Ethernet Switching User Guide
Published
2020-02-10
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Ethernet Switching User Guide
Copyright © 2020 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation | xxxiii
Documentation and Release Notes | xxxiii
Using the Examples in This Manual | xxxiii
Merging a Full Example | xxxiv
Merging a Snippet | xxxiv
Documentation Conventions | xxxv
Documentation Feedback | xxxviii
Requesting Technical Support | xxxviii
Self-Help Online Tools and Resources | xxxix
Creating a Service Request with JTAC | xxxix
1 Understanding Layer 2 Networking
Layer 2 Networking | 43
Overview of Layer 2 Networking | 43
Ethernet Switching and Layer 2 Transparent Mode Overview | 45
Layer 2 Transparent Mode on the SRX5000 Line Module Port Concentrator | 47
Understanding IPv6 Flows in Transparent Mode on Security Devices | 48
Understanding Layer 2 Transparent Mode Chassis Clusters on Security Devices | 49
Configuring Out-of-Band Management on SRX Devices | 51
Ethernet Switching | 51
Layer 2 Switching Exceptions on SRX Series Devices | 52
Understanding Unicast | 53
Understanding Layer 2 Broadcasting on Switches | 53
Using the Enhanced Layer 2 Software CLI | 54
Understanding Which Devices Support ELS | 55
Understanding How to Configure Layer 2 Features Using ELS | 55
Understanding ELS Configuration Statement and Command Changes | 59
Enhanced Layer 2 CLI Configuration Statement and Command Changes for Security Devices | 76
Layer 2 Next Generation Mode for ACX Series | 78
2 Configuring Layer 2 Forwarding Tables
Layer 2 Forwarding Tables | 83
Layer 2 Learning and Forwarding for VLANs Overview | 83
Understanding Layer 2 Forwarding Tables on Switches, Routers and NFX Series Devices | 83
Understanding Layer 2 Forwarding Tables on Security Devices | 84
Layer 2 Learning and Forwarding for VLANs Acting as a Switch for a Layer 2 Trunk Port | 85
Understanding the Unified Forwarding Table | 86
Benefits of Unified Forwarding Tables | 86
Using the Unified Forwarding Table to Optimize Address Storage | 87
Understanding the Allocation of MAC Addresses and Host Addresses | 87
Understanding Ternary Content Addressable Memory (TCAM) and Longest Prefix Match Entries | 93
Host Table Example for Profile with Heavy Layer 2 Traffic | 94
Example: Configuring a Unified Forwarding Table Custom Profile | 95
Configuring the Unified Forwarding Table on Switches | 99
Configuring a Unified Forwarding Table Profile | 101
Configuring the Memory Allocation for Longest Prefix Match Entries | 102
Configuring Forwarding Mode on Switches | 109
Disabling Layer 2 Learning and Forwarding | 109
3 Configuring MAC Addresses
MAC Addresses | 113
Introduction to the Media Access Control (MAC) Layer 2 Sublayer | 113
Understanding MAC Address Assignment on an EX Series Switch | 114
Configuring MAC Move Parameters | 115
Configuring MAC Limiting (ELS) | 117
Limiting the Number of MAC Addresses Learned by an Interface | 118
Limiting the Number of MAC Addresses Learned by a VLAN | 118
Adding a Static MAC Address Entry to the Ethernet Switching Table on a Switch with ELS Support | 119
Adding a Static MAC Address Entry to the Ethernet Switching Table | 120
Example: Configuring the Default Learning for Unknown MAC Addresses | 121
4 Configuring MAC Learning
MAC Learning | 125
Understanding MAC Learning | 125
Disabling MAC Learning on Devices with ELS Support | 125
Disabling MAC Learning on QFX Switches | 126
Disabling MAC Learning in a VLAN on a QFX Switch | 127
Disabling MAC Learning for a VLAN or Logical Interface | 128
Disabling MAC Learning for a Set of VLANs | 129
5 Configuring MAC Accounting
MAC Accounting | 133
Enabling MAC Accounting on a Device | 133
Enabling MAC Accounting for a VLAN | 133
Enabling MAC Accounting for a Set of VLANs | 134
Verifying That MAC Accounting Is Working | 134
6 Configuring MAC Notification
MAC Notification | 139
Understanding MAC Notification on EX Series Switches | 139
Configuring MAC Notification on Switches with ELS Support | 140
Enabling MAC Notification | 140
Disabling MAC Notification | 141
Setting the MAC Notification Interval | 141
Configuring Non-ELS MAC Notification | 141
Enabling MAC Notification | 142
Disabling MAC Notification | 142
Setting the MAC Notification Interval | 143
Verifying That MAC Notification Is Working Properly | 143
7 Configuring MAC Table Aging
MAC Table Aging | 147
Understanding MAC Table Aging | 147
Configuring MAC Table Aging on Switches | 149
8 Configuring Learning and Forwarding
Layer 2 Forwarding Tables | 153
Layer 2 Learning and Forwarding for VLANs Overview | 153
Understanding Layer 2 Forwarding Tables on Switches, Routers and NFX Series Devices | 153
Understanding Layer 2 Forwarding Tables on Security Devices | 154
Layer 2 Learning and Forwarding for VLANs Acting as a Switch for a Layer 2 Trunk Port | 155
Understanding the Unified Forwarding Table | 156
Benefits of Unified Forwarding Tables | 156
Using the Unified Forwarding Table to Optimize Address Storage | 157
Understanding the Allocation of MAC Addresses and Host Addresses | 157
Understanding Ternary Content Addressable Memory (TCAM) and Longest Prefix Match Entries | 163
Host Table Example for Profile with Heavy Layer 2 Traffic | 164
Example: Configuring a Unified Forwarding Table Custom Profile | 165
Configuring the Unified Forwarding Table on Switches | 169
Configuring a Unified Forwarding Table Profile | 171
Configuring the Memory Allocation for Longest Prefix Match Entries | 172
Configuring Forwarding Mode on Switches | 179
Disabling Layer 2 Learning and Forwarding | 179
9 Configuring Bridging and VLANs
Bridging and VLANs | 183
Understanding Bridging and VLANs on Switches | 183
Benefits of Using VLANs | 184
History of VLANs | 185
How Bridging of VLAN Traffic Works | 185
Packets Are Either Tagged or Untagged | 186
Switch Interface Modes—Access, Trunk, or Tagged Access | 187
Maximum VLANs and VLAN Members Per Switch | 189
A Default VLAN Is Configured on Most Switches | 190
Assigning Traffic to VLANs | 191
Forwarding VLAN Traffic | 192
VLANs Communicate with Integrated Routing and Bridging Interfaces or Routed VLAN Interfaces | 192
VPLS Ports | 192
Configuring VLANs on Switches with Enhanced Layer 2 Support | 194
Configuring a VLAN | 196
Configuring VLANs on Switches | 197
Configuring VLANs for EX Series Switches | 198
Why Create a VLAN? | 199
Create a VLAN Using the Minimum Procedure | 199
Create a VLAN Using All of the Options | 200
Configuration Guidelines for VLANs | 201
Example: Configuring VLANs on Security Devices | 202
Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch with ELS Support | 205
Example: Setting Up Basic Bridging and a VLAN on Switches | 218
Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch | 241
Example: Setting Up Bridging with Multiple VLANs | 251
Example: Setting Up Bridging with Multiple VLANs on Switches | 258
Example: Connecting Access Switches with ELS Support to a Distribution Switch with ELS Support | 266
Example: Setting Up Bridging with Multiple VLANs for EX Series Switches | 280
Example: Connecting an Access Switch to a Distribution Switch | 290
Configuring a Logical Interface for Access Mode | 303
Configuring the Native VLAN Identifier | 304
Configuring the Native VLAN Identifier on Switches With ELS Support | 305
Configuring VLAN Encapsulation | 306
Example: Configuring VLAN Encapsulation on a Gigabit Ethernet Interface | 306
Example: Configuring VLAN Encapsulation on an Aggregated Ethernet Interface | 307
10 Configuring 802.1Q VLANs
802.1Q VLANs Overview | 311
802.1Q VLAN IDs and Ethernet Interface Types | 312
Configuring Dynamic 802.1Q VLANs | 313
Enabling VLAN Tagging | 314
Configuring Tagged Interface with multiple tagged vlans and native vlan | 316
Sending Untagged Traffic Without VLAN ID to Remote End | 318
Configuring Flexible VLAN Tagging on PTX Series Packet Transport Routers | 319
Configuring an MPLS-Based VLAN CCC with Pop, Push, and Swap and Control Passthrough | 321
Binding VLAN IDs to Logical Interfaces | 325
Associating VLAN IDs to VLAN Demux Interfaces | 329
Associating VLAN IDs to VLAN Demux Interfaces Overview | 329
Associating a VLAN ID to a VLAN Demux Interface | 330
Associating a VLAN ID to a Single-Tag VLAN Demux Interface | 330
Associating a VLAN ID to a Dual-Tag VLAN Demux Interface | 331
Configuring VLAN and Extended VLAN Encapsulation | 331
Configuring a Layer 2 VPN Routing Instance on a VLAN-Bundled Logical Interface | 333
Configuring a VLAN-Bundled Logical Interface to Support a Layer 2 VPN Routing Instance | 333
Specifying the Interface Over Which VPN Traffic Travels to the CE Router | 334
Specifying the Interface to Handle Traffic for a CCC | 334
Example: Configuring a Layer 2 VPN Routing Instance on a VLAN-Bundled Logical Interface | 336
Specifying the Interface Over Which VPN Traffic Travels to the CE Router | 338
Configuring Access Mode on a Logical Interface | 338
Configuring a Logical Interface for Trunk Mode | 339
Configuring the VLAN ID List for a Trunk Interface | 340
Configuring a Trunk Interface on a Bridge Network | 341
Configuring a VLAN-Bundled Logical Interface to Support a Layer 2 VPN Routing Instance | 344
Configuring a VLAN-Bundled Logical Interface to Support a Layer 2 VPN Routing Instance | 345
Configuring a Layer 2 Circuit on a VLAN-Bundled Logical Interface | 346
Configuring a VLAN-Bundled Logical Interface to Support a Layer 2 VPN Routing Instance | 346
Specifying the Interface to Handle Traffic for a CCC Connected to the Layer 2 Circuit | 347
Example: Configuring a Layer 2 Circuit on a VLAN-Bundled Logical Interface | 348
Guidelines for Configuring VLAN ID List-Bundled Logical Interfaces That Connect CCCs | 350
Guidelines for Configuring Physical Link-Layer Encapsulation to Support CCCs | 351
Guidelines for Configuring Logical Link-Layer Encapsulation to Support CCCs | 351
Specifying the Interface to Handle Traffic for a CCC | 353
Specifying the Interface to Handle Traffic for a CCC Connected to the Layer 2 Circuit | 354
11 Configuring Static ARP Table Entries
Static ARP Table Entries Overview | 357
Configuring Static ARP Table Entries For Mapping IP Addresses to MAC Addresses | 357
12 Configuring Restricted and Unrestricted Proxy ARP
Restricted and Unrestricted Proxy ARP Overview | 363
Restricted Proxy ARP | 363
Unrestricted Proxy ARP | 363
Topology Considerations for Unrestricted Proxy ARP | 364
Configuring Restricted and Unrestricted Proxy ARP | 365
13 Configuring Gratuitous ARP
Configuring Gratuitous ARP | 369
14 Adjusting the ARP Aging Timer
Adjusting the ARP Aging Timer | 373
15 Configuring Tagged VLANs
Configuring Tagged VLANs | 377
Creating a Series of Tagged VLANs | 378
Creating a Series of Tagged VLANs on EX Series Switches (CLI Procedure) | 380
Creating a Series of Tagged VLANs on Switches with ELS Support | 382
Verifying That a Series of Tagged VLANs Has Been Created | 383
Verifying That a Series of Tagged VLANs Has Been Created on an EX Series Switch | 386
Configuring Double-Tagged VLANs on Layer 3 Logical Interfaces | 389
Stacking a VLAN Tag | 390
Rewriting a VLAN Tag and Adding a New Tag | 390
Rewriting the Inner and Outer VLAN Tags | 391
Rewriting the VLAN Tag on Tagged Frames | 392
Configuring VLAN Translation with a VLAN ID List | 394
Configuring VLAN Translation on Security Devices | 394
Example: Configuring VLAN Retagging for Layer 2 Transparent Mode on a Security Device | 396
Configuring Inner and Outer TPIDs and VLAN IDs | 397
16 Stacking and Rewriting Gigabit Ethernet VLAN Tags
Stacking and Rewriting Gigabit Ethernet VLAN Tags Overview | 405
Stacking and Rewriting Gigabit Ethernet VLAN Tags | 406
Configuring Frames with Particular TPIDs to Be Processed as Tagged Frames | 409
Configuring Tag Protocol IDs (TPIDs) on PTX Series Packet Transport Routers | 410
Configuring Stacked VLAN Tagging | 411
Configuring Dual VLAN Tags | 412
Configuring Inner and Outer TPIDs and VLAN IDs | 412
Stacking a VLAN Tag | 417
Stacking Two VLAN Tags | 418
Removing a VLAN Tag | 419
Removing the Outer and Inner VLAN Tags | 419
Removing the Outer VLAN Tag and Rewriting the Inner VLAN Tag | 420
Rewriting the VLAN Tag on Tagged Frames | 421
Rewriting a VLAN Tag on Untagged Frames | 423
Overview | 423
Example: push and pop with Ethernet CCC Encapsulation | 425
Example: push-push and pop-pop with Ethernet CCC Encapsulation | 426
Example: push and pop with Ethernet VPLS Encapsulation | 426
Example: push-push and pop-pop with Ethernet VPLS Encapsulation | 427
Rewriting a VLAN Tag and Adding a New Tag | 427
Rewriting the Inner and Outer VLAN Tags | 428
Examples: Stacking and Rewriting Gigabit Ethernet IQ VLAN Tags | 429
Understanding Transparent Tag Operations and IEEE 802.1p Inheritance | 438
Understanding swap-by-poppush | 441
Configuring IEEE 802.1p Inheritance push and swap from the Transparent Tag | 441
17 Configuring Private VLANs
Private VLANs | 447
Understanding Private VLANs | 447
Benefits of PVLANs | 449
Typical Structure and Primary Application of PVLANs | 449
Typical Structure and Primary Application of PVLANs on MX Series Routers | 452
Typical Structure and Primary Application of PVLANs on EX Series Switches | 454
Routing Between Isolated and Community VLANs | 456
PVLANs Use 802.1Q Tags to Identify Packets | 456
PVLANs Use IP Addresses Efficiently | 457
PVLAN Port Types and Forwarding Rules | 457
Creating a PVLAN | 460
Limitations of Private VLANs | 462
Understanding PVLAN Traffic Flows Across Multiple Switches | 463
Community VLAN Sending Untagged Traffic | 464
Isolated VLAN Sending Untagged Traffic | 465
PVLAN Tagged Traffic Sent on a Promiscuous Port | 466
Understanding Secondary VLAN Trunk Ports and Promiscuous Access Ports on PVLANs | 467
PVLAN Port Types | 468
Secondary VLAN Trunk Port Details | 469
Use Cases | 470
Using 802.1X Authentication and Private VLANs Together on the Same Interface | 477
Understanding Using 802.1X Authentication and PVLANs Together on the Same Interface | 478
Configuration Guidelines for Combining 802.1X Authentication with PVLANs | 478
Example: Configuring 802.1X Authentication with Private VLANs in One Configuration | 479
Putting Access Port Security on Private VLANs | 485
Understanding Access Port Security on PVLANs | 485
Configuration Guidelines for Putting Access Port Security Features on PVLANs | 486
Example: Configuring Access Port Security on a PVLAN | 486
Creating a Private VLAN on a Single Switch with ELS Support (CLI Procedure) | 496
Creating a Private VLAN on a Single QFX Switch | 499
Creating a Private VLAN on a Single EX Series Switch (CLI Procedure) | 501
Creating a Private VLAN Spanning Multiple QFX Series Switches | 503
Creating a Private VLAN Spanning Multiple EX Series Switches with ELS Support (CLIProcedure) | 505
Creating a Private VLAN Spanning Multiple EX Series Switches (CLI Procedure) | 508
Example: Configuring a Private VLAN on a Single Switch with ELS Support | 510
Example: Configuring a Private VLAN on a Single QFX Series Switch | 514
Example: Configuring a Private VLAN on a Single EX Series Switch | 522
Example: Configuring a Private VLAN Spanning Multiple QFX Switches | 531
Example: Configuring a Private VLAN Spanning Multiple Switches With an IRB Interface | 550
Example: Configuring a Private VLAN Spanning Multiple EX Series Switches | 569
Example: Configuring PVLANs with Secondary VLAN Trunk Ports and Promiscuous Access Ports on a QFX Series Switch | 590
Verifying That a Private VLAN Is Working on a Switch | 606
Troubleshooting Private VLANs on QFX Switches | 613
Limitations of Private VLANs | 613
Forwarding with Private VLANs | 614
Egress Firewall Filters with Private VLANs | 615
Egress Port Mirroring with Private VLANs | 616
Understanding Private VLANs | 616
Benefits of PVLANs | 618
Typical Structure and Primary Application of PVLANs | 618
Typical Structure and Primary Application of PVLANs on MX Series Routers | 621
Typical Structure and Primary Application of PVLANs on EX Series Switches | 623
Routing Between Isolated and Community VLANs | 626
PVLANs Use 802.1Q Tags to Identify Packets | 626
PVLANs Use IP Addresses Efficiently | 627
PVLAN Port Types and Forwarding Rules | 627
Creating a PVLAN | 630
Limitations of Private VLANs | 632
Bridge Domains Setup in PVLANs on MX Series Routers | 634
Bridging Functions With PVLANs | 636
Flow of Frames on PVLAN Ports Overview | 637
Ingress Traffic on Isolated Ports | 638
Ingress Traffic on Community ports | 638
Ingress Traffic on Promiscuous Ports | 639
Ingress Traffic on Interswitch Links | 639
Packet Forwarding in PVLANs | 639
Guidelines for Configuring PVLANs on MX Series Routers | 640
Configuring PVLANs on MX Series Routers in Enhanced LAN Mode | 642
Example: Configuring PVLANs with Secondary VLAN Trunk Ports and Promiscuous Access Ports on a QFX Series Switch | 644
IRB Interfaces in Private VLANs on MX Series Routers | 661
Guidelines for Configuring IRB Interfaces in PVLANs on MX Series Routers | 662
Forwarding of Packets Using IRB Interfaces in PVLANs | 663
Incoming ARP Requests on PVLAN Ports | 663
Outgoing ARP Responses on PVLAN Ports | 664
Outgoing ARP Requests on PVLAN Ports | 664
Incoming ARP Responses on PVLAN Ports | 664
Receipt of Layer 3 Packets on PVLAN Ports | 665
Configuring IRB Interfaces in PVLAN Bridge Domains on MX Series Routers in Enhanced LAN Mode | 665
Example: Configuring an IRB Interface in a Private VLAN on a Single MX Series Router | 667
18 Configuring Layer 2 Bridging Interfaces
Layer 2 Bridging Interfaces Overview | 679
Configuring Layer 2 Bridging Interfaces | 680
Example: Configuring the MAC Address of an IRB Interface | 681
19 Configuring Layer 2 Virtual Switch Instances
Layer 2 Virtual Switch Instances | 695
Understanding Layer 2 Virtual Switch Instances | 695
Configuring a Layer 2 Virtual Switch on an EX Series Switch | 696
Configuring a Layer 2 Virtual Switch with a Layer 2 Trunk Port | 697
20 Configuring Link Layer Discovery Protocol
LLDP Overview | 701
Configuring LLDP | 702
Example: Configuring LLDP | 707
LLDP Operational Mode Commands | 708
Tracing LLDP Operations | 709
21 Configuring Layer 2 Protocol Tunneling
Layer 2 Protocol Tunneling | 713
Understanding Layer 2 Protocol Tunneling | 713
Benefits of Layer 2 Protocol Tunneling | 714
How Layer 2 Protocol Tunneling Works | 714
MX Series Router Support for Layer 2 Protocol Tunneling | 715
ACX Series Router Support for Layer 2 Protocol Tunneling | 718
EX Series and QFX Series Switch Support for Layer 2 Protocol Tunneling | 719
Configuring Layer 2 Protocol Tunneling | 723
Clearing a MAC Rewrite Error on an Interface with Layer 2 Protocol Tunneling | 726
Configuring Layer 2 Protocol Tunneling on EX Series Switches Without ELS Support | 727
Example: Configuring Layer 2 Protocol Tunneling on EX Series Switches Without ELS Support | 729
22 Configuring Virtual Routing Instances
Virtual Routing Instances | 739
Understanding Virtual Routing Instances on EX Series Switches | 739
Configuring Virtual Routing Instances on EX Series Switches | 740
Example: Using Virtual Routing Instances to Route Among VLANs on EX Series Switches | 741
Verifying That Virtual Routing Instances Are Working on EX Series Switches | 746
23 Configuring Layer 3 Logical Interfaces
Layer 3 Logical Interfaces | 751
Understanding Layer 3 Logical Interfaces | 751
Configuring a Layer 3 Logical Interface | 752
Verifying That Layer 3 Logical Interfaces Are Working | 752
24 Configuring Routed VLAN Interfaces
Routed VLAN Interfaces | 757
Configuring a Routed VLAN Interface in a Private VLAN on an EX Series Switch | 757
Verifying Routed VLAN Interface Status and Statistics on EX Series Switches | 758
25 Configuring Integrated Routing and Bridging
Integrated Routing and Bridging | 763
Understanding Integrated Routing and Bridging | 763
IRB Interfaces on SRX Series Devices | 766
When Should I Use an IRB Interface or RVI? | 766
How Does an IRB Interface or RVI Work? | 767
Creating an IRB Interface or RVI | 767
Viewing IRB Interface and RVI Statistics | 768
IRB Interfaces and RVI Functions and Other Technologies | 769
Configuring IRB Interfaces on Switches | 770
Configuring Integrated Routing and Bridging for VLANs | 772
Configuring Integrated Routing and Bridging Interfaces on Switches (CLI Procedure) | 774
Using an IRB Interface in a Private VLAN on a Switch | 775
Configuring an IRB Interface in a Private VLAN | 775
IRB Interface Limitation in a PVLAN | 776
Example: Configuring Routing Between VLANs on One Switch Using an IRB Interface | 776
Example: Configuring an IRB Interface on a Security Device | 784
Example: Configuring VLAN with Members Across Two Nodes on a Security Device | 787
Example: Configuring IRB Interfaces on QFX5100 Switches over an MPLS Core Network | 792
Example: Configuring a Large Delay Buffer on a Security Device IRB Interface | 805
Configuring a Set of VLANs to Act as a Switch for a Layer 2 Trunk Port | 808
Excluding an IRB Interface from State Calculations on a QFX Series Switch | 809
Verifying Integrated Routing and Bridging Interface Status and Statistics on EX Series Switches | 811
26 Configuring VLANs and VPLS Routing Instances
VLANs and VPLS Routing Instances | 817
Guidelines for Configuring VLAN Identifiers for VLANs and VPLS Routing Instances | 817
Configuring VLAN Identifiers for VLANs and VPLS Routing Instances | 817
27 Configuring Multiple VLAN Registration Protocol (MVRP)
Multiple VLAN Registration Protocol | 825
Understanding Multiple VLAN Registration Protocol (MVRP) | 825
MVRP Operations | 826
How MVRP Updates, Creates, and Deletes VLANs on Switches | 827
MVRP Is Disabled by Default on Switches | 827
MRP Timers Control MVRP Updates | 828
MVRP Uses MRP Messages to Transmit Switch and VLAN States | 828
Compatibility Issues with Junos OS Releases of MVRP | 829
QFabric Requirements | 830
Determining Whether MVRP is Working | 831
Understanding Multiple VLAN Registration Protocol (MVRP) for Dynamic VLAN Registration | 831
How MVRP Works | 832
Using MVRP | 833
MVRP Registration Modes | 833
MRP Timers Control MVRP Updates | 833
MVRP Uses MRP Messages to Transmit Device and VLAN States | 834
MVRP Limitations | 834
Configuring Multiple VLAN Registration Protocol (MVRP) on Switches | 835
Enabling MVRP on Switches With ELS Support | 835
Enabling MVRP on Switches Without ELS Support | 836
Enabling MVRP on Switches With QFX Support | 836
Disabling MVRP | 837
Disabling Dynamic VLANs on EX Series Switches | 838
Configuring Timer Values | 838
Configuring Passive Mode on QFX Switches | 840
Configuring MVRP Registration Mode on EX Switches | 840
Using MVRP in a Mixed-Release EX Series Switching Network | 841
Configuring Multiple VLAN Registration Protocol (MVRP) to Manage Dynamic VLAN Registration on Security Devices | 843
Enabling MVRP | 843
Changing the Registration Mode to Disable Dynamic VLANs | 844
Configuring Timer Values | 844
Configuring the Multicast MAC Address for MVRP | 845
Configuring an MVRP Interface as a Point-to-Point Interface | 845
Configuring MVRP Tracing Options | 845
Disabling MVRP | 846
Example: Configuring Automatic VLAN Administration on QFX Switches Using MVRP | 846
Example: Configuring Automatic VLAN Administration Using MVRP on EX Series Switches with ELS Support | 853
Example: Configuring Automatic VLAN Administration Using MVRP on EX Series Switches | 870
Verifying That MVRP Is Working Correctly on Switches | 885
Verifying That MVRP Is Working Correctly on EX Series Switches with ELS Support | 887
Verifying That MVRP Is Working Correctly | 889
28 Configuring Ethernet Ring Protection Switching
Example: Configuring Ethernet Ring Protection Switching on EX Series Switches | 895
Example: Configuring Ethernet Ring Protection Switching on QFX Series and EX Series Switches Supporting ELS | 914
29 Configuring Q-in-Q Tunneling and VLAN Translation
Q-in-Q Tunneling and VLAN Translation | 929
Understanding Q-in-Q Tunneling and VLAN Translation | 929
How Q-in-Q Tunneling Works | 930
How VLAN Translation Works | 932
Using Dual VLAN Tag Translation | 933
Sending and Receiving Untagged Packets | 933
Disabling MAC Address Learning | 935
Mapping C-VLANs to S-VLANs | 935
Routed VLAN Interfaces on Q-in-Q VLANs | 939
Constraints for Q-in-Q Tunneling and VLAN Translation | 939
Configuring Q-in-Q Tunneling on QFX Series Switches | 941
Configuring Q-in-Q Tunneling on EX Series Switches with ELS Support | 942
Configuring All-in-One Bundling | 943
Configuring Many-to-Many Bundling | 945
Configuring a Specific Interface Mapping with VLAN Rewrite Option | 949
Configuring Q-in-Q Tunneling on EX Series Switches | 952
Configuring Q-in-Q Tunneling Using All-in-One Bundling | 953
Configuring Q-in-Q Tunneling Using Many-to-Many Bundling | 956
Configuring a Specific Interface Mapping with VLAN ID Translation Option | 960
Example: Setting Up Q-in-Q Tunneling on QFX Series Switches | 962
Example: Setting Up Q-in-Q Tunneling on EX Series Switches | 967
Setting Up a Dual VLAN Tag Translation Configuration on QFX Switches | 971
Verifying That Q-in-Q Tunneling Is Working on Switches | 975
30 Configuring Redundant Trunk Groups
Redundant Trunk Groups | 979
Understanding Redundant Trunk Links (Legacy RTG Configuration) | 980
Configuring Redundant Trunk Links for Faster Recovery on EX Series Switches | 982
Example: Configuring Redundant Trunk Links for Faster Recovery on Devices with ELS Support | 983
Example: Configuring Redundant Trunk Links for Faster Recovery on EX Series Switches | 989
31 Configuring Proxy ARP
Proxy ARP | 999
Understanding Proxy ARP | 999
Benefits of Using Proxy ARP | 1000
What Is ARP? | 1000
Proxy ARP Overview | 1000
Best Practices for Proxy ARP | 1001
Configuring Proxy ARP on Devices with ELS Support | 1002
Configuring Proxy ARP on Switches | 1003
Configuring Proxy ARP | 1004
Verifying That Proxy ARP Is Working Correctly | 1004
32 Configuring Layer 2 Interfaces on Security Devices
Layer 2 Interfaces on Security Devices | 1009
Understanding Layer 2 Interfaces on Security Devices | 1009
Example: Configuring Layer 2 Logical Interfaces on Security Devices | 1010
Understanding Mixed Mode (Transparent and Route Mode) on Security Devices | 1011
Example: Improving Security Services by Configuring an SRX Series Device Using Mixed Mode (Transparent and Route Mode) | 1015
33 Configuring Security Zones and Security Policies on Security Devices
Security Zones and Security Policies on Security Devices | 1027
Understanding Layer 2 Security Zones | 1027
Example: Configuring Layer 2 Security Zones | 1028
Understanding Security Policies in Transparent Mode | 1030
Example: Configuring Security Policies in Transparent Mode | 1031
Understanding Firewall User Authentication in Transparent Mode | 1033
34 Configuring Ethernet Port Switching Modes on Security Devices
Ethernet Port Switching Modes on Security Devices | 1037
Understanding Switching Modes on Security Devices | 1037
Ethernet Ports Switching Overview for Security Devices | 1038
Supported Devices and Ports | 1038
Integrated Bridging and Routing | 1040
Link Layer Discovery Protocol and LLDP-Media Endpoint Discovery | 1040
Types of Switch Ports | 1042
uPIM in a Daisy Chain | 1042
Q-in-Q VLAN Tagging | 1042
Example: Configuring Switching Modes on Security Devices | 1045
35 Configuring Ethernet Port VLANs in Switching Mode on Security Devices
Ethernet Port VLANs in Switching Mode on Security Devices | 1051
Understanding VLAN Retagging on Security Devices | 1051
Configuring VLAN Retagging on a Layer 2 Trunk Interface of a Security Device | 1052
Example: Configuring a Guest VLAN on a Security Device | 1053
36 Configuring Secure Wire on Security Devices
Secure Wire on Security Devices | 1057
Understanding Secure Wire on Security Devices | 1057
Example: Simplifying SRX Series Device Deployment with Secure Wire over Access Mode Interfaces | 1059
Example: Simplifying SRX Series Device Deployment with Secure Wire over Trunk Mode Interfaces | 1066
Example: Simplifying SRX Series Device Deployment with Secure Wire over Aggregated Interface Member Links | 1070
Example: Simplifying Chassis Cluster Deployment with Secure Wire over Redundant Ethernet Interfaces | 1076
Example: Simplifying Chassis Cluster Deployment with Secure Wire over Aggregated Redundant Ethernet Interfaces | 1082
37 Configuring Reflective Relay on Switches
Reflective Relay on Switches | 1093
Understanding Reflective Relay for Use with VEPA Technology | 1093
Benefits of VEPA and Reflective Relay | 1093
VEPA | 1094
Reflective Relay | 1094
Configuring Reflective Relay on Switches | 1095
Example: Configuring Reflective Relay for Use with VEPA Technology on QFX Switches | 1096
Configuring Reflective Relay on Switches with ELS Support | 1102
Example: Configuring Reflective Relay for Use with VEPA Technology on QFX Switches with ELS Support | 1103
38 Configuring Edge Virtual Bridging
Edge Virtual Bridging | 1111
Understanding Edge Virtual Bridging for Use with VEPA Technology on EX Series Switches | 1111
What Is EVB? | 1111
What Is VEPA? | 1112
Why Use VEPA Instead of VEB? | 1112
How Does EVB Work? | 1112
How Do I Implement EVB? | 1113
Configuring Edge Virtual Bridging on an EX Series Switch | 1113
Example: Configuring Edge Virtual Bridging for Use with VEPA Technology on an EX Series Switch | 1115
39 Troubleshooting Ethernet Switching
Troubleshooting Ethernet Switching | 1127
Troubleshooting Ethernet Switching on EX Series Switches | 1128
MAC Address in the Switch’s Ethernet Switching Table Is Not Updated After a MAC Address Move | 1128
40 Configuration Statements
address | 1139
add-attribute-length-in-pdu | 1142
advertisement-interval | 1144
aggregated-ether-options | 1146
autostate-exclude | 1150
bpdu-destination-mac-address | 1152
bridge-domains | 1154
bridge-priority | 1156
community-vlan | 1158
control-channel | 1159
control-vlan | 1160
customer-vlans | 1161
cut-through | 1162
data-channel | 1163
description (Interfaces) | 1164
description (VLAN) | 1166
destination-address (Security Policies) | 1167
dhcp-relay | 1168
disable | 1175
disable (MVRP) | 1176
domain-type (Bridge Domains) | 1177
dot1q-tunneling | 1179
dot1x | 1181
drop-threshold | 1185
east-interface | 1187
edge-virtual-bridging | 1189
enable-all-ifl | 1190
encapsulation | 1191
ether-options | 1198
ether-type | 1200
ethernet (Chassis Cluster) | 1201
ethernet-ring | 1202
ethernet-switch-profile | 1204
ethernet-switching | 1207
ethernet-switching-options | 1210
exclusive-mac | 1219
extend-secondary-vlan-id | 1221
fabric-control | 1222
filter (VLANs) | 1223
flexible-vlan-tagging | 1225
forwarding-options | 1227
global-mac-limit (Protocols) | 1233
global-mac-move | 1234
global-mac-statistics | 1235
global-mac-table-aging-time | 1236
global-mode (Protocols) | 1238
global-no-mac-learning | 1239
gratuitous-arp-reply | 1240
group (Redundant Trunk Groups) | 1241
guard-interval | 1243
hold-interval (Protection Group) | 1244
host-inbound-traffic | 1245
hold-multiplier | 1246
inner-tag-protocol-id | 1247
inner-vlan-id | 1248
input-native-vlan-push | 1249
input-vlan-map | 1250
instance-type | 1252
inter-switch-link | 1255
interface | 1256
interface (MVRP) | 1258
interface (Layer 2 Protocol Tunneling) | 1260
interface (Redundant Trunk Groups) | 1261
interface (Routing Instances) | 1263
interface (Switching Options) | 1264
interface (VLANs) | 1265
interface-mac-limit | 1267
interface-mode | 1270
interfaces (Q-in-Q Tunneling) | 1272
interfaces (Security Zones) | 1273
interfaces | 1274
isid | 1276
isid-list | 1277
isolated | 1278
isolated-vlan | 1279
isolation-id | 1280
isolation-vlan-id | 1281
join-timer (MVRP) | 1282
l2-learning | 1284
l3-interface (VLAN) | 1286
l3-interface-ingress-counting | 1288
layer2-control | 1289
layer2-protocol-tunneling | 1291
leave-timer (MVRP) | 1293
leaveall-timer (MVRP) | 1295
lldp | 1298
lldp-configuration-notification-interval | 1300
mac | 1301
mac (Static MAC-Based VLANs) | 1302
mac-limit | 1303
mac-lookup-length | 1306
mac-notification | 1308
mac-rewrite | 1309
mac-statistics | 1311
mac-table-aging-time | 1313
mac-table-size | 1315
mapping | 1317
mapping-range | 1319
members | 1320
mvrp | 1324
native-vlan-id | 1328
next-hop (Static MAC-Based VLANs) | 1331
no-attribute-length-in-pdu | 1332
no-dynamic-vlan | 1333
no-gratuitous-arp-request | 1334
no-local-switching | 1335
no-mac-learning | 1336
no-native-vlan-insert | 1340
node-id | 1342
notification-interval | 1343
num-65-127-prefix | 1344
output-vlan-map | 1346
packet-action | 1347
passive (MVRP) | 1350
peer-selection-service | 1351
pgcp-service | 1352
point-to-point (MVRP) | 1353
pop | 1355
pop-pop | 1356
pop-swap | 1357
port-mode | 1358
preempt-cutover-timer | 1360
prefix-65-127-disable | 1362
primary-vlan | 1366
private-vlan | 1368
profile (Access) | 1370
promiscuous | 1372
protection-group | 1373
protocol | 1376
protocols (Fabric) | 1379
proxy-arp | 1380
push | 1382
push-push | 1383
pvlan | 1384
pvlan-trunk | 1385
recovery-timeout | 1386
redundancy-group (Interfaces) | 1387
redundant-trunk-group | 1388
reflective-relay | 1389
registration | 1390
ring-protection-link-end | 1392
ring-protection-link-owner | 1393
routing-instances | 1394
security-zone | 1395
service-id | 1397
shutdown-threshold | 1398
source-address (Security Policies) | 1399
stacked-vlan-tagging | 1400
stale-routes-time (Fabric Control) | 1401
static-mac | 1402
swap | 1404
swap-by-poppush | 1405
swap-push | 1406
swap-swap | 1407
switch-options (VLANs) | 1408
system-services (Security Zones Interfaces) | 1410
tag-protocol-id (TPIDs Expected to Be Sent or Received) | 1412
tag-protocol-id (TPID to Rewrite) | 1414
traceoptions | 1415
traceoptions (LLDP) | 1421
traceoptions (MVRP) | 1424
transmit-delay (LLDP) | 1426
trap-notification | 1427
unconditional-src-learn | 1429
unframed | no-unframed (Interfaces) | 1430
unicast-in-lpm | 1431
unknown-unicast-forwarding | 1433
vlan | 1434
vlan-id | 1437
transmit-delay (LLDP) | 1442
vlan-id-list | 1443
vlan-id-range | 1445
vlan-id-range | 1447
vlan-id-start | 1449
vlan-prune | 1450
vlan-range | 1451
vlan-rewrite | 1452
vlan-tagging | 1453
vlan-tags | 1456
vlan-tags | 1457
vlan-tags (Dual-Tagged Logical Interface) | 1459
vlan-tags (Stacked VLAN Tags) | 1461
vlan members (VLANs) | 1463
vlans | 1464
vrf-mtu-check | 1480
vsi-discovery | 1481
vsi-policy | 1482
west-interface | 1483
41 Operational Commands
clear dot1x | 1489
clear edge-virtual-bridging | 1491
clear error mac-rewrite | 1492
clear ethernet-switching layer2-protocol-tunneling error | 1494
clear ethernet-switching layer2-protocol-tunneling statistics | 1496
clear ethernet-switching recovery-timeout | 1498
clear ethernet-switching table | 1499
clear interfaces statistics swfabx | 1501
clear lldp neighbors | 1502
clear lldp statistics | 1504
clear mvrp statistics | 1506
show chassis forwarding-options | 1508
show dot1x authentication-bypassed-users | 1512
show dot1x authentication-failed-users | 1514
show dot1x interface | 1516
show dot1x static-mac-address | 1523
show dot1x statistics | 1525
show edge-virtual-bridging | 1526
show ethernet-switching flood | 1530
show ethernet-switching interface | 1538
show ethernet-switching interfaces | 1542
show ethernet-switching layer2-protocol-tunneling interface | 1552
show ethernet-switching layer2-protocol-tunneling statistics | 1554
show ethernet-switching layer2-protocol-tunneling vlan | 1557
show ethernet-switching mac-learning-log | 1559
show ethernet-switching statistics | 1565
show ethernet-switching statistics aging | 1569
show ethernet-switching statistics mac-learning | 1571
show ethernet-switching table | 1577
show lldp | 1608
show lldp local-information | 1612
show lldp neighbors | 1615
show lldp remote-global-statistics | 1626
show lldp statistics | 1628
show mac-rewrite interface | 1631
show mvrp | 1633
show mvrp applicant-state | 1637
show mvrp dynamic-vlan-memberships | 1640
show mvrp interface | 1643
show mvrp registration-state | 1645
show mvrp statistics | 1648
show protection-group ethernet-ring aps | 1654
show protection-group ethernet-ring configuration | 1659
show protection-group ethernet-ring data-channel | 1668
show protection-group ethernet-ring interface | 1671
show protection-group ethernet-ring node-state | 1676
show protection-group ethernet-ring statistics | 1683
show protection-group ethernet-ring vlan | 1690
show redundant-trunk-group | 1696
show system statistics arp | 1698
show vlans | 1707
traceroute ethernet | 1734
About the Documentation
IN THIS SECTION
Documentation and Release Notes | xxxiii
Using the Examples in This Manual | xxxiii
Documentation Conventions | xxxv
Documentation Feedback | xxxviii
Requesting Technical Support | xxxviii
Use this guide to configure and monitor Layer 2 features.
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.
Using the Examples in This Manual
If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.
If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.
If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.
Merging a Full Example
To merge a full example, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:
[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete
Merging a Snippet
To merge a snippet, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.
commit {
    file ex-script-snippet.xsl;
}
2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:
[edit]
user@host# edit system scripts
[edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:
[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete
For more information about the load command, see CLI Explorer.
Documentation Conventions
Table 1 on page xxxvi defines notice icons used in this guide.
Table 1: Notice Icons
Meaning | Description
Informational note | Indicates important features or instructions.
Caution | Indicates a situation that might result in loss of data or hardware damage.
Warning | Alerts you to the risk of personal injury or death.
Laser warning | Alerts you to the risk of personal injury from a laser.
Tip | Indicates helpful information.
Best practice | Alerts you to a recommended use or implementation.
Table 2 on page xxxvi defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
    user@host> configure
Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
    user@host> show chassis alarms
    No alarms currently active
Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute
Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name
Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.
Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example: stub ;
Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)
Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example:
    rsvp { # Required for dynamic MPLS only
Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example:
    community name members [ community-ids ]
Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.
Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Example (for both of the preceding conventions):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }
GUI Conventions
Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.
Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback so that we can improve our documentation. You can use either of the following methods:
• Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper Networks TechLibrary site, and do one of the following:
• Click the thumbs-up icon if the information on the page was helpful to you.
• Click the thumbs-down icon if the information on the page was not helpful to you or if you have suggestions for improvement, and use the pop-up form to provide feedback.
• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active Juniper Care or Partner Support Services support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
• Find CSC offerings: https://www.juniper.net/customers/support/
• Search for known bugs: https://prsearch.juniper.net/
• Find product documentation: https://www.juniper.net/documentation/
• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
• Download the latest versions of software and review release notes: https://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: https://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum: https://www.juniper.net/company/communities/
• Create a service request online: https://myjuniper.juniper.net
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/
Creating a Service Request with JTAC
You can create a service request with JTAC on the Web or by telephone.
• Visit https://myjuniper.juniper.net.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see https://support.juniper.net/support/requesting-support/.
CHAPTER 1
Understanding Layer 2 Networking
Layer 2 Networking | 43
Layer 2 Networking
IN THIS SECTION
Overview of Layer 2 Networking | 43
Ethernet Switching and Layer 2 Transparent Mode Overview | 45
Understanding Unicast | 53
Understanding Layer 2 Broadcasting on Switches | 53
Using the Enhanced Layer 2 Software CLI | 54
Enhanced Layer 2 CLI Configuration Statement and Command Changes for Security Devices | 76
Layer 2 Next Generation Mode for ACX Series | 78
Overview of Layer 2 Networking
Layer 2, also known as the Data Link Layer, is the second level in the seven-layer OSI reference model for network protocol design. Layer 2 is equivalent to the link layer (the lowest layer) in the TCP/IP network model. Layer 2 is the layer at which data is transferred between adjacent network nodes in a wide area network or between nodes on the same local area network.
A frame is a protocol data unit, the smallest unit of bits on a Layer 2 network. Frames are transmitted to and received from devices on the same local area network (LAN). Unlike bits, frames have a defined structure and can be used for error detection, control plane activities, and so forth. Not all frames carry user data. The network uses some frames to control the data link itself.
At Layer 2, unicast refers to sending frames from one node to a single other node, whereas multicast denotes sending traffic from one node to multiple nodes, and broadcasting refers to the transmission of frames to all nodes in a network. A broadcast domain is a logical division of a network in which all nodes of that network can be reached at Layer 2 by a broadcast.
Segments of a LAN can be linked at the frame level using bridges. Bridging creates separate broadcast domains on the LAN, creating VLANs, which are independent logical networks that group together related devices into separate network segments. The grouping of devices on a VLAN is independent of where the devices are physically located in the LAN. Without bridging and VLANs, all devices on the Ethernet LAN are in a single broadcast domain, and all the devices detect all the packets on the LAN.
Forwarding is the relaying of packets from one network segment to another by nodes in the network. On a VLAN, a frame whose origin and destination are in the same VLAN is forwarded only within the local VLAN. A network segment is a portion of a computer network wherein every device communicates using the same physical layer.
Layer 2 contains two sublayers:
• Logical link control (LLC) sublayer, which is responsible for managing communications links and handling frame traffic.
• Media access control (MAC) sublayer, which governs protocol access to the physical network medium. By using the MAC addresses that are assigned to all ports on a switch, multiple devices on the same physical link can uniquely identify one another.
The ports, or interfaces, on a switch operate in access mode, tagged-access mode, or trunk mode:
• Access mode ports connect to a network device such as a desktop computer, an IP telephone, a printer, a file server, or a security camera. The port itself belongs to a single VLAN. The frames transmitted over an access interface are normal Ethernet frames. By default, all ports on a switch are in access mode.
• Tagged-access mode ports connect to a network device such as a desktop computer, an IP telephone, a printer, a file server, or a security camera. The port itself belongs to a single VLAN. The frames transmitted over an access interface are normal Ethernet frames. By default, all ports on a switch are in access mode. Tagged-access mode accommodates cloud computing, specifically scenarios including virtual machines or virtual computers. Because several virtual computers can be included on one physical server, the packets generated by one server can contain an aggregation of VLAN packets from different virtual machines on that server. To accommodate this situation, tagged-access mode reflects packets back to the physical server on the same downstream port when the destination address of the packet was learned on that downstream port. Packets are also reflected back to the physical server on the downstream port when the destination has not yet been learned. Therefore, the third interface mode, tagged access, has some characteristics of access mode and some characteristics of trunk mode.
• Trunk mode ports handle traffic for multiple VLANs, multiplexing the traffic for all those VLANs over the same physical connection. Trunk interfaces are generally used to interconnect switches to other devices or switches.
With native VLAN configured, frames that do not carry VLAN tags are sent over the trunk interface. If you have a situation where packets pass from a device to a switch in access mode, and you want to then send those packets from the switch over a trunk port, use native VLAN mode. Configure the single VLAN on the switch’s port (which is in access mode) as a native VLAN. The switch’s trunk port will then treat those frames differently than the other tagged packets. For example, if a trunk port has three VLANs, 10, 20, and 30, assigned to it with VLAN 10 being the native VLAN, frames on VLAN 10 that leave the trunk port on the other end have no 802.1Q header (tag). There is another native VLAN option. You can have the switch add and remove tags for untagged packets. To do this, you first configure the single VLAN as a native VLAN on a port attached to a device on the edge. Then, assign a VLAN ID tag to the single native VLAN on the port connected to a device. Last, add the VLAN ID to the trunk port. Now, when the switch receives the untagged packet, it adds the ID you specified and sends and receives the tagged packets on the trunk port configured to accept that VLAN.
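The trunk-and-native-VLAN arrangement described above, written out as an added example in Junos ELS configuration syntax (this is not configuration from the guide): the trunk port carries VLANs 10, 20, and 30, VLAN 10 is its native VLAN, and the access port sits in VLAN 10, so frames arriving untagged on the access port leave the trunk untagged while VLAN 20 and 30 frames leave it with an 802.1Q tag. The interface names and VLAN names are assumptions.

```junos
# Added example (not from the guide). ELS syntax assumed; ge-0/0/0, ge-0/0/1
# and the VLAN names vlan10/vlan20/vlan30 are assumptions.
vlans {
    vlan10 {
        vlan-id 10;
    }
    vlan20 {
        vlan-id 20;
    }
    vlan30 {
        vlan-id 30;
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;      # edge device port: untagged frames, one VLAN
                vlan {
                    members vlan10;
                }
            }
        }
    }
    ge-0/0/0 {
        native-vlan-id 10;                  # untagged frames on this trunk belong to VLAN 10
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;       # 802.1Q-tagged frames for the member VLANs
                vlan {
                    members [ vlan10 vlan20 vlan30 ];   # the native VLAN must also be a member
                }
            }
        }
    }
}
```

After committing, show vlans and show ethernet-switching interface (both documented in the Operational Commands chapter) confirm which VLANs each port carries and which one is untagged on the trunk.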
Including the sublayers, Layer 2 on the QFX Series supports the following functionality:
• Unicast, multicast, and broadcast traffic.
• Bridging.
• VLAN 802.1Q—Also known as VLAN tagging, this protocol allows multiple bridged networks to transparently share the same physical network link by adding VLAN tags to an Ethernet frame.
• Extension of Layer 2 VLANs across multiple switches using Spanning Tree Protocol (STP), which prevents looping across the network.
• MAC learning, including per-VLAN MAC learning and Layer 2 learning suppression–This process obtains the MAC addresses of all the nodes on a network.
• Link aggregation—This process groups Ethernet interfaces at the physical layer to form a single link layer interface, also known as a link aggregation group (LAG) or LAG bundle.
NOTE: Link aggregation is not supported on NFX150 devices.
• Storm control on the physical port for unicast, multicast, and broadcast
NOTE: Storm control is not supported on NFX150 devices.
• STP support, including 802.1d, RSTP, MSTP, and Root Guard
SEE ALSO
Understanding Bridging and VLANs on Switches | 183
Ethernet Switching and Layer 2 Transparent Mode Overview
Layer 2 transparent mode provides the ability to deploy the firewall without making changes to the existing routing infrastructure. The firewall is deployed as a Layer 2 switch with multiple VLAN segments and provides security services within VLAN segments. Secure wire is a special version of Layer 2 transparent mode that allows bump-in-the-wire deployment.
A device operates in transparent mode when there are interfaces defined as Layer 2 interfaces. The device operates in route mode (the default mode) if there are no physical interfaces configured as Layer 2 interfaces.
For SRX Series devices, transparent mode provides full security services for Layer 2 switching capabilities. On these SRX Series devices, you can configure one or more VLANs to perform Layer 2 switching. A VLAN is a set of logical interfaces that share the same flooding or broadcast characteristics. Like a virtual LAN (VLAN), a VLAN spans one or more ports of multiple devices. Thus, the SRX Series device can function as a Layer 2 switch with multiple VLANs that participate in the same Layer 2 network.
In transparent mode, the SRX Series device filters packets that traverse the device without modifying any of the source or destination information in the IP packet headers. Transparent mode is useful for protecting servers that mainly receive traffic from untrusted sources because there is no need to reconfigure the IP settings of routers or protected servers.
In transparent mode, all physical ports on the device are assigned to Layer 2 interfaces. Do not route Layer 3 traffic through the device. Layer 2 zones can be configured to host Layer 2 interfaces, and security policies can be defined between Layer 2 zones. When packets travel between Layer 2 zones, security policies can be enforced on these packets.
Table 3 on page 46 lists the security features that are supported and are not supported in transparent mode for Layer 2 switching.
Table 3: Security Features Supported in Transparent Mode
Mode Type | Supported | Not Supported
Transparent mode | Application Layer Gateways (ALGs); Firewall User Authentication (FWAUTH); Intrusion Detection and Prevention (IDP); Screen; AppSecure; Unified Threat Management (UTM) | Network Address Translation (NAT); VPN
NOTE: On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, the DHCP server propagation is not supported in Layer 2 transparent mode.
In addition, the SRX Series devices do not support the following Layer 2 features in Layer 2 transparent mode:
• Spanning Tree Protocol (STP), RSTP, or MSTP—It is the user’s responsibility to ensure that no flooding loops exist in the network topology.
• Internet Group Management Protocol (IGMP) snooping—Host-to-router signaling protocol for IPv4 used to report their multicast group memberships to neighboring routers and determine whether group members are present during IP multicasting.
• Double-tagged VLANs or IEEE 802.1Q VLAN identifiers encapsulated within 802.1Q packets (also called “Q in Q” VLAN tagging)—Only untagged or single-tagged VLAN identifiers are supported on SRX Series devices.
• Nonqualified VLAN learning, where only the MAC address is used for learning within the VLAN—VLAN learning on SRX Series devices is qualified; that is, both the VLAN identifier and MAC address are used.
Also, on SRX100, SRX110, SRX210, SRX220, SRX240, SRX300, SRX320, SRX340, SRX345, SRX550, or SRX650 devices, some features are not supported. (Platform support depends on the Junos OS release in your installation.) The following features are not supported for Layer 2 transparent mode on the mentioned devices:
• G-ARP on the Layer 2 interface
• IP address monitoring on any interface
• Transit traffic through IRB
• IRB interface in a routing instance
• IRB interface handling of Layer 3 traffic
NOTE: The IRB interface is a pseudointerface and does not belong to the reth interface and redundancy group.
Layer 2 Transparent Mode on the SRX5000 Line Module Port Concentrator
The SRX5000 line Module Port Concentrator (SRX5K-MPC) supports Layer 2 transparent mode and processes the traffic when the SRX Series device is configured in Layer 2 transparent mode.
When the SRX5K-MPC is operating in Layer 2 mode, you can configure all interfaces on the SRX5K-MPC as Layer 2 switching ports to support Layer 2 traffic.
The security processing unit (SPU) supports all security services for Layer 2 switching functions, and the MPC delivers the ingress packets to the SPU and forwards the egress packets that are encapsulated by the SPU to the outgoing interfaces.
When the SRX Series device is configured in Layer 2 transparent mode, you can enable the interfaces on the MPC to work in Layer 2 mode by defining one or more logical units on a physical interface with the family address type as Ethernet switching. Later you can proceed with configuring Layer 2 security zones and configuring security policies in transparent mode. Once this is done, next-hop topologies are set up to process ingress and egress packets.
Understanding IPv6 Flows in Transparent Mode on Security Devices
In transparent mode, the SRX Series device filters packets that traverse the device without modifying any of the source or destination information in the packet MAC headers. Transparent mode is useful for protecting servers that mainly receive traffic from untrusted sources because there is no need to reconfigure the IP settings of routers or protected servers.
A device operates in transparent mode when all physical interfaces on the device are configured as Layer 2 interfaces. A physical interface is a Layer 2 interface if its logical interface is configured with the ethernet-switching option at the [edit interfaces interface-name unit unit-number family] hierarchy level. There is no command to define or enable transparent mode on the device. The device operates in transparent mode when there are interfaces defined as Layer 2 interfaces. The device operates in route mode (the default mode) if all physical interfaces are configured as Layer 3 interfaces.
By default, IPv6 flows are dropped on security devices. To enable processing by security features such as zones, screens, and firewall policies, you must enable flow-based forwarding for IPv6 traffic with the mode flow-based configuration option at the [edit security forwarding-options family inet6] hierarchy level. You must reboot the device when you change the mode.
In transparent mode, you can configure Layer 2 zones to host Layer 2 interfaces, and you can define security policies between Layer 2 zones. When packets travel between Layer 2 zones, security policies can be enforced on these packets. The following security features are supported for IPv6 traffic in transparent mode:
• Layer 2 security zones and security policies. See “Understanding Layer 2 Security Zones” on page 1027 and “Understanding Security Policies in Transparent Mode” on page 1030.
• Firewall user authentication. See “Understanding Firewall User Authentication in Transparent Mode” on page 1033.
• Layer 2 transparent mode chassis clusters.
• Class of service functions. See Class of Service Functions in Transparent Mode Overview.
The following security features are not supported for IPv6 flows in transparent mode:
• Logical systems
• IPv6 GTPv2
• J-Web interface
• NAT
• IPsec VPN
• With the exception of DNS, FTP, and TFTP ALGs, all other ALGs are not supported.
Configuring VLANs and Layer 2 logical interfaces for IPv6 flows is the same as configuring VLANs and Layer 2 logical interfaces for IPv4 flows. You can optionally configure an integrated routing and bridging (IRB) interface for management traffic in a VLAN. The IRB interface is the only Layer 3 interface allowed in transparent mode. The IRB interface on the SRX Series device does not support traffic forwarding or routing. The IRB interface can be configured with both IPv4 and IPv6 addresses. You can assign an IPv6 address for the IRB interface with the address configuration statement at the [edit interfaces irb unit number family inet6] hierarchy level. You can assign an IPv4 address for the IRB interface with the address configuration statement at the [edit interfaces irb unit number family inet] hierarchy level.
The Ethernet Switching functions on SRX Series devices are similar to the switching features on Juniper Networks MX Series routers. However, not all Layer 2 networking features supported on MX Series routers are supported on SRX Series devices. See “Ethernet Switching and Layer 2 Transparent Mode Overview” on page 45.
The SRX Series device maintains forwarding tables that contain MAC addresses and associated interfaces for each Layer 2 VLAN. The IPv6 flow processing is similar to IPv4 flows. See “Layer 2 Learning and Forwarding for VLANs Overview” on page 83.
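The transparent mode building blocks described in this section and in the IPv6 flow discussion above (Layer 2 logical interfaces with family ethernet-switching, flow-based IPv6 forwarding, two Layer 2 zones with one policy between them, and an IRB that carries only management traffic), brought together as one added example in Junos ELS syntax; it is not configuration from the guide. The interface names, zone names, VLAN, and addresses are assumptions, and the 192.0.2.0/24 and 2001:db8::/64 addresses are constructed documentation values.

```junos
# Added example (not from the guide). ELS-style SRX syntax assumed; ge-0/0/0,
# ge-0/0/1, the zone names, vlan100 and all addresses are assumptions.
security {
    forwarding-options {
        family inet6 {
            mode flow-based;            # otherwise IPv6 flows are dropped; reboot after changing
        }
    }
    zones {
        security-zone l2-untrust {
            interfaces {
                ge-0/0/0.0;             # Layer 2 zones hold Layer 2 logical interfaces
            }
        }
        security-zone l2-trust {
            host-inbound-traffic {
                system-services {
                    ssh;                # management of the IRB address only from the trusted side
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
    policies {
        from-zone l2-untrust to-zone l2-trust {
            policy allow-web {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;     # only HTTP crosses from untrust to trust
                }
                then {
                    permit;
                }
            }
        }
        # No policy is defined from l2-trust to l2-untrust, so that direction
        # falls to the default-deny behaviour between zones.
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {     # makes this a Layer 2 interface
                interface-mode access;
                vlan {
                    members vlan100;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan100;
                }
            }
        }
    }
    irb {
        unit 0 {                            # only Layer 3 interface allowed; management, no transit
            family inet {
                address 192.0.2.10/24;
            }
            family inet6 {
                address 2001:db8::10/64;
            }
        }
    }
}
vlans {
    vlan100 {
        vlan-id 100;
        l3-interface irb.0;
    }
}
```

Both Layer 2 interfaces are in the same VLAN, so the frames are switched unchanged at Layer 2 and the only control point between the hosts on either side is the zone-to-zone policy; neither side's IP configuration has to change.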
Understanding Layer 2 Transparent Mode Chassis Clusters on Security Devices
A pair of SRX Series devices in Layer 2 transparent mode can be connected in a chassis cluster to providenetwork node redundancy. When configured in a chassis cluster, one node acts as the primary device andthe other as the secondary device, ensuring stateful failover of processes and services in the event ofsystem or hardware failure. If the primary device fails, the secondary device takes over processing of traffic.
NOTE: If the primary device fails in a Layer 2 transparent mode chassis cluster, the physical ports in the failed device become inactive (go down) for a few seconds before they become active (come up) again.
To form a chassis cluster, a pair of supported SRX Series devices of the same kind combine to act as a single system that enforces the same overall security policy.
Devices in Layer 2 transparent mode can be deployed in active/backup and active/active chassis clusterconfigurations.
The following chassis cluster features are not supported for devices in Layer 2 transparent mode:
• Gratuitous ARP—The newly elected master in a redundancy group cannot send gratuitous ARP requests to notify network devices of a change in mastership on the redundant Ethernet interface links.
• IP address monitoring—Failure of an upstream device cannot be detected.
A redundancy group is a construct that includes a collection of objects on both nodes. A redundancy group is primary on one node and backup on the other. When a redundancy group is primary on a node, its objects on that node are active. When a redundancy group fails over, all its objects fail over together.
You can create one or more redundancy groups numbered 1 through 128 for an active/active chassis cluster configuration. Each redundancy group contains one or more redundant Ethernet interfaces. A redundant Ethernet interface is a pseudointerface that contains physical interfaces from each node of the cluster. The physical interfaces in a redundant Ethernet interface must be the same kind, either Fast Ethernet or Gigabit Ethernet. If a redundancy group is active on node 0, then the child links of all associated redundant Ethernet interfaces on node 0 are active. If the redundancy group fails over to node 1, then the child links of all redundant Ethernet interfaces on node 1 become active.
NOTE: In the active/active chassis cluster configuration, the maximum number of redundancy groups is equal to the number of redundant Ethernet interfaces that you configure. In the active/backup chassis cluster configuration, the maximum number of redundancy groups supported is two.
Configuring redundant Ethernet interfaces on a device in Layer 2 transparent mode is similar to configuring redundant Ethernet interfaces on a device in Layer 3 route mode, with the following difference: the redundant Ethernet interface on a device in Layer 2 transparent mode is configured as a Layer 2 logical interface.
The redundant Ethernet interface may be configured as either an access interface (with a single VLAN ID assigned to untagged packets received on the interface) or as a trunk interface (with a list of VLAN IDs accepted on the interface and, optionally, a native-vlan-id for untagged packets received on the interface). Physical interfaces (one from each node in the chassis cluster) are bound as child interfaces to the parent redundant Ethernet interface.
In Layer 2 transparent mode, MAC learning is based on the redundant Ethernet interface. The MAC table is synchronized across redundant Ethernet interfaces and Services Processing Units (SPUs) between the pair of chassis cluster devices.
The IRB interface is used only for management traffic, and it cannot be assigned to any redundant Ethernet interface or redundancy group.
All Junos OS screen options that are available for a single, nonclustered device are available for devices in Layer 2 transparent mode chassis clusters.
NOTE: Spanning Tree Protocols (STPs) are not supported for Layer 2 transparent mode. You must ensure that there are no loop connections in the deployment topology.
Configuring Out-of-Band Management on SRX Devices
You can configure the fxp0 out-of-band management interface on the SRX Series device as a Layer 3 interface, even if Layer 2 interfaces are defined on the device. With the exception of the fxp0 interface, you can define Layer 2 and Layer 3 interfaces on the device's network ports.
NOTE: There is no fxp0 out-of-band management interface on the SRX300, SRX320, and SRX550M devices. (Platform support depends on the Junos OS release in your installation.)
Ethernet Switching
Ethernet switching forwards Ethernet frames within or across a LAN segment (or VLAN) using the Ethernet MAC address information. Ethernet switching on the SRX1500 device is performed in hardware using ASICs.
Starting in Junos OS Release 15.1X49-D40, use the set protocols l2-learning global-mode (transparent-bridge | switching) command to switch between the Layer 2 transparent bridge mode and Ethernet switching mode. After switching the mode, you must reboot the device for the configuration to take effect. Table 4 on page 51 describes the default Layer 2 global mode on SRX Series devices.
Table 4: Default Layer 2 Global Mode on SRX Series Devices

Junos OS Release | Platforms | Default Layer 2 Global Mode | Details
---------------- | --------- | --------------------------- | -------
Prior to Junos OS Release 15.1X49-D50, and Junos OS Release 17.3R1 onwards | SRX300, SRX320, SRX340, and SRX345 | Switching mode | None
Junos OS Release 15.1X49-D50 to Junos OS Release 15.1X49-D90 | SRX300, SRX320, SRX340, and SRX345 | Switching mode | When you delete the Layer 2 global mode configuration on a device, the device is in transparent bridge mode.
Junos OS Release 15.1X49-D100 onwards | SRX300, SRX320, SRX340, SRX345, SRX550, and SRX550M | Switching mode | When you delete the Layer 2 global mode configuration on a device, the device is in switching mode. Configure the set protocols l2-learning global-mode transparent-bridge command under the [edit] hierarchy level to switch to transparent bridge mode. Reboot the device for the configuration to take effect.
Junos OS Release 15.1X49-D50 onwards | SRX1500 | Transparent bridge mode | None
The Layer 2 protocol supported in switching mode is Link Aggregation Control Protocol (LACP).
You can configure Layer 2 transparent mode on a redundant Ethernet interface. Use the following commands to define a redundant Ethernet interface:
• set interfaces interface-name ether-options redundant-parent reth-interface-name
• set interfaces reth-interface-name redundant-ether-options redundancy-group number
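The following configuration is an added example, not taken from this Juniper guide, that puts together the transparent-mode chassis cluster pieces described in "Understanding Layer 2 Transparent Mode Chassis Clusters" and the global-mode and redundant Ethernet interface commands above: the global mode, one data redundancy group, a trunk reth and an access reth with one child interface from each node, and a management-only IRB with both an IPv4 and an IPv6 address at the hierarchy levels the page names. Interface names, VLAN IDs, addresses, zone names and the use of gigether-options on Gigabit Ethernet ports (the page's generic command shows ether-options) are assumptions; the cluster ID and node ID are set beforehand with the operational set chassis cluster command, and both nodes must be rebooted after the global mode changes. Lines beginning with # are annotations.

```junos
# Added example (assumed names and addresses): SRX chassis cluster in Layer 2 transparent mode.
# Global mode: after committing this line, reboot the device (15.1X49-D40 and later).
set protocols l2-learning global-mode transparent-bridge

# Two redundant Ethernet interfaces and one data redundancy group (numbered from 1, as the page states).
set chassis cluster reth-count 2
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

# reth0: trunk toward the core, one Gigabit Ethernet child from each node.
# Both children must be the same kind of interface (here both Gigabit Ethernet).
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-5/0/1 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family ethernet-switching interface-mode trunk
set interfaces reth0 unit 0 family ethernet-switching vlan members [ vlan-10 vlan-20 ]

# reth1: access interface; untagged frames received here are placed in vlan-10.
set interfaces ge-0/0/2 gigether-options redundant-parent reth1
set interfaces ge-5/0/2 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family ethernet-switching interface-mode access
set interfaces reth1 unit 0 family ethernet-switching vlan members vlan-10

set vlans vlan-10 vlan-id 10
set vlans vlan-20 vlan-id 20

# Management-only IRB: the only Layer 3 interface allowed in transparent mode. It forwards
# no transit traffic and cannot belong to a reth or a redundancy group.
set interfaces irb unit 0 family inet address 192.0.2.10/24
set interfaces irb unit 0 family inet6 address 2001:db8::10/64
set vlans vlan-10 l3-interface irb.0

# Zones (assumed names). The reth Layer 2 logical interfaces carry transit traffic; the IRB sits in
# its own zone and accepts only SSH toward the device itself, so no other service is exposed on it.
set security zones security-zone l2-untrust interfaces reth0.0
set security zones security-zone l2-trust interfaces reth1.0
set security zones security-zone mgmt interfaces irb.0 host-inbound-traffic system-services ssh
```

Because STP is not supported in transparent mode, check the physical topology for loops before committing: a loop between reth0's upstream switch and reth1's segment is not detected by the cluster and turns into the flooding described later in this guide. Gratuitous ARP and IP address monitoring are likewise unavailable in this mode, so upstream failure must be detected some other way.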
Layer 2 Switching Exceptions on SRX Series Devices
The switching functions on the SRX Series devices are similar to the switching features on Juniper Networks MX Series routers. However, the following Layer 2 networking features on MX Series routers are not supported on SRX Series devices:
• Layer 2 control protocols—These protocols are used on MX Series routers for Rapid Spanning Tree Protocol (RSTP) or Multiple Spanning Tree Protocol (MSTP) in customer edge interfaces of a VPLS routing instance.
• Virtual switch routing instance—The virtual switching routing instance is used on MX Series routers to group one or more VLANs.
• Virtual private LAN services (VPLS) routing instance—The VPLS routing instance is used on MX Series routers for point-to-multipoint LAN implementations between a set of sites in a VPN.
SEE ALSO
global-mode (Protocols) | 1238
l2-learning | 1284
Understanding Unicast
Unicasting is the act of sending data from one node of the network to another. In contrast, multicasttransmissions send traffic from one data node to multiple other data nodes.
Unknown unicast traffic consists of unicast frames with unknown destination MAC addresses. By default, the switch floods these unicast frames that are traveling in a VLAN to all interfaces that are members of the VLAN. Forwarding this type of traffic to every interface on the switch can create a security issue: a flooded frame is delivered to every host in the VLAN, not only to its intended recipient, and the LAN is suddenly flooded with packets, creating unnecessary traffic that leads to poor network performance or even a complete loss of network service. This is known as a traffic storm.
To prevent a storm, you can disable the flooding of unknown unicast packets to all interfaces by configuring one VLAN or all VLANs to forward any unknown unicast traffic to a specific trunk interface. (This channels the unknown unicast traffic to a single interface.)
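As an added example (not from this guide), the following shows the default flooding behavior beside the channeled configuration just described, using the legacy (non-ELS) EX Series CLI, where the option lives under ethernet-switching-options. The VLAN name, interface names and the choice of ge-0/0/0.0 as the uplink trunk are assumptions; if your platform runs ELS, check its statement reference for the equivalent hierarchy. Lines beginning with # are annotations.

```junos
# Added example (assumed names): channel unknown unicast traffic in vlan100 to the uplink trunk.
set vlans vlan100 vlan-id 100

# Uplink trunk toward the rest of the network.
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan100

# Access ports for end hosts. Without the statement below, a frame for a MAC address the switch
# has not learned is flooded out every one of these ports, so every host in vlan100 receives it.
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan100
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan100

# Channel unknown unicast frames for vlan100 to the trunk only; the access ports no longer see them.
set ethernet-switching-options unknown-unicast-forwarding vlan vlan100 interface ge-0/0/0.0
```

The target must be a trunk interface that is a member of the VLAN; the page notes the same statement can be applied to one VLAN or to all VLANs. Channeling does not stop a host from deliberately exhausting the MAC table to force flooding; it only limits where the flooded frames go.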
SEE ALSO
Understanding Bridging and VLANs on Switches | 183
Understanding Layer 2 Broadcasting on Switches
In a Layer 2 network, broadcasting refers to sending traffic to all nodes on a network.
Layer 2 broadcast traffic stays within a local area network (LAN) boundary, known as the broadcast domain. Layer 2 broadcast traffic is sent to the broadcast domain using a MAC address of FF:FF:FF:FF:FF:FF. Every device in the broadcast domain recognizes this MAC address and passes the broadcast traffic on to other devices in the broadcast domain, if applicable. Broadcasting can be compared to unicasting (sending traffic to a single node) or multicasting (delivering traffic to a group of nodes simultaneously).
Layer 3 broadcast traffic, however, is sent to all devices in a network using a broadcast network address. For example, if your network address is 10.0.0.0 (the 10.0.0.0/8 network), the broadcast network address is 10.255.255.255. In this case, only devices that belong to the 10.0.0.0 network receive the Layer 3 broadcast traffic. Devices that do not belong to this network drop the traffic.
Broadcasting is used in the following situations:
• Address Resolution Protocol (ARP) uses broadcasting to map IP addresses to MAC addresses. ARP dynamically binds the IP address (the logical address) to the correct MAC address. Before IP unicast packets can be sent, ARP discovers the MAC address used by the Ethernet interface where the IP address is configured.
• Dynamic Host Configuration Protocol (DHCP) uses broadcasting to dynamically assign IP addresses to hosts on a network segment or subnet.
• Some routing protocols (for example, RIP version 1) use broadcasting to advertise routes.
Excessive broadcast traffic can sometimes create a broadcast storm. A broadcast storm occurs when messages are broadcast on a network and each message prompts a receiving node to respond by broadcasting its own messages on the network. This, in turn, prompts further responses that create a snowball effect. The LAN is suddenly flooded with packets, creating unnecessary traffic that leads to poor network performance or even a complete loss of network service.
SEE ALSO
Understanding Bridging and VLANs on Switches | 183
Using the Enhanced Layer 2 Software CLI
IN THIS SECTION
Understanding Which Devices Support ELS | 55
Understanding How to Configure Layer 2 Features Using ELS | 55
Understanding ELS Configuration Statement and Command Changes | 59
Enhanced Layer 2 Software (ELS) provides a uniform CLI for configuring and monitoring Layer 2 features on QFX Series switches, EX Series switches, and other Juniper Networks devices, such as MX Series routers. With ELS, you configure Layer 2 features in the same way on all these Juniper Networks devices.
This topic explains how to know if your platform is running ELS. It also explains how to perform some common tasks using the ELS style of configuration.
Understanding Which Devices Support ELS
ELS is automatically supported if your device is running a Junos OS release that supports it. You do not need to take any action to enable ELS, and you cannot disable ELS. See Feature Explorer (https://pathfinder.juniper.net/feature-explorer/feature-info.html?fKey=5890&fn=Uniform+Enhanced+Layer+2+Software+(ELS)+CLI+configuration+statements+and+operational+commands) for information about which platforms and releases support ELS.
Understanding How to Configure Layer 2 Features Using ELS
IN THIS SECTION
Configuring a VLAN | 55
Configuring the Native VLAN Identifier | 56
Configuring Layer 2 Interfaces | 56
Configuring Layer 3 Interfaces | 57
Configuring an IRB Interface | 57
Configuring an Aggregated Ethernet Interface and Configuring LACP on That Interface | 58
Because ELS provides a uniform CLI, you can now perform the following tasks on supported devices in the same way:
Configuring a VLAN
You can configure one or more VLANs to perform Layer 2 bridging. Layer 2 bridging includes integrated routing and bridging (IRB), which supports Layer 2 bridging and Layer 3 IP routing on the same interface. EX Series and QFX Series switches can function as Layer 2 switches, each with multiple bridging, or broadcast, domains that participate in the same Layer 2 network. You can also configure Layer 3 routing support for a VLAN.
To configure a VLAN:
1. Create the VLAN by setting a unique VLAN name and configuring the VLAN ID:
[edit]
user@host# set vlans vlan-name vlan-id vlan-id-number
Using the VLAN ID list option, you can optionally specify a range of VLAN IDs.
[edit]
user@host# set vlans vlan-name vlan-id-list [ vlan-id-number | vlan-id-number-vlan-id-number ]
2. Assign at least one interface to the VLAN:
[edit]
user@host# set interfaces interface-name unit logical-unit-number family ethernet-switching vlan members vlan-name
Configuring the Native VLAN Identifier
EX Series and QFX Series switches support receiving and forwarding routed or bridged Ethernet frames with 802.1Q VLAN tags. Typically, trunk ports, which connect switches to each other, accept untagged control packets, but do not accept untagged data packets. You can enable a trunk port to accept untagged data packets by configuring a native VLAN ID on the interface on which you want the untagged data packets to be received.
To configure the native VLAN ID:
1. On the interface on which you want untagged data packets to be received, set the interface mode to trunk, which specifies that the interface is in multiple VLANs and can multiplex traffic between different VLANs.
[edit interfaces]
user@host# set interface-name unit logical-unit-number family ethernet-switching interface-mode trunk
2. Configure the native VLAN ID on the interface:
[edit interfaces]
user@host# set interface-name native-vlan-id number
3. Assign the interface to the native VLAN ID:
[edit interfaces]
user@host# set interface-name unit logical-unit-number family ethernet-switching vlan members native-vlan-id-number
Configuring Layer 2 Interfaces
To ensure that your high-traffic network is tuned for optimal performance, explicitly configure somesettings on the switch's network interfaces.
To configure a Gigabit Ethernet interface or a 10-Gigabit Ethernet interface as a trunk interface:
[edit]
user@host# set interfaces interface-name unit logical-unit-number family ethernet-switching interface-mode trunk
To configure a Gigabit Ethernet interface or a 10-Gigabit Ethernet interface as an access interface:
[edit]
user@host# set interfaces interface-name unit logical-unit-number family ethernet-switching interface-mode access
To assign an interface to VLAN:
[edit interfaces]
user@host# set interface-name unit logical-unit-number family ethernet-switching vlan members [ all | vlan-names | vlan-ids ]
Configuring Layer 3 Interfaces
To configure a Layer 3 interface, you must assign an IP address to the interface. You assign an address to an interface by specifying the address when you configure the protocol family. For the inet or inet6 family, configure the interface IP address.
You can configure interfaces with a 32-bit IP version 4 (IPv4) address and optionally with a destination prefix length, sometimes called a subnet mask. An IPv4 address uses a 4-octet dotted decimal address syntax (for example, 192.168.1.1). An IPv4 address with a destination prefix uses the 4-octet dotted decimal syntax with the prefix length appended (for example, 192.168.1.1/16).
To specify an IPv4 address for the logical unit:
[edit]
user@host# set interfaces interface-name unit logical-unit-number family inet address ip-address
You represent IP version 6 (IPv6) addresses in hexadecimal notation by using a colon-separated list of 16-bit values. You assign a 128-bit IPv6 address to an interface.
To specify an IPv6 address for the logical unit:
[edit]
user@host# set interfaces interface-name unit logical-unit-number family inet6 address ip-address
Configuring an IRB Interface
Integrated routing and bridging (IRB) provides support for Layer 2 bridging and Layer 3 IP routing on the same interface. IRB enables you to route packets to another routed interface or to another VLAN that has a Layer 3 protocol configured. IRB interfaces enable the device to recognize packets that are being sent to local addresses so that they are bridged (switched) whenever possible and are routed only when necessary. Whenever packets can be switched instead of routed, several layers of processing are eliminated. An interface named irb functions as a logical router on which you can configure a Layer 3 logical interface for a VLAN. For redundancy, you can combine an IRB interface with implementations of the Virtual Router Redundancy Protocol (VRRP) in both bridging and virtual private LAN service (VPLS) environments.
To configure an IRB interface:
1. Create a Layer 2 VLAN by assigning it a name and a VLAN ID:
[edit]
user@host# set vlans vlan-name vlan-id vlan-id
2. Create an IRB logical interface:
[edit]
user@host# set interfaces irb unit logical-unit-number family inet address ip-address
3. Associate the IRB interface with the VLAN:
[edit]
user@host# set vlans vlan-name l3-interface irb.logical-unit-number
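The following is an added example, not from this guide, that carries the preceding ELS procedures (VLAN, native VLAN ID, Layer 2 trunk and access interfaces, Layer 3 interface, and IRB) through on one switch in working form. Interface names, VLAN names and IDs, and addresses are assumptions. The native VLAN is deliberately a dedicated VLAN that carries no hosts, so untagged frames arriving on the trunk can never be delivered into a data VLAN; as the procedure requires, that VLAN is also listed in the trunk's membership. Lines beginning with # are annotations.

```junos
# Added example (assumed names): ELS Layer 2 and Layer 3 configuration on an EX or QFX switch.

# 1. VLANs, including one VLAN created from an ID range and a dedicated native VLAN.
set vlans data-10 vlan-id 10
set vlans data-20 vlan-id 20
set vlans servers vlan-id-list 100-103
set vlans native-unused vlan-id 999

# 2. Trunk toward another switch. Tagged frames for data-10/data-20 are accepted; untagged data
#    frames are placed in VLAN 999, which has no hosts, so an untagged frame cannot reach a data VLAN.
#    The native VLAN must be a member of the trunk, otherwise untagged frames are dropped.
set interfaces ge-0/0/0 native-vlan-id 999
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members [ data-10 data-20 native-unused ]

# 3. Access interface for an end host: exactly one VLAN, assigned to the untagged frames it receives.
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members data-10

# 4. Routed Layer 3 interface: no ethernet-switching family, an IPv4 and an IPv6 address on the unit.
set interfaces ge-0/0/2 unit 0 family inet address 192.0.2.1/30
set interfaces ge-0/0/2 unit 0 family inet6 address 2001:db8:0:2::1/64

# 5. IRB as the Layer 3 gateway for data-10: create the logical unit, then bind it to the VLAN.
set interfaces irb unit 10 family inet address 192.168.10.1/24
set vlans data-10 l3-interface irb.10
```

After committing, show ethernet-switching interfaces confirms the mode and VLAN membership of each port, and show vlans lists irb.10 as the Layer 3 interface of data-10. A VLAN defined with vlan-id-list (servers above) spans several IDs and therefore cannot be given an l3-interface; give each routed VLAN its own single vlan-id.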
Configuring an Aggregated Ethernet Interface and Configuring LACP on That Interface
Use the link aggregation feature to aggregate one or more links to form a virtual link or link aggregationgroup (LAG). The MAC client can treat this virtual link as if it were a single link to increase bandwidth,provide graceful degradation as failure occurs, and increase availability.
To configure an aggregated Ethernet interface:
1. Specify the number of aggregated Ethernet interfaces to be created:
[edit chassis]
user@host# set aggregated-devices ethernet device-count number
2. Specify the name of the link aggregation group interface:
[edit]
user@host# set interfaces aex
3. Specify the minimum number of links for the aggregated Ethernet interface (aex)– that is, the definedb