EX Configs ALL

Complete Software Guide for JUNOS for EX-series Software,
Release 9.0
Juniper Networks, Inc.

1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Part Number: , Revision R1
This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue
Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public
domain.
This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software
included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988,
1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by
Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol.
Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the
University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.
Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service
marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed
to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347,
6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
JUNOS for EX-series Software Complete Software Guide for JUNOS for EX-series Software, Release 9.0
Copyright © 2008, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Writing: Appumon Joseph, Aviva Garrett, Bhargava Y.P, Brian Deutscher, Hareesh Kumar K N, Janet Bein, Keldyn West, Regina Roman, Vinita Kurup
Editing: Cindy Martin
Illustration: Faith Bradford Brown
Cover Design: Christine Nay
Revision History
15 March 2008—Revision R1
The information in this document is current as of the date listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS software has no known time-related limitations through the year
2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the
extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you
indicate that you understand and agree to be bound by those terms and conditions.
Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain
uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details.
For complete product documentation, please see the Juniper Networks Web site at www.juniper.net/techpubs.
ii ■
End User License Agreement
READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING,
INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER
OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS
AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE,
AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are Juniper Networks, Inc. and its subsidiaries (collectively “Juniper”), and the person or organization that
originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).
2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, and updates and
releases of such software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller. “Embedded
Software” means Software which Juniper has embedded in the Juniper equipment.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive
and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use the Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from
Juniper or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer
has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use
such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the
Steel-Belted Radius software on multiple computers requires multiple licenses, regardless of whether such computers are physically contained on a single
chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to
Customer’s use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls,
connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features,
functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing,
temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software
to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable
licenses.
d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer
may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial
period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network.
Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any
commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable
license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall
not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as
necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove
any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of
the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’ or key-restricted
feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even
if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper
to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper
reseller; (i) use the Embedded Software on non-Juniper equipment; (j) use the Software (or make it available for use) on Juniper equipment that the Customer
did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third
party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish
such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer
shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes
restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.
■ iii
7. Ownership. Juniper and Juniper's licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software,
associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in
the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that
accompanies the Software (the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services
may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED
BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,
OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR
JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY
JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW,
JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING
ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER
WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION,
OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether
in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or
if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper
has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same
reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss),
and that the same form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license
granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s
possession or control.
10. Taxes. All license fees for the Software are exclusive of taxes, withholdings, duties, or levies (collectively “Taxes”). Customer shall be responsible for
paying Taxes arising from the purchase of the license, or importation or use of the Software.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign
agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or
without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption
or other capabilities restricting Customer’s ability to export the Software without an export license.
12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure
by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212,
FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface
information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any.
Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable
terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology
are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor
shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the
Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and
subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License
(“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate)
available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194
N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of
the LGPL at http://www.gnu.org/licenses/lgpl.html.
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions
of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties
hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement
constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous
agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a
separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict
with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in
writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the
remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English
version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout
avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be
in the English language)).
iv ■
Table of Contents
About This Topic Collection xxxv
How To Use This Guide ..............................................................................xxxv

List of EX-series Guides for JUNOS 9.0 .......................................................xxxv
Downloading Software ..............................................................................xxxvi
Documentation Symbols Key ...................................................................xxxvii
Documentation Feedback .......................................................................xxxviii
Getting Support .......................................................................................xxxviii
Part 1 JUNOS for EX-series Product Overview
Chapter 1 Product Overview 3
Software Overview ..........................................................................................3

Features in JUNOS Software for EX-series Switches, Release 9.0 ..............3
Hardware ..................................................................................................3
Layer 2 Protocols ......................................................................................4
Layer 3 Protocols ......................................................................................5
Access Control and Port Security ..............................................................5
Firewall Filters ..........................................................................................6
CoS ...........................................................................................................6
Port Mirroring ...........................................................................................6
High Availability ........................................................................................6
Management and RMON ..........................................................................6
Security Features for EX-series Switches Overview ...................................7
High Availability Features for EX-series Switches Overview ......................9
VRRP ........................................................................................................9
Graceful Protocol Restart ........................................................................11
EX 4200 Redundant Routing Engines .....................................................11
EX 4200 GRES ........................................................................................12
Link Aggregation .....................................................................................12
Additional High Availability Features of EX-series Switches ....................12
Understanding Software Infrastructure and Processes ............................13
Routing Engine and Packet Forwarding Engine .......................................13
JUNOS Software Processes ......................................................................14
Supported Hardware .....................................................................................15
EX-series Switch Hardware Overview .....................................................15
EX-series Switch Types ...........................................................................15
EX 3200 Switches ...................................................................................16
EX 4200 Switches ...................................................................................16
Table of Contents ■ v
Complete Software Guide for JUNOS for EX-series Software, Release 9.0
Uplink Modules .......................................................................................17

