or delete. Prompt: juniper#

The prompt tells you which mode you are in. In operational mode, the prompt is “>”. If you are in the configuration mode, then the prompt will be “#”.

“?” is your friend. At any given time (in either mode), you can type “?” to list possible command completion or available commands.

juniper> show con?
Possible completions:
  configuration        Show current configuration
  connections          Show circuit cross-connect connections

juniper# set chassis ?
Possible completions:
> aggregated-devices   Aggregated devices configuration
> alarm                Global alarm settings
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups


Step 1: Configuration Mode

Type ‘configure’ at the operational command to enter into the configurational mode.

juniper> configure
Entering configuration mode

[edit]
juniper#

Step 2: Configure host-name for Switch 1 and 2

The command to configure the hostname for the system is ‘set system host-name <name>’. For my lab, I’m going to name my Switch 1 “ONE” as shown below.

juniper# set system host-name ONE

Step 3: Configure users for Switch 1 and 2

You can configure users, their privilege level (login class), and passwords on the EX series switches. The command to configure a user is 'set system login user <user-name> class <privilege_level> authentication <authentication-method>'.

In the example below, I created a user named "user1" with read-only privileges, using plain-text-password as the authentication method. "user1" will only be able to execute a limited set of show commands.

juniper# set system login user user1 class read-only authentication plain-text-password
New password:          <-- Enter password for "user1"
Retype new password:   <-- Re-enter password for "user1"

What is the privilege level for user juniper?

Step 4: Configure management interface for Switch 1 and 2.

The EX series switches management port is me0. me0 is similar to fxp0 on M/MX/T series.

The table below is the IP address assignment for Switch 1 and 2.

Switch      me0 IP Address
Switch 1    30.1.x.1/24
Switch 2    30.1.x.2/24

The command to configure the me0 interface is 'set interfaces me0 unit 0 family inet address <ip_address/prefix_length>'.

The configuration below was configured on Switch 1 management interface with 30.1.1.1/24.

juniper# set interfaces me0 unit 0 family inet address 30.1.1.1/24


The same command will need to be done on Switch 2 but with Switch 2 IP address (see Table above).

Step 5: Enable telnet

To enable the telnet service, enter the following command: 'set system services telnet'. Note that telnet carries the login credentials and the whole session in cleartext; outside the lab, enable SSH instead ('set system services ssh') and leave telnet off.

juniper# set system services telnet

Step 6: To apply the configuration, type 'commit'. This applies all configuration changes to the system.

juniper# commit

To exit configuration mode, type 'exit'. If you want to commit and exit in a single command, type 'commit and-quit'.

Step 7: From PC 4, telnet to the Switch 1 me0 IP address and log in with the user credentials you just created.
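As an added example (not part of the training guide), here is a small Python audit of the management-plane settings this exercise leaves behind. It runs over a constructed 'show configuration | display set' excerpt of what Switch 1 looks like after Step 6, flags the telnet service, the missing SSH service and any super-user account, and emits the set/delete statements that fix each. The function names and the sample configuration are my own assumptions.

```python
"""Audit Junos management-plane settings from 'show configuration | display set'
output. Added example for the training guide; the helper names and the sample
configuration below are assumptions, not the guide's own code."""

# Constructed sample: Switch 1 after Exercise 3, plus the lab's super-user
# account. The password hashes are placeholders.
SAMPLE_CONFIG = """\
set system host-name ONE
set system login user juniper class super-user authentication encrypted-password "$1$placeholder"
set system login user user1 class read-only authentication encrypted-password "$1$placeholder"
set system services telnet
set interfaces me0 unit 0 family inet address 30.1.1.1/24
"""


def parse_set_lines(text):
    """Split a display-set configuration into token lists, one per statement."""
    return [line.split() for line in text.splitlines() if line.strip().startswith("set ")]


def audit_management_plane(text):
    """Return (findings, fixes): readable findings and the Junos statements
    that remediate them, in the order they should be applied (SSH on before
    telnet off, so management access is never lost)."""
    stmts = parse_set_lines(text)
    findings, fixes = [], []

    # set system services <name> ...
    services = {s[3] for s in stmts if s[:3] == ["set", "system", "services"] and len(s) > 3}
    if "ssh" not in services:
        findings.append("ssh service not enabled: no encrypted management access")
        fixes.append("set system services ssh")
    if "telnet" in services:
        findings.append("telnet service enabled: credentials and sessions cross the network in cleartext")
        fixes.append("delete system services telnet")

    # set system login user <name> class <class> ...
    for s in stmts:
        if s[:4] == ["set", "system", "login", "user"] and "class" in s:
            user, cls = s[4], s[s.index("class") + 1]
            if cls == "super-user":
                findings.append(f"user {user} holds class super-user; use read-only or a custom class for day-to-day accounts")
                fixes.append(f"set system login user {user} class read-only")
    return findings, fixes


if __name__ == "__main__":
    findings, fixes = audit_management_plane(SAMPLE_CONFIG)
    for f in findings:
        print("FINDING:", f)
    for cmd in fixes:
        print("FIX:", cmd)
```

Paste the "FIX" statements into configuration mode and commit; the SSH statement comes first on purpose, so the cleartext service is removed only once an encrypted one is reachable.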

Virtual Chassis

The EX4200 series switches can either be standalone or interconnect to form a Virtual Chassis system. A Virtual Chassis is comprised of multiple EX4200 series switches connected to each other to form a single logical chassis. The Virtual Chassis is formed either through the dedicated Virtual Chassis Ports (VCPs) located on the back of the chassis or through the 10 GbE uplink ports. If the dedicated VCPs are connected, then the VC forms automatically. If you want to form the Virtual Chassis over the 10 GbE uplink ports, then an operational command is required: 'request virtual-chassis vc-port set interface <name>'.

In a Virtual Chassis there is always a master and a backup Routing Engine (RE). The master RE is responsible for managing the Virtual Chassis and the backup is on standby in case of a master failure. Any other switch that is not master or backup takes on the role of a linecard. A switch acting as a linecard is still eligible to become master/backup if the current ones fail. The master and backup run the full JUNOS operating system, while a linecard member runs a reduced subset of JUNOS.

The Virtual Chassis can be managed through a single IP via the Virtual Management Ethernet (vme) interface. Also, console connections on the non-master switches are redirected to the master RE.

Objective:

In this exercise, the Virtual Chassis is Switch 3 and 4; they are already connected via the dedicated VCPs. Through show commands, you will be able to determine which is master and which is backup. You will learn how to change the mastership priority in the virtual-chassis stanza, configure the vme interface, and change member IDs.


Exercise 1: Accessing the Virtual Chassis via the console

When accessing the Virtual Chassis via the console port of a non-master switch, the connection will always get redirected to the master console.

Step 1: From SecureCRT console to Switch 4. The login is juniper and password is juniper1. You should see the below output.

Amnesiac (ttyu0)

login: juniper
Logging to master      <-- console redirection
Password:

--- JUNOS 9.0R2.10 built 2008-03-06 10:31:45 UTC
juniper>

If you do not get the above output, then console into Switch 3.

Step 2: From the operational mode, enter “show virtual-chassis status” command.

juniper> show virtual-chassis status

Virtual Chassis ID: 0019.e250.a280
                                           Mastership           Neighbor List
Member ID  Status   Serial No     Model       priority  Role      ID  Interface
0 (FPC 0)  Prsnt    BR0207431993  ex4200-24f     128    Master*    1  vcp-0
1 (FPC 1)  Prsnt    BR0207432021  ex4200-24f     128    Backup     0  vcp-1

Member ID for next new member: 2 (FPC 2)

NOTE: The master and backup roles may be reversed

The 'show virtual-chassis status' command provides basic system information such as the Virtual Chassis ID, member ID, serial number, switch role, etc.

The Virtual Chassis ID (VCID) is derived from the master's system MAC address. This MAC address is used by the Virtual Chassis system. To view all system MAC addresses, type 'show chassis mac-addresses'.

The member ID is assigned by the master and increments numerically from 0 to 9. The last line of the output tells you the next available member ID. To renumber a switch member ID, type the following command at operational mode: 'request virtual-chassis renumber member-id <member-id> new-member-id <new-member-id>'. Based on the above output, Switch 3 is member ID 0 and Switch 4 is member ID 1. In my example below, I changed the Switch 4 member ID to 5.

juniper> request virtual-chassis renumber member-id 1 new-member-id 5
To move configuration specific to member ID 1 to member ID 5, please use the replace command.
e.g. replace pattern ge-1/ with ge-5/
Do you want to continue ? [yes,no] (yes)

Notice the new member ID for Switch 4 is now 5. Also, notice that the last line of the output has changed. If a new switch is added to the Virtual Chassis, then it will be assigned member ID 1.


juniper> show virtual-chassis status

Virtual Chassis ID: 0019.e250.a280
                                           Mastership           Neighbor List
Member ID  Status   Serial No     Model       priority  Role      ID  Interface
0 (FPC 0)  Prsnt    BR0207431993  ex4200-24f     128    Master*    5  vcp-0
5 (FPC 5)  Prsnt    BR0207432021  ex4200-24f     128    Backup     0  vcp-1

Member ID for next new member: 1 (FPC 1)

Status gives you the current condition of the switch member. Present (Prsnt) means active; Not Present (NotPrsnt) means the member is not part of the Virtual Chassis.

Mastership priority shows the current priority value of the switch. The default value is 128. It is configurable in the virtual-chassis stanza in configuration mode and can be set between 0 and 255. The member with the highest mastership priority is elected master, so raising a member's priority above the current master's triggers a mastership change.

Role shows the current role of the switch. Possible roles are Master, Backup and Linecard.

Neighbor ID/List Interface shows you the neighboring switch and local VCP connection. In the above output, Member 0’s vcp-0 is connected to Member 5.

Exercise 2: Virtual-Chassis Stanza

All Virtual Chassis related configuration, such as mastership priority, is done under the virtual-chassis stanza.

Step 1: Change the member-id for Switch 4 back to 1.

Step 2: Get into configuration mode by issuing ‘configure’ at the operational mode.

Step 3: Change the priority on the Backup.

The syntax to change the mastership priority is 'set virtual-chassis member <member-id> mastership-priority <value>'. In my example, I raise the mastership priority to 130 on the "Backup RE" switch, which is member 1 again after Step 1.

[edit]
juniper# set virtual-chassis member 1 mastership-priority 130

[edit]
juniper# commit synchronize

'commit synchronize' commits and synchronizes the configuration changes to both the master and backup REs. If only 'commit' is issued, then only the master has the committed changes. The two REs then hold different configuration files, which leads to undesirable results when the RE fails over.

If you increased the mastership-priority for the “Backup RE”, what happened?

TIP: Good practice is to configure the same mastership priority for both the master and backup to avoid preemption.
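To turn the tip above into a check that can run against many switches, here is an added Python example (not part of the training guide) that parses 'show virtual-chassis status' output and reports a master/backup priority mismatch, missing or absent members, and a linecard whose priority exceeds the master's. The first sample is the guide's own output; the second sample, the regex and the function names are my assumptions.

```python
"""Parse 'show virtual-chassis status' and check the mastership setup against
the tip above: master and backup should share a priority so neither preempts
the other. Added example; the regex, helper names and the second sample are
assumptions, not the guide's own code."""
import re

# Output as shown in the guide (members 0 and 1, both priority 128).
VC_STATUS_OK = """\
Virtual Chassis ID: 0019.e250.a280
                                           Mastership           Neighbor List
Member ID  Status   Serial No     Model       priority  Role      ID  Interface
0 (FPC 0)  Prsnt    BR0207431993  ex4200-24f     128    Master*    1  vcp-0
1 (FPC 1)  Prsnt    BR0207432021  ex4200-24f     128    Backup     0  vcp-1

Member ID for next new member: 2 (FPC 2)
"""

# Constructed: the backup was given priority 130 (Exercise 2, Step 3) and a
# third member has dropped out of the chassis.
VC_STATUS_BAD = """\
Virtual Chassis ID: 0019.e250.a280
                                           Mastership           Neighbor List
Member ID  Status   Serial No     Model       priority  Role      ID  Interface
0 (FPC 0)  Prsnt    BR0207431993  ex4200-24f     128    Master*    1  vcp-0
1 (FPC 1)  Prsnt    BR0207432021  ex4200-24f     130    Backup     0  vcp-1
2 (FPC 2)  NotPrsnt BR0207432099  ex4200-24f     128    Linecard

Member ID for next new member: 3 (FPC 3)
"""

# One member row: "<id> (FPC n) <status> <serial> <model> <priority> <role>[*] ..."
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+\(FPC\s+\d+\)\s+(?P<status>\S+)\s+(?P<serial>\S+)\s+"
    r"(?P<model>\S+)\s+(?P<priority>\d+)\s+(?P<role>[A-Za-z]+)\*?"
)


def parse_vc_status(text):
    """Return one dict per member row, ignoring the header and trailer lines."""
    members = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            members.append({
                "id": int(m["id"]), "status": m["status"], "serial": m["serial"],
                "model": m["model"], "priority": int(m["priority"]), "role": m["role"],
            })
    return members


def check_mastership(text):
    """Return a list of findings; an empty list means the VC looks healthy."""
    members = parse_vc_status(text)
    findings = []
    by_role = {m["role"]: m for m in members}
    master, backup = by_role.get("Master"), by_role.get("Backup")
    if master is None:
        return ["no member in the Master role"]
    if backup is None:
        findings.append("no Backup member: a master failure leaves the VC without a standby RE")
    elif master["priority"] != backup["priority"]:
        findings.append(f"master priority {master['priority']} != backup priority "
                        f"{backup['priority']}: the higher one will preempt")
    for m in members:
        if m["status"] != "Prsnt":
            findings.append(f"member {m['id']} ({m['serial']}) is {m['status']}")
        if m["role"] == "Linecard" and m["priority"] > master["priority"]:
            findings.append(f"linecard member {m['id']} has priority {m['priority']} above the master")
    return findings


if __name__ == "__main__":
    for sample in (VC_STATUS_OK, VC_STATUS_BAD):
        print(check_mastership(sample) or ["ok"])
```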


Exercise 3: Configure host-name, user, and virtual management ethernet (vme)

Step 1: (Optional) Configure the host-name and user for the Virtual Chassis.

Step 2: Configure the management interface.

The virtual management ethernet (vme) interface allows an administrator to manage the Virtual Chassis through a single IP address. Assign the IP address 30.1.x.3/24 to the vme interface.

NOTE: x denotes the Kit number. For example, if you are in Kit 3, then the IP address will be 30.1.3.3/24. To determine which Kit you are on, look at the top left of the PC control window (java applet).

In my case, I’m in Kit 1 so my vme will be 30.1.1.3/24 as shown in the configuration below.

juniper# set interfaces vme unit 0 family inet address 30.1.1.3/24

Step 3: Commit configuration changes and exit.

The following warning message is expected when issuing 'commit synchronize', because a backup-router is not configured. The backup-router keeps the system reachable over the management network if the routing protocol process (rpd) is down. The backup-router should be the gateway of last resort on the local management subnet. You can configure one to avoid this message with 'set system backup-router <x.x.x.x>'. Otherwise, just ignore the warning.

juniper# commit synchronize
fpc1:
configuration check succeeds
fpc0:
[edit interfaces vme unit 0 family inet]
  'address 30.1.1.3/24'
    warning: [edit system backup-router] not present. The default route for mgmt ethernet is not installed.
commit complete
fpc1:
commit complete

Step 4: Telnet to the vme address from PC 4.

Link Aggregation Group (LAG)/LACP (802.3ad)

A LAG bundles multiple physical links into one virtual bundle. This increases bandwidth and provides physical link redundancy. A LAG can form either statically or dynamically via LACP.

LACP is part of the IEEE 802.3ad specification and allows dynamic bundling of physical ports. JUNOS uses LACP to provide basic error checking for misconfiguration, for instance to ensure the LAG is configured on both ends of the bundle. If a misconfiguration is detected, the bundle will not become active.


On the EX series switches, a LAG is configured as an aggregated ethernet (ae) interface. When forming a LAG, all links must have the same speed and duplex. A LAG holds a maximum of 8 links. The LAG ports do not need to be contiguous and can be spread across members in a Virtual Chassis. Hashing is done automatically, based on the packet header. For non-IP packets, hashing uses the source and destination MAC addresses. For IP packets, hashing uses the source and destination MAC addresses, IP addresses, and, if present, transport-layer ports.

Objective:  

To configure aggregated ethernet and interpret basic show commands.

One LAG will be between Switch 1 and the Virtual Chassis. The other LAG will be between Switch 2 and the Virtual Chassis.

[Diagram: Core/Aggregation Layer: VC Switch. Access Layer: Switch 1, Switch 2. The highlighted links are Aggregated Ethernet (ae) bundles.]

Use the table below to help work through the LAG exercises.


Exercise 1: Static Aggregated Ethernet

Manually configure a LAG.

Step 1: Number of LAGs on a system

The number of LAGs needs to be defined on the system. For the EX3200 the maximum allowed is 32 groups; for the EX4200/Virtual Chassis it is 64 groups.

The following command, 'set chassis aggregated-devices ethernet device-count <number>', defines the number of LAGs.

For Switch 1, I entered the command below. You will need to define the number of LAGs for Switch 2 and the Virtual Chassis. Use the table in Step 4 to determine the number of LAGs needed for the other switches.

juniper# set chassis aggregated-devices ethernet device-count 1

Step 2: Removing logical interfaces

By default, every port has a logical interface (unit 0) configured. A physical interface that still carries a logical unit cannot be added to a LAG bundle, so delete the unit first with 'delete interfaces <interface_name> unit <unit_number>'.

The command below was run on Switch 1. This needs to be done on all interfaces that will be in the LAG. Use the table in Step 4 to determine the interfaces for the other switches.

juniper# delete interfaces ge-0/0/1 unit 0

Step 3: Configure a port to be part of an aggregated ethernet bundle (ae)

Aggregated ethernet membership is configured under the physical interface. The following command, 'set interfaces <interface_name> ether-options 802.3ad <ae_bundle>', makes the physical interface part of the aggregated ethernet bundle.

The command below was run on Switch 1. This needs to be done on all interfaces that will be part of the aggregated ethernet bundle. Use the table in Step 4 to determine the bundle for the other switches.

juniper# set interfaces ge-0/0/1 ether-options 802.3ad ae0

Step 4: Aggregated Ethernet

Switch      Ports                No. of LAG   Aggregated Ethernet Bundle
Switch 1    ge-0/0/1, ge-0/0/2   1            ae0
Switch 2    ge-0/0/1, ge-0/0/2   1            ae0
VC Switch   ge-0/0/0, ge-1/0/0   2            ae0
            ge-0/0/1, ge-1/0/1                ae1


An aggregated ethernet interface can be either a Layer 2 or a Layer 3 interface. To configure the ae interface for Layer 2, use the family keyword "ethernet-switching". For Layer 3, use the family keyword "inet".

In our lab, we will configure the aggregated ethernet interface as a Layer 2 interface. The command is 'set interfaces <ae_bundle> unit 0 family ethernet-switching'.

I entered the command below on Switch 1. Configure a Layer 2 aggregated ethernet interface on the other switches and commit the configuration changes. DO NOT EXIT configuration mode.

juniper# set interfaces ae0 unit 0 family ethernet-switching

Step 5: Validate the LAG

Since the aggregated ethernet interface is a virtual interface, the 'show interfaces <name>' command can be used to check interface information and statistics.

TIP: JUNOS allows you to run operational commands from configuration mode. To do this, just type 'run' before the operational command.

The below output was executed from the configuration mode of Switch 1.

juniper# run show interfaces ae0
Physical interface: ae0, Enabled, Physical link is Up
  Interface index: 177, SNMP ifIndex: 136
  Link-level type: Ethernet, MTU: 1514, Speed: 2000mbps, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1,
  Minimum bandwidth needed: 0
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Current address: 02:19:e2:50:86:60, Hardware address: 02:19:e2:50:86:60
  Last flapped   : Never
  Input packets  : 8088
  Output packets : 22087362

  Logical interface ae0.0 (Index 114) (SNMP ifIndex 137)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :             0          0             0            0
        Output:             0          0             0            0
    Protocol eth-switch, MTU: 0
      Flags: None

Exercise 2: LACP

LACP allows a LAG to form dynamically. LACP works in two modes:

• Active – Sends LACPDUs and actively tries to form a bundle with the neighboring device.

• Passive – Does not send LACPDUs on its own but listens for them. If the port receives an LACPDU, it will try to form a bundle with the neighboring device.


At least one side needs to be active in order for the bundle to form.

This exercise only needs to be done on one aggregated link. Choose any aggregated link.

Step 1: LACP

For LACP to work properly, LACP needs to be configured on both ends of the bundle. The LACP command, 'set interfaces ae0 aggregated-ether-options lacp active', is entered under the ae interface itself.

Below is a sample configuration done on both Switch 1 and Virtual Chassis.

juniper# set interfaces ae0 aggregated-ether-options lacp active

Step 2: Commit, exit configuration mode, and validate

'show lacp interfaces ae0' shows the status and flags for LACP.

Here is a sample output taken from the Virtual Chassis.

juniper> show lacp interfaces ae0
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-1/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast   Active
      ge-1/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Active
      ge-0/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast   Active
      ge-0/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Active
    LACP protocol:    Receive State  Transmit State          Mux State
      ge-1/0/0                  Current   Fast periodic Collecting distributing
      ge-0/0/0                  Current   Fast periodic Collecting distributing

In the LACP state section, each interface is listed twice; the difference is the role. The Actor role is the local interface and the Partner role is the neighboring device. In the LACP protocol section, the Receive State should be Current, which means the LAG is up.
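Reading those flags by eye does not scale past a couple of bundles, so here is an added Python example (not part of the training guide) that parses 'show lacp interfaces' output and reports every member link whose Actor or Partner is still using defaulted information, lacks the Syn/Col/Dist flags, has both ends passive, or whose receive state is not Current. The first sample is the guide's own output; the failed-link sample, the regexes (including the assumed list of Junos receive/transmit state names) and the function names are my assumptions.

```python
"""Parse 'show lacp interfaces <ae>' and flag member links that have not
reached the collecting/distributing state. Added example; the regexes, helper
names and the failed-link sample are assumptions, not the guide's own code."""
import re

# Output as shown in the guide: both members fully negotiated.
LACP_OK = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-1/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast   Active
      ge-1/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Active
      ge-0/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast   Active
      ge-0/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Active
    LACP protocol:    Receive State  Transmit State          Mux State
      ge-1/0/0                  Current   Fast periodic Collecting distributing
      ge-0/0/0                  Current   Fast periodic Collecting distributing
"""

# Constructed: the peer of ge-0/0/0 is not speaking LACP (partner information
# defaulted), so that link never joins the bundle.
LACP_BAD = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-1/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast   Active
      ge-1/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast   Active
      ge-0/0/0       Actor    No   Yes    No   No   No   Yes     Fast   Active
      ge-0/0/0     Partner    No   Yes    No   No   No   Yes     Fast  Passive
    LACP protocol:    Receive State  Transmit State          Mux State
      ge-1/0/0                  Current   Fast periodic Collecting distributing
      ge-0/0/0                Defaulted   Fast periodic Detached
"""

# One "LACP state" row: link, role, then the Yes/No flag columns.
STATE_RE = re.compile(
    r"^\s*(?P<link>\S+)\s+(?P<role>Actor|Partner)\s+(?P<exp>Yes|No)\s+(?P<def>Yes|No)\s+"
    r"(?P<dist>Yes|No)\s+(?P<col>Yes|No)\s+(?P<syn>Yes|No)\s+(?P<aggr>Yes|No)\s+"
    r"(?P<timeout>\S+)\s+(?P<activity>\S+)\s*$"
)
# One "LACP protocol" row; the state vocabularies are assumed to be complete.
PROTO_RE = re.compile(
    r"^\s*(?P<link>\S+)\s+(?P<rx>Current|Expired|Defaulted|Initialize|Port disabled|LACP disabled)"
    r"\s+(?P<tx>Fast periodic|Slow periodic|No periodic)\s+(?P<mux>.+?)\s*$"
)


def parse_lacp(text):
    """Return ({link: {role: flags}}, {link: protocol-state})."""
    state, proto = {}, {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            state.setdefault(m["link"], {})[m["role"]] = m.groupdict()
            continue
        m = PROTO_RE.match(line)
        if m:
            proto[m["link"]] = m.groupdict()
    return state, proto


def check_lacp(text):
    """Return {link: [issues]} for every member link that is not healthy."""
    state, proto = parse_lacp(text)
    problems = {}
    for link, roles in state.items():
        issues = []
        for role in ("Actor", "Partner"):
            flags = roles.get(role)
            if flags is None:
                issues.append(f"{role} row missing")
                continue
            if flags["def"] == "Yes":
                issues.append(f"{role} is using defaulted partner information (no LACPDUs from the peer)")
            for name in ("syn", "col", "dist"):
                if flags[name] == "No":
                    issues.append(f"{role} {name} flag is No")
        if len(roles) == 2 and all(r["activity"] == "Passive" for r in roles.values()):
            issues.append("both ends passive: neither side will initiate negotiation")
        rx = proto.get(link, {}).get("rx")
        if rx != "Current":
            issues.append(f"receive state is {rx or 'unknown'}, expected Current")
        if issues:
            problems[link] = issues
    return problems


if __name__ == "__main__":
    for sample in (LACP_OK, LACP_BAD):
        print(check_lacp(sample) or "all member links healthy")
```

A link that shows "defaulted partner information" is the classic symptom of LACP configured on only one end, which is exactly the misconfiguration the guide says JUNOS refuses to bring up.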

Link Layer Discovery Protocol

LLDP is an open-standard protocol that advertises basic information, such as equipment capabilities, port information, etc., to the neighboring device. LLDP advertises to a well-known multicast address.

LLDP-MED is used to communicate with PoE-capable end devices. It allows the switch to budget power consumption for the PoE-capable device. LLDP-MED also allows the switch to advertise the voice VLAN and 802.1p settings to an IP phone.

EX series switches support both LLDP and LLDP-MED, and both are enabled by default. All LLDP related configuration is done in the protocols lldp stanza.

NOTE: For LLDP-MED, our switch always budgets a full class 3 regardless of what the end device advertises. Although the switch budgets 15.4 watts, it only supplies the power the PoE device actually requires.


Objective:  

The scope of this exercise focuses only on LLDP. At the end you will be able to interpret the LLDP-related show commands.

Exercise:

Step 1: LLDP

Both LLDP and LLDP-MED are enabled by default. LLDP can be disabled per interface with 'set protocols lldp interface <interface_name> disable'. To re-enable it, delete that statement ('delete protocols lldp interface <interface_name> disable'). Because LLDP advertises the management address and software version (see Step 3), consider disabling it on ports that face untrusted hosts.

Step 2: LLDP database

To view the LLDP database, enter the command 'show lldp neighbors' at operational mode. The output below was taken from Switch 2.

juniper> show lldp neighbors
LocalInterface   Chassis Id          Port info     System Name
ge-0/0/0.0       00:19:e2:50:86:60   ge-0/0/0.0    ONE
ae0.0            00:19:e2:50:a0:00   ge-1/0/1.0    Virtual_Chassis
ae0.0            00:19:e2:50:a0:00   ae1.0         Virtual_Chassis
ae0.0            00:19:e2:50:a0:00   ge-0/0/1.0    Virtual_Chassis

Chassis ID is the system identifier. For the EX series switches, it is the system MAC address.

Port Info is the neighboring port.

System Name is the neighboring device Hostname

Step 3: Detail LLDP information

To get more detailed information, the command 'show lldp neighbors interface <name>' can be issued at operational mode. The output below was taken from Switch 2.

juniper> show lldp neighbors interface ge-0/0/0.0
LLDP Neighbor Information:
Index: 1 Time to live: 120 Time mark: Fri Mar 7 20:41:43 2008 Age: 3 secs
  Local interface    : ge-0/0/0.0
  Chassis type       : Mac address
  Chassis ID         : 00:19:e2:50:86:60
  Port type          : Locally assigned
  Port ID            : 22
  Port description   : ge-0/0/0.0
  System name        : ONE

  System description : Juniper Networks, Inc. ex4200-48t Latte, version 9.0R2.10 Build date: 2008-03-06 10:37:47 UTC

  System capabilities
        Supported    : Bridge Router
        Enabled      : Bridge

  Management address
        Type         : IPv4
        Address      : 30.1.1.1

The information will vary by vendor and device. The EX series switches advertise the model, device capabilities (Bridge/Router), software version, management address, and other basic system information.
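The same table is useful for spotting devices that should not be there: an unmanaged switch or a rogue LLDP speaker on an access port shows up as a neighbor that is not on your list. Here is an added Python example (not part of the training guide) that parses 'show lldp neighbors' output, compares each row against an allow-list of expected chassis IDs per local interface, and produces the per-interface disable statement from Step 1 for the offending ports. The first sample is the guide's own output; the allow-list, the two rogue rows and the function names are my assumptions.

```python
"""Compare 'show lldp neighbors' against an allow-list of expected neighbors
and flag anything else. Added example; the allow-list, helper names and the
rogue rows are assumptions, not the guide's own code."""
import re

# Output as shown in the guide (taken from Switch 2).
LLDP_OK = """\
LocalInterface   Chassis Id          Port info     System Name
ge-0/0/0.0       00:19:e2:50:86:60   ge-0/0/0.0    ONE
ae0.0            00:19:e2:50:a0:00   ge-1/0/1.0    Virtual_Chassis
ae0.0            00:19:e2:50:a0:00   ae1.0         Virtual_Chassis
ae0.0            00:19:e2:50:a0:00   ge-0/0/1.0    Virtual_Chassis
"""

# Constructed: a new LLDP speaker on an access port, and a different chassis
# answering on the inter-switch link.
LLDP_BAD = LLDP_OK + """\
ge-0/0/5.0       00:1b:21:aa:bb:cc   1             unknown-switch
ge-0/0/0.0       00:1b:21:dd:ee:ff   gi0/1         other-device
"""

# Expected chassis IDs (system MAC addresses) per local interface.
EXPECTED = {
    "ge-0/0/0.0": {"00:19:e2:50:86:60"},
    "ae0.0": {"00:19:e2:50:a0:00"},
}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ROW_RE = re.compile(
    rf"^\s*(?P<local>\S+)\s+(?P<chassis>{MAC})\s+(?P<port>\S+)\s+(?P<name>\S+)\s*$", re.I
)


def parse_lldp_neighbors(text):
    """Return a list of (local_interface, chassis_id, port_info, system_name);
    the header line has no MAC in column two and is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m["local"], m["chassis"].lower(), m["port"], m["name"]))
    return rows


def unexpected_neighbors(text, expected=EXPECTED):
    """Return the rows whose chassis ID is not allowed on that local interface;
    interfaces absent from the allow-list are treated as allowing nothing."""
    return [row for row in parse_lldp_neighbors(text)
            if row[1] not in expected.get(row[0], set())]


def lldp_disable_commands(rows):
    """The Step 1 statement for each physical interface in 'rows' (logical unit
    stripped), sorted so the output is stable."""
    return sorted({f"set protocols lldp interface {local.split('.')[0]} disable"
                   for local, *_ in rows})


if __name__ == "__main__":
    rogue = unexpected_neighbors(LLDP_BAD)
    for row in rogue:
        print("UNEXPECTED:", row)
    for cmd in lldp_disable_commands(rogue):
        print("FIX:", cmd)
```

Disabling LLDP only stops the switch from advertising its own details on that port; the unexpected device itself still needs to be tracked down and removed.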

VLAN

A VLAN logically divides a Layer 2 device into separate Local Area Networks (LANs) within a switch. Each VLAN confines all local traffic within its domain.

On the EX series switches, you assign a VLAN to either an access or a trunk port. An access port is a member of a single VLAN, which is common for a host port. A trunk port is a member of multiple VLANs, which is common for inter-switch links that need to carry multiple VLANs over a single link. When traffic traverses a trunk port, it is tagged with a VLAN identifier (802.1Q).

Creating and deleting VLANs is done under the vlans stanza.

Objective:  

At the end of these exercises, you will be able to configure VLANs, assign ports to a VLAN, and interpret basic show commands.

Exercise 1: VLANs

Step 1: Enter configuration mode

Step 2: Creating VLANs

VLAN management is done under the vlans stanza. The minimum configuration required for a VLAN is its name. A vlan-id is only required when the VLAN is carried on a trunk. The vlan-id is the 802.1Q tag used to identify the VLAN's traffic on the trunk link.

The command to configure VLANs is 'set vlans <vlan_name> vlan-id <dot1q_tag>'. Configure the VLANs on all of the switches based on the table below.

VLAN Name     VLAN-ID
Sales         10
Engineering   20
Remote        30

TIP: The JUNOS configuration is hierarchical. To avoid repetition, use "edit" to move into a stanza and configure similar statements there.


To avoid repeatedly typing "set vlans" for each VLAN, I'm going to "edit" the vlans stanza. The example below was done on Switch 1. Configure the VLANs on all of the other switches.

juniper# edit vlans

[edit vlans]
juniper# set Sales vlan-id 10

[edit vlans]
juniper# set Engineering vlan-id 20

[edit vlans]
juniper# set Remote vlan-id 30

[edit vlans]
juniper# top          <-- this command moves you back to the top of the configuration hierarchy

[edit]
juniper#

Step 3: Commit configuration changes and exit.

Step 4: VLAN validation

All VLAN related information can be derived from the 'show vlans' command in operational mode.

juniper> show vlans
Name           Tag     Interfaces
Engineering    20
                       None
Remote         30
                       None
Sales          10
                       None
default
                       ae0.0*, ge-0/0/0.0*, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0,
                       ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0, ge-0/0/11.0, ge-0/0/12.0,
                       ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0,
                       ge-0/0/19.0, ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0*, ge-0/0/24.0,
                       ge-0/0/25.0, ge-0/0/26.0, ge-0/0/27.0, ge-0/0/28.0, ge-0/0/29.0, ge-0/0/30.0,
                       ge-0/0/31.0, ge-0/0/32.0, ge-0/0/33.0, ge-0/0/34.0, ge-0/0/35.0, ge-0/0/36.0,
                       ge-0/0/37.0, ge-0/0/38.0, ge-0/0/39.0, ge-0/0/40.0, ge-0/0/41.0, ge-0/0/42.0,
                       ge-0/0/43.0, ge-0/0/44.0, ge-0/0/45.0, ge-0/0/46.0, ge-0/0/47.0
<output truncated>

Name is the <vlan-name> you assigned to identify the VLAN.

Tag is the 802.1Q tag.


Interfaces is the list of ports associated with the VLAN.

You have the option to view VLAN specific information by specifying the VLAN name. The syntax is ‘show vlans <vlan_name>’

Exercise 2: Port Modes

By default, all ports are access ports. Trunk ports require configuration.

Step 1: Enter into the configuration mode.

Step 2: Define port mode.

The command syntax to configure a trunk port is 'set interfaces <name> unit 0 family ethernet-switching port-mode trunk'. To change the port back to access mode, change the keyword from "trunk" to "access". Use the table below to determine each port's role.

Switch            Port             Port Mode
Switch 1 and 2    ge-0/0/0, ae0    trunk
Virtual Chassis   ae0, ae1         trunk
Virtual Chassis   ge-0/0/2         access
Virtual Chassis   ge-1/0/2         access

Only the trunk ports need to be configured. The command below was run on Switch 1.

TIP: When configuring a logical interface, you can avoid typing "unit <unit_number>" by appending "." and the unit number to the interface name.

juniper# set interfaces ge-0/0/0.0 family ethernet-switching port-mode trunk

The above command is equivalent to 'set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk'.

Step 3: Commit the configuration changes.

Exercise 3: VLAN Membership

Step 1: Configure VLAN membership.

By default all ports are part of the VLAN "default". Assigning a port to a VLAN can be done in one of two ways:

• Interface level, by using the following command: 'set interfaces <name> unit 0 family ethernet-switching vlan members <vlan_name or vlan_id>'

• VLAN level, by entering the following command: 'set vlans <vlan_name> interface <logical_interface>'


Below is the VLAN membership information to complete this exercise.

Switch            Port             VLAN Membership
Switch 1 and 2    ge-0/0/0, ae0    Sales, Engineering
Virtual Chassis   ae0, ae1         Sales, Engineering
Virtual Chassis   ge-0/0/2         Sales
Virtual Chassis   ge-1/0/2         Engineering

TIP: At the interface level, use the "all" keyword or square brackets [ ... ] to specify multiple VLANs.

The below command was entered on Switch 1. Configure the other interfaces according to the table above.

juniper# set interfaces ae0.0 family ethernet-switching vlan members [ Sales Engineering ]

Step 2: Commit the configuration changes and exit.

Step 3: Validate VLAN membership

The output below was taken on the Virtual Chassis.

juniper@Virtual_Chassis> show vlans Sales detail
VLAN: Sales, 802.1Q Tag: 10, Admin state: Enabled
Number of interfaces: 3 (Active = 3)
  Untagged interfaces: ge-0/0/2.0*
  Tagged interfaces: ae0.0*, ae1.0*

Untagged – Both TX and RX packets are not tagged.

Tagged – Both TX and RX the packet will be tagged with 802.1q.

The asterisk denotes the port is active.

Another useful command is ‘show ethernet-switching interface’. This command provides a summary of VLAN, interface, and forwarding status.


juniper> show ethernet-switching interfaces
Interface    State  VLAN members  Blocking
ae0.0        up     Engineering   unblocked
                    Sales         unblocked
ge-0/0/0.0   up     Engineering   unblocked
                    Sales         unblocked
ge-0/0/3.0   down   default       blocked - blocked by STP/RTG
ge-0/0/4.0   down   default       blocked - blocked by STP/RTG
<output truncated>

TIP: Cisco switches implement hybrid trunks. On a hybrid trunk a given VLAN is either tagged or untagged (the native VLAN) for both transmit and receive. The command to configure the native VLAN on EX series switches is ‘set interfaces <name> unit 0 family ethernet-switching native-vlan-id <vlan_name or vlan_id>’. Make sure the native VLAN matches on both switches.

Routed VLAN Interface (RVI)

A Routed VLAN Interface is a Layer 3 VLAN interface. It allows IP traffic to be routed between VLANs and Layer 3 routed interfaces.

Objective:  

At the end of this exercise, you will be able to configure an RVI and understand the basic show commands.

Exercise: Configuring RVI

Step 1: Configure RVIs for VLANs Sales and Engineering

Configuring an RVI is a two-step process. First, configure a Layer 3 VLAN interface: all RVIs are logical units of the ‘vlan’ interface, one unit per VLAN. The command is ‘set interfaces vlan unit <unit_number> family inet address <ip_address/mask>’. Next, bind the RVI to the VLAN in the VLANs database with ‘set vlans <vlan_name> l3-interface <l3_vlan_interface>’. Use the table below to configure the RVIs for Switch 1 and 2.

Switch      VLAN          VLAN-ID   IP Address
Switch 1    Sales         10        10.1.x.254/24
Switch 1    Engineering   20        20.1.x.254/24
Switch 2    Sales         10        10.1.x.253/24
Switch 2    Engineering   20        20.1.x.253/24

Here I configured the RVI on Switch 1. Complete the remaining RVI configuration for Switch 1 and 2.


juniper# set interfaces vlan unit 10 family inet address 10.1.1.254/24
[edit]
juniper# set vlans Sales l3-interface vlan.10

NOTE: For management simplicity, it is recommended to match the unit number with the VLAN-ID.

Step 3: Commit and exit.

Step 4: RVI validation

Here are some show commands to use to validate RVI configuration, ‘show vlans <vlan_name> detail’, ‘show interfaces vlan’ or ‘show interface terse’

Spanning-Tree Protocol

Spanning-tree is a Layer 2 protocol that ensures a loop-free network by blocking redundant Layer 2 paths. Communication between spanning-tree enabled switches is done through Bridge Protocol Data Units (BPDUs).

EX switches support all three flavors of Spanning Tree, 802.1D (STP), 802.1w (RSTP), and 802.1s (MSTP). RSTP is enabled by default. Spanning Tree is configured under the protocol stanza.

NOTE: EX STP implementation is RSTP with a forced version 0. Both STP and RSTP are a single instance of spanning-tree protocol (supports one Layer 2 forwarding topology). RSTP improves on the convergence time.

Objective:  

At the end of this exercise, you will be able to configure all three flavors of spanning-tree and interpret show spanning-tree related commands.

Exercise 1: STP/RSTP

Step 1: Bridge Priority

Spanning-tree relies on one bridge being the root. There is an election process for determining which switch is root. The election process is based on the bridge id. The bridge with the lowest bridge id wins.

A bridge ID is comprised of a bridge priority and the bridge MAC address. Only the bridge priority can be manipulated. By default, every switch's bridge priority is 32768. The command to change the priority is ‘set protocols <spanning_tree_protocol> bridge-priority <value>’.

We want Switch 1 to be the root. Enter the command below on Switch 1.

juniper# set protocols rstp bridge-priority 4k

NOTE: STP uses the same syntax; just change the protocol from rstp to stp.

Step 2: Commit and exit


Step 3: Check spanning-tree

‘show spanning-tree bridge’ provides basic spanning-tree information. The output below was taken from Switch 1.

juniper> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 4096.00:19:e2:50:86:60
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 0
  Number of topology changes        : 10
  Time since last topology change   : 7642 seconds
  Local parameters
    Bridge ID                       : 4096.00:19:e2:50:86:60
    Extended system ID              : 0
    Internal instance ID            : 0

From the above output, we can see RSTP is enabled on this switch. We also know the root switch bridge ID is 4096.00:19:e2:50:86:60. Switch 1's own bridge ID is under the local parameters section. Since the bridge ID is the same as the root ID, we know this switch (Switch 1) is the root switch. Try the same command on Switch 2 or the Virtual Chassis: the root ID should be Switch 1's bridge ID, and the bridge ID under local parameters is that of the switch itself.

Step 3: Who is blocking?

Based on our topology, we have a loop in our network. If spanning-tree is working correctly, one of the links should be blocking. The command to check the port state (forwarding or blocking) is ‘show spanning-tree interface’.

The output below was taken on Switch 1. Use this command on the other switches until you find the port that is blocking.

juniper> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID   Designated   Designated           Port    State  Role
                       port ID      bridge ID            Cost
ae0.0        128:1     128:1        4096.0019e2508660    10000   FWD    DESG
ge-0/0/0.0   128:513   128:513      4096.0019e2508660    20000   FWD    DESG
ge-0/0/3.0   128:516   128:516      32768.0019e2508660   20000   BLK    DIS
ge-0/0/4.0   128:517   128:517      32768.0019e2508660   20000   BLK    DIS
ge-0/0/5.0   128:518   128:518      32768.0019e2508660   20000   BLK    DIS
<output truncated>

‘show spanning-tree interface’ shows the following:


• Port cost – Cost to use this link

• State – Port forwarding or blocking

• Role – Port roles are Designated (forwarding), Root (forwarding), Backup (blocking), Alternate (blocking), Edge (forwarding), and Disable (blocking)

Step 4 (Optional): STP failover

If you want to see the link failover (a port transitioning from blocking to forwarding), disable the forwarding port. The command to disable a port is ‘set interfaces <name> disable’. To re-enable the port, change “disable” to “enable”, or enter ‘delete interfaces <name> disable’.

Exercise 2: MSTP and Load-Balance

MSTP (802.1s) increases the number of supported Layer 2 topologies (instances) in a bridged network: each instance can have a different Layer 2 forwarding topology. MSTP supports up to 64 instances. This allows traffic to be forwarded on all links while still maintaining a loop-free Layer 2 network.

Step 1: Changing STP status

Only one spanning-tree protocol can be active on the EX series switches. We will need to delete RSTP on all the switches. Type the following command ‘delete protocols rstp’.

I entered the below command on Switch 1. This will need to be done on Switch 2 and the Virtual Chassis.

juniper# delete protocols rstp

Step 2: Enable MSTP

The command to enable MSTP is, ‘set protocols mstp’

The below was done on Switch 1. The same command needs to be done on the other switches.

juniper# set protocols mstp

Step 3: Common Spanning Tree (CST) Root Bridge

Without going into great detail, CST comes into play when there are multiple regions. A region is a group of switches under common management. Multiple regions are commonly deployed in the metro space, whereas in the enterprise only a single region is required.

We will configure Switch 1 to be the CST root bridge. The command is the same as for STP/RSTP.

Enter the command below on Switch 1.

juniper# set protocols mstp bridge-priority 4k

Step 4: Instances

MSTP instances (MSTIs) are groups of VLANs. There is no restriction on the number of VLANs mapped to an instance; however, only 64 instances are available within a region. Each instance can have its own Layer 2 forwarding topology (all VLANs within an instance share the same Layer 2 forwarding topology). The Layer 2 forwarding topology of an instance depends on the placement of that instance's root. The command to configure the root for an instance is ‘set protocols mstp msti <msti_instance> bridge-priority <bridge_priority_value>’.

Use the table below for the MSTI and VLAN mapping.

Switch      MSTI   VLAN          Priority Value
Switch 1    1      Sales         4k
Switch 1    2      Engineering   default
Switch 2    1      Sales         default
Switch 2    2      Engineering   4k
VC          1      Sales         default
VC          2      Engineering   default

Enter the commands below on Switch 1.

set protocols mstp msti 1 bridge-priority 4k
set protocols mstp msti 1 vlan Sales
set protocols mstp msti 2 vlan Engineering

Enter the commands below on Switch 2.

set protocols mstp msti 2 bridge-priority 4k
set protocols mstp msti 1 vlan Sales
set protocols mstp msti 2 vlan Engineering

Enter the commands below on the Virtual Chassis.

set protocols mstp msti 1 vlan Sales
set protocols mstp msti 2 vlan Engineering

NOTE: The region requirement is that the instance-to-VLAN mappings, the revision level, and the configuration name must be the same on all switches.

Step 5: Commit the configuration changes and exit.

Step 6: Validate spanning-tree

Since Switch 1 is root for MSTI 1 and Switch 2 is root for MSTI 2, then we should have two different Layer 2 forwarding topologies for MSTI 1 and MSTI 2. Do ‘show spanning-tree interface’ for Switch 1 and Switch 2.

Below output is a ‘show spanning-tree interface’ from Switch 1.

<output truncated>
Spanning tree interface parameters for instance 1

Interface    Port ID   Designated   Designated           Port    State  Role
                       port ID      bridge ID            Cost
ae0.0        128:1     128:1        4097.0019e2508660    10000   FWD    DESG
ge-0/0/0.0   128:513   128:513      4097.0019e2508660    20000   FWD    DESG

Spanning tree interface parameters for instance 2

Interface    Port ID   Designated   Designated           Port    State  Role
                       port ID      bridge ID            Cost
ae0.0        128:1     128:1        32770.0019e250a000   10000   BLK    ALT
ge-0/0/0.0   128:513   128:513      4098.0019e2508f20    20000   FWD    ROOT

Take notice of the port role for MSTI 1 and MSTI 2.

Below output is a ‘show spanning-tree interface’ from Switch 2.

<output truncated>
Spanning tree interface parameters for instance 1

Interface    Port ID   Designated   Designated           Port    State  Role
                       port ID      bridge ID            Cost
ae0.0        128:1     128:2        32769.0019e250a000   10000   BLK    ALT
ge-0/0/0.0   128:513   128:513      4097.0019e2508660    20000   FWD    ROOT

Spanning tree interface parameters for instance 2

Interface    Port ID   Designated   Designated           Port    State  Role
                       port ID      bridge ID            Cost
ae0.0        128:1     128:1        4098.0019e2508f20    10000   FWD    DESG
ge-0/0/0.0   128:513   128:513      4098.0019e2508f20    20000   FWD    DESG

From both of the outputs above, there are two different Layer 2 forwarding topologies. For MSTI 1, Switch 1 is forwarding on both ports, whereas on Switch 2 interface ae0.0 is blocking and ge-0/0/0.0 is forwarding. For MSTI 2 it is the reverse: on Switch 1 port ae0.0 is blocking and ge-0/0/0.0 is forwarding, and both ports are forwarding on Switch 2.
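The bridge IDs printed in the RSTP output earlier (4096.00:19:e2:50:86:60) and in the MSTI outputs above (4097.0019e2508660, 32770.0019e250a000) follow one rule: the 16-bit number before the dot is the configured priority in its upper 4 bits plus an extended system ID in its lower 12 bits, which under MSTP is the instance number. The following Python is an added example, not part of the guide or of Junos; it parses both forms of bridge ID, checks the multiple-of-4096 rule behind ‘bridge-priority 4k’, and re-runs the per-instance root election for the lab using the MAC addresses taken from the outputs above.

```python
"""Bridge ID arithmetic behind the 'show spanning-tree' outputs in this section.

Added example, not part of the training guide or Junos. The 16-bit number
printed before the '.' in a bridge ID carries the configured bridge priority
in its upper 4 bits (hence 'bridge-priority' must be a multiple of 4096) and
an extended system ID in its lower 12 bits, which under MSTP is the MSTI
number. That is why Switch 1 shows 4096.00:19:e2:50:86:60 under RSTP but
4097.0019e2508660 for MSTI 1, and why the Virtual Chassis, left at the
default priority, shows 32769 and 32770 for MSTI 1 and 2.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True, order=True)
class BridgeId:
    """Comparable bridge ID: the lower value wins the root election."""
    priority_field: int  # 16-bit value printed before the '.'
    mac: int             # 48-bit bridge MAC address

    @property
    def priority(self) -> int:
        """Configured priority: upper 4 bits, always a multiple of 4096."""
        return self.priority_field & 0xF000

    @property
    def system_id_ext(self) -> int:
        """Extended system ID: lower 12 bits (MSTI number under MSTP, 0 for RSTP/CIST)."""
        return self.priority_field & 0x0FFF

    @property
    def mac_str(self) -> str:
        return ":".join(f"{(self.mac >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def parse_bridge_id(text: str) -> BridgeId:
    """Parse 'priority.mac' in either form Junos prints (colon-separated or bare hex)."""
    prio, mac = text.strip().split(".", 1)
    prio_val = int(prio)
    if not 0 <= prio_val <= 0xFFFF:
        raise ValueError(f"priority field out of range: {prio}")
    mac_hex = mac.replace(":", "")
    if len(mac_hex) != 12:
        raise ValueError(f"malformed MAC in bridge ID: {mac}")
    return BridgeId(prio_val, int(mac_hex, 16))


def configured_priority(value: str) -> int:
    """Translate the CLI form ('4k' or '4096') and enforce the multiple-of-4096 rule."""
    v = value.strip().lower()
    n = int(v[:-1]) * 1024 if v.endswith("k") else int(v)
    if n % 4096 or not 0 <= n <= 61440:
        raise ValueError("bridge-priority must be a multiple of 4096 between 0 and 61440")
    return n


def msti_bridge_id(priority: int, msti: int, mac: str) -> BridgeId:
    """Bridge ID a switch advertises for instance `msti` (0 = CIST, the RSTP case)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= msti <= 0x0FFF:
        raise ValueError("instance number must fit in 12 bits")
    return BridgeId(priority + msti, int(mac.replace(":", ""), 16))


def elect_root(candidates: Iterable[BridgeId]) -> BridgeId:
    """Lowest bridge ID wins: priority field first, MAC address as the tie-breaker."""
    return min(candidates)


# Lab switches: MAC addresses as they appear in the outputs above. Priorities
# follow Step 3 (CST root on Switch 1) and the MSTI table in Step 4; anything
# not listed stays at the default 32768.
LAB_MACS = {
    "Switch 1": "00:19:e2:50:86:60",
    "Switch 2": "00:19:e2:50:8f:20",
    "Virtual Chassis": "00:19:e2:50:a0:00",
}
LAB_PRIORITIES = {  # (switch, instance) -> configured priority
    ("Switch 1", 0): 4096,
    ("Switch 1", 1): 4096,
    ("Switch 2", 2): 4096,
}


def msti_roots(instances: Iterable[int] = (0, 1, 2)) -> Dict[int, str]:
    """Name of the root switch per instance, as the election rule predicts."""
    roots: Dict[int, str] = {}
    for msti in instances:
        ids = {
            msti_bridge_id(LAB_PRIORITIES.get((name, msti), 32768), msti, mac): name
            for name, mac in LAB_MACS.items()
        }
        roots[msti] = ids[elect_root(ids)]
    return roots


if __name__ == "__main__":
    for text in ("4096.00:19:e2:50:86:60", "4097.0019e2508660", "32770.0019e250a000"):
        b = parse_bridge_id(text)
        print(f"{text}: priority={b.priority} system-id-ext={b.system_id_ext} mac={b.mac_str}")
    print(msti_roots())  # {0: 'Switch 1', 1: 'Switch 1', 2: 'Switch 2'}
```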

Step 7 (Optional): STP Failover

If you want to see the link failover (a port transitioning from blocking to forwarding), disable the forwarding port. The command to disable a port is ‘set interfaces <name> disable’. To re-enable the port, change “disable” to “enable”, or enter ‘delete interfaces <name> disable’.

Redundant Trunk Group (RTG)

Redundant Trunk Group is a feature of EX series switches. RTG is a simple feature that is configured solely on the access layer switch with dual-homed connections. RTG provides a loop-free Layer 2 topology without the need for spanning-tree running on the access layer switch. It accomplishes this by making one link active and the other link standby.


Only 2 links are allowed per RTG group; these links do not forward BPDUs and drop any BPDU received on them. RTG is configured under the ethernet-switching-options stanza.

Objective:  

Configure RTG and interpret basic show command.

Exercise: RTG

Step 1: Delete MSTP on the access switch (Virtual Chassis)

RTG cannot be enabled on spanning-tree enabled interfaces.

Step 2: RTG Group

Only two links can be configured in a RTG group. One link will be active and forwarding traffic and the other link will be in standby.

The command to configure RTG is ‘set ethernet-switching-options redundant-trunk-group <group_name> interface <interface_name>’.

Configure RTG for interface ae0.0 and ae1.0 on the Virtual Chassis.

juniper# set ethernet-switching-options redundant-trunk-group group RTG-1 interface ae0.0
[edit]
juniper# set ethernet-switching-options redundant-trunk-group group RTG-1 interface ae1.0

Step 3: Commit and exit.

Step 4: Validate RTG

The command to validate RTG is ‘show redundant-trunk-group’ at the operational mode.

This command was taken on the Virtual Chassis.

juniper> show redundant-trunk-group
Group     Interface   State     Time of last flap   Flap
name                                                count
RTG-1     ae1.0       Up/Act    Never               0
          ae0.0       Up        Never               0

State tells whether the link is up and which link is currently active. The redundant link is up but not active, so no traffic flows across it. Based on the above output, the active RTG interface is ae1.0. The order of configuration does not dictate which interface is active; rather, the lexically higher interface is chosen as active.


Do ‘show spanning-tree interface’ on Switch 1 and Switch 2. Do you notice anything different from the outputs in the MSTP exercise?

Step 5: RTG Failover

Disable interface ae1.0 and then check if RTG failed over properly. Re-enable interface ae1.0 and then check RTG. Which port is active?

Exercise 2: Primary Keyword

If you want to make ae0.0 the active interface, you can manually fail it over (disable and re-enable interface ae1.0). Another option is the “primary” keyword. The ‘primary’ keyword ensures the interface is always active when its link is up; in other words, it will pre-empt.

Step 1: Configure primary keyword for ae0.0.

The syntax is ‘set ethernet-switching-options redundant-trunk-group <name> interface <name> primary’. The example below was entered on the Virtual Chassis.

juniper# set ethernet-switching-options redundant-trunk-group group RTG-1 interface ae0.0 primary

Step 2: Commit and exit

Step 3: Is ae0.0 active?

Issue ‘show redundant-trunk-group’ on the Virtual Chassis and it should match with the below sample output.

juniper> show redundant-trunk-group
Group     Interface   State         Last time of flap   Flap
name                                                    count
RTG1      ae0.0       Up/Pri/Act    Never               0
          ae1.0       Up            Never               0

Notice the State has another flag, ‘Pri’, to indicate the interface has been configured as the primary.

Step 4 (Optional): RTG Failover

Disable interface ae0.0 and then check if RTG failed over properly. Re-enable interface ae0.0 and then check RTG. Did ae0.0 pre-empt?

Access Port Security Features

There are specific access-port security features to prevent MAC spoofing, gratuitous ARP attacks, and other Layer 2 attacks. These features include DHCP snooping, dynamic ARP inspection (DAI), MAC limiting, and MAC move limiting.

DHCP snooping makes the switch aware of DHCP packets. When DHCP snooping is enabled, the switch only allows DHCP Discover/Request messages on untrusted (access) ports; trunk ports are trusted by default. This prevents rogue DHCP servers on the network. The switch also builds a database of MAC address, port location, and IP binding based on the DHCP packets exchanged between client and server.

DAI validates ARP packets on the network. The switch intercepts ARP reply packets from access ports and checks them against the IP-MAC database built by DHCP snooping. If a mismatch is found, the ARP packet is dropped. This prevents man-in-the-middle attacks such as ARP spoofing/poisoning.

MAC limiting is a feature that limits the number of MAC addresses that can be learned on an access port.

All access security configurations are done under the ethernet-switching-options secure-access-port stanza.

Objective:  

In this section we only focus on DHCP snooping and MAC limiting. At the end of these exercises, you will be able to configure DHCP snooping and MAC limiting and understand their show commands. A DHCP server is already configured; its IP address is 192.168.100.254.

Exercise 1: DHCP Snooping

Step 1: Layer 3 Interface

On Switch 1, configure a Layer 3 interface on ge-0/0/23. Before configuring the IP address, the interface needs to be taken out of Layer 2 mode by deleting family ethernet-switching. Next, assign an IP address to the interface with the command ‘set interfaces <name> unit 0 family inet address <xx.xx.xx.xx/yy>’ in configuration mode. Use the table below for the IP address assignment.

Device      Interface    Subnet/IP Address
Switch 1    ge-0/0/23    192.168.100.x/24

The sample command below was entered on Switch 1.

juniper# set interfaces ge-0/0/23.0 family inet address 192.168.100.1/24

Step 2: DHCP/bootp helper

Since the DHCP server is on a separate network from the clients, DHCP/bootp broadcasts are blocked at the Layer 3 boundary. Therefore we need to enable DHCP/bootp relay; the relay takes the DHCP request and unicasts it to the DHCP server.

Configure DHCP/bootp relay on Switch 1. Enter the command below exactly as it appears.

juniper# set forwarding-options helpers bootp server 192.168.100.254

Step 3: Commit and exit


Step 4: DHCP snooping

Enable DHCP snooping for the VLAN Sales on the Virtual Chassis. The command to enable snooping is ‘set ethernet-switching-options secure-access-port vlan <vlan_name> examine-dhcp’.

Below was entered on the Virtual Chassis switch.

juniper# set ethernet-switching-options secure-access-port vlan Sales examine-dhcp

Step 5: Commit and exit

Step 6: DHCP Request

To log onto the other PCs, click Operation --> Connect to Secondary at the top of the menu (as shown below).

First log onto PC 1 and 2. Disable the Odyssey Client first by unchecking “Use Odyssey to operate this adapter”, then launch the command prompt. From the command prompt, issue “ipconfig /release” and then “ipconfig /renew”.

Step 7: Check the DHCP snooping

The command to check the DHCP snooping is ‘show dhcp snooping binding’.

Below is an output of the DHCP snooping database on the Virtual Chassis.

juniper> show dhcp snooping binding
DHCP Snooping Information:
MAC address         IP address   Lease   Type      VLAN    Interface
00:50:56:10:00:01   10.1.1.1     14020   dynamic   Sales   ge-0/0/2.0
00:50:56:10:00:02   10.1.1.2     14019   dynamic   Sales   ge-0/0/2.0

The DHCP snooping table above maps each host MAC address to its IP address, VLAN, and interface. If DAI were enabled, the switch would intercept ARP replies and check them against the DHCP snooping table; an ARP reply that does not match is dropped.
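To make the DAI check described above concrete, here is an added Python example (not the switch's code and not part of the guide): it parses a binding table laid out like the ‘show dhcp snooping binding’ output, with rows constructed to match the two lab hosts, and applies the inspection rule to a few constructed ARP replies, including a spoof of PC 1's address and a reply on a trusted trunk.

```python
"""Dynamic ARP inspection (DAI) checked against a DHCP snooping binding table.

Added example, not the switch's own code. It parses a binding table in the
format 'show dhcp snooping binding' prints (rows constructed to match the
Virtual Chassis output above) and applies the rule the guide describes: an
ARP reply arriving on an untrusted (access) port is forwarded only if its
sender MAC/IP pair, VLAN and ingress interface agree with a binding; trunk
ports are trusted and are not inspected.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample, laid out like the 'show dhcp snooping binding' output above.
SNOOPING_OUTPUT = """\
DHCP Snooping Information:
MAC address         IP address   Lease   Type      VLAN    Interface
00:50:56:10:00:01   10.1.1.1     14020   dynamic   Sales   ge-0/0/2.0
00:50:56:10:00:02   10.1.1.2     14019   dynamic   Sales   ge-0/0/2.0
"""


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: int
    kind: str        # 'dynamic' (learned from DHCP) or 'static'
    vlan: str
    interface: str


@dataclass(frozen=True)
class ArpReply:
    sender_mac: str
    sender_ip: str
    vlan: str
    interface: str   # ingress interface
    trusted: bool    # True on trunk ports, which DAI does not inspect


def parse_snooping_table(text: str) -> Dict[Tuple[str, str], Binding]:
    """Return bindings keyed by (VLAN, IP); title, header and blank lines are skipped."""
    table: Dict[Tuple[str, str], Binding] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6 or f[3] not in ("dynamic", "static"):
            continue
        b = Binding(f[0].lower(), f[1], int(f[2]), f[3], f[4], f[5])
        table[(b.vlan, b.ip)] = b
    return table


def inspect_arp(table: Dict[Tuple[str, str], Binding], reply: ArpReply) -> Tuple[str, str]:
    """Apply the DAI rule; returns ('forward' | 'drop', reason)."""
    if reply.trusted:
        return "forward", "trusted port, not inspected"
    b = table.get((reply.vlan, reply.sender_ip))
    if b is None:
        return "drop", f"no DHCP binding for {reply.sender_ip} in VLAN {reply.vlan}"
    if b.mac != reply.sender_mac.lower():
        return "drop", f"sender MAC {reply.sender_mac} does not match binding {b.mac}"
    if b.interface != reply.interface:
        return "drop", f"binding learned on {b.interface}, reply arrived on {reply.interface}"
    return "forward", "matches DHCP snooping binding"


# Constructed ARP replies: PC 1's genuine reply, a claim on PC 1's IP from PC 2's
# MAC, a host that never went through DHCP, and a reply on the trusted uplink.
SAMPLE_REPLIES = {
    "genuine": ArpReply("00:50:56:10:00:01", "10.1.1.1", "Sales", "ge-0/0/2.0", False),
    "spoofed_ip": ArpReply("00:50:56:10:00:02", "10.1.1.1", "Sales", "ge-0/0/2.0", False),
    "no_lease": ArpReply("00:50:56:10:00:99", "10.1.1.99", "Sales", "ge-0/0/2.0", False),
    "uplink": ArpReply("00:19:e2:50:86:60", "10.1.1.254", "Sales", "ae0.0", True),
}


def lab_verdicts() -> Dict[str, str]:
    """Verdict for each sample reply against the sample binding table."""
    table = parse_snooping_table(SNOOPING_OUTPUT)
    return {name: inspect_arp(table, r)[0] for name, r in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    table = parse_snooping_table(SNOOPING_OUTPUT)
    for name, reply in SAMPLE_REPLIES.items():
        verdict, why = inspect_arp(table, reply)
        print(f"{name:12s} {verdict:8s} {why}")
```

Note that the host with no DHCP lease is dropped as well: a statically addressed host needs a static binding before DAI will pass its replies.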


Exercise 2: MAC Limiting

MAC limiting is a port security feature that limits the number of MAC addresses learned on an interface.

Step 1: Log off PC 1 and 2.

Step 2: Enable MAC Limiting

Limit 2 MAC addresses on interface ge-0/0/2. The command to enable MAC limiting is ‘set ethernet-switching-options secure-access-port interface <interface> mac-limit <no_of_MAC> action <none|drop|log|shutdown>’

The action descriptions are as follow:

• None – No action

• Drop – Drops the packet and logs it

• Shutdown – The port link does not go down, but the port will not allow any traffic

• Log – Logs a message

If you chose ‘shutdown’ as your action, the port is re-enabled by clearing the MAC address table for the interface. The command to clear the MAC address table is ‘clear ethernet-switching table interface <name>’.

The example below was configured on the Virtual Chassis.

juniper# set ethernet-switching-options secure-access-port interface ge-0/0/2.0 mac-limit 2 action drop

Step 3: Initiate DHCP for PC 1 through 3. You are only allowed to log onto 2 devices at a time, so you will need to disconnect from one of the machines. To disconnect, Operation --> Disconnect.

Step 4: Validate.

Depending on what action was configured, the show commands to validate are:


• ‘show ethernet-switching table interface’ – check the MAC table to see whether there are more than 2 MAC addresses for interface ge-0/0/2

• ‘show log messages | match limit’ to see any violation

Step 5: Remove the MAC limiting feature. To remove it, type ‘delete ethernet-switching-options secure-access-port’ in configuration mode. Commit and exit.

Step 6 (Optional): Statically allowed MAC address

Another option to limit MAC addresses is to configure them manually. The command to statically configure a MAC address is ‘set ethernet-switching-options secure-access-port interface <name> allowed-mac <xx.xx.xx.xx.xx.xx>’.
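To make the action semantics from Step 2 concrete, here is an added simulation in Python (not Junos code and not part of the guide) of one access port with ‘mac-limit 2’ and each of the four actions. It models the behaviour the exercise relies on: the third host's frames trigger the action, and a port in shutdown keeps its link up but passes nothing until its MAC table is cleared, which stands in for ‘clear ethernet-switching table interface <name>’. The model assumes that an address beyond the limit is never added to the table, whatever the action.

```python
"""Simulation of 'mac-limit <n> action <none|drop|log|shutdown>' on one access port.

Added example, not Junos code. Source MAC addresses are learned up to the
limit; a frame from a new address beyond the limit triggers the configured
action. 'shutdown' leaves the link up but blocks all traffic until the
port's MAC table is cleared (the 'clear ethernet-switching table interface'
step from the guide). Modelling assumption: an address beyond the limit is
never added to the table, regardless of the action.
"""
from typing import List, Tuple


class MacLimitedPort:
    ACTIONS = ("none", "drop", "log", "shutdown")

    def __init__(self, name: str, mac_limit: int, action: str = "none") -> None:
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}; expected one of {self.ACTIONS}")
        if mac_limit < 1:
            raise ValueError("mac-limit must be at least 1")
        self.name, self.mac_limit, self.action = name, mac_limit, action
        self.mac_table: List[str] = []  # dynamically learned addresses, in order
        self.log: List[str] = []        # what an operator would find with '| match limit'
        self.shutdown = False           # link stays up; forwarding is disabled

    def receive(self, src_mac: str) -> str:
        """Process one frame from src_mac and return 'forward' or 'drop'."""
        src_mac = src_mac.lower()
        if self.shutdown:
            return "drop"
        if src_mac in self.mac_table:
            return "forward"
        if len(self.mac_table) < self.mac_limit:
            self.mac_table.append(src_mac)
            return "forward"
        return self._violation(src_mac)

    def _violation(self, src_mac: str) -> str:
        msg = f"{self.name}: mac limit {self.mac_limit} exceeded by {src_mac}, action {self.action}"
        if self.action == "none":
            return "forward"          # no action at all, nothing logged
        self.log.append(msg)          # drop, log and shutdown all record the event
        if self.action == "log":
            return "forward"          # logged, but the frame still passes
        if self.action == "shutdown":
            self.shutdown = True      # every later frame is dropped until cleared
        return "drop"

    def clear_table(self) -> None:
        """Operator clears the interface's MAC table; a shut-down port resumes forwarding."""
        self.mac_table.clear()
        self.shutdown = False


# Constructed frames from three hosts (cf. PC 1 through 3); the third is over the limit.
FRAMES = ["00:50:56:10:00:01", "00:50:56:10:00:02", "00:50:56:10:00:01",
          "00:50:56:10:00:03", "00:50:56:10:00:01"]


def drill(action: str, frames: List[str] = FRAMES) -> List[str]:
    """Verdicts for the frames on a port with mac-limit 2, as in the lab."""
    port = MacLimitedPort("ge-0/0/2.0", mac_limit=2, action=action)
    return [port.receive(mac) for mac in frames]


def shutdown_recovery() -> Tuple[str, str, int]:
    """(verdict while shut down, verdict after clearing the table, log entries)."""
    port = MacLimitedPort("ge-0/0/2.0", mac_limit=2, action="shutdown")
    for mac in FRAMES:
        port.receive(mac)
    while_down = port.receive("00:50:56:10:00:01")
    port.clear_table()
    after_clear = port.receive("00:50:56:10:00:01")
    return while_down, after_clear, len(port.log)


if __name__ == "__main__":
    for action in MacLimitedPort.ACTIONS:
        print(f"{action:9s}", drill(action))
    print("shutdown recovery:", shutdown_recovery())  # ('drop', 'forward', 1)
```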

802.1X (This exercise is to be added in the near future)

802.1X is an IEEE standard for port-based network access control. It provides a mechanism to authenticate end users/devices before they access the network.

EX switches support the following EAP methods: MD5, TLS, TTLS, and PEAP. 802.1X is configured under the protocols dot1x stanza and is configurable on a per-port basis.

Per the topology (see the Lab Topology section), the RADIUS server is already configured and its IP address is 192.168.100.254/24. The PCs' NICs are already enabled for 802.1X authentication with EAP-MD5.

Objective:  

Configure the EX for 802.1X authentication and interpret basic show commands.

Note: The radius server and the PCs are pre-configured.

Exercise 1: Single Supplicant

Single supplicant mode only requires one supplicant to authenticate to an authenticator port. All other supplicants connecting to the authenticator port after the first supplicant has connected successfully, whether they are 802.1X enabled or not, are permitted free access to the port without further authentication. If the first authenticated supplicant logs out, all other supplicants are locked out until a supplicant successfully authenticates to the port.

Step 1: On the Virtual Chassis switch, enter into configuration mode.

Step 2: Radius Server

The RADIUS server parameters need to be configured on the Virtual Chassis. The command is ‘set access radius-server <ip_address> secret <password>’. The RADIUS parameters are shown in the table below.

Device    IP Address        Secret Password   Port
Radius    192.168.100.254   juniper           1812


The below was entered on the Virtual Chassis.

juniper# set access radius-server 192.168.100.254 secret juniper

Step 3: Radius Profile

JUNOS is flexible and allows multiple RADIUS profiles to be configured; essentially, each dot1x-enabled port can be associated with a different RADIUS profile. The command to create a RADIUS profile is ‘set access profile <name> authentication-order radius radius authentication-server <ip_address>’.

In the below command, I created a radius profile knockknock on the Virtual Chassis.

juniper# set access profile knockknock authentication-order radius radius authentication-server 192.168.100.254

Step 5: IP address

RADIUS communication is done over IP. Therefore, configure an RVI for Sales on the Virtual Chassis. The IP address for the Sales RVI is 10.1.x.252/24.

Step 6: Static routing

Since the RADIUS server is on a different network and the Virtual Chassis does not have a route to it, we need to create a static route. The command to configure a static route is ‘set routing-options static <destination/subnet_mask> next-hop <ip_address>’. The next-hop should be the default gateway.

The below command was entered on the Virtual Chassis. Since I was on Kit 1, then next-hop is 10.1.1.254.

juniper# set routing-options static 192.168.100.0/24 next-hop 10.1.1.254

Step 7: Enable dot1x

802.1X needs to be enabled on the ports that require 802.1X authentication. The syntax to enable 802.1X is ‘set protocols dot1x authenticator authentication-profile-name <name> interface <name> supplicant <supplicant_mode>’. There are 3 supplicant modes:

• single – only one supplicant is required to authenticate

• single-secure – only one supplicant can authenticate on the port

• multiple – each host needs to authenticate

The below command was entered on the Virtual Chassis for single supplicant.

juniper# set protocols dot1x authenticator authentication-profile-name knockknock interface ge-0/0/2.0 supplicant single

Step 8: 802.1x authentication


Switch over to PC 1 and open the Odyssey Client, and uncheck “Connect to the network” and “Use Odyssey to operate this adapter”. Re-check both fields. Repeat these steps for PC 2 and 3.

Step 9: Validate 802.1x

The command ‘show dot1x interface’ verifies 802.1X authentication.

The output below was taken from the Virtual Chassis. From it, auser1 is authenticated on interface ge-0/0/2.0 with the MAC address 00:50:56:10:00:01.

juniper> show dot1x interface
802.1X Information:
Interface     Role            State           MAC address         User
ge-0/0/2.0    Authenticator   Authenticated   00:50:56:10:00:01   auser1

Step 9: Can PC 2 and PC 3 obtain an IP address?

Check PC 2 and 3 to see if they got an IP address. At the command prompt, issue ipconfig for the respective PCs and check the switch to see if they were authenticated.

Exercise 2: Single-Secure

Single-secure mode only allows one supplicant to authenticate to an authenticator port. No other supplicant can connect to the authenticator port until the first supplicant logs out.

Step 1: Single-secure

On the Virtual Chassis, change the supplicant mode from single to single-secure for interface ge-0/0/2.0. Configuring single-secure overwrites the keyword “single”.

Step 2: Commit and exit.

Step 3: PC 1

Reauthenticate with PC 1. To reauthenticate, open Odyssey Client, and uncheck “Connect to the network” and “Use Odyssey to operate this adapter” and then re-check both fields.

Step 4: Verify 802.1x

Verify PC 1 has authenticated on the Virtual Chassis by issuing the command ‘show dot1x interface’.

Step 5: PC 2

Repeat step 3 for PC 2.

Step 6: Did it fail?

PC 2 should have failed 802.1X authentication and been unable to get an IP address from the DHCP server.

What did ‘show dot1x interface’ show for PC 2? The command to check for failed authentications is ‘show dot1x authentication-failed-users’.


The output below was taken from the Virtual Chassis. It lists all failed authentications; from it we see auser2 failed authentication on port ge-0/0/2.0.

juniper> show dot1x authentication-failed-users
Interface     MAC address         User
ge-0/0/2.0    00:50:56:10:00:02   auser2

Exercise 3: Multiple Supplicants

Multiple supplicant mode authenticates multiple supplicants individually on one authenticator port. You can configure up to “x” supplicants per port.

Step 1: Multiple supplicant

On the Virtual Chassis, allow multiple supplicant authentications for ge-0/0/2.

Step 2: Commit and exit.

Step 3: PC 1

Reauthenticate with PC 1. To reauthenticate, open Odyssey Client, uncheck “Connect to the network” and “Use Odyssey to operate this adapter”, and then re-check both fields. Repeat these steps for PC 2 and 3.

Step 4: Check dot1x

Validate that all 3 PCs are authenticated by issuing the ‘show dot1x interface’ command.

Traffic Analyzer (This exercise is to be added in the near future)

This feature gives the end user the capability to mirror traffic (source) to an analyzer port (monitor port/VLAN). The traffic to be mirrored can be a VLAN or port(s), and direction specific (TX only, RX only, or both).

The configuration on the EX series switches is done under the “ethernet-switching-options analyzer” stanza. Analyzer supports the following configuration:

• Standalone and Virtual Chassis (cross-member is supported)

• Analyzer port can be configured for either Local or Remote SPAN

• 1 session and 1 destination port

Objective:  

Configure traffic analyzer using the new method.

Exercise: Remote Analyzer

Remote SPAN allows network administrators to mirror traffic from one switch to a different switch.

Step 1: Source Port


On the Virtual Chassis there is a host connected to interface ge-1/0/2. Determine what type of traffic is being sent from that host. The command to configure the source is ‘set ethernet-switching-options analyzer <name> input <ingress|egress> <interface|VLAN>’. To monitor both directions, enter the command twice, once for ingress and once for egress.

In my example, I configured analyzer iseeyou source on the Virtual Chassis interface ge-1/0/2.0 for ingress only.

juniper# set ethernet-switching-options analyzer iseeyou input ingress interface ge-1/0/2.0

TIP: When the analyzer port would be oversubscribed, use the “ratio” keyword, which follows the analyzer name. Ratio mirrors one out of every <N> packets; valid values are 0 to 2047 and the default is 1.

Step 2: Analyzer

The command to configure the analyzer output is ‘set ethernet-switching-options analyzer <name> output <interface|VLAN>’.

The analyzer port is on Switch 2 interface ge-0/0/23. Since the source port is on the Virtual Chassis and the analyzer is on Switch 2, then we need to mirror the traffic to a VLAN. On the Virtual Chassis configure the analyzer and use the VLAN named Remote.

In the example below, I configured VLAN Remote for my analyzer VLAN.

juniper# set ethernet-switching-options analyzer iseeyou output vlan Remote

Step 3: VLAN destination

There can only be 1 destination for either port or VLAN.

On the Virtual Chassis, you will need to configure one of the LAGs as a member of VLAN Remote. Choose the LAG that is in a forwarding state: assuming your last configuration involving forwarding was RTG with primary on ae0.0, VLAN Remote needs to be added to interface ae0.0.

Step 4: Commit and quit.

Step 5: Validate analyzer

The command to validate analyzer is ‘show analyzer’. The output shows all the configured parameters for the analyzer session.

The below command was taken from the Virtual Chassis.

juniper> show analyzer
Analyzer name                         : iseeyou
Analyzer mirror ratio                 : 1
Analyzer loss priority                : Low
Analyzer ingress monitored interfaces : ge-1/0/2.0
Analyzer egress monitored interfaces  : None
Analyzer ingress monitored VLANs      : None
Analyzer monitor interface            : None
Analyzer monitor VLAN                 : Remote

The above output shows the source is ge-1/0/2.0, ingress only, mirrored to VLAN Remote.

Step 6: VLAN Remote

VLAN Remote needs to extend across the switch network. The command is ‘set vlans <name> interface <interface>’ or ‘set interfaces <name> unit 0 family ethernet-switching vlan members <name|vlan-id>’.

On Switch 1, add VLAN Remote to interface ae0.0 and ge-0/0/0.0.

Step 7: Commit and exit

Step 8: Remote analyzer

On Switch 2, add VLAN Remote to interface ge-0/0/0.0 and ge-0/0/23.0 (PC 4).

Step 9: Commit and exit.

Step 10: Packet Capture

Launch Wireshark on PC 4. From the toolbar, Capture --> Interface, start a live capture for interface 30.1.x.5. Please do not save the file when exiting.

What packets are being received on the Virtual Chassis switchport ge-1/0/2? You will see other traffic as well; match the MAC addresses you see against the Virtual Chassis’s MAC address table (show ethernet-switching table).

NOTE: The exercise we just completed works fine. However, for bi-directional mirroring or for mirroring a VLAN, the analyzer feature must also be configured on Switch 1 and Switch 2. With the previous method, traffic will not be mirrored because of MAC address source filtering (on a given VLAN, if the destination MAC address would send a frame back out the port it arrived on, the frame is dropped). Another problem is the number of MAC addresses learned on the monitoring VLAN, which counts against the total number of MAC addresses supported on the system. Configuring an analyzer on Switch 1 and 2 disables source filtering and MAC learning on the VLANs.


Exercise (Optional): Local Analyzer

You can configure a local analyzer on the Virtual Chassis. Instead of sending the mirrored traffic to a VLAN, you can send it to an interface. PC 2 and PC 3 are loaded with Wireshark.

J-Web

J-Web is a front-end GUI for configuring the EX series switches.

Objective:

Get familiar with J-Web.

Exercise:

Step 1: Enable J-Web. You can enable J-Web on any of the switches; we recommend enabling it on one of the standalone switches and on the Virtual Chassis.

juniper# set system services web-management http

Step 2: Commit and exit.

Step 3: Launch Internet Explorer on PC 4 and enter the me0 or vme0 IP address in the URL bar.

Step 4: Navigate through J-Web.
