Switching on SRX

Uploaded by hercule-premier, posted 14-Apr-2018


7/27/2019 Switching on SRX

APPLICATION NOTE

Copyright 2011, Juniper Networks, Inc.

J SERIES AND BRANCH SRX SERIES ETHERNET SWITCHING CONFIGURATION GUIDE


APPLICATION NOTE - J Series and Branch SRX Series Ethernet Switching

Table of Contents

Introduction
    Scope
    Software Scope
    Limitations in Ethernet Switching Implementation
Life of Packet in Ethernet Switching
Junos OS Release 11.2 Ethernet Switching Configuration Scenarios
    Enabling Ethernet Switching on the J Series
    Enabling Ethernet Switching on Branch SRX Series
    Configuring Layer 2 Switching
    Configuring VLANs
    Attaching Switch Ports to VLANs
    Extending Broadcast Domains and Configuring Tagged Interfaces
    Configuring Routed VLAN Interface (Integrated Routing and Bridging)
    Configuring Link Aggregation
    Configuring Spanning Tree Protocol
        Spanning Tree Protocol (IEEE 802.1D)
        Rapid Spanning Tree Protocol (IEEE 802.1w)
        Multiple Spanning Tree Protocol
    Configuring IEEE 802.1x Authentication
    Configuring IGMP Snooping
    Configuring 802.1q Tunneling
    Configuring Link Layer Discovery Protocol (LLDP) and LLDP-MED
J Series and Branch SRX Series Ethernet Switching Configuration Examples
    Simple Ethernet Switching
        Troubleshooting
    Adding VLANs
        Troubleshooting
    Routing Traffic Between VLANs
        Troubleshooting
    Adding Tagged Interface
        Troubleshooting
    Increasing Capacity with Link Aggregation
        Troubleshooting
    Loop Avoidance with STP
        Troubleshooting
    IEEE 802.1x Authentication
        Troubleshooting
    Multicast Snooping with IGMP Snooping Protocol
        Troubleshooting
    802.1q Tunneling (Q-in-Q Tunneling)
        Troubleshooting
About Juniper Networks


Table of Figures

Figure 1: Life of packet in Ethernet switching
Figure 2: Supported VLAN range on J Series and branch SRX Series
Figure 3: Trunk and access ports
Figure 4: Intra-VLAN and inter-VLAN packet forwarding
Figure 5: Link aggregation
Figure 6: Spanning Tree Protocol
Figure 7: Rapid Spanning Tree Protocol
Figure 8: Multiple Spanning Tree Protocol
Figure 9: IEEE 802.1x authentication
Figure 10: IGMP snooping
Figure 11: Q-in-Q tunneling
Figure 12: LLDP and LLDP-MED
Figure 13: Simple Ethernet switching
Figure 14: Ethernet switching with multiple VLANs
Figure 15: Inter-VLAN forwarding
Figure 16: Trunk port (or adding tagged interface)
Figure 17: Link aggregation
Figure 18: Loop avoidance with STP
Figure 19: IEEE 802.1x authentication
Figure 20: Multicast snooping with IGMP snooping
Figure 21: 802.1q tunneling


Introduction

Juniper Networks SRX Series Services Gateways for the branch and J Series Services Routers enable the enterprise to provide services without boundaries. The SRX Series products provide a comprehensive suite of Ethernet switching functionality. Ethernet switching features eliminate the need for Layer 2 switches in small branch offices and act as an aggregate switch in medium-sized branch offices.

Juniper Networks Junos operating system Release 9.2 for J Series routers introduces Ethernet switching features, integrated routing and bridging, and support for several Layer 2 protocols. These features have been present in branch SRX Series Services Gateways since their release.

Scope

This application note provides an overview of the Junos OS Layer 2 features for J Series and branch SRX Series Services Gateways. It describes common deployment scenarios, with detailed configurations. SRX Series data center products (SRX1400, SRX3000 line and SRX5000 line) do not support Ethernet switching functionality. All features discussed in this document reference SRX Series Services Gateways for the branch (Juniper Networks SRX100 Series Services Gateways, SRX200 Series Services Gateways, and SRX650 Services Gateway). All features and configurations discussed in this document are based on standalone deployment of J Series and branch SRX Series Services Gateways. Please refer to the SRX technical documentation for Ethernet switching features in an SRX chassis cluster environment.

The Ethernet switching features are limited by both hardware and software. The scope is defined in the following section.

Table 1: Hardware Scope

Platform    On-board    uPIM    MPIM    XPIM
J2320       No          Yes     No      No
J2350       No          Yes     No      No
J4350       No          Yes     No      No
J6350       No          Yes     No      No
SRX100      Yes         No      No      No
SRX110      Yes         No      No      No
SRX210      Yes         No      No*     No
SRX220      Yes         No      No*     No
SRX240      Yes         No      No*     No
SRX650      No          No      No      Yes**

(Yes = Ethernet switching supported on that port type, No = not supported.)

* Ethernet switching support is planned for a future release for the 1 Gigabit Ethernet SFP MPIM on the SRX210 and SRX240.

** As of Junos OS Release 10.2, Ethernet switching is not supported on the 10GbE XPIM.

Software Scope

Ethernet switching on the J Series and branch SRX Series is based on Juniper Networks EX Series Ethernet Switches functionality. As of Junos OS Release 11.2, the J Series and branch SRX Series support the following:

- Layer 2 switching of traffic, including support for both trunk and access ports
- Routed VLAN interface (or integrated routing and bridging)
- Spanning Tree Protocol (STP)
- Rapid Spanning Tree Protocol (RSTP)
- Multiple Spanning Tree Protocol (MSTP)
- Link aggregation, both static and using Link Aggregation Control Protocol (LACP)


- GARP VLAN Registration Protocol (GVRP)
- IEEE 802.1x authentication
    - Single/single-secure/multiple supplicant modes
    - Dynamic VLAN assignment
    - Guest VLAN and server-reject VLANs
    - RADIUS server failure conditions
    - MAC authentication
    - Authentication bypass
    - VoIP VLAN
- IGMP snooping
- IEEE 802.1ad dot1q tunneling (Q-in-Q)
- Link Layer Discovery Protocol (LLDP)

Limitations in Ethernet Switching Implementation

As of Junos OS Release 11.2, the following EX Series functionality is not supported on the J Series and branch SRX Series. Additionally, future features added to EX Series platforms are not expected to be automatically ported to the J Series and branch SRX Series.

- Layer 2 access control lists (ACLs)
- Quality of service (QoS) for switching ports
- SNMP MIB support (for the new Layer 2 features)
- Virtual chassis
- Port security
- L2 CoS functionality

In practice this means that the EX Series port security features (MAC limiting, DHCP snooping, dynamic ARP inspection) are not available on these switching ports, and, as described under Life of Packet below, traffic within a VLAN is never inspected by the flow module. Layer 2 segmentation on these platforms therefore rests on VLAN assignment alone; only traffic that crosses VLANs is subject to zones, policies and screens.

On J Series platforms, Ethernet switching is supported on only one universal PIM (uPIM) per J Series chassis.

MSTP is not supported on the SRX210.

The IGMP snooping and Q-in-Q features are not available for the SRX100.

The J Series and SRX100 do not support advanced 802.1x features such as dynamic VLAN, guest VLAN, server-reject VLAN, server fail operations, and VoIP VLAN. RADIUS accounting and MAC authentication are, however, available for the SRX100.

Advanced Q-in-Q features such as push, customer bundling, etc. are only supported on the SRX650.

Only SRX Series Services Gateways for the branch support Ethernet switching features in a chassis cluster environment. This document discusses Ethernet switching features on standalone deployments. For Ethernet switching in a chassis cluster environment, please refer to the SRX technical documentation.

Most of the limitations discussed in this section are expected to be fixed in later Junos OS releases. Please refer to the Future Support Reference for more information.


Life of Packet in Ethernet Switching

Figure 1: Life of packet in Ethernet switching

1. Intra-VLAN traffic. Once interfaces are configured in the same VLAN through the CLI or Juniper Networks J-Web Software, the Ethernet switch chip is programmed accordingly, and MAC learning and STP states are maintained at the chip. Packets in the same VLAN are switched internally at the Ethernet switch chip. They do not go through the flow architecture, and none of the security features are applied to this traffic.

2. Inter-VLAN traffic. Packets for different VLANs are routed/forwarded through the flow architecture.

2A. Incoming traffic is classified according to the port-based VLAN.

2B. The destination MAC address of inter-VLAN traffic is matched with the routed VLAN interface at the Ethernet switch chip, and all these packets are sent to the flow module for further processing.

2C. In the flow module, inter-VLAN traffic goes through all security checks and is routed to a different VLAN.

2D. Routed traffic is sent back to the Ethernet switch chip, which then sends the packets out through the interface of the destination VLAN.

Junos OS Release 11.2 Ethernet Switching Configuration Scenarios

This section discusses several deployment scenarios and their associated configurations.

Enabling Ethernet Switching on the J Series

The J Series platform supports two different modes of switching. Plain switching is the legacy bridge mode of operation, wherein a uPIM is treated as a bridge and all its Ethernet ports are part of this bridge. None of the features discussed in this document are supported in this mode, and the details of this mode are beyond the scope of this document. Enhanced switching mode converts the uPIM on the J Series into a modern Layer 2 switch. All protocols and features discussed in this document apply to this mode. Enhanced switching is configured under the [chassis fpc pic ethernet] level of the configuration hierarchy. For example, the following configuration enables a PIM in slot 6:

[Figure 1 shows the forwarding lookup in the Ethernet switch chip. Intra-VLAN traffic (1) is switched locally and never leaves the chip. Inter-VLAN traffic (2A to 2D) is handed to the flow module, where it passes the per-packet filter and policer, screens and session match; a new session goes through static NAT, destination NAT, route and zone lookup, policy, reverse static NAT, source NAT and services/ALG before a session is created, an existing session through TCP, NAT and ALG services; the packet then returns through the per-packet filter and shaper to the switch chip.]

chassis {
    fpc 6 {
        pic 0 {
            ethernet {
                pic-mode enhanced-switching;
            }
        }
    }
}

Note: In the current implementation, only one universal PIM per chassis can be configured with enhanced switching.


Enabling Ethernet Switching on Branch SRX Series

The Ethernet switching feature is enabled by default on branch SRX Series platforms. No explicit configuration is required to enable it.

Configuring Layer 2 Switching

Physical interfaces can operate in several modes. When an interface is configured with a Layer 3 address (such as an IPv4, IPv6, or ISO address), the interface routes traffic based on the destination address of each packet. If an interface is not given a Layer 3 address but is configured as part of the Ethernet switching protocol family, the interface forwards traffic based on the link layer destination address. The following configuration defines an interface as a switching port (note that the Layer 2 configuration is limited to unit 0 of an interface):

interfaces {
    ge-<slot>/0/<port> {
        unit 0 {
            family ethernet-switching;
        }
    }
}

Configuring VLANs

As in most modern switches, broadcast domains can be segmented using virtual LANs or VLANs, an approach that allows device segmentation by assigning ports to different broadcast domains. Traffic can be forwarded between member interfaces of the same VLAN, but not between interfaces that belong to different VLANs, effectively allowing the same physical device to be shared between different non-connected networks (a later section of this document describes how to forward traffic between different VLANs).

By default, all switching-enabled ports form part of the same broadcast domain. If an interface is enabled for Layer 2 switching but not associated with any VLAN, it becomes part of the default VLAN (VLAN ID 1 in the J Series and SRX Series). Because every switching port without an explicit VLAN membership lands in VLAN 1, an unused but enabled port shares a broadcast domain with every other unassigned port; assign each port to a VLAN explicitly rather than relying on the default. To configure a new domain, a VLAN has to be defined under the [vlans] hierarchy and given a unique identifier (VLAN ID).

vlans {
    <vlan-name> {
        vlan-id <vlan-id>;
    }
}

Please note the following limitation in the J Series and branch SRX Series devices for using VLAN IDs.

Table 2: Supported VLAN Range on J Series and branch SRX Series

Platform    Supported VLAN Range
J Series    1-4094
SRX100      1-4094
SRX110      1-4094
SRX210      1-4094*
SRX220      1-4094*
SRX240      1-3967
SRX650      1-3967

* VLAN 4093 is reserved for internal purposes in the SRX200 line.


Attaching Switch Ports to VLANs

Additionally, you can specify which interfaces are part of the newly created VLAN. There are two ways to allocate interfaces. (These ways are identical from a functional point of view; it is up to you to choose the method you prefer.)

The first way, under the [interfaces <interface-name> unit 0 family ethernet-switching] hierarchy, is to declare the VLAN as part of the interface configuration.

interfaces {
    ge-<slot>/0/<port> {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members <vlan-name>;
                }
            }
        }
    }
}

The second way, under the [vlans <vlan-name> interface] hierarchy, is to define the VLAN member interfaces.

vlans {
    <vlan-name> {
        interface {
            <interface-name>.0;
            <interface-name>.0;
        }
    }
}

Extending Broadcast Domains and Configuring Tagged Interfaces

Modern switching networks can be large enough to require the use of multiple switches (some require a tiered approach, with many switching layers). When multiple bridging domains span more than one switching device, it is convenient to allow traffic from many domains to be forwarded through the same link, while still separating the traffic from different domains. VLAN tagging (IEEE 802.1q) provides this functionality by extending the Ethernet header with a VLAN identifier (a 12-bit value) used to differentiate traffic from different VLANs. VLAN tagging reduces the number of interfaces needed to connect devices because a single interface can then carry traffic from multiple domains.

Switching interfaces that carry tagged traffic are referred to as trunk ports. An interface is called an access port when it carries single-VLAN untagged traffic. An access port cannot be part of multiple VLANs.

interfaces {
    ge-<slot>/<pic>/<port> {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ <vlan-name> <vlan-name> ];
                }
            }
        }
    }
}


Figure 2: VLAN tagging

By default, all switching interfaces are access ports. An interface can be configured as a trunk port by simply setting the port-mode value to trunk under [family ethernet-switching]. As shown in Figure 3, a trunk port can then be defined as part of multiple VLANs, which allows a switching port defined as a trunk port to be associated with more than one VLAN. Traffic forwarded from a trunk port is tagged using the VLAN ID of the originating VLAN, while received traffic is forwarded to the appropriate VLAN for distribution. Note that whatever is attached to a trunk port can inject tagged frames into any VLAN in its member list, so list only the VLANs that the link actually has to carry.

Figure 3: Trunk and access ports
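The three preceding steps (define the VLANs, attach access ports, carry both VLANs over one tagged uplink) combined into a single configuration. This is an added example written for this page, not configuration taken from the application note; the interface names ge-0/0/1 to ge-0/0/3, the VLAN names and IDs (staff/10, guest/20) and the choice of ge-0/0/3 as the uplink are assumptions.

```junos
/* Added example: two access VLANs and one 802.1q trunk uplink.
   Interface names and VLAN names/IDs are assumed for illustration. */
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;            /* access is the default; shown explicitly */
                vlan {
                    members staff;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members guest;
                }
            }
        }
    }
    ge-0/0/3 {
        /* uplink to the upstream switch: carries both VLANs, tagged */
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ staff guest ];  /* only the VLANs this link must carry */
                }
            }
        }
    }
}
vlans {
    staff {
        vlan-id 10;
    }
    guest {
        vlan-id 20;
    }
}
```

Hosts on ge-0/0/1 and ge-0/0/2 are in separate broadcast domains and cannot reach each other until a routed VLAN interface and a permitting security policy exist (next section). No native-vlan-id is configured on the trunk, so untagged frames arriving on ge-0/0/3 are dropped instead of landing in VLAN 1. Check the result with show vlans and show ethernet-switching interfaces.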

Configuring Routed VLAN Interface (Integrated Routing and Bridging)

As previously discussed, traffic can be forwarded between member interfaces of the same VLAN, but not between interfaces that belong to different VLANs. Traffic inside the same VLAN is switched, and traffic across different VLANs is routed. Hence, a Layer 3 device or interface is needed to forward traffic from one VLAN to another. The J Series and SRX Series provide logical Layer 3 interfaces called routed VLAN interfaces (or integrated routing and bridging interfaces) for this purpose. Each VLAN domain is tied to one of the logical routed VLAN interfaces. This scenario is equivalent to placing a switch in front of a router. Traffic that is not destined for the router is switched based on the Layer 2 information, and traffic that reaches the router is forwarded based on the Layer 3 information. As different VLAN domains can have unique Layer 3 addresses, traffic between VLAN domains can then be routed by Junos OS software, provided that security policies allow it.



Figure 4: Intra-VLAN and inter-VLAN packet forwarding

A logical Layer 3 interface or routed VLAN interface can be created under the [interfaces vlan] hierarchy. After the logical interface is created, it must be associated with a particular VLAN using the l3-interface keyword.


interfaces {
    vlan {
        unit <unit> {
            family inet {
                address <ip-address>/<prefix-length>;
            }
        }
    }
}
vlans {
    <vlan-name> {
        l3-interface vlan.<unit>;
    }
}

Routed VLAN interfaces are no different from any other Layer 3 interfaces in Junos OS and thus require the same configuration. In particular, these interfaces have to be assigned to a security zone, and security policies have to explicitly allow traffic to be forwarded between these interfaces and any other configured Layer 3 interfaces. Until the routed VLAN interface is placed in a zone and a permitting policy exists, inter-VLAN traffic is dropped by the flow module's default deny; only traffic within a VLAN, which never enters the flow module, is unaffected.
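The routed VLAN interface configuration above, completed with the security zones and the policy that the paragraph says are required. This is an added example written for this page, not configuration from the application note; the VLAN names and IDs, the unit numbers, the addresses, the zone names and the decision to permit only staff-initiated traffic toward guest are assumptions.

```junos
/* Added example: inter-VLAN routing through routed VLAN interfaces,
   with one zone per VLAN and a one-directional policy. All names and
   addresses are assumed for illustration. */
interfaces {
    vlan {
        unit 10 {
            family inet {
                address 10.10.10.1/24;    /* gateway address for VLAN staff */
            }
        }
        unit 20 {
            family inet {
                address 10.20.20.1/24;    /* gateway address for VLAN guest */
            }
        }
    }
}
vlans {
    staff {
        vlan-id 10;
        l3-interface vlan.10;
    }
    guest {
        vlan-id 20;
        l3-interface vlan.20;
    }
}
security {
    zones {
        security-zone staff {
            host-inbound-traffic {
                system-services {
                    ping;                 /* what staff hosts may send to the RVI itself */
                }
            }
            interfaces {
                vlan.10;
            }
        }
        security-zone guest {
            /* no host-inbound-traffic: guests cannot even ping their gateway;
               add dhcp here if this device is the DHCP server for the VLAN */
            interfaces {
                vlan.20;
            }
        }
    }
    policies {
        from-zone staff to-zone guest {
            policy staff-to-guest {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        /* There is deliberately no from-zone guest to-zone staff context:
           sessions initiated from guest toward staff hit the default deny.
           Return traffic for staff-initiated sessions is matched by the
           session table and does not need a reverse policy. */
    }
}
```

Verify with show security zones, show security policies and, once traffic flows, show security flow session. Remember that this policy only governs traffic crossing the routed VLAN interfaces; two hosts in the same VLAN are switched in the chip and never reach it.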


Configuring Link Aggregation

When connecting two switches together, it is sometimes advantageous to use two or more parallel connections, normally to provide redundancy. It is also desirable to increase the bandwidth between switches. The challenge is that Layer 2 networks have to be loop free, and loop avoidance protocols such as Spanning Tree Protocol (and all its variations and extensions such as RSTP and MSTP) deactivate all but one of these parallel connections, allowing parallel connections to solve the redundancy problem, but not the bandwidth limitation.

The solution to this problem is to use link aggregation, which defines how to load-balance traffic across multiple links (while guaranteeing that packets from a given flow are not reordered). The physical interfaces that form part of a link aggregation group can be statically configured or negotiated between endpoints using LACP (specified in IEEE 802.3ad). Endpoints are normally switches, but they can be servers with multiple network interface cards (NICs).

Figure 5: Link aggregation

To configure link aggregation, first create the aggregate interfaces by defining the number of aggregated interfaces in the system, then associate all the physical interfaces that are part of the aggregate bundle with one of the newly created aggregated interfaces.


chassis {
    aggregated-devices {
        ethernet {
            device-count <count>;
        }
    }
}

The aggregated device count refers to the total number of aggregated interfaces in the system, not the number of physical interfaces per aggregate bundle.

This configuration creates aggregate interfaces named ae0 to ae<count-1>. After these interfaces are created, you have to associate physical interfaces with them, which you do under the gigether-options hierarchy of each physical interface.


interfaces {
    <interface-name> {
        gigether-options {
            802.3ad <ae-name>;
        }
    }
}

LACP is not required between the endpoints, but if configured, it enables automatic traffic switchover when one or more links fail. It also prevents common misconfiguration errors by confirming that both devices are set up for link aggregation. LACP can be enabled under the aggregated-ether-options section of the aggregated interface (make sure that at least one of the endpoints is configured as active, as a passive endpoint does not initiate the LACP PDU exchange). link-speed under aggregated-ether-options specifies the link speed of each member interface that joins the bundle, and the minimum-links keyword specifies the minimum number of active links required for the bundle to be considered up. The default value of minimum-links is 1 for the J Series and branch SRX Series devices. A maximum of eight links can be bundled in a single AE (LAG) interface.

interfaces {
    <ae-name> {
        aggregated-ether-options {
            link-speed [100m|1g];
            minimum-links <number>;
            lacp {
                active|passive;
            }
        }
    }
}

After a bundle interface is created, it can be configured just like any other interface. For example, you can enable switching, add the interface to a VLAN (or a group of VLANs), and enable VLAN tagging.
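A complete bundle as described above: three physical members, LACP in active mode, a minimum-links threshold, and the bundle itself used as a tagged trunk. This is an added example written for this page, not configuration from the application note; the member interfaces ge-0/0/4 to ge-0/0/6, the VLAN names, the LACP timer and the value chosen for minimum-links are assumptions.

```junos
/* Added example: LACP bundle ae0 used as an 802.1q trunk.
   Member interfaces, VLAN names and the minimum-links value are assumed. */
chassis {
    aggregated-devices {
        ethernet {
            device-count 1;               /* creates ae0 only */
        }
    }
}
interfaces {
    ge-0/0/4 {
        gigether-options {
            802.3ad ae0;                  /* no unit 0 here: the L2 config lives on ae0 */
        }
    }
    ge-0/0/5 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/6 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        aggregated-ether-options {
            link-speed 1g;                /* every member must run at this speed */
            minimum-links 2;              /* survives one member failure; two failures take
                                             the bundle down so an alternate STP path, if any,
                                             takes over instead of one overloaded link */
            lacp {
                active;                   /* at least one side must be active */
                periodic fast;            /* 1-second LACPDUs: quicker detection of a dead member */
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ staff guest ];
                }
            }
        }
    }
}
vlans {
    staff {
        vlan-id 10;
    }
    guest {
        vlan-id 20;
    }
}
```

show lacp interfaces ae0 shows whether each member has reached the collecting/distributing state, and show interfaces ae0 terse shows the bundle itself. If only one side is configured for LACP, the bundle stays down rather than forwarding over a mismatched link, which is the misconfiguration protection the text refers to.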


Configuring Spanning Tree Protocol

Layer 2 switching networks tend to create loops when there are redundant paths between the source and destination. When such loops exist, a single frame can generate enormous amounts of traffic and easily bring down an entire Layer 2 network. J Series Services Routers and SRX Series Services Gateways provide loop prevention in Layer 2 switching networks using STP, RSTP, and MSTP. A loop-free network in spanning-tree topologies is created through the exchange of a special type of frame called a bridge protocol data unit (BPDU). Peer STP instances running on the switch interfaces use BPDUs to communicate. Ultimately, the exchange of BPDUs determines which interfaces block traffic (preventing loops) and which interfaces forward traffic.

STP uses the information carried in BPDUs to elect a root bridge/switch, identify a root port for each switch, identify a designated port for each physical LAN segment, and prune specific redundant links to create a loop-free tree topology. All non-root devices calculate the best path to the root device and place their ports in the blocking or forwarding state based on that path. The resulting tree topology provides a single active Layer 2 data path between any two end stations.

Spanning Tree Protocol (IEEE 802.1D)

STP is a legacy protocol defined in the IEEE 802.1D standard. STP is configured under the [edit protocols stp] hierarchy.

Figure 6: Spanning Tree Protocol (port roles shown: designated ports forwarding, root ports forwarding, alternate port blocked)

protocols {
    stp {
        bridge-priority <priority>;
        interface <interface-name> {
            cost <cost>;
        }
    }
}

Junos OS provides a number of options to control the Spanning Tree Protocol. The bridge priority of the Layer 2 switches determines which switch becomes the root of the network: the switch with the lowest priority is elected root (ties are broken by the lowest bridge MAC address). It is also an important input when a switch chooses its root port (the interface that leads toward the root of the topology). In Junos OS, bridge priority is configured under [protocols stp] with the bridge-priority keyword, in multiples of 4k (4096) from 0 up to 60k (61440). The default bridge priority is 32k (32768). Because the election is decided purely by the lowest bridge ID, any device that sends BPDUs with a lower priority takes over the root role; set an explicit, non-default priority on the intended root (and the next-lowest value on its backup) rather than relying on the default. Another important parameter that controls the Spanning Tree Protocol is link cost. Link costs default to values derived from the interface speed, but they can be overridden with configuration under [protocols stp interface <interface-name> cost].


Rapid Spanning Tree Protocol (IEEE 802.1w)

The legacy Spanning Tree Protocol is slow to converge on a loop-free topology: it takes around 30 to 50 seconds to converge and start forwarding data packets. Also, topology change propagation depends largely on the root bridge/switch. Rapid Spanning Tree Protocol (RSTP) is a newer IEEE standard defined to overcome these limitations. RSTP uses a handshake (proposal/agreement) mechanism between neighbors instead of the timer mechanism in STP, and it does not depend on the root bridge/switch to propagate topology changes through the network. It also introduces new port roles, alternate and backup ports, which act as redundant links for root and designated ports, respectively. In the event of a link failure, these alternate or backup ports take over immediately. RSTP is configured as follows:

protocols {
    rstp {
        bridge-priority <priority>;
        interface <interface-name> {
            cost <cost>;
        }
        interface <interface-name> {
            edge;
        }
    }
}

Figure 7: Rapid Spanning Tree Protocol

There is no difference between STP and RSTP in terms of configuration. RSTP also provides the bridge-priority and interface cost options to control the tree topology. An important feature available with RSTP is the edge port. When an interface is configured as an edge port, it forwards data immediately, and topology changes in the network do not affect it. This configuration is useful when end hosts are connected to the interfaces. To limit the damage from a wrong configuration, an edge port leaves edge state and starts participating in the spanning-tree state machine as soon as it receives BPDUs. Note that this fallback also means that whatever is plugged into a host-facing edge port can join the spanning tree simply by sending BPDUs, so the edge setting by itself does not protect the topology from an attached device. The edge port is configured under the [protocols rstp interface <interface-name> edge] hierarchy.
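To make the election rules above concrete, the following added Python example (written for this page, not code from the application note or from Junos) builds 802.1D bridge IDs, rejects priorities the bridge-priority statement would not accept, elects a root among several bridges, sums default path costs, and picks a root port by the RSTP priority-vector comparison. The bridge names, MAC addresses and link speeds are constructed; the default cost table is the IEEE 802.1t one that RSTP uses for an interface with no explicit cost.

```python
"""802.1D/RSTP bridge-ID arithmetic, root election and root-port choice.

Added example; bridges, MAC addresses and link speeds are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

PRIORITY_STEP = 4096        # bridge-priority must be a multiple of 4k ...
PRIORITY_MAX = 61440        # ... from 0 up to 60k (61440)
DEFAULT_PRIORITY = 32768    # 32k, the default

# IEEE 802.1t recommended path costs; RSTP uses these for an interface
# whose 'cost' is not configured explicitly.
DEFAULT_PATH_COST = {
    10_000_000: 2_000_000,
    100_000_000: 200_000,
    1_000_000_000: 20_000,
    10_000_000_000: 2_000,
}


def validate_bridge_priority(priority: int) -> int:
    """Reject values the bridge-priority statement would not accept."""
    if not 0 <= priority <= PRIORITY_MAX or priority % PRIORITY_STEP:
        raise ValueError(f"bridge priority {priority}: need a multiple of 4096 in 0..61440")
    return priority


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def bridge_id(priority: int, mac: str, ext: int = 0) -> int:
    """64-bit bridge ID: 4-bit priority | 12-bit system ID extension | 48-bit MAC.

    ext is 0 for plain STP/RSTP; MSTP carries the MSTI number there.
    """
    validate_bridge_priority(priority)
    if not 0 <= ext < PRIORITY_STEP:
        raise ValueError("system ID extension must fit in 12 bits")
    return ((priority + ext) << 48) | mac_to_int(mac)


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY


def elect_root(bridges: Iterable[Bridge]) -> Bridge:
    """The numerically lowest bridge ID wins. Priority is the high-order
    field, so it decides first; the MAC only breaks ties between equal
    priorities (which is all that happens when every switch is left at 32k)."""
    return min(bridges, key=lambda b: bridge_id(b.priority, b.mac))


def root_path_cost(link_speeds_bps: Iterable[int]) -> int:
    """Sum of the default costs of every link on a path toward the root."""
    return sum(DEFAULT_PATH_COST[speed] for speed in link_speeds_bps)


def choose_root_port(candidates: List[Tuple[str, int, int, int]]) -> str:
    """Root port from (port, root-path-cost, designated-bridge-id, designated-port-id).

    802.1D priority-vector order: lowest cost to the root, then lowest
    upstream bridge ID, then lowest upstream port ID.
    """
    return min(candidates, key=lambda c: c[1:])[0]


if __name__ == "__main__":
    srx1 = Bridge("SRX-1", "00:10:db:ff:10:01")
    srx2 = Bridge("SRX-2", "00:10:db:ff:10:02", priority=4096)  # intended root
    srx3 = Bridge("SRX-3", "00:10:db:ff:10:03")
    print("root:", elect_root([srx1, srx2, srx3]).name)
    # Anything that later sends BPDUs with priority 0 displaces SRX-2,
    # whatever its MAC address: the election has no notion of trust.
    rogue = Bridge("rogue", "ff:ff:ff:ff:ff:ff", priority=0)
    print("root after rogue joins:", elect_root([srx1, srx2, srx3, rogue]).name)
    print("root port on SRX-1:", choose_root_port([
        ("ge-0/0/1", root_path_cost([1_000_000_000, 1_000_000_000]), bridge_id(32768, srx3.mac), 1),
        ("ge-0/0/3", root_path_cost([1_000_000_000]), bridge_id(4096, srx2.mac), 2),
    ]))
```

Run stand-alone, it prints the elected root with and without the rogue bridge. With every switch left at the default 32k the root is simply whichever device has the lowest burned-in MAC address, which is rarely the one you would choose.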


Multiple Spanning Tree Protocol

Although RSTP provides faster convergence than STP, it still does not solve a problem inherent in STP: all VLANs within a LAN must share the same spanning tree. To solve this problem, J Series Services Routers and SRX Series Services Gateways use MSTP to create a loop-free topology in networks with multiple spanning-tree regions. An MSTP region allows a group of switches to be modeled as a single bridge. Multiple spanning-tree instances (MSTIs) are contained in an MSTP region. MSTIs provide different paths for different VLANs, which allows better load sharing across redundant links.

Figure 8: Multiple Spanning Tree Protocol (one redundant link is forwarding for VLAN Blue, MSTI 101, and blocked for VLAN Red, MSTI 102; the other is forwarding for VLAN Red and blocked for VLAN Blue)

The MSTP region can support up to 64 MSTIs, and each instance can support anywhere from 1 through 4094 VLANs.

protocols {
    mstp {
        configuration-name <name>;


Configuring IEEE 802.1X Authentication

IEEE 802.1X, which provides an authentication and authorization mechanism in wireless networks, is gaining popularity in wired networks. It provides network edge security, protecting Ethernet LANs from unauthorized access. An 802.1X-enabled switch (known as the authenticator) blocks all traffic from users (known as supplicants) connected to the switch until the user's credentials have been verified by an authentication server (a RADIUS server).

The J Series and SRX Series support three 802.1X supplicant modes per interface:

- Single: Only the first supplicant on the port is authenticated; any other device on the same port tailgates, that is, its traffic is allowed without authentication once the first supplicant has succeeded.
- Single secure: Only one supplicant is allowed on the port.
- Multiple: More than one supplicant is allowed on the port, and each one must authenticate.

As stated earlier, Ethernet switching features, including 802.1X, are inherited from the EX Series product line, but not all EX Series 802.1X features are available on the J Series and branch SRX Series. These platforms support the following:

- Dynamic VLAN assignment: After successful authentication, the supplicant is placed dynamically into a particular VLAN. Note that the VLAN ID must be configured for the user on the RADIUS server.
- Guest VLAN: Provides limited access to a LAN for supplicants that do not support 802.1X.
- Server-reject VLAN: When an 802.1X-compliant supplicant fails to authenticate (because of wrong credentials), the supplicant is assigned to the configured server-reject VLAN.
- RADIUS accounting: Accounting information is sent to the RADIUS accounting server whenever a user (supplicant) logs in or logs out. Accounting information includes the amount of traffic, login and logout times, and so on.
- MAC RADIUS or MAC authentication: Supplicants that do not support 802.1X can be authenticated by their MAC address via the MAC RADIUS feature. Note that the guest VLAN and MAC RADIUS features are mutually exclusive.
- Support for VoIP: IP telephones are supported. If the phone is 802.1X enabled, it is authenticated like any other supplicant. If the phone is not 802.1X enabled but has an 802.1X-capable device connected to its data port, that device is authenticated and VoIP traffic can then flow to and from the phone (provided that the interface is configured in single mode and not in single-secure mode). After successful authentication, the RADIUS server communicates a VLAN ID to the device so that all voice traffic is classified into this VLAN, also called the VoIP VLAN.
- Server failure cases: When the RADIUS server becomes unreachable, the J Series and SRX Series take one of the following configured actions:
  - Permit: Allow all authentication requests without authentication until the RADIUS server is reachable again. This fails open; choose it only where availability deliberately outranks access control.
  - Deny: Until the RADIUS server becomes reachable, all authentication requests are blocked.
  - VLAN: Place users that request authentication into a configured VLAN.
  - Cache: Reuse the previous authentication result for a user that requests authentication.
- Static MAC bypass: A list of MAC addresses can be configured on the J Series and branch SRX Series for which 802.1X authentication is bypassed. Because a MAC address is trivially spoofed, bypass entries (and MAC RADIUS) identify only a device's claimed address, not a user; keep the bypass list as short as possible.

Table 3: Supported 802.1X Features on J Series and Branch SRX Series Platforms

Feature                            SRX100  SRX110  SRX210  SRX220  SRX240  SRX650  J Series
Dynamic VLAN assignment            No      No      Yes     Yes     Yes     Yes     No
Authentication bypass              Yes     Yes     Yes     Yes     Yes     Yes     Yes
Bypass with VLAN assignment        No      No      Yes     Yes     Yes     Yes     No
Guest VLAN                         No      No      Yes     Yes     Yes     Yes     No
Server-reject VLAN                 No      No      Yes     Yes     Yes     Yes     No
Server failure fallback            No      No      Yes     Yes     Yes     Yes     No
VoIP VLAN                          No      No      Yes     Yes     Yes     Yes     No
RADIUS accounting                  Yes     Yes     Yes     Yes     Yes     Yes     No
MAC RADIUS or MAC authentication   Yes     Yes     Yes     Yes     Yes     Yes     No


Figure 9: IEEE 802.1X authentication (supplicants attach to the J Series/branch SRX Series acting as authenticator, which consults a RADIUS server before granting access to network resources)

protocols {
    dot1x {
        authenticator {
            authentication-profile-name abc;
            static {
                <mac-address>/<mask>;
            }
            interface {
                <interface-name> {
                    supplicant (single | single-secure | multiple);
                    guest-vlan <vlan-name>;
                    server-reject-vlan <vlan-name>;
                    server-fail (permit | deny | vlan-name <vlan-name> | cache);
                }
            }
        }
    }
}
access {
    radius-server {
        <server-address> secret <shared-secret>;
    }
    profile abc {
        authentication-order radius;
        radius {
            authentication-server <server-address>;
        }
    }
}


802.1X is enabled on an interface under [protocols dot1x authenticator interface <interface-name>]. The supplicant mode is configured under [protocols dot1x authenticator interface <interface-name> supplicant] and can be any of the three modes: single, single-secure, or multiple. Guest VLAN, server-reject VLAN, server-fail actions, and MAC authentication options are also configured under [protocols dot1x authenticator interface <interface-name>]. The authentication bypass list is configured under [protocols dot1x authenticator static].

A RADIUS server configuration is required for 802.1X to work. The RADIUS server is defined under [edit access radius-server], and an access profile that lists it as authentication-server must be created under [edit access profile]; that profile is then referenced under [protocols dot1x authenticator authentication-profile-name]. The shared secret is what authenticates the exchange between the authenticator and the RADIUS server; Junos OS stores it in the configuration in its reversible $9$ encoding, so treat configuration files and backups as sensitive.
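As an added illustration (written for this page, not code from the application note or from Junos), the Python model below encodes the admission rules just described: the three supplicant modes, the four server-fail actions and the static bypass list with its mac/prefix-length matching. The RADIUS server is a stub and every MAC address is constructed; the point is to see exactly which paths let traffic through without a successful authentication (tailgating in single mode, server-fail permit, and a bypass entry that any spoofed address can satisfy).

```python
"""Per-port 802.1X admission decisions in the terms used above.

Added example (not Juniper code) that models the supplicant modes,
server-fail actions and static MAC bypass list described in this section.
The RADIUS lookup is a stub and every MAC address is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Sequence, Set, Tuple


class RadiusUnreachable(Exception):
    """Raised by the RADIUS stub when the server does not answer."""


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def in_static_bypass(mac: str, bypass: Sequence[str]) -> bool:
    """Match 'mac/prefix-length' entries as written under
    [protocols dot1x authenticator static]; a bare MAC means /48."""
    addr = mac_to_int(mac)
    for entry in bypass:
        base, _, plen = entry.partition("/")
        bits = int(plen) if plen else 48
        mask = ((1 << bits) - 1) << (48 - bits)
        if (addr & mask) == (mac_to_int(base) & mask):
            return True
    return False


@dataclass
class Port:
    mode: str                          # single | single-secure | multiple
    server_fail: str = "deny"          # permit | deny | vlan | cache
    server_fail_vlan: Optional[str] = None
    authenticated: Set[str] = field(default_factory=set)
    cache: Dict[str, bool] = field(default_factory=dict)   # last RADIUS verdict per MAC


def admit(port: Port, mac: str, radius: Callable[[str], bool],
          bypass: Sequence[str] = ()) -> Tuple[bool, str]:
    """Decide whether frames from `mac` may pass `port`; returns (allowed, reason)."""
    if in_static_bypass(mac, bypass):
        return True, "static-bypass"
    if mac in port.authenticated:
        return True, "already-authenticated"
    if port.authenticated:
        if port.mode == "single":
            # Only the first supplicant was checked; anything else that shows
            # up on the port rides on that session without authenticating.
            return True, "tailgate"
        if port.mode == "single-secure":
            return False, "single-secure: another supplicant owns the port"
    try:
        ok = radius(mac)
    except RadiusUnreachable:
        if port.server_fail == "permit":
            return True, "server-fail permit (fails open)"
        if port.server_fail == "vlan":
            return True, f"server-fail vlan {port.server_fail_vlan}"
        if port.server_fail == "cache" and mac in port.cache:
            return port.cache[mac], "server-fail cache"
        return False, "server-fail deny"
    port.cache[mac] = ok
    if ok:
        port.authenticated.add(mac)
        return True, "authenticated"
    return False, "rejected"


# Constructed RADIUS stubs: a server that knows one good device, and one that is down.
KNOWN_GOOD = {"00:11:22:33:44:55"}


def radius_ok(mac: str) -> bool:
    return mac in KNOWN_GOOD


def radius_down(mac: str) -> bool:
    raise RadiusUnreachable(mac)
```

The model deliberately keeps no per-MAC state for tailgaters in single mode: the switch never authenticated them, so there is nothing to revoke when the first supplicant logs out except the whole port.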

Configuring IGMP Snooping

At Layer 2, all multicast traffic is treated as broadcast and is flooded to all ports of a switch in the same broadcast domain or VLAN. Because of this, a lot of bandwidth is wasted when only a few multicast receivers are connected to the switch. To overcome this limitation on J Series and branch SRX Series platforms, Junos OS provides a feature called IGMP snooping. Internet Group Management Protocol (IGMP) snooping regulates multicast traffic in a switched network. With IGMP snooping enabled, a LAN switch monitors the IGMP exchanges between hosts (network devices) and the multicast router, keeping track of the multicast groups and their member interfaces. The switch uses that information to make intelligent multicast-forwarding decisions and forward traffic only to the intended destination interfaces.

Figure 10: IGMP snooping (a source behind a PIM/IGMP router reaches the J Series/branch SRX Series with IGMP snooping through the multicast router interface; only ports with multicast receivers get the traffic)

protocols {
    igmp-snooping {
        vlan vlan10;
    }
}

IGMP snooping is configured per VLAN under [protocols igmp-snooping]. Once it is configured, the switch starts inspecting IGMP communication between multicast receivers (hosts) and the IGMP or PIM router. The interface on which IGMP queries are received is identified as the multicast router interface. A binding between a multicast group and an interface is created when join/report messages are received on that interface. When actual multicast data traffic for a particular group arrives on the router-connected interface, it is forwarded only to those interfaces that have a binding for that multicast group. Forwarding continues until an IGMP leave is received or, for IGMPv1 hosts that have no leave message, until the binding times out. All these operations are transparent to the IGMP/PIM router and the multicast receivers. Junos OS also provides options for manual configuration of multicast router interfaces and static bindings between multicast groups and interfaces. Note that this feature is not available on the SRX100.
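The following added Python example (written for this page, not Juniper code) models the snooping state the paragraph describes: router-port discovery from queries, group bindings from reports, their removal on leave or timeout, and the resulting per-group egress set. Port names, groups and timestamps are constructed; two assumptions are the ones a real implementation also makes, namely that general queries identify the router port and that traffic for a group nobody has joined goes only toward router ports. Note the security consequence built into the protocol: the switch cannot authenticate a querier, so any host that emits queries starts receiving every group's traffic.

```python
"""IGMP snooping state for one VLAN (added example, not Juniper code).

Models how a snooping switch turns observed IGMP queries, reports and
leaves into per-group forwarding decisions. Port names, groups and times
are constructed. Assumptions: the port on which general queries arrive is
the multicast router port, traffic for a group nobody has joined goes only
toward router ports, and bindings age out after the IGMPv2 default
Group Membership Interval (260 s) when no leave is heard.
"""
from typing import Dict, Set

GROUP_MEMBERSHIP_INTERVAL = 260.0   # seconds: 2 x 125 s query interval + 10 s response time


def flood(ports: Set[str], ingress: str) -> Set[str]:
    """Without snooping, multicast is treated like broadcast."""
    return set(ports) - {ingress}


class IgmpSnooper:
    def __init__(self, ports: Set[str]) -> None:
        self.ports = set(ports)
        self.mrouter_ports: Set[str] = set()
        self.bindings: Dict[str, Dict[str, float]] = {}   # group -> port -> expiry

    def on_query(self, ingress: str) -> None:
        """A general query marks the ingress port as a multicast router port.
        The switch has no way to authenticate the querier: any host that
        sends queries will start receiving every group's traffic."""
        self.mrouter_ports.add(ingress)

    def on_report(self, group: str, ingress: str, now: float) -> None:
        """Membership report (join): bind the group to the port and restart its timer."""
        self.bindings.setdefault(group, {})[ingress] = now + GROUP_MEMBERSHIP_INTERVAL

    def on_leave(self, group: str, ingress: str) -> None:
        """IGMPv2 leave: drop the binding for that port."""
        members = self.bindings.get(group, {})
        members.pop(ingress, None)
        if not members:
            self.bindings.pop(group, None)

    def expire(self, now: float) -> None:
        """IGMPv1 hosts never send a leave, so idle bindings simply time out."""
        for group in list(self.bindings):
            live = {p: t for p, t in self.bindings[group].items() if t > now}
            if live:
                self.bindings[group] = live
            else:
                del self.bindings[group]

    def egress(self, group: str, ingress: str, now: float) -> Set[str]:
        """Ports a data frame for `group` arriving on `ingress` is sent to:
        current members plus the router ports (a source inside the VLAN must
        still reach the router), never back out of the ingress port."""
        self.expire(now)
        return (set(self.bindings.get(group, {})) | self.mrouter_ports) - {ingress}
```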


Configuring 802.1Q Tunneling (Q-in-Q)

Q-in-Q tunneling allows service providers on Ethernet access networks to extend a Layer 2 Ethernet connection between two customer sites. This feature is very useful when J Series and branch SRX Series devices are deployed in a service provider network as provider edge (PE) devices. A PE device encapsulates incoming VLAN-tagged packets from customers into a provider VLAN and sends them across the provider network, and the receiving PE device removes the provider VLAN encapsulation and forwards the packets to the receiving customer site. In this way the customer's Layer 2 information (VLAN, priority) is intact when it is received at the other end.

Figure 11: Q-in-Q tunneling

In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) into the service provider's network, a second 802.1Q tag is added to the packet. This additional tag is used to segregate traffic into service-provider-defined service VLANs (S-VLANs). The original customer 802.1Q tag remains in the packet and is carried transparently across the service provider's network. As the packet leaves the S-VLAN in the downstream direction, the extra 802.1Q tag is removed.

In a Q-in-Q deployment, customer packets from downstream interfaces are transported without any changes to the source and destination MAC addresses. You can disable MAC address learning at both the interface level and the VLAN level; disabling it on customer-facing ports keeps the provider device's MAC table from being filled (or deliberately exhausted) by customer addresses it has no need to learn. Disabling MAC address learning on an interface disables learning for all the VLANs of which that interface is a member.

[Figure 11: customer sites exchange C-VLAN tagged frames with the J Series/branch SRX Series PE devices; across the service provider network the frames carry S-VLAN + C-VLAN tags]

vlans {
    <vlan-name> {
        vlan-id <s-vlan-id>;
        dot1q-tunneling {
            customer-vlans (native | <c-vlan-ids>);
        }
        interface {
            <interface-name> {
                mapping {
                    (native | <c-vlan-id>) {
                        push;
                    }
                }
            }
        }
        no-mac-learning;
    }
}
ethernet-switching-options {
    interfaces {
        <interface-name> {
            no-mac-learning;
        }
    }
}

When Q-in-Q tunneling is enabled on J Series and branch SRX Series platforms, it is assumed that trunk interfaces are part of the service provider network and access interfaces are customer facing. An access interface can receive both tagged and untagged frames in this case. There are three ways to map C-VLANs to an S-VLAN:

- All-in-one bundling: Use the dot1q-tunneling statement at the [vlans <vlan-name>] hierarchy without specifying customer VLANs. All packets from a specific access interface are mapped to the S-VLAN.
- Many-to-one bundling: Use the customer-vlans statement at the [vlans <vlan-name> dot1q-tunneling] hierarchy to specify which C-VLANs are mapped to the S-VLAN.
- Mapping a C-VLAN on a specific interface: Use the mapping statement at the [vlans <vlan-name> interface <interface-name>] hierarchy to map a specific C-VLAN on a specified access interface to the S-VLAN.

Note that only the SRX650 supports all three types (all-in-one, many-to-one, and C-VLAN mapping). The rest of the SRX Series platforms (except the SRX100) and the J Series support only all-in-one bundling. To disable MAC learning on a VLAN, configure no-mac-learning under [vlans <vlan-name>]. To disable it at the interface level, add the same keyword under [ethernet-switching-options interfaces <interface-name>]. Note that this feature is not available on the SRX100.
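To show what the PE actually does to a frame, here is an added Python example (written for this page, not code from the application note or from Junos) that builds a customer frame with a C-VLAN tag, pushes the S-VLAN tag as an all-in-one-bundled access port would, reads the resulting tag stack, and pops the S-tag at the far PE to recover the customer's frame unchanged. MAC addresses (from the IANA documentation range), VLAN IDs and payloads are constructed; 0x8100 is used for the pushed S-tag by default, with the 802.1ad TPID 0x88A8 available as a parameter.

```python
"""Push and pop 802.1Q tags the way Q-in-Q provider-edge ports do.

Added example (not from the application note): builds a customer frame
with a C-VLAN tag, pushes the S-VLAN tag at the ingress PE, reads the tag
stack as the provider core would, and pops the S-tag at the egress PE to
recover the original frame byte for byte. MAC addresses (IANA
documentation range), VLAN IDs and payloads are constructed.
"""
import struct
from typing import List, Tuple

TPID_8100 = 0x8100   # the C-tag TPID; also the default TPID for the pushed S-tag here
TPID_88A8 = 0x88A8   # the IEEE 802.1ad S-tag TPID
TPIDS = {TPID_8100, TPID_88A8, 0x9100}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ethernet_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def build_tag(vid: int, pcp: int = 0, dei: int = 0, tpid: int = TPID_8100) -> bytes:
    """4-byte tag: TPID then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID must be 0..4095")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return struct.pack("!HH", tpid, tci)


def push_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = TPID_8100) -> bytes:
    """Insert a tag right after the MAC addresses; existing tags shift inward untouched."""
    return frame[:12] + build_tag(vid, pcp, tpid=tpid) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost tag; an untagged frame is an error."""
    if struct.unpack_from("!H", frame, 12)[0] not in TPIDS:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]


def tag_stack(frame: bytes) -> List[Tuple[int, int, int]]:
    """(vid, pcp, tpid) for every tag, outermost first; [] for an untagged frame."""
    tags, off = [], 12
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPIDS:
            break
        tags.append((tci & 0x0FFF, tci >> 13, tpid))
        off += 4
    return tags


def pe_ingress(customer_frame: bytes, s_vid: int, tpid: int = TPID_8100) -> bytes:
    """Customer-facing access port: all-in-one bundling pushes the S-tag on every frame."""
    return push_tag(customer_frame, s_vid, tpid=tpid)


def pe_egress(provider_frame: bytes) -> bytes:
    """Remote PE: strip the S-tag, leaving the customer's own tag (if any) intact."""
    return pop_tag(provider_frame)


# Constructed customer frame: C-VLAN 10, priority 5, carrying a dummy IPv4 payload
CUSTOMER_FRAME = push_tag(
    ethernet_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", 0x0800, b"\x45" + b"\x00" * 19),
    vid=10, pcp=5)
```

Because the PE only ever prepends and strips the outer tag, the customer's PCP bits and VLAN ID come out exactly as they went in; the only thing the provider sees is the S-VLAN, which is what makes the per-customer isolation work.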

Configuring Link Layer Discovery Protocol (LLDP) and LLDP-MED

The J Series and branch SRX Series use the Link Layer Discovery Protocol (LLDP) and Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) to learn and distribute device information on network links. The information allows the switch to quickly identify a variety of devices, resulting in a LAN that interoperates smoothly and efficiently.

LLDP-capable devices transmit information in type, length, and value (TLV) messages to neighbor devices. Device information can include specifics such as chassis and port identification, system name, and system capabilities. The TLVs take this information from parameters that have already been configured in Junos OS. Because these advertisements are sent unauthenticated to whatever is attached to the link, they also hand anyone on that link an inventory of the device; enable LLDP only on interfaces where that disclosure is acceptable.

LLDP-MED goes one step further, exchanging IP-telephony messages between the switch and the IP telephone. These TLV messages provide detailed information on Power over Ethernet (PoE) policy. The PoE management TLVs let the switch ports advertise the power level and power priority needed. For example, the switch can compare the power needed by an IP telephone running on a PoE interface with the available resources. If the switch cannot meet the resources required by the IP telephone, the switch can negotiate with the telephone until a compromise on power is reached.

Figure 12: LLDP and LLDP-MED (network peripherals attached to a J Series/branch SRX Series with LLDP/LLDP-MED)
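To show what is actually on the wire, here is an added Python example (written for this page, not Juniper code) that builds an LLDPDU from the TLVs named above and parses one back, including the mandatory-order and End-of-LLDPDU checks a receiver should make and an LLDP-MED organizationally specific TLV. The chassis MAC, port name, system name and description, and the MED capability bytes are constructed values.

```python
"""Build and parse an LLDPDU (added example, not Juniper code).

LLDP frames go to 01:80:c2:00:00:0e with EtherType 0x88CC and carry TLVs:
a 7-bit type, a 9-bit length, then the value. Chassis ID (1), Port ID (2)
and TTL (3) must come first; End of LLDPDU (0) terminates the list.
Organizationally specific TLVs (127) carry LLDP-MED (OUI 00-12-BB).
The sample values below are constructed.
"""
import struct
from typing import Dict, List, Tuple

LLDP_MULTICAST = "01:80:c2:00:00:0e"
LLDP_ETHERTYPE = 0x88CC
MED_OUI = "0012bb"

TLV_NAMES = {4: "port-description", 5: "system-name", 6: "system-description"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("type is 7 bits, length is 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: str, port_name: str, ttl: int,
                 system_name: str, system_description: str) -> bytes:
    mac = bytes.fromhex(chassis_mac.replace(":", ""))
    return b"".join([
        tlv(1, b"\x04" + mac),                      # chassis ID subtype 4 = MAC address
        tlv(2, b"\x05" + port_name.encode()),       # port ID subtype 5 = interface name
        tlv(3, struct.pack("!H", ttl)),
        tlv(5, system_name.encode()),
        tlv(6, system_description.encode()),
        # LLDP-MED capabilities TLV: OUI, subtype 1, 2-byte capability bits,
        # 1-byte device type (constructed values)
        tlv(127, bytes.fromhex(MED_OUI) + b"\x01" + b"\x00\x0f\x04"),
        tlv(0, b""),
    ])


def decode_id(value: bytes, mac_subtype: int) -> str:
    """Chassis/Port ID values start with a subtype byte; MACs are printed, others decoded as text."""
    subtype, body = value[0], value[1:]
    if subtype == mac_subtype and len(body) == 6:
        return ":".join(f"{b:02x}" for b in body)
    return body.decode("utf-8", "replace")


def parse_lldpdu(data: bytes) -> Dict[str, object]:
    info: Dict[str, object] = {}
    org: List[Tuple[str, int, bytes]] = []
    order: List[int] = []
    off = 0
    while off + 2 <= len(data):
        header = struct.unpack_from("!H", data, off)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        off += 2 + length
        order.append(tlv_type)
        if tlv_type == 0:
            break
        if tlv_type == 1:
            info["chassis-id"] = decode_id(value, mac_subtype=4)
        elif tlv_type == 2:
            info["port-id"] = decode_id(value, mac_subtype=3)
        elif tlv_type == 3:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type in TLV_NAMES:
            info[TLV_NAMES[tlv_type]] = value.decode("utf-8", "replace")
        elif tlv_type == 127:
            org.append((value[:3].hex(), value[3], value[4:]))
    else:
        raise ValueError("missing End of LLDPDU TLV")
    if order[:3] != [1, 2, 3]:
        raise ValueError("Chassis ID, Port ID and TTL must be the first three TLVs")
    if org:
        info["org-specific"] = org
    return info


def is_well_formed(data: bytes) -> bool:
    try:
        parse_lldpdu(data)
        return True
    except (ValueError, IndexError, struct.error):
        return False
```

Everything the parser recovers was sent in the clear to a link-local multicast address, which is the point of the caveat above: an attacker on the segment gets the chassis MAC, port name and system description without sending a single frame.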


J Series and Branch SRX Series Ethernet Switching Configuration Examples

Simple Ethernet Switching

This example details the configuration needed to use a J Series device and a branch SRX Series device as simple Layer 2 switches. The topology is illustrated in Figure 13.

Figure 13: Simple Ethernet switching (ports ge-0/0/5 and ge-0/0/9)

The associated configuration is as follows:

set interfaces ge-0/0/5 unit 0 family ethernet-switching
set interfaces ge-0/0/9 unit 0 family ethernet-switching

Troubleshooting

Both interfaces, ge-0/0/5 and ge-0/0/9, should be part of the default VLAN:

regress@SRX-1> show vlans
Name           Tag     Interfaces
default        1
                       ge-0/0/5.0*, ge-0/0/9.0*

Adding VLANs

Now suppose that this small branch office has two departments, SALES and OPERATIONS. To isolate the departments and prevent traffic from leaking between domains, VLANs are added to the design, resulting in the new topology illustrated in Figure 14.

Figure 14: Ethernet switching with multiple VLANs (SALES on ge-0/0/5 and ge-0/0/9; OPERATIONS on ge-0/0/7 and ge-0/0/11)

set vlans OPERATIONS vlan-id 20
set vlans SALES vlan-id 10
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members OPERATIONS


Troubleshooting

The following command shows the interface-to-VLAN associations:

regress@SRX-1> show vlans
Name           Tag     Interfaces
OPERATIONS     20
                       ge-0/0/7.0*, ge-0/0/11.0*
SALES          10
                       ge-0/0/5.0*, ge-0/0/9.0*
default        1
                       None

Routing Traffic Between VLANs

Now assume that this small branch needs to provide connectivity between the different business units, but that the connectivity must be controlled by assigning each business unit its own Layer 3 segment. Consequently, traffic between units is routed and inspected by the firewall module, where traffic policies can be enforced, as illustrated in Figure 15. The following configuration adds two Layer 3 interfaces, one for each VLAN, which serve as default gateways for the respective network segments. These new VLAN interfaces are then added to security zones, and security policies are defined to allow traffic between the zones. In this example, two security zones, SALES and OPERATIONS, are created, and HTTP traffic is allowed between them (bidirectional). Anything the policies do not match falls through to the SRX default deny, so only HTTP crosses between the segments. Note that traffic between two hosts in the same VLAN is switched at Layer 2 and never reaches the firewall; only inter-VLAN traffic is subject to these policies.

Figure 15: Inter-VLAN forwarding (SALES segment 10.1.1.0/24 on ge-0/0/5 and ge-0/0/9; OPERATIONS segment 10.1.2.0/24 on ge-0/0/7 and ge-0/0/11)

set vlans OPERATIONS vlan-id 20
set vlans OPERATIONS l3-interface vlan.20
set vlans SALES vlan-id 10
set vlans SALES l3-interface vlan.10
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces vlan unit 10 family inet address 10.1.1.1/24
set interfaces vlan unit 20 family inet address 10.1.2.1/24
set security zones security-zone SALES interfaces vlan.10
set security zones security-zone OPERATIONS interfaces vlan.20
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match destination-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match application junos-http
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit

Troubleshooting

Along with the VLAN associations, the routed VLAN interfaces should be up to forward traffic between the VLANs:

regress@SRX-1> show vlans
Name           Tag     Interfaces
OPERATIONS     20
                       ge-0/0/7.0*, ge-0/0/11.0*
SALES          10
                       ge-0/0/5.0*, ge-0/0/9.0*
default        1
                       None

regress@SRX-1> show interfaces vlan terse
Interface      Admin Link Proto    Local                 Remote
vlan           up    up
vlan.10        up    up   inet     10.1.1.1/24
vlan.20        up    up   inet     10.1.2.1/24

Adding a Tagged Interface

Figure 16: Trunk port (for adding a tagged interface)

Now assume that the J Series and SRX Series devices are connected to another SRX Series device. SALES and OPERATIONS users on one switch want to access their respective servers on the other switch while keeping their VLAN domains separate, as shown in Figure 16. Interface ge-0/0/3 on each device is connected to the other and configured as a trunk port to carry SALES and OPERATIONS VLAN traffic.

[Figure 16: SRX-1 (ge-0/0/5, ge-0/0/7) and SRX-2 (ge-0/0/9, ge-0/0/11) connected back to back over ge-0/0/3 on each device, configured as a trunk port]


SRX-1 Configuration

set vlans OPERATIONS vlan-id 20
set vlans OPERATIONS l3-interface vlan.20
set vlans SALES vlan-id 10
set vlans SALES l3-interface vlan.10
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces vlan unit 10 family inet address 10.1.1.1/24
set interfaces vlan unit 20 family inet address 10.1.2.1/24
set security zones security-zone SALES interfaces vlan.10
set security zones security-zone OPERATIONS interfaces vlan.20
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match destination-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match application junos-http
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit

SRX-2 Configuration

set vlans OPERATIONS vlan-id 20
set vlans OPERATIONS l3-interface vlan.20
set vlans SALES vlan-id 10
set vlans SALES l3-interface vlan.10
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces vlan unit 10 family inet address 10.1.1.1/24
set interfaces vlan unit 20 family inet address 10.1.2.1/24
set security zones security-zone SALES interfaces vlan.10
set security zones security-zone OPERATIONS interfaces vlan.20
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match destination-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match application junos-http
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit

Troubleshooting

Access ports should be untagged members of their VLANs, and trunk ports tagged members. A trunk port is a member of multiple VLANs:

regress@SRX-1> show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging    Blocking
ge-0/0/3.0   up     OPERATIONS          20    tagged     unblocked
                    SALES               10    tagged     unblocked
ge-0/0/5.0   up     SALES               10    untagged   unblocked
ge-0/0/7.0   up     OPERATIONS          20    untagged   unblocked

regress@SRX-2> show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging    Blocking
ge-0/0/3.0   up     OPERATIONS          20    tagged     unblocked
                    SALES               10    tagged     unblocked
ge-0/0/9.0   up     SALES               10    untagged   unblocked
ge-0/0/11.0  up     OPERATIONS          20    untagged   unblocked

Increasing Capacity with Link Aggregation

As the small branch office grows, with increasing numbers of applications requiring additional bandwidth, a bottleneck is created between the router and the switch. To alleviate this problem, link aggregation is configured and a new link between the devices is added.

Figure 17: Link aggregation

Interfaces ge-0/0/1 and ge-0/0/3 are bundled into aggregated Ethernet interface ae0 on both switches, and ae0.0 is configured as a trunk port to carry SALES and OPERATIONS VLAN traffic.

[Figure 17: SRX-1 (ge-0/0/5, ge-0/0/7) and SRX-2 (ge-0/0/9, ge-0/0/11) connected over the ae0.0 trunk port]


SRX-1 Configuration

set vlans OPERATIONS vlan-id 20
set vlans OPERATIONS l3-interface vlan.20
set vlans SALES vlan-id 10
set vlans SALES l3-interface vlan.10
set chassis aggregated-devices ethernet device-count 2
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ge-0/0/3 gigether-options 802.3ad ae0
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members SALES
set interfaces ae0 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces vlan unit 10 family inet address 10.1.1.1/24
set interfaces vlan unit 20 family inet address 10.1.2.1/24
set security zones security-zone SALES interfaces vlan.10
set security zones security-zone OPERATIONS interfaces vlan.20
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match destination-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match application junos-http
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit

    SX-2Conguration

    set vlans OPERATIONS vlan-id 20set vlans OPERATIONS l3-interface vlan.20set vlans SALES vlan-id 10set vlans SALES l3-interface vlan.10set chassis aggregated-devices ethernet device-count 2set interfaces ge-0/0/1 gigether-options 802.3ad ae0set interfaces ge-0/0/3 gigether-options 802.3ad ae0set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALESset interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members OPERATIONSset interfaces ae0 aggregated-ether-options lacp activeset interfaces ae0 unit 0 family ethernet-switching port-mode trunk

    set interfaces ae0 unit 0 family ethernet-switching vlan members SALESset interfaces ae0 unit 0 family ethernet-switching vlan members OPERATIONSset interfaces vlan unit 10 family inet address 10.1.1.1/24set interfaces vlan unit 20 family inet address 10.1.2.1/24set security zones security-zone SALES interfaces vlan.10set security zones security-zone OPERATIONS interfaces vlan.20set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP matchsource-address anyset security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP matchdestination-address anyset security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP matchapplication junos-http


    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit

    Troubleshooting

    The multiplexer (mux) state of every member interface of the LAG should be "Collecting distributing"; a member in any other
    mux state is not carrying traffic for the bundle. L2 switching functionality is configured on the aggregated interface
    (in this example ae0 is made the trunk port).

    regress@SRX-1> show lacp interfaces
    Aggregated interface: ae0
        LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
          ge-0/0/5       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          ge-0/0/5     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
          ge-0/0/7       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          ge-0/0/7     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
        LACP protocol:        Receive State  Transmit State          Mux State
          ge-0/0/5                  Current   Fast periodic Collecting distributing
          ge-0/0/7                  Current   Fast periodic Collecting distributing

    regress@SRX-1> show ethernet-switching interfaces
    Interface    State  VLAN members   Tag   Tagging   Blocking
    ae0.0        up     OPERATIONS     20    tagged    unblocked
                        SALES          10    tagged    unblocked
    ge-0/0/5.0   up     SALES          10    untagged  unblocked
    ge-0/0/7.0   up     OPERATIONS     20    untagged  unblocked
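    The mux-state check above is easy to automate when LAGs are verified across many branch devices. The following is an
    added example (not code from this application note or from Juniper): it parses text in the layout of "show lacp interfaces"
    and reports members that are not really in the bundle. The sample output is constructed, with ge-0/0/7 deliberately stuck in
    the Attached state so that the check has something to flag.

```python
import re

# Constructed sample modelled on the "show lacp interfaces" output shown above;
# ge-0/0/7 is deliberately left in the Attached mux state with Dist/Col = No so
# the check has a failing member to flag. This is not the page's own output.
SAMPLE_LACP = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/5       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/5     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/7       Actor    No    No    No   No  Yes   Yes     Fast    Active
      ge-0/0/7     Partner    No    No    No   No   No   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/0/5                  Current   Fast periodic Collecting distributing
      ge-0/0/7                  Current   Fast periodic Attached
"""

# Columns of the "LACP state" table: Role Exp Def Dist Col Syn Aggr Timeout Activity
STATE_RE = re.compile(r"^\s*(\S+)\s+(Actor|Partner)" + r"\s+(\S+)" * 8 + r"\s*$")
# Columns of the "LACP protocol" table: Receive State, Transmit State, Mux State.
# The receive state is assumed to be a single word (Current, Expired, Defaulted).
PROTO_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(Fast|Slow|No) periodic\s+(.+?)\s*$")
FLAGS = ("exp", "def", "dist", "col", "syn", "aggr")


def parse_lacp(text):
    """Map bundle -> member -> {"actor": flags, "partner": flags, "mux": state}."""
    bundles, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*Aggregated interface:\s+(\S+)", line)
        if m:
            current = bundles.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        m = STATE_RE.match(line)
        if m:
            member, role = m.group(1), m.group(2).lower()
            current.setdefault(member, {})[role] = dict(zip(FLAGS, m.groups()[2:8]))
            continue
        m = PROTO_RE.match(line)
        if m:
            current.setdefault(m.group(1), {})["mux"] = m.group(4)
    return bundles


def lacp_problems(text):
    """List members that are not actually carrying traffic: mux state other than
    'Collecting distributing', or actor/partner Dist and Col flags not both Yes."""
    problems = []
    for ae, members in parse_lacp(text).items():
        for member, info in sorted(members.items()):
            mux = info.get("mux", "unknown")
            if mux != "Collecting distributing":
                problems.append(f"{ae} {member}: mux state is {mux}")
            for role in ("actor", "partner"):
                flags = info.get(role, {})
                if flags.get("dist") != "Yes" or flags.get("col") != "Yes":
                    problems.append(f"{ae} {member}: {role} Dist/Col not Yes")
    return problems
```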

    Loop Avoidance with STP

    Another device, SRX-3 (a J Series or branch SRX Series device), is connected to both SRX-1 and SRX-2 as shown in Figure 18.
    To avoid loops in the network, STP is configured.

    Figure 18: Loop avoidance with STP

    Rapid Spanning Tree Protocol is enabled on all devices, and SRX-2 is made the root switch. Interfaces connected to
    end hosts, such as user workstations or servers, are configured as edge ports.

    [Figure 18 diagram: SRX-1, SRX-2 and SRX-3 interconnected by the ae0.0 and ae1.0 trunks; edge ports ge-0/0/5, ge-0/0/7,
    ge-0/0/9, ge-0/0/11, ge-0/0/6 and ge-0/0/8]


    SRX-1 Configurations

    set vlans OPERATIONS vlan-id 20
    set vlans OPERATIONS l3-interface vlan.20
    set vlans SALES vlan-id 10
    set vlans SALES l3-interface vlan.10
    set chassis aggregated-devices ethernet device-count 2
    set interfaces ge-0/0/1 gigether-options 802.3ad ae0
    set interfaces ge-0/0/3 gigether-options 802.3ad ae0
    set interfaces ge-0/0/15 gigether-options 802.3ad ae1
    set interfaces ge-0/0/13 gigether-options 802.3ad ae1
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae0 unit 0 family ethernet-switching vlan members SALES
    set interfaces ae0 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae1 unit 0 family ethernet-switching vlan members SALES
    set interfaces ae1 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces vlan unit 10 family inet address 10.1.1.1/24
    set interfaces vlan unit 20 family inet address 10.1.2.1/24
    set protocols rstp
    set protocols rstp interface ge-0/0/5.0 edge
    set protocols rstp interface ge-0/0/7.0 edge
    set security zones security-zone SALES interfaces vlan.10
    set security zones security-zone OPERATIONS interfaces vlan.20
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match destination-address any
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match application junos-http
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit


    SRX-2 Configurations

    set vlans OPERATIONS vlan-id 20
    set vlans OPERATIONS l3-interface vlan.20
    set vlans SALES vlan-id 10
    set vlans SALES l3-interface vlan.10
    set chassis aggregated-devices ethernet device-count 2
    set interfaces ge-0/0/1 gigether-options 802.3ad ae0
    set interfaces ge-0/0/3 gigether-options 802.3ad ae0
    set interfaces ge-0/0/15 gigether-options 802.3ad ae1
    set interfaces ge-0/0/13 gigether-options 802.3ad ae1
    set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae0 unit 0 family ethernet-switching vlan members SALES
    set interfaces ae0 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae1 unit 0 family ethernet-switching vlan members SALES
    set interfaces ae1 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces vlan unit 10 family inet address 10.1.1.2/24
    set interfaces vlan unit 20 family inet address 10.1.2.2/24
    set protocols rstp bridge-priority 4k
    set protocols rstp interface ge-0/0/9.0 edge
    set protocols rstp interface ge-0/0/11.0 edge
    set security zones security-zone SALES interfaces vlan.10
    set security zones security-zone OPERATIONS interfaces vlan.20
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match destination-address any
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match application junos-http
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit


    SRX-3 Configurations

    set vlans OPERATIONS vlan-id 20
    set vlans OPERATIONS l3-interface vlan.20
    set vlans SALES vlan-id 10
    set vlans SALES l3-interface vlan.10
    set chassis aggregated-devices ethernet device-count 2
    set interfaces ge-0/0/13 gigether-options 802.3ad ae0
    set interfaces ge-0/0/15 gigether-options 802.3ad ae0
    set interfaces ge-0/0/0 gigether-options 802.3ad ae1
    set interfaces ge-0/0/2 gigether-options 802.3ad ae1
    set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae0 unit 0 family ethernet-switching vlan members SALES
    set interfaces ae0 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
    set interfaces ae1 unit 0 family ethernet-switching vlan members SALES
    set interfaces ae1 unit 0 family ethernet-switching vlan members OPERATIONS
    set interfaces vlan unit 10 family inet address 10.1.1.3/24
    set interfaces vlan unit 20 family inet address 10.1.2.3/24
    set protocols rstp
    set protocols rstp interface ge-0/0/6.0 edge
    set protocols rstp interface ge-0/0/8.0 edge
    set security zones security-zone SALES interfaces vlan.10
    set security zones security-zone OPERATIONS interfaces vlan.20
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match destination-address any
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match application junos-http
    set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
    set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit


    Troubleshooting

    SRX-2 is the root switch. All interfaces on the root switch are in the forwarding state.

    regress@SRX-2> show spanning-tree bridge
    STP bridge parameters
    Context ID                          : 0
    Enabled protocol                    : RSTP
      Root ID                           : 4096.00:22:83:99:b0:50
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Message age                       : 0
      Number of topology changes        : 2
      Time since last topology change   : 458 seconds
      Topology change initiator         : ae1.0
      Topology change last recvd. From  : 80:71:1f:a4:2b:01
      Local parameters
        Bridge ID                       : 4096.00:22:83:99:b0:50
        Extended system ID              : 0
        Internal instance ID            : 0

    regress@elanta> show spanning-tree interface
    Spanning tree interface parameters for instance 0
    Interface     Port ID   Designated   Designated           Port   State  Role
                             port ID      bridge ID            Cost
    ae0.0         128:1     128:1        4096.00228399b050    20000  FWD    DESG
    ae1.0         128:2     128:2        4096.00228399b050    10000  FWD    DESG
    ge-0/0/9.0    128:522   128:522      4096.00228399b050    20000  FWD    DESG
    ge-0/0/11.0   128:524   128:524      4096.00228399b050    20000  FWD    DESG

    Note that the root bridge ID is populated on all non-root switches. Also note that the root port is the port that leads
    toward the root switch.

    regress@SRX-1> show spanning-tree bridge
    STP bridge parameters
    Context ID                          : 0
    Enabled protocol                    : RSTP
      Root ID                           : 4096.00:22:83:99:b0:50
      Root cost                         : 10000
      Root port                         : ae0.0
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Message age                       : 1
      Number of topology changes        : 4
      Time since last topology change   : 95 seconds
      Topology change initiator         : ae1.0
      Topology change last recvd. From  : 00:22:83:99:b0:c0
      Local parameters
        Bridge ID                       : 32768.00:1b:c0:53:69:88
        Extended system ID              : 0
        Internal instance ID            : 0


    When there are two redundant links to the root switch, one of them is the root port and the other is the alternate port.

    regress@SRX-3> show spanning-tree interface
    Spanning tree interface parameters for instance 0
    Interface     Port ID   Designated   Designated           Port   State  Role
                             port ID      bridge ID            Cost
    ae0.0         128:1     128:2        32768.001bc0536988   10000  BLK    ALT
    ae1.0         128:2     128:2        4096.00228399b050    10000  FWD    ROOT
    ge-0/0/6.0    128:519   128:519      32768.80711fa42a90   20000  FWD    DESG
    ge-0/0/8.0    128:521   128:521      32768.80711fa42a90   20000  FWD    DESG
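    The bridge outputs above can be compared automatically: every switch should report the same Root ID, that ID should be
    SRX-2's own Bridge ID, and every non-root switch should have a root port. Because the bridge with the lowest priority wins
    the election, a switch whose Root ID no longer matches the intended root is the first sign that another device has taken
    over the tree. The following is an added example (not code from this application note or from Juniper); the excerpts are
    constructed in the layout of "show spanning-tree bridge" using the Root and Bridge IDs shown above.

```python
# Constructed excerpts in the layout of the "show spanning-tree bridge" output
# above. The Root and Bridge IDs are the page's values; the excerpts themselves
# are not the page's output.
SRX2_BRIDGE = """\
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 4096.00:22:83:99:b0:50
  Hello time                        : 2 seconds
  Local parameters
    Bridge ID                       : 4096.00:22:83:99:b0:50
"""
SRX1_BRIDGE = """\
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 4096.00:22:83:99:b0:50
  Root cost                         : 10000
  Root port                         : ae0.0
  Local parameters
    Bridge ID                       : 32768.00:1b:c0:53:69:88
"""
# Constructed: what SRX-1 would report if a bridge with priority 0 (lower, and
# therefore better, than SRX-2's 4096) had won the root election. The MAC
# 00:00:5e:00:53:01 is from the IANA documentation range.
ROGUE_ROOT_SEEN = SRX1_BRIDGE.replace("4096.00:22:83:99:b0:50", "0.00:00:5e:00:53:01")

INTENDED_ROOT = "4096.00:22:83:99:b0:50"  # SRX-2's Bridge ID from the output above


def parse_bridge(text):
    """Turn the 'name : value' lines of show spanning-tree bridge into a dict.
    Splitting on the first colon keeps MAC-bearing values such as the Root ID intact."""
    params = {}
    for line in text.splitlines():
        if ":" in line:
            name, _, value = line.partition(":")
            params[name.strip()] = value.strip()
    return params


def check_root(reports, intended_root=INTENDED_ROOT):
    """reports maps hostname -> show spanning-tree bridge text. Returns one finding
    per device whose view of the tree disagrees with the intended root bridge."""
    findings = []
    for host, text in sorted(reports.items()):
        p = parse_bridge(text)
        root, bridge = p.get("Root ID"), p.get("Bridge ID")
        if root != intended_root:
            findings.append(f"{host}: root bridge is {root}, expected {intended_root}")
        if bridge == intended_root and "Root port" in p:
            findings.append(f"{host}: intended root has a root port ({p['Root port']})")
        if bridge != intended_root and "Root port" not in p:
            findings.append(f"{host}: non-root bridge has no root port")
    return findings
```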

    IEEE 802.1x Authentication

    In this example, 802.1x is enabled on interface ge-0/0/5. Unless the credentials of the user connected to the interface
    are verified, the user is unable to access any of the network resources connected to this device.

    Figure 19: IEEE 802.1x authentication

    The RADIUS server must be reachable from the switch, and it must be configured with the supplicant's username and
    password. No authentication is performed on the static MAC address configured under [edit protocols dot1x static].

    [Figure 19 diagram: supplicants on ge-0/0/5, RADIUS server 181.181.16.2 reached through ge-0/0/0, network resources on
    ge-0/0/11]

    set interfaces ge-0/0/0 unit 0 family inet address 181.181.16.1/24
    set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members SALES
    set protocols dot1x authenticator authentication-profile-name test
    set protocols dot1x authenticator static 00:11:22:33:55:66/48
    set protocols dot1x authenticator interface ge-0/0/12.0 supplicant multiple
    set access radius-server 181.181.16.2 secret $9$K76WX-YgJHqfVwqfTzCAvWL
    set access profile test authentication-order radius


    Troubleshooting

    regress@SRX-1# run show dot1x interface
    802.1X Information:
    Interface     Role           State          MAC address        User
    ge-0/0/12.0   Authenticator  Connecting

    regress@SRX-1# run show dot1x interface
    802.1X Information:
    Interface     Role           State          MAC address        User
    ge-0/0/12.0   Authenticator  Authenticated  00:00:00:80:00:01  user1

    regress@SRX-1# run show dot1x authentication-bypassed-users
    MAC address        Interface     VLAN
    00:11:22:33:55:66  ge-0/0/12.0   configured/default

    Multicast Snooping with IGMP Snooping Protocol

    This example configures IGMP snooping on J Series and SRX Series devices to regulate multicast traffic on a device.
    A multicast receiver is connected to interface ge-0/0/9, and interface ge-0/0/2 is connected to the PIM/IGMP router
    from which multicast data packets are sent.

    set vlans SALES vlan-id 10

    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members SALES
    set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
    set protocols igmp-snooping vlan SALES

    Figure 20: Multicast snooping with IGMP snooping

    Troubleshooting

    Make sure that the uplink interface (ge-0/0/2) is identified as a multicast router interface. Otherwise, the received join
    messages cannot be forwarded to the PIM/IGMP router.

    [Figure 20 diagram: multicast source behind the PIM/IGMP router on ge-0/0/2; multicast receiver on ge-0/0/9]

    regress@SRX-1# run show igmp-snooping membership detail
    VLAN: SALES  Tag: 10 (Index: 2)
        Router interfaces:
            ge-0/0/2.0  dynamic  Uptime: 00:04:48  timeout: 219
        Group: 230.5.5.5
            ge-0/0/9.0  timeout: 233  Last reporter: 23.23.23.2  Receiver count: 1, Flags:
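    The check in the troubleshooting note above (is the uplink learned as a multicast router interface?) can be scripted over
    the membership output. The following is an added example (not code from this application note or from Juniper); it parses
    a constructed sample in the layout of "show igmp-snooping membership detail" and flags a VLAN whose expected router port is
    missing.

```python
import re

# Constructed sample in the layout of the "show igmp-snooping membership detail"
# output above (the page's interface names, VLAN and group; not the page's output).
SAMPLE_MEMBERSHIP = """\
VLAN: SALES  Tag: 10 (Index: 2)
    Router interfaces:
        ge-0/0/2.0  dynamic  Uptime: 00:04:48  timeout: 219
    Group: 230.5.5.5
        ge-0/0/9.0  timeout: 233  Last reporter: 23.23.23.2  Receiver count: 1, Flags:
"""


def parse_membership(text):
    """Map VLAN -> {"routers": [ifaces], "groups": {group: [receiver ifaces]}}."""
    vlans, cur, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"VLAN:\s+(\S+)", line)
        if m:
            cur = vlans.setdefault(m.group(1), {"routers": [], "groups": {}})
            section = None
            continue
        if cur is None:
            continue
        if line.startswith("Router interfaces:"):
            section = cur["routers"]
            continue
        m = re.match(r"Group:\s+(\S+)", line)
        if m:
            section = cur["groups"].setdefault(m.group(1), [])
            continue
        m = re.match(r"(\S+\.\d+)\s", line)  # an interface line such as ge-0/0/2.0
        if m and section is not None:
            section.append(m.group(1))
    return vlans


def snooping_problems(text, vlan, uplink):
    """Flag the condition the text warns about: the uplink toward the PIM/IGMP
    router is not learned as a multicast router interface, so joins have nowhere
    to go. Also flags groups that no longer have any receiver interface."""
    v = parse_membership(text).get(vlan)
    if v is None:
        return [f"{vlan}: no IGMP snooping state"]
    problems = []
    if uplink not in v["routers"]:
        problems.append(f"{vlan}: {uplink} is not a multicast router interface")
    for group, ifaces in sorted(v["groups"].items()):
        if not ifaces:
            problems.append(f"{vlan}: group {group} has no receiver interfaces")
    return problems
```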


    802.1q Tunneling (Q-in-Q Tunneling)

    This example shows that the 802.1q tunneling feature of the J Series and branch SRX Series devices can be used as a
    provider edge (PE) feature in service provider networks.

    Figure 21: 802.1q tunneling

    Interfaces ge-0/0/4 of SRX-1 and ge-0/0/12 of SRX-2 are connected to end customer devices, and ge-0/0/8 on both devices
    is connected to a service provider network.

    SRX-1 Configurations


    set vlans SERVICE_PROVIDER vlan-id 100

    set vlans SERVICE_PROVIDER dot1q-tunneling
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members SERVICE_PROVIDER
    set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members SERVICE_PROVIDER

    SRX-2 Configurations

    set vlans SERVICE_PROVIDER vlan-id 100
    set vlans SERVICE_PROVIDER dot1q-tunneling
    set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members SERVICE_PROVIDER

    set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members SERVICE_PROVIDER


    Copyright 2011 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos,
    NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
    countries. All other trademarks, service marks, registered marks, or registered service marks are the property of
    their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper


    Troubleshooting

    regress@SRX-1# run show vlans detail
    VLAN: SERVICE_PROVIDER, 802.1Q Tag: 100, Admin State: Enabled
    Dot1q Tunneling status: Enabled
    Number of interfaces: 2 (Active = 2)
      Untagged interfaces: ge-0/0/4.0*
      Tagged interfaces: ge-0/0/8.0*

    VLAN: default, 802.1Q Tag: 1, Admin State: Enabled

    About Juniper Networks

    Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud
    providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics
    of networking. The company serves customers and partners worldwide. Additional information can be found at
    www.juniper.net.