Juniper EX Series Switch Workshop 筆記分享 Part II
這一份是大部份我在上課作Lab時Dump下來的指令,其中比較複雜的部份我加上了些許的註釋,希望對各位會有所幫助!
Initial Configuration with DHCP
VLAN
LAG
IEEE 802.1d/802.1w/802.1s Spanning Tree
RTG
Virtual Chassis
IEEE 802.1x Authentication
IEEE 802.1x
OSPF
Loopback interface
LLDP
QoS
Final Configuration
Initial Configuration with DHCP
system {
root-authentication {
encrypted-password "$1$2Ssh2j.s$0vlh/Jv7fu5xpueSmG8O1/"; ## SECRET-DATA
! 設定 root 登入密碼
}
login {
user juniper {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$AGAzBQkY$QWZ8BSLezx0d7Oh0j.NFw."; ## SECRET-DATA
! 設定使用者登入帳號密碼
}
}
}
services {
ssh {
root-login allow;
! 設定 ssh 服務 (此處只啟用 ssh；root-login allow 代表允許 root 直接透過 ssh 登入，屬實驗環境設定)
}
web-management {
http;
! 設定 J-Web access (此處使用 http，為未加密的明文連線)
}
dhcp {
pool 192.168.200.0/24 {
address-range low 192.168.200.101 high 192.168.200.110;
router {
192.168.200.10;
}
}
pool 192.168.3.0/24 {
address-range low 192.168.3.101 high 192.168.3.105;
router {
192.168.3.2;
}
}
}
! 設定 DHCP Server
}
VLAN
root# set vlans Test vlan-id 100
! 設定VLAN 'Test' VLAN id 100
root# run show vlans
Name Tag Interfaces
Test 100
ae0.0, ae1.0, ge-0/0/0.0*, ge-0/0/1.0, ge-0/0/2.0,
ge-0/0/3.0
(* 代表該實體 port 目前有連線)
Trust 300
ae0.0, ae1.0, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0,
ge-0/0/15.0
default
ge-0/0/16.0, ge-0/0/17.0, ge-0/0/21.0, ge-0/0/23.0
vlab 200
ae0.0, ae1.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0,
ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0,
ge-0/0/11.0
# run show system service dhcp
# run show vlans
LAG
root# set chassis aggregated-devices ethernet device-count 2
! 設定此台最多可建立兩個 LAG (aggregated ethernet, ae) interfaces
root# set interfaces ge-0/0/20 ether-options 802.3ad ae1
! 設定 GE-0/0/20 成為LAG Group "ae1"的成員
root# set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
! 設定LAG interface "ae1" 成為 Trunk Port
root# set interfaces ae1 unit 0 family ethernet-switching native-vlan-id 100
! 設定LAG interface ae1 Trunk native-vlan-id 100
root# set interfaces ae1 unit 0 family ethernet-switching vlan members 200
! 設定LAG interface ae1 Trunk 可通過VLAN id 200
IEEE 802.1d/802.1w/802.1s Spanning Tree
root#set protocol stp bridge-priority
root#set protocol stp hello-time
root#set protocol stp max-age
root#set protocol rstp bridge-priority
root#set protocol rstp hello-time
root#set protocol rstp max-age
#set protocols mstp bridge-priority 32k
#set protocols mstp interface ae0.0 cost 1000
#set protocols mstp interface ae0.0 mode point-to-point
#set protocols mstp interface ae1.0 cost 1000
#set protocols mstp interface ae1.0 mode point-to-point
#set protocols mstp msti 1 bridge-priority 8k
#set protocols mstp msti 1 vlan 100
#set protocols mstp msti 2 bridge-priority 4k
#set protocols mstp msti 2 vlan 200 3
>show spanning-tree bridge
>show spanning-tree mstp configuration
>show spanning-tree interface msti
mstp {
bridge-priority 32k;
! 設定本機 bridge priority 32k (32768；與下方 8k=8192、4k=4096 同為 4096 的倍數)
interface ae0.0 {
cost 1000;
mode point-to-point;
! 設定 LAG interface ae0.0 的 path cost 與 point-to-point link type
}
interface ae1.0 {
cost 1000;
mode point-to-point;
! 設定 LAG interface ae1.0 的 path cost 與 point-to-point link type
}
msti 1 {
bridge-priority 8k;
vlan 100;
! 設定MSTP Instance 1 priority 8192, including VLAN 100