Power over Ethernet (PoE) Ports .............................................................17
EX 3200 Switch Models ..........................................................................17
EX 4200 Switch Models ..........................................................................18
Part 2 Complete Software Configuration Statement Hierarchy and

Operational Mode Commands
Chapter 2 Complete Software Configuration Statement Hierarchy 23
[edit access] Configuration Statement Hierarchy ...........................................23

[edit chassis] Configuration Statement Hierarchy ..........................................24
[edit class-of-service] Configuration Statement Hierarchy ..............................24
[edit ethernet-switching-options] Configuration Statement Hierarchy ............25
[edit firewall] Configuration Statement Hierarchy .........................................26
[edit interfaces] Configuration Statement Hierarchy ......................................27
[edit poe] Configuration Statement Hierarchy ...............................................28
[edit protocols] Configuration Statement Hierarchy .......................................29
[edit snmp] Configuration Statement Hierarchy ............................................32
[edit virtual-chassis] Configuration Statement Hierarchy ...............................32
[edit vlans] Configuration Statement Hierarchy .............................................32
Part 3 Software User Interfaces
Chapter 3 Command-Line Interface 37
CLI ................................................................................................................37
CLI User Interface Overview ...................................................................37
CLI Overview ..........................................................................................37
CLI Help and Command Completion ......................................................38
CLI Command Modes .............................................................................38
CLI ................................................................................................................39
CLI User Interface Overview ...................................................................39
CLI Overview ..........................................................................................39
CLI Help and Command Completion ......................................................40
CLI Command Modes .............................................................................40
Chapter 4 J-Web Graphical User Interface 43
J-Web Interface .............................................................................................43

J-Web User Interface for EX-series Switches Overview ............................43
Using the CLI Viewer in the J-Web Interface to View Configuration
Text ..................................................................................................45
Using the Point and Click CLI Tool in the J-Web Interface to Edit
Configuration Text ............................................................................45
vi ■ Table of Contents
Table of Contents
Using the CLI Editor in the J-Web Interface to Edit Configuration

Text ..................................................................................................47
Using the CLI Terminal ...........................................................................48
Understanding J-Web Configuration Tools ..............................................48
Starting the J-Web Interface ....................................................................50
Understanding J-Web User Interface Sessions .........................................51
Part 4 Software Installation, Upgrades, and Initial Configuration
Chapter 5 Software Installation and Initial Configuration 55
Software Installation ......................................................................................55

Understanding Software Installation on EX-series Switches ....................55
Overview of the Software Installation Process ........................................56
Installing Software on a Virtual Chassis ...................................................56
Software Package Security ......................................................................56
Troubleshooting Software Installation .....................................................56
Software Installation Package Names ......................................................57
Downloading Software Packages from Juniper Networks ........................57
Installing Software on EX-series Switches with the CLI ...........................58
Installing Software on EX-series Switches with the J-Web Interface ........59
Installing Software Upgrades from a Server with the J-Web Interface .....59
Installing Software Upgrades by Uploading Files with the J-Web
Interface ...........................................................................................60
Connecting and Configuring the EX-series Switch (CLI Procedure) ..........61
Connecting and Configuring the EX-series Switch (J-Web Procedure) ......62
Recovering from a Failed Software Upgrade on an EX-series Switch .......65
EX 3200 and EX 4200 Default Configuration ..........................................66
Understanding Configuration Files for EX-series Switches .......................70
Configuration Files Terms .......................................................................71
Uploading a Configuration File (CLI Procedure) .......................................71
Upload a Configuration File with the J-Web Interface ..............................73
Part 5 System Basics
Chapter 6 Understanding Basic System Concepts 77
Understanding Alarm Types and Severity Levels on EX-series Switches ........77
Chapter 7 Configuring Basic System Functions 79
Configuring Management Access for the EX-series Switch (J-Web

Procedure) ..............................................................................................79
Configuring Date and Time for the EX-series Switch (J-Web Procedure) ........81
Generating SSL Certificates to Be Used for Secure Web Access .....................82
Table of Contents ■ vii

Chapter 8 Administering and Monitoring Basic System Functions 85
Monitoring Hosts Using the J-Web Ping Host Tool .........................................85

