Juniper EX Series Switch Workshop Notes Part I
Last week I attended the EX Series Switch Workshop held by Juniper. There was a lot of content and limited time, so I typed up the key points as I listened, and I'm sharing them here. It helps to have a basic understanding of JUNOS first, otherwise the commands in my notes may be hard to follow (in fact this was also my first experience with JUNOS, but with a Cisco IOS command background it only takes a little extra time to get up to speed on JUNOS).
If there are any errors in my notes, please feel free to correct me. Thanks!
===============================================================================
Juniper Switch:
Model
EX3200
EX4200 (Virtual Chassis - 128G backplane / redundant power)
EX8200 (Q4)
(all Layer 3 capable)
48-port PoE model needs a 930W power supply
10G XFP uplink ports can be used for Virtual Chassis
EtherChannel not supported yet
One Active / One Standby
USB - internal storage / firmware upgrade
Virtual Management Ethernet (VME)
IPv6/MPLS in the future (hardware ready)
NSM (Network and Security Manager; all platforms will use this management interface)
PFE (Packet Forwarding Engine)
One EX-PFE controls 24 ports
2 * VCP (Virtual Chassis Port), 64G each (32G TX / 32G RX) = 128G VCB (Virtual Chassis Backplane)
EX3200-24x/48x: the last 4 ports are combo ports shared with SFP
Extract the Layer 2 header, then re-write the Layer 2 header onto the original packet
================================================================================
Ethernet switching table, aka MAC address table / FDB (Forwarding Database)
"default" VLAN = null (untagged) vlan-id
>family ethernet-switching (Layer 2)
>family inet (Layer 3)
>show ethernet-switching interfaces => check trunk and switch port status
>show ethernet-switching table => MAC table
>show vlans
RVI (Routed VLAN Interface) = VLAN interface
LAG (Link Aggregation Group), aka Aggregated Ethernet (ae)
802.3ad LACP (Link Aggregation Control Protocol)
Up to 8 ports per group
.EX3200: 32 groups
.EX4200: 64 groups
Ports do not have to be contiguous
SW hashing: not configurable yet
>show interfaces ae0
===============================================================================
IEEE reserved MAC address for BPDUs - 01:80:C2:00:00:00
Juniper supports CST (Common Spanning Tree)
ESWD (Ethernet Switching Daemon, eswd)
PVST+ on VLAN 1 always sends BPDUs to the IEEE STP multicast address (01:80:c2:00:00:00)
- interoperates with IEEE 802.1D
PVST+ sends BPDUs on other VLANs to Cisco's reserved multicast address (01:00:0c:cc:cc:cd)
IEEE 802.1w (Rapid Spanning Tree Protocol, RSTP)
- BPDU Version field = 0x02
- Alternate Port
- Backup Port
A switch that does not support RSTP ignores RSTP BPDUs; an RSTP switch that receives legacy 802.1D BPDUs on a port reverts to sending 802.1D BPDUs on that port.
IEEE 802.1s (Multiple Spanning Tree Protocol, MSTP)
- maps multiple VLANs to one or more instances
- Max of 64 instances
- Backward compatible with STP and RSTP via CST (Common Spanning Tree)
- CST spans all MST regions
- MSTI (Multiple Spanning Tree Instance)
#edit protocols mstp
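The BPDU details above (IEEE vs. Cisco PVST+ destination address, the version byte that separates 802.1D from RSTP/MSTP) are easiest to see on a raw frame. The following is an added example, not code from the workshop or from Juniper: it builds and decodes Configuration/RST BPDUs and flags one that arrives on a host-facing port, which is the condition a BPDU-protection feature would act on. All frames, MAC addresses and the "host-facing" port flag are constructed for the demo.

```python
"""Added example, not from the workshop notes: decode an 802.1D/802.1w BPDU
from a raw 802.3 frame, distinguishing the IEEE destination (01:80:C2:00:00:00,
used by STP/RSTP/MSTP and by PVST+ on VLAN 1) from Cisco's PVST+ destination
(01:00:0C:CC:CC:CD), and flag BPDUs that arrive on host-facing ports.
All frames here are constructed for the demo."""
import struct
from typing import Optional

IEEE_STP_MAC = bytes.fromhex("0180c2000000")    # 01:80:C2:00:00:00
CISCO_PVST_MAC = bytes.fromhex("01000ccccccd")  # 01:00:0C:CC:CC:CD
LLC_STP = b"\x42\x42\x03"                       # DSAP/SSAP 0x42, UI control
SNAP_PVST = b"\xaa\xaa\x03" + b"\x00\x00\x0c" + b"\x01\x0b"  # SNAP, Cisco OUI, PVST+ PID
SRC_MAC = bytes.fromhex("00005e005301")         # constructed sender address
BPDU_VERSION = {0: "STP (802.1D)", 2: "RSTP (802.1w)", 3: "MSTP (802.1s)"}
BPDU_TYPE = {0x00: "Configuration", 0x02: "RST/MST", 0x80: "TCN"}


def build_bpdu(dst: bytes, version: int, root_mac: bytes, root_priority: int = 32768) -> bytes:
    """Build a Configuration (version 0) or RST (version 2) BPDU frame."""
    root_id = struct.pack("!H", root_priority) + root_mac
    bpdu_type = 0x02 if version == 2 else 0x00
    # proto ID, version, type, flags, root ID, root path cost, bridge ID, port ID,
    # message age, max age (20s), hello (2s), forward delay (15s); timers in 1/256 s
    body = struct.pack("!HBBB8sI8sHHHHH", 0, version, bpdu_type, 0, root_id, 0,
                       root_id, 0x8001, 0, 20 << 8, 2 << 8, 15 << 8)
    if version == 2:
        body += b"\x00"            # Version 1 Length field present in RST BPDUs
    payload = (SNAP_PVST if dst == CISCO_PVST_MAC else LLC_STP) + body
    return dst + SRC_MAC + struct.pack("!H", len(payload)) + payload


def parse_bpdu(frame: bytes) -> Optional[dict]:
    """Return BPDU fields, or None when the frame is not a BPDU we recognise."""
    if len(frame) < 18:
        return None
    dst = frame[:6]
    if dst == IEEE_STP_MAC:
        flavour = "IEEE"
    elif dst == CISCO_PVST_MAC:
        flavour = "PVST+"
    else:
        return None
    if frame[14:17] == LLC_STP:          # IEEE BPDUs ride directly on LLC
        body = frame[17:]
    elif frame[14:22] == SNAP_PVST:      # PVST+ BPDUs use a SNAP header
        body = frame[22:]
    else:
        return None
    if len(body) < 4:
        return None
    proto_id, version, bpdu_type = struct.unpack("!HBB", body[:4])
    if proto_id != 0:
        return None
    info = {"flavour": flavour,
            "version": BPDU_VERSION.get(version, "unknown(%d)" % version),
            "type": BPDU_TYPE.get(bpdu_type, "unknown(0x%02x)" % bpdu_type)}
    if bpdu_type in (0x00, 0x02) and len(body) >= 35:
        flags, root_id, cost, bridge_id, port_id = struct.unpack("!B8sI8sH", body[4:27])
        info.update(root_priority=struct.unpack("!H", root_id[:2])[0],
                    root_mac=root_id[2:].hex(":"), root_path_cost=cost,
                    bridge_mac=bridge_id[2:].hex(":"), port_id=port_id,
                    topology_change=bool(flags & 0x01))
    return info


def edge_port_bpdu_alert(port: str, host_facing: bool, frame: bytes) -> Optional[str]:
    """A BPDU on a host-facing (edge) port means a rogue or misconfigured bridge;
    BPDU-protection features react to exactly this by blocking the port."""
    bpdu = parse_bpdu(frame)
    if bpdu is None or not host_facing:
        return None
    return ("%s: %s %s BPDU on edge port, claims root %s (priority %d)"
            % (port, bpdu["flavour"], bpdu["version"], bpdu.get("root_mac"),
               bpdu.get("root_priority", -1)))
```

A low root priority in a BPDU from an access port is the classic sign of someone trying to become root bridge and pull traffic through their box; the alert string carries the claimed root identity so the event is actionable.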
===============================================================================
Redundant Trunk Group (RTG)
RTG and STP are mutually exclusive on a given port
Maximum number of RTGs per system / Virtual Chassis is 16
===============================================================================
Virtual Chassis:
Master Routing Engine (RE0)
Backup Routing Engine (RE1)
Virtual Chassis Control Protocol daemon (vccpd)
Master (highest priority)
Backup (next-highest priority)
Linecard (lowest priority)
Member ID (0~9)
Individual Ethernet management ports (me0)
- on member switches
Single L3 virtual management interface (vme)
- always follows the Master RE
GRES (Graceful Routing Engine Switchover)
NSR (Nonstop Routing) (system default)
FRS (First Revenue Ship, the initial release)
GRE tunnel port mirroring not supported yet
===============================================================================
Power over Ethernet (PoE)
- IEEE 802.3af
- Power Sourcing Equipment (PSE)
- Powered Device (PD)
- class 0 (15.4 watts)
- class 1 (4 watts)
- class 2 (7 watts)
- class 3 (15.4 watts)
- class 4 (reserved for future expansion)
If redundant power supplies have mismatched ratings, the switch uses the lower rating for its output
Voice VLAN
- supports CoS (IEEE 802.1p)
- Native VLAN (untagged) carries data
- Voice VLAN (tagged) carries voice
LLDP (Link Layer Discovery Protocol)
IEEE 802.1AB-2005
The Link Layer Discovery Protocol (LLDP) is a vendor-neutral Layer 2 protocol that allows a network device to advertise its identity and capabilities on the local network.
LLDP-MED (Link Layer Discovery Protocol - Media Endpoint Discovery)
LLDP-MED is an enhancement to LLDP designed to allow for things such as:
- Auto-discovery of LAN policies (such as VLAN, Layer 2 priority and DiffServ settings), leading to "plug and play" networking.
- Device location discovery to allow creation of location databases and, in the case of VoIP, E911 services.
- Extended and automated power management of Power over Ethernet endpoints.
- Inventory management, allowing network administrators to track their network devices and determine their characteristics (manufacturer, software and hardware versions, serial/asset number).
LLDP-MED was formally approved and published as the standard ANSI/TIA-1057 by the Telecommunications Industry Association (TIA) in April 2006.
Multicast MAC address: 01-80-C2-00-00-0E
Ethertype: 88-CC
CDP (Cisco Discovery Protocol)
Multicast MAC address: 0100.0ccc.cccc
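Everything LLDP advertises (chassis ID, port, system name and description, LLDP-MED policy) is sent unauthenticated to a link-local multicast address, so it is readable by any host on the segment. The following added example, not from the workshop or from Juniper, builds and decodes an LLDP frame with the TLV encoding used by 802.1AB and shows what a listener recovers from it. The MAC addresses, system name and description are constructed; the LLDP-MED TLV bytes are a constructed capabilities TLV under the TIA OUI 00-12-BB.

```python
"""Added example, not from the workshop notes: build and decode an LLDP frame
(destination 01:80:C2:00:00:0E, Ethertype 0x88CC) and summarise what any
device on the link learns from it. The frame contents are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

LLDP_MAC = bytes.fromhex("0180c200000e")
LLDP_ETHERTYPE = 0x88CC
LLDP_MED_OUI = bytes.fromhex("0012bb")   # TIA OUI carried by LLDP-MED org-specific TLVs
SRC_MAC = bytes.fromhex("00005e005301")  # constructed sender address
TLV_NAMES = {0: "End", 1: "Chassis ID", 2: "Port ID", 3: "TTL", 4: "Port Description",
             5: "System Name", 6: "System Description", 7: "Capabilities",
             8: "Management Address", 127: "Organizationally Specific"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """One TLV: 7-bit type and 9-bit length share a 16-bit header."""
    if tlv_type > 127 or len(value) > 511:
        raise ValueError("TLV type/length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(chassis_mac: bytes, port_name: str, sysname: str,
                     sysdesc: str, ttl: int = 120) -> bytes:
    body = (tlv(1, b"\x04" + chassis_mac)            # chassis ID subtype 4 = MAC address
            + tlv(2, b"\x05" + port_name.encode())    # port ID subtype 5 = interface name
            + tlv(3, struct.pack("!H", ttl))
            + tlv(5, sysname.encode())
            + tlv(6, sysdesc.encode())
            + tlv(127, LLDP_MED_OUI + b"\x01\x00\x0f\x04")  # LLDP-MED capabilities (subtype 1), constructed
            + tlv(0, b""))
    return LLDP_MAC + SRC_MAC + struct.pack("!H", LLDP_ETHERTYPE) + body


def parse_lldp(frame: bytes) -> Optional[List[Tuple[int, bytes]]]:
    """Split an LLDP frame into (type, value) pairs; None if not LLDP or truncated."""
    if len(frame) < 14 or frame[:6] != LLDP_MAC or frame[12:14] != struct.pack("!H", LLDP_ETHERTYPE):
        return None
    tlvs, off = [], 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(frame):
            return None                      # length runs past the frame: malformed
        tlvs.append((tlv_type, frame[off:off + length]))
        off += length
        if tlv_type == 0:
            break
    return tlvs


def summarize(tlvs: List[Tuple[int, bytes]]) -> Dict[str, object]:
    """What an LLDP listener learns: identity, port, timer and vendor extensions."""
    out: Dict[str, object] = {}
    for tlv_type, value in tlvs:
        if tlv_type == 1 and value[:1] == b"\x04":
            out["chassis_id"] = value[1:].hex(":")
        elif tlv_type == 2:
            out["port_id"] = value[1:].decode(errors="replace")
        elif tlv_type == 3:
            out["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type in (5, 6):
            out[TLV_NAMES[tlv_type].lower().replace(" ", "_")] = value.decode(errors="replace")
        elif tlv_type == 127 and value[:3] == LLDP_MED_OUI:
            out.setdefault("lldp_med_subtypes", []).append(value[3])
    return out
```

The parser refuses a frame whose TLV length field runs past the end rather than silently using what it can; the same length-versus-buffer check is where real LLDP stacks have had parsing bugs, so it is worth making explicit. The system description field is also where software version strings end up, which is useful for inventory and equally useful for anyone fingerprinting the switch.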
===============================================================================
DHCP snooping
- all access ports are untrusted by default
- all trunk ports are trusted by default
DAI (Dynamic ARP Inspection)
- trunk ports bypass DAI
- DHCP snooping is required (DAI validates ARP against the snooping bindings)
- enabled/disabled per VLAN
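The DHCP snooping and DAI rules above, modelled end to end as an added example (not workshop or Juniper code): bindings are learned only from DHCP server replies on trusted ports, ARP on untrusted access ports is checked against those bindings per VLAN, and trunk ports bypass the check. Port names, MAC and IP addresses are constructed.

```python
"""Added example, not from the workshop notes: the checks DHCP snooping and
Dynamic ARP Inspection apply, modelled in Python. Port roles, bindings and
ARP packets below are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                       # "access" or "trunk"
    vlan: int
    trusted: Optional[bool] = None  # None -> default: trunk trusted, access untrusted

    def is_trusted(self) -> bool:
        return self.trusted if self.trusted is not None else self.mode == "trunk"


class Snooper:
    def __init__(self, dai_vlans: Iterable[int]):
        # (vlan, client MAC) -> (leased IP, port the lease was seen on)
        self.bindings: Dict[Tuple[int, str], Tuple[str, str]] = {}
        self.dai_vlans = set(dai_vlans)

    def dhcp_server_reply(self, port: Port, client_mac: str, offered_ip: str) -> bool:
        """Learn a binding from a DHCP OFFER/ACK, but only if it came in on a
        trusted port; a server reply on an untrusted port is a rogue server."""
        if not port.is_trusted():
            return False
        self.bindings[(port.vlan, client_mac)] = (offered_ip, port.name)
        return True

    def inspect_arp(self, port: Port, sender_mac: str, sender_ip: str) -> str:
        """DAI verdict for an ARP packet: trunk ports and VLANs without DAI
        bypass it; otherwise the sender MAC/IP must match a snooping binding."""
        if port.mode == "trunk" or port.vlan not in self.dai_vlans:
            return "forward"
        binding = self.bindings.get((port.vlan, sender_mac))
        if binding is None or binding[0] != sender_ip:
            return "drop"   # spoofed gateway or unknown host
        return "forward"
```

Statically addressed hosts on a DAI-enabled VLAN have no snooping binding and will be dropped exactly like spoofers, so they need static bindings (or to be placed on a VLAN where DAI is off) before DAI is turned on in production.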
EAPOL (Extensible Authentication Protocol over LAN)
IEEE 802.1X supplicant modes
- Single
- Single-Secure
- Multiple
Guest VLAN
- when 802.1X authentication fails
- when the client does not respond to 802.1X
VSA (Vendor-Specific Attributes)
Firewall ACLs
- Port-based ACL
- VLAN-based ACL
- Router-based ACL
Firewall Filter (FF)
- Input
Port FF => VLAN FF => Router FF
- Output
Router FF => VLAN FF => Port FF (Port FF not supported yet)
===============================================================================
Port Mirror
- physical ports (ingress/egress)
- VLANs (ingress only)
- tunnel interface (in the future)
- Local Analyzer (L2 header is not modified)
- Remote Analyzer (the original VLAN tag is kept and an outer tag for the intermediate VLAN used to transport the mirrored packets is added)
One port-mirroring session per system (so far)
- 1 destination port
- 1 VLAN
- 1 tunnel (in the future)
===============================================================================
QoS (Quality of Service)
- L2 CoS (Class of Service, 802.1p)
- L3 ToS (Type of Service / DSCP)
FC (Forwarding Class)
LP (Loss Priority)
Supports 8 queues per port (network, CPU and VCP (Virtual Chassis Port))
16 FCs
Default:
4 FCs
BE (Best-Effort) (Queue 0),
AF (Assured-Forwarding) (Queue 1),
EF (Expedited-Forwarding) (Queue 5),
NC (Network Control) (Queue 7)
PFEM (Packet Forwarding Engine Manager)
>show cos forwarding-class table
>show halp-cos qos-attribs profile all
BA (Behavior Aggregate) classifier
- L2 access port: default is "untrust"
- L2 trunk port: default is "trust 802.1p"
- L3 physical interface: default is "trust DSCP"
#set class-of-service classifiers ..
>show class-of-service classifier name ..
>show cos classifier
CoS Traffic Policing
- limits inbound transmission (ingress rate limiting)
- ACL (firewall filter) based traffic policing
- 1-rate 2-color policers
. single token bucket
. traffic within CIR (Committed Information Rate) + CBS (Committed Burst Size) is "in-profile" and passed through
. traffic exceeding CIR + CBS is "out-of-profile" and dropped
# set firewall policer QOS if-exceeding bandwidth-limit 64000 burst-size-limit 128
# set interfaces ge-0/0/16 unit 0 family inet filter ..
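The single-token-bucket policer, as an added example (not workshop or Juniper code) that makes the CIR/CBS behaviour concrete. It assumes the policer's action is `then discard`, which the notes do not show; `bandwidth-limit` is taken in bits per second and `burst-size-limit` in bytes, and the packet arrivals are constructed.

```python
"""Added example, not from the workshop notes: a single-token-bucket,
one-rate two-colour policer like `firewall policer ... if-exceeding
bandwidth-limit / burst-size-limit` with `then discard`. Arrivals are
constructed (time in seconds, packet length in bytes)."""
from typing import Iterable, List, Tuple


class SingleRatePolicer:
    def __init__(self, bandwidth_limit_bps: int, burst_size_bytes: int):
        self.rate = bandwidth_limit_bps / 8.0   # CIR converted to bytes per second
        self.cbs = burst_size_bytes              # bucket depth = CBS
        self.tokens = float(burst_size_bytes)    # bucket starts full
        self.last = 0.0

    def offer(self, t: float, length: int) -> str:
        """Refill tokens for the elapsed time (capped at CBS), then colour the packet."""
        elapsed = max(0.0, t - self.last)
        self.tokens = min(float(self.cbs), self.tokens + elapsed * self.rate)
        self.last = t
        if length <= self.tokens:
            self.tokens -= length
            return "green"   # in-profile: passed through
        return "red"         # out-of-profile: dropped


def police(policer: SingleRatePolicer, arrivals: Iterable[Tuple[float, int]]) -> List[str]:
    """Colour a whole arrival sequence in order."""
    return [policer.offer(t, length) for t, length in arrivals]
```

Because a two-colour policer never lends tokens, a packet longer than the CBS is red forever: with the `burst-size-limit 128` from the notes, a 1500-byte frame can never pass no matter how idle the link has been, so in practice the burst size must be at least a full frame and usually several.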
PFE (Packet Forwarding Engine)
- packet memory consists of fixed-length 256-byte buffers
Egress Queueing and Scheduling
SP (Strict Priority)
SDWRR (Shaped Deficit Weighted Round Robin)
- the SP queue must always be the highest-numbered queue
- tail-drop
#set class-of-service drop-profiles ..
#set class-of-service schedulers ..
#run show class-of-service scheduler-map
>show halp-cos scheduler dev 0 port 21
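How a strict-priority queue and deficit weighted round robin share one port, as an added example (not workshop or Juniper code). The shaping part of SDWRR is left out; the weights, queue depth and quantum are constructed, and the queue numbers follow the notes (SP on the highest-numbered queue, tail-drop when a queue is full).

```python
"""Added example, not from the workshop notes: per-port egress scheduling with
one strict-priority queue drained first and the remaining queues served by
deficit weighted round robin (shaping omitted). Weights, depth, quantum and
packet sizes are constructed for the demo."""
from collections import deque
from typing import Deque, Dict, List, Tuple


class EgressScheduler:
    def __init__(self, weights: Dict[int, int], sp_queue: int, depth: int, quantum: int = 1500):
        # weights: WRR queue number -> weight; the SP queue must be the highest numbered
        if sp_queue <= max(weights):
            raise ValueError("strict-priority queue must be the highest-numbered queue")
        self.queues: Dict[int, Deque[int]] = {q: deque() for q in list(weights) + [sp_queue]}
        self.weights, self.sp, self.depth, self.quantum = weights, sp_queue, depth, quantum
        self.deficit = {q: 0 for q in weights}      # bytes each WRR queue may still send
        self.dropped = {q: 0 for q in self.queues}

    def enqueue(self, q: int, length: int) -> bool:
        """Tail-drop: a packet arriving at a full queue is discarded."""
        if len(self.queues[q]) >= self.depth:
            self.dropped[q] += 1
            return False
        self.queues[q].append(length)
        return True

    def serve_round(self) -> List[Tuple[int, int]]:
        """One scheduling round; returns (queue, length) in transmit order."""
        sent: List[Tuple[int, int]] = []
        # strict priority: the SP queue is emptied before any WRR queue is looked at,
        # so an unpoliced flow in it can starve everything else
        while self.queues[self.sp]:
            sent.append((self.sp, self.queues[self.sp].popleft()))
        for q, weight in self.weights.items():
            if not self.queues[q]:
                self.deficit[q] = 0          # an idle queue does not bank credit
                continue
            self.deficit[q] += weight * self.quantum
            while self.queues[q] and self.queues[q][0] <= self.deficit[q]:
                length = self.queues[q].popleft()
                self.deficit[q] -= length
                sent.append((q, length))
        return sent
```

The two things worth taking from the model: a weight only decides the share of what is left after the SP queue is empty, so anything classified into the SP forwarding class needs a policer in front of it; and tail-drop is per queue, so a full best-effort queue does not touch network-control traffic.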
VC port remapping/scheduling
- not user-configurable (fixed)