}
msti 2 {
bridge-priority 4k;
vlan [ 200 3 ];
! 設定MSTP Instance 2 priority 4096, including VLAN 200, 3
}
}
RTG
#ethernet-switching options redundant-group group-name TEST interface ge-0/0/0.0 primary
#ethernet-switching options redundant-group group-name TEST interface ge-0/0/0.0 (non-active)
#ethernet-switching options redundant-group group-name TEST interface ge-0/0/1.0 (active)
#ethernet-switching options redundant-group group-name TEST interface ge-0/0/0.0
#ethernet-switching options redundant-group group-name TEST interface ge-0/0/1.0 primary (with pre-emption)
>show redundant-trunk-group
>edit protocol mstp
Virtual Chassis
>show virtual-chassis protocol interface
#set preprovisioned member 1 role line-card
#run request virtual-chassis vc-port set pic-slot 1 port 1 member 0
IEEE 802.1x Authentication
access {
radius-server {
192.168.1.10 {
secret "$9$hymcK8-ds4JDwY"; ## SECRET-DATA
timeout 3;
retry 1;
}
}
profile dot1x-lab {
authentication-order radius;
radius {
authentication-server 192.168.1.10;
}
}
}
protocols {
lldp {
interface all;
}
dot1x {
traceoptions {
! trace debug output
file dotxlog;
flag dot1x-debug;
flag eapol;
}
authenticator {
static {
00:16:d3:33:aa:11 {
vlan-assignment 200;
}
}
interface {
ge-0/0/16.0 {
supplicant single-secure;
guest-vlan 3;
}
ge-0/0/17.0 {
supplicant single-secure;
retries 2;
maximum-requests 2;
guest-vlan 3;
}
ge-0/0/21.0 {
supplicant single-secure;
guest-vlan 3;
}
ge-0/0/23.0 {
supplicant single-secure;
guest-vlan 3;
}
}
}
}
}
juniper# run show vlans
Name Tag Interfaces
Test 100
ae0.0, ae1.0, ge-0/0/0.0, ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0
Trust 3
ae0.0, ae1.0, ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0, ge-0/0/23.0*
default
ge-0/0/16.0, ge-0/0/17.0, ge-0/0/21.0, ge-0/0/23.0*
! ge-0/0/23.0 failed IEEE 802.1x authentication, so its VLAN membership was moved to guest VLAN 3 (Trust)
vlab 200
ae0.0, ae1.0, ge-0/0/4.0*, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0,
ge-0/0/10.0, ge-0/0/11.0
IEEE 802.1x
# set protocol dot1x transactions file dotxlog
# set protocol dot1x transactions flag dot1
# run show log
# run monitor start
# run monitor stop
juniper# show ethernet-switching-options
analyzer VLANSPAN {
input {
ingress {
interface ge-0/0/1.0;
interface ge-0/0/2.0;
vlan Trust;
}
egress {
interface ge-0/0/1.0;
interface ge-0/0/2.0;
}
}
output {
interface {
ge-0/0/5.0;
}
}
}
OSPF
juniper# show protocols ospf
area 0.0.0.0 {
interface vlan.100;
interface ge-0/0/15.0;
}
Loopback interface
juniper# set interfaces lo0 unit 0 family inet address 1.1.1.1/32
LLDP
juniper# run show lldp neighbors
LocalInterface Chassis Id Port info System Name
ge-0/0/14.0 00:1f:12:31:c1:40 ge-0/0/14.0 SW-R1
ge-0/0/15.0 00:1f:12:31:c1:40 ge-0/0/15.0 SW-R1
QoS
# set class-of-service forwarding-classes class FF queue-num 5
# set class-of-service forwarding-classes class AF queue-num 1
# set class-of-service forwarding-classes class BE queue-num 0
! 先定義 Traffic Class 對應的 Queue Number (上方第一行的 class FF 應為 EF，與下方 term EF 及 Final Configuration 中的 class EF 一致)
