NOTE: Please note this Student Guide has been developed from an audio narration. Therefore it will have
conversational English. The purpose of this transcript is to help you follow the online presentation and may require
reference to it.
Slide 1
2016 Juniper Networks, Inc. All rights reserved. CONFIDENTIAL SSEX03E-ML5 www.juniper.net | 1
Slide 2
Slide 3
Navigation
Throughout this module, you will find slides with valuable detailed information. You can stop any slide with the Pause
button to study the details. You can also read the notes by using the Notes tab. You can click the Feedback link at any
time to submit suggestions or corrections directly to the Juniper Networks eLearning team.
Slide 4
Course Objectives
Slide 5
This course consists of five sections. The five main sections are as follows:
An Introduction to Using Junos OS on EX Series Switches;
Configuring and Monitoring Interfaces;
Configuring and Monitoring Switching;
Security; and
Virtual Chassis Configuration.
Slide 6
Slide 7
Section Objectives
Slide 8
Figure: a router and a switch, each running its own operating system.
Many networking companies have different software for their routers and their switches. Sometimes these are simply
different builds.
Slide 9
Router OS?
Switch OS?
Other times, these companies create different software for their very high-end routers than for their switches, which
means customers need to learn both operating systems.
Slide 10
Switching
Routing Security
The Junos OS is a reliable, high-performance network operating system for routing, switching, and security. Juniper
does produce several platform-specific builds of Junos to reduce package size by only including the parts of Junos
necessary for a particular platform.
However, it is Juniper's goal to limit the number of builds for a particular platform (often to just a single build) that
supports all the features supported by that platform.
Slide 11
In this course, we focus on EX Series switches. Juniper designed Junos for EX Series switches specifically with a
Layer 2 configuration syntax that would provide enterprises the ability to quickly configure Layer 2 features most
appropriate for the enterprise environment.
Slide 12
Junos OS Architecture
Separate Control and Forwarding Planes Provide Maximum Stability and Reliability
Figure: the control plane (Routing Engine) holds the routing protocols, Layer 2 and Layer 3 interfaces, the CLI and user access, the routing and forwarding tables, and the switching tables; the forwarding plane (Packet Forwarding Engine) holds the forwarding tables it receives from the control plane.
All devices running Junos have separate control and forwarding planes. All protocols, such as routing protocols, the
Spanning Tree Protocol (or STP), and the Link Layer Discovery Protocol (or LLDP), run on the control plane. The
control plane maintains routing and switching tables, which it uses to build forwarding tables. The forwarding plane
receives the forwarding tables from the control plane and uses those to forward traffic correctly.
When you access the Junos command-line interface (or CLI), you are accessing the control plane. On the EX Series
switches, the control plane runs on a Routing Engine, which is either integrated or removable, depending on the
model. Regardless of whether the Routing Engine is removable or integrated in the chassis, it has its own processor,
memory, and storage.
The forwarding plane is built using custom application-specific integrated circuits (or ASICs), which perform packet
switching. This separation prevents the control plane from becoming so busy forwarding traffic that it cannot keep up
with protocol traffic, or vice versa. Because of the separation of the control and forwarding planes, Junos can reliably
forward the same amount of traffic regardless of the amount of protocol traffic the Routing Engine is processing.
Slide 13
SSH
Telnet
J-Web GUI
Console Port
SNMP
Junos Space
Just like all other devices running Junos, you can manage the EX Series switch using the Junos CLI or a web
graphical user interface (or GUI).
You can access the CLI from the console port, Telnet, or SSH. You can also access the J-Web interface, which is a
web GUI, using either HTTP or HTTPS. You can also manage the device by using SNMP, the Junoscript API, the
NETCONF API, or Junos Space. The Junoscript API allows you to extend Junos with automated configuration
checking or expansion and automated maintenance commands. The wide variety of both proprietary and standards-
based network management choices make Junos quite flexible.
Slide 14
Section Summary
Slide 15
Routing
Switching
Security
Wireless
Slide 16
Slide 17
Section Objectives
Slide 18
Interface Designations (1 of 6)
Interface Names:
The type of interface is usually identified by a two-character
identifier. Examples include the following:
ge: Gigabit Ethernet interfaces
xe: 10-Gigabit Ethernet interfaces
Interface names are formed from a designation (usually two characters) that identifies the type of interface, followed
by the Flexible PIC Concentrator (FPC), PIC, and port number.
Some common interface designations include ge for Gigabit Ethernet Interfaces and xe for 10-Gigabit Ethernet
Interfaces.
Slide 19
Interface Designations (2 of 6)
Fixed Configuration Switches
FPC
Virtual Chassis
Member Number
On the fixed configuration switches, the FPC number is always 0. On switches with Virtual Chassis capability, the
Virtual Chassis member number replaces the FPC number.
Slide 20
Interface Designations (3 of 6)
The built-in ports are considered to be PIC 0. The uplink module (if installed) will be PIC 1.
Slide 21
Interface Designations (4 of 6)
ge-0/0/1
ge-0/1/2
ge-0/1/3
Chassis, module, and port numbering always starts with 0. Therefore, the first port is 0; the second port is 1, and so
on.
Slide 22
Interface Designations (5 of 6)
As an example, on a Virtual Chassis-capable switch, ge-0/1/2 identifies a Gigabit Ethernet port that is located on the
first chassis (or chassis 0), on the module in slot 1 of the chassis, and is the third Gigabit Ethernet port on that module.
Slide 23
Interface Designations (6 of 6)
For another example, let's look at a Virtual Chassis composed of EX4200-48 switches. In this case, ge-2/0/0 refers to
a Gigabit Ethernet port. That port is on the third switch in a Virtual Chassis configuration and is on the first module (or
PIC 0, the built-in ports), and is port 0 (which is the first port on the switch).
Slide 24
lo0 is the loopback interface, similar to the loopback interface in IOS. The addresses you configure on this interface
are not associated with a specific physical interface. Because these addresses will always be reachable regardless of
the state of individual interfaces, the lo0 addresses are often used for management traffic to and from the switch.
me0 in an EX Series switch is an out-of-band Ethernet interface that you can use to manage the device. The me0
interface is unlike other interfaces on the device because the device does not switch traffic between the me0 interface
and other ports on the device. It's used to communicate with the device itself.
vme is a virtual management Ethernet interface. In an EX Series Virtual Chassis system, this interface is reachable
through any of the me0 interfaces on the switches that are part of the Virtual Chassis system. This interface ensures
that you will not lose reachability with the Virtual Chassis system as long as one of the me0 interfaces is connected.
vlan interfaces in an EX Series switch allow you to configure an EX Series switch to have a routed Layer 3 interface
for a VLAN by associating the VLAN with a particular unit on the special VLAN interface. You then perform Layer 3
configuration for the VLAN on this unit.
Slide 25
Units
IOS Software:
If you want to create multiple logical units on a single
physical interface, you can use subinterfaces
Junos OS:
All physical interfaces have at least one logical interface
called a unit
If you have used Cisco IOS, you are probably familiar with the concept of subinterfaces. You use subinterfaces to
create multiple logical units on a single physical interface. For example, you can create subinterfaces for 802.1q
tagged interfaces that might require them.
The Junos OS has a similar concept, called a unit. However, in the Junos OS, all physical interfaces have at least one
logical interface.
Slide 26
Units: Layer 3
All Layer 3 configuration always occurs at the logical interface, that is, at the unit level.
Slide 27
Layer 2 configuration occurs at the physical interface level when it affects the entire interface (such as setting speed
and duplex).
Slide 28
Layer 2 configuration occurs at the logical unit level when it affects only a single logical unit (such as assigning
Ethernet switching parameters).
Slide 29
Units: Unit 0
When you configure an Ethernet interface without 802.1q tagging, it supports only a single unit. In this case, the unit
must be unit 0.
Slide 30
Units: Numbering
When using an interface that supports multiple units, you are free to choose whatever unit number you like for each
sub-interface. The special vlan interface always supports multiple units. There is no requirement that you choose unit
numbers that match VLAN numbers, although it is advisable that you do so.
When you configure multiple units for a single physical interface, each unit is treated as a completely separate logical
interface. So, it is possible, for example, to route traffic between two logical interfaces on the vlan interface.
Slide 31
Units: interface.unit
You refer to units in Junos OS as interface.unit
when entering commands
Just as you refer to IOS subinterfaces as interface.subinterface when entering commands on a Cisco device, you refer
to units in Junos as interface.unit when entering commands.
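As an added example (my own Python, not code from the Juniper course), the parser below decomposes the interface names covered in this section: physical names of the form type-FPC/PIC/port (where, on Virtual Chassis-capable switches, the FPC number is the member number and PIC 0 is the built-in ports, PIC 1 the uplink module), the special interfaces lo0, me0, vme and vlan, and the optional .unit suffix used when referring to a logical unit. `describe()` renders the reading the slides give for ge-0/1/2 and ge-2/0/0. The dataclass, function names and wording are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# type-FPC/PIC/port, optionally followed by .unit (e.g. ge-0/1/2, xe-2/0/0.0)
_PHYSICAL = re.compile(
    r"^(?P<kind>[a-z]+)-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)(?:\.(?P<unit>\d+))?$")
# interfaces with a plain index or none at all (ae0, lo0, me0, vme, vlan.100)
_INDEXED = re.compile(r"^(?P<kind>[a-z]+)(?P<index>\d*)(?:\.(?P<unit>\d+))?$")

MEDIA = {"ge": "Gigabit Ethernet", "xe": "10-Gigabit Ethernet"}
SPECIAL = {
    "ae": "aggregated Ethernet",
    "lo": "loopback",
    "me": "out-of-band management Ethernet",
    "vme": "virtual management Ethernet (Virtual Chassis)",
    "vlan": "routed VLAN interface",
}


@dataclass(frozen=True)
class JunosInterface:
    kind: str
    fpc: Optional[int] = None    # FPC slot, or Virtual Chassis member number
    pic: Optional[int] = None    # 0 = built-in ports, 1 = uplink module
    port: Optional[int] = None
    index: Optional[int] = None  # the 0 in ae0 / lo0 / me0
    unit: Optional[int] = None   # logical unit, written interface.unit


def parse_interface(name: str) -> JunosInterface:
    """Split a Junos interface name into its components; raise ValueError otherwise."""
    m = _PHYSICAL.match(name)
    if m:
        return JunosInterface(kind=m["kind"], fpc=int(m["fpc"]), pic=int(m["pic"]),
                              port=int(m["port"]),
                              unit=int(m["unit"]) if m["unit"] is not None else None)
    m = _INDEXED.match(name)
    if m and m["kind"] in SPECIAL:
        return JunosInterface(kind=m["kind"],
                              index=int(m["index"]) if m["index"] else None,
                              unit=int(m["unit"]) if m["unit"] is not None else None)
    raise ValueError(f"unrecognised interface name: {name!r}")


def _ordinal(n: int) -> str:
    """1 -> '1st', 2 -> '2nd', 3 -> '3rd', 11 -> '11th', 21 -> '21st'."""
    if 10 <= n % 100 <= 20:
        suffix = "th"
    else:
        suffix = {1: "st", 2: "nd", 3: "rd"}.get(n % 10, "th")
    return f"{n}{suffix}"


def describe(iface: JunosInterface, virtual_chassis: bool = False) -> str:
    """Render the English reading the course gives, remembering that numbering starts at 0."""
    if iface.kind in SPECIAL:
        text = SPECIAL[iface.kind] + ("" if iface.index is None else f" {iface.index}")
    else:
        slot = "Virtual Chassis member" if virtual_chassis else "FPC"
        chassis_word = "switch" if virtual_chassis else "chassis"
        where = {0: "built-in ports", 1: "uplink module"}.get(iface.pic, "module")
        text = (f"{MEDIA.get(iface.kind, iface.kind)} port {iface.port} "
                f"({_ordinal(iface.port + 1)} port) on PIC {iface.pic} ({where}) of "
                f"{slot} {iface.fpc} ({_ordinal(iface.fpc + 1)} {chassis_word})")
    if iface.unit is not None:
        text += f", logical unit {iface.unit}"
    return text


if __name__ == "__main__":
    for name in ("ge-0/1/2", "ge-2/0/0", "ge-0/0/1.0", "xe-0/1/0", "ae0", "vme", "vlan.100"):
        print(f"{name:12} -> {describe(parse_interface(name), virtual_chassis=True)}")
```

The optional `.unit` suffix is accepted on every name so that the same parser handles both the physical names from the "Interface Designations" slides and the interface.unit notation introduced here.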
Slide 32
Under the unit level, you configure Layer 2 switching parameters and Layer 3 parameters under the family stanzas.
Two types of families on EX Series switches include the ethernet-switching family and the inet family.
Slide 33
Layer 2 Ethernet switching configuration uses the ethernet-switching family. The parameters that would be
configured with interface-level switchport configuration statements in IOS are generally configured under this
address family in Junos. Configuring this address family makes a logical interface a Layer 2, switched interface.
Slide 34
IPv4 configuration uses the inet address family. The parameters that would be configured with interface-level ip
configuration statements in IOS are generally configured under this address family in Junos. Configuring this address
family makes a logical interface a Layer 3, routed interface.
Slide 35
Junos allows you to choose to configure IP addresses directly on interfaces or to configure the interface to be a switch
port that is part of a VLAN.
Slide 36
You can choose to enable processing of a type of traffic by simply configuring the address family on the unit.
For IPv4, such a configuration will cause the software to behave in the same way as an IOS router would if you
configured ip unnumbered on an interface.
Slide 37
For the ethernet-switching family, such a configuration would cause the interface to be an access port and would
cause it to belong to the default VLAN unless configured to be part of another VLAN.
Slide 38
Examples of some things you would configure under a Layer 3 address family include:
Addresses;
Stateless packet filters that apply to traffic of that address family; and
Unicast reverse-path-forwarding (or RPF) checks.
Examples of some things you would configure under the ethernet-switching family include:
Port-mode (access vs. trunk);
VLANs; and
Stateless packet filters.
Slide 39
You can assign descriptions to units as well as to main interfaces. This comes in handy especially with the VLAN
interfaces. Here you see that we have configured the special vlan interface with two units.
Slide 40
We'll give these units descriptions to help us identify them, as shown in the example on this slide. As you can see in
the sample output, a description appears in the configuration for each unit.
Slide 41
Activating Interfaces
IOS Software:
shutdown: Deactivate an interface
no shutdown: Re-activate an interface
Junos OS:
deactivate: Deactivate an interface's configuration
disable: Completely shut off a port
In IOS, you deactivate an interface with the shutdown command, and you re-activate an interface with the no
shutdown command.
In Junos, you can deactivate an interface in two ways. First, you can use the deactivate command shown earlier to
deactivate the configuration. However, that command does not actually shut the interface off; rather, it simply causes
Junos to ignore that interface's configuration. To completely shut off a port, you use the disable configuration
command.
Slide 42
Here, we disable interface ge-0/0/10. As you can see, the interface is now down.
Slide 43
Reactivating Interfaces
We delete the disable parameter on ge-0/0/10
The interface comes back up
To reactivate the interface, we delete the disable configuration parameter as shown in the example on this slide. This
is similar to using no shutdown to reactivate ports in IOS.
Slide 44
Now let's take a more detailed look at the configuration of Ethernet interfaces.
The EX Series switches come with built-in 10/100/1000 Ethernet ports. By default, these ports try to autonegotiate
speed and duplex. You can see the details of the autonegotiation using the command show interfaces extensive.
Here's a switch port that negotiated to 100 Mbps speed and full-duplex operation.
Slide 45
Here is a switch port that negotiated to 1 Gbps speed and full-duplex operation.
Slide 46
On EX Series switches, many Ethernet-specific configuration parameters are contained under the ether-options
hierarchy. You can set the speed and duplex manually using the speed and link-mode commands.
Slide 47
Changing the speed or duplex settings will change only the parameters that the switch uses when attempting
autonegotiation. It will not disable autonegotiation.
On this slide you see that the switch is still performing autonegotiation. It has autonegotiated to 100 Mbps speed and
full-duplex operation using the parameters that were configured.
Slide 48
If you look at the remote side, you can see that it has also autonegotiated to the same settings.
Slide 49
To disable autonegotiation in our example, enter the command set interfaces ge-0/0/4 ether-options
no-auto-negotiation, as shown on this slide.
Slide 50
Here are the results of your configuration. Using the first few lines of output from the show interfaces command, you
can see that autonegotiation is disabled.
Slide 51
Aggregated Ethernet (1 of 5)
Junos supports the IEEE 802.3ad link aggregation protocol. Configuring links to be part of aggregated Ethernet
interfaces requires three steps:
First, you have to tell the device to create the aggregated Ethernet interfaces.
Second, you must configure the device to associate certain physical links with the aggregated Ethernet interface.
Third, you must configure the aggregated Ethernet interface.
Slide 52
Aggregated Ethernet (2 of 5)
You tell the software to create aggregated Ethernet interfaces and allocate resources for them by setting the ethernet
device-count parameter under the [edit chassis aggregated-devices] hierarchy.
In this example, we set this parameter to 1, so the device will create one aggregated Ethernet interface.
Aggregated Ethernet interfaces are designated aeX, where X is a number. The switch creates the number of
aggregated Ethernet devices specified, beginning with ae0 and counting upwards. In this case, because we told the
switch to create only 1 interface, the switch will create interface ae0 only.
Slide 53
Aggregated Ethernet (3 of 5)
We associate interfaces ge-0/0/5 and ge-0/0/6 with the
aggregated Ethernet interface ae0 parameter under the
ether-options section of the physical interface, and view
the results
Next, you configure the switch to associate certain physical links with the aggregated Ethernet interface. You do this
by setting the 802.3ad parameter under the ether-options section of the physical interface. Here, we will associate
ge-0/0/5 and ge-0/0/6 with interface ae0.
Slide 54
Aggregated Ethernet (4 of 5)
Finally, we configure the ae0 interface itself, setting up
802.1q as a switch trunk port
Also, we'll configure the switch to run LACP in active mode
(if you choose to run LACP, at least one side needs to be
active) and commit the changes
Finally, you configure the ae0 interface itself. You can configure most anything under this interface that you could
under the constituent interfaces. Among other things, that means you can configure 802.1q trunking. We'll set this up
as a switch trunk port.
Also, we'll configure the switch to run the Link Aggregation Control Protocol (or, LACP) in active mode. (By default,
Junos does not run LACP. If you choose to run LACP, at least one side needs to be active for the link to come up.)
Unlike Cisco IOS, you configure these parameters only once, at the aggregated interface level.
Slide 55
Aggregated Ethernet (5 of 5)
So, here, with just five commands, you've created an aggregated Ethernet bundle with two constituent interfaces.
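The three steps of the aggregated Ethernet procedure, expressed as an added Python helper that is my own code, not Juniper's: it emits the set commands for one or more bundles and refuses two mistakes the course explains implicitly, referencing an aeX interface that device-count does not create (device-count 1 creates ae0 only) and binding the same physical link into two bundles. The emitted statements are the ones used on the slides (the pre-ELS EX syntax with port-mode under family ethernet-switching); the function name, its parameters and its checks are assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Sequence

LACP_MODES = (None, "active", "passive")   # None: LACP not run, which is the Junos default
PORT_MODES = ("access", "trunk")


def aggregated_ethernet_config(device_count: int, bundles: Dict[str, Sequence[str]],
                               lacp: Optional[str] = "active",
                               port_mode: str = "trunk") -> List[str]:
    """Emit the 'set' commands that build aggregated Ethernet bundles on an EX switch.

    bundles maps an aeX name to its member physical interfaces. The checks mirror what
    the course explains: device-count creates ae0 .. ae(device_count-1) and nothing
    else, and a physical link can be a member of only one bundle.
    """
    if device_count < 1:
        raise ValueError("device-count must be at least 1")
    if lacp not in LACP_MODES:
        raise ValueError("lacp must be None, 'active' or 'passive'")
    if port_mode not in PORT_MODES:
        raise ValueError(f"port-mode must be one of {PORT_MODES}")

    # step 1: allocate the aggregated Ethernet interfaces
    commands = [f"set chassis aggregated-devices ethernet device-count {device_count}"]
    owner: Dict[str, str] = {}   # physical link -> bundle that already claimed it

    for ae, members in bundles.items():
        match = re.fullmatch(r"ae(\d+)", ae)
        if match is None or int(match.group(1)) >= device_count:
            raise ValueError(f"{ae} does not exist: device-count {device_count} creates "
                             f"ae0..ae{device_count - 1} only")
        if not members:
            raise ValueError(f"{ae} has no member links")

        # step 2: associate each physical link with the bundle under its ether-options
        for link in members:
            if link in owner:
                raise ValueError(f"{link} is already a member of {owner[link]}")
            owner[link] = ae
            commands.append(f"set interfaces {link} ether-options 802.3ad {ae}")

        # step 3: configure the bundle itself, once, at the aggregated interface level
        if lacp is not None:
            commands.append(f"set interfaces {ae} aggregated-ether-options lacp {lacp}")
        commands.append(
            f"set interfaces {ae} unit 0 family ethernet-switching port-mode {port_mode}")
    return commands


if __name__ == "__main__":
    # the bundle built on the slides: ae0 with ge-0/0/5 and ge-0/0/6, LACP active, trunk
    for cmd in aggregated_ethernet_config(1, {"ae0": ["ge-0/0/5", "ge-0/0/6"]}):
        print(cmd)
```

For the slide's bundle the helper returns exactly five commands, matching the count the narration gives.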
Slide 56
Basic Commands (1 of 4)
Now let's look at monitoring interface state. Junos software provides several ways of displaying interface state. Two
basic commands are shown on screen.
These are operational mode commands, so if you want to use them in configuration mode, you must preface them
with run. The examples we use in this section are in operational mode.
Slide 57
Basic Commands (2 of 4)
You can use the show interfaces
descriptions command to get a listing of
interfaces and their configured descriptions
Only interfaces that have descriptions will be displayed
You can use the show interfaces descriptions command to get a listing of interfaces and their configured
descriptions. However, note that only interfaces that have descriptions will be displayed.
Slide 58
Basic Commands (3 of 4)
In Junos OS, show interfaces terse shows all
configured addresses of each address family on each
interface
As you've seen already in this course, you can use the show interfaces terse command to get a listing of interfaces,
their status, and their addresses. In this output, you can see that the ge-0/0/5 and ge-0/0/6 interfaces are part of the
ae0 aggregated Ethernet bundle.
In IOS, to get a listing of interface status as well as the IP address (if assigned), you would type show ip interface
brief. In Junos, show interfaces terse shows all configured addresses of each address family on each interface.
Slide 59
Basic Commands (4 of 4)
Notice that several of the interfaces in the Junos output have multiple IP addresses configured. These addresses
would not have been visible using the IOS show ip interface brief command.
In addition to information about IP addresses and interface status, this Junos command also lets you see the brief
configuration of each interface. You can also see which ports are configured as Ethernet Switch ports.
Slide 60
In the previous section, we saw two ways to view a summary of multiple interfaces. Now let's look at some ways we
can learn more about a particular interface.
In IOS, you get details about an interface by typing: show interfaces <interface-name>. In Junos, you get details
about an interface by typing the same command; however, in Junos, you can also add various switches to get more
information or less information.
Slide 61
Here is some information about a Gigabit Ethernet port displayed with the command show interfaces ge-0/0/3 brief.
As you can see, this is just a high-level summary of the interface (including its logical interfaces).
Slide 62
Here is the output from the command show interfaces ge-0/0/3. Among other things, this command shows a counter of
input and output packets for the particular units. It also shows hardware addresses and whether a switch port is
configured as an access or trunk port.
Slide 63
Here is the same interface with the command show interfaces ge-0/0/3 detail. This command allows you to see
some more detailed traffic statistics, including per-queue statistics for the physical interface and a much greater level
of statistics at the logical unit level.
Slide 64
Here is the same interface with the command show interfaces ge-0/0/3 extensive. Here, you see errors,
autonegotiation information, and detailed Layer 2 information.
Slide 65
https://virtuallabs.juniper.net/
Slide 66
Section Summary
Slide 67
Slide 68
Slide 69
Section Objectives
Slide 70
Configuring VLANs (1 of 5)
We configure VLANs under the [edit vlans]
hierarchy
By default, all ports that are configured as switch ports are members of the default VLAN, which Junos automatically
creates. You configure VLANs under the [edit vlans] hierarchy.
All you need to do is configure the name of a VLAN, and it instantly becomes a VLAN. To add a new VLAN called
example, you would simply enter the command set example.
Slide 71
Configuring VLANs (2 of 5)
Slide 72
Configuring VLANs (3 of 5)
Here we see our new VLAN and the existing VLANS we already configured.
You could now assign ports to the new VLAN, and it would begin to switch traffic between them.
Slide 73
Configuring VLANs (4 of 5)
There are also a few other options you might want to configure. If you might want to use 802.1q tags to transmit this
VLAN on a trunk port, you should assign a VLAN ID to the VLAN. In this case, let's use VLAN ID 100.
Slide 74
Configuring VLANs (5 of 5)
We enter the run show vlans command again
and see that the example VLAN now has a VLAN ID
assigned
Now enter the run show vlans command again to view a list of VLANs. As you can see, the example VLAN now has
a VLAN ID assigned.
Slide 75
Let's take a look at how you assign interfaces to a VLAN. There are two ways to statically assign ports to a VLAN.
Let's look at the phones VLAN for an example.
Here, you see that there are three interfaces assigned to the VLAN as tagged interfaces.
Slide 76
If you look at the VLAN configuration, you see a single interface assigned. This method is one way interfaces can be
statically assigned to a VLAN.
Slide 77
Another way to statically assign ports to a VLAN is to configure the VLAN membership under the [edit interfaces
interface-name unit 0 family ethernet-switching] hierarchy. The other two interfaces were assigned to this VLAN
using this method. Let's take a look at those configurations. Here is the ge-0/0/3 interface.
Slide 78
By default, when you configure family ethernet-switching on a unit, the port becomes an access port that is part of
the default VLAN. You can configure it to be a member of a different VLAN by assigning it to the VLAN under the [edit
vlans] hierarchy or under the [edit interfaces] hierarchy.
Slide 79
Let's configure three new access ports (ge-0/0/7, ge-0/0/8, and ge-0/0/9) to be members of the example VLAN. We'll
configure ge-0/0/7 under the [edit vlans] hierarchy.
Slide 80
Slide 81
We'll configure ge-0/0/8 and ge-0/0/9 to become members of the example VLAN under the [edit interfaces]
hierarchy. We can either use the VLAN ID or the VLAN name.
Slide 82
Let's review the configuration for the example VLAN and the three interfaces that are part of it before committing.
Slide 83
Slide 84
Now we'll commit the configuration. Once the configuration is committed, you can see that all the interfaces become
part of the VLAN, despite the different ways we configured them.
Slide 85
You can use these different configuration methods to assign ports to the same VLAN, or to assign a single trunk port
to multiple VLANs. Junos gives you the flexibility to configure your device in the way that best suits the requirements
of your network.
Slide 86
So far, we've covered configuring access ports only (that is, ports that are members of a single VLAN and carry all
their traffic without 802.1q VLAN tags). This is the default mode for a switch port.
You configure a port to become a trunk port (that is, a port which carries multiple VLANs via 802.1q tags) by
configuring port-mode trunk under the family ethernet-switching hierarchy on the interfaces logical unit.
Slide 87
Now, we'll configure three ports to be trunk ports, carrying the example, phones, and printers VLANs. To be consistent, we'll continue configuring them using the three different methods we used in the previous section. All three ports are currently configured as access ports in the example VLAN.
We'll start by configuring the ge-0/0/7 interface to be a member of the phones VLAN. We'll also configure that interface to be a member of the printers VLAN.
Slide 88
When we perform a commit check, you can see that Junos will not let you accidentally configure an access interface to be a member of multiple VLANs.
One of the benefits of editing a candidate configuration (rather than the active configuration, as in IOS) is the ability to catch and resolve errors like this before any of the configuration becomes active. This process allows you to resolve configuration problems before they affect network users.
Slide 89
Slide 90
Now that we have configured this interface as a trunk port, a commit check succeeds.
Slide 91
Slide 92
Now we'll do the same for ge-0/0/9. However, we'll add the extra VLANs by name.
Slide 93
Before committing, let's take a quick look at each of the interfaces we have configured.
Slide 94
After committing the configuration, you see that these interfaces are now all listed as tagged interfaces for all three VLANs (that is, trunk interfaces on which a tag is applied for that VLAN).
Slide 95
Now, let's say that you want to configure ge-0/0/9 to receive untagged frames and to process those frames as part of the default VLAN. (Configuring a trunk port to process untagged frames and treat them as part of a configured VLAN is sometimes called configuring the native VLAN.)
Slide 96
Slide 97
You see that ge-0/0/9 is listed as an untagged interface for the default VLAN. Even though it is a trunk interface, the native VLAN is transmitted and received without 802.1q tags; therefore, Junos identifies this interface as an untagged member of this VLAN. Also, you see that the other two trunk ports we configured are not members of this VLAN. In Junos, trunk ports transmit only those VLANs which they have been specifically configured to transmit. IOS defaults to trunking all VLANs on all trunk ports and having VLAN 1 as the native VLAN on all trunk ports. Junos, on the other hand, trunks only those VLANs that you configure for a particular port, and uses a native VLAN on a trunk port only if you configure it to do so; untagged frames arriving on a trunk with no native VLAN configured are discarded.
Slide 98
You can configure routed VLAN interfaces as units under the special vlan interface that was described earlier. You must do two things to enable this. First, you assign the VLAN a Layer 3 interface. While it is not necessary that you match the unit numbers and 802.1q tags, we recommend you do so for ease of administration. Here, we assign the example VLAN the Layer 3 interface vlan.100, which matches its VLAN ID of 100.
Next, we configure the actual Layer 3 interface. To make it easier to identify, we give the unit a description. Here, we configure an IP address of 192.168.100.2/24.
The vlan.100 interface is just like any other interface on the switch. You can run routing protocols on it, apply firewall filters to it, or use it just as you would any other interface on the switch.
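As an added example (not taken from the slides), here is the complete configuration that Slides 79 through 98 build up, in the curly-brace form that show displays in configuration mode. The VLAN IDs 200 and 300 for the phones and printers VLANs are assumptions, because the narration never states them; the comments are Junos annotations, which this module covers later under firewall filters. No native-vlan-id is set on the trunks on purpose: as the narration says, a Junos trunk carries only what you configure, and untagged frames arriving on these trunks are discarded.

```junos
vlans {
    example {
        vlan-id 100;
        /* Method 1: membership declared under [edit vlans] (ge-0/0/7) */
        interface {
            ge-0/0/7.0;
        }
        /* routed VLAN interface for this VLAN; unit number matches the tag */
        l3-interface vlan.100;
    }
    phones {
        /* assumed VLAN ID for the example */
        vlan-id 200;
    }
    printers {
        /* assumed VLAN ID for the example */
        vlan-id 300;
    }
}
interfaces {
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                /* example membership comes from [edit vlans] above */
                vlan {
                    members [ phones printers ];
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                /* Method 2: membership by VLAN ID */
                vlan {
                    members [ 100 200 300 ];
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                /* Method 3: membership by VLAN name */
                vlan {
                    members [ example phones printers ];
                }
            }
        }
    }
    vlan {
        unit 100 {
            description "Gateway for the example VLAN";
            family inet {
                address 192.168.100.2/24;
            }
        }
    }
}
```

Use commit check before commit, then show vlans detail and show ethernet-switching interfaces detail to confirm that ge-0/0/7.0, ge-0/0/8.0, and ge-0/0/9.0 appear as tagged members of all three VLANs and that vlan.100 is listed as the Layer 3 interface of example.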
Slide 99
You can configure a single logical interface to accept untagged packets and forward the packets within a specified VLAN. A logical interface configured to accept untagged packets is called an access interface or access port. When an untagged packet is received on an access interface, the packet is accepted, the configured VLAN ID is added to the packet, and the packet is forwarded within the VLAN that is configured with the matching VLAN ID.
On routers and switches that support the Enhanced Layer 2 Software (ELS) style of configuration, you configure an interface for access mode using the following syntax in configuration mode (this replaces the port-mode statement used in the earlier slides):
set interfaces interface-name unit logical-unit-number family ethernet-switching interface-mode access
The slide shows an example of configuring a logical interface as an access port with a VLAN ID of 20 on such a device.
Slide 100
To configure a Layer 3 interface, you must assign an IP address to the interface. You assign an address to an interface by specifying the address when configuring the protocol family. For the inet or inet6 family, configure the interface IP address.
You can configure interfaces with a 32-bit IP version 4 (IPv4) address and optionally with a destination prefix length (the equivalent of a subnet mask). An IPv4 address uses 4-octet dotted decimal syntax (for example, 192.16.1.1). An IPv4 address with a destination prefix uses the same syntax with the prefix length appended (for example, 192.16.1.1/30).
To specify an IP address for the logical unit using IPv4, use the following command syntax from configuration mode:
set interfaces interface-name unit logical-unit-number family inet address ip-address
You represent IP version 6 (IPv6) addresses in hexadecimal notation using a colon-separated list of 16-bit values. You
assign a 128-bit IPv6 address to an interface.
To specify an IP address for the logical unit using IPv6, use the following command syntax from configuration mode:
set interfaces interface-name unit logical-unit-number family inet6 address ip-address
Slide 101
IRB provides support for Layer 2 bridging and Layer 3 IP routing on the same interface. IRB enables you to route packets to another routed interface or to another VLAN that has a Layer 3 protocol configured. IRB allows the device to recognize packets that are being sent to local addresses so that they are bridged (switched) whenever possible and are routed only when necessary. Whenever packets can be switched instead of routed, several layers of processing are eliminated. An interface named irb functions as a logical router on which you can configure a Layer 3 logical interface for each VLAN; on ELS platforms it takes the place of the vlan interface used in the earlier slides. For redundancy, you can combine an IRB interface with implementations of VRRP in both bridging and virtual private LAN service (VPLS) environments.
To configure an IRB interface, first create a Layer 2 VLAN by assigning it a name and a VLAN ID, using the following command syntax in configuration mode:
set vlans vlan-name vlan-id vlan-id
Next, create an IRB logical interface with the following command syntax in configuration mode:
set interfaces irb unit logical-unit-number family inet address ip-address
Finally, associate the IRB interface with the VLAN using the following command syntax in configuration mode:
set vlans vlan-name l3-interface irb.logical-unit-number
Slide 102
Switch Ports (1 of 2)
IOS Software:
show interfaces switchport
show interfaces trunk
Junos OS:
show ethernet-switching interfaces
In Cisco's IOS, you would use the command show interfaces switchport to get information about a switch port, or show interfaces trunk to get information about trunks.
With Junos, you use the command show ethernet-switching interfaces to get similar information. Like the Cisco IOS commands, you can either specify an interface or, if you don't specify one, the software displays information on all interfaces.
Slide 103
Switch Ports (2 of 2)
You can use the command show ethernet-switching interfaces to get information on the ge-0/0/3.0 interface
If we add the detail flag, we see whether the VLAN is transmitted with an 802.1q tag
Here, we use the command to get information on the ge-0/0/3.0 interface. When we add the detail flag, we can see whether the VLAN is transmitted with an 802.1q tag.
Slide 104
VLANs (1 of 6)
IOS Software:
show vlan
show vlan id
Junos OS:
show vlans
VLANs: Part 1
In Cisco's IOS, you monitor VLANs with the show vlan command. As we've already seen, you monitor VLANs in Junos with the show vlans command.
Slide 105
VLANs (2 of 6)
VLANs: Part 2
The IOS command will show you a listing of all VLANs; however, the listing of ports does not include trunk ports. To
see trunk ports, you need to use the show vlan id command.
Slide 106
VLANs (3 of 6)
VLANs: Part 3
Look how several extra ports suddenly show up in the VLAN 2 listing when we use the show vlan id 2 command.
These different outputs can cause confusion and cost precious minutes in troubleshooting.
Slide 107
VLANs (4 of 6)
VLANs: Part 4
Junos, on the other hand, gives you summary information with the show vlans command.
Here, you see several pieces of key information: a list of the VLANs, the assigned 802.1q VLAN tag for each VLAN, a listing of interfaces, and an indication of whether they are up or down.
Slide 108
VLANs (5 of 6)
Here we use the detail switch:
VLANs: Part 5
To get more information about a VLAN, you can use the detail and extensive switches. As you can see here, the
detail switch gives you the configured VLAN description (if any), the primary IP address for the associated Layer 3
interfaces (if one is configured), the total number of ports configured to be part of the VLAN, and the total number of
those ports that are active. In addition to displaying a listing of interfaces and an indication of whether they are up or
down, the detail switch also lets you know whether the interfaces are tagged or untagged.
Slide 109
VLANs (6 of 6)
Here we use the extensive switch:
VLANs: Part 6
The extensive switch lists the origin of the VLAN (whether it was static or created through the GARP VLAN
Registration Protocol [or GVRP]), the time the VLAN was created, the associated Layer 3 interface, and an indication
of whether each interface is a trunk or access port.
As you can see, Junos never presents a partial listing of member interfaces.
Slide 110
MAC Tables (1 of 2)
In the Junos OS, you view the MAC address table with the show ethernet-switching table command
In Cisco's IOS, you view the MAC address table with the show mac-address-table command. In Junos, you view the MAC address table with the show ethernet-switching table command.
Of course, you can also use the detail and extensive arguments to get more information.
Slide 111
MAC Tables (2 of 2)
Junos also has a feature to allow you to see a log of recent MAC address table changes. This feature allows you to
quickly track down some types of Layer 2 problems.
Slide 112
https://virtuallabs.juniper.net/
Slide 113
Section Summary
Slide 114
Slide 115
Security
Slide 116
Section Objectives
Slide 117
Security Overview (1 of 2)
IOS Software:
Junos OS:
Next, let's take a look at security. In Cisco's IOS, you configure access control lists with either numbers or names. Numbered access control lists have numbers that indicate the type of access control list (standard or extended) and address family. Named access control lists also contain these indications.
The Junos equivalent to IOS's access list is a firewall filter. As in IOS, you configure Junos firewall filters per address family, and there are different match options for each address family. Like IOS's access lists, Junos firewall filters can be applied in either the inbound or outbound direction on an interface.
Slide 118
Security Overview (2 of 2)
Remember:
Firewall filters are not stateful firewall rules, but stateless
packet filters just like IOSs access lists
Don't let the name firewall filter confuse you. Firewall filters are not stateful firewall rules, but stateless packet filters just like IOS's access lists: each packet is evaluated on its own, so return traffic must be permitted explicitly.
On switch ports and VLANs, you can filter traffic at Layer 2 or Layer 3, whether or not there is a Layer 3 interface associated with the VLAN.
Slide 119
Terms (1 of 3)
Terms: Part 1
Like IOS, the Junos OS evaluates firewall-filter entries sequentially. In IOS, each entry is contained on a line, which
specifies match conditions along with the action to take. In Junos, each match-action pair is called a term. A term
comprises one or more match conditions, which must all be met for a match to occur, along with one or more action
conditions. These terms are then strung together to form a firewall filter.
Slide 120
Terms (2 of 3)
Terms: Part 2
In IOS, the default action is to deny packets that reach the end of the access list without matching an entry in it. Junos has a similar default behavior: packets that do not match any term in a firewall filter are discarded. When a packet is discarded, the device drops it silently, without sending an error back to the sender.
Slide 121
Terms (3 of 3)
IOS Software:
Junos OS:
Terms: Part 3
Let's take a very simple example: block all IPv4 traffic from 192.168.0.0/24 and accept everything else. In IOS, you would use the following syntax.
An equivalent Junos configuration would look like this. You'll notice a few things. First, all stateless packet filters are configured under the firewall hierarchy. That hierarchy contains a separate section for filters for each address family.
Slide 122
Policies
Policies
So, IPv4 firewall filters are configured under the [edit firewall family inet] hierarchy, while filters you apply to Layer 2
interfaces or VLANs are configured under the [edit firewall family ethernet-switching] hierarchy. Dont let the
names confuse you; you can match on Layer 3 information in filters you define under the ethernet-switching family,
in addition to MAC addresses, 802.1q tags or priorities, Ethernet Type values, and VLANs. Junos is flexible enough to
allow you to combine multiple types of rules in a single firewall filter, or even combine Layer 2 and Layer 3 match
criteria in a single term. In IOS, you would need to put the Layer 3 match conditions in an IP access list and the Layer
2 match conditions in a MAC access list.
Slide 123
Terms (1 of 9)
IOS Software:
Junos OS:
Terms: Part 1
You'll also notice that firewall filters in Junos always have names. In this case, we called the firewall filter sample-filter.
Filters are composed of terms. Each term is analogous to a line from a Cisco access list, and the device processes them sequentially, just as a device running Cisco IOS would process each line of an access list sequentially.
Within a term, there are from clauses, which describe match conditions, and then clauses, which describe action conditions.
You can specify multiple match conditions and multiple action conditions in each term. Junos processes each term sequentially until it finds a match. You can see that the term accept-all does not have any match conditions. If you do not specify any match conditions for a term, all packets match the term, so such a catch-all term must come last.
Slide 124
Terms (2 of 9)
Terms: Part 2
We will now add a few more addresses. To add two more prefixes to the block-bad-subnet term, first enter the show
command.
Slide 125
Terms (3 of 9)
We enter the command edit filter sample-filter term block-bad-subnet from
We then annotate the term for additional documentation
Terms: Part 3
Now enter the command edit filter sample-filter term block-bad-subnet from.
Slide 126
Terms (4 of 9)
Terms: Part 4
Slide 127
Terms (5 of 9)
Terms: Part 5
Slide 128
Terms (6 of 9)
Terms: Part 6
Term names and filter names provide you with an excellent way to document the purpose of each filter and term. However, you can also use the Junos annotate feature to provide additional documentation.
Here, we're adding comments to the source addresses using the annotate command.
Slide 129
Terms (7 of 9)
Terms: Part 7
The software will store these comments in the configuration with the associated configuration elements for easy
reference. Here are the results.
Slide 130
Terms (8 of 9)
Terms: Part 8
You've probably noticed that Junos uses normal network masks, rather than Cisco's wildcard masks. For many applications, this makes configuring network masks much easier. However, IOS's wildcard masks do provide a great deal of flexibility when that's needed, by allowing you to match on non-contiguous bit masks. That's why Junos also supports non-contiguous bit masks.
Slide 131
Terms (9 of 9)
IOS Software:
Junos OS:
Terms: Part 9
For example, assume you have the 192.168.0.0/16 network broken into 24-bit subnets and you have other routers using the first address of each subnet. You want to write an access list that blocks Telnet and SSH traffic to these router addresses, yet allows all other traffic. In IOS, you would write an access list like this.
In Junos, this same access list looks like this. Notice that the destination address mask is still a standard network mask in dotted-decimal notation (it isn't inverted like a wildcard mask) but is still non-contiguous. As in any standard network mask, a 1 bit specifies that the corresponding address bit must exactly match the pattern, while a 0 bit specifies that it does not need to match.
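Gathering Slides 121 through 131 into one place, here is sample-filter as an added example (not the slide content), with the extra source prefixes, the annotations, a counter, and the non-contiguous-mask term, followed by its application to the vlan.100 interface from Slide 98. The two additional prefixes and the counter name are constructed for this example. The non-contiguous mask is written as address/dotted-mask to match the narration's description of the slide; confirm it with commit check on your release before relying on it.

```junos
firewall {
    family inet {
        filter sample-filter {
            term block-bad-subnet {
                from {
                    source-address {
                        /* original bad subnet from Slide 121 */
                        192.168.0.0/24;
                        /* additional prefixes constructed for this example */
                        10.99.0.0/24;
                        172.16.99.0/24;
                    }
                }
                then {
                    /* count before discarding so the drops are visible in show firewall */
                    count bad-subnet-drops;
                    discard;
                }
            }
            term block-mgmt-to-router-addresses {
                from {
                    destination-address {
                        /* non-contiguous mask: the .1 host of every /24 inside 192.168.0.0/16 */
                        192.168.0.1/255.255.0.255;
                    }
                    protocol tcp;
                    destination-port [ telnet ssh ];
                }
                then discard;
            }
            /* no from clause: matches everything the earlier terms did not */
            term accept-all {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 100 {
            family inet {
                /* stateless filter applied to traffic entering the switch on vlan.100 */
                filter {
                    input sample-filter;
                }
            }
        }
    }
}
```

Terms are evaluated top to bottom, so the catch-all accept-all term must stay last; remove it and the filter's implicit discard would drop everything the first two terms do not match. show firewall displays the bad-subnet-drops counter, which is the quickest way to confirm the filter is actually seeing traffic.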
Slide 132
Performance
IOS Software:
IOS software traditionally processes each packet through each line of an access list in order
Network engineers may work to optimize the list to try to improve performance
IOS software supports compiled access lists on some platforms, but not others
Junos OS:
Junos firewall filters are always compiled
Junos OS software performs line-rate packet filtering with an optimized and efficient match
Network engineers don't need to spend time trying to optimize filters
Performance
Cisco's IOS traditionally processes each packet through each line of an access list in order until it reaches a match. To reduce the processing load on devices running Cisco IOS, network engineers have traditionally tried to optimize the access list as much as possible to ensure that packets match as early as possible. Cisco alleviated this concern by enabling network engineers to activate compiled access lists, which are supported on at least some platforms. Unlike IOS, Junos always compiles firewall filters. This design allows the Juniper Networks hardware to perform line-rate packet filtering with an optimized and efficient match, so network engineers do not need to worry about ordering Junos firewall filters for efficiency; the software does that automatically. (Ordering still matters for correctness, because terms are evaluated in sequence and the first matching term decides the action.)
Slide 133
Changes (1 of 9)
Changes: Part 1
Making changes to IOS access lists can present a few problems. First, to insert a new line in the middle of an access
list, you must delete the whole access list and insert a new access list. This process is most efficiently done by
copying the old access list to a text editor, making the change, and then pasting in the new access list.
Slide 134
Changes (2 of 9)
Changes: Part 2
Starting with our complex example, let's say we want to add an additional SNMP server. In an IOS access list, we would need to add four lines in four different places.
Slide 135
Changes (3 of 9)
Changes: Part 3
But, what if there is a typo? Well, then you could end up with an incomplete access list.
Slide 136
Changes (4 of 9)
Changes: Part 4
Second, when you delete and re-paste an existing access list, IOS begins using the new access list as you enter each line. And, like all access lists, there is an implicit deny ip any any line at the end. So, as soon as you remove the access list, the device begins allowing all traffic (not very secure!). Then, as soon as you enter the first line, it begins dropping all traffic that doesn't match the first line, which likely means you're denying legitimate traffic (not very good for end-user satisfaction!). Worse yet, if you're accessing the device over a link using the access list, you could end up blocking your own communication with the device!
Slide 137
Changes (5 of 9)
Changes: Part 5
The Junos configuration editing process has a much better solution. In Junos, you edit the candidate configuration. Once you're done, you commit your changes, and Junos transitions from using the old firewall filter to the new firewall filter.
Slide 138
Changes (6 of 9)
Changes: Part 6
Every packet is processed by the complete firewall filter. Junos doesn't process packets through a partial firewall filter during the commit process; rather, it keeps using the old firewall filter until the entire new firewall filter is compiled and downloaded to the hardware. It then begins using the new firewall filter.
Slide 139
Changes (7 of 9)
Changes: Part 7
Adding another SNMP server in our Junos example is a simpler and more stable process than what we saw in the IOS example. Starting from the configuration shown on screen, we want to add our new SNMP server to the more-complex-example filter as a destination address for both the allow-snmp and block-snmp terms.
Slide 140
Changes (8 of 9)
Changes: Part 8
Here are the commands we use to add the server to those two firewall terms.
Slide 141
Changes (9 of 9)
Changes: Part 9
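Here is the change workflow from Slides 137 through 141 as an added example CLI session (not the slide transcript). The SNMP server address 10.20.30.40 is constructed; the filter and term names are the ones the narration uses. Lines beginning with # are commentary, not commands.

```junos
[edit]
user@switch# edit firewall family inet filter more-complex-example

[edit firewall family inet filter more-complex-example]
user@switch# set term allow-snmp from destination-address 10.20.30.40/32
user@switch# set term block-snmp from destination-address 10.20.30.40/32

# Review exactly what differs between the candidate and the active configuration
user@switch# top show | compare

# Parse and validate the whole candidate; nothing is active yet
user@switch# top commit check

# Activate the new filter atomically, but roll back automatically after
# 5 minutes unless a plain commit confirms it. This protects you if the
# change cuts off the very path you are managing the switch over.
user@switch# top commit confirmed 5 comment "add SNMP server 10.20.30.40"

# Management access still works, so make the change permanent
user@switch# top commit
```

Until the final commit, the old filter stays in force and the packet-forwarding hardware never sees a half-built filter, which is the property Slide 138 describes; commit confirmed adds the recovery path that the IOS delete-and-repaste procedure lacks.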
Slide 142
IOS Software:
Like IOS, you can apply firewall filters on any Layer 3 interface in either the inbound or the outbound direction.
Slide 143
Junos OS:
You can apply firewall filters in the inbound direction on any switch port.
Slide 144
IOS Software:
Slide 145
Junos OS:
Slide 146
IOS Software:
In IOS, you can apply firewall filters that apply to an entire VLAN using the vlan access-map command. Similar to the
IOS concept of a route-map, a vlan access-map has various terms that match packets using ACLs. Packets that are
permitted by the ACL then have the action specified in the vlan access-map applied to them. This can be confusing
when the ACL action is permit, but the vlan access-map action is drop, becausein that casetraffic that is
permitted by an ACL will actually be dropped.
Slide 147
Junos OS:
In the Junos software, you can apply firewall filters in either the inbound or outbound direction for an entire VLAN. You
simply specify a normal firewall filter and the Junos software processes traffic through the firewall filter in the direction
you specify.
Slide 148
There are many other security features found in Junos that run on the EX Series switches. You can perform 802.1X authentication, for example, even assigning different computers on the same port to different VLANs. You can also limit the number of MAC address moves and perform DHCP snooping (inspection). You can also use firewall filters and 802.1X authentication to assign class of service (CoS) parameters for traffic.
Slide 149
https://virtuallabs.juniper.net/
Slide 150
Section Summary
Slide 151
Slide 152
Slide 153
Section Objectives
Slide 154
Simply put, a Virtual Chassis system is a collection of interconnected EX Series switches that are managed as a single switch. A Virtual Chassis system can consist of up to 10 Virtual Chassis-compatible EX Series switches, depending on the model. Check the latest documentation to find out how many switches of a particular model can participate in a Virtual Chassis, and which models can be combined in the same Virtual Chassis.
Virtual Chassis switches work together to provide higher port density while still being managed as a single switch.
Slide 155
You can connect EX switches together to form a Virtual Chassis system, which you then can manage as a single
device.
In a Virtual Chassis configuration, one of the member switches is elected as the master switch and a second member
switch is chosen to become the backup switch. This facilitates control plane redundancy and is a requirement in many
environments.
The Virtual Chassis system allows expansion flexibility. You can start with a single Virtual Chassis capable EX Series
switch and then expand into a Virtual Chassis of up to ten switches (depending on the model used). Also, the ability to
grow and expand within and across wiring closets is a key advantage of Virtual Chassis in many environments.
Slide 156
Recommended process:
1. Install the desired master switch: power it up on its own; it becomes master and obtains member ID 0. Assign it mastership priority 255.
Diagram labels: Master (Active RE), member 0; Backup (Backup RE), member 1; Linecard.
The next two slides depict the proper installation process for installing the Virtual Chassis. This slide depicts the
installation of the master switch, which gets a member ID of 0 and a priority of 255. Then the desired backup switch is
selected, receiving a member ID of 1 and a priority of 254.
Slide 157
A third switch is powered up. This switch becomes the first line card member and is assigned a member ID of 2. Additional line card switches are added in the same manner, receiving sequential member IDs (3, 4, and so on).
There is more than one way to do the installation of a Virtual Chassis. However, this is the recommended out-of-box
process for performing the installation.
Slide 158
Connectivity
Connectivity
The management Ethernet ports on the individual member switches are automatically associated with a management VLAN. This management VLAN uses a Layer 3 virtual management interface that facilitates communication through the Virtual Chassis system to the master switch even if the master switch's management Ethernet port is inaccessible.
When you set up the master switch, you specify an IP address for the virtual management Ethernet interface (vme). This single IP address allows you to configure and monitor all members of the Virtual Chassis system remotely through Telnet or SSH (prefer SSH; Telnet sends login credentials in cleartext).
All member switches participating in a Virtual Chassis system run virtual console software. This software redirects all console connections to the master switch.
Slide 159
The master switch manages all switches participating in the Virtual Chassis system.
We highly recommend that all changes made on the master switch be replicated to the backup switch by using the
commit synchronize command.
The backup switch maintains a state of readiness to take over as master should the active master fail.
A line card switch (that is, any member other than the master or backup) programs its own local hardware. It does not
run the chassis management process or control protocols. A line card switch is responsible only for its local interfaces
within a chassis.
Slide 160
Mastership Election
Mastership determination:
1. Member with the highest user-configured priority
Priority range is 1 through 255; the factory-default value is 128 (configured at the [edit virtual-chassis] hierarchy)
2. Member previously functioning as master prior to reboot
3. Member with the longest-standing uptime
Difference must be greater than 1 minute
4. Member with the lowest MAC address
Used as the tie breaker if all members are equal through the first three determination points
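The four rules above, carried out in order, as an added example written for this page (not code from the Juniper course): the Member fields, the 60-second window as the reading of "difference must be greater than 1 minute", the constructed MAC addresses, and the recommended_install() fixture modelling the three-member set from slides 156 and 157 are all assumptions.

```python
from dataclasses import dataclass

DEFAULT_PRIORITY = 128      # factory-default mastership priority
UPTIME_TIE_WINDOW_S = 60    # an uptime lead of one minute or less does not decide

@dataclass(frozen=True)
class Member:
    member_id: int
    mac: str                    # constructed value, e.g. "00:1f:12:aa:bb:00"
    priority: int = DEFAULT_PRIORITY
    uptime_s: int = 0           # seconds since the member booted
    was_master: bool = False    # held the master role before the reboot

def mac_to_int(mac: str) -> int:
    """Parse a colon- or dash-separated MAC so addresses compare numerically."""
    value = int(mac.replace(":", "").replace("-", ""), 16)
    if value.bit_length() > 48:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return value

def elect_master(members) -> Member:
    """Apply the four ordered rules and return the member that wins mastership."""
    candidates = list(members)
    if not candidates:
        raise ValueError("no members present")
    for m in candidates:
        if not 1 <= m.priority <= 255:
            raise ValueError(f"member {m.member_id}: priority {m.priority} outside 1-255")
    # 1. highest user-configured priority
    top = max(m.priority for m in candidates)
    candidates = [m for m in candidates if m.priority == top]
    # 2. the member that was master before the reboot, if it is still in the running
    if len(candidates) > 1 and any(m.was_master for m in candidates):
        candidates = [m for m in candidates if m.was_master]
    # 3. longest uptime, but only a lead of more than one minute counts (assumption)
    if len(candidates) > 1:
        longest = max(m.uptime_s for m in candidates)
        candidates = [m for m in candidates
                      if longest - m.uptime_s <= UPTIME_TIE_WINDOW_S]
    # 4. lowest MAC address breaks any remaining tie
    return min(candidates, key=lambda m: mac_to_int(m.mac))

def recommended_install() -> list:
    """Constructed three-member set built the way the installation slides describe."""
    return [Member(0, "00:1f:12:aa:bb:00", priority=255),
            Member(1, "00:1f:12:aa:bb:01", priority=254),
            Member(2, "00:1f:12:aa:bb:02")]

if __name__ == "__main__":
    winner = elect_master(recommended_install())
    print(f"master: member {winner.member_id} (priority {winner.priority})")
```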
Slide 161
Slide 162
Member ID Assignment
The master switch typically assumes a member ID of 0 because it is the first switch powered on. When the remaining
switches are interconnected and powered on, the master switch assigns each of them a member ID from 1 through 9,
making the complete member ID range 0-9. The master assigns member IDs in the sequence in which the switches
were added to the Virtual Chassis system. The member ID associated with each member switch is preserved across
reboots for the sake of consistency. This preservation is helpful because the member ID is also a key reference point
when naming individual interfaces: it serves the same purpose as a slot number when configuring interfaces. Although
the member ID is initially assigned by the master switch, you can change member ID values by using the CLI.
For example, the operational mode command to change a member ID from 0 to 8 would be: request virtual-chassis
renumber member-id 0 new-member-id 8.
Slide 163
Topology Discovery (1 of 3)
All switches participating in the Virtual Chassis system use the Virtual Chassis Control Protocol (VCCP) to exchange
LSA-based messages between all interconnected PFEs within a Virtual Chassis system. Based on these LSA-based
messages, each PFE builds a member switch topology in addition to a PFE topology map. These topology maps are
used when determining the best paths between individual PFEs.
Once the PFE topology map is built, the individual switches run a shortest path algorithm for each PFE. This algorithm
is based on hop count and bandwidth. The result is a map table for each PFE that outlines the shortest path to all
other PFEs within the Virtual Chassis system. In the event of failure, a new shortest path first (SPF) calculation is
performed.
To prevent loops, each switch creates a unique source ID egress filter table on each PFE.
Slide 164
Topology Discovery (2 of 3)
Slide graphic: physical cabling of members a through i with Virtual Chassis Backplane Cables, and the resulting logical ring on the Virtual Chassis Backplane.
This slide depicts a visual example of the physical cabling and logical ring topology of a Virtual Chassis system.
Slide 165
Topology Discovery (3 of 3)
Slide graphic: the Logical Virtual Chassis Ring Topology (members a through i) on the Virtual Chassis Backplane, and the PFE-rooted reachability SPF tree built from it.
Using the SPF algorithm, each PFE builds its own shortest path tree to all other PFEs based upon hop count and
bandwidth. This process is automatic and is not configurable.
Slide 166
As packets flow from one physical chassis to another through a Virtual Chassis system, they always take the shortest
path. This is based upon a combination of hop count and bandwidth. Based upon physical topology, the shortest path
is always selected from switch to switch in the Virtual Chassis system.
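Topology discovery and the shortest-path selection described in the last three slides, as an added illustration that is not part of the course material: Dijkstra over the nine-member ring from the slide graphic, with an assumed path metric of fewer hops first and, among equal hop counts, the path whose narrowest link is widest; the link bandwidths are constructed values, and after_failure() models the recalculation the text says follows a failure.

```python
import heapq

# Constructed example: the nine-member ring from the slide (PFEs a through i).
# Each Virtual Chassis backplane link carries an assumed bandwidth in Gbps.
RING_LINKS = [("a", "b", 32), ("b", "c", 32), ("c", "d", 32), ("d", "e", 32),
              ("e", "f", 32), ("f", "g", 32), ("g", "h", 32), ("h", "i", 32),
              ("i", "a", 32)]

def build_adjacency(links):
    """Undirected adjacency map: pfe -> [(neighbour, link_bw)]."""
    adj = {}
    for u, v, bw in links:
        adj.setdefault(u, []).append((v, bw))
        adj.setdefault(v, []).append((u, bw))
    return adj

def spf_tree(links, root):
    """Shortest-path tree rooted at one PFE (Dijkstra).
    Assumed metric: fewer hops win; among equal hop counts the path whose
    narrowest (bottleneck) link is widest wins.
    Returns {pfe: (hops, bottleneck_bw, first_hop_from_root)}."""
    adj = build_adjacency(links)
    best = {root: (0, float("inf"), None)}
    heap = [((0, -float("inf")), root, None)]   # cost = (hops, -bottleneck)
    while heap:
        (hops, neg_bw), node, first_hop = heapq.heappop(heap)
        if (hops, -neg_bw) != best[node][:2]:
            continue                     # stale entry; a better path was settled
        for nbr, link_bw in adj.get(node, []):
            cost = (hops + 1, -min(-neg_bw, link_bw))
            via = nbr if node == root else first_hop
            cur = best.get(nbr)
            if cur is None or cost < (cur[0], -cur[1]):
                best[nbr] = (cost[0], -cost[1], via)
                heapq.heappush(heap, (cost, nbr, via))
    return best

def after_failure(links, u, v):
    """Drop one backplane link so the SPF run after a failure can be compared."""
    return [l for l in links if {l[0], l[1]} != {u, v}]

if __name__ == "__main__":
    for pfe, (hops, bw, via) in sorted(spf_tree(RING_LINKS, "a").items()):
        print(f"a -> {pfe}: {hops} hops via {via}, bottleneck {bw} Gbps")
```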
Slide 167
Operational Monitoring
Key operational commands:
Use show chassis hardware to view installed hardware and inventory details for the Virtual Chassis system
Use show virtual-chassis status to verify the status and role of individual members within the Virtual Chassis system
Use show virtual-chassis active-topology to view active topology details within the Virtual Chassis system
Use show virtual-chassis vc-port to view VCP status and associated details
Use show virtual-chassis member-config to view the Virtual Chassis configuration for individual members
Use show virtual-chassis protocol commands to view interchassis communication details and status
This slide displays some of the key operational mode commands along with a short description of the content each
command displays.
Slide 168
https://virtuallabs.juniper.net/
Slide 169
Section Summary
Slide 170
Slide 171
Course Summary
Slide 172
Additional Resources
For additional resources or to contact the Juniper Networks eLearning team, click the links on the screen.
Slide 173
You have reached the end of this Juniper Networks eLearning module. You should now return to your Juniper
Learning Center to take the assessment and the student survey. After successfully completing the assessment, you
will earn credits that will be recognized through certificates and non-monetary rewards. The survey will allow you to
give feedback on the quality and usefulness of the course.
Slide 174
All rights reserved. JUNIPER NETWORKS, the Juniper Networks logo, JUNOS, QFABRIC, NETSCREEN, and
SCREENOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective
owners. Juniper Networks reserves the right to change, modify, transfer or otherwise revise this publication without
notice.
Slide 175
CONFIDENTIAL
Corporate and Sales Headquarters: Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA. Phone: 888.JUNIPER (888.586.4737) or 408.745.2000. Fax: 408.745.2100. www.juniper.net
APAC Headquarters: Juniper Networks (Hong Kong), 26/F, Cityplaza One, 1111 Kings Road, Taikoo Shing, Hong Kong. Phone: 852.2332.3636. Fax: 852.2574.7803
EMEA Headquarters: Juniper Networks Ireland, Airside Business Park, Swords, County Dublin, Ireland. Phone: 35.31.8903.600. Fax: 35.31.8903.601. EMEA Sales: 00800.4586.4737
Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.