AJEX_10.b-R_LGD


8/15/2019 AJEX_10.b-R_LGD

1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
408-745-2000
www.juniper.net

Worldwide Education Services

Advanced Junos Enterprise Switching
10.b
Detailed Lab Guide
Course Number: EDU-JUN-AJEX


Contents

Lab 1: Advanced Ethernet Switching (Detailed) ..... 1-1
    Part 1: Logging In Using the CLI ..... 1-2
    Part 2: Configuring and Monitoring Filter-Based VLAN Assignments ..... 1-3
    Part 3: Configuring and Monitoring a PVLAN ..... 1-8
    Part 4: Configuring and Monitoring MVRP ..... 1-13
    Part 5: Configuring and Monitoring Q-in-Q Tunneling ..... 1-16

Lab 2: Implementing MSTP and VSTP (Detailed) ..... 2-1
    Part 1: Modifying the Existing Configuration ..... 2-2
    Part 2: Configuring and Monitoring MSTP ..... 2-4
    Part 3: Configuring and Monitoring VSTP ..... 2-12

Lab 3: Authentication and Access Control (Detailed) ..... 3-1
    Part 1: Modifying the Existing Configuration ..... 3-2
    Part 2: Configuring 802.1X ..... 3-5
    Part 3: Configuring and Monitoring Other Access and Authentication Features ..... 3-12

Lab 4: Deploying IP Telephony Features (Detailed) ..... 4-1
    Part 1: Modifying the Existing Configurations ..... 4-2
    Part 2: Configuring and Monitoring PoE ..... 4-3
    Part 3: Configuring and Monitoring LLDP and LLDP-MED ..... 4-7
    Part 4: Configuring and Monitoring the Voice VLAN Feature ..... 4-13

Lab 5: Class of Service (Detailed) ..... 5-1
    Part 1: Exploring the Default CoS Configuration ..... 5-2
    Part 2: Configuring and Monitoring CoS Components ..... 5-8
    Part 3: Implementing CoS Using the EZQoS Template ..... 5-20

Lab 6: Monitoring and Troubleshooting Layer 2 Networks (Detailed) ..... 6-1
    Part 1: Modifying the Existing Configurations ..... 6-2
    Part 2: Determining Success ..... 6-3
    Part 3: Verifying Hardware Components and System Processes ..... 6-4
    Part 4: Verifying Ethernet Switching, MSTP, and Aggregate Ethernet Interfaces ..... 6-10
    Part 5: Configuring Port Mirroring and sFlow ..... 6-31

Appendix A: Lab Diagrams ..... A-1


Course Overview

This two-day course provides detailed coverage of virtual LAN (VLAN) operations, Multiple Spanning Tree Protocol (MSTP) and VLAN Spanning Tree Protocol (VSTP), authentication and access control for Layer 2 networks, IP telephony features, class of service (CoS), and monitoring and troubleshooting tools and features supported on the EX Series Ethernet Switches. Through demonstrations and hands-on labs, students will gain experience in configuring and monitoring the Junos operating system and in monitoring device and protocol operations.

Objectives

After successfully completing this course, you should be able to:

• Implement filter-based VLAN assignments.
• Restrict traffic flow within a VLAN.
• Manage dynamic VLAN registration.
• Tunnel Layer 2 traffic through Ethernet networks.
• Review the purpose and operations of a spanning tree.
• Implement multiple spanning tree instances in a network.
• Implement one or more spanning tree instances for a VLAN.
• List the benefits of implementing end-user authentication.
• Explain the operations of various access control features.
• Configure and monitor various access control features.
• Describe processing considerations when multiple authentication and access control features are enabled.
• Describe some common IP telephony deployment scenarios.
• Describe features that facilitate IP telephony deployments.
• Configure and monitor features used in IP telephony deployments.
• Explain the purpose and basic operations of class of service.
• Describe class of service features used in Layer 2 networks.
• Configure and monitor class of service in a Layer 2 network.
• Describe a basic troubleshooting method.
• List common issues that disrupt network operations.
• Identify tools used in network troubleshooting.
• Use available tools to resolve network issues.

Intended Audience

This course benefits individuals responsible for configuring and monitoring EX Series switches.

Course Level

Advanced Junos Enterprise Switching is an advanced-level course.

Prerequisites

Students should have an intermediate level of networking knowledge and an understanding of the Open Systems Interconnection (OSI) reference model and the TCP/IP protocol suite. Students should also attend the Introduction to the Junos Operating System (IJOS), the Junos Routing Essentials (JRE), and the Junos Enterprise Switching (JEX) courses prior to attending this class.


Course Agenda

Day 1
Chapter 1: Course Introduction
Chapter 2: Advanced Ethernet Switching
Lab 1: Advanced Ethernet Switching (Detailed)
Chapter 3: Advanced Spanning Tree
Lab 2: Implementing MSTP and VSTP (Detailed)
Chapter 4: Authentication and Access Control
Lab 3: Authentication and Access Control (Detailed)

Day 2
Chapter 5: Deploying IP Telephony Features
Lab 4: Deploying IP Telephony Features (Detailed)
Chapter 6: Class of Service
Lab 5: Class of Service (Detailed)
Chapter 7: Monitoring and Troubleshooting
Lab 6: Monitoring and Troubleshooting Layer 2 Networks (Detailed)


Document Conventions

CLI and GUI Text

Frequently throughout this course, we refer to text that appears in a command-line interface (CLI) or a graphical user interface (GUI). To make the language of these documents easier to read, we distinguish GUI and CLI text from chapter text according to the following table.

Style: Franklin Gothic
  Description: Normal text.
  Usage Example: Most of what you read in the Lab Guide and Student Guide.

Style: Courier New
  Description: Console text (screen captures, noncommand-related syntax) and GUI text elements (menu names, text field entry).
  Usage Example:
    commit complete
    Exiting configuration mode
    Select File > Open, and then click Configuration.conf in the Filename text box.

Input Text Versus Output Text

You will also frequently see cases where you must enter input text yourself. Often these instances will be shown in the context of where you must enter them. We use bold style to distinguish text that is input versus text that is simply displayed.

Style: Normal CLI / Normal GUI
  Description: No distinguishing variant.
  Usage Example:
    Physical interface: fxp0, Enabled
    View configuration history by clicking Configuration > History.

Style: CLI Input / GUI Input
  Description: Text that you must enter.
  Usage Example:
    lab@San_Jose> show route
    Select File > Save, and type config.ini in the Filename field.

Defined and Undefined Syntax Variables

Finally, this course distinguishes between regular text and syntax variables, and it also distinguishes between syntax variables where the value is already assigned (defined variables) and syntax variables where you must assign the value (undefined variables). Note that these styles can be combined with the input style as well.

Style: CLI Variable / GUI Variable
  Description: Text where the variable value is already assigned.
  Usage Example:
    policy my-peers
    Click my-peers in the dialog.

Style: CLI Undefined / GUI Undefined
  Description: Text where the variable's value is at the user's discretion, or text where the variable's value as shown in the lab guide might differ from the value the user must input according to the lab topology.
  Usage Example:
    Type set policy policy-name.
    ping 10.0.x.y
    Select File > Save, and type filename in the Filename field.


Additional Information

Education Services Offerings

You can obtain information on the latest Education Services offerings, course dates, and class locations from the World Wide Web by pointing your Web browser to: http://www.juniper.net/training/education/.

About This Publication

The Advanced Junos Enterprise Switching Detailed Lab Guide was developed and tested using software Release 10.4R3.4. Previous and later versions of software might behave differently, so you should always consult the documentation and release notes for the version of code you are running before reporting errors.

This document is written and maintained by the Juniper Networks Education Services development team. Please send questions and suggestions for improvement to [email protected].

Technical Publications

You can print technical manuals and release notes directly from the Internet in a variety of formats:

• Go to http://www.juniper.net/techpubs/.
• Locate the specific software or hardware release and title you need, and choose the format in which you want to view or print the document.

Documentation sets and CDs are available through your local Juniper Networks sales office or account representative.

Juniper Networks Support

For technical support, contact Juniper Networks at http://www.juniper.net/customers/support/, or at 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States).


Lab 1
Advanced Ethernet Switching (Detailed)

Overview

In this lab, you familiarize yourself with the starting configuration and the lab environment. You will also use the command-line interface (CLI) to configure and monitor various Ethernet switching features covered in the corresponding lecture.

The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab you will perform the following tasks:

• Familiarize yourself with the lab environment.
• Configure and monitor filter-based VLAN assignments.
• Configure and monitor a private VLAN (PVLAN).
• Configure and monitor the Multiple VLAN Registration Protocol (MVRP).
• Configure and monitor Q-in-Q tunneling.


Part 1: Logging In Using the CLI

In this lab part, you familiarize yourself with the access details used to connect to the lab equipment. Once you are familiar with the access details, you will use the CLI to log in to your team's designated switch and become familiar with this lab's environment.

Step 1.1
Ensure that you know to which switch you have been assigned. Check with your instructor if you are not certain. Consult the Management Network Diagram to determine your switch's management address.

Question: What is the management address assigned to your switch?

Answer: Your answer will depend on your assigned device and the rack of equipment you are using.

Step 1.2
Access the CLI for your switch using either the console, Telnet, or SSH as directed by your instructor. Refer to the Management Network Diagram for the IP address associated with your team's station. The following example uses Telnet and the SecureCRT program:

Note: The lab equipment used in this class is likely to be remote from your physical location. The instructor will provide access details to get you logged in to your assigned device.


Step 1.3
Log in as user lab with the password supplied by your instructor.

    exD-1 (ttyu0)

    login: lab
    Password:

    --- JUNOS 10.4R3.4 built 2011-03-19 22:06:32 UTC
    {master:0}
    lab@exD-1>

Part 2: Configuring and Monitoring Filter-Based VLAN Assignments

In this lab part, you configure and monitor filter-based VLAN assignments. You will first verify the state of the starting configuration. You will then configure and apply a firewall filter used for a filter-based VLAN assignment. You will then associate the interfaces.

Step 2.1
Use the show interfaces terse command to ensure ge-0/0/7.0, ge-0/0/8.0, and ge-0/0/12.0 are all enabled for Layer 2 operations and are up, both physically and administratively.

    {master:0}
    lab@exD-1> show interfaces terse | match "Interfaces|0/0/(7|8|12)"
    Interface               Admin Link Proto        Local        Remote
    ge-0/0/7                up    up
    ge-0/0/7.0              up    up   eth-switch
    ge-0/0/8                up    up
    ge-0/0/8.0              up    up   eth-switch
    ge-0/0/12               up    up
    ge-0/0/12.0             up    up   eth-switch

Question: Are the referenced interfaces enabled for Layer 2 operations and up, physically and administratively?

Answer: The answer should be yes. You should see up listed under the Admin and Link columns and eth-switch under the Proto column. If your output does not match the sample output, please work with your instructor to ensure the correct starting configuration has been loaded.


Step 2.2
Use the show vlans command to ensure ge-0/0/7.0 and ge-0/0/8.0 are associated with the v11 and v12 VLANs respectively. Use the same command to ensure ge-0/0/12.0 is associated with both v11 and v12.

    {master:0}
    lab@exD-1> show vlans
    Name           Tag     Interfaces
    default        None
    v11            11
                           ge-0/0/7.0*, ge-0/0/12.0*
    v12            12
                           ge-0/0/8.0*, ge-0/0/12.0*

Question: Are the referenced interfaces associated with the correct VLANs?

Answer: The answer should be yes. You should see ge-0/0/7.0 and ge-0/0/12.0 associated with VLAN v11 and ge-0/0/8.0 and ge-0/0/12.0 associated with VLAN v12. If you see something different, please work with your instructor as needed.

Question: What operational mode command can you issue to determine the port modes currently assigned to the referenced interfaces?

Answer: Multiple commands are available to view port mode assignments. The following output illustrates two such commands and shows that ge-0/0/7.0 and ge-0/0/8.0 are access ports (or untagged ports), whereas ge-0/0/12.0 is a trunk port (or a tagged port):

    {master:0}
    lab@exD-1> show vlans detail
    VLAN: default, 802.1Q Tag: Untagged, Admin State: Enabled

    VLAN: v11, 802.1Q Tag: 11, Admin State: Enabled
    Number of interfaces: 2 (Active = 2)
      Untagged interfaces: ge-0/0/7.0*
      Tagged interfaces: ge-0/0/12.0*

    VLAN: v12, 802.1Q Tag: 12, Admin State: Enabled
    Number of interfaces: 2 (Active = 2)
      Untagged interfaces: ge-0/0/8.0*
      Tagged interfaces: ge-0/0/12.0*

    {master:0}
    lab@exD-1> show ethernet-switching interfaces
    Interface    State  VLAN members    Tag   Tagging   Blocking
    ge-0/0/7.0   up     v11             11    untagged  unblocked
    ge-0/0/8.0   up     v12             12    untagged  unblocked
    ge-0/0/12.0  up     v11             11    tagged    unblocked
                        v12             12    tagged    unblocked

Step 2.3
Enter configuration mode and navigate to the [edit firewall family ethernet-switching] hierarchy. Create a firewall filter named fbva that matches any source IP address in the 172.23.15.0/24 subnet and associates the related traffic with VLAN v15. Ensure that all other traffic is permitted.

    {master:0}
    lab@exD-1> configure
    Entering configuration mode

    {master:0}[edit]
    lab@exD-1# edit firewall family ethernet-switching

    {master:0}[edit firewall family ethernet-switching]
    lab@exD-1# set filter fbva term match-net from source-address 172.23.15.0/24

    {master:0}[edit firewall family ethernet-switching]
    lab@exD-1# set filter fbva term match-net then vlan v15

    {master:0}[edit firewall family ethernet-switching]
    lab@exD-1# set filter fbva term else-accept then accept

    {master:0}[edit firewall family ethernet-switching]
    lab@exD-1# show
    filter fbva {
        term match-net {
            from {
                source-address {
                    172.23.15.0/24;
                }
            }
            ##
            ## Warning: Named or Non-range vlan must be set
            ##
            then vlan v15;
        }
        term else-accept {
            then accept;
        }
    }

    {master:0}[edit firewall family ethernet-switching]
    lab@exD-1#


    {master:0}[edit vlans]
    lab@exD-1# run show vlans v15 detail
    VLAN: v15, 802.1Q Tag: 15, Admin State: Enabled
    Number of interfaces: 2 (Active = 2)
      Tagged interfaces: ge-0/0/12.0*
      Mapping policy interfaces: ge-0/0/7.0*

Question: Are the expected interfaces now associated with VLAN v15?

Answer: Yes, as shown in the sample output, the ge-0/0/7.0 and ge-0/0/12.0 interfaces should both now be associated with VLAN v15. The ge-0/0/12.0 interface is a trunk port serving VLAN v15 and the ge-0/0/7.0 interface is an access port for all traffic that matches the applied mapping policy (firewall filter).

Question: Based on the current configuration, with which VLAN would traffic entering ge-0/0/7.0 with an IP source address of 172.23.16.100 be associated?

Answer: Based on the current configuration, all traffic, except traffic from the 172.23.15.0/24 subnet, should be associated with VLAN v11. Traffic sourced from the 172.23.15.0/24 subnet should be associated with VLAN v15.

Step 2.7
Issue the top save /var/home/lab/ajex/lab1part2.conf command to save the entire configuration. Note that you will need to reload this configuration at a later time, so ensure the entire configuration is saved.

    {master:0}[edit vlans]
    lab@exD-1# top save /var/home/lab/ajex/lab1part2.conf
    Wrote 120 lines of configuration to '/var/home/lab/ajex/lab1part2.conf'

STOP: Before proceeding, ensure that the remote team is done with Part 2.
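The following Python model of the filter-based VLAN assignment from this part is an added illustration, not code from the lab guide or from Junos. It parses the three set commands typed in Step 2.3 into ordered terms, evaluates them first-match as a Junos firewall filter does, and models the implicit discard that ends every Junos filter, which is why the lab insists that the else-accept term be present; the Term, Filter, AccessPort, parse_set_commands and classify names are the example's own.

```python
"""Model of a Junos 'family ethernet-switching' firewall filter used for a
filter-based VLAN assignment, built from the set commands of Part 2.
Added illustration, not Junos code; all names here are the example's own."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Term:
    name: str
    source_prefixes: List[IPv4Network] = field(default_factory=list)  # empty: matches everything
    vlan: Optional[str] = None   # 'then vlan <name>': an action modifier, the packet is accepted
    accept: bool = False         # 'then accept'

    def matches(self, src: IPv4Address) -> bool:
        return not self.source_prefixes or any(src in p for p in self.source_prefixes)


@dataclass
class Filter:
    name: str
    terms: List[Term]            # in configuration order


@dataclass
class AccessPort:
    name: str
    native_vlan: str             # the VLAN under 'vlan members' on the interface
    ingress_filter: Optional[Filter] = None


def parse_set_commands(lines: List[str]) -> Filter:
    """Build a Filter from 'set filter ...' lines as typed at
    [edit firewall family ethernet-switching]; only the syntax the lab uses."""
    terms: "dict[str, Term]" = {}        # dict keeps insertion order = term order
    name = None
    for line in lines:
        tok = line.split()
        if len(tok) < 7 or tok[:2] != ["set", "filter"] or tok[3] != "term":
            raise ValueError(f"unsupported statement: {line}")
        name = name or tok[2]
        term = terms.setdefault(tok[4], Term(tok[4]))
        action = tok[5:]
        if action[:2] == ["from", "source-address"]:
            term.source_prefixes.append(ip_network(action[2]))
        elif action[:2] == ["then", "vlan"]:
            term.vlan = action[2]
        elif action == ["then", "accept"]:
            term.accept = True
        else:
            raise ValueError(f"unsupported statement: {line}")
    return Filter(name, list(terms.values()))


def classify(port: AccessPort, src_ip: str) -> Tuple[str, Optional[str]]:
    """Disposition of an untagged frame entering port: ('forward', vlan) or ('discard', None).
    Terms are evaluated in order and the first match wins; a filter that runs out of
    terms without accepting ends in Junos's implicit discard."""
    src = ip_address(src_ip)
    if port.ingress_filter is None:
        return "forward", port.native_vlan
    for term in port.ingress_filter.terms:
        if not term.matches(src):
            continue
        if term.vlan:
            return "forward", term.vlan
        if term.accept:
            return "forward", port.native_vlan
        return "discard", None           # matching term with no accepting action
    return "discard", None               # implicit discard at the end of the filter


# The commands typed in Step 2.3.
FBVA = parse_set_commands([
    "set filter fbva term match-net from source-address 172.23.15.0/24",
    "set filter fbva term match-net then vlan v15",
    "set filter fbva term else-accept then accept",
])
GE_0_0_7 = AccessPort("ge-0/0/7.0", native_vlan="v11", ingress_filter=FBVA)

# The same filter with the else-accept term forgotten: everything outside
# 172.23.15.0/24 now falls through to the implicit discard.
FBVA_NO_CATCHALL = parse_set_commands([
    "set filter fbva term match-net from source-address 172.23.15.0/24",
    "set filter fbva term match-net then vlan v15",
])
GE_0_0_7_STRICT = AccessPort("ge-0/0/7.0", native_vlan="v11", ingress_filter=FBVA_NO_CATCHALL)

if __name__ == "__main__":
    for port in (GE_0_0_7, GE_0_0_7_STRICT):
        for ip in ("172.23.15.10", "172.23.16.100"):
            print(port.ingress_filter.name, ip, classify(port, ip))
```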


Part 3: Configuring and Monitoring a PVLAN

In this lab part, you configure and monitor a PVLAN. You will first delete the current VLAN configuration. You will then configure and monitor a PVLAN named pvlan-50 with two community VLANs named finance and sales. Refer to the network diagram for configuration details associated with this lab.

Step 3.1
Delete all configuration under the [edit vlans] hierarchy level.

    {master:0}[edit vlans]
    lab@exD-1# delete
    Delete everything under this level? [yes,no] (no) yes

Step 3.2
Delete all configuration under the [edit firewall] hierarchy and remove the application of the fbva firewall filter from the ge-0/0/7.0 interface.

    {master:0}[edit vlans]
    lab@exD-1# top delete firewall

    {master:0}[edit vlans]
    lab@exD-1# top delete interfaces ge-0/0/7.0 family ethernet-switching filter

Step 3.3
Configure a primary VLAN named pvlan-50 with a VLAN ID of 50. Associate the ge-0/0/12 interface with this newly defined VLAN. Configure ge-0/0/12 to function as a PVLAN trunk port.

    {master:0}[edit vlans]
    lab@exD-1# set pvlan-50 vlan-id 50 interface ge-0/0/12.0 pvlan-trunk

    {master:0}[edit vlans]
    lab@exD-1# set pvlan-50 no-local-switching

Step 3.4
Use the details shown on the network diagram for this lab and configure two community VLANs: one named finance and the other named sales. Ensure that ge-0/0/7.0 and ge-0/0/8.0 are associated with their respective community VLANs and that both community VLANs are linked to the primary VLAN (pvlan-50).

    {master:0}[edit vlans]
    lab@exD-1# set finance vlan-id 41 interface ge-0/0/7.0

    {master:0}[edit vlans]
    lab@exD-1# set finance primary-vlan pvlan-50

    {master:0}[edit vlans]
    lab@exD-1# set sales vlan-id 42 interface ge-0/0/8.0

    {master:0}[edit vlans]
    lab@exD-1# set sales primary-vlan pvlan-50


Step 3.5
Attempt to activate the changes using the commit command.

    {master:0}[edit vlans]
    lab@exD-1# commit
    error: Trunk port ge-0/0/12.0 cannot be made member of community vlan
    error: configuration check-out failed

Question: Does the commit operation succeed? If not, can you explain why not?

Answer: No, as shown in the sample output, the ge-0/0/12.0 trunk port is currently associated with one or more community VLANs. After a closer look at the active configuration it should be obvious where the problem lies:

    {master:0}[edit vlans]
    lab@exD-1# top show interfaces ge-0/0/12.0
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members all;
        }
    }

Step 3.6
Remove the vlan members all statement from the ge-0/0/12.0 interface configuration and attempt the commit operation once again.

    {master:0}[edit vlans]
    lab@exD-1# top delete interfaces ge-0/0/12.0 family ethernet-switching vlan

    {master:0}[edit vlans]
    lab@exD-1# commit
    configuration check succeeds
    commit complete

Question: Does the commit operation succeed now?

Answer: Yes, as shown in the sample output, the commit operation should now succeed.

Step 3.7
Issue the run show vlans pvlan-50 extensive command to determine the current PVLAN designations for the associated interfaces and community VLANs.


    {master:0}[edit vlans]
    lab@exD-1# run show vlans pvlan-50 extensive
    VLAN: pvlan-50, Created at: Fri May 13 23:02:03 2011
    802.1Q Tag: 50, Internal index: 9, Admin State: Enabled, Origin: Static
    Private VLAN Mode: Primary
    Protocol: Port Mode, Mac aging time: 300 seconds
    Number of interfaces: Tagged 1 (Active = 1), Untagged 2 (Active = 2)
      ge-0/0/12.0*, tagged, trunk, pvlan-trunk
      ge-0/0/7.0*, untagged, access
      ge-0/0/8.0*, untagged, access
    Secondary VLANs: Isolated 0, Community 2, Inter-switch-isolated 0
      Community VLANs :
        finance
        sales

Question: Are the expected access and trunk ports listed in the output?

Answer: Yes, as shown in the sample output, the two access ports and the trunk port should be listed in the output.

Question: Based on the output, is ge-0/0/12.0 properly enabled as a PVLAN trunk port?

Answer: Yes, as shown in the sample output, the ge-0/0/12.0 interface should be enabled as a PVLAN trunk port.

Note: You will now log in to your assigned SRX device. The gateway is configured with multiple virtual routers (VRs), which are logical devices created on your assigned gateway. Most of the configuration required for the SRX device has already been defined. You will, however, be required to modify the existing configuration throughout the labs. Refer to the Management Network Diagram for the IP address of your assigned SRX device. If needed, work with your instructor to obtain the required information.


    !!!!!
    --- 172.24.50.3 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.955/1.062/1.227/0.093 ms

    lab@srxD-1> ping routing-instance vr y 1 172.24.50.z rapid
    PING 172.24.50.4 (172.24.50.4): 56 data bytes
    .....
    --- 172.24.50.4 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss

    lab@srxD-1> ping routing-instance vr y 2 172.24.50.z rapid
    PING 172.24.50.1 (172.24.50.1): 56 data bytes
    .....
    --- 172.24.50.1 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss

    lab@srxD-1> ping routing-instance vr y 2 172.24.50.z rapid
    PING 172.24.50.3 (172.24.50.3): 56 data bytes
    .....
    --- 172.24.50.3 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss

    lab@srxD-1> ping routing-instance vr y 2 172.24.50.z rapid
    PING 172.24.50.4 (172.24.50.4): 56 data bytes
    !!!!!
    --- 172.24.50.4 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.025/5.862/24.405/9.272 ms

Question: Do the ping tests between the VRs associated with the same community VLANs succeed?

Answer: Yes, as expected, the ping tests between the VRs associated with the same community VLANs succeed. As shown in the sample output, the ping tests between VRs in different community VLANs should not succeed. If your test shows different results, check with the remote team to ensure they have committed the required configuration and, if needed, work with your instructor.

STOP: Before proceeding, ensure that the remote team is done with Part 3.
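The following Python model of the PVLAN built in this part is an added illustration, not code from the lab guide or from Junos. It reproduces the commit check that rejected ge-0/0/12.0 while the interface still carried vlan members all, and the forwarding rules behind the ping results (same community reachable, different communities not, the pvlan-trunk reachable from both); the Port, PrivateVlan, commit_check, can_forward and reachable_over_trunk names are the example's own, and the isolated-port rule is included as the general PVLAN behaviour even though this lab configures no isolated ports.

```python
"""Model of the private VLAN configured in Part 3 (added illustration, not
Junos code): primary pvlan-50 with community VLANs finance (41, ge-0/0/7.0)
and sales (42, ge-0/0/8.0), and ge-0/0/12.0 as the pvlan-trunk."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Port:
    name: str
    # what is left under 'interfaces <name> family ethernet-switching vlan members'
    vlan_members: Set[str] = field(default_factory=set)
    # role given by the [edit vlans] PVLAN statements
    role: str = "community"            # 'community', 'isolated' or 'pvlan-trunk'
    community: Optional[str] = None    # community VLAN name when role == 'community'


@dataclass
class PrivateVlan:
    name: str
    vlan_id: int
    pvlan_trunk: Port
    communities: Dict[str, int]        # community VLAN name -> vlan-id
    ports: List[Port]                  # every port in the primary or a secondary VLAN
    no_local_switching: bool = True

    def port(self, name: str) -> Port:
        return next(p for p in self.ports if p.name == name)


def commit_check(pvlan: PrivateVlan) -> List[str]:
    """Errors the commit would raise; the first mirrors the lab's failed commit in
    Step 3.5. A trunk still carrying 'vlan members all' (or naming a community VLAN)
    would be a member of the secondary VLANs, which Junos refuses for a pvlan-trunk."""
    errors: List[str] = []
    trunk = pvlan.pvlan_trunk
    if "all" in trunk.vlan_members or trunk.vlan_members & set(pvlan.communities):
        errors.append(f"Trunk port {trunk.name} cannot be made member of community vlan")
    for p in pvlan.ports:
        if p.role == "community" and p.community not in pvlan.communities:
            errors.append(f"{p.name}: community VLAN {p.community} is not linked to {pvlan.name}")
    return errors


def can_forward(pvlan: PrivateVlan, src: Port, dst: Port) -> bool:
    """Whether a frame entering src may be delivered out dst inside this PVLAN."""
    if src is dst:
        return False
    # The pvlan-trunk (like a promiscuous port) exchanges frames with every secondary VLAN.
    if "pvlan-trunk" in (src.role, dst.role):
        return True
    # Isolated ports talk only to the promiscuous/trunk side (general PVLAN rule).
    if "isolated" in (src.role, dst.role):
        return False
    # Community ports talk only within their own community VLAN.
    return src.community == dst.community


def reachable_over_trunk(local: PrivateVlan, src: Port, remote: PrivateVlan, dst: Port) -> bool:
    """Two switches joined by their pvlan-trunks (the two teams' switches). The frame
    leaves src tagged with its secondary VLAN id, and the remote switch delivers it to
    dst only if dst sits in the secondary VLAN with that same id (simplified rule)."""
    if not can_forward(local, src, local.pvlan_trunk):
        return False
    if dst.role == "pvlan-trunk":
        return True
    if src.role == "community" and dst.role == "community":
        return local.communities[src.community] == remote.communities[dst.community]
    return False


def lab_pvlan(trunk_vlan_members: Set[str]) -> PrivateVlan:
    """The Part 3 configuration; trunk_vlan_members is what remains under
    'interfaces ge-0/0/12.0 family ethernet-switching vlan members'."""
    ge7 = Port("ge-0/0/7.0", community="finance")
    ge8 = Port("ge-0/0/8.0", community="sales")
    ge12 = Port("ge-0/0/12.0", vlan_members=trunk_vlan_members, role="pvlan-trunk")
    return PrivateVlan("pvlan-50", 50, ge12, {"finance": 41, "sales": 42}, [ge7, ge8, ge12])


if __name__ == "__main__":
    before = lab_pvlan({"all"})        # Step 3.5: 'members all' still on the trunk
    print(commit_check(before))
    after = lab_pvlan(set())           # Step 3.6: vlan members deleted
    print(commit_check(after))
    for a in after.ports:
        for b in after.ports:
            if a is not b:
                print(f"{a.name} -> {b.name}: {can_forward(after, a, b)}")
```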


Part 4: Configuring and Monitoring MVRP

In this lab part, you configure and monitor MVRP. You will first load the configuration file saved in a previous lab part and make some minor modifications. You will then configure and monitor MVRP. Refer to the network diagram for configuration details associated with this lab.

Step 4.1
Return to your EX Series switch.

Navigate to the root of the hierarchy level and use the load override and commit commands to restore the configuration saved at the end of Part 2. Note that the configuration file should be in the /var/home/lab/ajex/ directory and should be named lab1part2.conf.

    {master:0}[edit vlans]
    lab@exD-1# top

    {master:0}[edit]
    lab@exD-1# load override /var/home/lab/ajex/lab1part2.conf
    load complete

    {master:0}[edit]
    lab@exD-1# commit
    configuration check succeeds
    commit complete

    {master:0}[edit]
    lab@exD-1#

Step 4.2
Remove the vlan members all statement from the ge-0/0/12.0 interface configuration.

    {master:0}[edit]
    lab@exD-1# delete interfaces ge-0/0/12.0 family ethernet-switching vlan

Step 4.3
Delete the ge-0/0/12.0 interface from all currently defined VLANs. Issue the commit command to activate the changes.

    {master:0}[edit]
    lab@exD-1# delete vlans v11 interface ge-0/0/12.0

    {master:0}[edit]
    lab@exD-1# delete vlans v12 interface ge-0/0/12.0

    {master:0}[edit]
    lab@exD-1# delete vlans v15 interface ge-0/0/12.0

    {master:0}[edit]
    lab@exD-1# commit
    configuration check succeeds
    commit complete


Step 4.4
Issue the run show vlans command to ensure the ge-0/0/12.0 interface is no longer associated with any of the defined VLANs.

    {master:0}[edit]
    lab@exD-1# run show vlans
    Name           Tag     Interfaces
    default        None
    v11            11
                           ge-0/0/7.0*
    v12            12
                           ge-0/0/8.0*
    v15            15
                           ge-0/0/7.0*

Question: Is the ge-0/0/12.0 interface currently associated with any of the defined VLANs?

Answer: No, as shown in the sample output, the trunk port ge-0/0/12.0 is no longer associated with any of the defined VLANs. Note that this behavior is expected based on the current configuration.

Step 4.5
Enable MVRP on the ge-0/0/12.0 interface. Activate the change using the commit command.

    {master:0}[edit]
    lab@exD-1# set protocols mvrp interface ge-0/0/12.0

    {master:0}[edit]
    lab@exD-1# commit
    configuration check succeeds
    commit complete

Note: Before proceeding, ensure that the remote team in your pod finishes the previous step.

Step 4.6
Issue the run show vlans command once again to determine whether the ge-0/0/12.0 interface is now associated with the defined VLANs.


    {master:0}[edit]
    lab@exD-1# run show vlans
    Name           Tag     Interfaces
    default
                           None
    v11            11
                           ge-0/0/7.0*, ge-0/0/12.0*
    v12            12
                           ge-0/0/8.0*, ge-0/0/12.0*
    v15            15
                           ge-0/0/7.0*, ge-0/0/12.0*

Question: Is the ge-0/0/12.0 interface now associated with the defined VLANs?

Answer: Yes, as shown in the sample output, the trunk port ge-0/0/12.0 is now associated with all of the defined VLANs. Note that you can also view dynamic VLAN membership associations using the show mvrp dynamic-vlan-memberships command as shown in the following:

    {master:0}[edit]
    lab@exD-1# run show mvrp dynamic-vlan-memberships
    MVRP dynamic vlans for routing instance 'default-switch'
     (s) static vlan, (f) fixed registration
      VLAN ID      Interfaces
      11           (s) ge-0/0/12.0
      12           (s) ge-0/0/12.0
      15           (s) ge-0/0/12.0

Step 4.7
Issue the run show mvrp statistics command to display MVRP statistics.

    {master:0}[edit]
    lab@exD-1# run show mvrp statistics
    MVRP statistics
    Interface name              : ge-0/0/12.0
      MRPDU received            : 15
      Invalid PDU received      : 0
      New received              : 0
      Join Empty received       : 12
      Join In received          : 33
      Empty received            : 0
      In received               : 0
      Leave received            : 0
      LeaveAll received         : 4
      MRPDU transmitted         : 15
      MRPDU transmit failures   : 0
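Because MVRP lets a neighbouring switch register VLANs on a trunk without any change to the local configuration, an operator normally wants to confirm that the dynamically learned memberships shown in Step 4.6 are exactly the VLANs the network diagram defines, and that the counters in Step 4.7 show no invalid PDUs or transmit failures. The following Python script is an added example, not part of the lab guide or of Junos: it parses text in the shape of the two command outputs above (the sample text is constructed; VLAN 99 is added to show an unexpected registration) and compares it against a per-interface allowlist, which is an assumption of the example.

```python
"""Check MVRP state on a trunk against an expected baseline.

Added example (not from the lab guide): parses text in the shape that
`show mvrp dynamic-vlan-memberships` and `show mvrp statistics` print
(as reproduced in Steps 4.6 and 4.7) and reports anything an operator
would not expect: a VLAN registered via MVRP that is not in the
interface's allowlist, and non-zero error counters.  The allowlist and
the sample text are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample output; VLAN 99 is not in the lab and stands in for a
# registration the operator did not plan for.
MEMBERSHIPS = """\
MVRP dynamic vlans for routing instance 'default-switch'
 (s) static vlan, (f) fixed registration
  VLAN ID      Interfaces
  11           (s) ge-0/0/12.0
  12           (s) ge-0/0/12.0
  15           (s) ge-0/0/12.0
  99           ge-0/0/12.0
"""

# Constructed sample output with the counters from Step 4.7.
STATISTICS = """\
MVRP statistics
Interface name : ge-0/0/12.0
  MRPDU received : 15
  Invalid PDU received : 0
  New received : 0
  Join Empty received : 12
  Join In received : 33
  Empty received : 0
  In received : 0
  Leave received : 0
  LeaveAll received : 4
  MRPDU transmitted : 15
  MRPDU transmit failures : 0
"""

# Assumed baseline: the VLANs the lab diagram defines for the trunk.
EXPECTED = {"ge-0/0/12.0": {11, 12, 15}}

MEMBER_RE = re.compile(r"^\s*(\d+)\s+(.+)$")
IFACE_RE = re.compile(r"(?:\((?P<flag>[sf])\)\s*)?(?P<name>\S+)")
STAT_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>\S+)\s*$")


def parse_memberships(text):
    """Return {interface: {vlan_id: flag}}; flag is 's', 'f' or '' (purely dynamic)."""
    members = defaultdict(dict)
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if not m:
            continue  # banner and header lines do not start with a VLAN ID
        vid = int(m.group(1))
        for entry in m.group(2).split(","):
            im = IFACE_RE.search(entry.strip())
            if im:
                members[im.group("name")][vid] = im.group("flag") or ""
    return dict(members)


def parse_statistics(text):
    """Return {interface: {counter_name: int}} from the statistics output."""
    stats, current = {}, None
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val")
        if key == "Interface name":
            current = val
            stats[current] = {}
        elif current is not None:
            stats[current][key] = int(val)
    return stats


def audit(memberships, statistics, expected):
    """Return a list of findings; an empty list means the state matches the baseline."""
    findings = []
    for iface, vlans in parse_memberships(memberships).items():
        for vid in sorted(set(vlans) - expected.get(iface, set())):
            findings.append(f"{iface}: VLAN {vid} registered via MVRP but not in the allowlist")
    for iface, counters in parse_statistics(statistics).items():
        for name in ("Invalid PDU received", "MRPDU transmit failures"):
            if counters.get(name, 0):
                findings.append(f"{iface}: {name} = {counters[name]}")
    return findings


if __name__ == "__main__":
    for finding in audit(MEMBERSHIPS, STATISTICS, EXPECTED):
        print(finding)
```

Run against the constructed sample, the script reports only VLAN 99; with the lab's three VLANs and zero error counters it reports nothing. The same parsers can be pointed at output collected from the switch by whatever means the operator already uses.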


    lab@exD-1# set v12 dot1q-tunneling

    {master:0}[edit vlans]
    lab@exD-1# set v15 dot1q-tunneling

    {master:0}[edit vlans]
    lab@exD-1# set cust-1 dot1q-tunneling layer2-protocol-tunneling all

    {master:0}[edit vlans]
    lab@exD-1# commit and-quit
    configuration check succeeds
    commit complete
    Exiting configuration mode

    {master:0}
    lab@exD-1>

Step 5.5
Issue the show vlans cust-1 detail command.

    {master:0}
    lab@exD-1> show vlans cust-1 detail
    VLAN: cust-1, 802.1Q Tag: 200, Admin State: Enabled
    Dot1q Tunneling status: Enabled
    Layer 2 Protocol Tunneling status: Enabled
    Number of interfaces: 2 (Active = 2)
      Untagged interfaces: ge-0/0/6.0*
      Tagged interfaces: ge-0/0/12.0*

Question: Based on the output, are Q-in-Q tunneling and L2PT now enabled?

Answer: Yes, as shown in the sample capture, Q-in-Q tunneling and L2PT are now enabled.

Step 5.6
Return to the session opened for your SRX device.

Use the ping utility once again and verify reachability between customer sites. Refer to the network diagram for the instance names and the IP address information. Do not forget to reference the correct routing instance when performing this operation.

    lab@srxD-1> ping routing-instance vr y 0 172.27.100.z rapid
    PING 172.27.100.2 (172.27.100.2): 56 data bytes
    !!!!!
    --- 172.27.100.2 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.038/5.765/24.069/9.153 ms


Question: Does the ping operation succeed now?

Answer: Yes, as shown in the sample output, the ping operation should now succeed.

STOP  Tell your instructor that you have completed Lab 1.


www.juniper.net Implementing MSTP and VSTP (Detailed) • Lab 2–1  10.b.10.4R3.4

Lab 2
Implementing MSTP and VSTP (Detailed)

Overview
In this lab, you will use the command-line interface (CLI) to configure and monitor the Multiple Spanning Tree Protocol (MSTP) and VLAN STP (VSTP).

The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab you will perform the following tasks:

• Modify the existing configuration.

• Configure and monitor MSTP.

• Configure and monitor VSTP.


Part 1: Modifying the Existing Configuration

In this lab part, you will modify the existing configuration on your EX Series switch and perform some basic verification tasks to prepare for subsequent lab parts. Refer to the network diagram for this lab for topological and configuration details.

Step 1.1
Enter configuration mode and configure the ge-0/0/9 and ge-0/0/10 interfaces for Layer 2 operations and as trunk ports.

    {master:0}
    lab@exD-1> configure
    Entering configuration mode

    {master:0}[edit]
    lab@exD-1# edit interfaces

    {master:0}[edit interfaces]
    lab@exD-1# set ge-0/0/9.0 family ethernet-switching port-mode trunk

    {master:0}[edit interfaces]
    lab@exD-1# set ge-0/0/10.0 family ethernet-switching port-mode trunk

    {master:0}[edit interfaces]
    lab@exD-1#

Step 1.2
Associate these newly defined trunk ports with all currently defined VLANs. Note that the VLANs must be statically associated with these new trunk ports, because the attached SRX devices do not support the Multiple VLAN Registration Protocol (MVRP). Also note that you cannot use the vlan members all statement because Q-in-Q tunneling is in place.

    {master:0}[edit interfaces]
    lab@exD-1# top edit vlans

    {master:0}[edit vlans]
    lab@exD-1# set ?
    Possible completions:
      <vlan_name>          VLAN name
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      cust-1               VLAN name
    > traceoptions         VLAN trace options
      v11                  VLAN name
      v12                  VLAN name
      v15                  VLAN name
    {master:0}[edit vlans]
    lab@exD-1# set cust-1 interface ge-0/0/9.0

    {master:0}[edit vlans]
    lab@exD-1# set cust-1 interface ge-0/0/10.0

    {master:0}[edit vlans]


    lab@exD-1# set v11 interface ge-0/0/9.0

    {master:0}[edit vlans]
    lab@exD-1# set v11 interface ge-0/0/10.0

    {master:0}[edit vlans]
    lab@exD-1# set v12 interface ge-0/0/9.0

    {master:0}[edit vlans]
    lab@exD-1# set v12 interface ge-0/0/10.0

    {master:0}[edit vlans]
    lab@exD-1# set v15 interface ge-0/0/9.0

    {master:0}[edit vlans]
    lab@exD-1# set v15 interface ge-0/0/10.0

    {master:0}[edit vlans]
    lab@exD-1#

Step 1.3
Activate the configuration changes using the commit command and verify the spanning-tree topology details using the run show spanning-tree bridge command.

    {master:0}[edit vlans]
    lab@exD-1# commit
    configuration check succeeds
    commit complete

    {master:0}[edit vlans]
    lab@exD-1# run show spanning-tree bridge
    STP bridge parameters
    Context ID                          : 0
    Enabled protocol                    : RSTP
      Root ID                           : 4096.00:26:88:e1:45:10
      Root cost                         : 20000
      Root port                         : ge-0/0/9.0
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Message age                       : 1
      Number of topology changes        : 4
      Time since last topology change   : 1808 seconds
      Topology change initiator         : ge-0/0/9.0
      Topology change last recvd. from  : 00:26:88:e1:4f:8a
      Local parameters
        Bridge ID                       : 32768.50:c5:8d:ba:62:00
        Extended system ID              : 0
        Internal instance ID            : 0


Question: Which device is elected as the root bridge? Which interface will your switch use to forward traffic through the Layer 2 network?

Answer: The srxX-1 device should be elected the root bridge device based on its current bridge priority of 4K. The root port, used to forward traffic through the root bridge, varies depending on your assigned switch. If you are assigned exX-1, the root port should be ge-0/0/9.0. If you are assigned exX-2, the root port should be ge-0/0/10.0.

Question: What limitation exists with the current spanning-tree implementation? What options exist that overcome this limitation?

Answer: The current spanning-tree topology offers no load balancing. The links between the EX Series switches and the srxX-2 device will not be used. This problem is a known limitation of STP and RSTP. You can use MSTP or VSTP instead of RSTP to overcome this limitation. We make use of MSTP and VSTP in subsequent lab parts.

Part 2: Configuring and Monitoring MSTP

In this lab part, you configure and monitor MSTP. You create two multiple spanning-tree instances (MSTIs); one for all VLAN IDs between 1 and 199, and a second for all VLAN IDs between 200 and 399. Once configured, you use various operational mode commands to monitor MSTP.

Step 2.1
Delete RSTP, under the [edit protocols] hierarchy.

    {master:0}[edit vlans]
    lab@exD-1# top edit protocols

    {master:0}[edit protocols]
    lab@exD-1# show
    rstp;
    mvrp {
        interface ge-0/0/12.0;
    }

    {master:0}[edit protocols]
    lab@exD-1# delete rstp

    {master:0}[edit protocols]
    lab@exD-1#


Step 2.6
Configure a non-default bridge priority for each MSTI. If you are assigned srxX-1, specify a bridge priority of 4k for MSTI 1 and 8k for MSTI 2. If you are assigned srxX-2, specify a bridge priority of 8k for MSTI 1 and 4k for MSTI 2. Activate the changes using the commit command. The following captures illustrate the commands and expected configurations for both SRX devices in pod D:

    [edit protocols]
    lab@srxD-1# set mstp msti 1 bridge-priority 4k

    [edit protocols]
    lab@srxD-1# set mstp msti 2 bridge-priority 8k

    [edit protocols]
    lab@srxD-1# show
    mstp {
        configuration-name my-mstp-config;
        msti 1 {
            bridge-priority 4k;
            vlan 1-199;
        }
        msti 2 {
            bridge-priority 8k;
            vlan 200-399;
        }
    }

    [edit protocols]
    lab@srxD-1# commit
    commit complete

    [edit protocols]
    lab@srxD-2# set mstp msti 1 bridge-priority 8k

    [edit protocols]
    lab@srxD-2# set mstp msti 2 bridge-priority 4k

    [edit protocols]
    lab@srxD-2# show
    mstp {
        configuration-name my-mstp-config;
        msti 1 {
            bridge-priority 8k;
            vlan 1-199;
        }
        msti 2 {
            bridge-priority 4k;
            vlan 200-399;
        }
    }

    [edit protocols]
    lab@srxD-2# commit
    commit complete


Question: Based on the current configurations, what forwarding paths would you expect for traffic associated with the various VLANs currently in use?

Answer: The spanning-tree topology now offers some level of load balancing for the defined VLANs. Based on the current configurations, all traffic associated with VLAN ID 200 (SVLAN assigned to the attached customer) should pass through srxX-2. The traffic associated with all other VLAN IDs (11, 12, and 15) should pass through srxX-1.

Note: Before proceeding, ensure that the remote team in your pod finishes the previous step.

Step 2.7
Return to the session opened for your EX Series switch.

Issue the run show spanning-tree bridge command and answer the questions that follow.

    {master:0}[edit protocols]
    lab@exD-1# run show spanning-tree bridge
    STP bridge parameters
    Context ID                          : 0
    Enabled protocol                    : MSTP

    STP bridge parameters for CIST
      Root ID                           : 32768.00:26:88:e1:45:10
      Root cost                         : 0
      Root port                         : ge-0/0/9.0
      CIST regional root                : 32768.00:26:88:e1:45:10
      CIST internal root cost           : 20000
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Hop count                         : 19
      Message age                       : 0
      Number of topology changes        : 12
      Time since last topology change   : 18 seconds
      Topology change initiator         : ge-0/0/9.0
      Topology change last recvd. from  : 50:c5:8d:ae:b7:8c
      Local parameters
        Bridge ID                       : 32768.50:c5:8d:ba:62:00
        Extended system ID              : 0
        Internal instance ID            : 0


    STP bridge parameters for MSTI 1
      MSTI regional root                : 4097.00:26:88:e1:45:10
      Root cost                         : 20000
      Root port                         : ge-0/0/9.0
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Hop count                         : 19
      Number of topology changes        : 12
      Topology change initiator         : ge-0/0/9.0
      Topology change last recvd. from  : 00:26:88:e1:4f:8a
      Local parameters
        Bridge ID                       : 32769.50:c5:8d:ba:62:00
        Extended system ID              : 0
        Internal instance ID            : 1

    STP bridge parameters for MSTI 2
      MSTI regional root                : 4098.00:26:88:e1:4f:90
      Root cost                         : 20000
      Root port                         : ge-0/0/10.0
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Hop count                         : 19
      Number of topology changes        : 12
      Topology change initiator         : ge-0/0/10.0
      Topology change last recvd. from  : 00:26:88:e1:45:09
      Local parameters
        Bridge ID                       : 32770.50:c5:8d:ba:62:00
        Extended system ID              : 0
        Internal instance ID            : 2

Question: Are the expected devices elected root bridges for MSTI 1 and MSTI 2?

Answer: The answer should be yes. The srxX-1 device should be elected root bridge for MSTI 1 and the srxX-2 device should be elected root bridge for MSTI 2. If you see different results, check your configuration and ensure the remote team has finished the previous step.

Question: Which device has been elected as the root bridge for the Common and Internal Spanning Tree (CIST)?

Answer: The answer might vary. In the illustrated example, srxD-1 has been elected as the root bridge for the CIST (MSTI 0).


Question: What configuration change can you make to ensure srxX-1 is always the root bridge as long as it is available?

Answer: To ensure one device is always the root bridge when it is available, you must ensure the bridge priority for that device is set to a lower value than all other switches participating in the MSTP region.

Step 2.8
On your assigned EX Series switch, issue the run show spanning-tree mstp configuration command.

    {master:0}[edit protocols]
    lab@exD-1# run show spanning-tree mstp configuration
    MSTP information
    Context identifier   : 0
    Region name          : my-mstp-config
    Revision             : 0
    Configuration digest : 0x91ee8012e6851d931adae71da4060690

    MSTI    Member VLANs
    0       0, 400-4094
    1       1-199
    2       200-399

Question: Does the output display the expected VLAN to MSTI mapping information?

Answer: Yes, the output should show the correct VLAN to MSTI mapping information. You should see the previously configured ranges for MSTI 1 and MSTI 2 (1-199 and 200-399 respectively) and the remainder of the supported VLAN ID range associated with the CIST (MSTI 0).

Question: Which three components in the displayed output must match for switches participating in the same MST region?

Answer: The region name, revision level, and the VLAN to MSTI mappings must match on all bridges participating in the same MST region.


Question: How is the configuration digest determined?

Answer: The configuration digest is based on the VLAN to MSTI mapping information. Note that this mapping information must match on all switches intending to participate in the same MST region.
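The two questions above (which three fields must match, and where the digest comes from) can be made concrete by computing the digest the way IEEE 802.1Q defines it: an HMAC-MD5, keyed with a fixed constant from the standard, over a table of 4096 two-octet MSTID values indexed by VLAN ID. The region name and revision level are not inputs to the digest, which is why a bridge that only changes its revision (as in Step 2.10 below) keeps the same digest yet still ends up in a different region. The following Python script is an added example, not part of the lab guide or of Junos; the region name and VLAN ranges are the ones configured in this lab, and the tuple layout used for the configuration identifier is this example's own.

```python
"""MST configuration identifier checks.

Added example (not from the lab guide).  Computes the MST configuration
digest as defined in IEEE 802.1Q (HMAC-MD5 over the 4096-entry VID to
MSTID table, using the key the standard fixes) and compares the three
fields a bridge uses to decide whether a neighbour is in the same
region: region name, revision level and digest.
"""
import hashlib
import hmac

# Key defined by IEEE 802.1Q for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def msti_table(vlan_to_msti):
    """Build the 4096-entry table; VLAN IDs not listed stay in the CIST (MSTI 0)."""
    table = [0] * 4096
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID out of range: {vid}")
        if not 0 <= msti <= 0xFFFF:
            raise ValueError(f"MSTID out of range: {msti}")
        table[vid] = msti
    return table


def config_digest(vlan_to_msti):
    """Hex HMAC-MD5 over the table serialised as big-endian 16-bit MSTIDs."""
    data = b"".join(msti.to_bytes(2, "big") for msti in msti_table(vlan_to_msti))
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).hexdigest()


def config_id(region_name, revision, vlan_to_msti):
    """The three values a bridge advertises to identify its MST region (example layout)."""
    return (region_name, revision, config_digest(vlan_to_msti))


def same_region(a, b):
    """Two bridges form one MST region only if all three identifier fields match."""
    return config_id(*a) == config_id(*b)


def vlan_ranges(msti, *ranges):
    """Map every VLAN ID in the given inclusive (low, high) ranges to one MSTI."""
    return {vid: msti for low, high in ranges for vid in range(low, high + 1)}


# Mapping configured in Lab 2: MSTI 1 = VLANs 1-199, MSTI 2 = VLANs 200-399.
LAB_MAPPING = {**vlan_ranges(1, (1, 199)), **vlan_ranges(2, (200, 399))}

# Region identifiers as (name, revision, mapping); the SRX devices keep
# revision 0 while exX-1 moves to revision 1 in Step 2.10.
SRX_D1 = ("my-mstp-config", 0, LAB_MAPPING)
EX_D1_AFTER_2_10 = ("my-mstp-config", 1, LAB_MAPPING)

if __name__ == "__main__":
    print("digest with every VLAN in the CIST:", config_digest({}))
    print("digest for the lab mapping        :", config_digest(LAB_MAPPING))
    print("exD-1 still in the SRX region after Step 2.10:",
          same_region(SRX_D1, EX_D1_AFTER_2_10))
```

The digest printed for the lab mapping can be compared with the value the switch shows in Step 2.8; the default digest, with every VLAN left in the CIST, is the well-known 0xAC36177F50283CD4B83821D8AB26DE62. Because the digest only covers the mapping, two switches with identical VLAN ranges but different region names or revision levels still split into separate regions, which is exactly the effect the revision change in Step 2.10 demonstrates.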

Step 2.9
Issue the top save /var/home/lab/ajex/mstp.conf command to save the current configuration on your EX Series switch to the /var/tmp directory.

    {master:0}[edit protocols]
    lab@exD-1# top save /var/home/lab/ajex/mstp.conf
    Wrote 166 lines of configuration to '/var/home/lab/ajex/mstp.conf'

Step 2.10
Change the revision level to test the effects of mismatched settings that are required to match on switches participating in the same MST region. If you are assigned exX-1, set your revision number to 1. If you are assigned exX-2, set your revision number to 2. Issue commit to activate the configuration change.

    {master:0}[edit protocols]
    lab@exD-1# set mstp revision-level n

    {master:0}[edit protocols]
    lab@exD-1# commit
    configuration check succeeds
    commit complete

Step 2.11
Issue the run show spanning-tree mstp configuration command to verify the change. Next issue the run show spanning-tree bridge command to verify the current state of the MSTP topology and root bridge election details.

    {master:0}[edit protocols]
    lab@exD-1# run show spanning-tree mstp configuration
    MSTP information
    Context identifier   : 0
    Region name          : my-mstp-config
    Revision             : 1
    Configuration digest : 0x91ee8012e6851d931adae71da4060690

    MSTI    Member VLANs
    0       0, 400-4094
    1       1-199
    2       200-399

    {master:0}[edit protocols]
    lab@exD-1# run show spanning-tree bridge
    STP bridge parameters


    Context ID                          : 0
    Enabled protocol                    : MSTP

    STP bridge parameters for CIST
      Root ID                           : 32768.00:26:88:e1:45:10
      Root cost                         : 20000
      Root port                         : ge-0/0/9.0
      CIST regional root                : 32768.50:c5:8d:ba:62:00
      CIST internal root cost           : 0
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Hop count                         : 20
      Message age                       : 1
      Number of topology changes        : 17
      Time since last topology change   : 20 seconds
      Topology change initiator         : ge-0/0/9.0
      Topology change last recvd. from  : 00:26:88:e1:4f:8a
      Local parameters
        Bridge ID                       : 32768.50:c5:8d:ba:62:00
        Extended system ID              : 0
        Internal instance ID            : 0

    STP bridge parameters for MSTI 1
      MSTI regional root                : 32769.50:c5:8d:ba:62:00
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Number of topology changes        : 17
      Topology change initiator         : ge-0/0/9.0
      Topology change last recvd. from  : 00:26:88:e1:4f:8a
      Local parameters
        Bridge ID                       : 32769.50:c5:8d:ba:62:00
        Extended system ID              : 0
        Internal instance ID            : 1

    STP bridge parameters for MSTI 2
      MSTI regional root                : 32770.50:c5:8d:ba:62:00
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Number of topology changes        : 16
      Topology change initiator         : ge-0/0/9.0
      Topology change last recvd. from  : 00:26:88:e1:45:09
      Local parameters
        Bridge ID                       : 32770.50:c5:8d:ba:62:00
        Extended system ID              : 0
        Internal instance ID            : 2


Question: What impact did changing the revision level have on the MSTP topology and root bridge election for MSTI 1 and MSTI 2?

Answer: Because the required settings on the EX Series switches no longer match the other devices within the MST region, each EX Series switch is effectively running in isolation in new MST regions that are based on new settings. This arrangement is verified by the newly elected root bridge in each MSTI. In the sample capture, we see that exX-1 is now the elected root bridge for MSTI 1 and MSTI 2. Note that exX-2 should show a similar output with itself elected root bridge for both MSTIs.

Part 3: Configuring and Monitoring VSTP

In this lab part, you configure and monitor VSTP. Once configured, you use various operational mode commands to verify VSTP operations. Note that SRX devices do not currently support VSTP. Because of this fact, you will need to alter the current topology to exclude the SRX devices for this lab part.

Step 3.1
Issue the set rstp and commit commands in an attempt to enable RSTP along with MSTP.

    {master:0}[edit protocols]
    lab@exD-1# set rstp

    {master:0}[edit protocols]
    lab@exD-1# commit
    [edit protocols]
      'mstp'
        Another xSTP protocol is enabled
    error: Another xSTP protocol is enabled
    error: configuration check-out failed

Question: Did the commit operation succeed? If not, why not?

Answer: No, the commit operation should not succeed because RSTP and MSTP cannot be enabled at the same time. Note that RSTP can, however, be enabled at the same time as VSTP.


Step 3.2
Delete MSTP and attempt the commit operation once again.

    {master:0}[edit protocols]
    lab@exD-1# delete mstp

    {master:0}[edit protocols]
    lab@exD-1# commit
    configuration check succeeds
    commit complete

Step 3.3
Delete the ge-0/0/9 and ge-0/0/10 interface references from under the [edit interfaces] and [edit vlans] hierarchy levels.

    {master:0}[edit protocols]
    lab@exD-1# top delete interfaces ge-0/0/9

    {master:0}[edit protocols]
    lab@exD-1# top delete interfaces ge-0/0/10

    {master:0}[edit protocols]
    lab@exD-1# top delete vlans cust-1 interface ge-0/0/9

    {master:0}[edit protocols]
    lab@exD-1# top delete vlans cust-1 interface ge-0/0/10

    {master:0}[edit protocols]
    lab@exD-1# top delete vlans v11 interface ge-0/0/9

    {master:0}[edit protocols]
    lab@exD-1# top delete vlans v11 interface ge-0/0/10

    {master:0}[edit protocols]
    lab@exD-1# top delete vlans v12 interface ge-0/0/9

    {master:0}[edit protocols]
    lab@exD-1# top delete vlans v12 interface ge-0/0/10

    {master:0}[edit protocols]
    lab@exD-1# top delete vlans v15 interface ge-0/0/9

    {master:0}[edit protocols]
    lab@exD-1# top delete vlans v15 interface ge-0/0/10


    STP bridge parameters for VLAN 15
      Root ID                           : 8207.50:c5:8d:ba:62:00
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Message age                       : 0
      Number of topology changes        : 0
      Local parameters
        Bridge ID                       : 8207.50:c5:8d:ba:62:00
        Extended system ID              : 4
        Internal instance ID            : 0

Question: Based on the configuration, are the correct root bridges currently elected? Can you explain why?

Answer: No, your switch is currently elected as the root bridge for all VLANs. This election does not match the expectations based on the current configuration. This situation is because of a known limitation with VSTP and MVRP. MVRP does not currently support VSTP. Because of this lack of support, you will need to manually associate the ge-0/0/12.0 interface with the defined VLANs. You will perform that task next.

Step 3.6
Manually associate the ge-0/0/12.0 interface with all currently defined VLANs. Activate the configuration changes using the commit command.

    {master:0}[edit protocols]
    lab@exD-1# top edit vlans

    {master:0}[edit vlans]
    lab@exD-1# set v11 interface ge-0/0/12.0

    {master:0}[edit vlans]
    lab@exD-1# set v12 interface ge-0/0/12.0

    {master:0}[edit vlans]
    lab@exD-1# set v15 interface ge-0/0/12.0

    {master:0}[edit vlans]
    lab@exD-1# set cust-1 interface ge-0/0/12.0

    {master:0}[edit vlans]
    lab@exD-1# commit
    configuration check succeeds
    commit complete

    {master:0}[edit vlans]
    lab@exD-1#


Note: Before proceeding, ensure that the remote team in your pod finishes the previous step.

Step 3.7
Issue the run show spanning-tree bridge command once again to determine the current root bridge designations for each VLAN.

    {master:0}[edit vlans]
    lab@exD-1# run show spanning-tree bridge
    ...
    STP bridge parameters for VLAN 200
      Root ID                           : 4296.50:c5:8d:ae:b7:80
      Root cost                         : 20000
      Root port                         : ge-0/0/12.0
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Message age                       : 1
      Number of topology changes        : 1
      Time since last topology change   : 5 seconds
      Topology change initiator         : ge-0/0/12.0
      Topology change last recvd. from  : 50:c5:8d:ae:b7:8c
      Local parameters
        Bridge ID                       : 8392.50:c5:8d:ba:62:00
        Extended system ID              : 1
        Internal instance ID            : 0

    STP bridge parameters
    Context ID                          : 2
    Enabled protocol                    : RSTP

    STP bridge parameters for VLAN 11
      Root ID                           : 4107.50:c5:8d:ba:62:00
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Message age                       : 0
      Number of topology changes        : 1
      Time since last topology change   : 7 seconds
      Topology change initiator         : ge-0/0/12.0
      Topology change last recvd. from  : 50:c5:8d:ae:b7:8c
      Local parameters
        Bridge ID                       : 4107.50:c5:8d:ba:62:00
        Extended system ID              : 2
        Internal instance ID            : 0

    STP bridge parameters
    Context ID                          : 3
    Enabled protocol                    : RSTP

    STP bridge parameters for VLAN 12
      Root ID                           : 4108.50:c5:8d:ba:62:00
      Hello time                        : 2 seconds


      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Message age                       : 0
      Number of topology changes        : 1
      Time since last topology change   : 7 seconds
      Topology change initiator         : ge-0/0/12.0
      Topology change last recvd. from  : 50:c5:8d:ae:b7:8c
      Local parameters
        Bridge ID                       : 4108.50:c5:8d:ba:62:00
        Extended system ID              : 3
        Internal instance ID            : 0

    STP bridge parameters
    Context ID                          : 4
    Enabled protocol                    : RSTP

    STP bridge parameters for VLAN 15
      Root ID                           : 4111.50:c5:8d:ae:b7:80
      Root cost                         : 20000
      Root port                         : ge-0/0/12.0
      Hello time                        : 2 seconds
      Maximum age                       : 20 seconds
      Forward delay                     : 15 seconds
      Message age                       : 1
      Number of topology changes        : 1
      Time since last topology change   : 5 seconds
      Topology change initiator         : ge-0/0/12.0
      Topology change last recvd. from  : 50:c5:8d:ae:b7:8c
      Local parameters
        Bridge ID                       : 8207.50:c5:8d:ba:62:00
        Extended system ID              : 4
        Internal instance ID            : 0

Question: Are the correct root bridges now elected?

Answer: Yes, the expected root bridges should now be elected. Based on the current configuration, exX-1 should be root bridge for the v11 and v12 VLANs and exX-2 should be root bridge for the v15 and cust-1 VLANs. If your results do not match the expected results, check your configuration and work with the remote team and instructor as needed.
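The bridge identifiers printed throughout Part 2 (Step 2.7, MSTP) and Part 3 (Step 3.7, VSTP) follow one encoding: the number before the dot is the configured priority (a multiple of 4096) plus a 12-bit system ID extension, which is the MSTI number under MSTP and the VLAN ID under VSTP, so 4097 is priority 4096 in MSTI 1 and 8207 is priority 8192 in VLAN 15. The root election picks the numerically lowest identifier, priority field first and MAC address as the tie-breaker, which is also why the CIST root in Step 2.7 "might vary": all three bridges kept the default 32768 there and the lowest MAC won. The following Python script is an added example, not part of the lab guide or of Junos; the bridge IDs are taken from the outputs above, and the candidate lists that group them per instance are constructed for the example.

```python
"""Decode spanning-tree bridge IDs and reproduce the root election.

Added example (not from the lab guide).  Splits identifiers such as
'4107.50:c5:8d:ba:62:00' into priority, system ID extension and MAC,
and elects the root the way STP/RSTP/MSTP/VSTP do: the lowest 64-bit
bridge ID wins.  Sample IDs come from Steps 2.7 and 3.7; the candidate
lists are constructed.
"""
import re

BRIDGE_ID_RE = re.compile(
    r"^(?P<prio>\d{1,5})\.(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.I)


def decode_bridge_id(text):
    """Return priority, system ID extension, MAC and the comparable 64-bit value."""
    m = BRIDGE_ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a bridge ID: {text!r}")
    field = int(m.group("prio"))
    if field > 0xFFFF:
        raise ValueError(f"priority field out of range: {field}")
    mac = m.group("mac").lower()
    return {
        "priority": field & 0xF000,        # configured value, multiple of 4096
        "sys_id_ext": field & 0x0FFF,      # MSTI number (MSTP) or VLAN ID (VSTP)
        "mac": mac,
        "bridge_id": (field << 48) | int(mac.replace(":", ""), 16),
    }


def make_bridge_id(priority, sys_id_ext, mac):
    """Build the identifier a bridge would advertise for a given configured priority."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= sys_id_ext <= 0xFFF:
        raise ValueError("system ID extension must fit in 12 bits")
    return f"{priority + sys_id_ext}.{mac.lower()}"


def elect_root(bridge_ids):
    """Return the candidate with the numerically lowest bridge ID."""
    return min(bridge_ids, key=lambda b: decode_bridge_id(b)["bridge_id"])


# Step 2.7, pod D: regional roots and exD-1's own IDs per instance (constructed grouping).
CIST_CANDIDATES = ["32768.50:c5:8d:ba:62:00", "32768.00:26:88:e1:45:10"]
MSTI1_CANDIDATES = ["32769.50:c5:8d:ba:62:00", "4097.00:26:88:e1:45:10"]
MSTI2_CANDIDATES = ["32770.50:c5:8d:ba:62:00", "4098.00:26:88:e1:4f:90"]

# Step 3.7, pod D: per-VLAN IDs of exD-1 and exD-2 under VSTP (constructed grouping).
VLAN11_CANDIDATES = ["4107.50:c5:8d:ba:62:00", "8203.50:c5:8d:ae:b7:80"]
VLAN15_CANDIDATES = ["8207.50:c5:8d:ba:62:00", "4111.50:c5:8d:ae:b7:80"]

if __name__ == "__main__":
    for label, ids in (("CIST", CIST_CANDIDATES), ("MSTI 1", MSTI1_CANDIDATES),
                       ("MSTI 2", MSTI2_CANDIDATES), ("VLAN 11", VLAN11_CANDIDATES),
                       ("VLAN 15", VLAN15_CANDIDATES)):
        root = elect_root(ids)
        d = decode_bridge_id(root)
        print(f"{label:7} root {root}  (priority {d['priority']}, ext {d['sys_id_ext']})")
    # Answering the Part 2 question: a lower priority than every other bridge
    # in the region makes that bridge win regardless of MAC address.
    forced = make_bridge_id(0, 1, "50:c5:8d:ba:62:00")
    print("MSTI 1 root with exD-1 at priority 0:", elect_root(MSTI1_CANDIDATES + [forced]))
```

In the VLAN 11 list, exD-2's identifier (8203) is constructed to match the lab's intent that exD-2 holds priority 8192 there; the other values are read directly from the sample outputs. The tie-break on MAC address is the reason the guide recommends an explicit lower priority rather than relying on defaults when one device must always be root.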


Step 3.8
Use the load override command to restore the mstp.conf configuration file saved in the /var/home/lab/ajex/ directory. Activate the changes and return to operational mode using the commit and-quit command.

    {master:0}[edit vlans]
    lab@exD-1# top

    {master:0}[edit]
    lab@exD-1# load override /var/home/lab/ajex/mstp.conf
    load complete

    {master:0}[edit]
    lab@exD-1# commit and-quit
    configuration check succeeds
    commit complete
    Exiting configuration mode

    {master:0}
    lab@exD-1>

STOP  Tell your instructor that you have completed Lab 2.


www.juniper.net Authentication and Access Control (Detailed) • Lab 3–1  10.b.10.4R3.4

Lab 3
Authentication and Access Control (Detailed)

Overview
In this lab, you will use the command-line interface (CLI) to configure and monitor various authentication and access control features supported on EX Series switches.

The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab you will perform the following tasks:

• Modify the existing configuration.

• Configure and monitor 802.1X.

• Configure and monitor other authentication and access features.


    Part 1: Modifying the Existing Configuration
    In this lab part, you modify the existing configuration. In preparation for Part 2, you must modify the Q-in-Q and filter-based VLAN configuration because those features cannot be enabled with 802.1X on the same interface at the same time.

    Step 1.1
    Enter configuration mode and navigate to the [edit vlans] hierarchy.

    {master:0}
    lab@exD-1> configure
    Entering configuration mode

    {master:0}[edit]
    lab@exD-1# edit vlans

    {master:0}[edit vlans]
    lab@exD-1#

    Step 1.2
    Delete the dot1q-tunneling statement from the v11 and v12 VLANs.

    {master:0}[edit vlans]
    lab@exD-1# delete v11 dot1q-tunneling

    {master:0}[edit vlans]
    lab@exD-1# delete v12 dot1q-tunneling

    Step 1.3
    Delete the v15 VLAN and all configuration related to the filter-based VLAN assignment defined in Lab 1.

    {master:0}[edit vlans]
    lab@exD-1# delete v15

    {master:0}[edit vlans]
    lab@exD-1# top delete firewall

    {master:0}[edit vlans]
    lab@exD-1# top delete interfaces ge-0/0/7.0 family ethernet-switching filter

    Step 1.4
    Navigate to the [edit ethernet-switching-options] hierarchy and set the Ethernet-type for the switch to 0x8100. Activate the changes and return to operational mode using the commit and-quit command.


    {master:0}[edit vlans]
    lab@exD-1# top edit ethernet-switching-options

    {master:0}[edit ethernet-switching-options]
    lab@exD-1# set dot1q-tunneling ether-type 0x8100

    {master:0}[edit ethernet-switching-options]
    lab@exD-1# commit and-quit
    configuration check succeeds
    commit complete
    Exiting configuration mode

    {master:0}
    lab@exD-1>

    Step 1.5
    Return to the session opened for your assigned SRX device. If needed, open a new session and log in using the credentials provided by your instructor.

    Use the ping utility and attempt to verify access to and reachability through the Layer 2 network. Use the virtual routers (VRs) associated with your assigned SRX device as the source devices for these tests. Use the corresponding VR connected to the remote team’s EX Series switch as the destination. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs. Do not forget to reference the correct routing instance.

    lab@srxD-1> ping routing-instance vry1 172.23.11.10z rapid
    PING 172.23.11.102 (172.23.11.102): 56 data bytes
    .....
    --- 172.23.11.102 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss

    lab@srxD-1> ping routing-instance vry2 172.23.12.10z rapid
    PING 172.23.12.102 (172.23.12.102): 56 data bytes
    .....
    --- 172.23.12.102 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss

    Note
    Changing the Ethernet-type to 0x8100 allows trunk ports to support VLANs configured for Q-in-Q tunneling as well as standard 802.1Q VLANs at the same time. In production environments, ensure the Ethernet-type is set consistently on all devices within a given forwarding path.


    Question: Did the ping operations succeed? Can you explain why?

    Answer: No, the ping operations should not succeed. Because of the recent configuration changes, the forwarding path now consists of devices configured with different Ethernet-types. You will remedy this problem in subsequent steps.
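The failure the answer describes can be modelled with an added example (not part of the lab guide or of Junos): a small Python frame classifier that treats a VLAN tag as a tag only when its TPID matches the configured dot1q-tunneling ether-type. The frames, MAC addresses and the assumption that the trunk has no native VLAN are constructed for illustration; 0x8100 and 0x88a8 are the real 802.1Q and 802.1ad TPID values.

```python
import struct

# Real TPID (Ethernet-type) constants: 0x8100 is the 802.1Q value this lab
# configures as the Q-in-Q ether-type; 0x88a8 is the 802.1ad service-tag value.
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8

# Constructed sample addresses (locally administered, not from the lab diagram).
DST_MAC = bytes.fromhex("020000000002")
SRC_MAC = bytes.fromhex("020000000001")


def build_tagged_frame(dst, src, tags, ethertype=0x0800):
    """Build an Ethernet header carrying zero or more VLAN tags.

    `tags` is a list of (tpid, vid) pairs, outermost first; PCP and DEI bits
    are left at zero. Only the header is built, no payload follows.
    """
    header = dst + src
    for tpid, vid in tags:
        header += struct.pack("!HH", tpid, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype)


def classify_frame(frame, configured_tpid):
    """Classify a received frame the way a switch whose dot1q-tunneling
    ether-type is `configured_tpid` sees it.

    Returns ("qinq", s_vid, c_vid), ("single", vid) or ("untagged", ethertype).
    A tag whose TPID the switch is not configured for is not a tag to it; those
    bytes are simply the start of the payload.
    """
    (first,) = struct.unpack_from("!H", frame, 12)
    if first == configured_tpid:
        outer_vid = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
        (second,) = struct.unpack_from("!H", frame, 16)
        if second == TPID_8021Q:
            inner_vid = struct.unpack_from("!H", frame, 18)[0] & 0x0FFF
            return ("qinq", outer_vid, inner_vid)
        return ("single", outer_vid)
    if first == TPID_8021Q:
        # A standard 802.1Q tag is recognised whatever the Q-in-Q ether-type is.
        return ("single", struct.unpack_from("!H", frame, 14)[0] & 0x0FFF)
    return ("untagged", first)


def trunk_accepts(frame, configured_tpid, trunk_vlans):
    """Would a trunk port carrying `trunk_vlans` forward this frame?

    Assumption: the trunk has no native VLAN, so a frame the switch cannot
    recognise as tagged has no VLAN to be placed in and is dropped.
    """
    kind, *fields = classify_frame(frame, configured_tpid)
    if kind == "untagged":
        return False
    return fields[0] in trunk_vlans


# Constructed scenario from Part 1: the SRX still sends Q-in-Q frames for
# S-VLAN 11 with a 0x88a8 outer tag, while the EX has just been set to 0x8100.
SRX_QINQ_FRAME = build_tagged_frame(DST_MAC, SRC_MAC, [(TPID_8021AD, 11), (TPID_8021Q, 100)])
EX_TRUNK_VLANS = {11, 12}

if __name__ == "__main__":
    for tpid in (TPID_8021AD, TPID_8021Q):
        verdict = "forwarded" if trunk_accepts(SRX_QINQ_FRAME, tpid, EX_TRUNK_VLANS) else "dropped"
        print(f"EX ether-type {tpid:#06x}:", classify_frame(SRX_QINQ_FRAME, tpid), verdict)
```

With the EX set to 0x8100 the 0x88a8 frame is classified as untagged with an unknown Ethernet-type and dropped, which is the 100% loss seen above; once both ends agree on the TPID the same frame is recognised as S-VLAN 11 and forwarded.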

    Step 1.6
    On your assigned SRX device, enter configuration mode, navigate to the [edit vlans] hierarchy, and delete the v15 VLAN.

    lab@srxD-1> configure
    Entering configuration mode

    [edit]
    lab@srxD-1# edit vlans

    [edit vlans]
    lab@srxD-1# delete v15

    [edit vlans]
    lab@srxD-1#

    Step 1.7
    Delete the dot1q-tunneling statement from the v11 and v12 VLANs.

    [edit vlans]
    lab@srxD-1# delete v11 dot1q-tunneling

    [edit vlans]
    lab@srxD-1# delete v12 dot1q-tunneling

    Step 1.8
    Navigate to the [edit ethernet-switching-options] hierarchy and set the Ethernet-type for the switch to 0x8100. Activate the changes and return to operational mode using the commit and-quit command.

    [edit vlans]
    lab@srxD-1# top edit ethernet-switching-options

    [edit ethernet-switching-options]
    lab@srxD-1# set dot1q-tunneling ether-type 0x8100

    [edit ethernet-switching-options]
    lab@srxD-1# commit and-quit
    commit complete
    Exiting configuration mode

    lab@srxD-1>


    Step 1.9
    Use the ping utility and attempt to verify access to and reachability through the Layer 2 network. Use the VRs associated with your assigned SRX device as the source devices for these tests. Use the corresponding VR connected to the remote team’s EX Series switch as the destination. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs. Do not forget to reference the correct routing instance.

    lab@srxD-1> ping routing-instance vry1 172.23.11.10z rapid
    PING 172.23.11.102 (172.23.11.102): 56 data bytes
    !!!!!
    --- 172.23.11.102 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.990/6.243/24.806/9.328 ms

    lab@srxD-1> ping routing-instance vry2 172.23.12.10z rapid
    PING 172.23.12.102 (172.23.12.102): 56 data bytes
    !!!!!
    --- 172.23.12.102 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.963/7.145/26.195/9.765 ms

    lab@srxD-1>

    Question: Do the ping operations succeed?

    Answer: Yes, the ping operations should now succeed. If the ping operations do not succeed, check your configuration and work with the remote team and your instructor as needed.

    Part 2: Configuring 802.1X
    In this lab part, you configure 802.1X and the static MAC bypass option. Once configured, you use relevant operational mode commands to monitor operations. Refer to the network diagram for this lab for topological and configuration details.

    Step 2.1
    Return to the session opened for your assigned EX Series switch.

    Display the Ethernet switching table to determine what MAC addresses have been learned for the v11 and v12 VLANs.

    {master:0}
    lab@exD-1> show ethernet-switching table vlan v11
    Ethernet-switching table: 2 unicast entries
      VLAN    MAC address         Type    Age   Interfaces
      v11     *                   Flood   -     All-members
      v11     00:26:88:02:6b:87   Learn   57    ge-0/0/9.0
      v11     00:26:88:02:74:87   Learn   59    ge-0/0/7.0

    {master:0}
    lab@exD-1> show ethernet-switching table vlan v12
    Ethernet-switching table: 2 unicast entries
      VLAN    MAC address         Type    Age   Interfaces
      v12     *                   Flood   -     All-members
      v12     00:26:88:02:6b:88   Learn   31    ge-0/0/9.0
      v12     00:26:88:02:74:88   Learn   1:02  ge-0/0/8.0

    Question: Do the MAC addresses learned for the v11 and v12 VLANs match the MAC addresses shown on the network diagram for this lab?

    Answer: Yes, the MAC addresses listed for the referenced VLANs should match those shown on the network diagram for this lab. If you do not see any learned MAC addresses for the v11 and v12 VLANs, you might need to run through the ping tests in Part 1 once again.

    Step 2.2
    Enter configuration mode and navigate to the [edit access] hierarchy level. Define a RADIUS server using the IP address of the server located in the management network and a secret of Juniper. Refer to the Management Network Diagram or consult with your instructor as needed.

    {master:0}
    lab@exD-1> configure
    Entering configuration mode

    {master:0}[edit]
    lab@exD-1# edit access

    {master:0}[edit access]
    lab@exD-1# set radius-server 10.210.n.n secret Juniper

    {master:0}[edit access]
    lab@exD-1#

    Step 2.3
    Create an authentication profile named my-profile. Define an authentication order of RADIUS only and use the IP address of the RADIUS server defined in the previous step as the authentication server.

    {master:0}[edit access]
    lab@exD-1# set profile my-profile authentication-order radius

    {master:0}[edit access]
    lab@exD-1# set profile my-profile radius authentication-server 10.210.n.n


    Step 2.4
    Navigate to the [edit protocols dot1x] hierarchy and configure your switch as an 802.1X authenticator. Use the authentication profile defined in the previous step and enable 802.1X authentication for the ge-0/0/7.0 and ge-0/0/8.0 interfaces. Activate the configuration changes using the commit command.

    {master:0}[edit access]
    lab@exD-1# top edit protocols dot1x

    {master:0}[edit protocols dot1x]
    lab@exD-1# set authenticator authentication-profile-name my-profile

    {master:0}[edit protocols dot1x]
    lab@exD-1# set authenticator interface ge-0/0/7.0

    {master:0}[edit protocols dot1x]
    lab@exD-1# set authenticator interface ge-0/0/8.0

    {master:0}[edit protocols dot1x]
    lab@exD-1# commit
    configuration check succeeds
    commit complete

    {master:0}[edit protocols dot1x]
    lab@exD-1#

    Step 2.5
    Issue the run show dot1x interface detail command and answer the questions that follow.

    {master:0}[edit protocols dot1x]
    lab@exD-1# run show dot1x interface detail
    ge-0/0/7.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Single
      Number of retries: 3
      Quiet period: 60 seconds
      Transmit period: 30 seconds
      Mac Radius: Disabled
      Mac Radius Restrict: Disabled
      Reauthentication: Enabled
      Configured Reauthentication interval: 3600 seconds
      Supplicant timeout: 30 seconds
      Server timeout: 30 seconds
      Maximum EAPOL requests: 2
      Guest VLAN member:
    ge-0/0/8.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Single
      Number of retries: 3
      Quiet period: 60 seconds
      Transmit period: 30 seconds
      Mac Radius: Disabled
      Mac Radius Restrict: Disabled
      Reauthentication: Enabled
      Configured Reauthentication interval: 3600 seconds
      Supplicant timeout: 30 seconds
      Server timeout: 30 seconds
      Maximum EAPOL requests: 2
      Guest VLAN member:

    Question: What is the current supplicant mode enabled for the listed interfaces?

    Answer: The current supplicant mode enabled for the ge-0/0/7.0 and ge-0/0/8.0 interfaces is the Single supplicant mode, which is the default mode.

    Question: If an 802.1X client authenticated through the ge-0/0/7.0 or ge-0/0/8.0 interfaces, would that client be forced to reauthenticate after a period of time? If so, after what period of time?

    Answer: Based on the current configuration, an authenticated client would need to reauthenticate after 3600 seconds (1 hour).

    Step 2.6
    Set the supplicant mode for the ge-0/0/7.0 and ge-0/0/8.0 interfaces to the single-secure supplicant mode. Disable reauthentication on the ge-0/0/7.0 interface and double the reauthentication interval on the ge-0/0/8.0 interface to 7200 seconds (2 hours).

    {master:0}[edit protocols dot1x]
    lab@exD-1# set authenticator interface ge-0/0/7.0 supplicant single-secure

    {master:0}[edit protocols dot1x]
    lab@exD-1# set authenticator interface ge-0/0/8.0 supplicant single-secure

    {master:0}[edit protocols dot1x]
    lab@exD-1# set authenticator interface ge-0/0/7.0 no-reauthentication

    {master:0}[edit protocols dot1x]
    lab@exD-1# set authenticator interface ge-0/0/8.0 reauthentication 7200

    {master:0}[edit protocols dot1x]
    lab@exD-1# show
    authenticator {
        authentication-profile-name my-profile;
        interface {
            ge-0/0/7.0 {
                supplicant single-secure;
                no-reauthentication;
            }
            ge-0/0/8.0 {
                supplicant single-secure;
                reauthentication 7200;
            }
        }
    }

    Step 2.7
    Activate the configuration changes using the commit command. Next, issue the run show dot1x interface detail command and answer the questions that follow.

    {master:0}[edit protocols dot1x]
    lab@exD-1# commit
    configuration check succeeds
    commit complete

    {master:0}[edit protocols dot1x]
    lab@exD-1# run show dot1x interface detail
    ge-0/0/7.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Single-Secure
      Number of retries: 3
      Quiet period: 60 seconds
      Transmit period: 30 seconds
      Mac Radius: Disabled
      Mac Radius Restrict: Disabled
      Reauthentication: Disabled
      Configured Reauthentication interval: 3600 seconds
      Supplicant timeout: 30 seconds
      Server timeout: 30 seconds
      Maximum EAPOL requests: 2
      Guest VLAN member:
      Number of connected supplicants: 0
    ge-0/0/8.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Single-Secure
      Number of retries: 3
      Quiet period: 60 seconds
      Transmit period: 30 seconds
      Mac Radius: Disabled
      Mac Radius Restrict: Disabled
      Reauthentication: Enabled
      Configured Reauthentication interval: 7200 seconds
      Supplicant timeout: 30 seconds
      Server timeout: 30 seconds
      Maximum EAPOL requests: 2
      Guest VLAN member:
      Number of connected supplicants: 0


    Question: Have the recent changes taken effect?

    Answer: Yes, as shown in the sample output, the recent changes are now in effect. You can see that both the ge-0/0/7.0 and ge-0/0/8.0 interfaces are now enabled for the Single-Secure supplicant mode, the ge-0/0/7.0 interface now has reauthentication disabled, and the ge-0/0/8.0 interface still has reauthentication enabled, but the interval is now 7200 seconds (2 hours) rather than the previous interval of 3600 seconds (1 hour).

    Step 2.8
    Return to the session opened for your assigned SRX device.

    Use the ping utility and attempt to verify access to and reachability through the Layer 2 network. Use the VRs associated with your assigned SRX device as the source devices for these tests. Use the corresponding VR connected to the remote team’s EX Series switch as the destination. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs. Do not forget to reference the correct routing instance.

    lab@srxD-1> ping routing-instance vry1 172.23.11.10z rapid
    PING 172.23.11.102 (172.23.11.102): 56 data bytes
    .....
    --- 172.23.11.102 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss

    lab@srxD-1> ping routing-instance vry2 172.23.12.10z rapid
    PING 172.23.12.102 (172.23.12.102): 56 data bytes
    .....
    --- 172.23.12.102 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss

    Question: Can the VRs access the Layer 2 network through your assigned EX Series switch?

    Answer: No, the VRs should not be able to access the Layer 2 network because of the lack of support for 802.1X.

    Step 2.9
    Return to the session opened for your assigned EX Series switch.

    Configure the static MAC bypass option to always permit the MAC addresses shown on the network diagram. Associate the illustrated MAC addresses with their corresponding access ports. Refer to the network diagram for this lab as needed. Activate the changes using the commit command.

    {master:0}[edit protocols dot1x]
    lab@exD-1# set authenticator static 00:26:88:02:nn:87 interface ge-0/0/7.0

    {master:0}[edit protocols dot1x]
    lab@exD-1# set authenticator static 00:26:88:02:nn:88 interface ge-0/0/8.0

    {master:0}[edit protocols dot1x]
    lab@exD-1# commit
    [edit protocols dot1x authenticator static 00:26:88:02:74:87/48 interface]
      'interface ge-0/0/7.0'
        Static MAC cannot be configured on interface in single or single-secure mode
    [edit protocols dot1x authenticator static 00:26:88:02:74:88/48 interface]
      'interface ge-0/0/8.0'
        Static MAC cannot be configured on interface in single or single-secure mode
    error: commit failed: (statements constraint check failed)

    Question: Did the commit operation succeed? If not, why not?

    Answer: No, the commit operation should not succeed because of an incompatible setting in the configuration file. As indicated in the commit error message, you must use the multiple supplicant mode on interfaces that are bound to a static MAC bypass statement.

    Step 2.10
    Change the supplicant mode on the ge-0/0/7.0 and ge-0/0/8.0 interfaces to the multiple supplicant mode. Issue the commit command to activate the changes.

    {master:0}[edit protocols dot1x]
    lab@exD-1# set authenticator interface ge-0/0/7.0 supplicant multiple

    {master:0}[edit protocols dot1x]
    lab@exD-1# set authenticator interface ge-0/0/8.0 supplicant multiple

    {master:0}[edit protocols dot1x]
    lab@exD-1# commit
    configuration check succeeds
    commit complete
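The constraint the commit error reports, and the state Step 2.10 leaves behind, as an added Python model (not part of the lab guide or of Junos): it parses the lab's own set statements, re-creates the static-MAC versus supplicant-mode check that made the first commit fail, and lists what a reviewer would note once it succeeds. The defaults (Single mode, 3600-second reauthentication) are taken from the Step 2.5 output, the 00:26:88:02:74:xx addresses from the lab's commit output; the regular expression covers only the statements used in this lab part.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Dot1xPort:
    # Defaults as "show dot1x interface detail" reported them in Step 2.5.
    supplicant: str = "single"
    reauthentication: Optional[int] = 3600  # seconds; None means no-reauthentication
    static_macs: List[str] = field(default_factory=list)


# Only the "set authenticator ..." statements used in Part 2 are modelled.
SET_RE = re.compile(
    r"^set authenticator (?:"
    r"interface (?P<ifl>\S+) (?:supplicant (?P<mode>single-secure|single|multiple)"
    r"|(?P<noreauth>no-reauthentication)|reauthentication (?P<reauth>\d+))"
    r"|static (?P<mac>[0-9a-fA-F:]{17}) interface (?P<sifl>\S+))$")


def load_authenticator(set_commands: List[str]) -> Dict[str, Dot1xPort]:
    """Build the per-interface state that a sequence of set commands produces."""
    ports: Dict[str, Dot1xPort] = {}
    for line in set_commands:
        m = SET_RE.match(line.strip())
        if not m:
            continue  # e.g. authentication-profile-name, irrelevant to this check
        if m["mac"]:
            ports.setdefault(m["sifl"], Dot1xPort()).static_macs.append(m["mac"].lower())
            continue
        port = ports.setdefault(m["ifl"], Dot1xPort())
        if m["mode"]:
            port.supplicant = m["mode"]
        elif m["noreauth"]:
            port.reauthentication = None
        else:
            port.reauthentication = int(m["reauth"])
    return ports


def commit_check(ports: Dict[str, Dot1xPort]) -> List[str]:
    """Re-create the constraint behind the commit error in Step 2.9: a static
    MAC bypass entry may only reference an interface in multiple supplicant mode."""
    errors = []
    for ifl, port in sorted(ports.items()):
        if port.supplicant != "multiple":
            for mac in port.static_macs:
                errors.append(f"[edit protocols dot1x authenticator static {mac}/48 interface] "
                              f"'interface {ifl}': Static MAC cannot be configured on "
                              f"interface in single or single-secure mode")
    return errors


def review(ports: Dict[str, Dot1xPort]) -> List[str]:
    """What a reviewer would flag once the configuration does commit."""
    notes = []
    for ifl, port in sorted(ports.items()):
        if port.reauthentication is None:
            notes.append(f"{ifl}: reauthentication disabled, sessions are never re-validated")
        for mac in port.static_macs:
            notes.append(f"{ifl}: {mac} is admitted by static MAC bypass without 802.1X")
    return notes


# The lab's own statements from Steps 2.6, 2.9 and 2.10; the nn placeholder is
# replaced with the 74 shown in the lab's commit output.
STEP_2_6 = ["set authenticator interface ge-0/0/7.0 supplicant single-secure",
            "set authenticator interface ge-0/0/8.0 supplicant single-secure",
            "set authenticator interface ge-0/0/7.0 no-reauthentication",
            "set authenticator interface ge-0/0/8.0 reauthentication 7200"]
STEP_2_9 = ["set authenticator static 00:26:88:02:74:87 interface ge-0/0/7.0",
            "set authenticator static 00:26:88:02:74:88 interface ge-0/0/8.0"]
STEP_2_10 = ["set authenticator interface ge-0/0/7.0 supplicant multiple",
             "set authenticator interface ge-0/0/8.0 supplicant multiple"]
```

Running `commit_check(load_authenticator(STEP_2_6 + STEP_2_9))` reproduces the two constraint errors; adding STEP_2_10 clears them, and `review` then lists the ge-0/0/7.0 port with reauthentication disabled and both statically bypassed addresses.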

    Note
    Before proceeding, ensure that the remote team in your pod finishes the previous step.


    Step 2.11
    Return to the session opened for your assigned SRX device.

    Use the ping utility and attempt to verify access to and reachability through the Layer 2 network. Use the VRs associated with your assigned SRX device as the source devices for these tests. Use the corresponding VR connected to the remote team’s EX Series switch as the destination. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs. Do not forget to reference the correct routing instance.

    lab@srxD-1> ping routing-instance vry1 172.23.11.10z rapid
    PING 172.23.11.102 (172.23.11.102): 56 data bytes
    !!!!!
    --- 172.23.11.102 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.200/32.826/159.058/63.116 ms

    lab@srxD-1> ping routing-instance vry2 172.23.12.10z rapid
    PING 172.23.12.102 (172.23.12.102): 56 data bytes
    !!!!!
    --- 172.23.12.102 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.176/31.789/153.650/60.930 ms

    Question: Can the VRs access the Layer 2 network through your assigned EX Series switch?

    Answer: Yes, now that the static MAC bypass configuration has been added, the VRs should be able to access the Layer 2 network. If your tests do not succeed, check your configuration and work with the remote team and instructor as needed.

    Part 3: Configuring and Monitoring Other Access and Authentication Features
    In this lab part, you configure the MAC RADIUS, guest VLAN, and server fail fallback features. Once configured, you use various operational mode commands to verify proper operations.

    Step 3.1
    Return to the session opened for your assigned EX Series switch.

    Issue the run show dot1x static-mac-address command to view the MAC addresses currently permitted through static MAC bypass. Delete all static MAC bypass entries and activate the changes using the commit command.

    {master:0}[edit protocols dot1x]
    lab@exD-1# run show dot1x static-mac-address
    MAC address/prefix       VLAN-Assignment   Interface
    00:26:88:02:74:87/48                       ge-0/0/7.0
    00:26:88:02:74:88/48                       ge-0/0/8.0