# set firewall family ethernet-switching filter QoS_Class term EF from source-address 192.168.3.200/32
# set firewall family ethernet-switching filter QoS_Class term EF from protocol udp destination-port 1234
# set firewall family ethernet-switching filter QoS_Class term EF then forwarding-class EF loss-priority low
# set firewall family ethernet-switching filter QoS_Class term AF from protocol tcp destination-port 80
# set firewall family ethernet-switching filter QoS_Class term AF then forwarding-class AF loss-priority low
# set firewall family ethernet-switching filter QoS_Class term BE then forwarding-class BE loss-priority high
! 再定義 Filter QoS_Class 整合不同的 Class，依據條件分別 Assign 至這些 Class
# set interfaces ge-0/0/10 unit 0 family ethernet-switching filter input QoS_Class
# set interfaces ge-0/0/11 unit 0 family ethernet-switching filter input QoS_Class
! 在Physical Interface上套用Filter QoS_Class來進行Traffic Classification
# set class-of-service schedulers EF_Schedule priority strict-high
# set class-of-service schedulers AF_Schedule transmit-rate percent 30
# set class-of-service schedulers AF_Schedule priority low
# set class-of-service schedulers BE_Schedule transmit-rate percent 60
# set class-of-service schedulers BE_Schedule priority high
! 定義各 forwarding class 所使用的 scheduler (queue 的 priority 與 transmit-rate 頻寬比例)
# set class-of-service scheduler-maps QoS_SCH_MAP forwarding-class EF scheduler EF_Schedule
# set class-of-service scheduler-maps QoS_SCH_MAP forwarding-class AF scheduler AF_Schedule
# set class-of-service scheduler-maps QoS_SCH_MAP forwarding-class BE scheduler BE_Schedule
! 依據不同的Traffic Class套用之前定義好的scheduler,整合在同一個scheduler-maps QoS_SCH_MAP中
# set class-of-service interfaces ge-0/0/12 scheduler-map QoS_SCH_MAP
# set class-of-service interfaces ge-0/0/13 scheduler-map QoS_SCH_MAP
! 將整合後的scheduler-map套用至physical interface
Final Configuration
juniper# show
## Last changed: 2008-03-06 19:13:27 UTC
version 9.0R2.10;
system {
root-authentication {
encrypted-password "$1$ZlxV3U3G$llcI3VguUsmlwhqbto546."; ## SECRET-DATA
}
radius-server {
192.168.1.10 {
secret "$9$OIDZBcl8LNbYo7-"; ## SECRET-DATA
timeout 5;
}
}
login {
user juniper {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$AGAzBQkY$QWZ8BSLezx0d7Oh0j.NFw."; ## SECRET-DATA
}
}
}
services {
ssh {
root-login allow;
}
web-management {
http;
}
dhcp {
pool 192.168.200.0/24 {
address-range low 192.168.200.101 high 192.168.200.110;
router {
192.168.200.10;
}
}
pool 192.168.3.0/24 {
address-range low 192.168.3.101 high 192.168.3.105;
router {
192.168.3.2;
}
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
}
chassis {
aggregated-devices {
ethernet {
device-count 2;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
filter {
input QoS_Class;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
filter {
input QoS_Class;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members 100;
}
}
}
}
ge-0/0/15 {
unit 0 {
family inet {
address 172.16.15.2/29;
}
}
}
ge-0/0/16 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/17 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/18 {
ether-options {
802.3ad ae0;
}
}
ge-0/0/19 {
ether-options {
802.3ad ae0;
}
}
ge-0/0/20 {
ether-options {
802.3ad ae1;
}
}
ge-0/0/21 {
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
ge-0/0/22 {
ether-options {
802.3ad ae1;
}
}
ge-0/0/23 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/0 {
unit 0 {
