7/27/2019 Switching on SRX
APPLICATION NOTE
Copyright 2011, Juniper Networks, Inc.
J SERIES AND BRANCH SRX SERIES ETHERNET SWITCHING CONFIGURATION GUIDE
Table of Contents
Introduction
Scope
Software Scope
Limitations in Ethernet Switching Implementation
Life of Packet in Ethernet Switching
Junos OS Release 10.2 Ethernet Switching Configuration Scenarios
Enabling Ethernet Switching on the J Series
Enabling Ethernet Switching on Branch SRX Series
Configuring Layer 2 Switching
Configuring VLAN
Attaching Switch Ports to VLANs
Extending Broadcast Domains and Configuring Tagged Interfaces
Configuring Routed VLAN Interface (Integrated Routing and Bridging)
Configuring Link Aggregation
Configuring Spanning Tree Protocol
  Spanning Tree Protocol (IEEE 802.1D)
  Rapid Spanning Tree Protocol (IEEE 802.1w)
  Multiple Spanning Tree Protocol
Configuring IEEE 802.1x Authentication
Configuring IGMP Snooping
Configuring 802.1q Tunneling
Configuring Link Layer Discovery Protocol (LLDP) and LLDP-MED
J Series and Branch SRX Series Ethernet Switching Configuration Examples
Simple Ethernet Switching
  Troubleshooting
Adding VLANs
  Troubleshooting
Routing Traffic Between VLANs
  Troubleshooting
Adding Tagged Interface
  Troubleshooting
Increasing Capacity with Link Aggregation
  Troubleshooting
Loop Avoidance with STP
  Troubleshooting
IEEE 802.1x Authentication
  Troubleshooting
Multicast Snooping with IGMP Snooping Protocol
  Troubleshooting
802.1q Tunneling (Q-in-Q Tunneling)
  Troubleshooting
About Juniper Networks
Table of Figures
Figure 1: Life of packet in Ethernet switching
Figure 2: Supported VLAN range on J Series and branch SRX Series
Figure 3: Trunk and access ports
Figure 4: Intra-VLAN and inter-VLAN packet forwarding
Figure 5: Link aggregation
Figure 6: Spanning Tree Protocol
Figure 7: Rapid Spanning Tree Protocol
Figure 8: Multiple Spanning Tree Protocol
Figure 9: IEEE 802.1x authentication
Figure 10: IGMP snooping
Figure 11: Q-in-Q tunneling
Figure 12: LLDP and LLDP-MED
Figure 13: Simple Ethernet switching
Figure 14: Ethernet switching with multiple VLANs
Figure 15: Inter-VLAN forwarding
Figure 16: Trunk port (for adding tagged interface)
Figure 17: Link aggregation
Figure 18: Loop avoidance with STP
Figure 19: IEEE 802.1x authentication
Figure 20: Multicast snooping with IGMP snooping
Figure 21: 802.1q tunneling
Introduction
Juniper Networks SRX Series Services Gateways for the branch and J Series Services Routers enable the enterprise to provide services without boundaries. The SRX Series products provide a comprehensive suite of Ethernet switching functionality. Ethernet switching features eliminate the need for Layer 2 switches in small branch offices and act as an aggregate switch in medium-sized branch offices.
Juniper Networks Junos operating system Release 9.2 for J Series routers introduces Ethernet switching features, integrated routing and bridging, and support for several Layer 2 protocols. These features have been present in branch SRX Series Services Gateways since their release.
Scope
This application note provides an overview of the Junos OS Layer 2 features for J Series and branch SRX Series Services Gateways. It describes common deployment scenarios, with detailed configurations. SRX Series data center products (SRX1400, SRX3000 line and SRX5000 line) do not support Ethernet switching functionality. All features discussed in this document reference SRX Series Services Gateways for the branch (Juniper Networks SRX100 Series Services Gateways, SRX200 Series Services Gateways, and SRX650 Services Gateway). All features and configurations discussed in this document are based on standalone deployment of J Series and branch SRX Series Services Gateways. Please refer to the SRX technical documentation for Ethernet switching features in an SRX chassis cluster environment.
The Ethernet switching features are limited by both hardware and software. The scope is defined in the following section.
Table 1: Hardware Scope
Platform   On-board   uPIM   MPIM   XPIM
J2320      No         Yes    No     No
J2350      No         Yes    No     No
J4350      No         Yes    No     No
J6350      No         Yes    No     No
SRX100     Yes        No     No     No
SRX110     Yes        No     No     No
SRX210     Yes        No     No*    No
SRX220     Yes        No     No*    No
SRX240     Yes        No     No*    No
SRX650     No         No     No     Yes**
* Ethernet switching support is planned for a future release for the 1 Gigabit Ethernet SFP MPIM on the SRX210 and SRX240.
** As of Junos OS Release 10.2, Ethernet switching is not supported on the 10GbE XPIM.
Software Scope
Ethernet switching on the J Series and branch SRX Series is based on Juniper Networks EX Series Ethernet Switches functionality. As of Junos OS Release 11.2, the J Series and branch SRX Series support the following:
- Layer 2 switching of traffic, including support for both trunk and access ports
- Routed VLAN interface (for integrated routing and bridging)
- Spanning Tree Protocol (STP)
- Rapid Spanning Tree Protocol (RSTP)
- Multiple Spanning Tree Protocol (MSTP)
- Link aggregation, both static and using Link Aggregation Control Protocol (LACP)
- GARP VLAN Registration Protocol (GVRP)
- IEEE 802.1x authentication
  - Single/single-secure/multiple supplicant modes
  - Dynamic VLAN assignment
  - Guest VLAN and server-reject VLANs
  - RADIUS server failure conditions
  - MAC authentication
  - Authentication bypass
  - VoIP VLAN
- IGMP snooping
- IEEE 802.1ad dot1q tunneling (Q-in-Q)
- Link Layer Discovery Protocol (LLDP)
Limitations in Ethernet Switching Implementation
As of Junos OS Release 11.2, the following EX Series functionality is not supported on the J Series and branch SRX Series. Additionally, future features added to EX Series platforms are not expected to be automatically ported to the J Series and branch SRX Series.
- Layer 2 access control lists (ACLs)
- Quality of service (QoS) for switching ports
- SNMP MIB support (for the new Layer 2 features)
- Virtual chassis
- Port security
- L2 CoS functionality
On J Series platforms, Ethernet switching is supported on only one universal PIM (uPIM) per J Series chassis.
MSTP is not supported on the SRX210.
The IGMP snooping and Q-in-Q features are not available for the SRX100.
The J Series and SRX100 do not support advanced 802.1x features such as dynamic VLAN, guest VLAN, server-reject VLAN, server fail operations, and VoIP VLAN. However, RADIUS accounting and MAC authentication are available for the SRX100.
Advanced Q-in-Q features such as push, customer bundling, etc. are only supported on the SRX650.
Only SRX Series Services Gateways for the branch support Ethernet switching features in a chassis cluster environment. This document discusses Ethernet switching features on standalone deployments. For Ethernet switching in a chassis cluster environment, please refer to the SRX technical documentation.
Most of the limitations discussed in this section are expected to be fixed in later Junos OS releases. Please refer to the Future Support Reference for more information.
Life of Packet in Ethernet Switching
Figure 1: Life of packet in Ethernet switching
[Figure 1 diagram labels: the Ethernet switch chip performs the forwarding lookup. Intra-VLAN traffic (1, traffic between two ports of the same VLAN) stays in the chip. Inter-VLAN traffic (2A to 2D, traffic between two different VLANs) is passed through the flow module: screens, per-packet policer, per-packet filter, match session? (no: static NAT, destination NAT, route, zones, policy, reverse static NAT, source NAT, services/ALG; yes: TCP, NAT, services/ALG), session, per-packet shaper.]
1. Intra-VLAN traffic: Once interfaces are configured in the same VLAN through the CLI or Juniper Networks J-Web Software, the Ethernet switch chip is programmed accordingly, and MAC learning and STP states are maintained at the chip. Packets in the same VLAN are switched internally at the Ethernet switch chip. They do not go through the flow architecture, and none of the security features are applied to this traffic.
2. Inter-VLAN traffic: Packets for different VLANs are routed/forwarded through the flow architecture.
2A. Incoming traffic is classified according to the port-based VLAN.
2B. The destination MAC address of inter-VLAN traffic is matched with the routed VLAN interface at the Ethernet switch chip, and all these packets are sent to the flow module for further processing.
2C. In the flow module, inter-VLAN traffic goes through all security checks and is routed to a different VLAN.
2D. Routed traffic is sent back to the Ethernet switch chip, which further sends out the packets through the interface of the destination VLAN.
Junos OS Release 11.2 Ethernet Switching Configuration Scenarios
This section discusses several deployment scenarios and their associated configurations.
Enabling Ethernet Switching on the J Series
The J Series platform supports two different modes of switching. Plain switching is the legacy bridge mode of operation, wherein a uPIM is treated as a bridge and all its Ethernet ports are part of this bridge. None of the features discussed in this document are supported in this mode, and the details of this mode are beyond the scope of this document. Enhanced switching mode converts a uPIM on the J Series into a modern L2 switch. All protocols and features discussed in this document are applicable to this mode. Enhanced switching is configured under the [chassis fpc pic ethernet] level of the configuration hierarchy. For example, the following configuration enables a PIM in slot 6:
chassis {
    fpc 6 {
        pic 0 {
            ethernet {
                pic-mode enhanced-switching;
            }
        }
    }
}
Note: In the current implementation, only one universal PIM per chassis can be configured with enhanced switching.
Enabling Ethernet Switching on Branch SRX Series
The Ethernet switching feature is enabled by default on branch SRX Series platforms. There are no explicit configurations required to enable it.
Configuring Layer 2 Switching
Physical interfaces can operate in several modes. When an interface is configured with a Layer 3 address (such as an IPv4, IPv6, or ISO address), the interface routes traffic based on the destination address of each packet. If an interface is not given a Layer 3 address but is configured as part of the Ethernet switching protocol family, the interface forwards traffic based on the link layer destination address. The following configuration defines an interface as a switching port (note that the Layer 2 configuration is limited to unit 0 of an interface):
interfaces {
    ge-<slot>/0/<port> {
        unit 0 {
            family ethernet-switching;
        }
    }
}
Configuring VLANs
As in most modern switches, broadcast domains can be segmented using virtual LANs or VLANs, an approach that allows device segmentation by assigning ports to different broadcast domains. Traffic can be forwarded between member interfaces of the same VLAN, but not between interfaces that belong to different VLANs, effectively allowing the same physical device to be shared between different non-connected networks (a later section of this document describes how to forward traffic between different VLANs).
By default, all switching-enabled ports form part of the same broadcast domain. If an interface is enabled for Layer 2 switching but not associated with any VLAN, it becomes part of the default VLAN (VLAN ID 1 in the J Series and SRX Series). To configure a new domain, a VLAN has to be defined under the [vlans] hierarchy and given a unique identifier (VLAN ID).
vlans {
    <vlan-name> {
        vlan-id <vlan-id>;
    }
}
Please note the following limitation in the J Series and branch SRX Series devices for using VLAN IDs.
Table 2: Supported VLAN Range on J Series and branch SRX Series
Platform   Supported VLAN range
J Series   1-4094
SRX100     1-4094
SRX110     1-4094
SRX210     1-4094*
SRX220     1-4094*
SRX240     1-3967
SRX650     1-3967
* VLAN 4093 is reserved for internal purposes in the SRX200 line.
Attaching Switch Ports to VLANs
Additionally, you can specify which interfaces are part of the newly created VLAN. There are two ways to allocate interfaces. (These ways are identical from a functional point of view; it is up to you to choose the method you prefer.)
The first way, under the [interfaces <interface-name> unit 0 family ethernet-switching] hierarchy, is to declare the VLAN as part of an interface configuration.
interfaces {
    ge-<slot>/0/<port> {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members <vlan-name>;
                }
            }
        }
    }
}
The second way, under the [vlans <vlan-name> interface] hierarchy, is to define the VLAN member interfaces.
vlans {
    <vlan-name> {
        interface <interface-name-1>.0;
        interface <interface-name-2>.0;
    }
}
Extending Broadcast Domains and Configuring Tagged Interfaces
Modern switching networks can be large enough to require the use of multiple switches (some require a tiered approach, with many switching layers). When multiple bridging domains span more than one switching device, it is convenient to allow traffic from many domains to be forwarded through the same link, while still separating the traffic from different domains. VLAN tagging (IEEE 802.1q) provides this functionality by extending the Ethernet header with a VLAN identifier (a 12-bit value) used to differentiate traffic from different VLANs. VLAN tagging reduces the number of interfaces needed to connect devices because a single interface can then carry traffic from multiple domains. Switching interfaces that carry tagged traffic are referred to as trunk ports. An interface is called an access port when it carries single-VLAN untagged traffic. An access port cannot be part of multiple VLANs.
interfaces {
    ge-*/*/* {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ <vlan-name-1> <vlan-name-2> ];
                }
            }
        }
    }
}
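The trunk/access behaviour described above, together with steps 1, 2A and 2B of the life-of-packet section, as an added Python example that is not code from the application note or from Junos OS: it parses the 802.1Q tag (3-bit PCP, 1-bit DEI, 12-bit VID) out of a raw Ethernet frame, decides which VLAN an access or trunk port assigns the frame to, and then decides whether the frame stays on the switch chip (intra-VLAN, no security policy applied) or is handed to the flow module because its destination MAC is the routed VLAN interface. It goes slightly beyond the text by also walking a Q-in-Q double tag. The MAC addresses, VLAN numbers, port definitions and the RVI MAC are all constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # C-TAG: the IEEE 802.1Q customer VLAN tag
TPID_8021AD = 0x88A8  # S-TAG: the IEEE 802.1ad service tag used by Q-in-Q
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, its VLAN tags (outermost first) and
    the payload EtherType.  Each 16-bit TCI is split into PCP (3 bits), DEI (1 bit)
    and the 12-bit VID the note describes."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in TAG_TPIDS:
            break
        if len(frame) < offset + 6:          # TCI plus the next EtherType must fit
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def build_frame(dst: bytes, src: bytes, vids=(), pcp=0,
                ethertype=0x0800, payload=b"") -> bytes:
    """Build a frame with no tag, one 802.1Q tag, or a Q-in-Q pair (S-TAG then C-TAG)."""
    hdr = dst + src
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (len(vids) > 1 and i == 0) else TPID_8021Q
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def ingress_vlan(port: dict, frame: bytes):
    """VLAN the port assigns to an incoming frame, or None when the frame is dropped.
    port is {"mode": "access", "vlan": 10} or {"mode": "trunk", "members": {10, 20}}."""
    tags = parse_frame(frame)["tags"]
    outer_vid = tags[0]["vid"] if tags else None
    if port["mode"] == "access":
        # an access port carries the untagged traffic of exactly one VLAN; VID 0 is
        # a priority tag and counts as untagged, any other tag does not belong here
        return port["vlan"] if outer_vid in (None, 0) else None
    # a trunk accepts only tagged frames whose VID is one of its members
    # (VID 0 and 4095 are reserved by 802.1Q and never identify a VLAN)
    if outer_vid in (None, 0, 0xFFF) or outer_vid not in port["members"]:
        return None
    return outer_vid


def forwarding_path(port: dict, frame: bytes, rvi_mac: dict) -> str:
    """Steps 1, 2A and 2B of the life of packet: a frame addressed to the routed VLAN
    interface of its VLAN goes to the flow module ("flow", where zones and security
    policies apply); any other frame is switched on the chip ("switched") with no
    security check at all."""
    vid = ingress_vlan(port, frame)
    if vid is None:
        return "dropped"
    if rvi_mac.get(vid) == parse_frame(frame)["dst"]:
        return "flow"
    return "switched"


# constructed sample data: documentation MAC range 00:00:5e:00:53:xx, not real devices
HOST_A = bytes.fromhex("00005e00530a")
HOST_B = bytes.fromhex("00005e00530b")
RVI_MAC = bytes.fromhex("00005e0053ff")          # hypothetical MAC of the vlan.* units
RVI_BY_VLAN = {10: RVI_MAC, 20: RVI_MAC}
ACCESS_10 = {"mode": "access", "vlan": 10}
TRUNK_10_20 = {"mode": "trunk", "members": {10, 20}}

if __name__ == "__main__":
    for name, port, frame in [
        ("untagged on access port", ACCESS_10, build_frame(HOST_B, HOST_A)),
        ("tagged VLAN 10 on trunk", TRUNK_10_20, build_frame(HOST_B, HOST_A, (10,))),
        ("to RVI on trunk", TRUNK_10_20, build_frame(RVI_MAC, HOST_A, (20,))),
        ("tagged on access port", ACCESS_10, build_frame(HOST_B, HOST_A, (10,))),
    ]:
        print(f"{name}: {forwarding_path(port, frame, RVI_BY_VLAN)}")
```

The point the model makes concrete is the one the life-of-packet section states: only frames that return "flow" ever reach zones and security policies, so anything two hosts in the same VLAN exchange is invisible to the SRX policy engine and must be controlled, if at all, by VLAN design.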
Figure 2: VLAN tagging
[Figure 2 diagram labels: J Series/Branch SRX Series; VLAN Orange; VLAN Blue.]
By default, all switching interfaces are access ports. An interface can be configured as a trunk port by simply setting the port-mode value to trunk under [family ethernet-switching]. As shown in Figure 1, a trunk port can then be defined as part of multiple VLANs, which allows a switching port defined as a trunk port to be associated with more than one VLAN. Traffic forwarded from a trunk port is tagged using the VLAN ID of the originating VLAN, while received traffic is forwarded to the appropriate VLAN for distribution.
Figure 3: Trunk and access ports
[Figure 3 diagram labels: J Series/Branch SRX Series, Layer 2; ge-4/0/0 trunk; ge-4/0/1, ge-4/0/2 and ge-4/0/3 access; VLAN Orange, VLAN Blue, VLAN Red; intra-VLAN traffic locally switched in the uPIM.]
Configuring Routed VLAN Interface (Integrated Routing and Bridging)
As previously discussed, traffic can be forwarded between member interfaces of the same VLAN, but not between interfaces that belong to different VLANs. Traffic inside the same VLAN is switched, and traffic across different VLANs is routed. Hence, Layer 3 devices or interfaces are needed to forward traffic from one VLAN to another VLAN. The J Series and SRX Series provide logical Layer 3 interfaces called routed VLAN interfaces (or integrated routing and bridging) for this purpose. Each VLAN domain is tied to one of the logical routed VLAN interfaces. This scenario is equivalent to placing a switch in front of a router. Traffic that is not destined for the router is switched based on the Layer 2 information, and traffic that reaches the router is forwarded based on the Layer 3 information. As different VLAN domains can have unique Layer 3 addresses, traffic between VLAN domains can then be routed by Junos OS software, provided that security policies allow it.
Figure 4: Intra-VLAN and inter-VLAN packet forwarding
[Figure 4 diagram labels: Layer 2: ge-4/0/0 trunk; ge-4/0/1, ge-4/0/2 and ge-4/0/3 access; VLAN Orange, VLAN Blue, VLAN Red; intra-VLAN traffic locally switched in the uPIM. Layer 3: interface vlan.0, interface vlan.1, interface vlan.2 on the Junos OS fwdd; inter-VLAN routed traffic sent to fwdd.]
A logical Layer 3 interface or routed VLAN interface can be created under the [interfaces vlan] hierarchy. After the logical interface is created, it must be associated with a particular VLAN using the l3-interface keyword.
interfaces {
    vlan {
        unit <unit-number> {
            family inet {
                address <ip-address>/<prefix-length>;
            }
        }
    }
}
vlans {
    <vlan-name> {
        l3-interface vlan.<unit-number>;
    }
}
Routed VLAN interfaces are no different from any other Layer 3 interfaces in Junos OS and thus require the same configuration. In particular, these interfaces have to be assigned to a security zone, and security policies have to explicitly allow traffic to be forwarded between these interfaces and any other configured Layer 3 interfaces.
Configuring Link Aggregation
When connecting two switches together, it is sometimes advantageous to use two or more parallel connections, normally to provide redundancy. It is also desirable to increase bandwidth between switches. The challenge is that Layer 2 networks have to be loop free, and loop avoidance protocols such as Spanning Tree Protocol (and all its variations and extensions such as RSTP and MSTP) deactivate all but one of these parallel connections, allowing parallel connections to solve the redundancy problem, but not the bandwidth limitation.
The solution to this problem is to use link aggregation, which defines how to load-balance traffic across multiple links (while guaranteeing that packets from a given flow are not reordered). The physical interfaces that form part of a link aggregation group can be statically configured or negotiated between endpoints using LACP (specified in IEEE 802.3ad). Endpoints are normally switches, but they can be servers with multiple network interface cards or NICs.
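The two properties the paragraph above attributes to link aggregation, load-balancing across member links without reordering a flow and (from the minimum-links description that follows) a bundle that is only up while enough members are active, as an added Python model that is not code from the application note and does not reproduce the hashing Junos actually uses. Flows are pinned to a member by hashing the 5-tuple; when a member fails, only the flows that were on it are re-hashed, so surviving flows keep their link and their packet order. The link names, addresses and port numbers are constructed.

```python
import struct
import zlib


def flow_key(src_ip: str, dst_ip: str, proto: int, src_port: int, dst_port: int) -> bytes:
    """Pack the 5-tuple so that every packet of one flow produces the same key."""
    def ip_bytes(addr: str) -> bytes:
        return bytes(int(octet) for octet in addr.split("."))
    return ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BHH", proto, src_port, dst_port)


class Bundle:
    """Toy model of an aggregated Ethernet (ae) bundle.  Each flow is hashed to one
    member link, so its packets never take two paths and cannot be reordered; the
    bundle counts as up only while at least minimum_links members are active."""

    def __init__(self, members, minimum_links: int = 1):
        if not 1 <= len(members) <= 8:          # the note allows up to eight links per AE
            raise ValueError("an AE bundle holds between 1 and 8 member links")
        if not 1 <= minimum_links <= len(members):
            raise ValueError("minimum-links must be between 1 and the member count")
        self.members = list(members)
        self.active = set(members)
        self.minimum_links = minimum_links

    def is_up(self) -> bool:
        return len(self.active) >= self.minimum_links

    def link_down(self, name: str) -> None:
        self.active.discard(name)

    def link_up(self, name: str) -> None:
        if name in self.members:
            self.active.add(name)

    def select_link(self, key: bytes):
        """Member link carrying this flow, or None while the bundle is down."""
        if not self.is_up():
            return None
        h = zlib.crc32(key)
        primary = self.members[h % len(self.members)]
        if primary in self.active:
            return primary
        # failover: only flows whose primary link failed are re-hashed over the
        # survivors, so flows on healthy links keep their link (and their order)
        survivors = sorted(self.active)
        return survivors[h % len(survivors)]


def distribute(bundle: Bundle, keys) -> dict:
    """Count how many of the given flows land on each member link."""
    counts = {m: 0 for m in bundle.members}
    for key in keys:
        link = bundle.select_link(key)
        if link is not None:
            counts[link] += 1
    return counts


# constructed sample: 64 TCP flows from one client to one server, differing only in source port
SAMPLE_FLOWS = [flow_key("192.0.2.10", "198.51.100.20", 6, port, 443)
                for port in range(40000, 40064)]

if __name__ == "__main__":
    ae0 = Bundle(["ge-0/0/0", "ge-0/0/1", "ge-0/0/2", "ge-0/0/3"], minimum_links=2)
    print("all links up:", distribute(ae0, SAMPLE_FLOWS))
    ae0.link_down("ge-0/0/1")
    print("ge-0/0/1 down:", distribute(ae0, SAMPLE_FLOWS))
```

Because a single flow never spreads over more than one member, one large flow cannot exceed the speed of one link; the bundle raises aggregate capacity across many flows, which is exactly the trade-off the note describes.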
Figure 5: Link aggregation
[Figure 5 diagram labels: two J Series/Branch SRX Series devices, each with VLAN Orange and VLAN Blue; trunk port ae0.0.]
To configure link aggregation, first create an aggregate interface by defining the number of aggregated interfaces in the system, and then associate all the physical interfaces that are part of the aggregate bundle with one of the newly created aggregated interfaces.
chassis {
    aggregated-devices {
        ethernet {
            device-count <count>;
        }
    }
}
The aggregate device count refers to the total number of aggregated interfaces in the system and not to the number of physical interfaces per aggregate bundle.
This configuration creates aggregate interfaces named ae0 to ae<count-1>. After these interfaces are created, you have to associate physical interfaces with them, which you do under the gigether-options hierarchy.
interfaces {
    <interface-name> {
        gigether-options {
            802.3ad <aggregated-interface-name>;
        }
    }
}
LACP is not required, but if configured, it enables automatic traffic switchover when one or more links fail. It also prevents common misconfiguration errors by confirming that both devices are set up for link aggregation. LACP can be enabled under the aggregated-ether-options section of the aggregated interface (make sure that at least one of the endpoints is configured as active, as a passive endpoint does not initiate the LACP PDU exchange). The link-speed option under aggregated-ether-options specifies the link speed of each member interface that joins the bundle, and the minimum-links keyword specifies the minimum number of active links required for the bundle to be considered up. The default value of minimum-links is 1 for the J Series and branch SRX Series devices. A maximum of eight links can be bundled in a single AE (LAG) interface.
interfaces {
    <aggregated-interface-name> {
        aggregated-ether-options {
            link-speed [100m|1g];
            minimum-links <number>;
            lacp {
                active|passive;
            }
        }
    }
}
After a bundle interface is created, it can be configured just like any other interface. For example, you can enable switching, add the interface to a VLAN (or a group of VLANs), and enable VLAN tagging.
Configuring Spanning Tree Protocol
Layer 2 switching networks tend to create loops in the network when there are redundant paths available between the source and destination. When such loops are created, a single packet can cause enormous traffic and easily bring down an entire Layer 2 network. J Series Services Routers and SRX Series Services Gateways provide loop prevention in Layer 2 switching networks using STP, RSTP, and MSTP. A loop-free network in spanning-tree topologies is created through the exchange of a special type of frame called a bridge protocol data unit (BPDU). Peer STP applications running on the switch interfaces use BPDUs to communicate. Ultimately, the exchange of BPDUs determines which interfaces block traffic (preventing loops) and which interfaces forward traffic.
STP uses the information provided by the BPDUs to elect a root bridge/switch, identify root ports for each switch, identify designated ports for each physical LAN segment, and prune specific redundant links to create a loop-free tree topology. All leaf devices calculate the best path to the root device and place their ports in blocking or forwarding states based on the best path to the root. The resulting tree topology provides a single active Layer 2 data path between any two end stations.
Spanning Tree Protocol (IEEE 802.1D)
STP is a legacy protocol defined in the IEEE 802.1D standard. STP is configured under the [edit protocols] hierarchy.
Figure 6: Spanning Tree Protocol
[Figure 6 diagram labels: Designated/Forwarding, Root Port/Forwarding, Alternative/Blocked.]
protocols {
    stp {
        bridge-priority <priority>;
        interface <interface-name> {
            cost <cost>;
        }
    }
}
Junos OS provides a number of options to control the Spanning Tree Protocol. The bridge priority of the L2 switches determines which switch becomes the root of the network (the switch with the lowest priority is elected as the root of the topology). It is also an important parameter in determining the root port (the interface that connects to the root of the topology). In Junos OS, bridge priority can be configured under [protocols stp] with the keyword bridge-priority, with a value in multiples of 4k, starting with 0 up to 60k. The default bridge priority value is 32k. Another important parameter that controls the Spanning Tree Protocol is link cost. Link costs are dependent upon interface speed, but link costs can be overridden with configuration under [protocols stp interface
Rapid Spanning Tree Protocol (IEEE 802.1w)
The legacy Spanning Tree Protocol is slow to converge on a loop-free topology: it takes around 30 to 50 seconds to converge and begin forwarding data. Topology-change propagation in STP also depends largely on the root bridge/switch. Rapid Spanning Tree Protocol (RSTP) is the newer IEEE standard defined to overcome these limitations. RSTP uses a proposal/agreement handshake between neighbors instead of the timers used by STP, and it does not depend on the root bridge/switch to propagate topology changes through the network. It also introduces two new port roles, alternate and backup ports, which are pre-computed redundant links for the root port and a designated port, respectively. When a link fails, the alternate or backup port takes over immediately. RSTP is configured as follows:

protocols {
    rstp {
        bridge-priority <priority>;
        interface <interface-name> {
            cost <cost>;
        }
        interface <interface-name> {
            edge;
        }
    }
}

Figure 7: Rapid Spanning Tree Protocol
There is no difference between STP and RSTP in terms of configuration. RSTP provides the same bridge-priority and interface cost options to control the tree topology. One important feature that RSTP adds is the edge port. When an interface is configured as an edge port, it transitions to forwarding immediately, and topology changes elsewhere in the network do not affect it. This configuration is intended for interfaces that connect end hosts. To guard against misconfiguration (for example, a switch plugged into a port declared as edge), an edge port loses its edge status and starts participating in the spanning-tree state machine as soon as it receives a BPDU. The edge port is configured under the [protocols rstp interface <interface-name>] hierarchy.
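The following RSTP configuration is an added example, not part of the original application note, showing how a practitioner pins the election and protects the edge rather than relying on defaults. The intended root (SRX-2) gets priority 4k and a designated backup root (SRX-1) 8k, so the root does not fall to whichever switch happens to have the lowest MAC address; the root's own inter-switch ports are marked no-root-port so no neighbor can take the root role away from it, and host-facing ports are edge ports that are shut if a BPDU ever arrives on them. The interface names, the 4k/8k split and the cost value are assumptions, and the no-root-port and bpdu-block-on-edge statements are EX Series syntax assumed to be available on this release.

```junos
## --- On SRX-2, the intended root: lowest priority wins the election ---
set protocols rstp bridge-priority 4k
## The root's designated ports toward the other switches never accept a
## superior BPDU (root protection); assumed interface names
set protocols rstp interface ae0.0 no-root-port
set protocols rstp interface ae1.0 no-root-port

## --- On SRX-1, the backup root: takes over only if SRX-2 disappears ---
## (these lines belong on SRX-1, not on SRX-2)
set protocols rstp bridge-priority 8k

## --- On every switch ---
## Make a single-link path less attractive than the aggregated uplink
## (assumed interface; the RSTP default cost of a 1 Gbps link is 20000)
set protocols rstp interface ge-0/0/13.0 cost 40000

## Host-facing ports: forward immediately, and if a BPDU is received on
## an edge port (a rogue switch, or an attacker sending superior BPDUs to
## become root), block the port instead of joining the topology
set protocols rstp interface ge-0/0/5.0 edge
set protocols rstp interface ge-0/0/7.0 edge
set protocols rstp bpdu-block-on-edge
```

After committing, show spanning-tree bridge on every switch should report SRX-2's bridge ID as the root ID, and show spanning-tree interface should list the host ports as forwarding with no alternate or backup roles on them.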
Multiple Spanning Tree Protocol
Although RSTP converges faster than STP, it still does not solve a problem inherent in STP: all VLANs within a LAN must share the same spanning tree, so a link that is blocked for one VLAN is blocked for all of them. To solve this problem, J Series Services Routers and SRX Series Services Gateways use MSTP to create loop-free topologies in networks with multiple spanning-tree regions. An MSTP region allows a group of switches to be modeled as a single bridge. Multiple spanning-tree instances (MSTIs) are contained in an MSTP region, and each MSTI computes its own tree, so different VLANs can follow different paths. This allows load sharing across redundant links.
Figure 8: Multiple Spanning Tree Protocol (in the figure, one link is forwarding for VLAN Blue (MSTI 101) and blocked for VLAN Red (MSTI 102); the other link is forwarding for VLAN Red and blocked for VLAN Blue)
An MSTP region can support up to 64 MSTIs, and each instance can carry anywhere from 1 through 4094 VLANs. The configuration hierarchy is:

protocols {
    mstp {
        configuration-name <name>;
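An added worked MSTP configuration, not from the original note, that completes the hierarchy above for the SALES (VLAN 10) and OPERATIONS (VLAN 20) VLANs used later in this document. VLAN 10 is mapped to MSTI 1 and VLAN 20 to MSTI 2, and each core device is given the lowest priority for one instance, so each uplink forwards for one VLAN and blocks for the other instead of one uplink idling. The region name, revision level, MSTI numbers and interface names are assumptions. Every switch in the region must carry an identical configuration-name, revision-level and VLAN-to-MSTI mapping; a switch whose digest differs silently forms its own region, and the load sharing collapses to a single common tree.

```junos
## Common to every switch in the region (must match byte for byte)
set protocols mstp configuration-name BRANCH-REGION
set protocols mstp revision-level 1
set protocols mstp msti 1 vlan 10
set protocols mstp msti 2 vlan 20

## SRX-1: root for MSTI 1 (SALES), second choice for MSTI 2
set protocols mstp msti 1 bridge-priority 4k
set protocols mstp msti 2 bridge-priority 8k

## SRX-2: the mirror image, root for MSTI 2 (OPERATIONS)
## (configure these two lines on SRX-2 instead of the two above)
## set protocols mstp msti 1 bridge-priority 8k
## set protocols mstp msti 2 bridge-priority 4k

## Host-facing ports are edge ports in every instance (assumed names)
set protocols mstp interface ge-0/0/5.0 edge
set protocols mstp interface ge-0/0/7.0 edge
```

Verify with show spanning-tree bridge, which lists the root and priority per instance; if the CIST root is as expected but an MSTI shows a different root than intended, check the region parameters first.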
Configuring IEEE 802.1X Authentication
IEEE 802.1X, originally deployed as the authentication and authorization mechanism for wireless networks, is increasingly used on wired networks. It provides network edge security by protecting Ethernet LANs from unauthorized access. An 802.1X-enabled switch (the authenticator) blocks all traffic from devices connected to the switch (the supplicants) until their credentials have been verified by an authentication server (a RADIUS server).
The J Series and SRX Series support three 802.1X supplicant modes:
Single: Only the first supplicant on the port is authenticated; any other device that then appears on the port tailgates through on that authentication. Use this mode only where a single trusted device (or a phone with a device behind it) is expected.
Single secure: Only one supplicant is allowed on the port.
Multiple: More than one supplicant is allowed on the port, and each of them must be authenticated individually.
As stated earlier, the Ethernet switching features, including 802.1X, are inherited from the EX Series product line, but not all EX Series 802.1X features are available on the J Series and branch SRX Series. These platforms support the following:
Dynamic VLAN assignment: After successful authentication, the supplicant is dynamically made a member of a particular VLAN. The VLAN ID must be configured for the user on the RADIUS server.
Guest VLAN: Provides limited access to a LAN for supplicants that do not support 802.1X.
Server-reject VLAN: When an 802.1X-capable supplicant fails to authenticate (for example, because of wrong credentials), it is placed in the configured server-reject VLAN.
RADIUS accounting: Accounting information is sent to the RADIUS accounting server whenever a supplicant logs in or logs out. The information includes the amount of traffic, login and logout time, and so on.
MAC RADIUS or MAC authentication: Supplicants that do not support 802.1X can be authenticated by their MAC address through the MAC RADIUS feature. Guest VLAN and MAC RADIUS are mutually exclusive on a port.
Support for VoIP: IP telephones are supported. If the phone supports 802.1X, it is authenticated like any other supplicant. If the phone does not support 802.1X but an 802.1X-capable device is connected to its data port, that device is authenticated and VoIP traffic can then flow to and from the phone (provided the interface is configured in single mode, not single-secure mode). After successful authentication, the RADIUS server communicates a VLAN ID to the device so that all voice traffic is classified into that VLAN, also called the VoIP VLAN.
Server failure cases: When the RADIUS server becomes unreachable, the J Series and SRX Series can take one of the following actions:
- Permit: Allow all authentication requests without authentication until the RADIUS server is reachable again.
- Deny: Block all authentication requests until the RADIUS server becomes reachable.
- VLAN: Place users that request authentication in a configured VLAN.
- Cache: Reuse the previous authentication result for a user that requests authentication.
Permit turns a RADIUS outage into open access on the port; on ports that are not fully trusted, deny or a restricted fallback VLAN is the safer choice.
Static MAC bypass: A list of MAC addresses can be configured on the J Series and branch SRX Series for which 802.1X authentication is bypassed. A MAC address is trivially spoofed, so keep this list short and limited to devices that cannot run a supplicant.
Table 3: Supported 802.1X Features on J Series and Branch SRX Series Platforms
(Yes = supported, No = not supported)

Feature                           SRX100  SRX110  SRX210  SRX220  SRX240  SRX650  J Series
Dynamic VLAN assignment           No      No      Yes     Yes     Yes     Yes     No
Authentication bypass             Yes     Yes     Yes     Yes     Yes     Yes     Yes
Bypass with VLAN assignment       No      No      Yes     Yes     Yes     Yes     No
Guest VLAN                        No      No      Yes     Yes     Yes     Yes     No
Server-reject VLAN                No      No      Yes     Yes     Yes     Yes     No
Server failure fallback           No      No      Yes     Yes     Yes     Yes     No
VoIP VLAN                         No      No      Yes     Yes     Yes     Yes     No
RADIUS accounting                 Yes     Yes     Yes     Yes     Yes     Yes     No
MAC RADIUS or MAC authentication  Yes     Yes     Yes     Yes     Yes     Yes     No
Figure 9: IEEE 802.1X authentication (the RADIUS server and the network resources sit behind the J Series/branch SRX Series acting as authenticator; the supplicants connect to its switch ports)

protocols {
    dot1x {
        authenticator {
            authentication-profile-name abc;
            static {
                <mac-address>/<mask>;
            }
            interface <interface-name> {
                supplicant (single | single-secure | multiple);
                guest-vlan <vlan-name>;
                server-reject-vlan <vlan-name>;
                server-fail (permit | deny | vlan-name <vlan-name> | cache);
            }
        }
    }
}
access {
    radius-server {
        <server-address> secret <secret>;
    }
    profile <profile-name> {
        authentication-order radius;
        radius {
            authentication-server <server-address>;
        }
    }
}
802.1X is enabled per interface under [protocols dot1x authenticator interface <interface-name>]. The supplicant mode is configured under [protocols dot1x authenticator interface <interface-name> supplicant] and can be any of the three modes: single, single-secure, or multiple. Guest VLAN, server-reject VLAN, server-fail behaviour, and MAC authentication options are also configured under [protocols dot1x authenticator interface <interface-name>]. The authentication bypass list is configured under [protocols dot1x authenticator static].
The RADIUS server configuration is required for 802.1X to work. The RADIUS server is defined under [edit access radius-server], an access profile that references that server must be created under [edit access profile], and the profile is then referenced under [protocols dot1x authenticator authentication-profile-name].
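An added worked configuration (not from the original note) that fills in the hierarchy above with concrete values. The RADIUS server address 10.1.3.5, the shared secret placeholder, the profile name DOT1X-PROFILE, the VLAN names and IDs, the printer MAC address and the interface roles are all assumptions. ge-0/0/5.0 is a single-user desk port (single-secure, so a second device plugged into the same jack cannot tailgate), ge-0/0/7.0 is a shared port where every device must authenticate on its own (multiple), and a printer on ge-0/0/9.0 is exempted by static MAC bypass. Supplicants without 802.1X land in GUEST, failed credentials land in QUARANTINE, and a RADIUS outage denies new sessions rather than opening the port.

```junos
## RADIUS server and the access profile that 802.1X references
## (use a long random shared secret; this value is a placeholder)
set access radius-server 10.1.3.5 secret "REPLACE-WITH-LONG-RANDOM-SECRET"
set access profile DOT1X-PROFILE authentication-order radius
set access profile DOT1X-PROFILE radius authentication-server 10.1.3.5

## Fallback VLANs (assumed names and IDs); they should carry only the
## access a visitor or a failed login is meant to have
set vlans GUEST vlan-id 30
set vlans QUARANTINE vlan-id 40

## Authenticator: bind the profile
set protocols dot1x authenticator authentication-profile-name DOT1X-PROFILE

## Desk port: exactly one supplicant, a second MAC on the port is rejected
set protocols dot1x authenticator interface ge-0/0/5.0 supplicant single-secure
set protocols dot1x authenticator interface ge-0/0/5.0 guest-vlan GUEST
set protocols dot1x authenticator interface ge-0/0/5.0 server-reject-vlan QUARANTINE
set protocols dot1x authenticator interface ge-0/0/5.0 server-fail deny

## Shared port (for example behind an unmanaged hub): every device
## authenticates individually; no guest VLAN here on purpose
set protocols dot1x authenticator interface ge-0/0/7.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/7.0 server-reject-vlan QUARANTINE
set protocols dot1x authenticator interface ge-0/0/7.0 server-fail deny

## Printer without an 802.1X supplicant: bypass by MAC (assumed address)
set protocols dot1x authenticator static 00:11:22:33:44:55/48
```

The interfaces themselves still need family ethernet-switching and their VLAN membership as in the examples later in this document. show dot1x interface ge-0/0/5.0 detail reports the supplicant mode, the number of connected supplicants and the state of each, which is the quickest way to confirm that a port is actually enforcing and not sitting in a permit fallback.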
Configuring IGMP Snooping
At Layer 2 all multicast traffic is treated like broadcast and is flooded to every port of the switch in the same broadcast domain (VLAN). A lot of bandwidth is wasted when only a few multicast receivers are connected to the switch. To overcome this on J Series and branch SRX Series platforms, Junos OS provides Internet Group Management Protocol (IGMP) snooping, which regulates multicast traffic in a switched network. With IGMP snooping enabled, the switch monitors the IGMP exchanges between hosts and the multicast router and keeps track of the multicast groups and their member interfaces. The switch then uses that information to forward multicast traffic only to the interfaces behind which receivers exist.
Figure 10: IGMP snooping (a multicast source behind a PIM/IGMP router; the J Series/branch SRX Series with IGMP snooping identifies the multicast router interface and forwards group traffic only toward the multicast receiver)

protocols {
    igmp-snooping {
        vlan vlan10;
    }
}

IGMP snooping is configured per VLAN under [protocols igmp-snooping]. Once it is configured, the switch inspects IGMP communication between the multicast receivers (hosts) and the IGMP or PIM router. The interface on which IGMP queries are received is identified as the multicast router interface. A binding between a multicast group and an interface is created when a join/report message for that group is received on that interface. When multicast data for a particular group arrives on the router-facing interface, it is forwarded only to the interfaces that have a binding for that group, and it continues to be forwarded until the switch sees an IGMP leave or, for IGMPv1 hosts, until the membership times out. All of this is transparent to the IGMP/PIM router and to the receivers. Junos OS also provides options for manual configuration of multicast router interfaces and for static bindings between multicast groups and interfaces. Note that this feature is not available on the SRX100.
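The following is an added example, not from the original note, of the manual options mentioned above: the router-facing trunk is pinned as the multicast router interface, and one receiver port is given a static group binding. The VLAN name, the interface names, the group address and the statement names (multicast-router-interface and static group, carried over from the EX Series syntax) are assumptions. Pinning the router interface makes the forwarding path explicit and auditable, since otherwise any port on which IGMP queries are seen is treated as the router interface and receives every group's traffic for the VLAN.

```junos
## Snoop IGMP on the SALES VLAN (assumed VLAN name and ID)
set vlans SALES vlan-id 10
set protocols igmp-snooping vlan SALES

## Pin the router-facing trunk as the multicast router interface so the
## path toward the PIM/IGMP router does not depend on learning it from
## queries (assumed interface)
set protocols igmp-snooping vlan SALES interface ae0.0 multicast-router-interface

## Static binding: always deliver group 239.1.1.10 to the port of a
## receiver that cannot send IGMP reports itself (assumed group and port)
set protocols igmp-snooping vlan SALES interface ge-0/0/9.0 static group 239.1.1.10
```

show igmp-snooping membership lists, per VLAN, each group and the interfaces bound to it, and should show ge-0/0/9.0 under 239.1.1.10 even when no report has been received on that port.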
Configuring 802.1Q Tunneling
Q-in-Q tunneling allows service providers on Ethernet access networks to extend a Layer 2 Ethernet connection between two customer sites. This feature is useful when J Series and branch SRX Series devices are deployed in a service provider network as provider edge (PE) devices. The ingress PE device encapsulates incoming VLAN-tagged packets from the customer into a provider VLAN, and the egress PE device removes the provider VLAN tag and forwards the packets to the receiving customer. In this way the customer's Layer 2 information (VLAN, priority) is intact when it arrives at the other end.
Figure 11: Q-in-Q tunneling
In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) into the service provider's network, a second, service-provider-defined 802.1Q tag is pushed onto the packet. This outer tag segregates traffic into service VLANs (S-VLANs) defined by the provider. The original customer 802.1Q tag remains in the packet and is carried transparently through the provider network. As the packet leaves the S-VLAN in the downstream direction, the outer 802.1Q tag is removed.
In a Q-in-Q deployment, customer packets from downstream interfaces are transported without any changes to source and destination MAC addresses. MAC address learning can be disabled at both the interface level and the VLAN level; disabling it on an interface disables learning for all the VLANs of which that interface is a member.
Figure 11 shows C-VLAN-tagged frames at each customer site and S-VLAN + C-VLAN tagged frames across the service provider network between the two J Series/branch SRX Series PE devices.

vlans {
    <vlan-name> {
        vlan-id <vlan-id>;
        dot1q-tunneling {
            customer-vlans (native | <vlan-ids>);
        }
        interface <interface-name> {
            mapping {
                (native | <vlan-id>) {
                    push;
                }
            }
        }
        no-mac-learning;
    }
}
ethernet-switching-options {
    interfaces <interface-name> {
        no-mac-learning;
    }
}
When Q-in-Q tunneling is enabled on J Series and branch SRX Series platforms, trunk interfaces are assumed to face the service provider network and access interfaces are assumed to face the customer. In this mode an access interface can receive both tagged and untagged frames. There are three ways to map C-VLANs to an S-VLAN:
All-in-one bundling: Use the dot1q-tunneling statement at the [vlans <vlan-name>] hierarchy without specifying customer VLANs. All packets from a given access interface are mapped to the S-VLAN.
Many-to-one bundling: Use the customer-vlans statement at the [vlans <vlan-name>] hierarchy to specify which C-VLANs are mapped to the S-VLAN.
Mapping a C-VLAN on a specific interface: Use the mapping statement at the [vlans <vlan-name>] hierarchy to map a specific C-VLAN on a specified access interface to the S-VLAN.
Note that only the SRX650 supports all three types (all-in-one, many-to-one, and C-VLAN mapping). The other SRX Series platforms (except the SRX100) and the J Series support only all-in-one bundling. To disable MAC learning on a VLAN, configure no-mac-learning under [vlans <vlan-name>]; to disable it at the interface level, add the same keyword under [ethernet-switching-options interfaces <interface-name>]. This feature is not available on the SRX100.
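An added all-in-one bundling example for a PE device, not from the original note; it uses the only mapping type that every platform except the SRX100 supports. The S-VLAN names and IDs, the customer-facing access ports and the provider-facing trunk are assumptions. Two customers are shown so that the isolation is visible: each customer's frames, tagged or untagged, get that customer's S-VLAN pushed on top, and the trunk carries both S-VLANs toward the remote PE. MAC learning is disabled on the S-VLANs because the PE forwards customer traffic opaquely; with learning left on, a customer flooding random source addresses could fill the PE's MAC table and degrade forwarding for the other customers on the same device.

```junos
## Service VLANs, one per customer (assumed names and IDs)
set vlans CUST-A-SVLAN vlan-id 100
set vlans CUST-A-SVLAN dot1q-tunneling
set vlans CUST-B-SVLAN vlan-id 200
set vlans CUST-B-SVLAN dot1q-tunneling

## Customer-facing access ports: everything received here is wrapped in
## the customer's S-VLAN, the inner C-VLAN tag is left untouched
set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members CUST-A-SVLAN
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members CUST-B-SVLAN

## Provider-facing trunk: carries the double-tagged frames to the remote PE
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members CUST-A-SVLAN
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members CUST-B-SVLAN

## Do not learn customer MAC addresses into the PE forwarding table
set vlans CUST-A-SVLAN no-mac-learning
set vlans CUST-B-SVLAN no-mac-learning
```

The same configuration, with the port roles reversed as appropriate, goes on the remote PE. Customer A can never reach customer B's site through this device, because their traffic sits in different S-VLANs end to end; on the SRX650, the customer-vlans and mapping statements can additionally restrict which C-VLANs a customer is allowed to send.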
Configuring Link Layer Discovery Protocol (LLDP) and LLDP-MED
J Series and branch SRX Series devices use Link Layer Discovery Protocol (LLDP) and Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) to learn and distribute device information on network links. The information allows the switch to quickly identify a variety of devices, resulting in a LAN that interoperates smoothly and efficiently.
LLDP-capable devices transmit information in type, length, and value (TLV) messages to neighbor devices. Device information can include specifics such as chassis and port identification, system name, and system capabilities. The TLVs take this information from parameters that are already configured in Junos OS.
LLDP-MED goes one step further, exchanging IP-telephony messages between the switch and the IP telephone. These TLV messages provide detailed information on Power over Ethernet (PoE) policy. The PoE Management TLVs let the switch ports advertise the power level and power priority needed. For example, the switch can compare the power needed by an IP telephone on a PoE interface with the available resources; if the switch cannot meet the power required by the telephone, it can negotiate with the telephone until a compromise on power is reached.
Figure 12: LLDP and LLDP-MED (network peripherals attached to a J Series/branch SRX Series device running LLDP/LLDP-MED)
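The application note shows no LLDP configuration, so the following is added here; it is not the note's own text, and the interface names are assumptions. It enables LLDP toward the managed uplink and LLDP plus LLDP-MED on the phone ports only, rather than on every interface. The TLVs described above advertise the chassis ID, port ID, system name and capabilities to whatever is plugged in, which is exactly the reconnaissance an attacker on an unused or guest-facing port wants, so the advertisement is limited to ports where a peer needs it.

```junos
## LLDP toward the managed neighbor on the uplink (assumed interface)
set protocols lldp interface ae0.0

## LLDP and LLDP-MED on the IP-phone ports only (assumed interfaces);
## LLDP-MED carries the PoE power TLVs the phone negotiates with
set protocols lldp interface ge-0/0/5.0
set protocols lldp-med interface ge-0/0/5.0
set protocols lldp interface ge-0/0/7.0
set protocols lldp-med interface ge-0/0/7.0

## Deliberately not configured: "set protocols lldp interface all",
## which would also advertise the device on guest and unused ports
```

show lldp neighbors lists, per local port, the neighbor's chassis ID, port ID and system name; a neighbor appearing on a port that was not meant to run LLDP is the first sign that the interface list has drifted.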
J Series and Branch SRX Series Ethernet Switching Configuration Examples
Simple Ethernet Switching
This example details the configuration needed to use a J Series device or a branch SRX Series device as a simple Layer 2 switch. The topology is illustrated in Figure 13.
Figure 13: Simple Ethernet switching (ports ge-0/0/5 and ge-0/0/9)
The associated configuration is as follows:

set interfaces ge-0/0/5 unit 0 family ethernet-switching
set interfaces ge-0/0/9 unit 0 family ethernet-switching

Troubleshooting
Both interfaces, ge-0/0/5 and ge-0/0/9, should be part of the default VLAN:

regress@SRX-1> show vlans
Name           Tag     Interfaces
default        1
                       ge-0/0/5.0*, ge-0/0/9.0*
Adding VLANs
Now suppose that this small branch office has two departments, SALES and OPERATIONS. To isolate the departments and prevent traffic from leaking between them, VLANs are added to the design, resulting in the new topology illustrated in Figure 14.
Figure 14: Ethernet switching with multiple VLANs (SALES on ge-0/0/5 and ge-0/0/9; OPERATIONS on ge-0/0/7 and ge-0/0/11)

set vlans OPERATIONS vlan-id 20
set vlans SALES vlan-id 10
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members OPERATIONS
Troubleshooting
The following command shows the interface-to-VLAN associations:

regress@SRX-1> show vlans
Name           Tag     Interfaces
OPERATIONS     20
                       ge-0/0/7.0*, ge-0/0/11.0*
SALES          10
                       ge-0/0/5.0*, ge-0/0/9.0*
default        1
                       None
Routing Traffic Between VLANs
Now assume that this small branch needs to provide connectivity between the different business units, but that the connectivity must be controlled by assigning each business unit its own Layer 3 segment. Traffic between units is therefore routed and inspected by the firewall module, where security policies can be enforced, as illustrated in Figure 15. The following configuration adds two Layer 3 interfaces, one per VLAN, which serve as the default gateways for the respective network segments. These VLAN interfaces are then placed in security zones, and security policies are defined to allow traffic between the zones. In this example two security zones, SALES and OPERATIONS, are created, and HTTP traffic is allowed between them in both directions. The policies below match source-address any and destination-address any for brevity; in production, restrict them to the two subnets and to the specific servers that need to be reached.
Figure 15: Inter-VLAN forwarding (SALES, network 10.1.1.0/24, on ge-0/0/5 and ge-0/0/9; OPERATIONS, network 10.1.2.0/24, on ge-0/0/7 and ge-0/0/11)
set vlans OPERATIONS vlan-id 20
set vlans OPERATIONS l3-interface vlan.20
set vlans SALES vlan-id 10
set vlans SALES l3-interface vlan.10
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces vlan unit 10 family inet address 10.1.1.1/24
set interfaces vlan unit 20 family inet address 10.1.2.1/24
set security zones security-zone SALES interfaces vlan.10
set security zones security-zone OPERATIONS interfaces vlan.20
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match destination-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match application junos-http
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit
Troubleshooting
Along with the VLAN associations, the routed VLAN interfaces should be up in order to forward traffic between VLANs.

regress@SRX-1> show vlans
Name           Tag     Interfaces
OPERATIONS     20
                       ge-0/0/7.0*, ge-0/0/11.0*
SALES          10
                       ge-0/0/5.0*, ge-0/0/9.0*
default        1
                       None

regress@SRX-1> show interfaces vlan terse
Interface      Admin Link Proto    Local              Remote
vlan           up    up
vlan.10        up    up   inet     10.1.1.1/24
vlan.20        up    up   inet     10.1.2.1/24
Adding a Tagged Interface
Figure 16: Trunk port (for adding a tagged interface)
Now assume that the J Series or SRX Series device is connected to another SRX Series device. SALES and OPERATIONS users attached to one switch want to reach their respective servers behind the other switch while keeping their VLAN domains separate, as shown in Figure 16. Interface ge-0/0/3 on each device is cabled to ge-0/0/3 on the other and configured as a trunk port that carries both the SALES and OPERATIONS VLANs.
Figure 16 shows SRX-1 (access ports ge-0/0/5 and ge-0/0/7) and SRX-2 (access ports ge-0/0/9 and ge-0/0/11) joined by the ge-0/0/3 to ge-0/0/3 trunk port.
SRX-1 Configuration

set vlans OPERATIONS vlan-id 20
set vlans OPERATIONS l3-interface vlan.20
set vlans SALES vlan-id 10
set vlans SALES l3-interface vlan.10
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces vlan unit 10 family inet address 10.1.1.1/24
set interfaces vlan unit 20 family inet address 10.1.2.1/24
set security zones security-zone SALES interfaces vlan.10
set security zones security-zone OPERATIONS interfaces vlan.20
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match destination-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match application junos-http
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit

SRX-2 Configuration
(SRX-2 shares the two VLANs with SRX-1 over the trunk, so its VLAN interfaces must use different addresses in the same subnets; .2 is used here.)

set vlans OPERATIONS vlan-id 20
set vlans OPERATIONS l3-interface vlan.20
set vlans SALES vlan-id 10
set vlans SALES l3-interface vlan.10
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces vlan unit 10 family inet address 10.1.1.2/24
set interfaces vlan unit 20 family inet address 10.1.2.2/24
set security zones security-zone SALES interfaces vlan.10
set security zones security-zone OPERATIONS interfaces vlan.20
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match destination-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match application junos-http
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit
Troubleshooting
Access ports are untagged members of a VLAN, and trunk ports are tagged members; a trunk port is a member of multiple VLANs.

regress@SRX-1> show ethernet-switching interfaces
Interface    State  VLAN members   Tag   Tagging    Blocking
ge-0/0/3.0   up     OPERATIONS     20    tagged     unblocked
                    SALES          10    tagged     unblocked
ge-0/0/5.0   up     SALES          10    untagged   unblocked
ge-0/0/7.0   up     OPERATIONS     20    untagged   unblocked

regress@SRX-2> show ethernet-switching interfaces
Interface    State  VLAN members   Tag   Tagging    Blocking
ge-0/0/3.0   up     OPERATIONS     20    tagged     unblocked
                    SALES          10    tagged     unblocked
ge-0/0/9.0   up     SALES          10    untagged   unblocked
ge-0/0/11.0  up     OPERATIONS     20    untagged   unblocked
Increasing Capacity with Link Aggregation
As the small branch office grows and more applications demand bandwidth, a bottleneck forms on the link between the two devices. To relieve it, link aggregation is configured and a second link is added between the devices.
Figure 17: Link aggregation
Interfaces ge-0/0/1 and ge-0/0/3 are bundled into aggregated Ethernet interface ae0 on both switches, and ae0.0 is configured as a trunk port to carry the SALES and OPERATIONS VLANs. LACP runs in active mode on both ends, so a miscabled or one-way member link is detected and kept out of the bundle instead of silently forwarding.
Figure 17 shows SRX-1 (access ports ge-0/0/5 and ge-0/0/7) and SRX-2 (access ports ge-0/0/9 and ge-0/0/11) joined by the ae0.0 trunk port.
SRX-1 Configuration

set vlans OPERATIONS vlan-id 20
set vlans OPERATIONS l3-interface vlan.20
set vlans SALES vlan-id 10
set vlans SALES l3-interface vlan.10
set chassis aggregated-devices ethernet device-count 2
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ge-0/0/3 gigether-options 802.3ad ae0
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members SALES
set interfaces ae0 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces vlan unit 10 family inet address 10.1.1.1/24
set interfaces vlan unit 20 family inet address 10.1.2.1/24
set security zones security-zone SALES interfaces vlan.10
set security zones security-zone OPERATIONS interfaces vlan.20
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match destination-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match application junos-http
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit

SRX-2 Configuration
(As in the previous example, SRX-2 uses the .2 addresses so that the two gateways do not collide on the shared VLANs.)

set vlans OPERATIONS vlan-id 20
set vlans OPERATIONS l3-interface vlan.20
set vlans SALES vlan-id 10
set vlans SALES l3-interface vlan.10
set chassis aggregated-devices ethernet device-count 2
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ge-0/0/3 gigether-options 802.3ad ae0
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members SALES
set interfaces ae0 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces vlan unit 10 family inet address 10.1.1.2/24
set interfaces vlan unit 20 family inet address 10.1.2.2/24
set security zones security-zone SALES interfaces vlan.10
set security zones security-zone OPERATIONS interfaces vlan.20
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match destination-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match application junos-http
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit
Troubleshooting
The mux state of the LAG member interfaces (ge-0/0/1 and ge-0/0/3 in this configuration) should be "Collecting distributing" for both actor and partner. Layer 2 switching is configured on the aggregated interface itself (in this example ae0.0 is the trunk port).

regress@SRX-1> show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/1       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/1     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/3       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/3     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:    Receive State  Transmit State          Mux State
      ge-0/0/1              Current   Fast periodic Collecting distributing
      ge-0/0/3              Current   Fast periodic Collecting distributing

regress@SRX-1> show ethernet-switching interfaces
Interface    State  VLAN members   Tag   Tagging    Blocking
ae0.0        up     OPERATIONS     20    tagged     unblocked
                    SALES          10    tagged     unblocked
ge-0/0/5.0   up     SALES          10    untagged   unblocked
ge-0/0/7.0   up     OPERATIONS     20    untagged   unblocked
Loop Avoidance with RSTP
Another J Series or SRX Series device, SRX-3, is connected to both SRX-1 and SRX-2 as shown in Figure 18, which closes a physical loop between the three devices. To avoid the loop, RSTP is configured.
Figure 18: Loop avoidance with RSTP
Rapid Spanning Tree Protocol is enabled on all devices, and SRX-2 is made the root switch by giving it the lowest bridge priority (4k). Interfaces that connect end hosts, such as user workstations or servers, are configured as edge ports; the inter-switch aggregated links are left as ordinary RSTP ports so that one of them can be blocked.
Figure 18 shows the triangle of SRX-1, SRX-2 and SRX-3: ae0.0 and ae1.0 are the aggregated trunk links between the devices, with host ports ge-0/0/5 and ge-0/0/7 on SRX-1, ge-0/0/9 and ge-0/0/11 on SRX-2, and ge-0/0/6 and ge-0/0/8 on SRX-3.
SRX-1 Configuration

set vlans OPERATIONS vlan-id 20
set vlans OPERATIONS l3-interface vlan.20
set vlans SALES vlan-id 10
set vlans SALES l3-interface vlan.10
set chassis aggregated-devices ethernet device-count 2
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ge-0/0/3 gigether-options 802.3ad ae0
set interfaces ge-0/0/15 gigether-options 802.3ad ae1
set interfaces ge-0/0/13 gigether-options 802.3ad ae1
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members SALES
set interfaces ae0 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members SALES
set interfaces ae1 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces vlan unit 10 family inet address 10.1.1.1/24
set interfaces vlan unit 20 family inet address 10.1.2.1/24
set protocols rstp
set protocols rstp interface ge-0/0/5.0 edge
set protocols rstp interface ge-0/0/7.0 edge
set security zones security-zone SALES interfaces vlan.10
set security zones security-zone OPERATIONS interfaces vlan.20
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match destination-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match application junos-http
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit
SRX-2 Configurations
set vlans OPERATIONS vlan-id 20
set vlans OPERATIONS l3-interface vlan.20
set vlans SALES vlan-id 10
set vlans SALES l3-interface vlan.10
set chassis aggregated-devices ethernet device-count 2
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ge-0/0/3 gigether-options 802.3ad ae0
set interfaces ge-0/0/15 gigether-options 802.3ad ae1
set interfaces ge-0/0/13 gigether-options 802.3ad ae1
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members SALES
set interfaces ae0 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members SALES
set interfaces ae1 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces vlan unit 10 family inet address 10.1.1.2/24
set interfaces vlan unit 20 family inet address 10.1.2.2/24
set protocols rstp bridge-priority 4k
set protocols rstp interface ge-0/0/9.0 edge
set protocols rstp interface ge-0/0/11.0 edge
set security zones security-zone SALES interfaces vlan.10
set security zones security-zone OPERATIONS interfaces vlan.20
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match destination-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match application junos-http
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit
SRX-3 Configurations
set vlans OPERATIONS vlan-id 20
set vlans OPERATIONS l3-interface vlan.20
set vlans SALES vlan-id 10
set vlans SALES l3-interface vlan.10
set chassis aggregated-devices ethernet device-count 2
set interfaces ge-0/0/13 gigether-options 802.3ad ae0
set interfaces ge-0/0/15 gigether-options 802.3ad ae0
set interfaces ge-0/0/0 gigether-options 802.3ad ae1
set interfaces ge-0/0/2 gigether-options 802.3ad ae1
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members SALES
set interfaces ae0 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members SALES
set interfaces ae1 unit 0 family ethernet-switching vlan members OPERATIONS
set interfaces vlan unit 10 family inet address 10.1.1.3/24
set interfaces vlan unit 20 family inet address 10.1.2.3/24
set protocols rstp
set protocols rstp interface ge-0/0/6.0 edge
set protocols rstp interface ge-0/0/8.0 edge
set security zones security-zone SALES interfaces vlan.10
set security zones security-zone OPERATIONS interfaces vlan.20
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match source-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match destination-address any
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP match application junos-http
set security policies from-zone SALES to-zone OPERATIONS policy Allow_HTTP then permit
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match source-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match destination-address any
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP match application junos-http
set security policies from-zone OPERATIONS to-zone SALES policy Allow_HTTP then permit
Troubleshooting

SRX-2 is the root switch: it is the only bridge configured with bridge-priority 4k, while SRX-1 and SRX-3 keep the default priority of 32768. All interfaces on the root switch are in the forwarding state with the designated role.
regress@SRX-2> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 4096.00:22:83:99:b0:50
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 0
  Number of topology changes        : 2
  Time since last topology change   : 458 seconds
  Topology change initiator         : ae1.0
  Topology change last recvd. From  : 80:71:1f:a4:2b:01
  Local parameters
    Bridge ID                       : 4096.00:22:83:99:b0:50
    Extended system ID              : 0
    Internal instance ID            : 0

regress@elanta> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface     Port ID    Designated    Designated          Port   State  Role
                         port ID       bridge ID           Cost
ae0.0         128:1      128:1         4096.00228399b050   20000  FWD    DESG
ae1.0         128:2      128:2         4096.00228399b050   10000  FWD    DESG
ge-0/0/9.0    128:522    128:522       4096.00228399b050   20000  FWD    DESG
ge-0/0/11.0   128:524    128:524       4096.00228399b050   20000  FWD    DESG
Note that the root bridge ID is reported on all non-root switches. Also note that the root port is the one connected toward the root switch: on SRX-1 it is ae0.0, with a root cost of 10000.
regress@SRX-1> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 4096.00:22:83:99:b0:50
  Root cost                         : 10000
  Root port                         : ae0.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 1
  Number of topology changes        : 4
  Time since last topology change   : 95 seconds
  Topology change initiator         : ae1.0
  Topology change last recvd. From  : 00:22:83:99:b0:c0
  Local parameters
    Bridge ID                       : 32768.00:1b:c0:53:69:88
    Extended system ID              : 0
    Internal instance ID            : 0
When there are two redundant links to the root switch, one of them is the root port and the other is the alternate port, which stays in the blocking state so that the loop is broken.
regress@SRX-3> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface     Port ID    Designated    Designated          Port   State  Role
                         port ID       bridge ID           Cost
ae0.0         128:1      128:2         32768.001bc0536988  10000  BLK    ALT
ae1.0         128:2      128:2         4096.00228399b050   10000  FWD    ROOT
ge-0/0/6.0    128:519    128:519       32768.80711fa42a90  20000  FWD    DESG
ge-0/0/8.0    128:521    128:521       32768.80711fa42a90  20000  FWD    DESG
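The three checks a practitioner performs by eye on the output above can be scripted. The following is an added example, not part of the Juniper application note: it parses text in the format of show spanning-tree bridge and show spanning-tree interface, and verifies that the root ID is the bridge we gave bridge-priority 4k (SRX-2), that the port roles match the device's position (a root bridge has every port FWD/DESG, a non-root bridge has exactly one ROOT port and blocked ALT ports), and that no edge port has elected a bridge behind it as root or alternate, which is what a rogue switch or an STP root takeover from an access port looks like. The sample outputs are constructed from the values shown above; SRX-3's own bridge ID is taken from the designated bridge ID of its edge ports, and the rogue bridge uses a documentation MAC address.

```python
"""Check that RSTP converged on the root bridge we intended (added example)."""
import re

# SRX-2's bridge ID from the page: priority 4096 (bridge-priority 4k) + system MAC.
EXPECTED_ROOT = "4096.00:22:83:99:b0:50"
EDGE_PORTS = ("ge-0/0/6.0", "ge-0/0/8.0")   # SRX-3's edge ports from its configuration

# Constructed sample output in the format of `show spanning-tree bridge` and
# `show spanning-tree interface` on SRX-3 in the steady state shown on the page.
SRX3_BRIDGE = """\
STP bridge parameters
  Root ID                           : 4096.00:22:83:99:b0:50
  Root cost                         : 10000
  Root port                         : ae1.0
  Local parameters
    Bridge ID                       : 32768.80:71:1f:a4:2a:90
"""
SRX3_INTERFACES = """\
Interface    Port ID    Designated   Designated          Port   State  Role
                        port ID      bridge ID           Cost
ae0.0        128:1      128:2        32768.001bc0536988  10000  BLK    ALT
ae1.0        128:2      128:2        4096.00228399b050   10000  FWD    ROOT
ge-0/0/6.0   128:519    128:519      32768.80711fa42a90  20000  FWD    DESG
ge-0/0/8.0   128:521    128:521      32768.80711fa42a90  20000  FWD    DESG
"""
# Constructed failure case: a bridge with priority 0 (documentation MAC range
# 00:00:5e:00:53:xx) plugged into edge port ge-0/0/6.0 has taken over as root.
ROGUE_BRIDGE = """\
  Root ID                           : 0.00:00:5e:00:53:01
  Root cost                         : 20000
  Root port                         : ge-0/0/6.0
  Local parameters
    Bridge ID                       : 32768.80:71:1f:a4:2a:90
"""
ROGUE_INTERFACES = """\
ae0.0        128:1      128:1        32768.80711fa42a90  10000  FWD    DESG
ae1.0        128:2      128:2        4096.00228399b050   10000  BLK    ALT
ge-0/0/6.0   128:519    128:1        0.00005e005301      20000  FWD    ROOT
ge-0/0/8.0   128:521    128:521      32768.80711fa42a90  20000  FWD    DESG
"""

# One data row: interface, port ID, designated port ID, designated bridge, cost, state, role
ROW = re.compile(r"^\s*(\S+)\s+(\d+:\d+)\s+(\d+:\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")

def _field(text, label):
    m = re.search(rf"^\s*{re.escape(label)}\s*:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def parse_bridge(text):
    return {"root_id": _field(text, "Root ID"), "bridge_id": _field(text, "Bridge ID"),
            "root_port": _field(text, "Root port")}

def parse_interfaces(text):
    rows = []
    for line in text.splitlines():
        if m := ROW.match(line):
            name, _pid, _dpid, dbridge, cost, state, role = m.groups()
            rows.append({"interface": name, "designated_bridge": dbridge,
                         "cost": int(cost), "state": state, "role": role})
    return rows

def check_switch(name, bridge, ifaces, expected_root=EXPECTED_ROOT, edge_ports=()):
    findings = []
    if bridge["root_id"] != expected_root:
        findings.append(f"{name}: root bridge is {bridge['root_id']}, expected {expected_root}")
    roots = [r for r in ifaces if r["role"] == "ROOT"]
    if bridge["bridge_id"] == bridge["root_id"]:      # this device is the root bridge
        bad = [r["interface"] for r in ifaces if (r["state"], r["role"]) != ("FWD", "DESG")]
        if bad:
            findings.append(f"{name}: root bridge ports not FWD/DESG: {bad}")
    else:                                              # non-root: one ROOT port, ALT ports blocked
        if len(roots) != 1 or roots[0]["interface"] != bridge["root_port"]:
            findings.append(f"{name}: ROOT ports {[r['interface'] for r in roots]} "
                            f"disagree with Root port {bridge['root_port']}")
        for r in ifaces:
            if r["role"] == "ALT" and r["state"] != "BLK":
                findings.append(f"{name}: alternate port {r['interface']} is {r['state']}, not BLK")
    for r in ifaces:   # a bridge behind an edge port must never win a role toward the root
        if r["interface"] in edge_ports and r["role"] in ("ROOT", "ALT"):
            findings.append(f"{name}: edge port {r['interface']} points at bridge "
                            f"{r['designated_bridge']} (possible rogue switch)")
    return findings

if __name__ == "__main__":
    for label, b, i in (("steady state", SRX3_BRIDGE, SRX3_INTERFACES),
                        ("rogue root", ROGUE_BRIDGE, ROGUE_INTERFACES)):
        print(label, "->", check_switch("SRX-3", parse_bridge(b), parse_interfaces(i),
                                        edge_ports=EDGE_PORTS) or "OK")
```

Feed it the output collected from each switch after any topology change; the edge-port check is the one that matters on access switches, since the page's configuration does not enable BPDU protection on the edge ports and RSTP will happily accept a better root from any of them.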
IEEE 802.1X Authentication

In this example, 802.1X is enabled on the supplicant-facing interface (shown as ge-0/0/5 in Figure 19; the configuration and troubleshooting output below use ge-0/0/12). Until the credentials of the user connected to the interface are verified, the user cannot reach any of the network resources connected to this device.

Figure 19: IEEE 802.1X authentication

The RADIUS server must be reachable from the switch, and it must be configured with the supplicant's username and password. No authentication is performed for MAC addresses configured under [edit protocols dot1x authenticator static]: such a host is admitted as soon as its source MAC address is seen, so treat each static entry as a deliberate bypass for a device that cannot run a supplicant, and keep the list short, because a MAC address is trivially spoofed. The RADIUS shared secret is stored in the configuration in Junos $9$ form, which is reversible obfuscation rather than encryption, so configuration backups that contain it must be protected like the secret itself.
[Figure 19 diagram: supplicants on ge-0/0/5; network resources on ge-0/0/11; RADIUS server 181.181.16.2 reached through ge-0/0/0]
set interfaces ge-0/0/0 unit 0 family inet address 181.181.16.1/24
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members SALES
set protocols dot1x authenticator authentication-profile-name test
set protocols dot1x authenticator static 00:11:22:33:55:66/48
set protocols dot1x authenticator interface ge-0/0/12.0 supplicant multiple
set access radius-server 181.181.16.2 secret $9$K76WX-YgJHqfVwqfTzCAvWL
set access profile test authentication-order radius
Troubleshooting

The first command is issued before the supplicant has completed authentication (state Connecting), the second after RADIUS has accepted user1. The third command lists hosts that were admitted through the static MAC entry without being authenticated.

regress@SRX-1# run show dot1x interface
802.1X Information:
Interface      Role           State          MAC address         User
ge-0/0/12.0    Authenticator  Connecting

regress@SRX-1# run show dot1x interface
802.1X Information:
Interface      Role           State          MAC address         User
ge-0/0/12.0    Authenticator  Authenticated  00:00:00:80:00:01   user1

regress@SRX-1# run show dot1x authentication-bypassed-users
MAC address          Interface      VLAN
00:11:22:33:55:66    ge-0/0/12.0    configured/default
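The configuration above authenticates ge-0/0/12 but leaves ge-0/0/11, also an access port in SALES, open to anything plugged into it, and it admits one MAC address with no authentication at all. Those are exactly the things to audit on every switch. The following is an added example, not code from the Juniper application note: it reads set-style configuration together with the two show outputs above and reports access ports in family ethernet-switching without an 802.1X authenticator, static bypass MACs that are not on an approved list, bypassed hosts currently active, and supplicants not yet in the Authenticated state. The sample configuration is constructed from the page's; the trunk on ge-0/0/8 is not in the page and is added only to show that trunk ports are excluded from the access-port check.

```python
"""Audit 802.1X coverage on a branch SRX / J Series switch (added example)."""
import re

# Constructed from the page's 802.1X configuration. The trunk on ge-0/0/8 is not in
# the page; it is added to show that trunk ports are left out of the access-port check.
CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 181.181.16.1/24
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members SALES
set protocols dot1x authenticator authentication-profile-name test
set protocols dot1x authenticator static 00:11:22:33:55:66/48
set protocols dot1x authenticator interface ge-0/0/12.0 supplicant multiple
set access profile test authentication-order radius
"""
# Constructed in the format of `show dot1x interface` and
# `show dot1x authentication-bypassed-users` shown above.
DOT1X_STATUS = """\
802.1X Information:
Interface      Role           State          MAC address         User
ge-0/0/12.0    Authenticator  Authenticated  00:00:00:80:00:01   user1
"""
BYPASSED = """\
MAC address          Interface      VLAN
00:11:22:33:55:66    ge-0/0/12.0    configured/default
"""

SWITCHING = re.compile(r"set interfaces (\S+) unit (\d+) family ethernet-switching(.*)")
DOT1X_IF = re.compile(r"set protocols dot1x authenticator interface (\S+)")
STATIC = re.compile(r"set protocols dot1x authenticator static ([0-9a-fA-F:]+)")
STATUS_ROW = re.compile(r"^(\S+\.\d+)\s+Authenticator\s+(\S+)(?:\s+(\S+)\s+(\S+))?")
MAC_ROW = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\S+)", re.I)

def parse_config(text):
    switching, trunks, dot1x, bypass = set(), set(), set(), set()
    for line in text.splitlines():
        if m := SWITCHING.match(line):
            lif = f"{m.group(1)}.{m.group(2)}"          # logical interface, e.g. ge-0/0/12.0
            switching.add(lif)
            if "port-mode trunk" in m.group(3):
                trunks.add(lif)
        elif m := DOT1X_IF.match(line):
            dot1x.add(m.group(1))
        elif m := STATIC.match(line):
            bypass.add(m.group(1).lower())              # drop the /48 mask
    return {"access": switching - trunks, "trunks": trunks, "dot1x": dot1x, "bypass": bypass}

def parse_status(text):
    return [{"interface": m.group(1), "state": m.group(2),
             "mac": (m.group(3) or "").lower(), "user": m.group(4) or ""}
            for line in text.splitlines() if (m := STATUS_ROW.match(line))]

def parse_bypassed(text):
    return [{"mac": m.group(1).lower(), "interface": m.group(2), "vlan": m.group(3)}
            for line in text.splitlines() if (m := MAC_ROW.match(line))]

def audit(cfg, status, bypassed, approved_bypass=frozenset(), exempt_ports=frozenset()):
    """approved_bypass: MACs allowed to skip 802.1X. exempt_ports: access ports that
    legitimately carry no authenticator, such as the port toward network resources."""
    findings = []
    for lif in sorted(cfg["access"] - cfg["dot1x"] - set(exempt_ports)):
        findings.append(f"{lif}: access port without 802.1X; any device plugged in gets the VLAN")
    for lif in sorted(cfg["dot1x"] - cfg["access"]):
        findings.append(f"{lif}: dot1x configured on a port that is not a switching access port")
    for mac in sorted(cfg["bypass"] - {m.lower() for m in approved_bypass}):
        findings.append(f"{mac}: static MAC bypass not on the approved list (MACs are spoofable)")
    for row in bypassed:
        findings.append(f"{row['mac']} is on {row['interface']} without authentication (static bypass)")
    for row in status:
        if row["state"] != "Authenticated":
            findings.append(f"{row['interface']}: supplicant in state {row['state']}, not yet admitted")
    return findings

if __name__ == "__main__":
    for f in audit(parse_config(CONFIG), parse_status(DOT1X_STATUS), parse_bypassed(BYPASSED)):
        print(f)
```

Run against the page's configuration with no approved list, it reports ge-0/0/11.0 as an unauthenticated access port and 00:11:22:33:55:66 as an unapproved bypass; pass exempt_ports={"ge-0/0/11.0"} once you have confirmed that port faces network resources rather than users.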
Multicast Snooping with IGMP Snooping Protocol

This example configures IGMP snooping on J Series and SRX Series devices so that multicast traffic is forwarded only to the ports with receivers for a group rather than flooded through the VLAN. A multicast receiver is connected to interface ge-0/0/9, and interface ge-0/0/2 is connected to the PIM/IGMP router from which multicast data packets are sent.
set vlans SALES vlan-id 10
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members SALES
set protocols igmp-snooping vlan SALES
Figure 20: Multicast snooping with IGMP snooping

Troubleshooting

Make sure that the uplink interface (ge-0/0/2) is identified as a multicast router interface. Otherwise, the received join (IGMP membership report) messages cannot be forwarded to the PIM/IGMP router. The converse also deserves attention: any port on which the switch hears IGMP queries or PIM hellos is learned as a router interface and is sent all multicast traffic in the VLAN, so a host port appearing in the router interface list should be investigated.
[Figure 20 diagram: multicast source behind the PIM/IGMP router on ge-0/0/2; multicast receiver on ge-0/0/9]
regress@SRX-1# run show igmp-snooping membership detail
VLAN: SALES Tag: 10 (Index: 2)
  Router interfaces:
    ge-0/0/2.0 dynamic Uptime: 00:04:48 timeout: 219
  Group: 230.5.5.5
    ge-0/0/9.0 timeout: 233 Last reporter: 23.23.23.2 Receiver count: 1, Flags:
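The router-interface check described above can be automated over the same output. The following is an added example, not part of the Juniper application note: it parses show igmp-snooping membership detail into VLANs, router interfaces and group members, and compares the learned router interfaces per VLAN with the uplinks that are supposed to lead to the PIM/IGMP router. A missing uplink is the failure the page describes (joins never reach the router); an extra router interface means a host port sent queries or PIM hellos and is now receiving every multicast stream in the VLAN. The sample output is constructed from the page's, with a second VLAN added in which ge-0/0/7.0 has been learned as a router interface; the VLAN names and ports are assumptions of the example.

```python
"""Verify IGMP snooping learned exactly the intended router interfaces (added example)."""
import re

# Constructed to match the page's output, plus a second VLAN in which a host port
# (ge-0/0/7.0) has also been learned as a multicast router interface.
MEMBERSHIP = """\
VLAN: SALES Tag: 10 (Index: 2)
  Router interfaces:
    ge-0/0/2.0 dynamic Uptime: 00:04:48 timeout: 219
  Group: 230.5.5.5
    ge-0/0/9.0 timeout: 233 Last reporter: 23.23.23.2 Receiver count: 1, Flags:
VLAN: OPERATIONS Tag: 20 (Index: 3)
  Router interfaces:
    ge-0/0/2.0 dynamic Uptime: 00:04:40 timeout: 212
    ge-0/0/7.0 dynamic Uptime: 00:00:12 timeout: 248
  Group: 239.1.1.1
    ge-0/0/5.0 timeout: 190 Last reporter: 10.1.2.50 Receiver count: 1, Flags:
"""

VLAN_RE = re.compile(r"^VLAN:\s+(\S+)\s+Tag:\s+(\d+)")
GROUP_RE = re.compile(r"^\s+Group:\s+(\S+)")
ROUTER_RE = re.compile(r"^\s+(\S+\.\d+)\s+(dynamic|static)\b")
MEMBER_RE = re.compile(r"^\s+(\S+\.\d+)\s+timeout:\s+\d+\s+Last reporter:\s+(\S+)\s+"
                       r"Receiver count:\s+(\d+)")

def parse_membership(text):
    """Return {vlan: {"tag", "routers": {iface: kind}, "groups": {group: [members]}}}."""
    vlans, vlan, group = {}, None, None
    for line in text.splitlines():
        if m := VLAN_RE.match(line):
            vlan = vlans.setdefault(m.group(1), {"tag": int(m.group(2)), "routers": {}, "groups": {}})
            group = None
        elif vlan is None:
            continue
        elif m := GROUP_RE.match(line):
            group = m.group(1)
            vlan["groups"].setdefault(group, [])
        elif m := ROUTER_RE.match(line):
            vlan["routers"][m.group(1)] = m.group(2)
        elif group and (m := MEMBER_RE.match(line)):
            vlan["groups"][group].append({"interface": m.group(1), "reporter": m.group(2),
                                          "count": int(m.group(3))})
    return vlans

def check_router_interfaces(vlans, expected_uplinks):
    """expected_uplinks maps VLAN name -> set of interfaces that lead to the PIM/IGMP router."""
    findings = []
    for name, v in vlans.items():
        learned, expected = set(v["routers"]), set(expected_uplinks.get(name, ()))
        for lif in sorted(expected - learned):
            findings.append(f"{name}: uplink {lif} is not a router interface; "
                            f"joins will not reach the router")
        for lif in sorted(learned - expected):
            findings.append(f"{name}: unexpected {v['routers'][lif]} router interface {lif}; "
                            f"it receives every multicast stream in the VLAN")
    return findings

if __name__ == "__main__":
    vlans = parse_membership(MEMBERSHIP)
    uplinks = {"SALES": {"ge-0/0/2.0"}, "OPERATIONS": {"ge-0/0/2.0"}}
    print(check_router_interfaces(vlans, uplinks) or "router interfaces as expected")
```

Because the router interfaces here are learned dynamically and time out (timeout: 219 in the output), run the check periodically; a finding that appears and disappears is still worth correlating with the MAC address active on the offending port.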
802.1Q Tunneling (Q-in-Q Tunneling)

This example shows how the 802.1Q tunneling feature of the J Series and branch SRX Series devices can be used as a provider edge (PE) feature in service provider networks: frames arriving from the customer, whether tagged or untagged, are given an additional service provider VLAN tag (here VLAN 100), carried across the provider network on that tag alone, and have it removed at the far edge, so the customer's own VLAN tags pass through unchanged.

Figure 21: 802.1Q tunneling

Interfaces ge-0/0/4 of SRX-1 and ge-0/0/12 of SRX-2 are connected to end customer devices, and ge-0/0/8 on both devices is connected to the service provider network.

SRX-1 Configurations
[Figure 21 diagram: customer devices on ge-0/0/4 of SRX-1 and ge-0/0/12 of SRX-2; ge-0/0/8 on both SRX-1 and SRX-2 faces the service provider network]
set vlans SERVICE_PROVIDER vlan-id 100
set vlans SERVICE_PROVIDER dot1q-tunneling
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members SERVICE_PROVIDER
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members SERVICE_PROVIDER
SRX-2 Configurations
set vlans SERVICE_PROVIDER vlan-id 100
set vlans SERVICE_PROVIDER dot1q-tunneling
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members SERVICE_PROVIDER
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members SERVICE_PROVIDER
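What the dot1q-tunneling statement does to a frame is easier to see on the wire than in the configuration. The following is an added example, not part of the Juniper application note: it builds Ethernet frames in pure Python and models the two provider-edge operations, pushing the SERVICE_PROVIDER tag (VLAN 100) in front of whatever the customer sent on the access port (ge-0/0/4 on SRX-1) and, at the far edge (ge-0/0/12 on SRX-2), accepting only frames carrying that service tag and popping it so the customer's own tag comes out untouched. The use of TPID 0x8100 for the outer tag is an assumption of this example; the TPID the device puts on the service tag depends on its configuration, and 0x88a8 is recognised when parsing. The MAC addresses are from the documentation range and the payload is constructed.

```python
"""Model what dot1q-tunneling does to a customer frame at both provider edges (added example)."""
import struct

TPID_8100 = 0x8100   # 802.1Q TPID; assumed here for the S-tag as well
TPID_88A8 = 0x88A8   # 802.1ad S-VLAN TPID, recognised when parsing a tag stack
ETH_IPV4 = 0x0800
S_VLAN = 100         # vlan-id of SERVICE_PROVIDER in the configurations above

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def _tag(vid, tpid=TPID_8100, pcp=0):
    # TCI = 3-bit PCP | 1-bit DEI (0) | 12-bit VID
    return struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))

def build_frame(dst, src, ethertype, payload, tags=()):
    """tags: sequence of (vid[, tpid[, pcp]]) tuples, outermost first."""
    return (_mac(dst) + _mac(src) + b"".join(_tag(*t) for t in tags)
            + struct.pack("!H", ethertype) + payload)

def parse_frame(frame):
    """Walk the tag stack after the MAC addresses until a non-VLAN EtherType appears."""
    off, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in (TPID_8100, TPID_88A8):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": ethertype, "payload": frame[off + 2:]}

def push_tag(frame, vid, tpid=TPID_8100, pcp=0):
    return frame[:12] + _tag(vid, tpid, pcp) + frame[12:]

def pop_tag(frame):
    return frame[:12] + frame[16:]

def pe_ingress(frame, svlan=S_VLAN, tpid=TPID_8100):
    """Customer-facing access port of a dot1q-tunneling VLAN (ge-0/0/4 on SRX-1):
    push the S-tag in front of whatever the customer sent, tagged or untagged."""
    return push_tag(frame, svlan, tpid)

def is_in_service_vlan(frame, svlan=S_VLAN, tpid=TPID_8100):
    tags = parse_frame(frame)["tags"]
    return bool(tags) and (tags[0]["tpid"], tags[0]["vid"]) == (tpid, svlan)

def pe_egress(frame, svlan=S_VLAN, tpid=TPID_8100):
    """Far-edge delivery toward the customer (ge-0/0/12 on SRX-2): only frames in our
    S-VLAN belong to this customer; strip the S-tag and leave any C-tag intact."""
    if not is_in_service_vlan(frame, svlan, tpid):
        raise ValueError(f"frame is not in service VLAN {svlan}")
    return pop_tag(frame)

if __name__ == "__main__":
    # Constructed customer frame tagged with C-VLAN 10, documentation MACs, dummy IPv4 payload.
    cust = build_frame("00:00:5e:00:53:02", "00:00:5e:00:53:01", ETH_IPV4,
                       b"\x45" + b"\x00" * 19, tags=[(10,)])
    wire = pe_ingress(cust)
    print("tag stack on the provider trunk:", [t["vid"] for t in parse_frame(wire)["tags"]])  # [100, 10]
    print("delivered to the customer unchanged:", pe_egress(wire) == cust)                     # True
```

The egress check is where the isolation lives: a frame that arrives on the trunk with a different outer VID, or with no outer tag at all, is never handed to this customer's port, while the inner tag is opaque to the provider and is not consulted.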
Troubleshooting

The untagged member ge-0/0/4.0 is the customer-facing port and the tagged member ge-0/0/8.0 is the provider trunk; "Dot1q Tunneling status: Enabled" confirms that the service tag is pushed on ingress from ge-0/0/4.0.

regress@SRX-1# run show vlans detail
VLAN: SERVICE_PROVIDER, 802.1Q Tag: 100, Admin State: Enabled
Dot1q Tunneling status: Enabled
Number of interfaces: 2 (Active = 2)
  Untagged interfaces: ge-0/0/4.0*
  Tagged interfaces: ge-0/0/8.0*

VLAN: default, 802.1Q Tag: 1, Admin State: Enabled

About Juniper Networks

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.

Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737)
or 408.745.2000
Fax: 408.745.2100
www.juniper.net

APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 King's Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
EMEA Sales: 00800.4586.4737
Fax: 35.31.8903.601

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.

Copyright 2011 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper