Published: 2012-05-11
Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain. This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto. This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved. GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates. This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc.
All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Junos OS Juniper Networks Horizontal Campus Validated Design Guide Copyright 2012, Juniper Networks, Inc. All rights reserved. Revision History: April 2012, Revision 1. The information in this document is current as of the date on the title page.
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
Part 1
Chapter 1
Overview
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Junos OS Documentation and Release Notes . . . . 3
Objectives . . . . 4
Audience . . . . 4
Examples . . . . 4
  Using the Examples in This Guide . . . . 4
  Merging a Full Example . . . . 5
  Merging a Snippet . . . . 5
Documentation Conventions . . . . 6
Documentation Feedback . . . . 8
Technical Support . . . . 8
  Requesting Technical Support . . . . 8
  Self-Help Online Tools and Resources . . . . 8
  Opening a Case with JTAC . . . . 9
Chapter 2
Part 2
Chapter 3
Network Deployment
Wired LAN Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Configuring the Core Switch . . . . 33
  Procedure Overview . . . . 34
  Configuring Global Settings for the Core Switch . . . . 35
  Configuring a Virtual Chassis for the Core Switch . . . . 36
  Configuring Layer 2 Settings for the Core Switch . . . . 38
  Configuring Power over Ethernet (optional) . . . . 44
  Configuring Layer 3 Settings for the Core Switch . . . . 44
Configuring the Access Switch . . . . 45
  Configuring the Access Switch in Extended Mode . . . . 46
    Procedure Overview . . . . 46
    Configuring Global Settings . . . . 47
    Configuring the Virtual Chassis . . . . 48
    Configuring Layer 2 Settings . . . . 53
  Configuring the Access Switch in Dedicated Mode . . . . 59
    Procedure Overview . . . . 60
    Configuring Global Settings . . . . 60
    Configuring a Virtual Chassis . . . . 61
    Configuring Layer 2 Settings . . . . 63
Chapter 4
Wireless Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Wireless Services Deployment Overview . . . . 67
Configuring the Primary WLC . . . . 68
Configuring the Secondary WLC . . . . 73
Chapter 5
SRX Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Prerequisites . . . . 77
Configuring the SRX Series Cluster . . . . 78
Part 3
Appendix A
Appendix
Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Appendix B
Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Virtual Chassis Advantage . . . . 95
Types of Virtual Chassis . . . . 95
  Dedicated Mode . . . . 96
  Extended Mode . . . . 96
  Mixed Mode . . . . 96
Pre-Provisioning the Virtual Chassis . . . . 98
Virtual Chassis Base Configuration . . . . 101
Layer 3 Configuration . . . . 101
Appendix C
Appendix D
Appendix E
List of Figures
Part 1
Chapter 2
Overview
Juniper Networks Validated Design Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Figure 1: Horizontal Network Topography for a Single Building . . . . 14
Figure 2: Topography Model for the Horizontal Campus Validated Design . . . . 15
Figure 3: Horizontal Campus Reference Architecture for the Validated Design . . . . 16
Figure 4: Wired LAN Topology . . . . 19
Figure 5: Centralized Switching for the Wireless LAN Controller . . . . 20
Figure 6: Clustered Switching for the Wireless LAN Controller . . . . 21
Figure 7: SRX Zone Map (logical) . . . . 21
Figure 8: SRX reth Failure Scenario 1 . . . . 23
Figure 9: SRX reth Failure Scenario 2 . . . . 24
Figure 10: Common Access Switch Configurations . . . . 25
Figure 11: Virtual Chassis Advantage . . . . 26
Figure 12: VLAN-to-Device Mapping . . . . 28
Part 2
Chapter 3
Network Deployment
Wired LAN Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Figure 13: Core Switch . . . . 34
Figure 14: Extended Mode Access Switch . . . . 46
Figure 15: Dedicated Mode Access Switch . . . . 59
Chapter 4
Wireless Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Figure 16: Wireless LAN Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Chapter 5
SRX Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Figure 17: The SRX Series Services Gateway Cluster . . . . 77
Figure 18: SRX Series Cluster Setup . . . . 78
Figure 19: Deployment Complete . . . . 89
List of Tables
Part 1
Chapter 1
Overview
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 1: Notice Icons . . . . 6
Table 2: Text and Syntax Conventions . . . . 6
Chapter 2
Part 3
Appendix
Table 6: Hardware List for the Network Core . . . . 161
Table 7: Hardware List for Closet 1.1 . . . . 161
Table 8: Hardware List for Closet 1.2 . . . . 162
Table 9: Hardware List for Closet 2.1 . . . . 162
Table 10: Hardware List for Closet 2.2 . . . . 163
Appendix E
PART 1
Overview
About This Guide on page 3
Juniper Networks Validated Design Overview on page 11
CHAPTER 1
Junos OS Documentation and Release Notes on page 3
Objectives on page 4
Audience on page 4
Examples on page 4
Documentation Conventions on page 6
Documentation Feedback on page 8
Technical Support on page 8
Objectives
This guide provides a simple, step-by-step process that businesses can use to rapidly deploy a small campus solution. The deployment in this guide is based on a tested reference topology that can easily be scaled and adapted to your specific requirements.
Audience
This guide is designed for network administrators who are tasked with designing and deploying a small campus network for a small enterprise. To use this guide, you need to have a broad understanding of networks in general, the Internet in particular, networking principles, and network configuration.
Examples
Using the Examples in This Guide on page 4
Merging a Full Example on page 5
Merging a Snippet on page 5
The configuration displayed in a hierarchical format is what you would normally see when displaying the configuration from the CLI of the device. The configuration expressed as set commands, like the ones used when configuring the devices line by line, is the format that you can view from the CLI by adding the display set modifier to the show configuration command:
user@host> show configuration | display set
Both formats are presented here so that you can pick the one that works best for you. For the wireless LAN controllers, the configuration commands can be cut and pasted onto the device; the WLC configuration is only available as a list of commands and has no hierarchical equivalent to that of the EX Series or SRX Series. If you want to use the examples in this manual, you can cut and paste the set commands at the configuration prompt, or you can use the load merge or load merge relative command to add commands in their hierarchical format. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.
If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command. If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.
Merging a Full Example
To merge a full example, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your EX Series or SRX Series device. For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your EX Series or SRX Series device.
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:
[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete
Merging a Snippet
To merge a snippet, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform. For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.
commit {
    file ex-script-snippet.xsl;
}
2. Move to the hierarchy level that is relevant for this snippet by issuing the following load merge relative configuration mode command:
[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete
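The two formats described above (hierarchical text, as shown by show configuration, and set commands, as shown by show configuration | display set) and the full-example versus snippet distinction can be checked mechanically before anything is pasted onto a device. The following Python script is an added example written for this guide and is not Juniper code: it parses hierarchical Junos text into the equivalent set commands, reports whether the text is a full example or a snippet, and names the load command that applies. The list of top-level Junos hierarchies it uses to recognise a full example is an assumed subset, and the embedded sample configurations are the two from this section.

```python
"""Convert hierarchical Junos configuration text to set commands and decide
whether an example is a full example or a snippet (added example, not
Juniper code)."""
import re

# Top-level Junos configuration hierarchies. A file whose every top-level
# statement is one of these is a "full example" (use load merge); anything
# else is a snippet (use load merge relative). Assumed subset, sufficient for
# the examples in this guide.
TOP_LEVEL_HIERARCHIES = {
    "version", "groups", "apply-groups", "system", "chassis", "virtual-chassis",
    "interfaces", "vlans", "protocols", "routing-options", "policy-options",
    "firewall", "security", "snmp", "services", "ethernet-switching-options",
    "poe", "forwarding-options", "class-of-service",
}

# Tokens: braces, statement terminators, and bare words.
_TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")


def _strip_comments(text):
    """Drop /* */ annotations and # comments. Assumes '#', ';', '{' and '}'
    never occur inside quoted values."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"#[^\n]*", "", text)


def parse_hierarchical(text, base=""):
    """Parse hierarchical Junos text.

    base is the hierarchy level the text is relative to, e.g. "system scripts"
    for a snippet that will be loaded at [edit system scripts]; "" for a full
    example. Returns (set_commands, top_level_statement_names).
    Raises ValueError on unbalanced braces or an unterminated statement.
    """
    root_depth = 1 if base else 0
    stack = [base] if base else []   # enclosing container names
    words = []                       # tokens of the statement being read
    commands, top_level = [], []
    for tok in _TOKEN.findall(_strip_comments(text)):
        if tok == "{":
            if not words:
                raise ValueError("'{' without a container name")
            if len(stack) == root_depth:
                top_level.append(words[0])
            stack.append(" ".join(words))
            words = []
        elif tok == "}":
            if len(stack) <= root_depth:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif tok == ";":
            if not words:
                raise ValueError("empty statement before ';'")
            if len(stack) == root_depth:
                top_level.append(words[0])
            commands.append("set " + " ".join(stack + [" ".join(words)]))
            words = []
        else:
            words.append(tok)
    if words or len(stack) != root_depth:
        raise ValueError("unterminated statement or unclosed '{'")
    return commands, top_level


def recommended_load_command(text):
    """Return 'load merge' for a full example, 'load merge relative' for a snippet."""
    _, top_level = parse_hierarchical(text)
    if top_level and all(name in TOP_LEVEL_HIERARCHIES for name in top_level):
        return "load merge"
    return "load merge relative"


# The two examples from this section of the guide, embedded as sample input.
FULL_EXAMPLE = """
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
"""

SNIPPET = """
commit {
    file ex-script-snippet.xsl;
}
"""

if __name__ == "__main__":
    for label, text, base in (("full example", FULL_EXAMPLE, ""),
                              ("snippet", SNIPPET, "system scripts")):
        print(f"{label}: use '{recommended_load_command(text)}'")
        for cmd in parse_hierarchical(text, base)[0]:
            print("  " + cmd)
```

Passing base="system scripts" for the snippet reproduces what load merge relative does at the [edit system scripts] level: the resulting set commands carry the full hierarchy, which is a convenient way to review exactly what will be merged into the candidate configuration before you commit.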
Documentation Conventions
Table 1 on page 6 defines notice icons used in this guide.
Description
Indicates important features or instructions.
Caution
Warning
Laser warning
Table 2 on page 6 defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
Represents text that you type.
    Example: To enter configuration mode, type the configure command:
    user@host> configure
Introduces or emphasizes important new terms. Identifies book names. Identifies RFC and Internet draft titles.
    Examples: A policy term is a named structure that defines match conditions and actions. Junos OS System Basics Configuration Guide. RFC 1997, BGP Communities Attribute.
Represents variables (options for which you substitute a value) in commands or configuration statements.
    Example: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name
Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
    Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE.
Enclose optional keywords or variables.
Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
# (pound sign): Indicates a comment specified on the same line as the configuration statement to which it applies.
[ ] (square brackets): Enclose a variable for which you can substitute one or more values.
    Example: community name members [ community-ids ]
Identify a level in the configuration hierarchy.
    Example:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }
; (semicolon): Identifies a leaf statement at a configuration hierarchy level.
GUI conventions:
    Examples: In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:
Document or topic name
URL or page number
Software release version (if applicable)
Technical Support
Requesting Technical Support on page 8
Self-Help Online Tools and Resources on page 8
Opening a Case with JTAC on page 9
JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/.
JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Find CSC offerings: http://www.juniper.net/customers/support/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
CHAPTER 2
Understanding Validated Designs on page 11
Design Goals on page 12
Design Benefits on page 12
Who Should Read This Guide on page 12
How This Guide Is Organized on page 13
Horizontal Campus Topography on page 14
Juniper Networks Validated Design on page 15
Design Overview on page 16
Design Components on page 18
Design Goals
The validated design is created with the following design objectives:
the design. The examples must provide reference methodologies and configurations to enable rapid deployment of a resilient network infrastructure.
Flexible: Flexible design, adapted for modular expansion so that users can scale and
and so on).
Design Benefits
Some of the advantages of the validated design include:
Modular deployment. Each technology presented here can be deployed independently of the others
Efficient and cost-effective deployment using a standardized design methodology
Redundant infrastructure for wired, wireless, and Internet connectivity
Can be deployed by IT professionals with a moderate amount of technical experience
Easy to manage, with few logical devices and protocols to configure
Standardized methodology reduces deployment time
Reduced number of hardware and software platforms to learn, maintain, and spare
Highly available, redundant LAN and wireless access for all applications
Have a network that supports 1000 or fewer connected employees
Need wired and wireless access for their employees
Need a simple, resilient network infrastructure
Need a high-performance network that can be easily expanded and adapted to support new technologies
Are new to Juniper Networks products
Are system engineers who need a standardized process to design and deploy networks that comprise Juniper Networks LAN, WLAN, and security products.
LAN Infrastructure
The LAN section covers all of the base infrastructure requirements included in planning and deploying VLANs, subnets, and switching and routing protocols. The core LAN section covers:
Configuring resilience
Aggregating all networking components
Configuring user services
Deploying servers, WLAN, firewalls, and resilient connections to the access switching layer
Configuring trunks and VLANs
Configuring access switch-specific settings to provide redundant core connections
Configuring port security
Configuring wired and wireless connectivity for desktop services and mobile devices
WLAN Infrastructure
The section on wireless LAN (WLAN) explains how to configure and deploy redundant WLAN controllers to provide resilient wireless connectivity for enterprise and guest users. Enterprise and guest users are completely isolated from one another, allowing enterprise wireless users to have full access to the network and the Internet, whereas wireless guest users can access only the Internet. The WLAN section covers:
Clustering of wireless LAN controllers for redundancy and resilience
Configuring enterprise access using 802.1X
Configuring guest access using captive portal
Firewall
The section on firewalls covers configuring clustered firewalls to provide secure, redundant access to Internet-based services. It also details how to configure security policies for Internet and guest services. The Firewall section covers:
Clustering of SRX Series Services Gateways for redundancy and resilience
Configuring security zones and policies
Configuring two Internet/WAN connections in active/passive mode
Configuring guest security and services
The validated network uses the same architecture and network components as the horizontal topography reference on which it is based, and inherits all of the benefits of the design principles laid out in the horizontal topography. The benefits of the horizontal topography model include resiliency for the LAN/switching, wireless LAN, and security networking components. Using a two-tiered network design, commonly called a collapsed core, reduces network complexity. The Juniper Networks Virtual Chassis technology reduces the number of actively managed devices and removes the need to rely on legacy redundancy protocols such as spanning tree and VRRP. Virtual Chassis also provides the flexibility to grow the network incrementally on an as-needed basis without compromising performance or availability.
Architecture overview: This section explains the overall architecture and the networking components.
Configuration details: This section provides all of the exact configurations used. These can be cut and pasted for use in your own network.
This validated design verifies that the network components all work together as expected when configured together according to this guide. Testing was conducted on interoperability and high availability (HA) of the design. Scale testing was not emphasized, because the products' scale characteristics are well documented and, in the case of wireless, may require a site survey to size equipment properly.
Design Overview
At the heart of the network is the switching infrastructure, as shown in Figure 3 on page 16. Juniper Networks EX Series Ethernet Switches are used here because they provide many HA features found in chassis-based solutions, such as redundant routing engines, power, and blowers. In addition, up to 10 EX Series Ethernet Switches can be connected together with a high-speed 64-Gbps backplane or using 10-Gbps Ethernet ports, and be managed as a single switch. The flexibility of the EX Series provides an excellent way for users to easily expand network capacity one switch at a time, as needed. This validated network example uses only EX4500 and EX4200 switches, because they were generally available, mature products at the time these tests were done, and support the same Virtual Chassis technology.
The horizontal campus uses a collapsed core architecture, which reduces much of the management burden: there are fewer individual devices to manage, and most of the configuration is centralized in the core. Resiliency is not compromised by taking this approach, because the EX Series, using Virtual Chassis, provides box-level redundancy without the overhead of managing multiple devices and keeping their configurations in sync with every change made to the network.
The Juniper Networks wireless infrastructure utilizes a clustering technology that simplifies managing the entire wireless network by using a single seed cluster controller to configure and manage up to 32 wireless LAN controllers (WLCs). Clustering also dynamically load-balances access points (APs) across WLCs and automatically assigns primary and backup WLCs for each AP. In addition, clustering provides subsecond failover for wireless sessions in case of WLC failure. Juniper Networks SRX Series Services Gateways provide secure and highly available Internet access for the validated network. The SRX Series devices are clustered and configured as a single device, simplifying security management. The SRX Series cluster replicates session state so that active sessions can be preserved in case of failure. The SRX Series and EX Series share a common Junos OS operating system. Using a common operating system reduces the number of different interfaces that need to be managed, and simplifies many common operational tasks. Table 3 on page 17 lists the equipment and software that were used to verify this design and its included features. Future software releases should support all of the same functionality. Before deploying equipment and software in your specific environment, it is always recommended that you check the release notes for the specific version of software you intend to deploy.
Table 3: Equipment and Hardware Used for the Small Campus Validated Design
Hardware                  Software
EX4500-40F-FB-C           11.4r1.6
EX4200-24PX               11.4r1.6
EX-UM-2X4SFP              n/a
SRX650-BASE-SRE6-645AP    11.4r1.6
SRX-GP-16GE               n/a
WLC8R*                    7.6.1.3.0
WLA522                    n/a
* The WLC8R was sufficient for our validation testing, but it only supports 12 access points. When planning for your wireless equipment needs, you need to determine the maximum number of access points you require, and then size your wireless LAN controller to that number. As a rule of thumb, one access point per 10-15 users is a good starting point for estimating your wireless needs. For example, a small campus that has 1000 users would typically require 75 to 100 access points for wireless coverage, and need a pair of WLC800s or WLC880s to support that number of access points.
Design Components
The network detailed in this document is divided into three separate components or modules: LAN or switching infrastructure, wireless, and security. These sections highlight the design choices and main features implemented for each of these components. Although each section can stand on its own, the sections are presented in the logical sequence in which the network would be deployed.
Wired LAN Overview on page 18
Wireless LAN Overview on page 19
SRX Series Services Gateway Overview on page 21
Virtual Chassis For Collapsed Backbone Design on page 24
Subnets and VLANs on page 26
NOTE: The different Virtual Chassis in this network are highlighted in blue.
The core network provides high-density 10-Gigabit Ethernet and 1-Gigabit Ethernet connectivity by combining both EX4500 and EX4200 switches together in a single Virtual Chassis. This provides the core connectivity and routing for the network, and acts as the Layer 2 and Layer 3 boundary for the access switches. The access layer uses EX4200 switches providing Power over Ethernet (PoE) and Layer 2 connectivity back to the core, using two 10-Gigabit Ethernet ports configured for Ethernet link aggregation (LAG). Each access switch is connected back to the core on different line cards, providing protection in case a single device fails on either end. The first floor of the building operates as a single Virtual Chassis. The two closets are connected using 10-Gigabit Ethernet ports that are configured to act as Virtual Chassis Extended ports. The second floor closets do not have available fiber to connect the Virtual Chassis together, so each closet has its own Virtual Chassis.
On the validated network, guest users are placed on the guest VLAN and can access the Internet, whereas corporate users are placed on the Wireless_Data VLAN and have access to the intranet and the Internet. The WLCs can be configured in clusters of up to 32 WLCs. The validated design uses a two-WLC cluster, as shown in Figure 6 on page 21. The primary WLC (also known as the primary seed controller) is in charge of configuration management for all WLCs and APs and acts as a central configuration point for all wireless LAN changes. The primary WLC also configures and load-balances the APs across the WLCs to distribute the wireless traffic load. Access points form connections with two separate WLCs: one connection is active, and the other connection acts as a backup. If the connection to the active WLC is interrupted (WLC failure), the backup connection takes over immediately, preserving all existing wireless sessions so that users are not affected.
The configuration examples in this document use local authentication for the WLAN authorization. This is to provide a simple way to verify WLAN functionality. In a production environment, local authentication is generally used only for testing or as a last resort authentication method. Use of a RADIUS server for authentication is highly recommended.
Figure 7 on page 21 illustrates the logical zones that are defined for the validated design. The smaller text inside each zone bubble is a list of the VLANs contained in each of these zones. In the figure, to provide a clearer logical view, the Guest Zone is set apart from the EX Series Switches because the EX Series Switches only provide Layer 2 connectivity for these zones. The Guest VLANs use the SRX Series Services Gateway as their default gateway to obtain IP addresses using DHCP. The Internet Edge zone is where most of the validated network VLANs reside. Each of these VLANs uses the EX Series core switch as its gateway. The Internet_Edge VLAN
21
listed in this zone network is where the EX Series forwards any traffic requests intended for the Internet to the SRX Series. The Management Zone is the Management VLAN and is kept separate by specifying security policies on the SRX Series from the other networks because this is used for management of network devices. The Untrust Zone is where the SRX Series connects to the Internet and NAT takes place. This zone is highly restrictive about what traffic is allowed to come from the Internet.
In the examples illustrated in Figure 8 on page 23, no session is reset in the case of local link failure since there is no change in the source address for the sessions, because they continue to use the same service provider. In the examples illustrated in Figure 9 on page 24, where the source address for SRX650-1 or service provider 1 is lost completely, traffic switches to service provider 2. When this occurs, the source IP address for the traffic changes, resulting in existing sessions being reset due to the change in source address.
The core and distribution layer is commonly configured as the Layer 2 and Layer 3 boundary. The simplest of these designs uses access switches that are configured as Layer 2 devices and requires very little configuration. Reusing the same VLAN and other settings allows for simple replication across multiple switches and closets. This reuse significantly reduces the time it takes to deploy the network, and keeps things simple at the access layer. The drawbacks with this design are that it often creates loops, and is very inefficient from a bandwidth perspective, because only half of the links can forward traffic. Although Spanning Tree Protocol (STP) is used to manage redundancy, it has slow convergence times, and in case of a faulty configuration, STP may take down part of the network and can be difficult to troubleshoot. A design using VRRP or HSRP removes the loops and can help provide better link utilization. This design removes STP from the design and has improved reliability and failover, but can get complicated quickly by manually load-balancing per-VLAN or subnet traffic across the switches. This approach requires more configuration per switch for both access layer and distribution layer devices. More VLAN, interface, protocol, and switch configurations at the core and distribution layer must be manually kept in sync. Layer 3 at the access layer eliminates loops and provides load balancing. This could, however, translate into additional license fees, and additional, redundant hardware, thereby increasing the cost of the solution. Using VRRP or HSRP is also the most configuration-intensive approach, because it increases the number of devices that must be managed at the access layer, and introduces routing protocols as another layer. This also means that each switch configuration would have many unique items, resulting in increased overall deployment complexity and management overhead.
A Virtual Chassis allows multiple Juniper Networks EX Series Ethernet Switches to act as a single device. This means that box-level redundancy can be achieved without creating loops in the network, or requiring additional protocols or tedious configuration management between devices. All of the links can be fully utilized, which reduces the costs associated with bandwidth upgrades and provides improved resiliency and performance. In Figure 11 on page 26 the highlighted chassis represent Virtual Chassis (a single logical unit made up of two or more EX Series Switches). In the core/distribution picture, access switches are connected using link aggregation group (LAG) uplinks to the core/distribution Virtual Chassis; the LAG members terminate on separate member switches, providing device-level redundancy without the usual complexity. By taking this even further and using a Virtual Chassis in both the core and access layers, we can further simplify the network by reducing the number of actively managed devices.
NOTE: A Virtual Chassis is unique in its ability to span distances of up to 40 km between devices. This means that multiple wiring closets in the same or even different buildings can be easily combined to reduce the total number of managed devices.
We also recommend leaving some room between VLANs to allow for possible future expansion, while maintaining a consistent range of VLANs for specific functions.
VLANs 10-17 are dedicated to wired voice and data. In our validated design, we use only four VLANs for wired data and voice, leaving plenty of room for future expansion. VLANs 18-21 are dedicated to corporate wireless access. This design uses only VLAN 18. VLANs 22-29 are dedicated to network infrastructure. This example allocates only three VLANs: Management, Servers, and Internet Edge.
The Management VLAN is used to manage all of the network devices such as switches and routers. In the validated network, this is also where the wireless APs reside. The Servers VLAN is where network servers and services are connected to the network (DHCP, file services, and so on). The Internet Edge VLAN is where the EX Series Ethernet Switch connects to the SRX Series Services Gateway and further out to the Internet. This is where the majority of security policies on the SRX Series are enforced.
VLANs 30-32 are used for guest wired and wireless access.
The guest VLANs connect directly to the SRX Series Services Gateway. The core EX Series switch does not have any Layer 3 interfaces on these VLANs; it acts only as a Layer 2 switch for them.
The validated network uses private addressing, which enables flexible IP address allocation. In this design, all of the networks use a 24-bit subnet mask, but larger subnet masks can be used if desired to further simplify configuration by reducing the number of subnets required, and allowing more hosts to participate in each subnet. You should also reserve some addresses on each subnet for networking devices. This is typically the first few or last few addresses in a subnet. In this design, we reserve the first 10 IP addresses of the subnet for network devices and the last IP address (.254) for the SRX Series interface if it resides on a subnet (See Table 4 on page 27).
Table 4

Purpose/VLAN Name    Subnet
Data_Wired_1         10.10.10.0/24
Data_Wired_2         10.10.12.0/24
VOIP_Wired_1         10.10.14.0/24
VOIP_Wired_2         10.10.16.0/24
Data_Wireless_1      10.10.18.0/24
Internet_Edge        10.10.22.0/24
Servers              10.10.24.0/24
Management           10.10.28.0/24
Guest_Wired          10.10.30.0/24
Guest_Wireless       10.10.32.0/24
Figure 12: VLANs configured on each device (reconstructed from the extracted figure, the trunk configurations in this chapter, and the description that follows)

ID  Subnet          EX4542-vc1  EX4200-vc1  EX4200-vc2  EX4200-vc3  WLC  AP  SRX
10  10.10.10.0/24   X           X
12  10.10.12.0/24   X                       X           X
14  10.10.14.0/24   X           X
16  10.10.16.0/24   X                       X           X
18  10.10.18.0/24   X                                               X
22  10.10.22.0/24   X                                                        X
24  10.10.24.0/24   X
28  10.10.28.0/24   X           X           X           X           X    X   X
30  10.10.30.0/24   X           X           X           X                    X
32  10.10.32.0/24   X                                               X        X
NOTE: EX4542-vc1 is .1 on all subnets except the guest networks, on which it acts only as a Layer 2 switch and the SRX Series handles all routing functions. SRX Series Services Gateways use address .254 on all subnets to which they are connected.
Figure 12 on page 28 maps the VLANs that are configured on each device in the network. The core switch is configured to support all VLANs. Each of the access switches is configured with the Management and Guest VLANs. In addition, Data_Wired_1 and VOIP_Wired_1 are configured on access switches supporting the first floor, and Data_Wired_2 and VOIP_Wired_2 are configured on access switches supporting the second floor. The wireless access points are on the Management VLAN and communicate with the wireless LAN controllers on the same subnet. Wireless traffic from the APs is placed in its proper VLAN once it has been received by the WLC. The WLCs each have trunk ports configured, and are configured on the following VLANs: Data_Wireless_1, Management, and Guest_Wireless. The SRX Series Services Gateways are clustered, and each has a trunk port configured for the following VLANs: Internet_Edge, Management, Guest_Wired, and Guest_Wireless.
PART 2
Network Deployment
Wired LAN Deployment on page 33
Wireless Deployment on page 67
SRX Deployment on page 77
CHAPTER 3
Configuring the Core Switch on page 33
Configuring the Access Switch on page 45
1. Procedure Overview on page 34
2. Configuring Global Settings for the Core Switch on page 35
3. Configuring a Virtual Chassis for the Core Switch on page 36
4. Configuring Layer 2 Settings for the Core Switch on page 38
5. Configuring Power over Ethernet (optional) on page 44
6. Configuring Layer 3 Settings for the Core Switch on page 44
Procedure Overview
1.
Identify the type of Virtual Chassis
Pre-provision the Virtual Chassis
Perform the Virtual Chassis type-specific configuration
Perform the Virtual Chassis standard configuration
Unpack and boot up the core switch, and then configure global settings.
2. Connect to the Console port of the EX4200 switch (setting: 9600, 8, 1, none).
You should now be at the # prompt and ready to start configuring the switch.
5. Configure the password.
root# set system root-authentication plain-text-password
New password: *******
Retype new password: *******
{master:0}[edit]
root#
6. Configure the time zone.
NOTE: This optional item is only recommended if you plan on having a separate out-of-band network just for managing devices. If you are unsure, you can always add this item later. For more information on the VME interface, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.
root@EX4542-vc1# set system services web-management https system-generated-certificate
set system services ssh
delete system services web-management http
delete system services telnet
10. Configure DNS.
Identify the Virtual Chassis type. In the case of the validated network, the core switch is a mixed mode Virtual Chassis (both EX4500 and EX4200 switches in the same Virtual Chassis). For more information about Virtual Chassis, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.
The recommended setup process for a Virtual Chassis is called pre-provisioning, which is the process we will use here. To pre-provision a Virtual Chassis, you need to identify the serial numbers of each device that will be part of the Virtual Chassis, the device function, and the order in which you want each switch to be placed. Here we have configured the EX4500 switches to be in slot 0 and slot 1, and to act as the Routing Engines. The EX4200 switches are in slot 2 and slot 3, and configured as line cards. Later, when all the switches are connected and powered up, they will automatically be assigned the proper function and slot. Make sure you pay attention to the serial numbers and ordering of each switch when you connect them together later. By default, EX Series Switches automatically form a Virtual Chassis, but the ordering is nondeterministic, so the switches may not be numbered sequentially, which makes things confusing. For more information about Virtual Chassis, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.
root@EX4542-vc1# set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number GX0211411253
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number GX0211411250
set virtual-chassis member 2 role line-card
set virtual-chassis member 2 serial-number FP0211333181
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333260
NOTE: Because this is a mixed mode chassis, we need to configure it to accept a mix of EX4500 and EX4200 devices in the same Virtual Chassis. Exit configuration mode by typing exit at the # prompt. The next command is an operational command.
root@EX4542-vc1> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: 8c7a.9353.df56
Virtual Chassis Mode: Mixed
                                                Mstr           Mixed Neighbor List
Member ID  Status   Serial No    Model          prio  Role      Mode  ID  Interface
0 (FPC 0)  Prsnt    GX0211411253 ex4500-40f     129   Master*   Y
Using the VCP ports at the back of the units, cable the remaining members together in a daisy-chained configuration. When all of the units are cabled properly, power them up. Remember to pay attention to the serial number of each switch when connecting them together to ensure they are in the right position.
b. After the switches finish booting up, verify that all of the members of the Virtual
root@EX4542-vc1# set system commit synchronize
set ethernet-switching-options nonstop-bridging
set chassis redundancy graceful-switchover
5. Configure default settings.
The following items should be enabled by default in the configuration. You may wish to review them and verify that these settings are appropriate for your specific network.
root@EX4542-vc1# set protocols igmp-snooping vlan all
set protocols rstp
set protocols lldp interface all
set protocols lldp-med interface all
set poe interface all
set ethernet-switching-options storm-control interface all
NOTE: We enable Spanning Tree Protocol to prevent loops from forming in the network, even though we do not use it as a topology protocol. As an extra precaution, we set the bridge priority on the core switch to 8192, so that it is the default root bridge in the event another bridging device is connected to the network for some reason. Juniper Networks EX Series Switches run RSTP by default.
NOTE: We configure all of the inter-VLAN routing on the core switch, except for our guest VLANs. This makes it easier to simultaneously configure the VLANs and IP interfaces for those VLANs. When creating VLAN names, it is important to note that these names are case sensitive. The first command creates the VLAN Data_Wired_1 with a VLAN ID of 10 and then assigns a Layer 3 interface called vlan.10 to that VLAN. The second line creates the vlan.10 interface and assigns an IP address.
root@EX4542-vc1# set vlans Data_Wired_1 vlan-id 10 l3-interface vlan.10
set interfaces vlan unit 10 family inet address 10.10.10.1/24
You may notice that the VLAN ID and the interface VLAN unit number match (both are number 10). This is not mandatory, but it is a recommended practice, because it keeps things easier to understand later, when you have many VLANs and interfaces to track.
We also used a compound command for the first line. We created the VLAN, assigned the VLAN ID, and assigned a Layer 3 interface all at the same time. This can save you some time but does not have to be done in a single statement. When you look at the configuration, you will notice that this is separated into two disparate statements.
NOTE: When you issue a large number of commands at once, we recommend that you issue a commit command to verify that the commands take effect with no configuration errors. Alternatively, you can do a commit check instead, which verifies the configuration without making it active.
The complete set of VLAN and Layer 3 interface statements for the core switch in the validated network example follows. We have also added the guest VLANs here, but we have not assigned any Layer 3 interfaces to these VLANs, because routing for the VLANs will be done using the SRX Series firewall.
VLAN Configurations
root@EX4542-vc1# set vlans Data_Wired_1 vlan-id 10
set vlans Data_Wired_1 l3-interface vlan.10
set vlans Data_Wired_2 vlan-id 12
set vlans Data_Wired_2 l3-interface vlan.12
set vlans Data_Wireless_1 vlan-id 18
set vlans Data_Wireless_1 l3-interface vlan.18
set vlans Guest_Wired vlan-id 30
set vlans Guest_Wireless vlan-id 32
set vlans Internet_Edge vlan-id 22
set vlans Internet_Edge l3-interface vlan.22
set vlans Management vlan-id 28
set vlans Management l3-interface vlan.28
set vlans Servers vlan-id 24
set vlans Servers l3-interface vlan.24
set vlans VOIP_Wired_1 vlan-id 14
set vlans VOIP_Wired_1 l3-interface vlan.14
set vlans VOIP_Wired_2 vlan-id 16
set vlans VOIP_Wired_2 l3-interface vlan.16
Interface Configurations
root@EX4542-vc1# set interfaces vlan unit 10 family inet address 10.10.10.1/24
set interfaces vlan unit 12 family inet address 10.10.12.1/24
set interfaces vlan unit 14 family inet address 10.10.14.1/24
set interfaces vlan unit 16 family inet address 10.10.16.1/24
set interfaces vlan unit 18 family inet address 10.10.18.1/24
set interfaces vlan unit 20 family inet address 10.10.20.1/24
set interfaces vlan unit 22 family inet address 10.10.22.1/24
set interfaces vlan unit 24 family inet address 10.10.24.1/24
set interfaces vlan unit 28 family inet address 10.10.28.1/24
3. Configure LAG (aggregated Ethernet) ports.
In the validated network configuration, the only LAG ports configured will be used to connect to access switches. This means that we need to configure three of these on the core switch. Junos OS requires that you configure the number of LAG interfaces you want to use before you begin configuring the interfaces. We suggest picking a number slightly larger than you might need, in case you need to add more LAG interfaces later. You can change this value in the future. We need three aggregated Ethernet ports for the validated network example, so we will configure the core chassis with four, in case we add another access switch.
root@EX4542-vc1# set chassis aggregated-devices ethernet device-count 4
To provide the highest level of resilience, you need to configure the LAG to span multiple EX Series Switches. In the validated network example, we use xe-0/0/0 through xe-0/0/2 and xe-1/0/0 through xe-1/0/2 for the LAG connections to the access switches. We need to assign the LAG ports in matching pairs (For example, xe-0/0/0 and xe-1/0/0) between the EX4500 switches so that they will be part of the same LAG interface. This provides link-level and hardware-level redundancy and provides consistency, making things easier to remember.
a. First, we need to remove any port-specific configuration on the physical ports that we want to aggregate. Interfaces have unit 0 defined by default, but this is not allowed on an interface that is part of an aggregated interface, because it would conflict with unit 0 on the logical aggregated interface.
root@EX4542-vc1# delete interfaces xe-0/0/0 unit 0
delete interfaces xe-1/0/0 unit 0
delete interfaces xe-0/0/1 unit 0
delete interfaces xe-1/0/1 unit 0
delete interfaces xe-0/0/2 unit 0
delete interfaces xe-1/0/2 unit 0
b. Then we configure the interfaces to be part of the respective aggregated interfaces.
root@EX4542-vc1# set interfaces xe-0/0/0 ether-options 802.3ad ae0
set interfaces xe-1/0/0 ether-options 802.3ad ae0
set interfaces xe-0/0/1 ether-options 802.3ad ae1
set interfaces xe-1/0/1 ether-options 802.3ad ae1
set interfaces xe-0/0/2 ether-options 802.3ad ae2
set interfaces xe-1/0/2 ether-options 802.3ad ae2
c. Next we want to add LACP to each LAG interface to provide some health checking.
NOTE: You need to configure LACP on the interfaces at both ends for the LAG port to become active.
root@EX4542-vc1# set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic slow
set interfaces ae2 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp periodic slow
Because we are not using STP, we can disable it on the LAG ports going to our access switches. This also reduces potential convergence times in case a LAG member fails, because fewer protocols need to converge.
NOTE: All access switches have RSTP enabled locally to prevent looping.
root@EX4542-vc1# set protocols rstp interface ae0.0 disable
set protocols rstp interface ae1.0 disable
set protocols rstp interface ae2.0 disable
5. Configure trunk and VLAN settings.
We need to configure the LAG ports as trunks and add the VLANs that will be supported on the individual access switches.
root@EX4542-vc1# set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
set interfaces ae2 unit 0 family ethernet-switching port-mode trunk
You can configure the VLANs directly as part of the port configuration, or you can configure the ports included in a VLAN under the VLAN configuration. Each approach has different advantages and disadvantages.
Generally, it makes sense to configure access ports (client-facing) under the VLAN configuration and to configure VLANs directly on the port for trunk ports. Do not configure the VLAN mapping in both places, because that can result in errors during the configuration commit operation. As discussed previously, we configure the VLANs that a trunk port carries directly in the interface configuration section. This makes it easier to tell which VLANs a specific trunk is part of when viewing the configuration. When you add VLANs directly to a trunk port, you have the option of adding them by VLAN ID or by VLAN name. In this example, we add them by VLAN name, because this makes the overall configuration more readable. When adding several VLANs to a trunk, you can either specify them one at a time or specify several VLANs at the same time by enclosing them in [ ] brackets and separating them with spaces.
a. The VLAN configuration for ae0, which connects to EX4200-vc1. In the validated network, EX4200-vc1 has four EX4200s that cover the first floor using the extended Virtual Chassis feature. This floor uses Data_Wired_1 and VOIP_Wired_1 for data and voice and is part of the Management VLAN for access points and switch management. If guests require wired access, the Guest_Wired VLAN is also configured on this trunk.
root@EX4542-vc1# set interfaces ae0 unit 0 family ethernet-switching vlan members [Data_Wired_1 VOIP_Wired_1 Management Guest_Wired]
b. The VLAN configuration for ae1 and ae2, which connect to EX4200-vc2 and EX4200-vc3. These two switches handle the second floor and use the Data_Wired_2 and VOIP_Wired_2 VLANs for data and voice, and are part of the Management VLAN for access points and switch management. If guests require wired access, the Guest_Wired VLAN is also configured on these trunks.
root@EX4542-vc1# set interfaces ae1 unit 0 family ethernet-switching vlan members [Data_Wired_2 VOIP_Wired_2 Management Guest_Wired]
set interfaces ae2 unit 0 family ethernet-switching vlan members [Data_Wired_2 VOIP_Wired_2 Management Guest_Wired]
7. Configure dual-homed or other network device connections
Configuring connections for other network equipment that is dual homed but does not use LAG connections typically involves connecting to the core with trunk ports. In the validated network, the SRX Series and the wireless LAN controllers both use clustering technologies to provide high availability and, in this case, are not configured with LAG connections to the core. Each of these devices requires two identical port configurations on separate EX Series Switches to provide link-level and box-level redundancy.
8. Configure wireless LAN controllers
Connect wireless LAN controllers (WLCs) to ports ge-2/0/1 and ge-3/0/1 and add them to the following VLANs: Data_Wireless_1, Management, and Guest_Wireless.
root@EX4542-vc1# set interfaces ge-2/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members [Data_Wireless_1 Management Guest_Wireless]
set interfaces ge-3/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members [Data_Wireless_1 Management Guest_Wireless]
9. Configure SRX firewalls.
Connect the SRX firewalls to ports ge-2/0/47 and ge-3/0/47 and make them part of the following VLANs: Internet_Edge, Management, Guest_Wired and Guest_Wireless.
root@EX4542-vc1# set interfaces ge-2/0/47 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-2/0/47 unit 0 family ethernet-switching vlan members [Internet_Edge Management Guest_Wired Guest_Wireless]
set interfaces ge-3/0/47 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-3/0/47 unit 0 family ethernet-switching vlan members [Internet_Edge Management Guest_Wired Guest_Wireless]
Server ports are typically configured as access ports that have a single VLAN. In the validated network example, we have a VLAN called Servers where servers would typically reside. To configure a server port that is part of a single VLAN, it must first be configured as an access port.
a. Set port ge-2/0/5 into access mode:
configuration instead of the port configuration, but either can be used. In this case we need to assign the server port to the VLAN Servers.
root@EX4542-vc1# set vlans Servers interface ge-2/0/5.0
In some cases, it may make more sense to assign the VLAN directly in the port configuration because servers are different from a standard network host.
11. Enable BPDU-Block for server interfaces.
Because we do not expect to connect any bridges to the network, the bpdu-block command protects the network should anyone connect a bridge to the core switch: it shuts down any port on which BPDUs are received. This maintains network stability if someone connects an unauthorized bridge to the network.
root@EX4542-vc1# set ethernet-switching-options bpdu-block interface ge-2/0/5
If interfaces become blocked, you need to clear them manually. The following commands can be used to clear a blocked port condition:
Many servers reside on more than one VLAN and require a trunk port. In this case, configure the port for trunking and assign the VLANs it should belong to directly in the port configuration like we did for the LAG ports. Below is an example of an interface configured as a trunk that belongs to the VLANs Servers and Management.
root@EX4542-vc1# set interfaces <interface> unit 0 family ethernet-switching port-mode trunk
set interfaces <interface> unit 0 family ethernet-switching vlan members [Servers Management]
13. Configure secure access port features
Most ports on the core switch do not need any secure access port features enabled, because these may be more work than they are worth. The reason is that statically assigned IP addresses are typically used for servers and other networking devices, and each of these would require manually entered exceptions in order to work if these features are enabled. There are some VLANs on the core switch, however, on which we recommend enabling these features: Data_Wireless_1, Guest_Wireless and Guest_Wired are all client-facing VLANs that are configured on the core.
root@EX4542-vc1# set ethernet-switching-options secure-access-port vlan Data_Wireless_1 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wireless arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wireless examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wireless ip-source-guard
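To show what these three statements buy on a client-facing VLAN, the following Python model is an added example, not part of this guide or the switch software: it is a simplified model of how examine-dhcp (DHCP snooping), arp-inspection and ip-source-guard work from one binding table. The packets, the port names (ge-0/0/5 and ge-0/0/7 as client ports, ae0.0 as the trusted uplink) and the addresses are constructed.

```python
"""Simplified model of the secure-access-port features (added example, not
part of the design guide and not Junos code).

examine-dhcp    learns IP/MAC/VLAN/port bindings by watching DHCP exchanges,
                accepting server replies only on trusted (uplink) ports
arp-inspection  checks ARP on untrusted ports against those bindings
ip-source-guard checks the source IP/MAC of IP packets on untrusted ports
                against the binding learned on that same port
All packets below are constructed dicts, not captured traffic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: str
    port: str


class SecureAccessPort:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # e.g. the uplink toward the DHCP server
        self.pending = {}                  # (vlan, client MAC) -> ingress port of request
        self.bindings = {}                 # (vlan, ip) -> Binding

    def see_dhcp_request(self, pkt):
        """Client DISCOVER/REQUEST on an untrusted port: remember its ingress port."""
        if pkt["port"] not in self.trusted:
            self.pending[(pkt["vlan"], pkt["chaddr"])] = pkt["port"]

    def learn_dhcp_ack(self, pkt):
        """examine-dhcp: a server ACK is accepted only from a trusted port and only
        for a client whose request was seen; returns True if a binding was added."""
        if pkt["port"] not in self.trusted:
            return False  # server reply arriving on a client port: dropped
        port = self.pending.pop((pkt["vlan"], pkt["chaddr"]), None)
        if port is None:
            return False  # no matching client request
        self.bindings[(pkt["vlan"], pkt["yiaddr"])] = Binding(
            pkt["yiaddr"], pkt["chaddr"], pkt["vlan"], port)
        return True

    def _matches_binding(self, vlan, ip, mac, port):
        b = self.bindings.get((vlan, ip))
        return b is not None and b.mac == mac and b.port == port

    def arp_inspection(self, pkt):
        """arp-inspection: ARP from an untrusted port passes only if the sender
        IP/MAC pair is bound to that port in this VLAN."""
        if pkt["port"] in self.trusted:
            return True
        return self._matches_binding(pkt["vlan"], pkt["sender_ip"],
                                     pkt["sender_mac"], pkt["port"])

    def ip_source_guard(self, pkt):
        """ip-source-guard: IP traffic from an untrusted port passes only if its
        source IP/MAC is the binding learned on that port."""
        if pkt["port"] in self.trusted:
            return True
        return self._matches_binding(pkt["vlan"], pkt["src_ip"],
                                     pkt["src_mac"], pkt["port"])


def run_scenario():
    """Walk one guest client through the checks; returns the verdicts."""
    sw = SecureAccessPort(trusted_ports={"ae0.0"})  # constructed: uplink to the core
    vlan, client_mac = "Guest_Wired", "00:11:22:33:44:55"
    sw.see_dhcp_request({"vlan": vlan, "port": "ge-0/0/5", "chaddr": client_mac})
    learned = sw.learn_dhcp_ack({"vlan": vlan, "port": "ae0.0",
                                 "chaddr": client_mac, "yiaddr": "10.10.30.20"})
    rogue = sw.learn_dhcp_ack({"vlan": vlan, "port": "ge-0/0/7",
                               "chaddr": client_mac, "yiaddr": "10.10.30.99"})
    return {
        "ack_learned": learned,
        "rogue_server_ack_dropped": not rogue,
        # ARP from the client with its own leased address is allowed
        "arp_own_address": sw.arp_inspection({
            "vlan": vlan, "port": "ge-0/0/5",
            "sender_ip": "10.10.30.20", "sender_mac": client_mac}),
        # ARP claiming the SRX gateway address (.254) from another port has no binding
        "arp_claiming_gateway": sw.arp_inspection({
            "vlan": vlan, "port": "ge-0/0/7",
            "sender_ip": "10.10.30.254", "sender_mac": "66:77:88:99:aa:bb"}),
        "ip_own_address": sw.ip_source_guard({
            "vlan": vlan, "port": "ge-0/0/5",
            "src_ip": "10.10.30.20", "src_mac": client_mac}),
        # same IP/MAC but from a different port: the binding is tied to ge-0/0/5
        "ip_reused_from_other_port": sw.ip_source_guard({
            "vlan": vlan, "port": "ge-0/0/7",
            "src_ip": "10.10.30.20", "src_mac": client_mac}),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```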
Configure DHCP

The validated network example uses DHCP forwarding and a central DHCP server for all IP address allocation, except the Guest_Wireless and Guest_Wired VLANs, which are allocated IP addresses directly from the SRX Series Gateways to keep them isolated from the rest of the network. DHCP services can be set up directly on the EX Series Switches if desired (See Appendix C). DHCP forwarding is essentially a broadcast forwarding system for DHCP requests that allows users to consolidate their DHCP services in a centralized location instead of having a DHCP server for every subnet. The following configuration enables DHCP forwarding on the VLAN interfaces listed, and forwards DHCP requests to the DHCP server 10.10.24.100.
root@EX4542-vc1# set forwarding-options helpers bootp description DHCP-SERVER
set forwarding-options helpers bootp server 10.10.24.100
set forwarding-options helpers bootp interface vlan.24
set forwarding-options helpers bootp interface vlan.10
set forwarding-options helpers bootp interface vlan.12
set forwarding-options helpers bootp interface vlan.14
set forwarding-options helpers bootp interface vlan.16
set forwarding-options helpers bootp interface vlan.18
set forwarding-options helpers bootp interface vlan.20
set forwarding-options helpers bootp interface vlan.26
set forwarding-options helpers bootp interface vlan.28
3. Configure OSPF.
We need to configure a single OSPF area that will be the backbone area 0.0.0.0 and add the interfaces/subnets we wish to advertise to the SRX Series Gateway.
NOTE: The subnet is all that is required to add the interface to the area. Mask information will be automatically imported into OSPF and redistributed.
root@EX4542-vc1# set protocols ospf area 0.0.0.0 interface vlan.22
set protocols ospf area 0.0.0.0 interface vlan.10
set protocols ospf area 0.0.0.0 interface vlan.12
set protocols ospf area 0.0.0.0 interface vlan.14
set protocols ospf area 0.0.0.0 interface vlan.16
set protocols ospf area 0.0.0.0 interface vlan.18
set protocols ospf area 0.0.0.0 interface vlan.20
set protocols ospf area 0.0.0.0 interface vlan.24
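Because the VLAN definitions, the Layer 3 interface addresses, the DHCP helper interface list and the OSPF interface list are entered as separate groups of statements, references between them can drift: a vlan.N under the DHCP helper or OSPF that no VLAN uses as its l3-interface, a unit number that does not match its vlan-id, or a trunk member name that is not defined. The following Python script is an added example, not part of this guide or of Junos OS: it reads set statements as text and reports such inconsistencies. The sample configuration embedded in it is constructed and deliberately contains several.

```python
"""Consistency checks for Junos-style VLAN, Layer 3 interface, DHCP helper
and OSPF 'set' statements (added example; not part of the design guide).

Findings reported:
  * a VLAN whose vlan-id differs from its l3-interface unit number
    (the guide's recommended practice, not a Junos requirement)
  * an l3-interface vlan.N with no 'family inet address' on unit N
  * a vlan.N listed under the DHCP helper or OSPF that is not the
    l3-interface of any defined VLAN
  * a trunk 'vlan members' name that no 'set vlans' statement defines
"""
import re
from collections import defaultdict

# Constructed sample in the guide's style, with deliberate inconsistencies.
SAMPLE_CONFIG = """
set vlans Data_Wired_1 vlan-id 10 l3-interface vlan.10
set vlans Servers vlan-id 24
set vlans Servers l3-interface vlan.24
set vlans Management vlan-id 28
set vlans Management l3-interface vlan.29
set vlans Guest_Wired vlan-id 30
set interfaces vlan unit 10 family inet address 10.10.10.1/24
set interfaces vlan unit 24 family inet address 10.10.24.1/24
set interfaces vlan unit 29 family inet address 10.10.28.1/24
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [Data_Wired_1 Management Guest_Wired Guest_Wireless]
set forwarding-options helpers bootp server 10.10.24.100
set forwarding-options helpers bootp interface vlan.10
set forwarding-options helpers bootp interface vlan.20
set protocols ospf area 0.0.0.0 interface vlan.24
set protocols ospf area 0.0.0.0 interface vlan.20
"""


def parse_set_statements(config_text):
    """Collect the pieces of the configuration the checks need."""
    state = {
        "vlan_id": {},                # VLAN name -> vlan-id
        "l3_unit": {},                # VLAN name -> l3-interface unit number
        "addr": {},                   # unit number -> inet address
        "members": defaultdict(set),  # trunk interface -> VLAN names
        "dhcp": set(),                # units referenced by the bootp helper
        "ospf": set(),                # units referenced by OSPF
    }
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        m = re.match(r"set vlans (\S+)", line)
        if m:  # vlan-id and l3-interface may share one compound line or use two
            name = m.group(1)
            vid = re.search(r"\bvlan-id (\d+)", line)
            if vid:
                state["vlan_id"][name] = int(vid.group(1))
            l3 = re.search(r"\bl3-interface vlan\.(\d+)", line)
            if l3:
                state["l3_unit"][name] = int(l3.group(1))
            continue
        m = re.match(r"set interfaces vlan unit (\d+) family inet address (\S+)", line)
        if m:
            state["addr"][int(m.group(1))] = m.group(2)
            continue
        m = re.match(r"set interfaces (\S+) unit \d+ family ethernet-switching "
                     r"vlan members (.+)", line)
        if m:  # either a single name or a space-separated list inside [ ]
            state["members"][m.group(1)].update(m.group(2).strip("[]").split())
            continue
        m = re.search(r"helpers bootp interface vlan\.(\d+)", line)
        if m:
            state["dhcp"].add(int(m.group(1)))
            continue
        m = re.search(r"protocols ospf area \S+ interface vlan\.(\d+)", line)
        if m:
            state["ospf"].add(int(m.group(1)))
    return state


def check_config(config_text):
    """Return a sorted list of human-readable findings (empty if consistent)."""
    s = parse_set_statements(config_text)
    findings = []
    for name, unit in s["l3_unit"].items():
        vid = s["vlan_id"].get(name)
        if vid is not None and vid != unit:
            findings.append(f"{name}: vlan-id {vid} but l3-interface vlan.{unit}")
        if unit not in s["addr"]:
            findings.append(f"{name}: l3-interface vlan.{unit} has no inet address")
    routed_units = set(s["l3_unit"].values())
    for proto, refs in (("DHCP helper", s["dhcp"]), ("OSPF", s["ospf"])):
        for unit in refs - routed_units:
            findings.append(f"{proto}: vlan.{unit} is not the l3-interface of any VLAN")
    for iface, names in s["members"].items():
        for name in names - set(s["vlan_id"]):
            findings.append(f"{iface}: trunk member {name} is not a defined VLAN")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no inconsistencies found"]:
        print(finding)
```

The same script can be pointed at the full set of statements from this chapter (for example the output of show configuration | display set) to confirm that every unit the DHCP helper and OSPF reference is actually defined and addressed.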
4. Configure non-stop routing.
Configure non-stop routing to keep the Routing Engines in sync with routing protocol state.
root@EX4542-vc1# set routing-options nonstop-routing
Configuring the Access Switch in Extended Mode on page 46
Configuring the Access Switch in Dedicated Mode on page 59
Configuring the Access Switch in Extended Mode

Figure 14: Extended Mode Access Switch
Configuring access switches is simpler than configuring the core switch. We only configure Layer 2 services on the access switches, and an IP address on the Management VLAN in order to provide remote access. This section covers the configuration for EX4200-vc1, which is an extended mode Virtual Chassis in the validated network. This section includes the following topics:
Procedure Overview on page 46
Configuring Global Settings on page 47
Configuring the Virtual Chassis on page 48
Configuring Layer 2 settings on page 53
Procedure Overview
1.
Identify the type of Virtual Chassis.
Pre-provision the Virtual Chassis.
Perform the Virtual Chassis type-specific configuration.
Perform the Virtual Chassis standard configuration.
Unpack and boot up the access switch, and then configure global settings
2. Connect to the Console port of the EX4200 switch (setting: 9600, 8, 1, none).
NOTE: There is a known issue where the following message appears, but the date is actually set:

root> set date 201202101339.00
date: connect: Can't assign requested address
Fri Feb 10 13:39:00 UTC 2012

4. Enter configuration mode.

Type

root> configure
Entering configuration mode
{master:0}[edit]
root#

You should now be at the # prompt and ready to start configuring the switch.
5. Configure the password.
NOTE: This is optional, and is only recommended if you plan on having a separate out-of-band network just for managing devices. If you are not sure, you can always add this item later. For more information on the VME interface, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.
root@EX4200-vc1# set system services web-management https system-generated-certificate
set system services ssh
delete system services web-management http
delete system services telnet
10. Configure DNS.
Identify the Virtual Chassis type. In the case of the validated network, the access switch EX4200-vc1 is an extended mode Virtual Chassis (it uses 10-Gigabit Ethernet links to extend the Virtual Chassis between wiring closets and is managed as a single logical switch).
To pre-provision a Virtual Chassis, you need to identify the serial number of each device that will be part of the Virtual Chassis, the device function, and the order in which you want each switch to be placed. Later, when all of the switches are connected and powered up, they will automatically be assigned the proper function and slot. Pay attention to the serial numbers and ordering of each switch when you connect them together later. By default, EX Series devices automatically form a Virtual Chassis, but the ordering is nondeterministic, so the switches may not be numbered sequentially.
For more information about Virtual Chassis, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.
root@EX4200-vc1# set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333190
set virtual-chassis member 1 role line-card
set virtual-chassis member 1 serial-number FP0211333201
set virtual-chassis member 2 role routing-engine
set virtual-chassis member 2 serial-number FP0211333173
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333265
3. Set the Virtual Chassis to support fast failover on 10-Gigabit Ethernet Virtual Chassis interfaces.
root@EX4200-vc1# set virtual-chassis fast-failover xe
4. Configure global Virtual Chassis commands.
root@EX4200-vc1# set system commit synchronize
set ethernet-switching-options nonstop-bridging
set chassis redundancy graceful-switchover
If you see an error message like the following, you can ignore it. The configuration commit operation has been completed.
root@EX4200-vc1# commit
error: Could not connect to fpc-1 : Can't assign requested address
warning: Cannot connect to other RE, ignoring it
configuration check succeeds
commit complete
Using the VCP ports at the back of the units, cable each pair of EX Series switches together. Remember to pay careful attention to the serial numbers of each switch before cabling them together.
When all of the switches are cabled properly, power them up. You should now have two Virtual Chassis, each with two members. One of the two-member chassis will be pre-provisioned. Verify that this is working properly by running the show virtual-chassis command. Output similar to the one shown here indicates that the chassis members are present, the Virtual Chassis is pre-provisioned, and the members are correctly identified. Here, member 0 is supposed to be a Routing Engine and member 1 is supposed to be in linecard mode; the output confirms both.
root@EX4200-vc1> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: e3d7.6832.7772
Virtual Chassis Mode: Enabled
                                          Mstr            Mixed Neighbor List
Serial No      Model         prio  Role      Mode  ID
FP0211333190   ex4200-48px   129   Master*   N     1  1
FP0211333201   ex4200-48px   0     Linecard  N     0  0
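The pre-provisioning plan fixes which serial number becomes which member, and in which role; the show virtual-chassis output is the evidence that the plan took effect. The following Python script is an added example (it is not part of this document or of Junos) that parses that output and compares it with the plan. The sample outputs are constructed in the format shown on this page: the four-member case assumes members 2 and 3 have already joined, and the second case reuses the non-pre-provisioned output of the other switch pair to show what the nondeterministic ordering described above looks like to the check.

```python
import re

# Planned membership, copied from the set virtual-chassis preprovisioned
# commands for EX4200-vc1 above: serial number -> (member ID, role keyword).
PLAN_VC1 = {
    "FP0211333190": (0, "routing-engine"),
    "FP0211333201": (1, "line-card"),
    "FP0211333173": (2, "routing-engine"),
    "FP0211333265": (3, "line-card"),
}

# A member row of "show virtual-chassis" output, for example:
#   0 (FPC 0)  Prsnt  FP0211333190  ex4200-48px  129  Master*  N  1  vcp-0
# Continuation rows (extra neighbours) carry no "(FPC n)" field and are skipped.
ROW_RE = re.compile(
    r"^\s*(?P<member>\d+)\s+\(FPC\s+\d+\)\s+(?P<status>\S+)\s+(?P<serial>\S+)\s+"
    r"(?P<model>\S+)\s+(?P<prio>\d+)\s+(?P<role>Master\*|Backup|Linecard)(?=\s|$)"
)

# Role column values mapped onto the keywords used under
# [edit virtual-chassis member <n> role].
ROLE_CLASS = {"Master*": "routing-engine", "Backup": "routing-engine",
              "Linecard": "line-card"}


def parse_members(output):
    """Return {member_id: (status, serial, role)} for each member row found."""
    members = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            members[int(m["member"])] = (m["status"], m["serial"], m["role"])
    return members


def check_preprovisioned(plan, output):
    """Compare show virtual-chassis output with the plan; return problems (empty list = OK)."""
    members = parse_members(output)
    by_serial = {serial: (mid, status, role)
                 for mid, (status, serial, role) in members.items()}
    problems = []
    for serial, (want_id, want_role) in plan.items():
        actual = by_serial.get(serial)
        if actual is None:
            problems.append(f"member {want_id} ({serial}) has not joined")
            continue
        got_id, status, got_role = actual
        if got_id != want_id:
            problems.append(f"{serial} joined as member {got_id}, plan says {want_id}")
        if status != "Prsnt":
            problems.append(f"member {got_id} ({serial}) status is {status}")
        if ROLE_CLASS[got_role] != want_role:
            problems.append(f"member {got_id} ({serial}) is {got_role}, plan says {want_role}")
    for serial in by_serial:
        if serial not in plan:
            problems.append(f"serial {serial} is not in the plan")
    masters = sum(1 for _, _, role in members.values() if role == "Master*")
    if masters != 1:
        problems.append(f"expected exactly one Master, found {masters}")
    return problems


# Constructed sample: all four planned members present in their planned slots.
SAMPLE_OK = """\
Preprovisioned Virtual Chassis
Virtual Chassis ID: e3d7.6832.7772
Virtual Chassis Mode: Enabled
                                           Mstr           Mixed Neighbor List
Member ID  Status  Serial No     Model        prio  Role      Mode  ID  Interface
0 (FPC 0)  Prsnt   FP0211333190  ex4200-48px  129   Master*   N     1   vcp-0
                                                                   1   vcp-1
1 (FPC 1)  Prsnt   FP0211333201  ex4200-48px  0     Linecard  N     0   vcp-0
                                                                   0   vcp-1
2 (FPC 2)  Prsnt   FP0211333173  ex4200-48px  129   Backup    N     3   vcp-0
3 (FPC 3)  Prsnt   FP0211333265  ex4200-48px  0     Linecard  N     2   vcp-0
"""

# Constructed sample: member 3 was never cabled (or its serial was mistyped in the plan).
SAMPLE_MISSING = "\n".join(l for l in SAMPLE_OK.splitlines() if not l.startswith("3 (FPC 3)"))

# Output of the non-pre-provisioned pair shown on this page: same hardware,
# but member numbers and roles were chosen by election, not by the plan.
SAMPLE_UNPROVISIONED = """\
Virtual Chassis ID: b155.0783.e272
Virtual Chassis Mode: Enabled
Member ID  Status  Serial No     Model        prio  Role      Mode  ID  Interface
0 (FPC 0)  Prsnt   FP0211333265  ex4200-48px  128   Master*   N     1   vcp-0
1 (FPC 1)  Prsnt   FP0211333173  ex4200-48px  128   Backup    N     0   vcp-0
"""

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING),
                         ("unprovisioned", SAMPLE_UNPROVISIONED)]:
        print(name, check_preprovisioned(PLAN_VC1, sample) or "plan matches")
```

The check is deliberately strict about member numbers: a switch that joins in the wrong slot is not a cosmetic problem, because every interface name (ge-3/0/5, xe-2/1/2) and every interface-range used later in this chapter is keyed on the member number.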
Since this is an extended mode chassis, we need to configure some of the 10-Gigabit Ethernet ports as Virtual Chassis extended ports so that the switches can form a single Virtual Chassis. In our example, we use the EX-UM-2x4SFP uplink module, which supports either two 10-Gbps or four 1-Gbps ports. The first and third positions coincide with the 10-Gigabit Ethernet ports and are filled on the uplink module, so we will configure ports xe-x/1/0 and xe-x/1/2. We will use port 0 on each switch.
NOTE: The port definition in your example could be different if you use a different uplink module in your EX Series device, but as it should still have port 0, this part of the configuration does not change.
root@EX4200-vc1> request virtual-chassis vc-port set pic-slot 1 port 0 member 0
request virtual-chassis vc-port set pic-slot 1 port 0 member 1
a. Use the show virtual-chassis vc-port command to verify that the ports are configured correctly. Here we can see that interface 1/0 on each switch is configured and up but has no neighbors.
root@EX4200-vc1> show virtual-chassis vc-port
fpc0:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   1   vcp-1
vcp-1       Dedicated   2      Up      32000   1   vcp-0
1/0         Configured  -1     Up      10000

fpc1:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   0   vcp-1
vcp-1       Dedicated   2      Up      32000   0   vcp-0
1/0         Configured  -1     Up      10000
b. Connect your console to the second pair of switches. Press Enter and you should
running. When both of the switches show up, we can configure the Virtual Chassis ports on these switches.
root> show virtual-chassis
Virtual Chassis ID: b155.0783.e272
Virtual Chassis Mode: Enabled
                                                  Mstr           Mixed Neighbor List
Member ID  Status  Serial No     Model        prio  Role     Mode  ID  Interface
0 (FPC 0)  Prsnt   FP0211333265  ex4200-48px  128   Master*  N     1   vcp-0
                                                                  1   vcp-1
1 (FPC 1)  Prsnt   FP0211333173  ex4200-48px  128   Backup   N     0   vcp-0
                                                                  0   vcp-1
root> request virtual-chassis vc-port set pic-slot 1 port 0 member 0
request virtual-chassis vc-port set pic-slot 1 port 0 member 1
Use the show virtual-chassis vc-port command to verify the ports are configured correctly. Here we can see that interface 1/0 on each switch is configured and up but has no neighbors.
root> show virtual-chassis vc-port
fpc0:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   1   vcp-1
vcp-1       Dedicated   2      Up      32000   1   vcp-0
1/0         Configured  -1     Down    10000

fpc1:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   0   vcp-1
vcp-1       Dedicated   2      Up      32000   0   vcp-0
1/0         Configured  -1     Down    10000
7. Connect the Virtual Chassis extended ports.
a. Connect switches 1 and 3 together using the 10-Gigabit Ethernet port xe-x/1/0 on each switch.
b. Connect switches 2 and 4 together using the 10-Gigabit Ethernet port xe-x/1/0 on each switch.
8. Verify Virtual Chassis extended ports.
a. Connect the console back to the first pair of switches.
b. Use the show virtual-chassis vc-port command to verify that the port configuration is correct. All four switches are visible, each with one configured 1/0 port that has a neighbor listed.
{master:0} root@EX4200-vc1> show virtual-chassis vc-port
fpc0:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   1   vcp-1
vcp-1       Dedicated   2      Up      32000   1   vcp-0
1/0         Configured  -1     Up      10000   2   vcp-255/1/0

fpc1:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   0   vcp-1
vcp-1       Dedicated   2      Up      32000   0   vcp-0
1/0         Configured  -1     Up      10000   3   vcp-255/1/0

fpc2:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   3   vcp-1
vcp-1       Dedicated   2      Up      32000   3   vcp-0
1/0         Configured  -1     Up      10000   0   vcp-255/1/0

fpc3:
--------------------------------------------------------------------------
Interface   Type        Trunk  Status  Speed   Neighbor
or                      ID             (mbps)  ID  Interface
PIC / Port
vcp-0       Dedicated   1      Up      32000   2   vcp-1
vcp-1       Dedicated   2      Up      32000   2   vcp-0
1/0         Configured  -1     Up      10000   1   vcp-255/1/0
c. Use the show virtual-chassis command to verify that the Virtual Chassis is built.
root@EX4200-vc1> show virtual-chassis
                                         Mstr            Mixed Neighbor List
Serial No      Model         prio  Role      Mode  ID  Interface
FP0211333190   ex4200-48px   129   Master*   N     1   vcp-0
                                                   1   vcp-1
                                                   2   vcp-255/1/0
FP0211333201   ex4200-48px   0     Linecard  N     0   vcp-0
                                                   0   vcp-1
                                                   3   vcp-255/1/0
FP0211333173   ex4200-48px   129   Backup    N     3   vcp-0
                                                   3   vcp-1
                                                   0   vcp-255/1/0
FP0211333265   ex4200-48px   0     Linecard  N     2   vcp-0
                                                   2   vcp-1
                                                   1   vcp-255/1/0
The following commands show items that should be enabled by default in the configuration. You may wish to review and verify that these settings are desired for your specific network.
root@EX4200-vc1# set protocols igmp-snooping vlan all
set protocols rstp
set protocols lldp interface all
set protocols lldp-med interface all
set poe interface all
set ethernet-switching-options storm-control interface all
Configure VLANs. The EX4200-vc1 chassis has the following VLANs assigned: Data_Wired_1, VOIP_Wired_1, Management and Guest_Wired. It has only one IP interface defined, which is on the Management VLAN.
root@EX4200-vc1# set vlans Data_Wired_1 vlan-id 10
set vlans VOIP_Wired_1 vlan-id 14
set vlans Management vlan-id 28
The EX4200-vc1 chassis has only one LAG port configured to connect to the core switch. Junos OS requires that you configure the number of LAG interfaces you want to use before you begin configuring the LAG interfaces. We suggest picking a number slightly larger than what you need in case you add more LAG interfaces later. You can change this value in the future.
a. Because we need one LAG interface for this configuration, we will configure the EX4200-vc1 chassis with two in case we add another LAG connection later.
root@EX4200-vc1# set chassis aggregated-devices ethernet device-count 2
The 10-Gigabit Ethernet ports on the EX4200-vc1 are only available using the uplink module ports. We have uplink modules on each of the four switches. However, the first port xe-x/1/0 is already in use on each switch to form the extended Virtual Chassis. We need to configure the LAG connection on switch members 1 and 3, using ports xe-1/1/2 and xe-3/1/2.
b. First, we need to remove any port-specific configuration on the physical ports we want to aggregate. By default, interfaces have unit 0 defined, but this is not allowed on an interface that is part of an aggregate interface because it would conflict with unit 0 on the logical aggregate interface.
root@EX4200-vc1# delete interfaces xe-0/1/2 unit 0
delete interfaces xe-2/1/2 unit 0
root@EX4200-vc1# set interfaces xe-0/1/2 ether-options 802.3ad ae0
set interfaces xe-2/1/2 ether-options 802.3ad ae0
c. Next, we need to add LACP to each LAG interface to provide some health checking.
NOTE: LACP must be configured on both sides for the LAG port to become active.
root@EX4200-vc1# set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
4. Disable RSTP on LAG connections to access switches.
Because we are not using RSTP as a topology protocol, we can disable it on the LAG ports going to our access switches. Disabling RSTP also reduces potential convergence times in case of a LAG member failure, because fewer protocols need to converge.
NOTE: All access switches will have RSTP enabled for loop protection locally.
Next, we need to configure the LAG port as a trunk and add the VLANs that will be supported going to the core switch. To enable the LAG port as a trunk port, use the set interfaces command.
root@EX4200-vc1# set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
6. Configure VLANs on trunk ports.
VLAN configuration for ae0, which connects to the EX4542-vc1, has Data_Wired_1, VOIP_Wired_1, and the Management VLAN for access points and switch management. The Guest_Wired VLAN will also be configured on this trunk to support guests needing a wired connection (conference rooms, and so on).
root@EX4200-vc1# set interfaces ae0 unit 0 family ethernet-switching vlan members [Data_Wired_1 VOIP_Wired_1 Management Guest_Wired]
a. Commit the configuration.
commit
You should see the commit operation finish on each of the EX Series switches in the Virtual Chassis.
root@ex4200-vc1# commit
fpc0:
configuration check succeeds
fpc1:
commit complete
fpc2:
commit complete
fpc3:
commit complete
fpc0:
commit complete
b. Now connect the LAG connections to the core switch.
Run the show lldp neighbors command to verify that the connection is up and you can see the other side of the connection.
root@ex4200-vc1> show lldp neighbors
Local Interface    Parent Interface    Chassis Id           Port info      System Name
vme.0                                  5c:5e:ab:79:bc:c0    ge-0/0/38.0
xe-0/1/2.0         ae0.0               88:e0:f3:74:55:c0    xe-0/0/0.0     EX4542-vc1
xe-2/1/2.0         ae0.0               88:e0:f3:74:55:c0    xe-1/0/0.0     EX4542-vc1
c. Run the show lacp interfaces command to verify that LACP is running.
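The NOTE above says that LACP must be configured on both sides before the LAG becomes active; the show lacp interfaces output is where that shows up, in the Actor and Partner flag rows. The following Python script is an added example, not part of this document or of Junos, that parses the LACP state table and reports any member link that is not fully synchronised, collecting and distributing. The healthy sample is constructed in the format of the show lacp interfaces output shown later in this chapter; the failing sample is constructed to show a link whose far end is not sending LACPDUs (Def = Yes, Syn/Col/Dist = No).

```python
import re

# Flag columns of the "LACP state" table, in output order.
FLAGS = ("Exp", "Def", "Dist", "Col", "Syn", "Aggr")

# One row of that table, for example:
#   xe-0/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
STATE_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<role>Actor|Partner)\s+"
    + r"\s+".join(rf"(?P<{f}>Yes|No)" for f in FLAGS)
    + r"\s+(?P<timeout>Slow|Fast)\s+(?P<activity>Active|Passive)\s*$"
)


def parse_lacp_state(output):
    """Return {iface: {"Actor": {flag: value}, "Partner": {flag: value}}}."""
    links = {}
    for line in output.splitlines():
        m = STATE_RE.match(line)
        if m:
            links.setdefault(m["iface"], {})[m["role"]] = {f: m[f] for f in FLAGS}
    return links


def check_lag(output, expected_links):
    """Return a list of problems; an empty list means every member link is healthy."""
    links = parse_lacp_state(output)
    problems = []
    if len(links) != expected_links:
        problems.append(f"expected {expected_links} member links, found {len(links)}")
    for iface, roles in sorted(links.items()):
        for role in ("Actor", "Partner"):
            flags = roles.get(role)
            if flags is None:
                problems.append(f"{iface}: no {role} row")
                continue
            if flags["Def"] == "Yes":
                # Defaulted: no LACPDUs are being received for this link, the
                # usual symptom when LACP is configured on one side only.
                problems.append(f"{iface}: {role} is using defaulted information")
            if flags["Exp"] == "Yes":
                problems.append(f"{iface}: {role} LACP information has expired")
            for f in ("Syn", "Col", "Dist", "Aggr"):
                if flags[f] != "Yes":
                    problems.append(f"{iface}: {role} {f} is No")
    return problems


# Constructed sample in the format of show lacp interfaces: both links healthy.
SAMPLE_OK = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
      xe-0/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
      xe-1/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
      xe-1/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/0                  Current   Slow periodic Collecting distributing
      xe-1/1/0                  Current   Slow periodic Collecting distributing
"""

# Constructed failure: the core side of xe-1/1/0 is not running LACP.
SAMPLE_PARTNER_DOWN = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
      xe-0/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
      xe-1/1/0       Actor    No   Yes    No   No   No   Yes     Slow    Active
      xe-1/1/0     Partner    No   Yes    No   No   No   Yes     Slow   Passive
"""

if __name__ == "__main__":
    print(check_lag(SAMPLE_OK, 2) or "ae0: all member links collecting and distributing")
    for p in check_lag(SAMPLE_PARTNER_DOWN, 2):
        print(p)
```

Passing expected_links (2 here, one uplink per switch in the pair) catches the quieter failure where a member port was never added to ae0 and the LAG is running at half its intended capacity with no redundancy.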
We recommend configuring these basic security features on the majority of the VLANs on access switches. We need to enable these features on the Data_Wired_1, VOIP_Wired_1, and Guest_Wired VLANs. You may notice that we do not enable these features on the Management VLAN. There is a greater tendency to have statically configured devices on management VLANs. Each device with a static IP address attached to a port on a VLAN, with these features enabled, requires a static port configuration with an IP address and a MAC address in order to communicate with the rest of the network. If required, this additional level of security can be configured, but it will add some overhead when network changes are made.
root@EX4200-vc1# set ethernet-switching-options secure-access-port vlan Data_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
For more information about port security features, see the Day One book, Configuring EX Series Ethernet Switches, or Port Security on EX Series Switches Guide at www.juniper.net/techpubs.
NOTE: Using the interface-range statement. Junos OS supports a feature called interface-range, which allows you to group several interfaces together so that you can configure the entire group with one statement. This is helpful when you have many similar ports that share much of the same configuration, and it simplifies configurations. With the access switches in the validated network, each member of the Virtual Chassis is divided up by port type: ports 0 to 4 are reserved for wireless access points, ports 5 to 26 for data, and ports 27 to 47 for voice. Since these ports are typically configured identically, we use the interface-range statement to simplify operations and create three port groups: Access_Points, Wired_Data and Wired_Voice.
root@EX4200-vc1# set interfaces interface-range Wired_Data member-range ge-0/0/5 to ge-0/0/26
set interfaces interface-range Wired_Data member-range ge-1/0/5 to ge-1/0/26
set interfaces interface-range Wired_Data member-range ge-2/0/5 to ge-2/0/26
set interfaces interface-range Wired_Data member-range ge-3/0/5 to ge-3/0/26
set interfaces interface-range Wired_Voice member-range ge-0/0/27 to ge-0/0/47
set interfaces interface-range Wired_Voice member-range ge-1/0/27 to ge-1/0/47
set interfaces interface-range Wired_Voice member-range ge-2/0/27 to ge-2/0/47
set interfaces interface-range Wired_Voice member-range ge-3/0/27 to ge-3/0/47
set interfaces interface-range Access_Points member-range ge-0/0/0 to ge-0/0/4
set interfaces interface-range Access_Points member-range ge-1/0/0 to ge-1/0/4
set interfaces interface-range Access_Points member-range ge-2/0/0 to ge-2/0/4
set interfaces interface-range Access_Points member-range ge-3/0/0 to ge-3/0/4
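The port-type plan in the NOTE above is what the twelve member-range lines encode, once per member. A port that falls outside every range keeps its default configuration and so misses the access-mode, VLAN and secure-access-port settings the ranges receive later in this procedure, while a port that sits in two ranges gets whichever conflicting configuration Junos applies, so the plan is worth checking before it is turned into set commands. The following Python script is an added example, not part of this document or of Junos, that generates the member-range lines for any number of members and reports uncovered or doubly covered ports; it assumes 48-port members as used in the validated network.

```python
# Port-type plan for one member, taken from the NOTE above:
# (interface-range name, first port, last port). Ports are ge-<member>/0/<port>.
PORT_PLAN = [
    ("Access_Points", 0, 4),
    ("Wired_Data", 5, 26),
    ("Wired_Voice", 27, 47),
]

# Assumed member size: the validated network uses ex4200-48px members.
PORTS_PER_MEMBER = 48


def interface_range_config(plan, members):
    """Return the set interfaces interface-range ... member-range lines for each member."""
    lines = []
    for name, first, last in plan:
        for member in range(members):
            lines.append(
                f"set interfaces interface-range {name} member-range "
                f"ge-{member}/0/{first} to ge-{member}/0/{last}"
            )
    return lines


def check_port_plan(plan, ports_per_member=PORTS_PER_MEMBER):
    """Return (uncovered ports, ports claimed by more than one range, ports outside the member)."""
    owners = {port: [] for port in range(ports_per_member)}
    out_of_range = []
    for name, first, last in plan:
        for port in range(first, last + 1):
            if port in owners:
                owners[port].append(name)
            else:
                out_of_range.append((name, port))
    uncovered = sorted(p for p, names in owners.items() if not names)
    overlapping = sorted(p for p, names in owners.items() if len(names) > 1)
    return uncovered, overlapping, out_of_range


if __name__ == "__main__":
    uncovered, overlapping, outside = check_port_plan(PORT_PLAN)
    if uncovered or overlapping or outside:
        raise SystemExit(f"bad plan: uncovered={uncovered} overlapping={overlapping} outside={outside}")
    # Four members for EX4200-vc1, as configured above.
    for line in interface_range_config(PORT_PLAN, 4):
        print(line)
```

The same generator serves the two-member EX4200-vc2 chassis later in the chapter by passing 2 as the member count.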
8. Set the port mode.
Set the port mode to access. Because we have used the interface-ranges statement, we only need to set the port mode at the interface-range instead of editing every port.
root@EX4200-vc1# set interfaces interface-range Wired_Data unit 0 family ethernet-switching port-mode access
set interfaces interface-range Wired_Voice unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access_Points unit 0 family ethernet-switching port-mode access
9. Configure port to VLAN.
root@EX4200-vc1# set vlans Data_Wired_1 interface Wired_Data
set vlans Management interface Access_Points
set vlans VOIP_Wired_1 interface Wired_Voice
10. Configure Layer 3 settings.
Layer 3 configuration for the access switch involves setting a default route in the case of the validated network. In this case, it points to 10.10.28.1 which is the core switch IP interface on the Management VLAN.
root@EX4200-vc1# set routing-options static route 0.0.0.0/0 next-hop 10.10.28.1
Next, you need to verify IP reachability by pinging the core switch management IP address from the access switch. This also indicates that trunking is configured properly on the interface and working properly.
root@EX4200-vc1> ping 10.10.28.1
PING 10.10.28.1 (10.10.28.1): 56 data bytes
64 bytes from 10.10.28.1: icmp_seq=0 ttl=64 time=4.441 ms
64 bytes from 10.10.28.1: icmp_seq=1 ttl=64 time=4.383 ms
64 bytes from 10.10.28.1: icmp_seq=2 ttl=64 time=4.134 ms
12. Verify VLANs and trunking.
a. To verify that the proper VLANs are configured for trunking on the ae0 interface,
b. To see what ports are configured for specific VLANs use the show vlans command.
NOTE: Because of the large number of ports in EX4200-vc1, the show command output below shows only the first VLAN.
root@EX4200-vc1> show vlans
Name           Tag   Interfaces
Data_Wired_1   10
                     ae0.0*, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0,
                     ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0,
                     ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0,
                     ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0, ge-0/0/24.0,
                     ge-0/0/25.0, ge-0/0/26.0, ge-1/0/5.0, ge-1/0/6.0, ge-1/0/7.0,
                     ge-1/0/8.0, ge-1/0/9.0, ge-1/0/10.0*, ge-1/0/11.0, ge-1/0/12.0,
                     ge-1/0/13.0, ge-1/0/14.0, ge-1/0/15.0, ge-1/0/16.0, ge-1/0/17.0,
                     ge-1/0/18.0, ge-1/0/19.0, ge-1/0/20.0, ge-1/0/21.0, ge-1/0/22.0,
                     ge-1/0/23.0, ge-1/0/24.0, ge-1/0/25.0, ge-1/0/26.0, ge-2/0/5.0,
                     ge-2/0/6.0, ge-2/0/7.0, ge-2/0/8.0, ge-2/0/9.0, ge-2/0/10.0*,
                     ge-2/0/11.0*, ge-2/0/12.0, ge-2/0/13.0, ge-2/0/14.0, ge-2/0/15.0,
                     ge-2/0/16.0, ge-2/0/17.0, ge-2/0/18.0, ge-2/0/19.0, ge-2/0/20.0,
                     ge-2/0/21.0, ge-2/0/22.0, ge-2/0/23.0, ge-2/0/24.0, ge-2/0/25.0,
                     ge-2/0/26.0, ge-3/0/5.0, ge-3/0/6.0, ge-3/0/7.0, ge-3/0/8.0,
                     ge-3/0/9.0, ge-3/0/10.0, ge-3/0/11.0, ge-3/0/12.0, ge-3/0/13.0,
                     ge-3/0/14.0, ge-3/0/15.0, ge-3/0/16.0, ge-3/0/17.0, ge-3/0/18.0,
                     ge-3/0/19.0, ge-3/0/20.0, ge-3/0/21.0, ge-3/0/22.0, ge-3/0/23.0,
                     ge-3/0/24.0, ge-3/0/25.0, ge-3/0/26.0
Procedure Overview on page 60
Configuring Global Settings on page 60
Configuring a Virtual Chassis on page 61
Configuring Layer 2 settings on page 63
Procedure Overview
1. Identify the type of Virtual Chassis. Pre-provision the Virtual Chassis. Perform the Virtual Chassis type-specific configuration. Perform the Virtual Chassis standard configuration.
2. Connect to the console port of the EX4200 switch (setting: 9600, 8, 1, none).
a. Press Enter. The following prompt appears:
{master:0}[edit] root#
You should now be at the # prompt and ready to start configuring the switch.
5. Configure the password.
root# set system root-authentication plain-text-password
New password:*******
Retype new password:*******
{master:0}[edit]
root#
6. Configure the time zone.
NOTE: This is optional, and is only recommended if you plan on having a separate out-of-band network just for managing devices. If you are not sure, you can add this item later. For more information on the VME interface, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.
root@EX4200-vc2# set system services web-management https system-generated-certificate
set system services ssh
delete system services web-management http
delete system services telnet
10. Configure DNS.
Identify the Virtual Chassis type. In the case of the validated network, the access switch EX4200-vc2 is a dedicated mode Virtual Chassis: it uses only the VCP ports to form the switching fabric interconnect, and all switches are the same model.
To pre-provision a Virtual Chassis, you need to identify the serial number of each device that will be part of the Virtual Chassis, the function of each device, and the order in which you want the switches to be placed. Later, when all of the switches are connected and powered up, they will automatically be assigned the proper function and slot. Make sure you pay attention to the serial numbers and ordering of each switch when you connect them together later. By default, EX Series devices automatically form a Virtual Chassis, but because the ordering is nondeterministic, the switches may not be numbered sequentially. For more information about Virtual Chassis, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.
root@EX4200-vc2# set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333274
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number FP0211333245
3. Configure specific Virtual Chassis commands.
Because this is only a two-member Virtual Chassis and both members are located together, we need to disable split detection.
root@EX4200-vc2# set virtual-chassis no-split-detection
4. Configure global Virtual Chassis commands.
root@EX4200-vc2# set system commit synchronize
set ethernet-switching-options nonstop-bridging
set chassis redundancy graceful-switchover
a. Commit the configuration.
root@EX4200-vc2# commit
b. Using the VCP ports at the back of the units, cable each pair of EX Series switches together. When all of the switches are cabled properly, power up the remaining switch. Once all the switches are powered up, verify that all of the members are active by running the show virtual-chassis command.
root@EX4200-vc-2> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: 77df.abcc.3e2f
Virtual Chassis Mode: Enabled
                                                  Mstr           Mixed Neighbor List
Member ID  Status  Serial No     Model        prio  Role     Mode  ID  Interface
0 (FPC 0)  Prsnt   FP0211333274  ex4200-48px  129   Backup   N     1   vcp-0
                                                                  1   vcp-1
1 (FPC 1)  Prsnt   FP0211333245  ex4200-48px  129   Master*  N     0   vcp-0
                                                                  0   vcp-1
The following commands show items that should be enabled by default in the configuration. You may wish to review and verify that these settings are desired for your specific network.
root@EX4200-vc2# set protocols igmp-snooping vlan all
set protocols rstp
set protocols lldp interface all
set protocols lldp-med interface all
set poe interface all
set ethernet-switching-options storm-control interface all
Configure VLANs. The EX4200-vc2 chassis has the following VLANs assigned: Data_Wired_2, VOIP_Wired_2, Management and Guest_Wired. It has only one IP interface defined, which is on the Management VLAN.
root@EX4200-vc2# set vlans Data_Wired_2 vlan-id 12
set vlans VOIP_Wired_2 vlan-id 16
set vlans Management vlan-id 28
set vlans Management l3-interface vlan.28
set vlans Guest_Wired vlan-id 30
2. Configure interfaces.
The EX4200-vc2 chassis has only one LAG port configured to connect to the core switch. Junos OS requires that you configure the number of LAG interfaces you want to use before you begin configuring the LAG interfaces. We suggest picking a number slightly larger than what you need in case you add more LAG interfaces later. You can change this value in the future.
a. Because we need one LAG interface for this configuration, we will configure the EX4200-vc2 chassis with two in case we add another LAG connection later.
root@EX4200-vc2# set chassis aggregated-devices ethernet device-count 2
The 10-Gigabit Ethernet ports on the EX4200-vc1 are only available using the uplink module ports. We have uplink modules on each of the four switches. However, the first port xe-x/1/0 is already in use on each switch to form the extended Virtual Chassis. We need to configure the LAG connection on switch members 1 and 3, using ports xe-1/1/2 and xe-3/1/2.
b. First, we need to remove any port-specific configuration on the physical ports we want to aggregate. By default, interfaces have unit 0 defined, but this is not allowed on an interface that is part of an aggregate interface because it would conflict with unit 0 on the logical aggregate interface.
root@EX4200-vc2# delete interfaces xe-0/1/0 unit 0
delete interfaces xe-1/1/0 unit 0
root@EX4200-vc2# set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-1/1/0 ether-options 802.3ad ae0
c. Next, we need to add LACP to each LAG interface to provide some health checking.
NOTE: LACP must be configured on both sides for the LAG port to become active.
root@EX4200-vc2# set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
4. Disable RSTP on LAG connections to access switches.
Because we do not use RSTP as a topology protocol, we can disable it on the LAG ports going to our access switches. Disabling RSTP also reduces potential convergence times in case a LAG member fails, because fewer protocols need to converge.
NOTE: All access switches have RSTP enabled locally for loop protection.
Next, we need to configure the LAG port as a trunk and add the VLANs that will be supported going to the core switch. To enable the LAG port as a trunk port, use the set interfaces command.
root@EX4200-vc2# set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
6. Configure VLANs on trunk ports.
VLAN configuration for ae0, which connects to the EX4542-vc1 switch, has Data_Wired_2, VOIP_Wired_2, and the Management VLAN for access points and switch management. The Guest_Wired VLAN will also be configured on this trunk to support guests needing a wired connection (conference rooms, and so on).
root@EX4200-vc2# set interfaces ae0 unit 0 family ethernet-switching vlan members [Data_Wired_2 VOIP_Wired_2 Management Guest_Wired]
a. Commit the configuration.
root@EX4200-vc2# commit
b. Connect the LAG connections to the core switch. Then use the show lldp neighbors command to verify that the connection is up and you can see the other side of the connection.
root@EX4200-vc2> show lldp neighbors
Local Interface    Parent Interface    Chassis Id           Port info      System Name
vme.0                                  5c:5e:ab:79:bc:c0    ge-0/0/12.0
xe-0/1/0.0         ae0.0               88:e0:f3:74:55:c0    xe-0/0/1.0     EX4542-vc1
xe-1/1/0.0         ae0.0               88:e0:f3:74:55:c0    xe-1/0/1.0     EX4542-vc1
ge-0/0/0.0                             10.10.28.52          port 1
                                       10.10.28.53          port 1
c. Run the show lacp interfaces command to verify that LACP is running.
root@EX4200-vc2> show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-0/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
      xe-0/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
      xe-1/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
      xe-1/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      xe-0/1/0                  Current   Slow periodic Collecting distributing
      xe-1/1/0                  Current   Slow periodic Collecting distributing
7. Configure secure access port features
We recommend configuring these basic security features on most VLANs on access switches. We need to enable these features on the Data_Wired_2, VOIP_Wired_2, and Guest_Wired VLANs. You may notice that we do not enable these features on the Management VLAN. There is a greater tendency to have statically configured devices on management VLANs. Each device with a static IP address attached to a port on a VLAN, with these features enabled, requires a static port configuration with an IP address and a MAC address in order to communicate with the rest of the network. If required, this additional level of security can be configured, but it will add some overhead when network changes are made.
root@EX4200-vc2# set ethernet-switching-options secure-access-port vlan Data_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_2 ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
For more information on the VME interface, see Virtual Chassis on page 95, or the Day One book, Configuring EX Series Ethernet Switches.
NOTE: Using the interface-range statement. Junos OS supports a feature called interface-range, which allows you to group several interfaces together so that you can configure the entire group with one statement. This is helpful when you have many similar ports that share much of the same configuration, and it simplifies configurations. With the access switches in the validated network, each member of the Virtual Chassis is divided up by port type: ports 0 to 4 are reserved for wireless access points, ports 5 to 26 for data, and ports 27 to 47 for voice. Because these ports are typically configured identically, we use the interface-range statement to simplify operations and create three port groups: Access_Points, Wired_Data and Wired_Voice.
root@EX4200-vc2# set interfaces interface-range Wired_Data member-range ge-1/0/5 to ge-1/0/26
set interfaces interface-range Wired_Data member-range ge-0/0/5 to ge-0/0/26
set interfaces interface-range Wired_Voice member-range ge-0/0/27 to ge-0/0/47
set interfaces interface-range Wired_Voice member-range ge-1/0/27 to ge-1/0/47
set interfaces interface-range Access_Points member-range ge-0/0/0 to ge-0/0/4
set interfaces interface-range Access_Points member-range ge-1/0/0 to ge-1/0/4
8. Set the port mode.
We need to set the port mode to access. Because we have used the interface-ranges statement, we only need to set the port mode at the interface-range level, instead of editing every port.
root@EX4200-vc2# set interfaces interface-range Wired_Data unit 0 family ethernet-switching port-mode access
set interfaces interface-range Wired_Voice unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access_Points unit 0 family ethernet-switching port-mode access
9. Configure port to VLAN.
root@EX4200-vc2# set vlans Data_Wired_2 interface Wired_Data
set vlans Management interface Access_Points
set vlans VOIP_Wired_2 interface Wired_Voice
10. Configure Layer 3 settings.
Layer 3 configuration for the access switch involves setting a default route in the case of the validated network. In this case, it points to 10.10.28.1, which is the core switch IP interface on the Management VLAN.
set routing-options static route 0.0.0.0/0 next-hop 10.10.28.1
CHAPTER 4
Wireless Deployment
Wireless Services Deployment Overview on page 67
Configuring the Primary WLC on page 68
Configuring the Secondary WLC on page 73
This section covers the essential steps involved in setting up a wireless network for corporate users using local authentication and wireless guest access. Wireless LAN Controllers (WLCs) are clustered to provide high availability (HA) and dynamic load balancing of access points (APs).
NOTE: Guest access enables guest users to connect to the Internet, and is isolated from the corporate network.
For the setup process, we assume that your WLC is running the factory default configuration.
Run Quick Start. The Quick Start configuration script guides you through the initial setup of WLC-1.
NOTE: You can configure more items using the quick start script than this procedure outlines, but manually stepping through the process allows for greater control. You can change configuration settings later if needed.
a. Connect to the console port of the WLC using the settings: 9600, 8, N, 1, None.
b. Press the Enter key a few times until you get a prompt.
c. Log in without providing a username or password.
d. Type enable at the prompt.
Because no password is configured by default, just press the Enter key when prompted for a password.
e. Type quickstart at the prompt.
MXR-2-5BF3A6# quickstart
This will erase any existing config. Continue? [n]: y
Answer the following questions. Enter '?' for help. ^C to break out
System Name [MXR-2]: WLC-1
Country Code [US]:
System IP address []: 10.10.28.100
System IP address netmask []: 255.255.255.0
Default route []: 10.10.28.1
Do you need to use 802.1Q tagged ports for connectivity on the default VLAN? [n]:
Enable Webview [y]:
Admin username [admin]: admin
Admin password [mandatory]:
Enable password [optional]:
Do you wish to set the time? [y]: y
Enter the date (dd/mm/yy) []: 15/06/11
Is daylight saving time (DST) in effect [n]: y
Enter the time (hh:mm:ss) []: 12:27:00
Enter the timezone []: PST
Enter the offset (without DST) from GMT for PST in hh:mm [0:0]: -08:00
Do you wish to configure wireless? [y]: n
success: created keypair for ssh
success: Type "save config" to save the configuration
f.
You need to configure the VLANs and enable them on the trunk port. The WLCs are configured as part of the following VLANs.
NOTE: The WLCs can be configured with a different VLAN ID from the actual 802.1q tag. This is specific to the WLC and should not be confused with the 802.1q tag. For example, you could have a VLAN ID of 5 on the WLC, but it is sent out as 802.1q tag 13, so to the network it is VLAN ID 13. There are advantages to this in more complex deployments, but that is outside the scope of this document. To make things easier to understand, we will configure the internal VLAN ID to correspond with the 802.1q tag that the rest of the network uses.
a. Create VLANs.
WLC-1# set vlan 28 name Management
set vlan 18 name Data_Wireless_1
set vlan 32 name Guest_Wireless
b. Assign VLANs to ports.
WLC-1# set vlan Management port 8 tag 28
set vlan Data_Wireless_1 port 8 tag 18
set vlan Guest_Wireless port 8 tag 32
c. Assign IP interfaces to VLANs.
When you use the Quick Start script, the system IP address is automatically assigned to VLAN 1. In our case, this needs to be VLAN 28, the Management VLAN, so we need to first delete the IP address association with VLAN 1 and then add it to VLAN 28.
NOTE: This is still the system IP address, which is the source IP address it uses to communicate with the APs and WLCs.
WLC-1# clear interface 1 ip
WLC-1# set interface Management ip 10.10.28.100/24
set interface Data_Wireless_1 ip 10.10.18.100/24
set interface Guest_Wireless ip 10.10.32.100/24
Management VLAN.
WLC-1# ping 10.10.28.1
NOTE: You may notice that we have configured the IP address 10.10.28.100 twice. We actually first configured this as the system IP address, and then assigned it to a VLAN. The system IP address needs to reside on the Management network because that is the address that will be used to communicate to the access point and with other WLCs.
The SSID for corporate users uses WPA2 encryption and 802.1x authentication. The SSID for guest users uses an open network that relies on a captive portal to authenticate users.
a. Configure the Data_Wireless_1 SSID.
The following commands create the SSID Data_Wireless_1, configure 802.1x authentication for the SSID, and configure traffic encryption over the SSID.
WLC-1# set service-profile Secure-802.1X ssid-name Data_Wireless_1
set service-profile Secure-802.1X rsn-ie cipher-ccmp enable
set service-profile Secure-802.1X rsn-ie enable
set service-profile Secure-802.1X attr vlan-name Data_Wireless_1
set authentication dot1x ssid Data_Wireless_1 ** peap-mschapv2 local
b. Configure the Guest_Wireless SSID.
The following commands configure the Guest_Wireless SSID and set it up for captive portal authentication.
WLC-1# set service-profile Web-Portal ssid-name Guest_Wireless
set service-profile Web-Portal ssid-type clear
set service-profile Web-Portal auth-fallthru web-portal
set service-profile Web-Portal wpa-ie auth-dot1x disable
set service-profile Web-Portal rsn-ie auth-dot1x disable
set service-profile Web-Portal attr vlan-name Guest_Wireless
set authentication web ssid Guest_Wireless ** local
The first rule permits UDP traffic from everyone to ports 67 and 68 only, which are used for DHCP. The second rule creates a capture by the controller for all traffic matching this rule. In this case, we block all remaining traffic and force it to the captive portal for authentication.
WLC-1# set radio-profile default service-profile Secure-802.1X
set radio-profile default service-profile Web-Portal
5. Add local users for wireless services.
NOTE: We recommend that you only use local authentication to verify initial operation and for last-resort authentication. Use a RADIUS server as the preferred method for user authentication.
a. To create local users, you need to use the command set user username password.
WLC-1# set user bob password
Enter new password:
Retype new password:
success: change accepted.
WLC-1# set user guest password
Enter new password:
Retype new password:
success: change accepted.
b. Assign users to specific SSIDs.
WLC-1# set user bob attr ssid Data_Wireless_1
set user guest attr ssid Guest_Wireless
NOTE: Because each user is mapped to a specific SSID, different rules apply to them when they log on to the network. For example, the user bob must authenticate via 802.1x to log on to the wireless network. The user guest can log on to the Guest_Wireless network, but has to authenticate against the captive portal to get to the Internet, otherwise they can do nothing.
You need to use the auto setup to configure the access points. On the console, you can see several messages while the access points are configured and booted.
WLC-1# set ap auto mode enable
d. Save your configuration.
[Output of the AP status command, garbled in extraction: eight MP-522 access points with addresses 10.10.28.52 through 10.10.28.59 are listed, each with its MAC address and per-radio columns.]
6. Set up a cluster.
To enable clustering, you need to create a mobility domain on the primary seed controller and then add the secondary seed to that cluster.
a. Create a mobility domain.
The first line sets up the domain xyzcompany. The second line adds a secondary to the cluster on the primary seed controller. This example uses the IP address 10.10.28.101, which we will configure later.
WLC-1# set mobility-domain mode seed domain-name xyzcompany
set mobility-domain member 10.10.28.101
b. Enable clustering.
When you enable clustering, you receive a warning message that this action will overwrite the configuration of other devices.
WLC-1# set cluster mode enable
This will cause loss of configuration on member devices. Are you sure? (y/n) [n]y
c. Save your configuration.
This will cause the access points to reboot. You will see messages on the console.
Run Quick Start. The Quick Start configuration script guides you through the initial setup of WLC-2.
a. Connect to the console port of the WLC using the settings: 9600, 8, N, 1, None.
b. Press the Enter key a few times until you get a prompt.
c. Log in without providing a username or password.
d. Type enable at the prompt.
Because no password is configured by default, just press the Enter key when you are prompted for a password.
e. Type quickstart at the prompt.
MXR-2-5BF3A6# quickstart
This will erase any existing config. Continue? [n]: y
Answer the following questions. Enter '?' for help. ^C to break out
System Name [MXR-2]: WLC-2
Country Code [US]:
System IP address []: 10.10.28.101
System IP address netmask []: 255.255.255.0
Default route []: 10.10.28.1
Do you need to use 802.1Q tagged ports for connectivity on the default VLAN? [n]:
Enable Webview [y]:
Admin username [admin]: admin
Admin password [mandatory]:
Enable password [optional]:
Do you wish to set the time? [y]: y
Enter the date (dd/mm/yy) []: 15/06/11
Is daylight saving time (DST) in effect [n]: y
Enter the time (hh:mm:ss) []: 12:27:00
Enter the timezone []: PST
Enter the offset (without DST) from GMT for PST in hh:mm [0:0]: -08:00
Do you wish to configure wireless? [y]: n
success: created keypair for ssh
success: Type "save config" to save the configuration
f.
g. Connect port 8 on WLC-2 to EX4542-vc1 port ge-2/0/1.
2. Configure VLANs and 802.1q trunking.
You need to configure the VLANs and enable them on the trunk port. The WLCs are configured as part of the VLANs. We need to configure the following VLANs on WLC-2.
a. Create VLANs.
WLC-2# set vlan 28 name Management
set vlan 18 name Data_Wireless_1
set vlan 32 name Guest_Wireless
b. Assign VLANs to ports.
WLC-2# set vlan Management port 8 tag 28
set vlan Data_Wireless_1 port 8 tag 18
set vlan Guest_Wireless port 8 tag 32
c. Assign IP interfaces to VLANs.
When you use the Quick Start script, the system IP address is automatically assigned to VLAN 1. In this case, this needs to be VLAN 28, the Management VLAN, so you need to first delete the IP address association with VLAN 1 and then add it to VLAN 28.
NOTE: This is still the system IP address, which is the source IP address it uses to communicate with the APs and WLCs.
WLC-2# clear interface 1 ip
WLC-2# set interface Management ip 10.10.28.101/24
set interface Data_Wireless_1 ip 10.10.18.101/24
set interface Guest_Wireless ip 10.10.32.101/24
d. Save your configuration.
Management VLAN.
Join a mobility domain. When you enable cluster mode, the system displays a warning that this will overwrite the configuration.
WLC-2# set mobility-domain mode secondary-seed domain-name xyzcompany seed-ip 10.10.28.100
set cluster mode enable
At this point the secondary WLC automatically copies the remaining configuration from the primary WLC, except for user information. You need to add the users to the secondary WLC so that it can also authenticate users for the access points it manages. You can do this by adding users with the process described in the next section.
NOTE: We recommend that you only use local authentication to verify initial operation and for last-resort authentication. Use a RADIUS server as the preferred method for user authentication.
NOTE: When you add users to the secondary WLC, we recommend that you copy the user information from the configuration file of the primary WLC. This eliminates the possibility of errors that may prevent users from getting access because of mismatching user/password/VLAN information.
If user information is changed later, it must be changed on both devices to keep them in sync.
a. Copy user information from the primary WLC to the secondary WLC.
On the primary WLC, type show configuration. Find the lines associated with the users you have created, in this case bob and guest are the users you had created previously and each one has two lines. You need to copy that information from the primary WLC to the secondary WLC.
NOTE: This example has only one attribute associated with the users, but you may have several in a production environment. Make sure you copy all of the attributes associated with each user.
WLC-1# set user bob password encrypted 06160e325f59060b01
set user bob attr ssid Data_Wireless_1
set user guest password encrypted 12090404011c03162e
WLC-2# set user bob password encrypted 06160e325f59060b01
set user bob attr ssid Data_Wireless_1
set user guest password encrypted 12090404011c03162e
set user guest attr ssid Guest_Wireless
c. Save the configuration.
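To catch drift between the two controllers' local user databases, which the notes above warn about, here is an added example (not from this guide or from Juniper) in Python that compares the set user lines of two show configuration excerpts. The configurations and the password strings are constructed placeholders.

```python
import re

# Constructed sample excerpts of "show configuration" output from each WLC,
# modelled on the guide's users bob and guest. The encrypted password strings
# are placeholders, not real credentials. The guest SSID attribute on WLC-2 is
# deliberately wrong so the check has something to report.
WLC1_CONFIG = """\
set user bob password encrypted PLACEHOLDER_HASH_BOB
set user bob attr ssid Data_Wireless_1
set user guest password encrypted PLACEHOLDER_HASH_GUEST
set user guest attr ssid Guest_Wireless
"""

WLC2_CONFIG = """\
set user bob password encrypted PLACEHOLDER_HASH_BOB
set user bob attr ssid Data_Wireless_1
set user guest password encrypted PLACEHOLDER_HASH_GUEST
set user guest attr ssid Data_Wireless_1
"""

# Matches "set user <name> password encrypted <value>" and
# "set user <name> attr <attribute> <value>".
USER_LINE = re.compile(r"^set user (\S+) (password encrypted|attr \S+) (\S+)$")


def parse_users(config):
    """Collect every 'set user ...' line into {user: {key: value}}.

    key is 'password' or 'attr <name>', so a user with several attributes
    (VLAN, SSID, session timeout, ...) keeps all of them.
    """
    users = {}
    for line in config.splitlines():
        m = USER_LINE.match(line.strip())
        if not m:
            continue
        user, kind, value = m.groups()
        key = "password" if kind.startswith("password") else kind
        users.setdefault(user, {})[key] = value
    return users


def compare_users(primary, secondary):
    """Return (user, key, primary_value, secondary_value) for every user or
    attribute that is missing or different on the secondary WLC.

    An empty list means the secondary mirrors the primary exactly.
    """
    p, s = parse_users(primary), parse_users(secondary)
    problems = []
    for user, attrs in p.items():
        for key, value in attrs.items():
            other = s.get(user, {}).get(key)
            if other != value:
                problems.append((user, key, value, other))
    # users that exist only on the secondary are drift as well
    for user in s.keys() - p.keys():
        problems.append((user, "*", None, "present only on secondary"))
    return problems


if __name__ == "__main__":
    for user, key, want, got in compare_users(WLC1_CONFIG, WLC2_CONFIG):
        print(f"MISMATCH user={user} {key}: primary={want!r} secondary={got!r}")
```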
CHAPTER 5
SRX Deployment
Prerequisites
Figure 17: The SRX Series Services Gateway Cluster
Before you begin configuring the SRX Series Services Gateway for the validated network design, ensure the following:
That all of the SRX Series devices to be configured in the cluster are of the same model and comprise the same modules.
That all of the SRX Series devices have the same version of Junos OS installed.
The configuration procedure provided in this section is for the SRX650. Although most of the steps are common across all SRX Series Services Gateways, the ports used to connect the SRX Series devices together to form a cluster may vary across SRX Series models. See the Juniper Networks support site for clustering details on your specific model of SRX Series Services Gateway.
Figure 18 on page 78 shows the SRX Series cluster setup for the validated network. To keep it simple, each device identifies the fabric and control links as local physical ports, because these are connected before configuring the SRX Series cluster (after the SRX Series cluster is configured, SRX650-2 will see these ports as ge-9/0/2 and ge-9/0/1). The remaining port identifiers are listed in the clustering context.
Unpack the SRX650 and connect a console cable to the serial port with the following settings: 9600, 8, 1 and none.
2. To access the SRX650 using the Junos OS CLI:
a. Connect one end of the console cable to the serial port adapter, plug the adapter into a serial port on the PC or laptop, and plug the other end of the cable into the console port on the SRX Series device.
b. Start the terminal emulation program on the PC or laptop, select the COM port, and configure the following port settings: 9600 (bits per second), 8 (data bits), none (parity), 1 (stop bits), and none (flow control).
c. Press the POWER button on the router, and verify that the POWER LED turns green.
d. Log in as root, and press Enter at the Password prompt. (When booting the factory
Amnesiac (ttyu0)
login: root
Password:
--- JUNOS 10.0R1.8 built 2009-08-01 09:23:09 UTC
f. At the % prompt, type cli to start the CLI and press Enter. The prompt changes to an angle bracket (>) when you enter CLI operational mode.
root@% cli
root>
g. At the (>) prompt, type configure and press Enter. The prompt changes from > to
root# set system root authentication plain-text-password (will prompt for password)
i. Remove some default configuration items from the SRX devices. This is done to make later configuration simpler.
NOTE: Not all of these settings may actually be configured on your device, but we include all these items for completeness.
delete system services dhcp
delete system services web-management http interface
delete system services web-management https interface
delete security zones
delete security policies
delete security nat
j. Use the commit command at the CLI prompt to activate the configuration.
commit
NOTE: The following process is for the SRX650. If you use another SRX model, the ports used to connect the two SRXs will be different than the process described below. Please see the Juniper Networks support site for clustering details on your specific model of SRX.
TIP: To connect the devices, it is helpful to know that after we create the cluster, the following interface assignments will occur:
ge-0/0/0 will be used as fxp0 for individual management of each of the devices.
ge-0/0/1 will become fxp1 and be used as the control link between the two devices (this is also documented in KB15356). This is not configurable.
The other interfaces are also renamed on the secondary device. For example, on an SRX650 device, the ge-0/0/0 interface is renamed to ge-9/0/0 on the secondary node 1. Refer to the complete mapping for each SRX Series device: Node Interfaces on Active SRX Series Chassis Clusters.
NOTE: The interfaces used for the control link, in this example ge-0/0/1, must be connected with a cable. A switch cannot be used for the control link connection. Also, you will need to decide on a third link to connect the devices, which will be used for the fabric link between the devices. In this case we will use ge-0/0/2, but you could use any other open port either onboard or on a gPIM.
b. Now connect ge-0/0/2 on SRX650-1 to ge-0/0/2 on SRX650-2.
4. Enable clustering on the SRX devices.
a. Set the devices in cluster mode with the following command and reboot the devices.
For example:
root> set chassis cluster cluster-id 1 node 0 reboot
root> set chassis cluster cluster-id 1 node 1 reboot
The cluster ID is the same on both devices, but the node ID must be different: node 0 on one device and node 1 on the other. Issue this command on both devices at the same time so that they boot up together. The range for the cluster ID is 0 to 15; setting it to 0 effectively disables cluster mode. After rebooting, the ge-0/0/0 and ge-0/0/1 interfaces become fxp0 and fxp1, respectively.
b. Check both SRX Series devices to ensure that the cluster is active and that the
NOTE: It may take a minute or two for the status to complete after booting, so you may need to enter this command more than once. The prompt on each SRX Series device displays the status and node information for the respective device.
{primary:node0}
root> show chassis cluster status
Cluster ID: 1
Node                  Priority  Status     Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                  1    primary    no       no
    node1                  1    secondary  no       no

{secondary:node1}
root> show chassis cluster status
Cluster ID: 1
Node                  Priority  Status     Preempt  Manual failover
[redundancy group rows for node1 lost in extraction; only the Preempt and Manual failover columns (no, no) survived]
When the primary and secondary status is confirmed, move to the next step. If you encounter any problems during this step, the following KB articles may be of use in diagnosing clustering problems: KB15503, KB20672, and KB20641.
5. Configure the SRX Series cluster.
NOTE: The following steps are all performed on the primary SRX Series device. The configuration is automatically copied over to the secondary SRX Series device when a configuration is committed.
We use the Junos OS group configuration feature for this operation. For more information on the group configuration feature, see the Day One book, Configuring Junos Basics, at www.juniper.net/us/en/community/junos/training-certification/day-one.
Configuring device-specific properties using the group command
Set up device-specific settings such as hostnames and management IP addresses. This is specific to each device and is the only part of the configuration that is unique to specific nodes. This is done by entering the following commands (all on the primary node):
root# config
root# set group node0 system host-name srx650-1
set group node0 interfaces fxp0 unit 0 family inet address 10.94.188.103/24
set group node1 system host-name srx650-2
set group node1 interfaces fxp0 unit 0 family inet address 10.94.188.104/24
NOTE: The apply-groups statement is set so that the configuration for each node set by the above commands applies only to that node.
root@srx650-1# commit
You should see the configuration applied to node0 and node1 when you issue a commit.
{primary:node0}[edit]
root# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete
c. Configure the Fabric Link
Create fab links (data plane links for RTO sync, etc.). You first need to delete any interface-specific configuration on the member interfaces. In this case ge-0/0/2 has an address assigned by default, so we will delete it.
root@srx650-1# set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-9/0/2
d. Configuring redundancy groups
Set up Redundancy Group 0 for the Routing Engine failover properties. Also set up Redundancy Group 1 (all the interfaces will be in one Redundancy Group in this example) to define the failover properties for the reth interfaces.
NOTE: If you want to use multiple Redundancy Groups for the interfaces, refer to the Security Configuration Guide.
root@srx650-1# set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
e. Configuring interface monitoring
Set up the Interface monitoring. Monitoring the health of the interfaces is one way to trigger Redundancy group failover.
root@srx650-1# set chassis cluster redundancy-group 1 interface-monitor ge-2/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-11/0/0 weight 255
f. Set up the reth interface. Set up the Redundant Ethernet interfaces (reth interfaces) and assign the redundant interface to a zone. Make sure that you set up your redundant interfaces as follows:
{primary:node0}
root@srx650-1# set chassis cluster reth-count 1
set interfaces ge-2/0/0 gigether-options redundant-parent reth0
set interfaces ge-11/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
root@srx650-1# set interfaces reth0 vlan-tagging
set interfaces reth0 unit 0 description "Unit 0 must be given a VLAN tag so using a dummy tag to align units to tags"
set interfaces reth0 unit 0 vlan-id 1
set interfaces reth0 unit 22 description "Internet Edge"
set interfaces reth0 unit 22 vlan-id 22
set interfaces reth0 unit 22 family inet address 10.10.22.254/24
set interfaces reth0 unit 28 description Management
set interfaces reth0 unit 28 vlan-id 28
set interfaces reth0 unit 28 family inet address 10.10.28.254/24
set interfaces reth0 unit 30 description "Guest Wired"
set interfaces reth0 unit 30 vlan-id 30
set interfaces reth0 unit 30 family inet address 10.10.30.254/24
set interfaces reth0 unit 32 description "Guest Wireless"
set interfaces reth0 unit 32 vlan-id 32
set interfaces reth0 unit 32 family inet address 10.10.32.254/24
root@srx650-1# set interfaces ge-2/0/1 description "primary internet connection"
set interfaces ge-2/0/1 unit 0 family inet address 10.94.191.233/24
set interfaces ge-11/0/2 description "Backup Internet Connection"
set interfaces ge-11/0/2 unit 0 family inet address 10.94.194.56/24
i. Commit the configuration. The configuration is copied to the secondary node srx650-2.
root@srx650-1# commit
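On the SRX650 the node1 interfaces are the node0 names with 9 added to the FPC slot (ge-0/0/0 becomes ge-9/0/0; ge-2/0/0 pairs with ge-11/0/0), so every fab member, reth member and interface-monitor entry above should come in node0/node1 pairs. This added example (not from the guide or Juniper) is a Python lint over constructed set lines that reports any node0 interface whose node1 twin is missing; the slot offset of 9 is an assumption taken from the guide's SRX650 examples and does not hold for other models.

```python
import re

# Constructed sample of the cluster-related 'set' lines in the style of the guide.
# The second reth0 member is deliberately wrong (ge-11/0/1 instead of ge-11/0/0)
# so the check has something to report.
CLUSTER_CONFIG = """\
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-9/0/2
set chassis cluster redundancy-group 1 interface-monitor ge-2/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-11/0/0 weight 255
set interfaces ge-2/0/0 gigether-options redundant-parent reth0
set interfaces ge-11/0/1 gigether-options redundant-parent reth0
"""

# Assumption: FPC slot offset of node1 in an SRX650 cluster (ge-0/0/0 -> ge-9/0/0).
# Other SRX models use a different offset; see Juniper's per-model mapping.
NODE1_SLOT_OFFSET = 9

IFD = re.compile(r"^(ge|xe)-(\d+)/(\d+)/(\d+)$")


def node1_name(ifname, offset=NODE1_SLOT_OFFSET):
    """Map a node0 physical interface to its name as seen on node1."""
    m = IFD.match(ifname)
    if not m:
        raise ValueError(f"unexpected interface name {ifname}")
    kind, fpc, pic, port = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    return f"{kind}-{fpc + offset}/{pic}/{port}"


def split_by_node(ifnames, offset=NODE1_SLOT_OFFSET):
    """Partition interface names into node0 (slot < offset) and node1 sets."""
    node0, node1 = set(), set()
    for name in ifnames:
        m = IFD.match(name)
        if not m:
            continue  # skip names the naming model does not cover (e.g. lo0)
        (node1 if int(m.group(2)) >= offset else node0).add(name)
    return node0, node1


def collect(config):
    """Gather physical interfaces per grouping: fab links, each reth's
    members, and the interface-monitor list."""
    groups = {"fab": set(), "interface-monitor": set()}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        if parts[:2] == ["set", "interfaces"] and parts[2].startswith("fab"):
            groups["fab"].add(parts[-1])
        elif "interface-monitor" in parts:
            groups["interface-monitor"].add(parts[parts.index("interface-monitor") + 1])
        elif "redundant-parent" in parts:
            groups.setdefault(parts[-1], set()).add(parts[2])
    return groups


def unpaired(config, offset=NODE1_SLOT_OFFSET):
    """Return (group, node0_if, expected_node1_if) for each node0 interface whose
    node1 twin is missing, and (group, None, node1_if) for node1 leftovers.
    An empty list means every grouping is symmetric across the two nodes."""
    problems = []
    for group, names in collect(config).items():
        node0, node1 = split_by_node(names, offset)
        for n0 in sorted(node0):
            twin = node1_name(n0, offset)
            if twin in node1:
                node1.discard(twin)
            else:
                problems.append((group, n0, twin))
        for n1 in sorted(node1):
            problems.append((group, None, n1))
    return problems


if __name__ == "__main__":
    for group, n0, n1 in unpaired(CLUSTER_CONFIG):
        print(f"{group}: node0={n0} node1={n1} not paired")
```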
NOTE: Even though we have configured interfaces, we will not have reachability because no security policies are in place yet.
The SRX Series Services Gateways use a zone-based model for security. The most basic configurations typically have just two zones: Trust (the inside) and Untrust (the outside). In our case we have four: Untrust, Guest, Management, and Internet_Edge.
a. Configure the Untrust security zone.
The Untrust zone is where the SRX Series devices connect to the Internet. This is considered the least trusted zone. We have configured our internet-facing ports in this zone.
root@srx650-1# set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-11/0/2.0
set security zones security-zone untrust interfaces ge-2/0/1.0
b. Configure the Guest security zone.
root@srx650-1# set security zones security-zone Guest address-book address Guest_Wired 10.10.30.0/24
set security zones security-zone Guest address-book address Guest_Wireless 10.10.32.0/24
set security zones security-zone Guest host-inbound-traffic system-services ping
set security zones security-zone Guest host-inbound-traffic system-services traceroute
set security zones security-zone Guest interfaces reth0.30 host-inbound-traffic system-services dhcp
set security zones security-zone Guest interfaces reth0.30 host-inbound-traffic system-services bootp
set security zones security-zone Guest interfaces reth0.32 host-inbound-traffic system-services dhcp
set security zones security-zone Guest interfaces reth0.32 host-inbound-traffic system-services bootp
c. Configure the Management security zone.
root@srx650-1# set security zones security-zone Management host-inbound-traffic system-services ssh
set security zones security-zone Management host-inbound-traffic system-services http
set security zones security-zone Management host-inbound-traffic system-services https
set security zones security-zone Management host-inbound-traffic system-services ping
set security zones security-zone Management host-inbound-traffic system-services snmp
set security zones security-zone Management host-inbound-traffic system-services traceroute
set security zones security-zone Management interfaces reth0.28
d. Configure the Internet Edge security zone.
The majority of the networks are contained in the Internet_Edge zone. We use the address-book feature to map the networks in this zone to user-friendly names, which makes management easier: policies that reference these names are easier to understand than policies that use only subnet designations. We also need to allow OSPF in this zone, because we exchange routing information with the EX Series switch in this zone.
root@srx650-1# set security zones security-zone Internet_Edge address-book address Data_Wired_1 10.10.10.0/24
set security zones security-zone Internet_Edge address-book address Data_Wired_2 10.10.12.0/24
set security zones security-zone Internet_Edge address-book address VOIP_Wired_1 10.10.14.0/24
set security zones security-zone Internet_Edge address-book address VOIP_Wired_2 10.10.16.0/24
set security zones security-zone Internet_Edge address-book address Data_Wireless_1 10.10.18.0/24
set security zones security-zone Internet_Edge address-book address Servers 10.10.24.0/24
set security zones security-zone Internet_Edge address-book address Access_Points 10.10.26.0/24
set security zones security-zone Internet_Edge address-book address Management 10.10.28.0/24
set security zones security-zone Internet_Edge address-book address Guest_Wired 10.10.30.0/24
set security zones security-zone Internet_Edge address-book address Guest_Wireless 10.10.32.0/24
set security zones security-zone Internet_Edge host-inbound-traffic system-services ping
set security zones security-zone Internet_Edge host-inbound-traffic system-services traceroute
set security zones security-zone Internet_Edge host-inbound-traffic protocols ospf
set security zones security-zone Internet_Edge interfaces reth0.22
7. Configuring Security Policies.
a. Configure Guest user policy.
root@srx650-1# set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wireless
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wired
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match destination-address any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match application any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet then permit
b. Configure Internet Edge security policy.
root@srx650-1# set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wired_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wired_2
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wireless_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Servers
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address VOIP_Wired_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address VOIP_Wired_2
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match destination-address any
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match application any
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet then permit
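As an added example (not part of this guide or Juniper's tooling), here is a Python check over constructed set security lines that verifies two properties of the zone and policy design just shown: every address a policy references is defined in the matching zone's address book (Junos rejects undefined references at commit), and the Guest zone is only ever permitted towards untrust, so guest users stay isolated from the corporate zones by the default deny. The policy named oops is constructed to trigger both findings.

```python
import re
from collections import defaultdict

# Constructed sample in the guide's 'set security ...' style: four zones, the two
# permit policies from the design, and one deliberately bad Guest -> Internet_Edge
# policy ('oops') that references an address the Guest zone never defined.
SRX_CONFIG = """\
set security zones security-zone untrust interfaces ge-2/0/1.0
set security zones security-zone Guest address-book address Guest_Wired 10.10.30.0/24
set security zones security-zone Guest address-book address Guest_Wireless 10.10.32.0/24
set security zones security-zone Management interfaces reth0.28
set security zones security-zone Internet_Edge address-book address Data_Wired_1 10.10.10.0/24
set security zones security-zone Internet_Edge address-book address Servers 10.10.24.0/24
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wireless
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wired
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match destination-address any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match application any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet then permit
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wired_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match destination-address any
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match application any
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet then permit
set security policies from-zone Guest to-zone Internet_Edge policy oops match source-address Guest_LAN
set security policies from-zone Guest to-zone Internet_Edge policy oops match destination-address Servers
set security policies from-zone Guest to-zone Internet_Edge policy oops match application any
set security policies from-zone Guest to-zone Internet_Edge policy oops then permit
"""

ZONE_ADDR = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
ZONE_ANY = re.compile(r"^set security zones security-zone (\S+)")
POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.*)$")


def parse(config):
    """Return (books, policies): books = {zone: {name: prefix}},
    policies = {(from_zone, to_zone, name): {source, destination, application, action}}."""
    books, policies = defaultdict(dict), {}
    for raw in config.splitlines():
        line = raw.strip()
        if (m := ZONE_ADDR.match(line)):
            zone, name, prefix = m.groups()
            books[zone][name] = prefix
        elif (m := ZONE_ANY.match(line)):
            books.setdefault(m.group(1), {})  # zone exists even without addresses
        elif (m := POLICY.match(line)):
            frm, to, name, clause, rest = m.groups()
            pol = policies.setdefault((frm, to, name),
                                      {"source": [], "destination": [], "application": [], "action": None})
            if clause == "then":
                pol["action"] = rest.split()[0]
            else:
                field, value = rest.split(None, 1)
                pol[field.split("-")[0]].append(value)  # source-address -> source, etc.
    return books, policies


def undefined_addresses(config):
    """Addresses a policy names that the relevant zone's address book does not
    define ('any' is built in). Source names resolve in the from-zone, destination
    names in the to-zone, which is how the zone-attached address books are scoped."""
    books, policies = parse(config)
    missing = []
    for (frm, to, name), pol in policies.items():
        missing += [(name, "source-address", a) for a in pol["source"]
                    if a != "any" and a not in books.get(frm, {})]
        missing += [(name, "destination-address", a) for a in pol["destination"]
                    if a != "any" and a not in books.get(to, {})]
    return missing


def permitted_pairs(config):
    """(from-zone, to-zone) pairs with at least one permit policy; any pair
    absent from this set falls through to the SRX default deny."""
    _, policies = parse(config)
    return {(f, t) for (f, t, _), p in policies.items() if p["action"] == "permit"}


def guest_isolated(config, guest_zone="Guest", internet_zone="untrust"):
    """True when the guest zone is only ever permitted towards the Internet zone,
    which is the isolation property the design relies on."""
    return all(t == internet_zone for f, t in permitted_pairs(config) if f == guest_zone)


if __name__ == "__main__":
    print("undefined:", undefined_addresses(SRX_CONFIG))
    print("guest isolated:", guest_isolated(SRX_CONFIG))
```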
8. Configuring routing and OSPF.
a. Configure routes.
root@srx650-1# set routing-options static route 0.0.0.0/0 qualified-next-hop 10.94.194.254 preference 20
set routing-options static route 0.0.0.0/0 qualified-next-hop 10.94.191.254 preference 10
b. Configure OSPF.
root@srx650-1# commit
d. You can see the internal networks advertised by OSPF by using the show route command.
After configuring the zones and policies you can reach your internal interfaces and external gateways. Use the ping command to verify basic reachability.
10. Configuring NAT
a. Configure the Guest NAT policy.
root@srx650-1# set security nat source rule-set Guest-to-untrust from zone Guest
set security nat source rule-set Guest-to-untrust to zone untrust
set security nat source rule-set Guest-to-untrust rule Guest-source-nat match source-address 0.0.0.0/0
set security nat source rule-set Guest-to-untrust rule Guest-source-nat then source-nat interface
b. Configure the Internet Edge NAT policy.
root@srx650-1# set security nat source rule-set Internet_Edge-to-untrust from zone Internet_Edge
set security nat source rule-set Internet_Edge-to-untrust to zone untrust
set security nat source rule-set Internet_Edge-to-untrust rule Internet_Edge-source-nat match source-address 0.0.0.0/0
set security nat source rule-set Internet_Edge-to-untrust rule Internet_Edge-source-nat then source-nat interface
11. Configuring DHCP services for guest VLANs
set system services dhcp pool 10.10.30.0/24 domain-name xyzcompany.com
set system services dhcp pool 10.10.30.0/24 name-server 208.67.220.220
set system services dhcp pool 10.10.30.0/24 name-server 208.67.222.222
set system services dhcp pool 10.10.30.0/24 router 10.10.30.254
set system services dhcp pool 10.10.32.0/24 address-range low 10.10.32.11
set system services dhcp pool 10.10.32.0/24 address-range high 10.10.32.250
set system services dhcp pool 10.10.32.0/24 domain-name xyzcompany.com
set system services dhcp pool 10.10.32.0/24 name-server 208.67.220.220
set system services dhcp pool 10.10.32.0/24 name-server 208.67.222.222
set system services dhcp pool 10.10.32.0/24 router 10.10.32.254
You are now configured to access the Internet from your internal user networks. When you connect to the Internet from inside the network, the traffic is NATed. To view the network sessions and verify that NAT is taking place properly, issue the command show security flow session nat (to see all flows, remove the keyword nat). The following example shows NAT performed for a session: source address 10.10.10.52 is translated to the external address 10.94.191.233, and the destination address is 173.194.79.104.
root@srx650-1> show security flow session nat
node0:
--------------------------------------------------------------------------
Session ID: 15945, Policy name: allow-Internet_Edge-to-internet/5, State: Active, Timeout: 1798, Valid
  In: 10.10.10.52/3296 --> 173.194.79.104/80;tcp, If: reth0.22, Pkts: 0, Bytes: 0
  Out: 173.194.79.104/80 --> 10.94.191.233/60064;tcp, If: ge-2/0/1.0, Pkts: 36, Bytes: 37380
Total sessions: 1
13. Configuring General Settings.
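To verify translation from the session table rather than by eye, here is an added Python example (not from the guide or Juniper) that parses show security flow session nat output and pairs each session's In and Out wings to recover the original source, the translated source and the destination. The output it reads is a constructed copy of the session above with a second, guest session added.

```python
import re

# Constructed copy of the guide's session output, plus a second (guest) session
# so the parser is exercised on more than one entry.
SESSION_OUTPUT = """\
node0:
--------------------------------------------------------------------------
Session ID: 15945, Policy name: allow-Internet_Edge-to-internet/5, State: Active, Timeout: 1798, Valid
  In: 10.10.10.52/3296 --> 173.194.79.104/80;tcp, If: reth0.22, Pkts: 0, Bytes: 0
  Out: 173.194.79.104/80 --> 10.94.191.233/60064;tcp, If: ge-2/0/1.0, Pkts: 36, Bytes: 37380
Session ID: 15946, Policy name: allow-guest-to-internet/4, State: Active, Timeout: 1790, Valid
  In: 10.10.32.17/51000 --> 208.67.222.222/53;udp, If: reth0.32, Pkts: 1, Bytes: 70
  Out: 208.67.222.222/53 --> 10.94.191.233/20111;udp, If: ge-2/0/1.0, Pkts: 1, Bytes: 86
Total sessions: 2
"""

SESSION = re.compile(r"^Session ID: (\d+), Policy name: (\S+)/\d+, State: (\w+)")
WING = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+),")


def parse_sessions(text):
    """Return one dict per session with its 'in' and 'out' wings decoded."""
    sessions, cur = [], None
    for line in text.splitlines():
        if (m := SESSION.match(line)):
            cur = {"id": int(m.group(1)), "policy": m.group(2), "state": m.group(3)}
            sessions.append(cur)
        elif (m := WING.match(line)) and cur is not None:
            wing, src, sport, dst, dport, proto, ifname = m.groups()
            cur[wing.lower()] = {"src": src, "sport": int(sport), "dst": dst,
                                 "dport": int(dport), "proto": proto, "if": ifname}
    return sessions


def nat_translation(session):
    """Derive (original_src, translated_src, destination) from the two wings.

    The Out wing describes the reverse direction (server back to the SRX), so
    its destination is the address source NAT substituted for the client.
    """
    inn, out = session["in"], session["out"]
    if inn["dst"] != out["src"] or inn["proto"] != out["proto"]:
        raise ValueError(f"wings of session {session['id']} do not match")
    return inn["src"], out["dst"], inn["dst"]


def translated_sessions(text):
    """(policy, original_src, translated_src, dst) for each session whose source
    address was actually changed; sessions without both wings or with no
    translation are left out."""
    result = []
    for s in parse_sessions(text):
        if "in" not in s or "out" not in s:
            continue
        orig, xlat, dst = nat_translation(s)
        if orig != xlat:
            result.append((s["policy"], orig, xlat, dst))
    return result


if __name__ == "__main__":
    for policy, orig, xlat, dst in translated_sessions(SESSION_OUTPUT):
        print(f"{policy}: {orig} -> {xlat} to {dst}")
```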
Configure DNS.
root@srx650-1# set system name-server 10.10.24.100
set system domain-name xyzcompany.com
Configure LLDP.
root@srx650-1# set protocols lldp interface ge-2/0/0.0
set protocols lldp interface ge-11/0/0.0
PART 3
Appendix
Next Steps on page 93
Virtual Chassis on page 95
Configuring DHCP on EX Series Ethernet Switches on page 103
Configurations Used in This Guide on page 105
Bill of Materials on page 161
APPENDIX A
Next Steps
Next Steps
The base network infrastructure is now in place and ready for site-specific customization. Some of the common items you will likely want to configure are listed below. We have also identified some additional reading materials that may be helpful.
Set up a RADIUS server and configure the wireless LAN controllers to use RADIUS authentication of wireless users (see the Juniper Networks Mobility System Software Configuration Guide).
Configure NTP for all devices to keep network devices in sync.
Configure QoS.
Configure additional security policies.
Juniper Networks Mobility System Software Configuration Guide.
Complete Software Guide for Junos OS for EX Series Ethernet Switches: Release 11.4.
Junos OS for SRX Series: Release 11.4.
Configuring EX Series Ethernet Switches.
Deploying Basic QoS.
Deploying SRX Series Services Gateways.
APPENDIX B
Virtual Chassis
Virtual Chassis Advantage on page 95
Types of Virtual Chassis on page 95
Pre-Provisioning the Virtual Chassis on page 98
Virtual Chassis Base Configuration on page 101
Layer 3 Configuration on page 101
the basic setup as listed in the Quick Start guide that comes with the switch. After setup, go to the section Global Setup for EX Series Switches.
Dedicated Mode
The dedicated mode is the most common method of connecting adjacent EX4500 or EX4200 Series switches into a single Virtual Chassis. As mentioned earlier, dedicated mode involves interconnecting the switches using the special Virtual Chassis ports (VCPs) at the back of the switch. This is the most common type of EX Series Virtual Chassis configuration. There are two commonly used methods of cabling when connecting EX Series switches together: daisy chained and braided ring.
NOTE: Although Juniper Networks recommends using one of these two switch topologies, other topologies are supported, but that is beyond the scope of this document.
Extended Mode
The Extended Virtual Chassis method enables switches to be part of a single Virtual Chassis even when the switches are far apart. You can use the optional uplink modules on the EX4200 switch to connect multiple switches, using 1-Gigabit Ethernet and 10-Gigabit Ethernet links, to provide great flexibility in how a network is configured. For example, you could have multiple wiring closets on a single floor managed as a single device. This simplifies many operational tasks, because this reduces the number of individual devices that must be managed.
Mixed Mode
The mixed mode Virtual Chassis enables you to interconnect more than one type of switch to act as a single Virtual Chassis. Currently only supported between the EX4500 and EX4200 Series switches, this provides the ability to have high-density 10-Gigabit Ethernet and 1-Gigabit Ethernet in the same Virtual Chassis. This topic provides configuration examples for each of these Virtual Chassis types.
NOTE: The Juniper Networks EX3300 Series switch and Juniper Networks EX8200 series switches also support the Virtual Chassis flexible scaling solution, but this information lies outside the scope of this document.
Other Virtual Chassis notes:
When you have a two-member Virtual Chassis, we recommend that you disable split detection.
When you have three or more members in a Virtual Chassis, we recommend that you do not place uplinks on the master Routing Engine.
NOTE: If you do not pre-provision the Virtual Chassis, the devices are numbered in the order in which they come up. For example, suppose you have five switches in a Virtual Chassis and you turn on the middle switch, say #3, first: it becomes slot 0. You then turn on the top switch, and it becomes slot 1. If you turn on the remaining switches at about the same time, the rest of the slots are filled at random, so you may end up with chassis numbering something like this (top to bottom):
Slot 1
Slot 4
Slot 0
Slot 3
Slot 2
This is quite confusing, but completely operational. You can re-assign slots later to make a more logical chassis, but it is easier to avoid this in the first place. If you do end up doing something like this or are just curious, see the instructions in Virtual Chassis on page 95.
Prerequisites: The switches need to be set at factory defaults to follow this process.
To pre-provision the Virtual Chassis:
1. Understand what type of Virtual Chassis you will be setting up: dedicated, extended, or mixed. If you are unsure, see Dedicated Mode on page 96.
2. Go through the initial setup process for the switch as described in Virtual Chassis on page 95.
3. Identify the serial numbers of the other switches that will be part of this Virtual Chassis. Then decide what their function will be: either Routing Engine or line card. You can have only two switches configured as Routing Engines, and one of them will be slot 0 (the first device that was booted). You can change the roles of devices later if required. The following is a sample set of configuration statements for a four-member Virtual Chassis specifying each member's role and slot by serial number.
root@EX4542-vc1# set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number GX0211411253
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number GX0211411250
set virtual-chassis member 2 role line-card
set virtual-chassis member 2 serial-number FP0211333181
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333260
4. Determine if you need to disable split detection.
If your Virtual Chassis has only two members, go to step 5, Disable split detection. If your Virtual Chassis has more than two members, go to Step 6, Step 7, and Step 8, as appropriate for the type of Virtual Chassis you want to set up (dedicated mode, extended mode, or mixed mode).
NOTE: Virtual Chassis Split Detection. Split detection is designed to avoid a possible dual-active, or split-brain, condition in which the chassis loses multiple Virtual Chassis connections and becomes partitioned into two separate Virtual Chassis. The default behavior is for the primary Routing Engine to disable itself and the backup Routing Engine (RE) to promote itself to master. In a two-switch Virtual Chassis, however, this is not desirable: for example, if the backup RE is powered off, the master RE will stop forwarding traffic. Therefore we recommend disabling this feature in a two-switch configuration. For more information, read about Virtual Chassis in the Junos OS documentation for Juniper Networks EX Series Ethernet Switches. The following command disables split detection:
set virtual-chassis no-split-detection
If you have a dedicated Virtual Chassis (that is, if the members are all of the same type, say all EX4200 or all EX4500 switches), no additional commands are necessary.
a. You can cable up the remaining members using the VCP ports on the back of the
                                    Mstr           Mixed Neighbor List
Serial No     Model        prio  Role      Mode  ID  Interface
GX0211411253  ex4500-40f    129  Master*   Y      3  vcp-1
                                                  1  vcp-0
                                           Y      0
                                                  2
                                           Y      1
                                                  3
                                           Y      2
                                                  0
c. Proceed to Virtual Chassis Base Configuration on page 101.
7. Set up an extended mode Virtual Chassis.
Some Virtual Chassis members are connected together using 1-Gigabit Ethernet or 10-Gigabit Ethernet ports configured as Virtual Chassis extended (VCe) ports.
The following is an operational mode command and will not appear in the configuration. Once a port has been set this way, the option to configure it in configuration mode will no longer appear.
request virtual-chassis vc-port set pic-slot <pic-slot> port <port> member-id <member-id>
8. Set up a mixed mode Virtual Chassis.
specifically configured to support mixed mode operation. If not, the entire chassis will be active. The command to change modes is an operational command and therefore does not show up in the configuration.
request virtual-chassis mode mixed
b. To verify that the chassis is indeed in mixed mode, view the status by issuing the operational command show virtual-chassis and look for the line Virtual Chassis Mode:
root@EX4542-vc1> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: 762b.b071.4181
Virtual Chassis Mode: Mixed
c. You can now cable up the remaining members using the VCP ports on the back of the units and power them up. Verify that all of the members are active by running the show virtual-chassis command.
root@EX4542-vc1> show virtual-chassis
Preprovisioned Virtual Chassis
Virtual Chassis ID: 762b.b071.4181
Virtual Chassis Mode: Mixed
                                                Mstr           Mixed Neighbor List
Member ID  Status  Serial No     Model        prio  Role      Mode  ID  Interface
0 (FPC 0)  Prsnt   GX0211411253  ex4500-40f    129  Master*   Y      3  vcp-1
                                                                     1  vcp-0
1 (FPC 1)  Prsnt   GX0211411250  ex4500-40f    129  Backup    Y      0  vcp-1
                                                                     2
2 (FPC 2)  Prsnt                                 0  Linecard  Y      1
                                                                     3
3 (FPC 3)  Prsnt                                 0  Linecard  Y      2
                                                                     0
d. To change a Virtual Chassis back to non-mixed mode, issue the following command:
Virtual Chassis Base Configuration
1. commit synchronize
This statement ensures that whenever you issue a commit command, the commit is synchronized with all of the other members of the Virtual Chassis. Without it in the configuration, you would have to issue commit synchronize after every change instead of just commit.
set system commit synchronize
2. non-stop bridging
This command replicates bridging protocol information between master and backup Routing Engines.
set ethernet-switching-options nonstop-bridging
3. graceful switchover
Graceful switchover should be configured on any multichassis Virtual Chassis to ensure that the master and backup Routing Engines are in sync.
root@EX4542-vc1# set chassis redundancy graceful-switchover
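The pre-provisioning and base-configuration steps in this appendix translate into a short audit that can be run over a switch's set-format configuration before it is committed. The Python script below is an added example, not code from this guide or from Junos OS; the sample configuration strings are constructed from the statements shown in this appendix, and the checks are the recommendations given here (pre-provisioning, at most two Routing Engines, no-split-detection on a two-member Virtual Chassis only, commit synchronize, nonstop-bridging, graceful switchover). The function names are this example's own.

```python
"""Audit a Junos set-format configuration against the Virtual Chassis guidance above.

Added example; not code from this guide or from Junos OS. Checks:
  * the Virtual Chassis is pre-provisioned (member IDs tied to serial numbers),
  * no more than two members carry the routing-engine role,
  * every member has both a role and a serial-number,
  * a two-member Virtual Chassis has no-split-detection, and a larger one does not,
  * commit synchronize, nonstop-bridging and graceful-switchover are present.
"""
from __future__ import annotations

import re

MEMBER_RE = re.compile(r"^set virtual-chassis member (\d+) (role|serial-number) (\S+)$")

# Base statements the appendix asks for on every multimember Virtual Chassis.
REQUIRED_BASE = {
    "set system commit synchronize": "commits are not synchronized to all members",
    "set ethernet-switching-options nonstop-bridging": "bridging state is not replicated to the backup RE",
    "set chassis redundancy graceful-switchover": "master and backup REs are not kept in sync",
}

# Constructed sample: the two-member EX4200vc2 statements from this guide,
# with no-split-detection left out so the audit has something to report.
SAMPLE_TWO_MEMBER = """
set system commit synchronize
set chassis redundancy graceful-switchover
set ethernet-switching-options nonstop-bridging
set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333245
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number FP0211333274
"""

# Constructed sample of a badly built four-member chassis (serial numbers taken
# from the four-member example in this appendix): not pre-provisioned, three
# routing engines, a member without a serial number, split detection wrongly disabled.
SAMPLE_FOUR_MEMBER_BAD = """
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number GX0211411253
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number GX0211411250
set virtual-chassis member 2 role routing-engine
set virtual-chassis member 2 serial-number FP0211333181
set virtual-chassis member 3 role line-card
set virtual-chassis no-split-detection
"""


def parse_members(config: str) -> dict[int, dict[str, str]]:
    """Collect role and serial-number per member ID from 'set virtual-chassis member' lines."""
    members: dict[int, dict[str, str]] = {}
    for line in config.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            members.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return members


def audit_virtual_chassis(config: str) -> list[str]:
    """Return a list of findings; an empty list means the configuration follows the guidance."""
    statements = {line.strip() for line in config.splitlines() if line.strip()}
    members = parse_members(config)
    findings: list[str] = []

    if "set virtual-chassis preprovisioned" not in statements:
        findings.append("not pre-provisioned: member IDs depend on boot order")

    routing_engines = [i for i, m in members.items() if m.get("role") == "routing-engine"]
    if len(routing_engines) > 2:
        findings.append(f"{len(routing_engines)} routing-engine members; at most two allowed")
    if members and not routing_engines:
        findings.append("no routing-engine member defined")

    for member_id, attrs in sorted(members.items()):
        if "serial-number" not in attrs:
            findings.append(f"member {member_id} has a role but no serial-number")
        if "role" not in attrs:
            findings.append(f"member {member_id} has a serial-number but no role")

    split_detection_disabled = "set virtual-chassis no-split-detection" in statements
    if len(members) == 2 and not split_detection_disabled:
        findings.append("two-member Virtual Chassis without no-split-detection")
    if len(members) > 2 and split_detection_disabled:
        findings.append("no-split-detection set on a Virtual Chassis with more than two members")

    for statement, consequence in REQUIRED_BASE.items():
        if statement not in statements:
            findings.append(f"missing '{statement}': {consequence}")
    return findings


if __name__ == "__main__":
    for name, sample in (("two-member", SAMPLE_TWO_MEMBER), ("four-member", SAMPLE_FOUR_MEMBER_BAD)):
        print(name, audit_virtual_chassis(sample) or ["ok"])
```

The audit works on the set-command form of the configuration (show configuration | display set) so that it can be run on a saved file before commit; it deliberately treats a missing serial number as a finding, because a pre-provisioned member without one can never join the chassis.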
Layer 3 Configuration
To configure DHCP on a Virtual Chassis:
1. Configure the DHCP pool:
root@host# set system services dhcp pool <network/subnet-mask> address-range low <starting-ip-address>
set system services dhcp pool <network/subnet-mask> address-range high <ending-ip-address>
set system services dhcp pool <network/subnet-mask> domain-name xyzcompany.com
set system services dhcp pool <network/subnet-mask> name-server <name-server>
set system services dhcp pool <network/subnet-mask> router <default-gateway-ip-address>
root@host# set routing-options static route 0.0.0.0/0 next-hop <ip-address>
4. Configure routing protocols
APPENDIX C
Configuring DHCP on EX Series Ethernet Switches
DHCP configuration requires the following:
IP interface configured on each VLAN that will receive DHCP
IP address pool and pool range to be allocated to users on each VLAN that will receive DHCP
Default gateway for users on each VLAN
Domain name for users
Name server for users
The sample that follows shows DHCP configured for the management VLAN presented in this guide. We already have the IP address configured as 10.10.28.1 for this VLAN. (See the core switch setup for more details.)
set system services dhcp pool 10.10.28.0/24
set system services dhcp pool 10.10.28.0/24 address-range low 10.10.28.11 high 10.10.28.250
set system services dhcp pool 10.10.28.0/24 router 10.10.28.1
set system services dhcp pool 10.10.28.0/24 domain-name xyzcompany.com
set system services dhcp pool 10.10.28.0/24 name-server 10.10.24.100
To view statistics:
show system services dhcp statistics
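Before committing a pool such as the one above, it is worth checking that the address range, router, and name server agree with the pool prefix: a range that spans the gateway or the broadcast address hands out unusable or conflicting leases, and a prefix written with host bits set is rejected only at commit time. The Python script below is an added example, not code from this guide or from Junos OS; it validates a pool description and renders the same set statements shown above. The DhcpPool class and the function names are this example's own.

```python
"""Validate a DHCP pool description before rendering it as Junos set statements.

Added example; not code from this guide or from Junos OS. The DhcpPool class
and the function names are this example's own. It catches the mistakes that
silently produce broken leases: a range outside the prefix, a range that
includes the network or broadcast address, a gateway inside the leased range,
or a prefix written with host bits set.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpPool:
    network: str      # pool prefix, e.g. "10.10.28.0/24"
    low: str          # first address handed out
    high: str         # last address handed out
    router: str       # default gateway handed to clients
    domain_name: str
    name_server: str


def validate_pool(pool: DhcpPool) -> list[str]:
    """Return the problems found; an empty list means the pool is self-consistent."""
    problems: list[str] = []
    try:
        net = ipaddress.ip_network(pool.network, strict=True)  # strict rejects host bits set
    except ValueError as exc:
        return [f"bad network {pool.network!r}: {exc}"]

    addrs = {}
    for field in ("low", "high", "router", "name_server"):
        try:
            addrs[field] = ipaddress.ip_address(getattr(pool, field))
        except ValueError:
            problems.append(f"{field} is not a valid IP address")
    if problems:
        return problems

    low, high, router = addrs["low"], addrs["high"], addrs["router"]
    if low not in net or high not in net:
        problems.append("address range is not inside the pool network")
    elif low > high:
        problems.append("address-range low is above high")
    elif low == net.network_address or high == net.broadcast_address:
        problems.append("address range includes the network or broadcast address")
    if router not in net:
        problems.append("router is not inside the pool network")
    elif low <= router <= high:
        problems.append("router address lies inside the leased range")
    if not pool.domain_name:
        problems.append("domain-name is empty")
    return problems


def render_set_commands(pool: DhcpPool) -> list[str]:
    """Render the pool as the set statements used in this appendix, refusing an inconsistent pool."""
    problems = validate_pool(pool)
    if problems:
        raise ValueError("; ".join(problems))
    base = f"set system services dhcp pool {pool.network}"
    return [
        base,
        f"{base} address-range low {pool.low} high {pool.high}",
        f"{base} router {pool.router}",
        f"{base} domain-name {pool.domain_name}",
        f"{base} name-server {pool.name_server}",
    ]


# The management VLAN pool from this guide (gateway 10.10.28.1, name server 10.10.24.100).
MANAGEMENT_POOL = DhcpPool(
    network="10.10.28.0/24",
    low="10.10.28.11",
    high="10.10.28.250",
    router="10.10.28.1",
    domain_name="xyzcompany.com",
    name_server="10.10.24.100",
)

if __name__ == "__main__":
    for line in render_set_commands(MANAGEMENT_POOL):
        print(line)
    # Constructed bad pool: the gateway sits inside the leased range.
    clash = DhcpPool("10.10.28.0/24", "10.10.28.1", "10.10.28.250", "10.10.28.1", "xyzcompany.com", "10.10.24.100")
    print(validate_pool(clash))
```

The range check is ordered so that only the first structural problem is reported for the range itself, while the router and domain-name checks run independently; a pool that fails any check is never rendered, which keeps an inconsistent set of statements from reaching a commit.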
APPENDIX D
Configurations Used in This Guide
EX4200vc1 Set Commands on page 105
EX4200vc1 Configuration Statements on page 108
EX4200vc2 Set Commands on page 116
EX4200vc2 Configuration Statements on page 117
EX4200vc3 Set Commands on page 121
EX4200vc3 Configuration Statements on page 123
EX4542vc1 Set Commands on page 127
EX4542vc1 Configuration Statements on page 131
WLC-1 Configuration on page 147
WLC-2 Configuration on page 148
SRX650 Cluster Set Commands on page 149
SRX650 Cluster Configuration Statements on page 152
EX4200vc1 Set Commands
set interfaces interface-range Wired_Voice member-range ge-0/0/27 to ge-0/0/47
set interfaces interface-range Wired_Voice member-range ge-1/0/27 to ge-1/0/47
set interfaces interface-range Wired_Voice member-range ge-2/0/27 to ge-2/0/47
set interfaces interface-range Wired_Voice member-range ge-3/0/27 to ge-3/0/47
set interfaces interface-range Wired_Voice unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access_Points member-range ge-0/0/0 to ge-0/0/4
set interfaces interface-range Access_Points member-range ge-1/0/0 to ge-1/0/4
set interfaces interface-range Access_Points member-range ge-2/0/0 to ge-2/0/4
set interfaces interface-range Access_Points member-range ge-3/0/0 to ge-3/0/4
set interfaces interface-range Access_Points unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces ge-0/0/2 unit 0 family ethernet-switching
set interfaces ge-0/0/3 unit 0 family ethernet-switching
set interfaces ge-0/0/4 unit 0 family ethernet-switching
set interfaces ge-0/0/5 unit 0 family ethernet-switching
set interfaces ge-0/0/6 unit 0 family ethernet-switching
set interfaces ge-0/0/7 unit 0 family ethernet-switching
set interfaces ge-0/0/8 unit 0 family ethernet-switching
set interfaces ge-0/0/9 unit 0 family ethernet-switching
set interfaces ge-0/0/10 unit 0 family ethernet-switching
set interfaces ge-0/0/11 unit 0 family ethernet-switching
set interfaces ge-0/0/12 unit 0 family ethernet-switching
set interfaces ge-0/0/13 unit 0 family ethernet-switching
set interfaces ge-0/0/14 unit 0 family ethernet-switching
set interfaces ge-0/0/15 unit 0 family ethernet-switching
set interfaces ge-0/0/16 unit 0 family ethernet-switching
set interfaces ge-0/0/17 unit 0 family ethernet-switching
set interfaces ge-0/0/18 unit 0 family ethernet-switching
set interfaces ge-0/0/19 unit 0 family ethernet-switching
set interfaces ge-0/0/20 unit 0 family ethernet-switching
set interfaces ge-0/0/21 unit 0 family ethernet-switching
set interfaces ge-0/0/22 unit 0 family ethernet-switching
set interfaces ge-0/0/23 unit 0 family ethernet-switching
set interfaces ge-0/0/24 unit 0 family ethernet-switching
set interfaces ge-0/0/25 unit 0 family ethernet-switching
set interfaces ge-0/0/26 unit 0 family ethernet-switching
set interfaces ge-0/0/27 unit 0 family ethernet-switching
set interfaces ge-0/0/28 unit 0 family ethernet-switching
set interfaces ge-0/0/29 unit 0 family ethernet-switching
set interfaces ge-0/0/30 unit 0 family ethernet-switching
set interfaces ge-0/0/31 unit 0 family ethernet-switching
set interfaces ge-0/0/32 unit 0 family ethernet-switching
set interfaces ge-0/0/33 unit 0 family ethernet-switching
set interfaces ge-0/0/34 unit 0 family ethernet-switching
set interfaces ge-0/0/35 unit 0 family ethernet-switching
set interfaces ge-0/0/36 unit 0 family ethernet-switching
set interfaces ge-0/0/37 unit 0 family ethernet-switching
set interfaces ge-0/0/38 unit 0 family ethernet-switching
set interfaces ge-0/0/39 unit 0 family ethernet-switching
set interfaces ge-0/0/40 unit 0 family ethernet-switching
set interfaces ge-0/0/41 unit 0 family ethernet-switching
set interfaces ge-0/0/42 unit 0 family ethernet-switching
set interfaces ge-0/0/43 unit 0 family ethernet-switching
set interfaces ge-0/0/44 unit 0 family ethernet-switching
set interfaces ge-0/0/45 unit 0 family ethernet-switching
set interfaces ge-0/0/46 unit 0 family ethernet-switching
set interfaces ge-0/0/47 unit 0 family ethernet-switching
set interfaces xe-0/1/0 unit 0 family ethernet-switching
set interfaces xe-0/1/2 ether-options 802.3ad ae0
set interfaces ge-1/0/0 unit 0 family ethernet-switching
set interfaces xe-2/1/2 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members Data_Wired_1
set interfaces ae0 unit 0 family ethernet-switching vlan members VOIP_Wired_1
set interfaces ae0 unit 0 family ethernet-switching vlan members Management
set interfaces ae0 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces vlan unit 28 family inet address 10.10.28.244/24
set interfaces vme unit 0 family inet address 10.94.188.91/24
set routing-options static route 0.0.0.0/0 next-hop 10.10.28.1
set protocols igmp-snooping vlan all
set protocols rstp interface ae0.0 disable
set protocols lldp interface all
set protocols lldp-med interface all
set ethernet-switching-options secure-access-port vlan Data_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_1 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_1 ip-source-guard
set ethernet-switching-options nonstop-bridging
set ethernet-switching-options storm-control interface all
set vlans Data_Wired_1 vlan-id 10
set vlans Data_Wired_1 interface Wired_Data
set vlans Guest_Wired vlan-id 30
set vlans Management vlan-id 28
set vlans Management interface Access_Points
set vlans Management l3-interface vlan.28
set vlans VOIP_Wired_1 vlan-id 14
set vlans VOIP_Wired_1 interface Wired_Voice
set poe interface all
set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333190
set virtual-chassis member 1 role line-card
set virtual-chassis member 1 serial-number FP0211333201
set virtual-chassis member 2 role routing-engine
set virtual-chassis member 2 serial-number FP0211333173
set virtual-chassis member 3 role line-card
set virtual-chassis member 3 serial-number FP0211333265
set virtual-chassis fast-failover xe
EX4200vc1 Configuration Statements
            }
        }
    }
    interface-range Wired_Voice {
        member-range ge-0/0/27 to ge-0/0/47;
        member-range ge-1/0/27 to ge-1/0/47;
        member-range ge-2/0/27 to ge-2/0/47;
        member-range ge-3/0/27 to ge-3/0/47;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    interface-range Access_Points {
        member-range ge-0/0/0 to ge-0/0/4;
        member-range ge-1/0/0 to ge-1/0/4;
        member-range ge-2/0/0 to ge-2/0/4;
        member-range ge-3/0/0 to ge-3/0/4;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/0 { unit 0 { family ethernet-switching; } }
    ge-0/0/1 { unit 0 { family ethernet-switching; } }
    ge-0/0/2 { unit 0 { family ethernet-switching; } }
    ge-0/0/3 { unit 0 { family ethernet-switching; } }
    ge-0/0/4 { unit 0 { family ethernet-switching; } }
    ge-0/0/5 { unit 0 { family ethernet-switching; } }
    ge-0/0/6 { unit 0 { family ethernet-switching; } }
    ge-0/0/7 { unit 0 { family ethernet-switching; } }
    ge-0/0/8 { unit 0 { family ethernet-switching; } }
    ge-0/0/9 { unit 0 { family ethernet-switching; } }
    ge-0/0/10 { unit 0 { family ethernet-switching; } }
    ge-0/0/11 { unit 0 { family ethernet-switching; } }
    ge-0/0/12 { unit 0 { family ethernet-switching; } }
    ge-0/0/13 { unit 0 { family ethernet-switching; } }
    ge-0/0/14 { unit 0 { family ethernet-switching; } }
    ge-0/0/15 { unit 0 { family ethernet-switching; } }
    ge-0/0/16 { unit 0 { family ethernet-switching; } }
    ge-0/0/17 { unit 0 { family ethernet-switching; } }
    ge-0/0/18 { unit 0 { family ethernet-switching; } }
    ge-0/0/19 { unit 0 { family ethernet-switching; } }
    ge-0/0/20 { unit 0 { family ethernet-switching; } }
    ge-0/0/21 { unit 0 { family ethernet-switching; } }
    ge-0/0/22 { unit 0 { family ethernet-switching; } }
    ge-0/0/23 { unit 0 { family ethernet-switching; } }
    ge-0/0/24 { unit 0 { family ethernet-switching; } }
    ge-0/0/25 { unit 0 { family ethernet-switching; } }
    ge-0/0/26 { unit 0 { family ethernet-switching; } }
    ge-0/0/27 { unit 0 { family ethernet-switching; } }
    ge-0/0/28 { unit 0 { family ethernet-switching; } }
    ge-0/0/29 { unit 0 { family ethernet-switching; } }
    ge-0/0/30 { unit 0 { family ethernet-switching; } }
    ge-0/0/31 { unit 0 { family ethernet-switching; } }
    ge-0/0/32 { unit 0 { family ethernet-switching; } }
    ge-0/0/33 { unit 0 { family ethernet-switching; } }
    ge-0/0/34 { unit 0 { family ethernet-switching; } }
    ge-0/0/35 { unit 0 { family ethernet-switching; } }
    ge-0/0/36 { unit 0 { family ethernet-switching; } }
    ge-0/0/37 { unit 0 { family ethernet-switching; } }
    ge-0/0/38 { unit 0 { family ethernet-switching; } }
    ge-0/0/39 { unit 0 { family ethernet-switching; } }
    ge-0/0/40 { unit 0 { family ethernet-switching; } }
    ge-0/0/41 { unit 0 { family ethernet-switching; } }
    ge-0/0/42 { unit 0 { family ethernet-switching; } }
    ge-0/0/43 { unit 0 { family ethernet-switching; } }
    ge-0/0/44 { unit 0 { family ethernet-switching; } }
    ge-0/0/45 { unit 0 { family ethernet-switching; } }
    ge-0/0/46 { unit 0 { family ethernet-switching; } }
    ge-0/0/47 { unit 0 { family ethernet-switching; } }
    xe-0/1/0 { unit 0 { family ethernet-switching; } }
    xe-0/1/2 { ether-options { 802.3ad ae0; } }
    ge-1/0/0 { unit 0 { family ethernet-switching; } }
    xe-2/1/2 { ether-options { 802.3ad ae0; } }
    ae0 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_1 VOIP_Wired_1 Management Guest_Wired ];
                }
            }
        }
    }
    vlan {
        unit 28 {
            family inet {
                address 10.10.28.244/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet {
                address 10.94.188.91/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.28.1;
    }
}
protocols {
    igmp-snooping {
        vlan all;
    }
    rstp {
        interface ae0.0 {
            disable;
        }
    }
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    secure-access-port {
        vlan Data_Wired_1 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Guest_Wired {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan VOIP_Wired_1 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
    }
    nonstop-bridging;
    storm-control {
        interface all;
    }
}
vlans {
    Data_Wired_1 {
        vlan-id 10;
        interface {
            Wired_Data;
        }
    }
    Guest_Wired {
        vlan-id 30;
    }
    Management {
        vlan-id 28;
        interface {
            Access_Points;
        }
        l3-interface vlan.28;
    }
    VOIP_Wired_1 {
        vlan-id 14;
        interface {
            Wired_Voice;
        }
    }
}
poe {
    interface all;
}
virtual-chassis {
    preprovisioned;
    member 0 {
        role routing-engine;
        serial-number FP0211333190;
    }
    member 1 {
        role line-card;
        serial-number FP0211333201;
    }
    member 2 {
        role routing-engine;
        serial-number FP0211333173;
    }
    member 3 {
        role line-card;
        serial-number FP0211333265;
    }
    fast-failover {
        xe;
    }
}
EX4200vc2 Set Commands
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members Data_Wired_2
set interfaces ae0 unit 0 family ethernet-switching vlan members VOIP_Wired_2
set interfaces ae0 unit 0 family ethernet-switching vlan members Management
set interfaces ae0 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set interfaces vlan unit 28 family inet address 10.10.28.243/24
set interfaces vme unit 0 family inet address 10.94.188.95/24
set routing-options static route 0.0.0.0/0 next-hop 10.10.28.1
set protocols rstp interface ae0.0 disable
set protocols lldp interface all
set protocols lldp-med interface all
set ethernet-switching-options secure-access-port vlan Data_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_2 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 ip-source-guard
set ethernet-switching-options nonstop-bridging
set vlans Data_Wired_2 vlan-id 12
set vlans Data_Wired_2 interface Wired_Data
set vlans Guest_Wired vlan-id 30
set vlans Management vlan-id 28
set vlans Management interface Access_Points
set vlans Management l3-interface vlan.28
set vlans VOIP_Wired_2 vlan-id 16
set vlans VOIP_Wired_2 interface Wired_Voice
set poe interface all
set virtual-chassis preprovisioned
set virtual-chassis no-split-detection
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333245
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number FP0211333274
EX4200vc2 Configuration Statements
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        file messages {
            any any;
            authorization info;
            archive size 10m;
        }
    }
    commit synchronize;
}
chassis {
    redundancy {
        graceful-switchover;
    }
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
interfaces {
    interface-range Wired_Data {
        member-range ge-0/0/5 to ge-0/0/26;
        member-range ge-1/0/5 to ge-1/0/26;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    interface-range Wired_Voice {
        member-range ge-1/0/27 to ge-1/0/47;
        member-range ge-0/0/27 to ge-0/0/47;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    interface-range Access_Points {
        member-range ge-1/0/0 to ge-1/0/4;
        member-range ge-0/0/0 to ge-0/0/4;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/0 { unit 0 { family ethernet-switching { port-mode access; } } }
    ge-0/0/2 { unit 0 { family ethernet-switching { port-mode access; } } }
    xe-0/1/0 { ether-options { 802.3ad ae0; } }
    ge-1/0/0 { unit 0 { family ethernet-switching { port-mode access; } } }
    ge-1/0/1 { unit 0 { family ethernet-switching; } }
    xe-1/1/0 { ether-options { 802.3ad ae0; } }
    ae0 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_2 VOIP_Wired_2 Management Guest_Wired ];
                }
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.0.2/32;
            }
        }
    }
    vlan {
        unit 28 {
            family inet {
                address 10.10.28.243/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet {
                address 10.94.188.95/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.28.1;
    }
}
protocols {
    rstp {
        interface ae0.0 {
            disable;
        }
    }
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    secure-access-port {
        vlan Data_Wired_2 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Guest_Wired {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan VOIP_Wired_2 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
    }
    nonstop-bridging;
}
vlans {
    Data_Wired_2 {
        vlan-id 12;
        interface {
            Wired_Data;
        }
    }
    Guest_Wired {
        vlan-id 30;
    }
    Management {
        vlan-id 28;
        interface {
            Access_Points;
        }
        l3-interface vlan.28;
    }
    VOIP_Wired_2 {
        vlan-id 16;
        interface {
            Wired_Voice;
        }
    }
}
poe {
    interface all;
}
virtual-chassis {
    preprovisioned;
    no-split-detection;
    member 0 {
        role routing-engine;
        serial-number FP0211333245;
    }
    member 1 {
        role routing-engine;
        serial-number FP0211333274;
    }
}
EX4200vc3 Set Commands
set interfaces interface-range Wired_Data member-range ge-0/0/5 to ge-0/0/26
set interfaces interface-range Wired_Data unit 0 family ethernet-switching port-mode access
set interfaces interface-range Wired_Voice member-range ge-0/0/27 to ge-0/0/47
set interfaces interface-range Wired_Voice member-range ge-1/0/27 to ge-1/0/47
set interfaces interface-range Wired_Voice unit 0 family ethernet-switching port-mode access
set interfaces interface-range Access_Points member-range ge-0/0/0 to ge-0/0/4
set interfaces interface-range Access_Points member-range ge-1/0/0 to ge-1/0/4
set interfaces interface-range Access_Points unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-1/0/2 unit 0 family ethernet-switching port-mode access
set interfaces xe-1/1/0 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic slow
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members Data_Wired_2
set interfaces ae0 unit 0 family ethernet-switching vlan members VOIP_Wired_2
set interfaces ae0 unit 0 family ethernet-switching vlan members Management
set interfaces ae0 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces lo0 unit 0 family inet address 10.0.0.3/32
set interfaces vlan unit 28 family inet address 10.10.28.242/24
set interfaces vme unit 0 family inet address 10.94.188.97/24
set routing-options static route 0.0.0.0/0 next-hop 10.10.28.1
set protocols rstp interface ae0.0 disable
set protocols lldp interface all
set protocols lldp-med interface all
set ethernet-switching-options secure-access-port vlan Data_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wired_2 ip-source-guard
set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection
set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp
set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 arp-inspection
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 examine-dhcp
set ethernet-switching-options secure-access-port vlan VOIP_Wired_2 ip-source-guard
set ethernet-switching-options nonstop-bridging
set vlans Data_Wired_2 vlan-id 12
set vlans Data_Wired_2 interface Wired_Data
set vlans Guest_Wired vlan-id 30
set vlans Management vlan-id 28
set vlans Management interface Access_Points
set vlans Management l3-interface vlan.28
set vlans VOIP_Wired_2 vlan-id 16
set vlans VOIP_Wired_2 interface Wired_Voice
set poe interface all
set virtual-chassis preprovisioned
set virtual-chassis no-split-detection
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number FP0211333208
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number FP0211333280
EX4200vc3 Configuration Statements
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    interface-range Access_Points {
        member-range ge-0/0/0 to ge-0/0/4;
        member-range ge-1/0/0 to ge-1/0/4;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/0 { unit 0 { family ethernet-switching { port-mode access; } } }
    ge-0/0/1 { unit 0 { family ethernet-switching; } }
    xe-0/1/0 { ether-options { 802.3ad ae0; } }
    ge-1/0/0 { unit 0 { family ethernet-switching { port-mode access; } } }
    ge-1/0/2 { unit 0 { family ethernet-switching { port-mode access; } } }
    xe-1/1/0 { ether-options { 802.3ad ae0; } }
    ae0 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_2 VOIP_Wired_2 Management Guest_Wired ];
                }
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.0.3/32;
            }
        }
    }
    vlan {
        unit 28 {
            family inet {
                address 10.10.28.242/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet {
                address 10.94.188.97/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.28.1;
    }
}
protocols {
    rstp {
        interface ae0.0 {
            disable;
        }
    }
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    secure-access-port {
        vlan Data_Wired_2 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Guest_Wired {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan VOIP_Wired_2 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
    }
    nonstop-bridging;
}
vlans {
    Data_Wired_2 {
        vlan-id 12;
        interface {
            Wired_Data;
        }
    }
    Guest_Wired {
        vlan-id 30;
    }
    Management {
        vlan-id 28;
        interface {
            Access_Points;
        }
        l3-interface vlan.28;
    }
    VOIP_Wired_2 {
        vlan-id 16;
        interface {
            Wired_Voice;
        }
    }
}
poe {
    interface all;
}
virtual-chassis {
    preprovisioned;
    no-split-detection;
    member 0 {
        role routing-engine;
        serial-number FP0211333208;
    }
    member 1 {
        role routing-engine;
        serial-number FP0211333280;
    }
}
EX4542vc1 Set Commands
set interfaces ge-0/0/18 unit 0 family ethernet-switching
set interfaces xe-0/0/18 unit 0 family ethernet-switching
set interfaces ge-0/0/19 unit 0 family ethernet-switching
set interfaces xe-0/0/19 unit 0 family ethernet-switching
set interfaces ge-0/0/20 unit 0 family ethernet-switching
set interfaces xe-0/0/20 unit 0 family ethernet-switching
set interfaces ge-0/0/21 unit 0 family ethernet-switching
set interfaces xe-0/0/21 unit 0 family ethernet-switching
set interfaces ge-0/0/22 unit 0 family ethernet-switching
set interfaces xe-0/0/22 unit 0 family ethernet-switching
set interfaces ge-0/0/23 unit 0 family ethernet-switching
set interfaces xe-0/0/23 unit 0 family ethernet-switching
set interfaces ge-0/0/24 unit 0 family ethernet-switching
set interfaces xe-0/0/24 unit 0 family ethernet-switching
set interfaces ge-0/0/25 unit 0 family ethernet-switching
set interfaces xe-0/0/25 unit 0 family ethernet-switching
set interfaces ge-0/0/26 unit 0 family ethernet-switching
set interfaces xe-0/0/26 unit 0 family ethernet-switching
set interfaces ge-0/0/27 unit 0 family ethernet-switching
set interfaces xe-0/0/27 unit 0 family ethernet-switching
set interfaces ge-0/0/28 unit 0 family ethernet-switching
set interfaces xe-0/0/28 unit 0 family ethernet-switching
set interfaces ge-0/0/29 unit 0 family ethernet-switching
set interfaces xe-0/0/29 unit 0 family ethernet-switching
set interfaces ge-0/0/30 unit 0 family ethernet-switching
set interfaces xe-0/0/30 unit 0 family ethernet-switching
set interfaces ge-0/0/31 unit 0 family ethernet-switching
set interfaces xe-0/0/31 unit 0 family ethernet-switching
set interfaces ge-0/0/32 unit 0 family ethernet-switching
set interfaces xe-0/0/32 unit 0 family ethernet-switching
set interfaces ge-0/0/33 unit 0 family ethernet-switching
set interfaces xe-0/0/33 unit 0 family ethernet-switching
set interfaces ge-0/0/34 unit 0 family ethernet-switching
set interfaces xe-0/0/34 unit 0 family ethernet-switching
set interfaces ge-0/0/35 unit 0 family ethernet-switching
set interfaces xe-0/0/35 unit 0 family ethernet-switching
set interfaces ge-0/0/36 unit 0 family ethernet-switching
set interfaces xe-0/0/36 unit 0 family ethernet-switching
set interfaces ge-0/0/37 unit 0 family ethernet-switching
set interfaces xe-0/0/37 unit 0 family ethernet-switching
set interfaces ge-0/0/38 unit 0 family ethernet-switching
set interfaces xe-0/0/38 unit 0 family ethernet-switching
set interfaces ge-0/0/39 unit 0 family ethernet-switching
set interfaces xe-0/0/39 unit 0 family ethernet-switching
set interfaces ge-0/1/0 unit 0 family ethernet-switching
set interfaces xe-0/1/0 unit 0 family ethernet-switching
set interfaces ge-0/1/1 unit 0 family ethernet-switching
set interfaces xe-0/1/1 unit 0 family ethernet-switching
set interfaces ge-0/1/2 unit 0 family ethernet-switching
set interfaces xe-0/1/2 unit 0 family ethernet-switching
set interfaces ge-0/1/3 unit 0 family ethernet-switching
set interfaces xe-0/1/3 unit 0 family ethernet-switching
set interfaces ge-0/2/0 unit 0 family ethernet-switching
set interfaces xe-0/2/0 unit 0 family ethernet-switching
set interfaces ge-0/2/1 unit 0 family ethernet-switching
set interfaces xe-0/2/1 unit 0 family ethernet-switching
set interfaces ge-0/2/2 unit 0 family ethernet-switching
set interfaces xe-0/2/2 unit 0 family ethernet-switching
set interfaces ge-0/2/3 unit 0 family ethernet-switching
set interfaces xe-0/2/3 unit 0 family ethernet-switching
set interfaces xe-1/0/0 ether-options 802.3ad ae0
set interfaces xe-1/0/1 ether-options 802.3ad ae1
set interfaces xe-1/0/2 ether-options 802.3ad ae2
set interfaces ge-2/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members Data_Wireless_1
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members Data_Wireless_2
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members Management
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members Guest_Wireless
set interfaces ge-2/0/5 unit 0 family ethernet-switching port-mode access
set interfaces ge-2/0/9 unit 0 family ethernet-switching port-mode access
set interfaces ge-2/0/9 unit 0 family ethernet-switching vlan members Servers
set interfaces ge-2/0/47 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-2/0/47 unit 0 family ethernet-switching vlan members Internet_Edge
set interfaces ge-2/0/47 unit 0 family ethernet-switching vlan members Management
set interfaces ge-2/0/47 unit 0 family ethernet-switching vlan members Guest_Wired
set interfaces ge-2/0/47 unit 0 family ethernet-switching vlan members Guest_Wireless
set interfaces ge-3/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members Data_Wireless_1
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members Data_Wireless_2
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members Management
set interfaces ge-3/0/1 unit 0 family ethernet-switching vlan members Guest_Wireless
set interfaces ge-3/0/5 unit 0 family ethernet-switching port-mode access
set interfaces ge-3/0/9 unit 0 family ethernet-switching port-mode access
set interfaces 
ge-3/0/9 unit 0 family ethernet-switching vlan members Servers set interfaces ge-3/0/47 unit 0 family ethernet-switching port-mode trunk set interfaces ge-3/0/47 unit 0 family ethernet-switching vlan members Internet_Edge set interfaces ge-3/0/47 unit 0 family ethernet-switching vlan members Management set interfaces ge-3/0/47 unit 0 family ethernet-switching vlan members Guest_Wired set interfaces ge-3/0/47 unit 0 family ethernet-switching vlan members Guest_Wireless set interfaces ae0 aggregated-ether-options lacp active set interfaces ae0 aggregated-ether-options lacp periodic slow set interfaces ae0 unit 0 family ethernet-switching port-mode trunk set interfaces ae0 unit 0 family ethernet-switching vlan members Data_Wired_1 set interfaces ae0 unit 0 family ethernet-switching vlan members VOIP_Wired_1 set interfaces ae0 unit 0 family ethernet-switching vlan members Management set interfaces ae0 unit 0 family ethernet-switching vlan members Guest_Wired set interfaces ae1 aggregated-ether-options lacp active set interfaces ae1 aggregated-ether-options lacp periodic slow set interfaces ae1 unit 0 family ethernet-switching port-mode trunk set interfaces ae1 unit 0 family ethernet-switching vlan members Data_Wired_2 set interfaces ae1 unit 0 family ethernet-switching vlan members VOIP_Wired_2 set interfaces ae1 unit 0 family ethernet-switching vlan members Management set interfaces ae1 unit 0 family ethernet-switching vlan members Guest_Wired set interfaces ae2 aggregated-ether-options lacp active set interfaces ae2 aggregated-ether-options lacp periodic slow set interfaces ae2 unit 0 family ethernet-switching port-mode trunk set interfaces ae2 unit 0 family ethernet-switching vlan members Data_Wired_2 set interfaces ae2 unit 0 family ethernet-switching vlan members VOIP_Wired_2 set interfaces ae2 unit 0 family ethernet-switching vlan members Management set interfaces ae2 unit 0 family ethernet-switching vlan members Guest_Wired set interfaces vlan unit 10 family 
inet address 10.10.10.1/24 set interfaces vlan unit 12 family inet address 10.10.12.1/24
129
set interfaces vlan unit 14 family inet address 10.10.14.1/24 set interfaces vlan unit 16 family inet address 10.10.16.1/24 set interfaces vlan unit 18 family inet address 10.10.18.1/24 set interfaces vlan unit 20 family inet address 10.10.20.1/24 set interfaces vlan unit 22 family inet address 10.10.22.1/24 set interfaces vlan unit 24 family inet address 10.10.24.1/24 set interfaces vlan unit 28 family inet address 10.10.28.1/24 set interfaces vme unit 0 family inet address 10.94.188.101/24 set forwarding-options helpers bootp dhcp-option82 set forwarding-options helpers bootp description DHCP-SERVER set forwarding-options helpers bootp server 10.10.24.100 set forwarding-options helpers bootp interface vlan.24 set forwarding-options helpers bootp interface vlan.10 set forwarding-options helpers bootp interface vlan.12 set forwarding-options helpers bootp interface vlan.14 set forwarding-options helpers bootp interface vlan.16 set forwarding-options helpers bootp interface vlan.18 set forwarding-options helpers bootp interface vlan.20 set forwarding-options helpers bootp interface vlan.26 set forwarding-options helpers bootp interface vlan.28 set routing-options nonstop-routing set routing-options static route 0.0.0.0/0 next-hop 10.10.22.254 set protocols ospf area 0.0.0.0 interface vlan.22 set protocols ospf area 0.0.0.0 interface vlan.10 set protocols ospf area 0.0.0.0 interface vlan.12 set protocols ospf area 0.0.0.0 interface vlan.14 set protocols ospf area 0.0.0.0 interface vlan.16 set protocols ospf area 0.0.0.0 interface vlan.18 set protocols ospf area 0.0.0.0 interface vlan.20 set protocols ospf area 0.0.0.0 interface vlan.24 set protocols igmp-snooping vlan all set protocols dcbx interface all set protocols rstp bridge-priority 8k set protocols rstp interface ae0.0 disable set protocols rstp interface ae1.0 disable set protocols rstp interface ae2.0 disable set protocols lldp interface all set protocols lldp-med interface all set policy-options prefix-list 
test fd00::0214/128 set ethernet-switching-options secure-access-port vlan Data_Wireless_1 arp-inspection set ethernet-switching-options secure-access-port vlan Data_Wireless_1 examine-dhcp set ethernet-switching-options secure-access-port vlan Data_Wireless_1 ip-source-guard set ethernet-switching-options secure-access-port vlan Data_Wireless_2 arp-inspection set ethernet-switching-options secure-access-port vlan Data_Wireless_2 examine-dhcp set ethernet-switching-options secure-access-port vlan Data_Wireless_2 ip-source-guard set ethernet-switching-options secure-access-port vlan Guest_Wired arp-inspection set ethernet-switching-options secure-access-port vlan Guest_Wired examine-dhcp set ethernet-switching-options secure-access-port vlan Guest_Wired ip-source-guard set ethernet-switching-options secure-access-port vlan Guest_Wireless arp-inspection set ethernet-switching-options secure-access-port vlan Guest_Wireless examine-dhcp set ethernet-switching-options secure-access-port vlan Guest_Wireless ip-source-guard set ethernet-switching-options nonstop-bridging set ethernet-switching-options storm-control interface all set ethernet-switching-options bpdu-block interface ge-2/0/5.0 set vlans Data_Wired_1 vlan-id 10 set vlans Data_Wired_1 l3-interface vlan.10
130
set vlans Data_Wired_2 vlan-id 12 set vlans Data_Wired_2 l3-interface vlan.12 set vlans Data_Wireless_1 vlan-id 18 set vlans Data_Wireless_1 l3-interface vlan.18 set vlans Data_Wireless_2 vlan-id 20 set vlans Data_Wireless_2 l3-interface vlan.20 set vlans Guest_Wired vlan-id 30 set vlans Guest_Wireless vlan-id 32 set vlans Internet_Edge vlan-id 22 set vlans Internet_Edge l3-interface vlan.22 set vlans Management vlan-id 28 set vlans Management l3-interface vlan.28 set vlans Servers vlan-id 24 set vlans Servers interface ge-2/0/5.0 set vlans Servers interface ge-3/0/5.0 set vlans Servers l3-interface vlan.24 set vlans VOIP_Wired_1 vlan-id 14 set vlans VOIP_Wired_1 l3-interface vlan.14 set vlans VOIP_Wired_2 vlan-id 16 set vlans VOIP_Wired_2 l3-interface vlan.16 set poe interface all set virtual-chassis preprovisioned set virtual-chassis member 0 role routing-engine set virtual-chassis member 0 serial-number GX0211411253 set virtual-chassis member 1 role routing-engine set virtual-chassis member 1 serial-number GX0211411250 set virtual-chassis member 2 role line-card set virtual-chassis member 2 serial-number FP0211333181 set virtual-chassis member 3 role line-card set virtual-chassis member 3 serial-number FP0211333260
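A `set`-style configuration of this size is easier to review mechanically than by eye. The following Python script is an added example and is not code from the Juniper guide; `SAMPLE` is a constructed subset of the EX virtual-chassis statements above, and the checks are ones a reviewer would run against the full listing: which VLANs that carry an L3 gateway have no `secure-access-port` statements (on the configuration above these protections are applied only to the wireless and guest VLANs), whether every `bootp` helper interface corresponds to a configured `interfaces vlan unit` (above, `vlan.26` is listed as a relay interface but no unit 26 or VLAN with `l3-interface vlan.26` is configured), and which trunks carry the Management VLAN. The function names and the three-feature definition of "protected" are this example's own choices.

```python
"""Audit helpers for a Junos `set`-style switch configuration (added example).

SAMPLE is a constructed subset of the EX virtual-chassis configuration above,
trimmed to the statements the checks need.  Checks:
  1. VLANs with an l3-interface that lack any of examine-dhcp,
     arp-inspection or ip-source-guard (definition of "protected" is ours).
  2. bootp helper interfaces (vlan.N) with no matching `interfaces vlan unit N`.
  3. Trunk interfaces whose member list includes a given VLAN name.
"""
from collections import defaultdict

SAMPLE = """\
set interfaces ge-2/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members Data_Wireless_1
set interfaces ge-2/0/1 unit 0 family ethernet-switching vlan members Management
set interfaces ge-2/0/9 unit 0 family ethernet-switching port-mode access
set interfaces ge-2/0/9 unit 0 family ethernet-switching vlan members Servers
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members Data_Wired_1
set interfaces ae0 unit 0 family ethernet-switching vlan members Management
set interfaces vlan unit 10 family inet address 10.10.10.1/24
set interfaces vlan unit 18 family inet address 10.10.18.1/24
set interfaces vlan unit 24 family inet address 10.10.24.1/24
set interfaces vlan unit 28 family inet address 10.10.28.1/24
set forwarding-options helpers bootp interface vlan.10
set forwarding-options helpers bootp interface vlan.18
set forwarding-options helpers bootp interface vlan.26
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 arp-inspection
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 examine-dhcp
set ethernet-switching-options secure-access-port vlan Data_Wireless_1 ip-source-guard
set vlans Data_Wired_1 vlan-id 10
set vlans Data_Wired_1 l3-interface vlan.10
set vlans Data_Wireless_1 vlan-id 18
set vlans Data_Wireless_1 l3-interface vlan.18
set vlans Management vlan-id 28
set vlans Management l3-interface vlan.28
set vlans Servers vlan-id 24
set vlans Servers l3-interface vlan.24
"""

REQUIRED = {"examine-dhcp", "arp-inspection", "ip-source-guard"}


def parse_set(text):
    """Return each `set ...` statement as a tuple of tokens, without the `set`."""
    stmts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "set":
            stmts.append(tuple(parts[1:]))
    return stmts


def unprotected_l3_vlans(stmts):
    """VLAN names that have an l3-interface but lack one or more REQUIRED features."""
    protected = defaultdict(set)
    l3 = set()
    for s in stmts:
        if s[:3] == ("ethernet-switching-options", "secure-access-port", "vlan"):
            protected[s[3]].add(s[4])
        elif s[0] == "vlans" and len(s) > 2 and s[2] == "l3-interface":
            l3.add(s[1])
    return sorted(v for v in l3 if not REQUIRED <= protected[v])


def dangling_relay_interfaces(stmts):
    """bootp helper interfaces that are not defined as `interfaces vlan unit N`."""
    defined = {"vlan." + s[3] for s in stmts if s[:3] == ("interfaces", "vlan", "unit")}
    relays = {s[4] for s in stmts
              if s[:4] == ("forwarding-options", "helpers", "bootp", "interface")}
    return sorted(relays - defined)


def trunks_carrying(stmts, vlan_name):
    """Interfaces in trunk mode whose `vlan members` list includes vlan_name."""
    trunk, members = set(), defaultdict(set)
    for s in stmts:
        if s[0] == "interfaces" and "ethernet-switching" in s:
            rest = s[s.index("ethernet-switching") + 1:]
            if rest[:2] == ("port-mode", "trunk"):
                trunk.add(s[1])
            elif rest[:2] == ("vlan", "members"):
                members[s[1]].add(rest[2])
    return sorted(p for p in trunk if vlan_name in members[p])


if __name__ == "__main__":
    stmts = parse_set(SAMPLE)
    print("L3 VLANs without full secure-access-port:", unprotected_l3_vlans(stmts))
    print("Relay interfaces with no L3 unit:", dangling_relay_interfaces(stmts))
    print("Trunks carrying Management:", trunks_carrying(stmts, "Management"))
```

Run against the full `show configuration | display set` output instead of `SAMPLE`, the same three functions report on the whole switch; the relay check is the one that catches a typo such as a VLAN that was renumbered without its helper entry being updated.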
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    commit synchronize;
}
chassis {
    redundancy {
        graceful-switchover;
    }
    aggregated-devices {
        ethernet {
            device-count 4;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/1 {
        ether-options {
            802.3ad ae1;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/2 {
        ether-options {
            802.3ad ae2;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/24 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/24 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/25 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/25 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/26 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/26 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/27 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/27 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/28 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/28 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/29 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/29 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/30 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/30 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/31 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/31 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/32 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/32 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/33 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/33 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/34 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/34 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/35 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/35 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/36 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/36 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/37 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/37 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/38 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/38 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/39 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/0/39 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/2/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/2/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/2/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/2/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/2/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-1/0/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    xe-1/0/1 {
        ether-options {
            802.3ad ae1;
        }
    }
    xe-1/0/2 {
        ether-options {
            802.3ad ae2;
        }
    }
    ge-2/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wireless_1 Data_Wireless_2 Management Guest_Wireless ];
                }
            }
        }
    }
    ge-2/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-2/0/9 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members Servers;
                }
            }
        }
    }
    ge-2/0/47 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Internet_Edge Management Guest_Wired Guest_Wireless ];
                }
            }
        }
    }
    ge-3/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wireless_1 Data_Wireless_2 Management Guest_Wireless ];
                }
            }
        }
    }
    ge-3/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-3/0/9 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members Servers;
                }
            }
        }
    }
    ge-3/0/47 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Internet_Edge Management Guest_Wired Guest_Wireless ];
                }
            }
        }
    }
    ae0 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_1 VOIP_Wired_1 Management Guest_Wired ];
                }
            }
        }
    }
    ae1 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_2 VOIP_Wired_2 Management Guest_Wired ];
                }
            }
        }
    }
    ae2 {
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ Data_Wired_2 VOIP_Wired_2 Management Guest_Wired ];
                }
            }
        }
    }
    vlan {
        unit 10 {
            family inet {
                address 10.10.10.1/24;
            }
        }
        unit 12 {
            family inet {
                address 10.10.12.1/24;
            }
        }
        unit 14 {
            family inet {
                address 10.10.14.1/24;
            }
        }
        unit 16 {
            family inet {
                address 10.10.16.1/24;
            }
        }
        unit 18 {
            family inet {
                address 10.10.18.1/24;
            }
        }
        unit 20 {
            family inet {
                address 10.10.20.1/24;
            }
        }
        unit 22 {
            family inet {
                address 10.10.22.1/24;
            }
        }
        unit 24 {
            family inet {
                address 10.10.24.1/24;
            }
        }
        unit 28 {
            family inet {
                address 10.10.28.1/24;
            }
        }
    }
    vme {
        unit 0 {
            family inet {
                address 10.94.188.101/24;
            }
        }
    }
}
forwarding-options {
    helpers {
        bootp {
            dhcp-option82;
            description DHCP-SERVER;
            server 10.10.24.100;
            interface {
                vlan.24;
                vlan.10;
                vlan.12;
                vlan.14;
                vlan.16;
                vlan.18;
                vlan.20;
                vlan.26;
                vlan.28;
            }
        }
    }
}
routing-options {
    nonstop-routing;
    static {
        route 0.0.0.0/0 next-hop 10.10.22.254;
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface vlan.22;
            interface vlan.10;
            interface vlan.12;
            interface vlan.14;
            interface vlan.16;
            interface vlan.18;
            interface vlan.20;
            interface vlan.24;
        }
    }
    igmp-snooping {
        vlan all;
    }
    dcbx {
        interface all;
    }
    rstp {
        bridge-priority 8k;
        interface ae0.0 {
            disable;
        }
        interface ae1.0 {
            disable;
        }
        interface ae2.0 {
            disable;
        }
    }
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
policy-options {
    prefix-list test {
        fd00::0214/128;
    }
}
ethernet-switching-options {
    secure-access-port {
        vlan Data_Wireless_1 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Data_Wireless_2 {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Guest_Wired {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
        vlan Guest_Wireless {
            arp-inspection;
            examine-dhcp;
            ip-source-guard;
        }
    }
    nonstop-bridging;
    storm-control {
        interface all;
    }
    bpdu-block {
        interface ge-2/0/5.0;
    }
}
vlans {
    Data_Wired_1 {
        vlan-id 10;
        l3-interface vlan.10;
    }
    Data_Wired_2 {
        vlan-id 12;
        l3-interface vlan.12;
    }
    Data_Wireless_1 {
        vlan-id 18;
        l3-interface vlan.18;
    }
    Data_Wireless_2 {
        vlan-id 20;
        l3-interface vlan.20;
    }
    Guest_Wired {
        vlan-id 30;
    }
    Guest_Wireless {
        vlan-id 32;
    }
    Internet_Edge {
        vlan-id 22;
        l3-interface vlan.22;
    }
    Management {
        vlan-id 28;
        l3-interface vlan.28;
    }
    Servers {
        vlan-id 24;
        interface {
            ge-2/0/5.0;
            ge-3/0/5.0;
        }
        l3-interface vlan.24;
    }
    VOIP_Wired_1 {
        vlan-id 14;
        l3-interface vlan.14;
    }
    VOIP_Wired_2 {
        vlan-id 16;
        l3-interface vlan.16;
    }
}
poe {
    interface all;
}
virtual-chassis {
    preprovisioned;
    member 0 {
        role routing-engine;
        serial-number GX0211411253;
    }
    member 1 {
        role routing-engine;
        serial-number GX0211411250;
    }
    member 2 {
        role line-card;
        serial-number FP0211333181;
    }
    member 3 {
        role line-card;
        serial-number FP0211333260;
    }
}
WLC-1 Configuration
# Configuration nvgen'd at 2012-3-21 09:57:49
# Image 7.6.1.3.0
# Model MX-8
# Last change occurred at 2012-3-13 12:27:32
set ip route default 10.10.28.1 1
set system name WLC-1
set system ip-address 10.10.28.9
set system countrycode US
set timezone pst -8 0
set service-profile Secure-802.1X ssid-name Data_Wireless_1
set service-profile Secure-802.1X rsn-ie cipher-ccmp enable
set service-profile Secure-802.1X rsn-ie enable
set service-profile Secure-802.1X attr vlan-name Data_Wireless_1
set service-profile Web-Portal ssid-name Guest_Wireless
set service-profile Web-Portal ssid-type clear
set service-profile Web-Portal auth-fallthru web-portal
set service-profile Web-Portal web-portal-acl portalacl
set service-profile Web-Portal wpa-ie auth-dot1x disable
set service-profile Web-Portal rsn-ie auth-dot1x disable
set service-profile Web-Portal attr vlan-name Guest_Wireless
set enablepass password 28358f9656229c67a90632e745efe4a11b48
set authentication web ssid Guest_Wireless ** local
set authentication dot1x ssid Data_Wireless_1 ** peap-mschapv2 local
set user admin password encrypted 044b0a151c36435c0d
set user bob password encrypted 08314d5d1a0e0a0516
set user bob attr ssid Data_Wireless_1
set user guest password encrypted 044b0a151c36435c0d
set user guest attr ssid Guest_Wireless
set radio-profile default service-profile Secure-802.1X
set radio-profile default service-profile Web-Portal
set ap auto mode enable
set ip telnet server enable
set vlan 1 port 1
set vlan 1 port 2
set vlan 1 port 3
set vlan 1 port 4
set vlan 1 port 5
set vlan 1 port 6
set vlan 1 port 7
set vlan 1 port 8
set vlan 28 name Management
set vlan 28 port 8 tag 28
set vlan 18 name Data_Wireless_1
set vlan 18 port 8 tag 18
set vlan 32 name Guest_Wireless
set vlan 32 port 8 tag 32
set interface 28 ip 10.10.28.9 255.255.255.0
set interface 32 ip 10.10.32.9 255.255.255.0
set mobility-domain mode seed domain-name xyzcompany
set mobility-domain member 10.10.28.10
set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture
commit security acl portalacl
set cluster mode enable
WLC-2 Configuration
# Configuration nvgen'd at 2012-3-21 09:59:08
# Image 7.6.1.3.0
# Model MX-8
# Last change occurred at 2012-3-13 12:28:17
set ip route default 10.10.28.1 1
set system name WLC-2
set system ip-address 10.10.28.10
set system countrycode US
set timezone pst -8 0
set service-profile Secure-802.1X ssid-name Data_Wireless_1
set service-profile Secure-802.1X rsn-ie cipher-ccmp enable
set service-profile Secure-802.1X rsn-ie enable
set service-profile Secure-802.1X attr vlan-name Data_Wireless_1
set service-profile Web-Portal ssid-name Guest_Wireless
set service-profile Web-Portal ssid-type clear
set service-profile Web-Portal auth-fallthru web-portal
set service-profile Web-Portal web-portal-acl portalacl
set service-profile Web-Portal wpa-ie auth-dot1x disable
set service-profile Web-Portal rsn-ie auth-dot1x disable
set service-profile Web-Portal attr vlan-name Guest_Wireless
set enablepass password 0a8eaea60ebf415168c5f6b0fbaa524fe17c
set authentication web ssid Guest_Wireless ** local
set authentication dot1x ssid Data_Wireless_1 ** peap-mschapv2 local
set user admin password encrypted 140713181f13253920
set user bob password encrypted 15020a1f173d24362c
set user bob attr ssid Data_Wireless_1
set user guest password encrypted 12090404011c03162e
set user guest attr ssid Guest_Wireless
set radio-profile default service-profile Secure-802.1X
set radio-profile default service-profile Web-Portal
set ap auto mode enable
set vlan 1 port 1
set vlan 1 port 2
set vlan 1 port 3
set vlan 1 port 4
set vlan 1 port 5
set vlan 1 port 6
set vlan 1 port 7
set vlan 1 port 8
set vlan 28 name Management
set vlan 28 port 8 tag 28
set vlan 18 name Data_Wireless_1
set vlan 18 port 8 tag 18
set vlan 32 name Guest_Wireless
set vlan 32 port 8 tag 32
set interface 28 ip 10.10.28.10 255.255.255.0
set interface 32 ip 10.10.32.10 255.255.255.0
set mobility-domain mode secondary-seed domain-name xyzcompany seed-ip 10.10.28.9
set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture
commit security acl portalacl
set cluster mode enable
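WLC-1 and WLC-2 are meant to be peers in one mobility domain, so their configurations should differ only in node-specific values (name, addresses, credential hashes, seed role). Comparing the two listings above shows one statement that is present on WLC-1 only: `set ip telnet server enable`. The following Python script is an added example, not code from the guide; `WLC1` and `WLC2` are constructed abbreviations of the two MSS configurations above, and the list of statements treated as legitimately node-specific is this example's own assumption.

```python
"""Configuration drift check between two peer wireless controllers (added example).

WLC1 and WLC2 are constructed, abbreviated copies of the WLC-1 and WLC-2 MSS
configurations above.  Statements that are expected to differ between peers
are masked or dropped so that only genuine drift is reported.
"""
import re

WLC1 = """\
# Configuration nvgen'd at 2012-3-21 09:57:49
set ip route default 10.10.28.1 1
set system name WLC-1
set system ip-address 10.10.28.9
set service-profile Secure-802.1X rsn-ie cipher-ccmp enable
set authentication dot1x ssid Data_Wireless_1 ** peap-mschapv2 local
set user admin password encrypted 044b0a151c36435c0d
set ip telnet server enable
set interface 28 ip 10.10.28.9 255.255.255.0
set mobility-domain mode seed domain-name xyzcompany
set cluster mode enable
"""

WLC2 = """\
# Configuration nvgen'd at 2012-3-21 09:59:08
set ip route default 10.10.28.1 1
set system name WLC-2
set system ip-address 10.10.28.10
set service-profile Secure-802.1X rsn-ie cipher-ccmp enable
set authentication dot1x ssid Data_Wireless_1 ** peap-mschapv2 local
set user admin password encrypted 140713181f13253920
set interface 28 ip 10.10.28.10 255.255.255.0
set mobility-domain mode secondary-seed domain-name xyzcompany seed-ip 10.10.28.9
set cluster mode enable
"""

# Statements whose values are expected to differ between peers (our assumption).
NODE_SPECIFIC = (
    re.compile(r"^set system (name|ip-address) "),
    re.compile(r"^set interface \d+ ip "),
    re.compile(r"^set mobility-domain (mode|member) "),
)
# Credential hashes differ per box even for the same password; mask them.
HASH_RE = re.compile(r"(password encrypted |enablepass password )\S+")


def normalize(text):
    """Return the set of comparable statements: comments and node-specific
    lines dropped, credential hashes replaced by a placeholder."""
    out = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if any(p.match(line) for p in NODE_SPECIFIC):
            continue
        out.add(HASH_RE.sub(r"\1<hash>", line))
    return out


def drift(a, b):
    """Return (only_in_a, only_in_b) as sorted lists of normalized statements."""
    na, nb = normalize(a), normalize(b)
    return sorted(na - nb), sorted(nb - na)


if __name__ == "__main__":
    only1, only2 = drift(WLC1, WLC2)
    print("Only on WLC-1:", only1)
    print("Only on WLC-2:", only2)
```

The same function works on the full `show config` output of both controllers; anything it reports that is not in `NODE_SPECIFIC` is a candidate for reconciliation, and a plaintext management service enabled on only one peer is exactly the kind of difference that a side-by-side read misses.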
149
set system services dhcp pool 10.10.32.0/24 address-range high 10.10.32.250 set system services dhcp pool 10.10.32.0/24 domain-name xyzcompany.com set system services dhcp pool 10.10.32.0/24 name-server 208.67.220.220 set system services dhcp pool 10.10.32.0/24 name-server 208.67.222.222 set system services dhcp pool 10.10.32.0/24 router 10.10.32.254 set system syslog user * any emergency set system syslog file messages any critical set system syslog file messages authorization info set system syslog file interactive-commands interactive-commands error set system max-configurations-on-flash 5 set system max-configuration-rollbacks 5 set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval set chassis cluster reth-count 1 set chassis cluster redundancy-group 0 node 0 priority 100 set chassis cluster redundancy-group 0 node 1 priority 1 set chassis cluster redundancy-group 1 node 0 priority 100 set chassis cluster redundancy-group 1 node 1 priority 1 set chassis cluster redundancy-group 1 interface-monitor ge-2/0/0 weight 255 set chassis cluster redundancy-group 1 interface-monitor ge-11/0/0 weight 255 set interfaces ge-2/0/0 gigether-options redundant-parent reth0 set interfaces ge-2/0/1 description "primary internet connection" set interfaces ge-2/0/1 unit 0 family inet address 10.94.191.233/24 set interfaces ge-11/0/0 gigether-options redundant-parent reth0 set interfaces ge-11/0/2 description "Backup Internet Connection" set interfaces ge-11/0/2 unit 0 family inet address 10.94.194.56/24 set interfaces fab0 fabric-options member-interfaces ge-0/0/2 set interfaces fab1 fabric-options member-interfaces ge-9/0/2 set interfaces reth0 vlan-tagging set interfaces reth0 redundant-ether-options redundancy-group 1 set interfaces reth0 unit 0 description "Unit 0 must be given a VLAN tag so using a dummy tag to align units to tags" set interfaces reth0 unit 0 vlan-id 1 set interfaces reth0 unit 22 description "Internet Edge" set interfaces reth0 unit 22 
vlan-id 22 set interfaces reth0 unit 22 family inet address 10.10.22.254/24 set interfaces reth0 unit 28 description Management set interfaces reth0 unit 28 vlan-id 28 set interfaces reth0 unit 28 family inet address 10.10.28.254/24 set interfaces reth0 unit 30 description "Guest Wired" set interfaces reth0 unit 30 vlan-id 30 set interfaces reth0 unit 30 family inet address 10.10.30.254/24 set interfaces reth0 unit 32 description "Guest Wireless" set interfaces reth0 unit 32 vlan-id 32 set interfaces reth0 unit 32 family inet address 10.10.32.254/24 set routing-options static route 0.0.0.0/0 qualified-next-hop 10.94.194.254 preference 20 set routing-options static route 0.0.0.0/0 qualified-next-hop 10.94.191.254 preference 10 set protocols ospf area 0.0.0.0 interface reth0.22 set protocols lldp interface ge-2/0/0.0 set protocols lldp interface ge-11/0/0.0 set security screen ids-option untrust-screen icmp ping-death set security screen ids-option untrust-screen ip source-route-option set security screen ids-option untrust-screen ip tear-drop set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024 set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
150
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024 set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048 set security screen ids-option untrust-screen tcp syn-flood timeout 20 set security screen ids-option untrust-screen tcp land set security nat source rule-set Guest-to-untrust from zone Guest set security nat source rule-set Guest-to-untrust to zone untrust set security nat source rule-set Guest-to-untrust rule Guest-source-nat match source-address 0.0.0.0/0 set security nat source rule-set Guest-to-untrust rule Guest-source-nat then source-nat interface set security nat source rule-set Internet_Edge-to-untrust from zone Internet_Edge set security nat source rule-set Internet_Edge-to-untrust to zone untrust set security nat source rule-set Internet_Edge-to-untrust rule Internet_Edge-source-nat match source-address 0.0.0.0/0 set security nat source rule-set Internet_Edge-to-untrust rule Internet_Edge-source-nat then source-nat interface set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wireless set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wired set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match destination-address any set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match application any set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet then permit set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wired_1 set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wired_2 set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wireless_1 set security 
policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Data_Wireless_2
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address Servers
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address VOIP_Wired_1
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match source-address VOIP_Wired_2
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match destination-address any
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet match application any
set security policies from-zone Internet_Edge to-zone untrust policy allow-Internet_Edge-to-internet then permit
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-11/0/2.0
set security zones security-zone untrust interfaces ge-2/0/1.0
set security zones security-zone Guest address-book address Guest_Wired 10.10.30.0/24
set security zones security-zone Guest address-book address Guest_Wireless 10.10.32.0/24
set security zones security-zone Guest host-inbound-traffic system-services ping
set security zones security-zone Guest host-inbound-traffic system-services traceroute
set security zones security-zone Guest interfaces reth0.30 host-inbound-traffic system-services dhcp
set security zones security-zone Guest interfaces reth0.30 host-inbound-traffic system-services bootp
set security zones security-zone Guest interfaces reth0.32 host-inbound-traffic system-services dhcp
set security zones security-zone Guest interfaces reth0.32 host-inbound-traffic system-services bootp
set security zones security-zone Management host-inbound-traffic system-services ssh
set security zones security-zone Management host-inbound-traffic system-services http
set security zones security-zone Management host-inbound-traffic system-services https
set security zones security-zone Management host-inbound-traffic system-services ping
set security zones security-zone Management host-inbound-traffic system-services snmp
set security zones security-zone Management host-inbound-traffic system-services traceroute
set security zones security-zone Management interfaces reth0.28
set security zones security-zone Internet_Edge address-book address Data_Wired_1 10.10.10.0/24
set security zones security-zone Internet_Edge address-book address Data_Wired_2 10.10.12.0/24
set security zones security-zone Internet_Edge address-book address VOIP_Wired_1 10.10.14.0/24
set security zones security-zone Internet_Edge address-book address VOIP_Wired_2 10.10.16.0/24
set security zones security-zone Internet_Edge address-book address Data_Wireless_1 10.10.18.0/24
set security zones security-zone Internet_Edge address-book address Data_Wireless_2 10.10.20.0/24
set security zones security-zone Internet_Edge address-book address Servers 10.10.24.0/24
set security zones security-zone Internet_Edge address-book address Access_Points 10.10.26.0/24
set security zones security-zone Internet_Edge address-book address Management 10.10.28.0/24
set security zones security-zone Internet_Edge address-book address Guest_Wired 10.10.30.0/24
set security zones security-zone Internet_Edge address-book address Guest_Wireless 10.10.32.0/24
set security zones security-zone Internet_Edge host-inbound-traffic system-services ping
set security zones security-zone Internet_Edge host-inbound-traffic system-services traceroute
set security zones security-zone Internet_Edge host-inbound-traffic protocols ospf
set security zones security-zone Internet_Edge interfaces reth0.22
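An added example, not part of this appendix or of Juniper's own tooling: a Python script that parses set-format statements like the ones above into a small zone/policy model and lists two things a reviewer would check in this design, permit policies that match application any and zones that accept cleartext host-inbound management services. The SAMPLE text is a constructed excerpt of the statements above, and CLEARTEXT is an assumption about which Junos service names carry management traffic unencrypted.

```python
import re
from collections import defaultdict

# Constructed excerpt of the set commands in the appendix above (not the full configuration).
SAMPLE = """
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match source-address Guest_Wired
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match destination-address any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet match application any
set security policies from-zone Guest to-zone untrust policy allow-guest-to-internet then permit
set security zones security-zone Management host-inbound-traffic system-services ssh
set security zones security-zone Management host-inbound-traffic system-services http
set security zones security-zone Management host-inbound-traffic system-services https
"""

POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                       r"(?:match (\S+) (\S+)|then (\S+))$")
ZONE_SVC_RE = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic "
                         r"system-services (\S+)$")
# Assumed set of host-inbound service names that carry management traffic unencrypted.
CLEARTEXT = {"http", "telnet", "ftp", "xnm-clear-text"}

def parse(text):
    """Build {(from, to, name): {match-key: {values}, "then": {action}}} and {zone: {services}}."""
    policies, zone_services = {}, defaultdict(set)
    for line in text.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            fz, tz, name, key, val, action = m.groups()
            pol = policies.setdefault((fz, tz, name), defaultdict(set))
            if action:
                pol["then"] = {action}
            else:
                pol[key].add(val)
            continue
        m = ZONE_SVC_RE.match(line.strip())
        if m:
            zone_services[m.group(1)].add(m.group(2))
    return policies, zone_services

def audit(policies, zone_services):
    """Flag permit policies that match any application, and zones exposing cleartext services."""
    findings = []
    for (fz, tz, name), pol in sorted(policies.items()):
        if pol["then"] == {"permit"} and "any" in pol["application"]:
            findings.append(f"{fz}->{tz} policy {name}: permit with application any")
    for zone, svcs in sorted(zone_services.items()):
        for svc in sorted(svcs & CLEARTEXT):
            findings.append(f"zone {zone}: host-inbound cleartext service {svc}")
    return findings
```

Running audit(*parse(SAMPLE)) returns one finding for the Guest-to-untrust policy and one for the http service in the Management zone.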
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name srx650-2;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.94.188.104/24;
                    }
                }
            }
        }
    }
}
apply-groups [ node0 node1 ];
system {
    domain-name xyxcompany.com;
    time-zone America/Los_Angeles;
    root-authentication {
        encrypted-password "$1$/BmrTFS/$7BfLGntduS8.fj3BYVuuQ0"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
        10.10.24.100;
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            https {
                system-generated-certificate;
            }
        }
        dhcp {
            pool 10.10.30.0/24 {
                address-range low 10.10.30.11 high 10.10.30.250;
                domain-name xyzcompany.com;
                name-server {
                    208.67.220.220;
                    208.67.222.222;
                }
                router {
                    10.10.30.254;
                }
            }
            pool 10.10.32.0/24 {
                address-range low 10.10.32.11 high 10.10.32.250;
                domain-name xyzcompany.com;
                name-server {
                    208.67.220.220;
                    208.67.222.222;
                }
                router {
                    10.10.32.254;
                }
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
chassis {
    cluster {
        reth-count 1;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            interface-monitor {
                ge-2/0/0 weight 255;
                ge-11/0/0 weight 255;
            }
        }
    }
}
interfaces {
    ge-2/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-2/0/1 {
        description "primary internet connection";
        unit 0 {
            family inet {
                address 10.94.191.233/24;
            }
        }
    }
    ge-11/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-11/0/2 {
        description "Backup Internet Connection";
        unit 0 {
            family inet {
                address 10.94.194.56/24;
            }
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-9/0/2;
            }
        }
    }
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            description "Unit 0 must be given a VLAN tag so using a dummy tag to align units to tags";
            vlan-id 1;
        }
        unit 22 {
            description "Internet Edge";
            vlan-id 22;
            family inet {
                address 10.10.22.254/24;
            }
        }
        unit 28 {
            description Management;
            vlan-id 28;
            family inet {
                address 10.10.28.254/24;
            }
        }
        unit 30 {
            description "Guest Wired";
            vlan-id 30;
            family inet {
                address 10.10.30.254/24;
            }
        }
        unit 32 {
            description "Guest Wireless";
            vlan-id 32;
            family inet {
                address 10.10.32.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            qualified-next-hop 10.94.194.254 {
                preference 20;
            }
            qualified-next-hop 10.94.191.254 {
                preference 10;
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface reth0.22;
        }
    }
    lldp {
        interface ge-2/0/0.0;
        interface ge-11/0/0.0;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set Guest-to-untrust {
                from zone Guest;
                to zone untrust;
                rule Guest-source-nat {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set Internet_Edge-to-untrust {
                from zone Internet_Edge;
                to zone untrust;
                rule Internet_Edge-source-nat {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Guest to-zone untrust {
            policy allow-guest-to-internet {
                match {
                    source-address [ Guest_Wireless Guest_Wired ];
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Internet_Edge to-zone untrust {
            policy allow-Internet_Edge-to-internet {
                match {
                    source-address [ Data_Wired_1 Data_Wired_2 Data_Wireless_1 Data_Wireless_2 Servers VOIP_Wired_1 VOIP_Wired_2 ];
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-11/0/2.0;
                ge-2/0/1.0;
            }
        }
        security-zone Guest {
            address-book {
                address Guest_Wired 10.10.30.0/24;
                address Guest_Wireless 10.10.32.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
            }
            interfaces {
                reth0.30 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            bootp;
                        }
                    }
                }
                reth0.32 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            bootp;
                        }
                    }
                }
            }
        }
        security-zone Management {
            host-inbound-traffic {
                system-services {
                    ssh;
                    http;
                    https;
                    ping;
                    snmp;
                    traceroute;
                }
            }
            interfaces {
                reth0.28;
            }
        }
        security-zone Internet_Edge {
            address-book {
                address Data_Wired_1 10.10.10.0/24;
                address Data_Wired_2 10.10.12.0/24;
                address VOIP_Wired_1 10.10.14.0/24;
                address VOIP_Wired_2 10.10.16.0/24;
                address Data_Wireless_1 10.10.18.0/24;
                address Data_Wireless_2 10.10.20.0/24;
                address Servers 10.10.24.0/24;
                address Access_Points 10.10.26.0/24;
                address Management 10.10.28.0/24;
                address Guest_Wired 10.10.30.0/24;
                address Guest_Wireless 10.10.32.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
                protocols {
                    ospf;
                }
            }
            interfaces {
                reth0.22;
            }
        }
    }
}
APPENDIX E
Bill of Materials
The tables in this Appendix list the hardware required to assemble and deploy the validated network.
Quantity  Part number             Description
2                                 40-port 1-Gigabit Ethernet or 10-Gigabit Ethernet SFP/SFP+, front-to-back airflow, hardware support for Data Center Bridging, and support for eight PFC (802.1Qbb) queues.
          EX4200-48PX             48-port 10/100/1000BASE-T (48 PoE+ ports) + 930 W AC PSU. Includes 50cm Virtual Chassis cable.
40        EX-SFP-10GE-SR          SFP+ 10GBASE-SR; LC connector; 850nm; 300m reach on 50 microns multimode fiber; 33m on 62.5 microns multimode fiber.
          SRX650-BASE-SRE6-645AP  SRX650 Services Gateway with SRE 6, 645 W AC PoE PSU; includes 4 onboard 10/100/1000BASE-T ports, 2 GB DRAM, 2 GB CF, 247 W PoE power, fan tray, power cord and rack-mount kit.
2         SRX-GP-16GE             16-port 10/100/1000BASE-T XPIM.
2         WLC8R                   Wireless LAN controller with 8 x 10/100BASE-T ports (6 PoE), dual integrated PSU and support for 12 access points.
Quantity  Part number     Description
2         EX4200-48PX     48-port 10/100/1000BASE-T (48 PoE+ ports) + 930 W AC PSU. Includes 50cm Virtual Chassis cable.
          EX-UM-2X4SFP    2-port 10G SFP+ / 4-port 1G SFP Uplink Module.
3         EX-SFP-10GE-SR  SFP+ 10GBASE-SR; LC connector; 850nm; 300m reach on 50 microns multimode fiber; 33m on 62.5 microns multimode fiber.
          WLA522-US       Access point with dual radios 802.11a/b/g/n 2x2 MIMO (2SS), single 1000BASE-T 802.3af PoE Ethernet port, 4 internal antennas. Not rated for plenum use. Ceiling/wall mount bracket included. Required for operation in USA.
Quantity  Part number     Description
2         EX4200-48PX     48-port 10/100/1000BASE-T (48 PoE+ ports) + 930 W AC PSU. Includes 50cm Virtual Chassis cable.
2         EX-UM-2X4SFP    2-port 10G SFP+ / 4-port 1G SFP Uplink Module.
3         EX-SFP-10GE-SR  SFP+ 10GBASE-SR; LC connector; 850nm; 300m reach on 50 microns multimode fiber; 33m on 62.5 microns multimode fiber.
          WLA522-US       Access point with dual radios 802.11a/b/g/n 2x2 MIMO (2SS), single 1000BASE-T 802.3af PoE Ethernet port, 4 internal antennas. Not rated for plenum use. Ceiling/wall mount bracket included. Required for operation in USA.
Quantity  Part number     Description
2         EX4200-48PX     48-port 10/100/1000BASE-T (48 PoE+ ports) + 930 W AC PSU. Includes 50cm Virtual Chassis cable.
2         EX-UM-2X4SFP    2-port 10G SFP+ / 4-port 1G SFP Uplink Module.
3         EX-SFP-10GE-SR  SFP+ 10GBASE-SR; LC connector; 850nm; 300m reach on 50 microns multimode fiber; 33m on 62.5 microns multimode fiber.
          WLA522-US       Access point with dual radios 802.11a/b/g/n 2x2 MIMO (2SS), single 1000BASE-T 802.3af PoE Ethernet port, 4 internal antennas. Not rated for plenum use. Ceiling/wall mount bracket included. Required for operation in USA.
Quantity  Part number     Description
2         EX4200-48PX     48-port 10/100/1000BASE-T (48 PoE+ ports) + 930 W AC PSU. Includes 50cm Virtual Chassis cable.
2         EX-UM-2X4SFP    2-port 10G SFP+ / 4-port 1G SFP Uplink Module.
3         EX-SFP-10GE-SR  SFP+ 10GBASE-SR; LC connector; 850nm; 300m reach on 50 microns multimode fiber; 33m on 62.5 microns multimode fiber.
          WLA522-US       Access point with dual radios 802.11a/b/g/n 2x2 MIMO (2SS), single 1000BASE-T 802.3af PoE Ethernet port, 4 internal antennas. Not rated for plenum use. Ceiling/wall mount bracket included. Required for operation in USA.