family ethernet-switching;
}
}
xe-0/1/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/1 {
unit 0 {
family ethernet-switching;
}
}
xe-0/1/1 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/2 {
unit 0 {
family ethernet-switching;
}
}
ge-0/1/3 {
unit 0 {
family ethernet-switching;
}
}
ae0 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ Test vlab Trust ];
}
}
}
}
ae1 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ 100 3 ];
}
native-vlan-id 200;
}
}
}
vlan {
unit 3 {
family inet {
address 192.168.3.2/24;
}
}
unit 100 {
family inet {
address 192.168.100.2/24;
}
}
unit 200 {
family inet {
address 192.168.200.10/24;
}
}
}
}
protocols {
ospf {
area 0.0.0.0 {
interface vlan.100;
interface ge-0/0/15.0;
}
}
lldp {
interface all;
}
dot1x {
traceoptions {
file dotxlog;
flag dot1x-debug;
flag eapol;
}
authenticator {
authentication-profile-name dot1x-lab;
static {
00:16:d3:33:aa:11 {
vlan-assignment 200;
}
}
interface {
ge-0/0/16.0 {
supplicant single-secure;
guest-vlan 3;
}
ge-0/0/17.0 {
supplicant multiple;
retries 2;
maximum-requests 2;
guest-vlan 3;
}
ge-0/0/21.0 {
supplicant single-secure;
guest-vlan 3;
}
ge-0/0/23.0 {
supplicant single-secure;
supplicant-timeout 10;
guest-vlan 3;
}
}
}
}
mstp {
bridge-priority 32k;
interface ae0.0 {
cost 1000;
mode point-to-point;
}
interface ae1.0 {
cost 1000;
mode point-to-point;
}
msti 1 {
bridge-priority 8k;
vlan 100;
}
msti 2 {
bridge-priority 4k;
vlan [ 200 3 ];
}
}
}
class-of-service {
forwarding-classes {
class EF queue-num 5;
class AF queue-num 1;
class BE queue-num 0;
class NC queue-num 7;
}
interfaces {
ge-0/0/12 {
scheduler-map QoS_SCH_MAP;
}
ge-0/0/13 {
scheduler-map QoS_SCH_MAP;
}
}
scheduler-maps {
QoS_SCH_MAP {
forwarding-class EF scheduler EF_Schedule;
forwarding-class AF scheduler AF_Schedule;
forwarding-class BE scheduler BE_Schedule;
}
}
schedulers {
EF_Schedule {
priority strict-high;
}
BE_Schedule {
transmit-rate percent 60;
priority low;
}
AF_Schedule {
transmit-rate percent 30;
priority low;
}
}
}
firewall {
family ethernet-switching {
filter QoS_Class {
term EF {
from {
source-address {
192.168.3.200/32;
}
protocol udp;
destination-port 1234;
}
then {
forwarding-class EF;
loss-priority low;
}
}
term AF {
from {
protocol tcp;
destination-port 80;
}
then {
forwarding-class AF;
loss-priority low;
}
}
term BE {
then {
forwarding-class BE;
loss-priority high;
}
}
}
}
}
access {
radius-server {
192.168.1.10 {
secret "$9$hymcK8-ds4JDwY"; ## SECRET-DATA
timeout 3;
retry 1;
}
}
profile dot1x-lab {
authentication-order radius;
radius {
authentication-server 192.168.1.10;
}
}
}
ethernet-switching-options {
secure-access-port {
interface ge-0/0/4.0 {
dhcp-trusted;
}
}
analyzer VLANSPAN {
input {
ingress {
interface ge-0/0/1.0;
interface ge-0/0/2.0;
vlan Trust;
}
egress {
interface ge-0/0/1.0;
interface ge-0/0/2.0;
}
}
output {
interface {
ge-0/0/5.0;
}
}
}
}
vlans {
Test {
vlan-id 100;
interface {
ge-0/0/0.0;
ge-0/0/1.0;
ge-0/0/2.0;
ge-0/0/3.0;
}
l3-interface vlan.100;
}
Trust {
vlan-id 3;
interface {
ge-0/0/12.0;
ge-0/0/13.0;
}
l3-interface vlan.3;
}
vlab {
vlan-id 200;
interface {
ge-0/0/4.0;
ge-0/0/5.0;
ge-0/0/6.0;
ge-0/0/7.0;
ge-0/0/8.0;
ge-0/0/9.0;
ge-0/0/10.0;
ge-0/0/11.0;
}
l3-interface vlan.200;
}
}
poe {
interface all;
}
[edit]
juniper#