
Advanced Junos Enterprise Switching

10.b


Worldwide Education Services

1194 North Mathilda Avenue Sunnyvale, CA 94089 USA

408-745-2000

www.juniper.net

Course Number: EDU-JUN-AJEX

Detailed Lab Guide


This document is produced by Juniper Networks, Inc.

This document or any part thereof may not be reproduced or transmitted in any form under penalty of law, without the prior written permission of Juniper Networks Education Services.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Advanced Junos Enterprise Switching Detailed Lab Guide, Revision 10.b

Copyright © 2011 Juniper Networks, Inc. All rights reserved.

Printed in USA.

Revision History:

Revision 10.a—April 2011

Revision 10.b—June 2011

The information in this document is current as of the date listed above.

The information in this document has been carefully verified and is believed to be accurate for software Release 10.4R3.4. Juniper Networks assumes no responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct, indirect, special, exemplary, incidental, or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages.

Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

YEAR 2000 NOTICE

Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

SOFTWARE LICENSE

The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should consult the software license for further details.

Contents

Lab 1: Advanced Ethernet Switching (Detailed)
  Part 1: Logging In Using the CLI
  Part 2: Configuring and Monitoring Filter-Based VLAN Assignments
  Part 3: Configuring and Monitoring a PVLAN
  Part 4: Configuring and Monitoring MVRP
  Part 5: Configuring and Monitoring Q-in-Q Tunneling

Lab 2: Implementing MSTP and VSTP (Detailed)
  Part 1: Modifying the Existing Configuration
  Part 2: Configuring and Monitoring MSTP
  Part 3: Configuring and Monitoring VSTP

Lab 3: Authentication and Access Control (Detailed)
  Part 1: Modifying the Existing Configuration
  Part 2: Configuring 802.1X
  Part 3: Configuring and Monitoring Other Access and Authentication Features

Lab 4: Deploying IP Telephony Features (Detailed)
  Part 1: Modifying the Existing Configurations
  Part 2: Configuring and Monitoring PoE
  Part 3: Configuring and Monitoring LLDP and LLDP-MED
  Part 4: Configuring and Monitoring the Voice VLAN Feature

Lab 5: Class of Service (Detailed)
  Part 1: Exploring the Default CoS Configuration
  Part 2: Configuring and Monitoring CoS Components
  Part 3: Implementing CoS Using the EZQoS Template

Lab 6: Monitoring and Troubleshooting Layer 2 Networks (Detailed)
  Part 1: Modifying the Existing Configurations
  Part 2: Determining Success
  Part 3: Verifying Hardware Components and System Processes
  Part 4: Verifying Ethernet Switching, MSTP, and Aggregate Ethernet Interfaces
  Part 5: Configuring Port Mirroring and sFlow

Appendix A: Lab Diagrams

Course Overview

This two-day course provides detailed coverage of virtual LAN (VLAN) operations, Multiple Spanning Tree Protocol (MSTP) and VLAN Spanning Tree Protocol (VSTP), authentication and access control for Layer 2 networks, IP telephony features, class of service (CoS) and monitoring and troubleshooting tools and features supported on the EX Series Ethernet Switches.

Through demonstrations and hands-on labs, students will gain experience in configuring and monitoring the Junos operating system and in monitoring device and protocol operations.

Objectives

After successfully completing this course, you should be able to:

• Implement filter-based VLAN assignments.

• Restrict traffic flow within a VLAN.

• Manage dynamic VLAN registration.

• Tunnel Layer 2 traffic through Ethernet networks.

• Review the purpose and operations of a spanning tree.

• Implement multiple spanning tree instances in a network.

• Implement one or more spanning tree instances for a VLAN.

• List the benefits of implementing end-user authentication.

• Explain the operations of various access control features.

• Configure and monitor various access control features.

• Describe processing considerations when multiple authentication and access control features are enabled.

• Describe some common IP telephony deployment scenarios.

• Describe features that facilitate IP telephony deployments.

• Configure and monitor features used in IP telephony deployments.

• Explain the purpose and basic operations of class of service.

• Describe class of service features used in Layer 2 networks.

• Configure and monitor class of service in a Layer 2 network.

• Describe a basic troubleshooting method.

• List common issues that disrupt network operations.

• Identify tools used in network troubleshooting.

• Use available tools to resolve network issues.

Intended Audience

This course benefits individuals responsible for configuring and monitoring EX Series switches.

Course Level

Advanced Junos Enterprise Switching is an advanced-level course.

Prerequisites

Students should have an intermediate level of networking knowledge and an understanding of the Open Systems Interconnection (OSI) reference model and the TCP/IP protocol suite. Students should also attend the Introduction to the Junos Operating System (IJOS), the Junos Routing Essentials (JRE), and the Junos Enterprise Switching (JEX) courses prior to attending this class.

Course Agenda

Day 1

Chapter 1: Course Introduction
Chapter 2: Advanced Ethernet Switching
Lab 1: Advanced Ethernet Switching (Detailed)
Chapter 3: Advanced Spanning Tree
Lab 2: Implementing MSTP and VSTP (Detailed)
Chapter 4: Authentication and Access Control
Lab 3: Authentication and Access Control (Detailed)

Day 2

Chapter 5: Deploying IP Telephony Features
Lab 4: Deploying IP Telephony Features (Detailed)
Chapter 6: Class of Service
Lab 5: Class of Service (Detailed)
Chapter 7: Monitoring and Troubleshooting
Lab 6: Monitoring and Troubleshooting Layer 2 Networks (Detailed)

Document Conventions

CLI and GUI Text

Frequently throughout this course, we refer to text that appears in a command-line interface (CLI) or a graphical user interface (GUI). To make the language of these documents easier to read, we distinguish GUI and CLI text from chapter text according to the following table.

Style: Franklin Gothic
Description: Normal text.
Usage Example: Most of what you read in the Lab Guide and Student Guide.

Style: Courier New
Description: Console text (screen captures, noncommand-related syntax) and GUI text elements (menu names, text field entry).
Usage Example: commit complete
Usage Example: Exiting configuration mode
Usage Example: Select File > Open, and then click Configuration.conf in the Filename text box.

Input Text Versus Output Text

You will also frequently see cases where you must enter input text yourself. Often these instances will be shown in the context of where you must enter them. We use bold style to distinguish text that is input versus text that is simply displayed.

Style: Normal CLI, Normal GUI
Description: No distinguishing variant.
Usage Example: Physical interface:fxp0, Enabled
Usage Example: View configuration history by clicking Configuration > History.

Style: CLI Input, GUI Input
Description: Text that you must enter.
Usage Example: lab@San_Jose> show route
Usage Example: Select File > Save, and type config.ini in the Filename field.

Defined and Undefined Syntax Variables

Finally, this course distinguishes between regular text and syntax variables, and it also distinguishes between syntax variables where the value is already assigned (defined variables) and syntax variables where you must assign the value (undefined variables). Note that these styles can be combined with the input style as well.

Style: CLI Variable, GUI Variable
Description: Text where variable value is already assigned.
Usage Example: policy my-peers
Usage Example: Click my-peers in the dialog.

Style: CLI Undefined, GUI Undefined
Description: Text where the variable’s value is the user’s discretion or text where the variable’s value as shown in the lab guide might differ from the value the user must input according to the lab topology.
Usage Example: Type set policy policy-name.
Usage Example: ping 10.0.x.y
Usage Example: Select File > Save, and type filename in the Filename field.

Additional Information

Education Services Offerings

You can obtain information on the latest Education Services offerings, course dates, and class locations from the World Wide Web by pointing your Web browser to:

http://www.juniper.net/training/education/.

About This Publication

The Advanced Junos Enterprise Switching Detailed Lab Guide was developed and tested using software Release 10.4R3.4. Previous and later versions of software might behave differently so you should always consult the documentation and release notes for the version of code you are running before reporting errors.

This document is written and maintained by the Juniper Networks Education Services development team. Please send questions and suggestions for improvement to training@juniper.net.

Technical Publications

You can print technical manuals and release notes directly from the Internet in a variety of formats:

• Go to http://www.juniper.net/techpubs/.

• Locate the specific software or hardware release and title you need, and choose the format in which you want to view or print the document.

Documentation sets and CDs are available through your local Juniper Networks sales office or account representative.

Juniper Networks Support

For technical support, contact Juniper Networks at http://www.juniper.net/customers/support/, or at 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States).

Lab 1

Advanced Ethernet Switching (Detailed)

Overview

In this lab, you familiarize yourself with the starting configuration and the lab environment. You will also use the command-line interface (CLI) to configure and monitor various Ethernet switching features covered in the corresponding lecture.

The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab you will perform the following tasks:

• Familiarize yourself with the lab environment.

• Configure and monitor filter-based VLAN assignments.

• Configure and monitor a private VLAN (PVLAN).

• Configure and monitor the Multiple VLAN Registration Protocol (MVRP).

• Configure and monitor Q-in-Q tunneling.


Part 1: Logging In Using the CLI

In this lab part, you familiarize yourself with the access details used to connect to the lab equipment. Once you are familiar with the access details, you will use the CLI to log in to your team’s designated switch and become familiar with this lab’s environment.

Step 1.1

Note

The lab equipment used in this class is likely to be remote from your physical location. The instructor will provide access details to get you logged in to your assigned device.

Ensure that you know to which switch you have been assigned. Check with your instructor if you are not certain. Consult the Management Network Diagram to determine your switch’s management address.

Question: What is the management address assigned to your switch?

Answer: Your answer will depend on your assigned device and the rack of equipment you are using.

Step 1.2

Access the CLI for your switch using either the console, Telnet, or SSH as directed by your instructor. Refer to the Management Network Diagram for the IP address associated with your team’s station. The following example uses Telnet and the SecureCRT program:


Step 1.3


Log in as user lab with the password supplied by your instructor.

exD-1 (ttyu0)

login: lab

Password:

--- JUNOS 10.4R3.4 built 2011-03-19 22:06:32 UTC

{master:0}

lab@exD-1>

Part 2: Configuring and Monitoring Filter-Based VLAN Assignments

In this lab part, you configure and monitor filter-based VLAN assignments. You will first verify the state of the starting configuration. You will then configure and apply a firewall filter used for a filter-based VLAN assignment. You will then associate the interfaces.

Step 2.1

Use the show interfaces terse command to ensure ge-0/0/7.0, ge-0/0/8.0, and ge-0/0/12.0 are all enabled for Layer 2 operations and are up, both physically and administratively.

{master:0}

lab@exD-1> show interfaces terse | match "Interfaces|0/0/(7|8|12)"

Interface               Admin Link Proto    Local                 Remote
ge-0/0/7                up    up
ge-0/0/7.0              up    up   eth-switch
ge-0/0/8                up    up
ge-0/0/8.0              up    up   eth-switch
ge-0/0/12               up    up
ge-0/0/12.0             up    up   eth-switch

Question: Are the referenced interfaces enabled for Layer 2 operations and up, physically and administratively?

Answer: The answer should be yes. You should see up listed under the Admin and Link columns and eth-switch under the Proto column. If your output does not match the sample output, please work with your instructor to ensure the correct starting configuration has been loaded.


Step 2.2

Use the show vlans command to ensure ge-0/0/7.0 and ge-0/0/8.0 are associated with the v11 and v12 VLANs respectively. Use the same command to ensure ge-0/0/12.0 is associated with both v11 and v12.

{master:0}

lab@exD-1> show vlans

Name           Tag     Interfaces
default
                       None
v11            11
                       ge-0/0/7.0*, ge-0/0/12.0*
v12            12
                       ge-0/0/8.0*, ge-0/0/12.0*


Question: Are the referenced interfaces associated with the correct VLANs?

Answer: The answer should be yes. You should see ge-0/0/7.0 and ge-0/0/12.0 associated with VLAN v11 and ge-0/0/8.0 and ge-0/0/12.0 associated with VLAN v12. If you see something different, please work with your instructor as needed.

Question: What operational mode command can you issue to determine the port modes currently assigned with the referenced interfaces?

Answer: Multiple commands are available to view port mode assignments. The following output illustrates two such commands and shows that ge-0/0/7.0 and ge-0/0/8.0 are access ports (or untagged ports), whereas ge-0/0/12.0 is a trunk port (or a tagged port):

{master:0}
lab@exD-1> show vlans detail
VLAN: default, 802.1Q Tag: Untagged, Admin State: Enabled

VLAN: v11, 802.1Q Tag: 11, Admin State: Enabled
  Number of interfaces: 2 (Active = 2)
    Untagged interfaces: ge-0/0/7.0*
    Tagged interfaces: ge-0/0/12.0*

VLAN: v12, 802.1Q Tag: 12, Admin State: Enabled
  Number of interfaces: 2 (Active = 2)
    Untagged interfaces: ge-0/0/8.0*
    Tagged interfaces: ge-0/0/12.0*

{master:0}
lab@exD-1> show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging  Blocking
ge-0/0/7.0   up     v11                 11    untagged unblocked
ge-0/0/8.0   up     v12                 12    untagged unblocked
ge-0/0/12.0  up     v11                 11    tagged   unblocked
                    v12                 12    tagged   unblocked

Step 2.3

Enter configuration mode and navigate to the [edit firewall family ethernet-switching] hierarchy. Create a firewall filter named fbva that matches any source IP address in the 172.23.15.0/24 subnet and associates the related traffic with VLAN v15. Ensure that all other traffic is permitted.

{master:0}
lab@exD-1> configure
Entering configuration mode

{master:0}[edit]
lab@exD-1# edit firewall family ethernet-switching

{master:0}[edit firewall family ethernet-switching]
lab@exD-1# set filter fbva term match-net from source-address 172.23.15.0/24

{master:0}[edit firewall family ethernet-switching]
lab@exD-1# set filter fbva term match-net then vlan v15

{master:0}[edit firewall family ethernet-switching]
lab@exD-1# set filter fbva term else-accept then accept

{master:0}[edit firewall family ethernet-switching]
lab@exD-1# show
filter fbva {
    term match-net {
        from {
            source-address {
                172.23.15.0/24;
            }
        }
        ##
        ## Warning: Named or Non-range vlan must be set
        ##
        then vlan v15;
    }
    term else-accept {
        then accept;
    }
}

{master:0}[edit firewall family ethernet-switching]
lab@exD-1#

Step 2.4

Navigate to the [edit interfaces] hierarchy and associate the newly defined filter with ge-0/0/7.0 as an input filter.

{master:0}[edit firewall family ethernet-switching]
lab@exD-1# top edit interfaces

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/7.0 family ethernet-switching filter input fbva

{master:0}[edit interfaces]
lab@exD-1#

Step 2.5

Navigate to the [edit vlans] hierarchy and define VLAN v15 to use VLAN ID 15. Associate ge-0/0/12.0 and ge-0/0/7.0 with this VLAN. Note that to correctly associate ge-0/0/7.0 with the newly defined VLAN, you must use the mapping policy statement. Activate the changes using commit.

{master:0}[edit interfaces]
lab@exD-1# top edit vlans

{master:0}[edit vlans]
lab@exD-1# set v15 vlan-id 15

{master:0}[edit vlans]
lab@exD-1# set v15 interface ge-0/0/12.0

{master:0}[edit vlans]
lab@exD-1# set v15 interface ge-0/0/7.0 mapping policy

{master:0}[edit vlans]
lab@exD-1# show v15
vlan-id 15;
interface {
    ge-0/0/12.0;
    ge-0/0/7.0 {
        mapping {
            policy;
        }
    }
}

{master:0}[edit vlans]
lab@exD-1# commit
configuration check succeeds
commit complete

{master:0}[edit vlans]
lab@exD-1#

Step 2.6

Issue the run show vlans v15 detail command and verify the designated access port and trunk port are associated with VLAN v15.

{master:0}[edit vlans]
lab@exD-1# run show vlans v15 detail
VLAN: v15, 802.1Q Tag: 15, Admin State: Enabled
Number of interfaces: 2 (Active = 2)
  Tagged interfaces: ge-0/0/12.0*
  Mapping policy interfaces: ge-0/0/7.0*

Question: Are the expected interfaces now associated with VLAN v15?

Answer: Yes, as shown in the sample output, the ge-0/0/7.0 and ge-0/0/12.0 interfaces should both now be associated with VLAN v15. The ge-0/0/12.0 interface is a trunk port serving VLAN v15 and the ge-0/0/7.0 interface is an access port for all traffic that matches the applied mapping policy (firewall filter).

Question: Based on the current configuration, with which VLAN would traffic entering ge-0/0/7.0 with an IP source address of 172.23.16.100 be associated?

Answer: Based on the current configuration, all traffic, except traffic from the 172.23.15.0/24 subnet, should be associated with VLAN v11. Traffic sourced from the 172.23.15.0/24 subnet should be associated with VLAN v15.

Step 2.7

Issue the top save /var/home/lab/ajex/lab1part2.conf command to save the entire configuration. Note that you will need to reload this configuration at a later time so ensure the entire configuration is saved.

{master:0}[edit vlans]
lab@exD-1# top save /var/home/lab/ajex/lab1part2.conf
Wrote 120 lines of configuration to '/var/home/lab/ajex/lab1part2.conf'

STOP

Before proceeding ensure that the remote team is done with Part 2.


Part 3: Configuring and Monitoring a PVLAN

In this lab part, you configure and monitor a PVLAN. You will first delete the current VLAN configuration. You will then configure and monitor a PVLAN named pvlan-50 with two community VLANs named finance and sales. Refer to the network diagram for configuration details associated with this lab.

Step 3.1

Delete all configuration under the [edit vlans] hierarchy level.

{master:0}[edit vlans]
lab@exD-1# delete
Delete everything under this level? [yes,no] (no) yes

Step 3.2

Delete all configuration under the [edit firewall] hierarchy and remove the application of the fbva firewall filter from the ge-0/0/7.0 interface.

{master:0}[edit vlans]
lab@exD-1# top delete firewall

{master:0}[edit vlans]
lab@exD-1# top delete interfaces ge-0/0/7.0 family ethernet-switching filter

Step 3.3

Configure a primary VLAN named pvlan-50 with a VLAN ID of 50. Associate the ge-0/0/12 interface with this newly defined VLAN. Configure ge-0/0/12 to function as a PVLAN trunk port.

{master:0}[edit vlans]
lab@exD-1# set pvlan-50 vlan-id 50 interface ge-0/0/12.0 pvlan-trunk

{master:0}[edit vlans]
lab@exD-1# set pvlan-50 no-local-switching

Step 3.4

Use the details shown on the network diagram for this lab and configure two community VLANs: one named finance and the other named sales. Ensure that ge-0/0/7.0 and ge-0/0/8.0 are associated with their respective community VLANs and that both community VLANs are linked to the primary VLAN (pvlan-50).

{master:0}[edit vlans]
lab@exD-1# set finance vlan-id 41 interface ge-0/0/7.0

{master:0}[edit vlans]
lab@exD-1# set finance primary-vlan pvlan-50

{master:0}[edit vlans]
lab@exD-1# set sales vlan-id 42 interface ge-0/0/8.0

{master:0}[edit vlans]
lab@exD-1# set sales primary-vlan pvlan-50

Step 3.5

Attempt to activate the changes using the commit command.

{master:0}[edit vlans]
lab@exD-1# commit
error: Trunk port ge-0/0/12.0 cannot be made member of community vlan <finance>
error: configuration check-out failed

Question: Does the commit operation succeed? If not can you explain why not?

Answer: No, as shown in the sample output the ge-0/0/12.0 trunk port is currently associated with one or more community VLANs. After a closer look at the active configuration it should be obvious where the problem lies:

{master:0}[edit vlans]
lab@exD-1# top show interfaces ge-0/0/12.0
family ethernet-switching {
    port-mode trunk;
    vlan {
        members all;
    }
}

Step 3.6

Remove the vlan members all statement from the ge-0/0/12.0 interface configuration and attempt the commit operation once again.

{master:0}[edit vlans]
lab@exD-1# top delete interfaces ge-0/0/12.0 family ethernet-switching vlan

{master:0}[edit vlans]
lab@exD-1# commit
configuration check succeeds
commit complete

Question: Does the commit operation succeed now?

Answer: Yes, as shown in the sample output, the commit operation should now succeed.

Step 3.7

Issue the run show vlans pvlan-50 extensive command to determine the current PVLAN designations for the associated interfaces and community VLANs.

{master:0}[edit vlans]
lab@exD-1# run show vlans pvlan-50 extensive
VLAN: pvlan-50, Created at: Fri May 13 23:02:03 2011
802.1Q Tag: 50, Internal index: 9, Admin State: Enabled, Origin: Static
Private VLAN Mode: Primary
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 1 (Active = 1), Untagged 2 (Active = 2)
      ge-0/0/12.0*, tagged, trunk, pvlan-trunk
      ge-0/0/7.0*, untagged, access
      ge-0/0/8.0*, untagged, access
Secondary VLANs: Isolated 0, Community 2, Inter-switch-isolated 0
  Community VLANs :
      finance
      sales

Question: Are the expected access and trunk ports listed in the output?

Answer: Yes, as shown in the sample output, the two access ports and the trunk port should be listed in the output.

Question: Based on the output, is the ge-0/0/12.0 properly enabled as a PVLAN trunk port?

Answer: Yes, as shown in the sample output, the ge-0/0/12.0 interface should be enabled as a PVLAN trunk port.

Note

You will now log in to your assigned SRX device. The gateway is configured with multiple virtual routers (VRs), which are logical devices created on your assigned gateway. Most of the configuration required for the SRX device has already been defined. You will, however, be required to modify the existing configuration throughout the labs. Refer to the Management Network Diagram for the IP address of your assigned SRX device. If needed, work with your instructor to obtain the required information.

Step 3.8


Open a separate session to your assigned gateway. Note you can connect to your gateway using the console connection through the terminal server or through a Telnet or SSH session using the SRX device’s management IP address. Consult with your instructor if you have questions.

Step 3.9


Log in to your assigned SRX device using the lab user account and the password provided by your instructor.

srxD-1 (ttyu0)

login: lab

Password:

--- JUNOS 10.4R3.4 built 2011-03-19 22:29:40 UTC

lab@srxD-1>

Step 3.10

From both of the VRs attached to your assigned EX Series switch, attempt to ping the other VR attached to your assigned EX Series switch, as well as the two VRs attached to the remote student EX Series switch. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs and do not forget to reference the correct routing instance.

Variable y is used to distinguish the local VR attached to your assigned EX Series switch. Variable z is used to distinguish the destination IP address of the local and remote VRs.

lab@srxD-1> ping routing-instance vry1 172.24.50.z rapid
PING 172.24.50.2 (172.24.50.2): 56 data bytes
--- 172.24.50.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

lab@srxD-1> ping routing-instance vry1 172.24.50.z rapid
PING 172.24.50.3 (172.24.50.3): 56 data bytes
!!!!!
--- 172.24.50.3 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.955/1.062/1.227/0.093 ms

lab@srxD-1> ping routing-instance vry1 172.24.50.z rapid
PING 172.24.50.4 (172.24.50.4): 56 data bytes
--- 172.24.50.4 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

lab@srxD-1> ping routing-instance vry2 172.24.50.z rapid
PING 172.24.50.1 (172.24.50.1): 56 data bytes
--- 172.24.50.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

lab@srxD-1> ping routing-instance vry2 172.24.50.z rapid
PING 172.24.50.3 (172.24.50.3): 56 data bytes
--- 172.24.50.3 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

lab@srxD-1> ping routing-instance vry2 172.24.50.z rapid
PING 172.24.50.4 (172.24.50.4): 56 data bytes
!!!!!
--- 172.24.50.4 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.025/5.862/24.405/9.272 ms

Question: Do the ping tests between the VRs associated with the same community VLANs succeed?

Answer: Yes, as expected the ping tests between the VRs associated with the same community VLANs succeed. As shown in the sample output, the ping tests between VRs in different community VLANs should not succeed. If your test shows different results, check with the remote team to ensure they have committed the required configuration and, if needed, work with your instructor.

STOP

Before proceeding ensure that the remote team is done with Part 3.
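The Step 3.10 ping matrix can be checked mechanically against the PVLAN forwarding rule. The Python below is an added example, not part of the Juniper lab guide: it parses ping results and reports any pair whose outcome disagrees with the expected isolation. The transcript is constructed from the sample output above with z filled in; the mapping of vry1 and vry2 to 172.24.50.1 and 172.24.50.2, and of each address pair to finance or sales, is an assumption because the network diagram is not reproduced here. The rule also covers isolated and promiscuous ports, which goes beyond the two community VLANs used in this lab.

```python
import re

# Secondary-VLAN role of each host's access port. Addresses come from the lab's
# ping output; which pair is "finance" and which is "sales" is an assumption
# (the output only shows that .1/.3 share one community and .2/.4 the other).
HOSTS = {
    "172.24.50.1": ("community", "finance"),
    "172.24.50.2": ("community", "sales"),
    "172.24.50.3": ("community", "finance"),
    "172.24.50.4": ("community", "sales"),
}
# Source address of each local VR (assumed; "vry1"/"vry2" are the guide's placeholders).
SOURCE_ADDR = {"vry1": "172.24.50.1", "vry2": "172.24.50.2"}

# Constructed transcript: the lab's six tests, reduced to command and statistics lines.
TRANSCRIPT = """\
lab@srxD-1> ping routing-instance vry1 172.24.50.2 rapid
5 packets transmitted, 0 packets received, 100% packet loss
lab@srxD-1> ping routing-instance vry1 172.24.50.3 rapid
5 packets transmitted, 5 packets received, 0% packet loss
lab@srxD-1> ping routing-instance vry1 172.24.50.4 rapid
5 packets transmitted, 0 packets received, 100% packet loss
lab@srxD-1> ping routing-instance vry2 172.24.50.1 rapid
5 packets transmitted, 0 packets received, 100% packet loss
lab@srxD-1> ping routing-instance vry2 172.24.50.3 rapid
5 packets transmitted, 0 packets received, 100% packet loss
lab@srxD-1> ping routing-instance vry2 172.24.50.4 rapid
5 packets transmitted, 5 packets received, 0% packet loss
"""

PING_RE = re.compile(r"ping routing-instance (\S+) (\S+) rapid")
STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received")


def allowed(a, b):
    """PVLAN forwarding rule between two ports of the same primary VLAN."""
    (kind_a, name_a), (kind_b, name_b) = a, b
    if "promiscuous" in (kind_a, kind_b):
        return True                      # promiscuous ports reach every port
    if kind_a == kind_b == "community":
        return name_a == name_b          # same community only, also across the pvlan-trunk
    return False                         # isolated ports reach promiscuous ports only


def parse_pings(transcript):
    """Map (source address, destination address) to True if any reply came back."""
    results, current = {}, None
    for line in transcript.splitlines():
        cmd = PING_RE.search(line)
        if cmd:
            current = (SOURCE_ADDR[cmd.group(1)], cmd.group(2))
            continue
        stats = STATS_RE.search(line)
        if stats and current:
            results[current] = int(stats.group(2)) > 0
            current = None
    return results


def check_isolation(transcript, hosts=HOSTS):
    """Return (src, dst, verdict) for every test that disagrees with the rule."""
    problems = []
    for (src, dst), reached in parse_pings(transcript).items():
        expected = allowed(hosts[src], hosts[dst])
        if reached and not expected:
            problems.append((src, dst, "LEAK"))      # traffic crossed communities
        elif expected and not reached:
            problems.append((src, dst, "BLOCKED"))   # same-community path is broken
    return problems


if __name__ == "__main__":
    print(check_isolation(TRANSCRIPT) or "ping matrix matches the PVLAN design")
```

A LEAK verdict is the one that matters for segmentation: it means two hosts in different community VLANs exchanged traffic, which the PVLAN configuration in this part is meant to prevent.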

Part 4: Configuring and Monitoring MVRP


In this lab part, you configure and monitor MVRP. You will first load the configuration file saved in a previous lab part and make some minor modifications. You will then configure and monitor MVRP. Refer to the network diagram for configuration details associated with this lab.

Step 4.1

Return to your EX Series switch.

Navigate to the root of the hierarchy level and use the load override and commit commands to restore the configuration saved at the end of Part 2. Note that the configuration file should be in the /var/home/lab/ajex/ directory and should be named lab1part2.conf.

{master:0}[edit vlans]
lab@exD-1# top

{master:0}[edit]
lab@exD-1# load override /var/home/lab/ajex/lab1part2.conf
load complete

{master:0}[edit]
lab@exD-1# commit
configuration check succeeds
commit complete

{master:0}[edit]
lab@exD-1#

Step 4.2

Remove the vlan members all statement from the ge-0/0/12.0 interface configuration.

{master:0}[edit]
lab@exD-1# delete interfaces ge-0/0/12.0 family ethernet-switching vlan

Step 4.3

Delete the ge-0/0/12.0 interface from all currently defined VLANs. Issue the commit command to activate the changes.

{master:0}[edit]
lab@exD-1# delete vlans v11 interface ge-0/0/12.0

{master:0}[edit]
lab@exD-1# delete vlans v12 interface ge-0/0/12.0

{master:0}[edit]
lab@exD-1# delete vlans v15 interface ge-0/0/12.0

{master:0}[edit]
lab@exD-1# commit
configuration check succeeds
commit complete


Step 4.4

Issue the run show vlans command to ensure the ge-0/0/12.0 interface is no longer associated with any of the defined VLANs.

{master:0}[edit]
lab@exD-1# run show vlans
Name           Tag     Interfaces
default
                       None
v11            11
                       ge-0/0/7.0*
v12            12
                       ge-0/0/8.0*
v15            15
                       ge-0/0/7.0*

Question: Is the ge-0/0/12.0 interface currently associated with any of the defined VLANs?

Answer: No, as shown in the sample output, the trunk port ge-0/0/12.0 is no longer associated with any of the defined VLANs. Note that this behavior is expected based on the current configuration.

Step 4.5

Enable MVRP on the ge-0/0/12.0 interface. Activate the change using the commit command.

{master:0}[edit]
lab@exD-1# set protocols mvrp interface ge-0/0/12.0

{master:0}[edit]
lab@exD-1# commit
configuration check succeeds
commit complete

Step 4.6

Note

Before proceeding, ensure that the remote team in your pod finishes the previous step.

Issue the run show vlans command once again to determine whether the ge-0/0/12.0 interface is now associated with the defined VLANs.

{master:0}[edit]
lab@exD-1# run show vlans
Name           Tag     Interfaces
default
                       None
v11            11
                       ge-0/0/7.0*, ge-0/0/12.0*
v12            12
                       ge-0/0/8.0*, ge-0/0/12.0*
v15            15
                       ge-0/0/7.0*, ge-0/0/12.0*

Question: Is the ge-0/0/12.0 interface now associated with the defined VLANs?

Answer: Yes, as shown in the sample output, the trunk port ge-0/0/12.0 is now associated with all of the defined VLANs. Note that you can also view dynamic VLAN membership associations using the show mvrp dynamic-vlan-memberships command as shown in the following:

{master:0}[edit]
lab@exD-1# run show mvrp dynamic-vlan-memberships
MVRP dynamic vlans for routing instance 'default-switch'
(s) static vlan, (f) fixed registration

VLAN ID        Interfaces
11(s)          ge-0/0/12.0
12(s)          ge-0/0/12.0
15(s)          ge-0/0/12.0

Step 4.7

Issue the run show mvrp statistics command to display MVRP statistics.

{master:0}[edit]
lab@exD-1# run show mvrp statistics
MVRP statistics

Interface name           : ge-0/0/12.0
MRPDU received           : 15
Invalid PDU received     : 0
New received             : 0
Join Empty received      : 12
Join In received         : 33
Empty received           : 0
In received              : 0
Leave received           : 0
LeaveAll received        : 4
MRPDU transmitted        : 15
MRPDU transmit failures  : 0
New transmitted          : 0
Join Empty transmitted   : 33
Join In transmitted      : 12
Empty transmitted        : 0
In transmitted           : 0
Leave transmitted        : 0
LeaveAll transmitted     : 11

Question: Does the output show non-zero counters for the MRPDU received and MRPDU transmitted lines?

Answer: Yes, along with several other lines in the output the MRPDU received and MRPDU transmitted lines should show non-zero counters.
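The Step 4.7 check can be automated when many trunks run MVRP. The following Python sketch is an added example, not part of the Juniper lab guide: it parses show mvrp statistics text and reports interfaces that exchange no MRPDUs or that count invalid PDUs or transmit failures. The sample text is an abridged copy of the output above; the function names and finding messages are this example's own.

```python
import re

# Abridged copy of the Step 4.7 sample output (one MVRP-enabled trunk).
SAMPLE = """\
Interface name           : ge-0/0/12.0
MRPDU received           : 15
Invalid PDU received     : 0
Join Empty received      : 12
Join In received         : 33
LeaveAll received        : 4
MRPDU transmitted        : 15
MRPDU transmit failures  : 0
Join Empty transmitted   : 33
Join In transmitted      : 12
LeaveAll transmitted     : 11
"""

def parse_mvrp_statistics(text):
    """Return {interface: {counter name: int}} from 'show mvrp statistics' text."""
    stats, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(\S+)\s*$", line)
        if not m:
            continue  # headings and blank lines carry no counter
        name, value = m.groups()
        if name == "Interface name":
            current = stats.setdefault(value, {})
        elif current is not None and value.isdigit():
            current[name] = int(value)
    return stats

def mvrp_findings(stats):
    """List (interface, problem) pairs; an empty list means the checks passed."""
    findings = []
    for ifname, c in stats.items():
        if c.get("MRPDU received", 0) == 0:
            findings.append((ifname, "no MRPDUs received from the neighbor"))
        if c.get("MRPDU transmitted", 0) == 0:
            findings.append((ifname, "no MRPDUs transmitted"))
        if c.get("Invalid PDU received", 0) > 0:
            findings.append((ifname, "invalid PDUs received"))
        if c.get("MRPDU transmit failures", 0) > 0:
            findings.append((ifname, "MRPDU transmit failures"))
    return findings

if __name__ == "__main__":
    print(mvrp_findings(parse_mvrp_statistics(SAMPLE)) or "MVRP counters look healthy")
```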

STOP

Before proceeding, ensure that the remote team is done with Part 4.

Part 5: Configuring and Monitoring Q-in-Q Tunneling

In this lab part, you configure and monitor Q-in-Q tunneling. You will first modify the existing configuration file. You will then configure and monitor Q-in-Q tunneling and Layer 2 Protocol Tunneling (L2PT). Refer to the network diagram for configuration details associated with this lab.

Step 5.1

Enable ge-0/0/6 for Layer 2 operations as an access port.

{master:0}[edit]
lab@exD-1# edit interfaces

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/6.0 family ethernet-switching

{master:0}[edit interfaces]

Step 5.2

Configure a new VLAN named cust-1 with a VLAN ID of 200. Associate the newly defined access port (ge-0/0/6.0) with this new VLAN. Issue the commit command to activate the changes.

{master:0}[edit interfaces]
lab@exD-1# top edit vlans

{master:0}[edit vlans]
lab@exD-1# set cust-1 vlan-id 200 interface ge-0/0/6.0

{master:0}[edit vlans]
lab@exD-1# commit
configuration check succeeds
commit complete

{master:0}[edit vlans]
lab@exD-1#

Step 5.3


Return to the session opened for your SRX device.

From the VR attached to your assigned EX Series switch that represents the customer bridge and attached network, attempt to ping the IP address of the remote VR performing the same function for the remote team. Refer to the network diagram for the instance names and the IP address information. Do not forget to reference the correct routing instance when performing this operation.

lab@srxD-1> ping routing-instance ?
Possible completions:
  <routing-instance>   Routing instance for ping attempt
  vr10
  vr11
  vr12

lab@srxD-1> ping routing-instance vry0 172.27.100.z rapid
PING 172.27.100.2 (172.27.100.2): 56 data bytes
--- 172.27.100.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Question: Does the ping operation succeed? Can you explain why?

Answer: No, the ping operation should not succeed at this time. Remember that the current configuration expects untagged frames on the ge-0/0/6.0 interface. We remedy this situation shortly by adding Q-in-Q functionality to the cust-1 VLAN.

Step 5.4

Return to the session opened for your EX Series switch.

Enable Q-in-Q tunneling for all defined VLANs. Ensure that all Layer 2 protocol traffic is permitted through the Q-in-Q tunnel for traffic associated with the cust-1 VLAN. Activate the changes and return to operational mode using the commit and-quit command.

{master:0}[edit vlans]
lab@exD-1# set v11 dot1q-tunneling

{master:0}[edit vlans]
lab@exD-1# set v12 dot1q-tunneling

{master:0}[edit vlans]
lab@exD-1# set v15 dot1q-tunneling

{master:0}[edit vlans]
lab@exD-1# set cust-1 dot1q-tunneling layer2-protocol-tunneling all

{master:0}[edit vlans]
lab@exD-1# commit and-quit
configuration check succeeds
commit complete
Exiting configuration mode

{master:0}
lab@exD-1>

Step 5.5

Issue the show vlans cust-1 detail command.

{master:0}
lab@exD-1> show vlans cust-1 detail
VLAN: cust-1, 802.1Q Tag: 200, Admin State: Enabled
Dot1q Tunneling status: Enabled
Layer2 Protocol Tunneling status: Enabled
Number of interfaces: 2 (Active = 2)
  Untagged interfaces: ge-0/0/6.0*
  Tagged interfaces: ge-0/0/12.0*

Question: Based on the output, are Q-in-Q tunneling and L2PT now enabled?

Answer: Yes, as shown in the sample capture, Q-in-Q tunneling and L2PT are now enabled.

Step 5.6

Return to the session opened for your SRX device.

Use the ping utility once again and verify reachability between customer sites. Refer to the network diagram for the instance names and the IP address information. Do not forget to reference the correct routing instance when performing this operation.

lab@srxD-1> ping routing-instance vry0 172.27.100.z rapid
PING 172.27.100.2 (172.27.100.2): 56 data bytes
!!!!!
--- 172.27.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.038/5.765/24.069/9.153 ms

STOP

Question: Does the ping operation succeed now?

Answer: Yes, as shown in the sample output, the ping operation should now succeed.

Tell your instructor that you have completed Lab 1.
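Why the ping fails in Step 5.3 and succeeds in Step 5.6 can be seen at the frame level. The following Python model is an added example, not part of the Juniper lab guide: it assumes the customer bridge sends 802.1Q-tagged frames (as the Step 5.3 answer implies), uses a constructed customer VLAN ID and MAC addresses, and assumes EtherType 0x8100 for both tags. It is a simplified model of the access port, not the switch's forwarding code.

```python
import struct

TPID = 0x8100   # assumed tag EtherType for both the customer tag and the outer tag
S_VLAN = 200    # cust-1 vlan-id from Step 5.2
C_VLAN = 30     # constructed customer VLAN ID, not taken from the lab

def tag(vid):
    """Build one 4-byte 802.1Q tag (TPID, then PCP/DEI = 0 and the 12-bit VID)."""
    return struct.pack("!HH", TPID, vid & 0x0FFF)

def vlan_stack(frame):
    """Return the VLAN IDs that follow the two MAC addresses, outermost first."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids

def access_ingress(frame, vlan_id, dot1q_tunneling):
    """Simplified model of the access port receiving a frame from the customer."""
    if vlan_stack(frame) and not dot1q_tunneling:
        return None  # port expects untagged frames, so the tagged frame is dropped
    # Push the VLAN's tag as the outer tag; any customer tag stays untouched inside.
    return frame[:12] + tag(vlan_id) + frame[12:]

def access_egress(frame, vlan_id):
    """Far-end access port: pop the outer tag if it matches the VLAN, else drop."""
    vids = vlan_stack(frame)
    if not vids or vids[0] != vlan_id:
        return None
    return frame[:12] + frame[16:]

# Constructed customer frame: dst MAC, src MAC, customer tag, IPv4 EtherType, padding.
CUSTOMER = (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
            + tag(C_VLAN) + b"\x08\x00" + bytes(46))

if __name__ == "__main__":
    print("without dot1q-tunneling:", access_ingress(CUSTOMER, S_VLAN, False))
    trunk = access_ingress(CUSTOMER, S_VLAN, True)
    print("tags on the trunk:", vlan_stack(trunk))
    print("delivered unchanged:", access_egress(trunk, S_VLAN) == CUSTOMER)
```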


Lab 2

Implementing MSTP and VSTP (Detailed)

Overview

In this lab, you will use the command-line interface (CLI) to configure and monitor the Multiple Spanning Tree Protocol (MSTP) and VLAN STP (VSTP).

The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab you will perform the following tasks:

• Modify the existing configuration.

• Configure and monitor MSTP.

• Configure and monitor VSTP.


Part 1: Modifying the Existing Configuration

In this lab part, you will modify the existing configuration on your EX Series switch and perform some basic verification tasks to prepare for subsequent lab parts. Refer to the network diagram for this lab for topological and configuration details.

Step 1.1

Enter configuration mode and configure the ge-0/0/9 and ge-0/0/10 interfaces for Layer 2 operations and as trunk ports.

{master:0}
lab@exD-1> configure
Entering configuration mode

{master:0}[edit]
lab@exD-1# edit interfaces

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/9.0 family ethernet-switching port-mode trunk

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/10.0 family ethernet-switching port-mode trunk

{master:0}[edit interfaces]
lab@exD-1#

Step 1.2

Associate these newly defined trunk ports with all currently defined VLANs. Note that the VLANs must be statically associated with these new trunk ports, because the attached SRX devices do not support the Multiple VLAN Registration Protocol (MVRP). Also note that you cannot use the vlan members all statement because Q-in-Q tunneling is in place.

{master:0}[edit interfaces]
lab@exD-1# top edit vlans

{master:0}[edit vlans]
lab@exD-1# set ?
Possible completions:
  <vlan-name>          VLAN name
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  cust-1               VLAN name
> traceoptions         VLAN trace options
  v11                  VLAN name
  v12                  VLAN name
  v15                  VLAN name

{master:0}[edit vlans]
lab@exD-1# set cust-1 interface ge-0/0/9.0

{master:0}[edit vlans]
lab@exD-1# set cust-1 interface ge-0/0/10.0

{master:0}[edit vlans]
lab@exD-1# set v11 interface ge-0/0/9.0

{master:0}[edit vlans]
lab@exD-1# set v11 interface ge-0/0/10.0

{master:0}[edit vlans]
lab@exD-1# set v12 interface ge-0/0/9.0

{master:0}[edit vlans]
lab@exD-1# set v12 interface ge-0/0/10.0

{master:0}[edit vlans]
lab@exD-1# set v15 interface ge-0/0/9.0

{master:0}[edit vlans]
lab@exD-1# set v15 interface ge-0/0/10.0

{master:0}[edit vlans]
lab@exD-1#

Step 1.3


Activate the configuration changes using the commit command and verify the spanning-tree topology details using the run show spanning-tree bridge command.

{master:0}[edit vlans]
lab@exD-1# commit
configuration check succeeds
commit complete

{master:0}[edit vlans]
lab@exD-1# run show spanning-tree bridge

STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 4096.00:26:88:e1:45:10
  Root cost                         : 20000
  Root port                         : ge-0/0/9.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 1
  Number of topology changes        : 4
  Time since last topology change   : 1808 seconds
  Topology change initiator         : ge-0/0/9.0
  Topology change last recvd. from  : 00:26:88:e1:4f:8a
  Local parameters
    Bridge ID                       : 32768.50:c5:8d:ba:62:00
    Extended system ID              : 0
    Internal instance ID            : 0


Question: Which device is elected as the root bridge? Which interface will your switch use to forward traffic through the Layer 2 network?

Answer: The srxX-1 device should be elected the root bridge device based on its current bridge priority of 4 K. The root port, used to forward traffic through the root bridge, varies depending on your assigned switch. If you are assigned exX-1, the root port should be ge-0/0/9.0. If you are assigned exX-2, the root port should be ge-0/0/10.0.

Question: What limitation exists with the current spanning-tree implementation? What options exist that overcome this limitation?

Answer: The current spanning-tree topology offers no load balancing. The links between the EX Series switches and the srxX-2 device will not be used. This problem is a known limitation of STP and RSTP. You can use MSTP or VSTP instead of RSTP to overcome this limitation. We make use of MSTP and VSTP in subsequent lab parts.

Part 2: Configuring and Monitoring MSTP

In this lab part, you configure and monitor MSTP. You create two multiple spanning-tree instances (MSTIs): one for all VLAN IDs between 1 and 199, and a second for all VLAN IDs between 200 and 399. Once configured, you use various operational mode commands to monitor MSTP.

Step 2.1

Delete RSTP under the [edit protocols] hierarchy.

{master:0}[edit vlans]
lab@exD-1# top edit protocols

{master:0}[edit protocols]
lab@exD-1# show
rstp;
mvrp {
    interface ge-0/0/12.0;
}

{master:0}[edit protocols]
lab@exD-1# delete rstp

{master:0}[edit protocols]
lab@exD-1#

Step 2.2


Configure MSTP to include two MSTIs (MSTI 1 and MSTI 2). Associate MSTI 1 with VLAN IDs 1 through 199 and MSTI 2 with VLAN IDs 200 through 399. Name the MSTP configuration my-mstp-config. Activate the configuration using commit.

{master:0}[edit protocols]
lab@exD-1#