AJEX_10.b-R_LGD
8/15/2019 AJEX_10.b-R_LGD
1194 North Mathilda Avenue
Sunnyvale, CA 94089USA
408-745-2000
www.juniper.net
Worldwide Education Services
Advanced Junos Enterprise
Switching
10.b
Detailed Lab Guide
Course Number: EDU-JUN-AJEX
Contents

Lab 1: Advanced Ethernet Switching (Detailed) . . . . 1-1
Part 1: Logging In Using the CLI . . . . 1-2
Part 2: Configuring and Monitoring Filter-Based VLAN Assignments . . . . 1-3
Part 3: Configuring and Monitoring a PVLAN . . . . 1-8
Part 4: Configuring and Monitoring MVRP . . . . 1-13
Part 5: Configuring and Monitoring Q-in-Q Tunneling . . . . 1-16

Lab 2: Implementing MSTP and VSTP (Detailed) . . . . 2-1
Part 1: Modifying the Existing Configuration . . . . 2-2
Part 2: Configuring and Monitoring MSTP . . . . 2-4
Part 3: Configuring and Monitoring VSTP . . . . 2-12

Lab 3: Authentication and Access Control (Detailed) . . . . 3-1
Part 1: Modifying the Existing Configuration . . . . 3-2
Part 2: Configuring 802.1X . . . . 3-5
Part 3: Configuring and Monitoring Other Access and Authentication Features . . . . 3-12

Lab 4: Deploying IP Telephony Features (Detailed) . . . . 4-1
Part 1: Modifying the Existing Configurations . . . . 4-2
Part 2: Configuring and Monitoring PoE . . . . 4-3
Part 3: Configuring and Monitoring LLDP and LLDP-MED . . . . 4-7
Part 4: Configuring and Monitoring the Voice VLAN Feature . . . . 4-13

Lab 5: Class of Service (Detailed) . . . . 5-1
Part 1: Exploring the Default CoS Configuration . . . . 5-2
Part 2: Configuring and Monitoring CoS Components . . . . 5-8
Part 3: Implementing CoS Using the EZQoS Template . . . . 5-20

Lab 6: Monitoring and Troubleshooting Layer 2 Networks (Detailed) . . . . 6-1
Part 1: Modifying the Existing Configurations . . . . 6-2
Part 2: Determining Success . . . . 6-3
Part 3: Verifying Hardware Components and System Processes . . . . 6-4
Part 4: Verifying Ethernet Switching, MSTP, and Aggregate Ethernet Interfaces . . . . 6-10
Part 5: Configuring Port Mirroring and sFlow . . . . 6-31

Appendix A: Lab Diagrams . . . . A-1
Course Overview

This two-day course provides detailed coverage of virtual LAN (VLAN) operations, Multiple Spanning Tree Protocol (MSTP) and VLAN Spanning Tree Protocol (VSTP), authentication and access control for Layer 2 networks, IP telephony features, class of service (CoS), and the monitoring and troubleshooting tools and features supported on the EX Series Ethernet Switches. Through demonstrations and hands-on labs, students will gain experience in configuring and monitoring the Junos operating system and in monitoring device and protocol operations.

Objectives

After successfully completing this course, you should be able to:
• Implement filter-based VLAN assignments.
• Restrict traffic flow within a VLAN.
• Manage dynamic VLAN registration.
• Tunnel Layer 2 traffic through Ethernet networks.
• Review the purpose and operations of a spanning tree.
• Implement multiple spanning tree instances in a network.
• Implement one or more spanning tree instances for a VLAN.
• List the benefits of implementing end-user authentication.
• Explain the operations of various access control features.
• Configure and monitor various access control features.
• Describe processing considerations when multiple authentication and access control features are enabled.
• Describe some common IP telephony deployment scenarios.
• Describe features that facilitate IP telephony deployments.
• Configure and monitor features used in IP telephony deployments.
• Explain the purpose and basic operations of class of service.
• Describe class of service features used in Layer 2 networks.
• Configure and monitor class of service in a Layer 2 network.
• Describe a basic troubleshooting method.
• List common issues that disrupt network operations.
• Identify tools used in network troubleshooting.
• Use available tools to resolve network issues.

Intended Audience

This course benefits individuals responsible for configuring and monitoring EX Series switches.

Course Level

Advanced Junos Enterprise Switching is an advanced-level course.

Prerequisites

Students should have an intermediate level of networking knowledge and an understanding of the Open Systems Interconnection (OSI) reference model and the TCP/IP protocol suite. Students should also attend the Introduction to the Junos Operating System (IJOS), the Junos Routing Essentials (JRE), and the Junos Enterprise Switching (JEX) courses prior to attending this class.
Course Agenda

Day 1
Chapter 1: Course Introduction
Chapter 2: Advanced Ethernet Switching
Lab 1: Advanced Ethernet Switching (Detailed)
Chapter 3: Advanced Spanning Tree
Lab 2: Implementing MSTP and VSTP (Detailed)
Chapter 4: Authentication and Access Control
Lab 3: Authentication and Access Control (Detailed)

Day 2
Chapter 5: Deploying IP Telephony Features
Lab 4: Deploying IP Telephony Features (Detailed)
Chapter 6: Class of Service
Lab 5: Class of Service (Detailed)
Chapter 7: Monitoring and Troubleshooting
Lab 6: Monitoring and Troubleshooting Layer 2 Networks (Detailed)
Document Conventions

CLI and GUI Text

Frequently throughout this course, we refer to text that appears in a command-line interface (CLI) or a graphical user interface (GUI). To make the language of these documents easier to read, we distinguish GUI and CLI text from chapter text according to the following table.

Input Text Versus Output Text

You will also frequently see cases where you must enter input text yourself. Often these instances will be shown in the context of where you must enter them. We use bold style to distinguish text that is input versus text that is simply displayed.

Defined and Undefined Syntax Variables

Finally, this course distinguishes between regular text and syntax variables, and it also distinguishes between syntax variables where the value is already assigned (defined variables) and syntax variables where you must assign the value (undefined variables). Note that these styles can be combined with the input style as well.

Style: Franklin Gothic
  Description: Normal text.
  Usage Example: Most of what you read in the Lab Guide and Student Guide.

Style: Courier New
  Description: Console text (screen captures, noncommand-related syntax) and GUI text elements (menu names, text field entry).
  Usage Example:
    commit complete
    Exiting configuration mode
    Select File > Open, and then click Configuration.conf in the Filename text box.

Style: Normal CLI / Normal GUI
  Description: No distinguishing variant.
  Usage Example:
    Physical interface: fxp0, Enabled
    View configuration history by clicking Configuration > History.

Style: CLI Input / GUI Input
  Description: Text that you must enter.
  Usage Example:
    lab@San_Jose> show route
    Select File > Save, and type config.ini in the Filename field.

Style: CLI Variable / GUI Variable
  Description: Text where the variable value is already assigned.
  Usage Example:
    policy my-peers
    Click my-peers in the dialog.

Style: CLI Undefined / GUI Undefined
  Description: Text where the variable's value is at the user's discretion, or text where the variable's value as shown in the lab guide might differ from the value the user must input according to the lab topology.
  Usage Example:
    Type set policy policy-name.
    ping 10.0.x.y
    Select File > Save, and type filename in the Filename field.
Additional Information

Education Services Offerings

You can obtain information on the latest Education Services offerings, course dates, and class locations from the World Wide Web by pointing your Web browser to: http://www.juniper.net/training/education/.

About This Publication

The Advanced Junos Enterprise Switching Detailed Lab Guide was developed and tested using software Release 10.4R3.4. Previous and later versions of software might behave differently, so you should always consult the documentation and release notes for the version of code you are running before reporting errors.

This document is written and maintained by the Juniper Networks Education Services development team. Please send questions and suggestions for improvement to [email protected].

Technical Publications

You can print technical manuals and release notes directly from the Internet in a variety of formats:
• Go to http://www.juniper.net/techpubs/.
• Locate the specific software or hardware release and title you need, and choose the format in which you want to view or print the document.

Documentation sets and CDs are available through your local Juniper Networks sales office or account representative.

Juniper Networks Support

For technical support, contact Juniper Networks at http://www.juniper.net/customers/support/, or at 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States).
Lab 1
Advanced Ethernet Switching (Detailed)

Overview

In this lab, you familiarize yourself with the starting configuration and the lab environment. You will also use the command-line interface (CLI) to configure and monitor various Ethernet switching features covered in the corresponding lecture.

The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab you will perform the following tasks:
• Familiarize yourself with the lab environment.
• Configure and monitor filter-based VLAN assignments.
• Configure and monitor a private VLAN (PVLAN).
• Configure and monitor the Multiple VLAN Registration Protocol (MVRP).
• Configure and monitor Q-in-Q tunneling.
Part 1: Logging In Using the CLI

In this lab part, you familiarize yourself with the access details used to connect to the lab equipment. Once you are familiar with the access details, you will use the CLI to log in to your team's designated switch and become familiar with this lab's environment.

Step 1.1
Ensure that you know to which switch you have been assigned. Check with your instructor if you are not certain. Consult the Management Network Diagram to determine your switch's management address.

Question: What is the management address assigned to your switch?

Answer: Your answer will depend on your assigned device and the rack of equipment you are using.

Step 1.2
Access the CLI for your switch using either the console, Telnet, or SSH as directed by your instructor. Refer to the Management Network Diagram for the IP address associated with your team's station. The following example uses Telnet and the SecureCRT program:

Note: The lab equipment used in this class is likely to be remote from your physical location. The instructor will provide access details to get you logged in to your assigned device.
Step 1.3
Log in as user lab with the password supplied by your instructor.

exD-1 (ttyu0)

login: lab
Password:

--- JUNOS 10.4R3.4 built 2011-03-19 22:06:32 UTC
{master:0}
lab@exD-1>

Part 2: Configuring and Monitoring Filter-Based VLAN Assignments

In this lab part, you configure and monitor filter-based VLAN assignments. You will first verify the state of the starting configuration. You will then configure and apply a firewall filter used for a filter-based VLAN assignment. You will then associate the interfaces.

Step 2.1
Use the show interfaces terse command to ensure ge-0/0/7.0, ge-0/0/8.0, and ge-0/0/12.0 are all enabled for Layer 2 operations and are up, both physically and administratively.

{master:0}
lab@exD-1> show interfaces terse | match "Interfaces|0/0/(7|8|12)"
Interface               Admin Link Proto    Local    Remote
ge-0/0/7                up    up
ge-0/0/7.0              up    up   eth-switch
ge-0/0/8                up    up
ge-0/0/8.0              up    up   eth-switch
ge-0/0/12               up    up
ge-0/0/12.0             up    up   eth-switch

Question: Are the referenced interfaces enabled for Layer 2 operations and up, physically and administratively?

Answer: The answer should be yes. You should see up listed under the Admin and Link columns and eth-switch under the Proto column. If your output does not match the sample output, please work with your instructor to ensure the correct starting configuration has been loaded.
Step 2.2
Use the show vlans command to ensure ge-0/0/7.0 and ge-0/0/8.0 are associated with the v11 and v12 VLANs, respectively. Use the same command to ensure ge-0/0/12.0 is associated with both v11 and v12.

{master:0}
lab@exD-1> show vlans
Name           Tag     Interfaces
default        None
v11            11
                       ge-0/0/7.0*, ge-0/0/12.0*
v12            12
                       ge-0/0/8.0*, ge-0/0/12.0*

Question: Are the referenced interfaces associated with the correct VLANs?

Answer: The answer should be yes. You should see ge-0/0/7.0 and ge-0/0/12.0 associated with VLAN v11 and ge-0/0/8.0 and ge-0/0/12.0 associated with VLAN v12. If you see something different, please work with your instructor as needed.

Question: What operational mode command can you issue to determine the port modes currently assigned to the referenced interfaces?

Answer: Multiple commands are available to view port mode assignments. The following output illustrates two such commands and shows that ge-0/0/7.0 and ge-0/0/8.0 are access ports (or untagged ports), whereas ge-0/0/12.0 is a trunk port (or a tagged port):
{master:0}
lab@exD-1> show vlans detail
VLAN: default, 802.1Q Tag: Untagged, Admin State: Enabled

VLAN: v11, 802.1Q Tag: 11, Admin State: Enabled
Number of interfaces: 2 (Active = 2)
  Untagged interfaces: ge-0/0/7.0*
  Tagged interfaces: ge-0/0/12.0*

VLAN: v12, 802.1Q Tag: 12, Admin State: Enabled
Number of interfaces: 2 (Active = 2)
  Untagged interfaces: ge-0/0/8.0*
  Tagged interfaces: ge-0/0/12.0*

{master:0}
lab@exD-1> show ethernet-switching interfaces
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/7.0   up     v11           11   untagged  unblocked
ge-0/0/8.0   up     v12           12   untagged  unblocked
ge-0/0/12.0  up     v11           11   tagged    unblocked
                    v12           12   tagged    unblocked
Step 2.3
Enter configuration mode and navigate to the [edit firewall family ethernet-switching] hierarchy. Create a firewall filter named fbva that matches any source IP address in the 172.23.15.0/24 subnet and associates the related traffic with VLAN v15. Ensure that all other traffic is permitted.

{master:0}
lab@exD-1> configure
Entering configuration mode

{master:0}[edit]
lab@exD-1# edit firewall family ethernet-switching

{master:0}[edit firewall family ethernet-switching]
lab@exD-1# set filter fbva term match-net from source-address 172.23.15.0/24

{master:0}[edit firewall family ethernet-switching]
lab@exD-1# set filter fbva term match-net then vlan v15

{master:0}[edit firewall family ethernet-switching]
lab@exD-1# set filter fbva term else-accept then accept

{master:0}[edit firewall family ethernet-switching]
lab@exD-1# show
filter fbva {
    term match-net {
        from {
            source-address {
                172.23.15.0/24;
            }
        }
        ##
        ## Warning: Named or Non-range vlan must be set
        ##
        then vlan v15;
    }
    term else-accept {
        then accept;
    }
}

{master:0}[edit firewall family ethernet-switching]
lab@exD-1#
{master:0}[edit vlans]
lab@exD-1# run show vlans v15 detail
VLAN: v15, 802.1Q Tag: 15, Admin State: Enabled
Number of interfaces: 2 (Active = 2)
  Tagged interfaces: ge-0/0/12.0*
  Mapping policy interfaces: ge-0/0/7.0*

Question: Are the expected interfaces now associated with VLAN v15?

Answer: Yes, as shown in the sample output, the ge-0/0/7.0 and ge-0/0/12.0 interfaces should both now be associated with VLAN v15. The ge-0/0/12.0 interface is a trunk port serving VLAN v15, and the ge-0/0/7.0 interface is an access port for all traffic that matches the applied mapping policy (firewall filter).

Question: Based on the current configuration, with which VLAN would traffic entering ge-0/0/7.0 with an IP source address of 172.23.16.100 be associated?

Answer: Based on the current configuration, all traffic, except traffic from the 172.23.15.0/24 subnet, should be associated with VLAN v11. Traffic sourced from the 172.23.15.0/24 subnet should be associated with VLAN v15.

Step 2.7
Issue the top save /var/home/lab/ajex/lab1part2.conf command to save the entire configuration. Note that you will need to reload this configuration at a later time, so ensure the entire configuration is saved.

{master:0}[edit vlans]
lab@exD-1# top save /var/home/lab/ajex/lab1part2.conf
Wrote 120 lines of configuration to '/var/home/lab/ajex/lab1part2.conf'

STOP: Before proceeding, ensure that the remote team is done with Part 2.
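The question above (which VLAN a frame from 172.23.16.100 lands in) is decided by first-match evaluation of the fbva filter terms. The following Python model is an added example, not code from this lab guide or from Junos: it transcribes the two terms of Step 2.3 into a term list and answers the question for any source address. The Term and Filter classes and the vlan_for helper are this example's own names. The frame-matching semantics modelled here (a term with no from clause matches everything; a bare then accept leaves the frame in the port's configured VLAN; a frame matching no term at all falls to the implicit discard, modelled as None) are the only behaviour assumed.

```python
"""Filter-based VLAN assignment, modelled in Python (added example, not Junos code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Term:
    name: str
    source_prefix: Optional[str] = None  # "from source-address <prefix>"; None = match all
    vlan: Optional[str] = None           # "then vlan <name>"; None = plain accept


@dataclass
class Filter:
    name: str
    terms: List[Term] = field(default_factory=list)

    def classify(self, src_ip: str, port_vlan: str) -> Optional[str]:
        """VLAN the frame ends up in, or None for the implicit discard (no term matched)."""
        addr = ipaddress.ip_address(src_ip)
        for term in self.terms:
            if term.source_prefix is not None:
                if addr not in ipaddress.ip_network(term.source_prefix, strict=False):
                    continue  # this term does not match; evaluate the next one
            # First matching term decides: re-map to the named VLAN, or keep the port VLAN.
            return term.vlan if term.vlan is not None else port_vlan
        return None


# The fbva filter from Step 2.3, term by term.
FBVA = Filter("fbva", [
    Term("match-net", source_prefix="172.23.15.0/24", vlan="v15"),
    Term("else-accept"),
])


def vlan_for(src_ip: str, port_vlan: str = "v11") -> Optional[str]:
    """Frame entering ge-0/0/7.0 (configured VLAN v11) with the given source IP."""
    return FBVA.classify(src_ip, port_vlan)


if __name__ == "__main__":
    for ip in ("172.23.15.10", "172.23.16.100", "10.0.0.1"):
        print(f"{ip:>15} -> {vlan_for(ip)}")
```

Running it prints v15 for 172.23.15.10 and v11 for the other two addresses, matching the answer given in the lab. The model also makes the design limit visible: the mapping keys on the source IP address, a field the sending host fills in itself, so a filter-based assignment is a traffic-steering convenience rather than an isolation boundary. The lab itself removes this filter in Part 3 before building the PVLAN, which is the feature that actually restricts who can talk to whom.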
Part 3: Configuring and Monitoring a PVLAN

In this lab part, you configure and monitor a PVLAN. You will first delete the current VLAN configuration. You will then configure and monitor a PVLAN named pvlan-50 with two community VLANs named finance and sales. Refer to the network diagram for configuration details associated with this lab.

Step 3.1
Delete all configuration under the [edit vlans] hierarchy level.

{master:0}[edit vlans]
lab@exD-1# delete
Delete everything under this level? [yes,no] (no) yes

Step 3.2
Delete all configuration under the [edit firewall] hierarchy and remove the application of the fbva firewall filter from the ge-0/0/7.0 interface.

{master:0}[edit vlans]
lab@exD-1# top delete firewall

{master:0}[edit vlans]
lab@exD-1# top delete interfaces ge-0/0/7.0 family ethernet-switching filter

Step 3.3
Configure a primary VLAN named pvlan-50 with a VLAN ID of 50. Associate the ge-0/0/12 interface with this newly defined VLAN. Configure ge-0/0/12 to function as a PVLAN trunk port.

{master:0}[edit vlans]
lab@exD-1# set pvlan-50 vlan-id 50 interface ge-0/0/12.0 pvlan-trunk

{master:0}[edit vlans]
lab@exD-1# set pvlan-50 no-local-switching

Step 3.4
Use the details shown on the network diagram for this lab and configure two community VLANs: one named finance and the other named sales. Ensure that ge-0/0/7.0 and ge-0/0/8.0 are associated with their respective community VLANs and that both community VLANs are linked to the primary VLAN (pvlan-50).

{master:0}[edit vlans]
lab@exD-1# set finance vlan-id 41 interface ge-0/0/7.0

{master:0}[edit vlans]
lab@exD-1# set finance primary-vlan pvlan-50

{master:0}[edit vlans]
lab@exD-1# set sales vlan-id 42 interface ge-0/0/8.0

{master:0}[edit vlans]
lab@exD-1# set sales primary-vlan pvlan-50
Step 3.5
Attempt to activate the changes using the commit command.

{master:0}[edit vlans]
lab@exD-1# commit
error: Trunk port ge-0/0/12.0 cannot be made member of community vlan
error: configuration check-out failed

Question: Does the commit operation succeed? If not, can you explain why not?

Answer: No. As shown in the sample output, the ge-0/0/12.0 trunk port is currently associated with one or more community VLANs. After a closer look at the active configuration, it should be obvious where the problem lies:

{master:0}[edit vlans]
lab@exD-1# top show interfaces ge-0/0/12.0
family ethernet-switching {
    port-mode trunk;
    vlan {
        members all;
    }
}

Step 3.6
Remove the vlan members all statement from the ge-0/0/12.0 interface configuration and attempt the commit operation once again.

{master:0}[edit vlans]
lab@exD-1# top delete interfaces ge-0/0/12.0 family ethernet-switching vlan

{master:0}[edit vlans]
lab@exD-1# commit
configuration check succeeds
commit complete

Question: Does the commit operation succeed now?

Answer: Yes, as shown in the sample output, the commit operation should now succeed.

Step 3.7
Issue the run show vlans pvlan-50 extensive command to determine the current PVLAN designations for the associated interfaces and community VLANs.
{master:0}[edit vlans]
lab@exD-1# run show vlans pvlan-50 extensive
VLAN: pvlan-50, Created at: Fri May 13 23:02:03 2011
802.1Q Tag: 50, Internal index: 9, Admin State: Enabled, Origin: Static
Private VLAN Mode: Primary
Protocol: Port Mode, Mac aging time: 300 seconds
Number of interfaces: Tagged 1 (Active = 1), Untagged 2 (Active = 2)
  ge-0/0/12.0*, tagged, trunk, pvlan-trunk
  ge-0/0/7.0*, untagged, access
  ge-0/0/8.0*, untagged, access
Secondary VLANs: Isolated 0, Community 2, Inter-switch-isolated 0
  Community VLANs : finance sales

Question: Are the expected access and trunk ports listed in the output?

Answer: Yes, as shown in the sample output, the two access ports and the trunk port should be listed in the output.

Question: Based on the output, is the ge-0/0/12.0 interface properly enabled as a PVLAN trunk port?

Answer: Yes, as shown in the sample output, the ge-0/0/12.0 interface should be enabled as a PVLAN trunk port.

Note: You will now log in to your assigned SRX device. The gateway is configured with multiple virtual routers (VRs), which are logical devices created on your assigned gateway. Most of the configuration required for the SRX device has already been defined. You will, however, be required to modify the existing configuration throughout the labs. Refer to the Management Network Diagram for the IP address of your assigned SRX device. If needed, work with your instructor to obtain the required information.
!!!!!
--- 172.24.50.3 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.955/1.062/1.227/0.093 ms

lab@srxD-1> ping routing-instance vr y 1 172.24.50.z rapid
PING 172.24.50.4 (172.24.50.4): 56 data bytes
.....
--- 172.24.50.4 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

lab@srxD-1> ping routing-instance vr y 2 172.24.50.z rapid
PING 172.24.50.1 (172.24.50.1): 56 data bytes
.....
--- 172.24.50.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

lab@srxD-1> ping routing-instance vr y 2 172.24.50.z rapid
PING 172.24.50.3 (172.24.50.3): 56 data bytes
.....
--- 172.24.50.3 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

lab@srxD-1> ping routing-instance vr y 2 172.24.50.z rapid
PING 172.24.50.4 (172.24.50.4): 56 data bytes
!!!!!
--- 172.24.50.4 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.025/5.862/24.405/9.272 ms

Question: Do the ping tests between the VRs associated with the same community VLANs succeed?

Answer: Yes, as expected, the ping tests between the VRs associated with the same community VLANs succeed. As shown in the sample output, the ping tests between VRs in different community VLANs should not succeed. If your test shows different results, check with the remote team to ensure they have committed the required configuration and, if needed, work with your instructor.

STOP: Before proceeding, ensure that the remote team is done with Part 3.
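Two things in this part are worth having in executable form: the forwarding rules the ping tests just exercised (same community reachable, different community not, the PVLAN trunk reachable from everything), and the commit check that rejected the configuration in Step 3.5. The Python below is an added example, not code from the lab guide or from Junos. It models the pvlan-50 primary VLAN with the finance and sales communities and ge-0/0/12.0 as the PVLAN trunk exactly as configured in Steps 3.3 and 3.4, and it goes one step beyond the page by also modelling an isolated port (the output above shows Isolated 0; the port ge-0/0/9.0 used for that is hypothetical). The PrivateVlan class, forwards, check_commit and commit_fails are this example's own names; check_commit reproduces only the one condition the page shows, a trunk whose static membership includes a community VLAN (members all, or a community named explicitly).

```python
"""Private VLAN forwarding model and commit check (added example, not Junos code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class PrivateVlan:
    """A primary VLAN with its secondary (community and isolated) VLANs."""
    name: str
    vlan_id: int
    pvlan_trunks: Set[str] = field(default_factory=set)
    communities: Dict[str, Set[str]] = field(default_factory=dict)  # name -> access ports
    isolated_ports: Set[str] = field(default_factory=set)

    def role(self, port: str) -> Optional[str]:
        """'pvlan-trunk', 'isolated', a community name, or None if not a member."""
        if port in self.pvlan_trunks:
            return "pvlan-trunk"
        if port in self.isolated_ports:
            return "isolated"
        for community, ports in self.communities.items():
            if port in ports:
                return community
        return None

    def forwards(self, src: str, dst: str) -> bool:
        """True if a frame from src may be delivered to dst inside this PVLAN."""
        src_role, dst_role = self.role(src), self.role(dst)
        if src_role is None or dst_role is None or src == dst:
            return False
        # The PVLAN trunk carries every secondary VLAN, so it exchanges traffic with all ports.
        if "pvlan-trunk" in (src_role, dst_role):
            return True
        # Isolated ports reach only the trunk/promiscuous side, never another access port.
        if "isolated" in (src_role, dst_role):
            return False
        # Community ports reach only members of the same community.
        return src_role == dst_role


def check_commit(pvlan: PrivateVlan, trunk_members: Dict[str, Set[str]]) -> None:
    """Raise if a PVLAN trunk's static 'vlan members' list includes a community VLAN.

    trunk_members maps a trunk interface to the names under
    'family ethernet-switching vlan members' ({'all'} for 'members all').
    """
    for port, members in trunk_members.items():
        if port not in pvlan.pvlan_trunks:
            continue
        if "all" in members or members & set(pvlan.communities):
            raise ValueError(f"Trunk port {port} cannot be made member of community vlan")


def commit_fails(pvlan: PrivateVlan, trunk_members: Dict[str, Set[str]]) -> bool:
    """Convenience wrapper: True if check_commit rejects the configuration."""
    try:
        check_commit(pvlan, trunk_members)
    except ValueError:
        return True
    return False


# pvlan-50 as built in Steps 3.3 and 3.4, plus one hypothetical isolated port (ge-0/0/9.0).
PVLAN50 = PrivateVlan(
    name="pvlan-50",
    vlan_id=50,
    pvlan_trunks={"ge-0/0/12.0"},
    communities={"finance": {"ge-0/0/7.0"}, "sales": {"ge-0/0/8.0"}},
    isolated_ports={"ge-0/0/9.0"},
)

if __name__ == "__main__":
    ports = ["ge-0/0/7.0", "ge-0/0/8.0", "ge-0/0/9.0", "ge-0/0/12.0"]
    for src in ports:
        allowed = [dst for dst in ports if PVLAN50.forwards(src, dst)]
        print(f"{src} ({PVLAN50.role(src)}) -> {allowed}")
    # The Step 3.5 configuration still had 'vlan members all' on the trunk.
    print("commit with 'members all':", "rejected" if commit_fails(PVLAN50, {"ge-0/0/12.0": {"all"}}) else "accepted")
```

The forwards matrix is the defender's view of a PVLAN: it states, per pair of ports, what the hardware will and will not deliver, which is what the ping tests in this part verify empirically one pair at a time. The commit check captures why Step 3.5 failed: a trunk that is a static member of every VLAN would also be a member of the community VLANs, and Junos refuses that combination.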
Part 4: Configuring and Monitoring MVRP

In this lab part, you configure and monitor MVRP. You will first load the configuration file saved in a previous lab part and make some minor modifications. You will then configure and monitor MVRP. Refer to the network diagram for configuration details associated with this lab.

Step 4.1
Return to your EX Series switch.

Navigate to the root of the hierarchy level and use the load override and commit commands to restore the configuration saved at the end of Part 2. Note that the configuration file should be in the /var/home/lab/ajex/ directory and should be named lab1part2.conf.

{master:0}[edit vlans]
lab@exD-1# top

{master:0}[edit]
lab@exD-1# load override /var/home/lab/ajex/lab1part2.conf
load complete

{master:0}[edit]
lab@exD-1# commit
configuration check succeeds
commit complete

{master:0}[edit]
lab@exD-1#

Step 4.2
Remove the vlan members all statement from the ge-0/0/12.0 interface configuration.

{master:0}[edit]
lab@exD-1# delete interfaces ge-0/0/12.0 family ethernet-switching vlan

Step 4.3
Delete the ge-0/0/12.0 interface from all currently defined VLANs. Issue the commit command to activate the changes.

{master:0}[edit]
lab@exD-1# delete vlans v11 interface ge-0/0/12.0

{master:0}[edit]
lab@exD-1# delete vlans v12 interface ge-0/0/12.0

{master:0}[edit]
lab@exD-1# delete vlans v15 interface ge-0/0/12.0

{master:0}[edit]
lab@exD-1# commit
configuration check succeeds
commit complete
Step 4.4
Issue the run show vlans command to ensure the ge-0/0/12.0 interface is no longer associated with any of the defined VLANs.

{master:0}[edit]
lab@exD-1# run show vlans
Name           Tag     Interfaces
default        None
v11            11
                       ge-0/0/7.0*
v12            12
                       ge-0/0/8.0*
v15            15
                       ge-0/0/7.0*

Question: Is the ge-0/0/12.0 interface currently associated with any of the defined VLANs?

Answer: No, as shown in the sample output, the trunk port ge-0/0/12.0 is no longer associated with any of the defined VLANs. Note that this behavior is expected based on the current configuration.

Step 4.5
Enable MVRP on the ge-0/0/12.0 interface. Activate the change using the commit command.

{master:0}[edit]
lab@exD-1# set protocols mvrp interface ge-0/0/12.0

{master:0}[edit]
lab@exD-1# commit
configuration check succeeds
commit complete

Note: Before proceeding, ensure that the remote team in your pod finishes the previous step.

Step 4.6
Issue the run show vlans command once again to determine whether the ge-0/0/12.0 interface is now associated with the defined VLANs.
{master:0}
lab@exD-1# run show vlans
Name           Tag     Interfaces
default        None
v11            11
                       ge-0/0/7.0*, ge-0/0/12.0*
v12            12
                       ge-0/0/8.0*, ge-0/0/12.0*
v15            15
                       ge-0/0/7.0*, ge-0/0/12.0*

Question: Is the ge-0/0/12.0 interface now associated with the defined VLANs?

Answer: Yes, as shown in the sample output, the trunk port ge-0/0/12.0 is now associated with all of the defined VLANs. Note that you can also view dynamic VLAN membership associations using the show mvrp dynamic-vlan-memberships command, as shown in the following:

{master:0}[edit]
lab@exD-1# run show mvrp dynamic-vlan-memberships
MVRP dynamic vlans for routing instance 'default-switch'
(s) static vlan, (f) fixed registration
VLAN ID   Interfaces
11(s)     ge-0/0/12.0
12(s)     ge-0/0/12.0
15(s)     ge-0/0/12.0

Step 4.7
Issue the run show mvrp statistics command to display MVRP statistics.

{master:0}[edit]
lab@exD-1# run show mvrp statistics
MVRP statistics
Interface name          : ge-0/0/12.0
MRPDU received          : 15
Invalid PDU received    : 0
New received            : 0
Join Empty received     : 12
Join In received        : 33
Empty received          : 0
In received             : 0
Leave received          : 0
LeaveAll received       : 4
MRPDU transmitted       : 15
MRPDU transmit failures : 0
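Once MVRP is enabled on a trunk, the VLANs that trunk carries are no longer fixed by your own configuration alone: the two outputs above are the evidence of what the neighbour registered and how healthy the exchange is, and in an operational network they are what you would monitor. The Python below is an added example, not code from the lab guide or from Juniper. It parses the text of show mvrp dynamic-vlan-memberships and show mvrp statistics as printed in this part (the MEMBERSHIPS and STATISTICS strings are copied from the output above) and performs two checks: report any VLAN ID registered on an interface that is not on the allow-list you expect for it, and report any interface whose counters show invalid PDUs or transmit failures. The ROGUE_MEMBERSHIPS line (VLAN 99 with no flag) and the non-zero counter in BAD_STATISTICS are constructed inputs to exercise those checks; the function names are this example's own.

```python
"""Checks over MVRP operational output (added example, not Junos code)."""
import re
from typing import Dict, List, Set, Tuple

# Copied from the 'show mvrp dynamic-vlan-memberships' output in Step 4.6.
MEMBERSHIPS = """\
MVRP dynamic vlans for routing instance 'default-switch'
(s) static vlan, (f) fixed registration
VLAN ID   Interfaces
11(s)     ge-0/0/12.0
12(s)     ge-0/0/12.0
15(s)     ge-0/0/12.0
"""

# Copied from the 'show mvrp statistics' output in Step 4.7.
STATISTICS = """\
MVRP statistics
Interface name          : ge-0/0/12.0
MRPDU received          : 15
Invalid PDU received    : 0
New received            : 0
Join Empty received     : 12
Join In received        : 33
Empty received          : 0
In received             : 0
Leave received          : 0
LeaveAll received       : 4
MRPDU transmitted       : 15
MRPDU transmit failures : 0
"""

# Constructed variants: a VLAN registered by the neighbour that is not in our plan,
# and a counter that should stay at zero.
ROGUE_MEMBERSHIPS = MEMBERSHIPS + "99        ge-0/0/12.0\n"
BAD_STATISTICS = STATISTICS.replace("Invalid PDU received    : 0", "Invalid PDU received    : 3")

# "<vid>(<flag>) <interface>"; the flag is absent for a purely dynamic registration.
_MEMBER_RE = re.compile(r"^\s*(\d+)(?:\(([sf])\))?\s+(\S+)", re.M)


def parse_memberships(text: str) -> Dict[str, Set[Tuple[int, str]]]:
    """interface -> {(vlan_id, flag)} with flag 's' (static), 'f' (fixed) or 'd' (dynamic)."""
    out: Dict[str, Set[Tuple[int, str]]] = {}
    for vid, flag, ifname in _MEMBER_RE.findall(text):
        out.setdefault(ifname, set()).add((int(vid), flag or "d"))
    return out


def parse_statistics(text: str) -> Dict[str, Dict[str, int]]:
    """interface -> {counter name: value}; handles several 'Interface name' sections."""
    stats: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Interface name":
            current = value
            stats[current] = {}
        elif current is not None and value.isdigit():
            stats[current][key] = int(value)
    return stats


def unexpected_vlans(text: str, expected: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """VLAN IDs present per interface that are not on that interface's allow-list."""
    found: Dict[str, Set[int]] = {}
    for ifname, members in parse_memberships(text).items():
        extra = {vid for vid, _ in members} - expected.get(ifname, set())
        if extra:
            found[ifname] = extra
    return found


def unhealthy_interfaces(text: str) -> List[str]:
    """Interfaces reporting invalid PDUs or transmit failures."""
    bad = []
    for ifname, counters in parse_statistics(text).items():
        if counters.get("Invalid PDU received", 0) or counters.get("MRPDU transmit failures", 0):
            bad.append(ifname)
    return bad


if __name__ == "__main__":
    plan = {"ge-0/0/12.0": {11, 12, 15}}
    print("unexpected (lab output):", unexpected_vlans(MEMBERSHIPS, plan))
    print("unexpected (rogue):     ", unexpected_vlans(ROGUE_MEMBERSHIPS, plan))
    print("unhealthy (lab output): ", unhealthy_interfaces(STATISTICS))
    print("unhealthy (bad):        ", unhealthy_interfaces(BAD_STATISTICS))
```

Run against the lab's own output both checks come back empty, which is the expected state after Step 4.6. The allow-list comparison is the useful one long term: MVRP will happily register whatever a connected switch advertises, so a trunk carrying a VLAN that is not in your plan is worth an alert rather than a surprise.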
lab@exD-1# set v12 dot1q-tunneling

{master:0}[edit vlans]
lab@exD-1# set v15 dot1q-tunneling

{master:0}[edit vlans]
lab@exD-1# set cust-1 dot1q-tunneling layer2-protocol-tunneling all

{master:0}[edit vlans]
lab@exD-1# commit and-quit
configuration check succeeds
commit complete
Exiting configuration mode

{master:0}
lab@exD-1>
Step 5.5
Issue the show vlans cust-1 detail command.

{master:0}
lab@exD-1> show vlans cust-1 detail
VLAN: cust-1, 802.1Q Tag: 200, Admin State: Enabled
Dot1q Tunneling status: Enabled
Layer 2 Protocol Tunneling status: Enabled
Number of interfaces: 2 (Active = 2)
  Untagged interfaces: ge-0/0/6.0*
  Tagged interfaces: ge-0/0/12.0*
Question: Based on the output, are Q-in-Q tunneling
and L2PT now enabled?
Answer: Yes, as shown in the sample capture, Q-in-Q
tunneling and L2PT are now enabled.
Step 5.6
Return to the session opened for your SRX device.

Use the ping utility once again and verify reachability between customer sites. Refer to the network diagram for the instance names and the IP address information. Do not forget to reference the correct routing instance when performing this operation.

lab@srxD-1> ping routing-instance vry0 172.27.100.z rapid
PING 172.27.100.2 (172.27.100.2): 56 data bytes
!!!!!
--- 172.27.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.038/5.765/24.069/9.153 ms
Question: Does the ping operation succeed now?
Answer: Yes, as shown in sample output, the ping
operation should now succeed.
STOP Tell your instructor that you have completed Lab 1.
Lab 2
Implementing MSTP and VSTP (Detailed)

Overview
In this lab, you will use the command-line interface (CLI) to configure and monitor the Multiple Spanning Tree Protocol (MSTP) and VLAN STP (VSTP).
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab you will perform the following tasks:
• Modify the existing configuration.
• Configure and monitor MSTP.
• Configure and monitor VSTP.
Part 1: Modifying the Existing Configuration

In this lab part, you will modify the existing configuration on your EX Series switch and perform some basic verification tasks to prepare for subsequent lab parts.

Refer to the network diagram for this lab for topological and configuration details.
Step 1.1
Enter configuration mode and configure the ge-0/0/9 and ge-0/0/10 interfaces for Layer 2 operations and as trunk ports.

{master:0}
lab@exD-1> configure
Entering configuration mode

{master:0}[edit]
lab@exD-1# edit interfaces

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/9.0 family ethernet-switching port-mode trunk

{master:0}[edit interfaces]
lab@exD-1# set ge-0/0/10.0 family ethernet-switching port-mode trunk

{master:0}[edit interfaces]
lab@exD-1#
Step 1.2
Associate these newly defined trunk ports with all currently defined VLANs. Note that the VLANs must be statically associated with these new trunk ports, because the attached SRX devices do not support the Multiple VLAN Registration Protocol (MVRP). Also note that you cannot use the vlan members all statement because Q-in-Q tunneling is in place.

{master:0}[edit interfaces]
lab@exD-1# top edit vlans

{master:0}[edit vlans]
lab@exD-1# set ?
Possible completions:
  <vlan-name>          VLAN name
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  cust-1               VLAN name
> traceoptions         VLAN trace options
  v11                  VLAN name
  v12                  VLAN name
  v15                  VLAN name
{master:0}[edit vlans]
lab@exD-1# set cust-1 interface ge-0/0/9.0

{master:0}[edit vlans]
lab@exD-1# set cust-1 interface ge-0/0/10.0

{master:0}[edit vlans]
lab@exD-1# set v11 interface ge-0/0/9.0

{master:0}[edit vlans]
lab@exD-1# set v11 interface ge-0/0/10.0

{master:0}[edit vlans]
lab@exD-1# set v12 interface ge-0/0/9.0

{master:0}[edit vlans]
lab@exD-1# set v12 interface ge-0/0/10.0

{master:0}[edit vlans]
lab@exD-1# set v15 interface ge-0/0/9.0

{master:0}[edit vlans]
lab@exD-1# set v15 interface ge-0/0/10.0

{master:0}[edit vlans]
lab@exD-1#
Step 1.3
Activate the configuration changes using the commit command and verify the spanning-tree topology details using the run show spanning-tree bridge command.

{master:0}[edit vlans]
lab@exD-1# commit
configuration check succeeds
commit complete

{master:0}[edit vlans]
lab@exD-1# run show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 4096.00:26:88:e1:45:10
  Root cost                         : 20000
  Root port                         : ge-0/0/9.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 1
  Number of topology changes        : 4
  Time since last topology change   : 1808 seconds
  Topology change initiator         : ge-0/0/9.0
  Topology change last recvd. from  : 00:26:88:e1:4f:8a
  Local parameters
    Bridge ID                       : 32768.50:c5:8d:ba:62:00
    Extended system ID              : 0
    Internal instance ID            : 0
Question: Which device is elected as the root
bridge? Which interface will your switch use to
forward traffic through the Layer 2 network?
Answer: The srxX-1 device should be elected the root bridge device based on its current bridge priority of 4K. The root port, used to forward traffic through the root bridge, varies depending on your assigned switch. If you are assigned exX-1, the root port should be ge-0/0/9.0. If you are assigned exX-2, the root port should be ge-0/0/10.0.
Question: What limitation exists with the current
spanning-tree implementation? What options exist
that overcome this limitation?
Answer: The current spanning-tree topology offers no load balancing. The links between the EX Series switches and the srxX-2 device will not be used. This problem is a known limitation of STP and RSTP. You can use MSTP or VSTP instead of RSTP to overcome this limitation. We make use of MSTP and VSTP in subsequent lab parts.
Part 2: Configuring and Monitoring MSTP

In this lab part, you configure and monitor MSTP. You create two multiple spanning-tree instances (MSTIs): one for all VLAN IDs between 1 and 199, and a second for all VLAN IDs between 200 and 399. Once configured, you use various operational mode commands to monitor MSTP.
Step 2.1
Delete RSTP under the [edit protocols] hierarchy.

{master:0}[edit vlans]
lab@exD-1# top edit protocols

{master:0}[edit protocols]
lab@exD-1# show
rstp;
mvrp {
    interface ge-0/0/12.0;
}

{master:0}[edit protocols]
lab@exD-1# delete rstp

{master:0}[edit protocols]
lab@exD-1#
Step 2.6
Configure a non-default bridge priority for each MSTI. If you are assigned srxX-1, specify a bridge priority of 4k for MSTI 1 and 8k for MSTI 2. If you are assigned srxX-2, specify a bridge priority of 8k for MSTI 1 and 4k for MSTI 2. Activate the changes using the commit command. The following captures illustrate the commands and expected configurations for both SRX devices in pod D:

[edit protocols]
lab@srxD-1# set mstp msti 1 bridge-priority 4k

[edit protocols]
lab@srxD-1# set mstp msti 2 bridge-priority 8k

[edit protocols]
lab@srxD-1# show
mstp {
    configuration-name my-mstp-config;
    msti 1 {
        bridge-priority 4k;
        vlan 1-199;
    }
    msti 2 {
        bridge-priority 8k;
        vlan 200-399;
    }
}

[edit protocols]
lab@srxD-1# commit
commit complete

[edit protocols]
lab@srxD-2# set mstp msti 1 bridge-priority 8k

[edit protocols]
lab@srxD-2# set mstp msti 2 bridge-priority 4k

[edit protocols]
lab@srxD-2# show
mstp {
    configuration-name my-mstp-config;
    msti 1 {
        bridge-priority 8k;
        vlan 1-199;
    }
    msti 2 {
        bridge-priority 4k;
        vlan 200-399;
    }
}

[edit protocols]
lab@srxD-2# commit
commit complete
Question: Based on the current configurations,
what forwarding paths would you expect for traffic
associated with the various VLANs currently in use?
Answer: The spanning-tree topology now offers some level of load balancing for the defined VLANs. Based on the current configurations, all traffic associated with VLAN ID 200 (SVLAN assigned to the attached customer) should pass through srxX-2. The traffic associated with all other VLAN IDs (11, 12, and 15) should pass through srxX-1.
Note: Before proceeding, ensure that the remote team in your pod finishes the previous step.

Step 2.7
Return to the session opened for your EX Series switch.

Issue the run show spanning-tree bridge command and answer the questions that follow.

{master:0}[edit protocols]
lab@exD-1# run show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
STP bridge parameters for CIST
  Root ID                           : 32768.00:26:88:e1:45:10
  Root cost                         : 0
  Root port                         : ge-0/0/9.0
  CIST regional root                : 32768.00:26:88:e1:45:10
  CIST internal root cost           : 20000
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Message age                       : 0
  Number of topology changes        : 12
  Time since last topology change   : 18 seconds
  Topology change initiator         : ge-0/0/9.0
  Topology change last recvd. from  : 50:c5:8d:ae:b7:8c
  Local parameters
    Bridge ID                       : 32768.50:c5:8d:ba:62:00
    Extended system ID              : 0
    Internal instance ID            : 0
STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:26:88:e1:45:10
  Root cost                         : 20000
  Root port                         : ge-0/0/9.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Number of topology changes        : 12
  Topology change initiator         : ge-0/0/9.0
  Topology change last recvd. from  : 00:26:88:e1:4f:8a
  Local parameters
    Bridge ID                       : 32769.50:c5:8d:ba:62:00
    Extended system ID              : 0
    Internal instance ID            : 1
STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:26:88:e1:4f:90
  Root cost                         : 20000
  Root port                         : ge-0/0/10.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 19
  Number of topology changes        : 12
  Topology change initiator         : ge-0/0/10.0
  Topology change last recvd. from  : 00:26:88:e1:45:09
  Local parameters
    Bridge ID                       : 32770.50:c5:8d:ba:62:00
    Extended system ID              : 0
    Internal instance ID            : 2
Question: Are the expected devices elected root bridges for MSTI 1 and MSTI 2?

Answer: The answer should be yes. The srxX-1 device should be elected root bridge for MSTI 1 and the srxX-2 device should be elected root bridge for MSTI 2. If you see different results, check your configuration and ensure the remote team has finished the previous step.
Question: Which device has been elected as the
root bridge for the Common and Internal Spanning
Tree (CIST)?
Answer: The answer might vary. In the illustrated
example, srxD-1 has been elected as the root bridge
for the CIST (MSTI 0).
Question: What configuration change can you make to ensure srxX-1 is always the root bridge as long as it is available?

Answer: To ensure one device is always the root bridge when it is available, you must ensure the bridge priority for that device is set to a lower value than all other switches participating in the MSTP region.
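The questions in this part are answered by reading Root ID, MSTI regional root and Bridge ID out of show spanning-tree bridge by eye. The following Python block is an added example, not part of the lab guide and not Junos code, that does the same check programmatically: it splits the numeric part of each bridge identifier into the configured priority and the 12-bit system ID extension (the MSTI number here; under VSTP in Part 3 it is the VLAN ID, which is why 8207 reads as 8192 + 15), then compares the elected root of every instance against the bridge you expect. The sample text is constructed from the values in the Step 2.7 output; the function names are this example's own. An instance whose root is not the expected bridge looks the same whether the cause is a mis-set priority, a region split such as the one Step 2.10 provokes, or an unauthorised bridge advertising a lower priority, which is why this comparison belongs in routine monitoring and not only in a lab.

```python
import re

# Constructed sample, modelled on the 'show spanning-tree bridge' output in
# Step 2.7 (CIST plus two MSTIs, values as shown there).
SAMPLE_OUTPUT = """\
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
STP bridge parameters for CIST
  Root ID                           : 32768.00:26:88:e1:45:10
  Root cost                         : 0
  Root port                         : ge-0/0/9.0
  Local parameters
    Bridge ID                       : 32768.50:c5:8d:ba:62:00
STP bridge parameters for MSTI 1
  MSTI regional root                : 4097.00:26:88:e1:45:10
  Root cost                         : 20000
  Root port                         : ge-0/0/9.0
  Local parameters
    Bridge ID                       : 32769.50:c5:8d:ba:62:00
STP bridge parameters for MSTI 2
  MSTI regional root                : 4098.00:26:88:e1:4f:90
  Root cost                         : 20000
  Root port                         : ge-0/0/10.0
  Local parameters
    Bridge ID                       : 32770.50:c5:8d:ba:62:00
"""

# Expected roots per instance (constructed to match the lab design:
# srxD-1 owns MSTI 1, srxD-2 owns MSTI 2).
EXPECTED_ROOTS = {
    "MSTI 1": "00:26:88:e1:45:10",
    "MSTI 2": "00:26:88:e1:4f:90",
}

BRIDGE_ID_RE = re.compile(r"^(\d+)\.([0-9a-f]{2}(?::[0-9a-f]{2}){5})$")


def split_bridge_id(text):
    """'4097.00:26:88:e1:45:10' -> (4096, 1, '00:26:88:e1:45:10').

    The numeric field is the 4-bit priority (multiples of 4096) plus the
    12-bit system ID extension that carries the instance number.
    """
    match = BRIDGE_ID_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised bridge identifier: {text!r}")
    number = int(match.group(1))
    return number & 0xF000, number & 0x0FFF, match.group(2)


def parse_bridge_output(text):
    """Return {instance name: {field: value}} for each 'parameters for' block."""
    instances = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"STP bridge parameters for (.+)$", line.strip())
        if header:
            current = header.group(1)
            instances[current] = {}
            continue
        if current is None or ":" not in line:
            continue  # lines before the first instance, or labels without values
        key, _, value = line.partition(":")  # first colon; MACs come after it
        instances[current][key.strip()] = value.strip()
    return instances


def root_report(text, expected_roots):
    """{instance: (matches_expectation, root_mac, root_port_or_'self')}."""
    report = {}
    for name, fields in parse_bridge_output(text).items():
        root_field = fields.get("MSTI regional root") or fields["Root ID"]
        _, _, root_mac = split_bridge_id(root_field)
        _, _, own_mac = split_bridge_id(fields["Bridge ID"])
        via = "self" if root_mac == own_mac else fields.get("Root port", "?")
        expected = expected_roots.get(name)
        report[name] = (expected is None or expected == root_mac, root_mac, via)
    return report


if __name__ == "__main__":
    for name, (ok, mac, via) in root_report(SAMPLE_OUTPUT, EXPECTED_ROOTS).items():
        print(f"{name:8} root={mac} via={via} {'OK' if ok else 'UNEXPECTED ROOT'}")
```

The CIST has no entry in EXPECTED_ROOTS, so it is reported but never flagged; add one once the design fixes the CIST root as well.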
Step 2.8
On your assigned EX Series switch, issue the run show spanning-tree mstp configuration command.

{master:0}[edit protocols]
lab@exD-1# run show spanning-tree mstp configuration
MSTP information
Context identifier    : 0
Region name           : my-mstp-config
Revision              : 0
Configuration digest  : 0x91ee8012e6851d931adae71da4060690

MSTI   Member VLANs
  0    0, 400-4094
  1    1-199
  2    200-399
Question: Does the output display the expected
VLAN to MSTI mapping information?
Answer: Yes, the output should show the correct
VLAN to MSTI mapping information. You should see
the previously configured ranges for MSTI 1 and
MSTI 2 (1-199 and 200-399 respectively) and the
remainder of the supported VLAN ID range
associated with the CIST (MSTI 0).
Question: Which three components in the displayed output must match for switches participating in the same MST region?
Answer: The region name, revision level, and the
VLAN to MSTI mappings must match on all bridges
participating in the same MST region.
Question: How is the configuration digest
determined?
Answer: The configuration digest is based on the
VLAN to MSTI mapping information. Note that this
mapping information must match on all switches
intending to participate in the same MST region.
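The digest the answer refers to is defined by IEEE 802.1s (now clause 13.7 of 802.1Q): an HMAC-MD5 over a table of 4096 two-octet entries, entry i holding the MSTI of VLAN i, keyed with a fixed, published 16-octet signature key. The following Python block is an added example, not part of the lab guide and not Junos code, that computes the digest for the default mapping (everything in the CIST) and for the lab's mapping (1-199 in MSTI 1, 200-399 in MSTI 2). The mapping dictionaries are constructed inputs and the function names are this example's own; MST_DIGEST_KEY is the key from the standard.

```python
import hashlib
import hmac

# IEEE 802.1s signature key: every MST bridge uses this constant, which is
# what lets bridges from different vendors agree on the digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def build_msti_table(msti_vlans):
    """Build the 4096-entry table: element i is the MSTI of VLAN i.

    msti_vlans maps an MSTI number to a list of (low, high) VLAN ranges.
    VLANs not listed stay in the CIST (MSTI 0), which 'show spanning-tree
    mstp configuration' prints as the MSTI 0 member list.
    """
    table = [0] * 4096
    for msti, ranges in msti_vlans.items():
        for low, high in ranges:
            for vid in range(low, high + 1):
                table[vid] = msti
    return table


def mst_config_digest(msti_vlans):
    """Return the MST Configuration Digest as 32 lowercase hex characters."""
    table = build_msti_table(msti_vlans)
    # each table element is encoded as a two-octet MSTID, most significant octet first
    data = b"".join(msti.to_bytes(2, "big") for msti in table)
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).hexdigest()


def region_identity(name, revision, msti_vlans):
    """The three values that must agree for two bridges to share a region."""
    return (name, revision, mst_config_digest(msti_vlans))


# Constructed inputs: the factory default and the mapping built in Steps 2.2-2.6.
DEFAULT_MAPPING = {}
LAB_MAPPING = {1: [(1, 199)], 2: [(200, 399)]}

if __name__ == "__main__":
    print("default mapping digest:", mst_config_digest(DEFAULT_MAPPING))
    print("lab mapping digest    :", mst_config_digest(LAB_MAPPING))
    # Step 2.10 in code: same name and mapping, different revision, different region.
    a = region_identity("my-mstp-config", 0, LAB_MAPPING)
    b = region_identity("my-mstp-config", 1, LAB_MAPPING)
    print("same region after revision change:", a == b)
```

The digest is carried in every MST BPDU, so an interoperable bridge must compute it exactly this way and the value for LAB_MAPPING can be compared directly with the digest printed in Step 2.8. Note that only the table matters: two configurations that spell the same membership with different range statements produce the same digest, while a single VLAN moved between MSTIs changes it, and with it the region.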
Step 2.9
Issue the top save /var/home/lab/ajex/mstp.conf command to save the current configuration on your EX Series switch to the /var/home/lab/ajex/ directory.

{master:0}[edit protocols]
lab@exD-1# top save /var/home/lab/ajex/mstp.conf
Wrote 166 lines of configuration to '/var/home/lab/ajex/mstp.conf'
Step 2.10
Change the revision level to test the effects of mismatched settings that are required to match on switches participating in the same MST region. If you are assigned exX-1, set your revision number to 1. If you are assigned exX-2, set your revision number to 2. Issue commit to activate the configuration change.

{master:0}[edit protocols]
lab@exD-1# set mstp revision-level n

{master:0}[edit protocols]
lab@exD-1# commit
configuration check succeeds
commit complete
Step 2.11
Issue the run show spanning-tree mstp configuration command to verify the change. Next issue the run show spanning-tree bridge command to verify the current state of the MSTP topology and root bridge election details.

{master:0}[edit protocols]
lab@exD-1# run show spanning-tree mstp configuration
MSTP information
Context identifier    : 0
Region name           : my-mstp-config
Revision              : 1
Configuration digest  : 0x91ee8012e6851d931adae71da4060690

MSTI   Member VLANs
  0    0, 400-4094
  1    1-199
  2    200-399

{master:0}[edit protocols]
lab@exD-1# run show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : MSTP
STP bridge parameters for CIST
  Root ID                           : 32768.00:26:88:e1:45:10
  Root cost                         : 20000
  Root port                         : ge-0/0/9.0
  CIST regional root                : 32768.50:c5:8d:ba:62:00
  CIST internal root cost           : 0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Hop count                         : 20
  Message age                       : 1
  Number of topology changes        : 17
  Time since last topology change   : 20 seconds
  Topology change initiator         : ge-0/0/9.0
  Topology change last recvd. from  : 00:26:88:e1:4f:8a
  Local parameters
    Bridge ID                       : 32768.50:c5:8d:ba:62:00
    Extended system ID              : 0
    Internal instance ID            : 0
STP bridge parameters for MSTI 1
  MSTI regional root                : 32769.50:c5:8d:ba:62:00
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Number of topology changes        : 17
  Topology change initiator         : ge-0/0/9.0
  Topology change last recvd. from  : 00:26:88:e1:4f:8a
  Local parameters
    Bridge ID                       : 32769.50:c5:8d:ba:62:00
    Extended system ID              : 0
    Internal instance ID            : 1
STP bridge parameters for MSTI 2
  MSTI regional root                : 32770.50:c5:8d:ba:62:00
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Number of topology changes        : 16
  Topology change initiator         : ge-0/0/9.0
  Topology change last recvd. from  : 00:26:88:e1:45:09
  Local parameters
    Bridge ID                       : 32770.50:c5:8d:ba:62:00
    Extended system ID              : 0
    Internal instance ID            : 2
Question: What impact did changing the revision
level have on the MSTP topology and root bridge
election for MSTI 1 and MSTI 2?
Answer: Because the required settings on the EX Series switches no longer match the other devices within the MST region, each EX Series switch is effectively running in isolation in a new MST region that is based on its new settings. This arrangement is verified by the newly elected root bridge in each MSTI. In the sample capture, we see that exX-1 is now the elected root bridge for MSTI 1 and MSTI 2. Note that exX-2 should show a similar output with itself elected root bridge for both MSTIs.
Part 3: Configuring and Monitoring VSTP

In this lab part, you configure and monitor VSTP. Once configured, you use various operational mode commands to verify VSTP operations. Note that SRX devices do not currently support VSTP. Because of this fact, you will need to alter the current topology to exclude the SRX devices for this lab part.
Step 3.1
Issue the set rstp and commit commands in an attempt to enable RSTP along with MSTP.

{master:0}[edit protocols]
lab@exD-1# set rstp

{master:0}[edit protocols]
lab@exD-1# commit
[edit protocols]
  'mstp'
    Another xSTP protocol is enabled
error: Another xSTP protocol is enabled
error: configuration check-out failed
Question: Did the commit operation succeed? If not, why not?
Answer: No, the commit operation should not
succeed because RSTP and MSTP cannot be
enabled at the same time. Note that RSTP can,
however, be enabled at the same time as VSTP.
Step 3.2
Delete MSTP and attempt the commit operation once again.

{master:0}[edit protocols]
lab@exD-1# delete mstp

{master:0}[edit protocols]
lab@exD-1# commit
configuration check succeeds
commit complete

Step 3.3
Delete the ge-0/0/9 and ge-0/0/10 interface references from under the [edit interfaces] and [edit vlans] hierarchy levels.

{master:0}[edit protocols]
lab@exD-1# top delete interfaces ge-0/0/9

{master:0}[edit protocols]
lab@exD-1# top delete interfaces ge-0/0/10

{master:0}[edit protocols]
lab@exD-1# top delete vlans cust-1 interface ge-0/0/9

{master:0}[edit protocols]
lab@exD-1# top delete vlans cust-1 interface ge-0/0/10

{master:0}[edit protocols]
lab@exD-1# top delete vlans v11 interface ge-0/0/9

{master:0}[edit protocols]
lab@exD-1# top delete vlans v11 interface ge-0/0/10

{master:0}[edit protocols]
lab@exD-1# top delete vlans v12 interface ge-0/0/9

{master:0}[edit protocols]
lab@exD-1# top delete vlans v12 interface ge-0/0/10

{master:0}[edit protocols]
lab@exD-1# top delete vlans v15 interface ge-0/0/9

{master:0}[edit protocols]
lab@exD-1# top delete vlans v15 interface ge-0/0/10
STP bridge parameters for VLAN 15
  Root ID                           : 8207.50:c5:8d:ba:62:00
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 0
  Number of topology changes        : 0
  Local parameters
    Bridge ID                       : 8207.50:c5:8d:ba:62:00
    Extended system ID              : 4
    Internal instance ID            : 0
Question: Based on the configuration, are the
correct root bridges currently elected? Can you
explain why?
Answer: No, your switch is currently elected as the root bridge for all VLANs. This election does not match the expectations based on the current configuration. This situation is because of a known limitation with VSTP and MVRP. MVRP does not currently support VSTP. Because of this lack of support, you will need to manually associate the ge-0/0/12.0 interface with the defined VLANs. You will perform that task next.
Step 3.6
Manually associate the ge-0/0/12.0 interface with all currently defined VLANs. Activate the configuration changes using the commit command.

{master:0}[edit protocols]
lab@exD-1# top edit vlans

{master:0}[edit vlans]
lab@exD-1# set v11 interface ge-0/0/12.0

{master:0}[edit vlans]
lab@exD-1# set v12 interface ge-0/0/12.0

{master:0}[edit vlans]
lab@exD-1# set v15 interface ge-0/0/12.0

{master:0}[edit vlans]
lab@exD-1# set cust-1 interface ge-0/0/12.0

{master:0}[edit vlans]
lab@exD-1# commit
configuration check succeeds
commit complete

{master:0}[edit vlans]
lab@exD-1#
Note: Before proceeding, ensure that the remote team in your pod finishes the previous step.

Step 3.7
Issue the run show spanning-tree bridge command once again to determine the current root bridge designations for each VLAN.

{master:0}[edit vlans]
lab@exD-1# run show spanning-tree bridge
...
STP bridge parameters for VLAN 200
  Root ID                           : 4296.50:c5:8d:ae:b7:80
  Root cost                         : 20000
  Root port                         : ge-0/0/12.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 1
  Number of topology changes        : 1
  Time since last topology change   : 5 seconds
  Topology change initiator         : ge-0/0/12.0
  Topology change last recvd. from  : 50:c5:8d:ae:b7:8c
  Local parameters
    Bridge ID                       : 8392.50:c5:8d:ba:62:00
    Extended system ID              : 1
    Internal instance ID            : 0

STP bridge parameters
Context ID                          : 2
Enabled protocol                    : RSTP
STP bridge parameters for VLAN 11
  Root ID                           : 4107.50:c5:8d:ba:62:00
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 0
  Number of topology changes        : 1
  Time since last topology change   : 7 seconds
  Topology change initiator         : ge-0/0/12.0
  Topology change last recvd. from  : 50:c5:8d:ae:b7:8c
  Local parameters
    Bridge ID                       : 4107.50:c5:8d:ba:62:00
    Extended system ID              : 2
    Internal instance ID            : 0

STP bridge parameters
Context ID                          : 3
Enabled protocol                    : RSTP
STP bridge parameters for VLAN 12
  Root ID                           : 4108.50:c5:8d:ba:62:00
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 0
  Number of topology changes        : 1
  Time since last topology change   : 7 seconds
  Topology change initiator         : ge-0/0/12.0
  Topology change last recvd. from  : 50:c5:8d:ae:b7:8c
  Local parameters
    Bridge ID                       : 4108.50:c5:8d:ba:62:00
    Extended system ID              : 3
    Internal instance ID            : 0

STP bridge parameters
Context ID                          : 4
Enabled protocol                    : RSTP
STP bridge parameters for VLAN 15
  Root ID                           : 4111.50:c5:8d:ae:b7:80
  Root cost                         : 20000
  Root port                         : ge-0/0/12.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 1
  Number of topology changes        : 1
  Time since last topology change   : 5 seconds
  Topology change initiator         : ge-0/0/12.0
  Topology change last recvd. from  : 50:c5:8d:ae:b7:8c
  Local parameters
    Bridge ID                       : 8207.50:c5:8d:ba:62:00
    Extended system ID              : 4
    Internal instance ID            : 0
Question: Are the correct root bridges now elected?
Answer: Yes, the expected root bridges should now be elected. Based on the current configuration, exX-1 should be root bridge for the v11 and v12 VLANs and exX-2 should be root bridge for the v15 and cust-1 VLANs. If your results do not match the expected results, check your configuration and work with the remote team and instructor as needed.
Step 3.8
Use the load override command to restore the mstp.conf configuration file saved in the /var/home/lab/ajex/ directory. Activate the changes and return to operational mode using the commit and-quit command.

{master:0}[edit vlans]
lab@exD-1# top

{master:0}[edit]
lab@exD-1# load override /var/home/lab/ajex/mstp.conf
load complete

{master:0}[edit]
lab@exD-1# commit and-quit
configuration check succeeds
commit complete
Exiting configuration mode

{master:0}
lab@exD-1>
STOP Tell your instructor that you have completed Lab 2.
Lab 3
Authentication and Access Control (Detailed)

Overview
In this lab, you will use the command-line interface (CLI) to configure and monitor various authentication and access control features supported on EX Series switches.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab you will perform the following tasks:
• Modify the existing configuration.
• Configure and monitor 802.1X.
• Configure and monitor other authentication and access features.
Part 1: Modifying the Existing Configuration

In this lab part, you modify the existing configuration. In preparation for Part 2, you must modify the Q-in-Q and filter-based VLAN configuration because those features cannot be enabled with 802.1X on the same interface at the same time.
Step 1.1
Enter configuration mode and navigate to the [edit vlans] hierarchy.

{master:0}
lab@exD-1> configure
Entering configuration mode

{master:0}[edit]
lab@exD-1# edit vlans

{master:0}[edit vlans]
lab@exD-1#
Step 1.2
Delete the dot1q-tunneling statement from the v11 and v12 VLANs.

{master:0}[edit vlans]
lab@exD-1# delete v11 dot1q-tunneling

{master:0}[edit vlans]
lab@exD-1# delete v12 dot1q-tunneling
Step 1.3
Delete the v15 VLAN and all configuration related to the filter-based VLAN assignment defined in Lab 1.

{master:0}[edit vlans]
lab@exD-1# delete v15

{master:0}[edit vlans]
lab@exD-1# top delete firewall

{master:0}[edit vlans]
lab@exD-1# top delete interfaces ge-0/0/7.0 family ethernet-switching filter
Step 1.4
Navigate to the [edit ethernet-switching-options] hierarchy and set the Ethernet-type for the switch to 0x8100. Activate the changes and return to operational mode using the commit and-quit command.
{master:0}[edit vlans]
lab@exD-1# top edit ethernet-switching-options

{master:0}[edit ethernet-switching-options]
lab@exD-1# set dot1q-tunneling ether-type 0x8100

{master:0}[edit ethernet-switching-options]
lab@exD-1# commit and-quit
configuration check succeeds
commit complete
Exiting configuration mode

{master:0}
lab@exD-1>
Step 1.5Return to the session opened for your assigned SRX device. If needed, open a new
session and log in using the credentials provided by your instructor.
Use the ping utility and attempt to verify access to and reachability through the
Layer 2 network. Use the virtual routers (VRs) associated with your assigned
SRX device as the source devices for these tests. Use the corresponding VR
connected to the remote team’s EX Series switch as the destination. Refer to the
network diagram for the instance names and the IP addresses assigned to the
various VRs. Do not forget to reference the correct routing instance.
lab@srxD-1> ping routing-instance vry1 172.23.11.10z rapid
PING 172.23.11.102 (172.23.11.102): 56 data bytes
.....
--- 172.23.11.102 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

lab@srxD-1> ping routing-instance vry2 172.23.12.10z rapid
PING 172.23.12.102 (172.23.12.102): 56 data bytes
.....
--- 172.23.12.102 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Note: Changing the Ethernet-type to 0x8100 allows trunk ports to support VLANs configured for Q-in-Q tunneling as well as standard 802.1Q VLANs at the same time. In production environments, ensure the Ethernet-type is set consistently on all devices within a given forwarding path.
Question: Did the ping operations succeed? Can
you explain why?
Answer: No, the ping operations should not
succeed. Because of the recent configuration
changes, the forwarding path now consists of
devices configured with different Ethernet-types.
You will remedy this problem in subsequent steps.
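The failure above comes down to how a receiving port reads the first two octets after the source MAC: a tag is only a tag if its TPID is one the port is configured to accept. The following Python block is an added example, not part of the lab guide and not Junos code, that builds a double-tagged frame and walks its tag stack the way a switch would with a given set of accepted TPIDs, then checks a whole forwarding path of such devices. The frames, MAC addresses, payload and the per-hop TPID sets are constructed for the example, and the function names are its own; it models only TPID recognition, not everything a real switch does with a frame whose outer tag it does not recognize.

```python
import struct

TPID_8100 = 0x8100  # standard 802.1Q tag
TPID_88A8 = 0x88A8  # 802.1ad service tag, a common outer TPID for Q-in-Q
ETHERTYPE_IPV4 = 0x0800

# Constructed sample values.
DST_MAC = "00:26:88:02:6b:87"
SRC_MAC = "00:26:88:02:74:87"
PAYLOAD = b"\x45\x00\x00\x1c" + b"\x00" * 24  # stand-in for an IPv4 header


def build_frame(dst, src, tags, ethertype, payload):
    """tags: list of (tpid, vlan_id), outermost first; PCP and DEI are left at 0."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame, accepted_tpids):
    """Return (vlan_ids outermost first, ethertype of what follows the tags).

    A receiving port only peels a tag whose TPID it accepts; anything else is
    treated as the frame's ethertype, so an outer 0x88A8 tag is invisible to a
    port that accepts only 0x8100 and the customer VLAN is never recovered.
    """
    offset = 12
    vids = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in accepted_tpids:
            return vids, ethertype
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)
        offset += 4


def outer_vlan_seen(frame, accepted_tpids):
    """The VLAN the device would forward on, or None if it sees no tag."""
    vids, _ = parse_tags(frame, accepted_tpids)
    return vids[0] if vids else None


def path_consistent(frame, hops):
    """hops: one set of accepted TPIDs per device along the forwarding path.

    The customer VLAN survives end to end only when every hop recognizes the
    outer tag, which is the point of the note about consistent Ethernet-types.
    """
    return all(outer_vlan_seen(frame, hop) is not None for hop in hops)


# Two encodings of the same customer frame: S-VLAN 200 outside, C-VLAN 11 inside.
QINQ_88A8 = build_frame(DST_MAC, SRC_MAC, [(TPID_88A8, 200), (TPID_8100, 11)], ETHERTYPE_IPV4, PAYLOAD)
QINQ_8100 = build_frame(DST_MAC, SRC_MAC, [(TPID_8100, 200), (TPID_8100, 11)], ETHERTYPE_IPV4, PAYLOAD)

if __name__ == "__main__":
    print("0x88A8 outer tag, port accepts 0x8100 only :", parse_tags(QINQ_88A8, {TPID_8100}))
    print("0x88A8 outer tag, port accepts both        :", parse_tags(QINQ_88A8, {TPID_8100, TPID_88A8}))
    print("0x8100 outer tag, port accepts 0x8100 only :", parse_tags(QINQ_8100, {TPID_8100}))
    mixed_path = [{TPID_88A8, TPID_8100}, {TPID_8100}]  # one device still on 0x88A8
    print("mixed path carries the customer VLAN       :", path_consistent(QINQ_88A8, mixed_path))
```

The first print shows the mismatch case from this step: the frame is returned with no VLAN IDs and an ethertype of 0x88A8, so the receiving device has no VLAN to forward it in. Setting every device in the path to the same Ethernet-type, as Steps 1.4 and 1.8 do, is what makes the last check come back True.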
Step 1.6
On your assigned SRX device, enter configuration mode, navigate to the [edit vlans] hierarchy, and delete the v15 VLAN.

lab@srxD-1> configure
Entering configuration mode

[edit]
lab@srxD-1# edit vlans

[edit vlans]
lab@srxD-1# delete v15

[edit vlans]
lab@srxD-1#
Step 1.7
Delete the dot1q-tunneling statement from the v11 and v12 VLANs.

[edit vlans]
lab@srxD-1# delete v11 dot1q-tunneling

[edit vlans]
lab@srxD-1# delete v12 dot1q-tunneling
Step 1.8
Navigate to the [edit ethernet-switching-options] hierarchy and set the Ethernet-type for the switch to 0x8100. Activate the changes and return to operational mode using the commit and-quit command.

[edit vlans]
lab@srxD-1# top edit ethernet-switching-options

[edit ethernet-switching-options]
lab@srxD-1# set dot1q-tunneling ether-type 0x8100

[edit ethernet-switching-options]
lab@srxD-1# commit and-quit
commit complete
Exiting configuration mode

lab@srxD-1>
Step 1.9
Use the ping utility and attempt to verify access to and reachability through the
Layer 2 network. Use the VRs associated with your assigned SRX device as the
source devices for these tests. Use the corresponding VR connected to the remote
team’s EX Series switch as the destination. Refer to the network diagram for the
instance names and the IP addresses assigned to the various VRs. Do not forget to
reference the correct routing instance.
lab@srxD-1> ping routing-instance vry1 172.23.11.10z rapid
PING 172.23.11.102 (172.23.11.102): 56 data bytes
!!!!!
--- 172.23.11.102 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.990/6.243/24.806/9.328 ms

lab@srxD-1> ping routing-instance vry2 172.23.12.10z rapid
PING 172.23.12.102 (172.23.12.102): 56 data bytes
!!!!!
--- 172.23.12.102 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.963/7.145/26.195/9.765 ms

lab@srxD-1>
Question: Do the ping operations succeed?
Answer: Yes, the ping operations should now
succeed. If the ping operations do not succeed,
check your configuration and work with the remote
team and your instructor as needed.
Part 2: Configuring 802.1X
In this lab part, you configure 802.1X and the static MAC bypass option. Once
configured, you use relevant operational mode commands to monitor operations.
Refer to the network diagram for this lab for topological and configuration details.
Step 2.1
Return to the session opened for your assigned EX Series switch.
Display the Ethernet switching table to determine what MAC addresses have been learned for the v11 and v12 VLANs.

{master:0}
lab@exD-1> show ethernet-switching table vlan v11
Ethernet-switching table: 2 unicast entries
  VLAN   MAC address        Type   Age   Interfaces
  v11    *                  Flood  -     All-members
  v11    00:26:88:02:6b:87  Learn  57    ge-0/0/9.0
  v11    00:26:88:02:74:87  Learn  59    ge-0/0/7.0

{master:0}
lab@exD-1> show ethernet-switching table vlan v12
Ethernet-switching table: 2 unicast entries
  VLAN   MAC address        Type   Age   Interfaces
  v12    *                  Flood  -     All-members
  v12    00:26:88:02:6b:88  Learn  31    ge-0/0/9.0
  v12    00:26:88:02:74:88  Learn  1:02  ge-0/0/8.0
Question: Do the MAC addresses learned for the
v11 and v12 VLANs match the MAC addresses
shown on the network diagram for this lab?
Answer: Yes, the MAC addresses listed for the
referenced VLANs should match those shown on
the network diagram for this lab. If you do not see
any learned MAC addresses for the v11 and v12
VLANs, you might need to run through the ping tests
in Part 1 once again.
Step 2.2
Enter configuration mode and navigate to the [edit access] hierarchy level. Define a RADIUS server using the IP address of the server located in the management network and a secret of Juniper. Refer to the Management Network Diagram or consult with your instructor as needed.

{master:0}
lab@exD-1> configure
Entering configuration mode

{master:0}[edit]
lab@exD-1# edit access

{master:0}[edit access]
lab@exD-1# set radius-server 10.210.n.n secret Juniper

{master:0}[edit access]
lab@exD-1#
Step 2.3
Create an authentication profile named my-profile. Define an authentication order of RADIUS only and use the IP address of the RADIUS server defined in the previous step as the authentication server.

{master:0}[edit access]
lab@exD-1# set profile my-profile authentication-order radius

{master:0}[edit access]
lab@exD-1# set profile my-profile radius authentication-server 10.210.n.n
Step 2.4
Navigate to the [edit protocols dot1x] hierarchy and configure your switch as an 802.1X authenticator. Use the authentication profile defined in the previous step and enable 802.1X authentication for the ge-0/0/7.0 and ge-0/0/8.0 interfaces. Activate the configuration changes using the commit command.

{master:0}[edit access]
lab@exD-1# top edit protocols dot1x

{master:0}[edit protocols dot1x]
lab@exD-1# set authenticator authentication-profile-name my-profile

{master:0}[edit protocols dot1x]
lab@exD-1# set authenticator interface ge-0/0/7.0

{master:0}[edit protocols dot1x]
lab@exD-1# set authenticator interface ge-0/0/8.0

{master:0}[edit protocols dot1x]
lab@exD-1# commit
configuration check succeeds
commit complete

{master:0}[edit protocols dot1x]
lab@exD-1#

Step 2.5
Issue the run show dot1x interface detail command and answer the questions that follow.

{master:0}[edit protocols dot1x]
lab@exD-1# run show dot1x interface detail
ge-0/0/7.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member:
ge-0/0/8.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member:
Question: What is the current supplicant mode
enabled for the listed interfaces?
Answer: The current supplicant mode enabled for
the ge-0/0/7.0 and ge-0/0/8.0 interfaces is the
Single supplicant mode, which is the default mode.
Question: If an 802.1X client authenticated through
the ge-0/0/7.0 or ge-0/0/8.0 interfaces, would that
client be forced to reauthenticate after a period of time? If so, after what period of time?
Answer: Based on the current configuration, an
authenticated client would need to reauthenticate
after 3600 seconds (1 hour).
Step 2.6
Set the supplicant mode for the ge-0/0/7.0 and ge-0/0/8.0 interfaces to the single-secure supplicant mode. Disable reauthentication on the ge-0/0/7.0 interface and double the reauthentication interval on the ge-0/0/8.0 interface to 7200 seconds (2 hours).

{master:0}[edit protocols dot1x]
lab@exD-1# set authenticator interface ge-0/0/7.0 supplicant single-secure

{master:0}[edit protocols dot1x]
lab@exD-1# set authenticator interface ge-0/0/8.0 supplicant single-secure

{master:0}[edit protocols dot1x]
lab@exD-1# set authenticator interface ge-0/0/7.0 no-reauthentication

{master:0}[edit protocols dot1x]
lab@exD-1# set authenticator interface ge-0/0/8.0 reauthentication 7200

{master:0}[edit protocols dot1x]
lab@exD-1# show
authenticator {
    authentication-profile-name my-profile;
    interface {
        ge-0/0/7.0 {
            supplicant single-secure;
            no-reauthentication;
        }
        ge-0/0/8.0 {
            supplicant single-secure;
            reauthentication 7200;
        }
    }
}
Step 2.7
Activate the configuration changes using the commit command. Next, issue the run show dot1x interface detail command and answer the questions that follow.

{master:0}[edit protocols dot1x]
lab@exD-1# commit
configuration check succeeds
commit complete

{master:0}[edit protocols dot1x]
lab@exD-1# run show dot1x interface detail
ge-0/0/7.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single-Secure
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Disabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member:
  Number of connected supplicants: 0
ge-0/0/8.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single-Secure
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 7200 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member:
  Number of connected supplicants: 0
Question: Have the recent changes taken effect?
Answer: Yes, as shown in the sample output, the recent changes are now in effect. You can see that both the ge-0/0/7.0 and ge-0/0/8.0 interfaces are now enabled for the Single-Secure supplicant mode, the ge-0/0/7.0 interface now has reauthentication disabled, and the ge-0/0/8.0 interface still has reauthentication enabled, but the interval is now 7200 seconds (2 hours) rather than the previous interval of 3600 seconds (1 hour).
Step 2.8
Return to the session opened for your assigned SRX device.
Use the ping utility and attempt to verify access to and reachability through the
Layer 2 network. Use the VRs associated with your assigned SRX device as the
source devices for these tests. Use the corresponding VR connected to the remote
team’s EX Series switch as the destination. Refer to the network diagram for the
instance names and the IP addresses assigned to the various VRs. Do not forget to
reference the correct routing instance.
lab@srxD-1> ping routing-instance vry1 172.23.11.10z rapid
PING 172.23.11.102 (172.23.11.102): 56 data bytes
.....
--- 172.23.11.102 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

lab@srxD-1> ping routing-instance vry2 172.23.12.10z rapid
PING 172.23.12.102 (172.23.12.102): 56 data bytes
.....
--- 172.23.12.102 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Question: Can the VRs access the Layer 2 network
through your assigned EX Series switch?
Answer: No, the VRs should not be able to access
the Layer 2 network because of the lack of support
for 802.1X.
Step 2.9
Return to the session opened for your assigned EX Series switch.
Configure the static MAC bypass option to always permit the MAC addresses shown
on the network diagram. Associate the illustrated MAC addresses with their
corresponding access ports. Refer to the network diagram for this lab as needed.
Activate the changes using the commit command.
{master:0}[edit protocols dot1x]
lab@exD-1# set authenticator static 00:26:88:02:nn:87 interface ge-0/0/7.0

{master:0}[edit protocols dot1x]
lab@exD-1# set authenticator static 00:26:88:02:nn:88 interface ge-0/0/8.0

{master:0}[edit protocols dot1x]
lab@exD-1# commit
[edit protocols dot1x authenticator static 00:26:88:02:74:87/48 interface]
  'interface ge-0/0/7.0'
    Static MAC cannot be configured on interface in single or single-secure mode
[edit protocols dot1x authenticator static 00:26:88:02:74:88/48 interface]
  'interface ge-0/0/8.0'
    Static MAC cannot be configured on interface in single or single-secure mode
error: commit failed: (statements constraint check failed)
Question: Did the commit operation succeed? If
not, why not?
Answer: No, the commit operation should not
succeed because of an incompatible setting in the
configuration file. As indicated in the commit error
message, you must use the multiple supplicant
mode on interfaces that are bound to a static MAC
bypass statement.
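The commit constraint explained in this answer, together with the show dot1x interface detail output examined in Step 2.7, as an added example that is not part of the lab guide: a Python audit helper that parses that output format and reports static MAC bypass entries bound to interfaces in single or single-secure mode, plus interfaces whose reauthentication is disabled. The sample output is constructed to match the guide's format; the static MAC entries use the lab's own addresses and interfaces.

```python
# Added example, not from the lab guide: parse "show dot1x interface detail"
# output in the format shown in this lab and check two things a reviewer
# would look for: static MAC bypass entries on interfaces that are not in
# the multiple supplicant mode (the commit error above), and interfaces on
# which reauthentication is disabled. SAMPLE_OUTPUT is constructed.
import re

SAMPLE_OUTPUT = """\
ge-0/0/7.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single-Secure
  Reauthentication: Disabled
  Configured Reauthentication interval: 3600 seconds
ge-0/0/8.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single-Secure
  Reauthentication: Enabled
  Configured Reauthentication interval: 7200 seconds
"""

# Static MAC bypass entries as entered in Step 2.9 (the lab's values).
STATIC_MAC = {"00:26:88:02:74:87": "ge-0/0/7.0",
              "00:26:88:02:74:88": "ge-0/0/8.0"}


def parse_dot1x_detail(text):
    """Return {interface: {field: value}} from the interface detail output."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if re.match(r"^\S", line):          # interface names are unindented
            current = line.strip()
            interfaces[current] = {}
        elif current and ":" in line:
            key, _, value = line.strip().partition(":")
            interfaces[current][key.strip()] = value.strip()
    return interfaces


def check_static_bypass(interfaces, static_mac):
    """Mirror the Junos constraint: static MAC bypass needs supplicant mode 'multiple'."""
    problems = []
    for mac, ifname in static_mac.items():
        mode = interfaces.get(ifname, {}).get("Supplicant mode", "")
        if mode.lower() in ("single", "single-secure"):
            problems.append(f"{ifname}: static MAC {mac} not allowed in {mode} mode")
    return problems


def check_reauthentication(interfaces):
    """List interfaces whose authorised sessions are never re-validated."""
    return [name for name, fields in interfaces.items()
            if fields.get("Reauthentication", "").lower() == "disabled"]
```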
Step 2.10
Change the supplicant mode on the ge-0/0/7.0 and ge-0/0/8.0 interfaces to the multiple supplicant mode. Issue the commit command to activate the changes.

{master:0}[edit protocols dot1x]
lab@exD-1# set authenticator interface ge-0/0/7.0 supplicant multiple

{master:0}[edit protocols dot1x]
lab@exD-1# set authenticator interface ge-0/0/8.0 supplicant multiple

{master:0}[edit protocols dot1x]
lab@exD-1# commit
configuration check succeeds
commit complete
Note: Before proceeding, ensure that the remote team in your pod finishes the previous step.
Step 2.11
Return to the session opened for your assigned SRX device.
Use the ping utility and attempt to verify access to and reachability through the
Layer 2 network. Use the VRs associated with your assigned SRX device as the
source devices for these tests. Use the corresponding VR connected to the remote
team’s EX Series switch as the destination. Refer to the network diagram for the
instance names and the IP addresses assigned to the various VRs. Do not forget to
reference the correct routing instance.
lab@srxD-1> ping routing-instance vry1 172.23.11.10z rapid
PING 172.23.11.102 (172.23.11.102): 56 data bytes
!!!!!
--- 172.23.11.102 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.200/32.826/159.058/63.116 ms

lab@srxD-1> ping routing-instance vry2 172.23.12.10z rapid
PING 172.23.12.102 (172.23.12.102): 56 data bytes
!!!!!
--- 172.23.12.102 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.176/31.789/153.650/60.930 ms
Question: Can the VRs access the Layer 2 network
through your assigned EX Series switch?
Answer: Yes, now that the static MAC bypass
configuration has been added, the VRs should be
able to access the Layer 2 network. If your tests do
not succeed, check your configuration and work with the remote team and instructor as needed.
Part 3: Configuring and Monitoring Other Access and Authentication Features
In this lab part, you configure the MAC RADIUS, guest VLAN, and server fail fallback
features. Once configured, you use various operational mode commands to verify
proper operations.
Step 3.1
Return to the session opened for your assigned EX Series switch.
Issue the run show dot1x static-mac-address command to view the MAC
addresses currently permitted through static MAC bypass. Delete all static MAC
bypass entries and activate the changes using the commit command.
{master:0}[edit protocols dot1x]
lab@exD-1# run show dot1x static-mac-address
MAC address/prefix      VLAN-Assignment   Interface
00:26:88:02:74:87/48                      ge-0/0/7.0
00:26:88:02:74:88/48                      ge-0/0/8.0