Monitoring Switch Control Traffic ..................................................................87
Monitoring Network Traffic Using Traceroute ................................................89
Monitoring System Properties .......................................................................91
Monitoring System Process Information ........................................................92
Rebooting or Halting the EX-series Switch (J-Web Procedure) .......................93
Managing Users (J-Web Procedure) ................................................................94
Managing Log, Temporary, and Crash Files on the Switch (J-Web
Procedure) ..............................................................................................96
Cleaning Up Files ...........................................................................................96
Downloading Files .........................................................................................97
Deleting Files .................................................................................................97
Setting or Deleting the Rescue Configuration (CLI Procedure) .......................98
Setting or Deleting the Rescue Configuration (J-Web Procedure) ...................99
Loading a Previous Configuration File (CLI Procedure) ..................................99
Checking Active Alarms with the J-Web Interface ........................................100
Monitoring System Log Messages ................................................................101
Chapter 9 Troubleshooting Basic System Functions 105
Troubleshooting Loss of the Root Password ................................................105
Chapter 10 Operational Mode Commands for … 109
clear snmp rmon history ...........................................................................1020

show snmp rmon history ..........................................................................1020
Part 6 Virtual Chassis
Chapter 11 Understanding Virtual Chassis 117
Virtual Chassis Concepts .............................................................................117

Virtual Chassis Overview ......................................................................117
Basic Configuration of a Virtual Chassis with Master and Backup
Switches .........................................................................................118
Expanding Configurations—Within a Single Wiring Closet and Across
Wiring Closets ................................................................................118
Global Management of Member Switches in a Virtual Chassis ...............118
High Availability Through Redundant Routing Engines .........................119
Adaptability as an Access Switch or Distribution Switch .......................119
Understanding Virtual Chassis Components ..........................................119
Virtual Chassis Ports (VCPs) ..................................................................120
Master Role ...........................................................................................120
Backup Role ..........................................................................................121
Linecard Role ........................................................................................121
viii ■ Table of Contents

Table of Contents
Member Switch and Member ID ...........................................................122

Mastership Priority ................................................................................122
Virtual Chassis Identifier (VCID) ............................................................123
Understanding How the Master in a Virtual Chassis Is Elected ..............124
Understanding Software Upgrade in a Virtual Chassis ...........................124
Understanding Global Management of a Virtual Chassis .......................125
Understanding Nonvolatile Storage in a Virtual Chassis ........................127
Nonvolatile Memory Features ...............................................................127
Understanding the High-Speed Interconnection of the Virtual Chassis
Members ........................................................................................127
Understanding Virtual Chassis and Link Aggregation ............................128
Understanding Virtual Chassis Configuration ........................................129
Understanding Virtual Chassis EX 4200 Switch Version
Compatibility ..................................................................................130
Chapter 12 Examples of Configuring Virtual Chassis 131
Virtual Chassis Configuration Examples ......................................................131

Example: Configuring a Virtual Chassis with a Master and Backup in a
Single Wiring Closet .......................................................................131
Example: Expanding a Virtual Chassis in a Single Wiring Closet ...........136
Example: Setting Up a Multimember Virtual Chassis Access Switch with
a Default Configuration ..................................................................142
Example: Configuring a Virtual Chassis Interconnected Across Multiple
Wiring Closets ................................................................................147
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between
a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch ............................................................................................156
Example: Configuring Aggregated Ethernet High-Speed Uplinks with
LACP Between a Virtual Chassis Access Switch and a Virtual Chassis
Distribution Switch .........................................................................163
Example: Configuring a Virtual Chassis with a Preprovisioned
Configuration File ...........................................................................169
Table of Contents ■ ix
Chapter 13 Configuring Virtual Chassis 181
Virtual Chassis Configuration Tasks .............................................................181

Configuring a Virtual Chassis (J-Web Procedure) ...................................181
Adding a New Switch to an Existing Virtual Chassis (CLI Procedure) .....182
Adding a New Switch to an Existing Virtual Chassis Within the Same
Wiring Closet ..................................................................................183
Adding a New Switch from a Different Wiring Closet to an Existing Virtual
Chassis ...........................................................................................184
Configuring Mastership of the Virtual Chassis (CLI Procedure) ..............185
Configuring Mastership Using a Preprovisioned Configuration File .......186
Configuring Mastership Using a Nonprovisioned Configuration File ......186
Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) ............187
Setting an Uplink VCP on the Master or on an Existing Member ...........188
Setting an Uplink VCP on a Standalone Switch .....................................189
Configuring the Virtual Management Ethernet Interface for Global
Management of a Virtual Chassis (CLI Procedure) ...........................190
Configuring the Timer for the Backup Member to Start Using Its Own
MAC Address, as Master of Virtual Chassis (CLI Procedure) ............191
Chapter 14 Verifying Virtual Chassis 193
Virtual Chassis Verification Tasks ................................................................193

Verifying the Member ID, Role, and Neighbor Member Connections of
a Virtual Chassis Member ...............................................................193
Verifying That the Virtual Chassis Ports Are Operational .......................194
Monitoring Virtual Chassis Status and Statistics ....................................195
Command Forwarding Usage with Virtual Chassis ................................196
Replacing a Member Switch of a Virtual Chassis (CLI Procedure) ..........199
Remove, Repair, and Reinstall the Same Switch ...................................200
Remove a Member Switch, Replace with a Different Switch, and Reapply
the Old Configuration .....................................................................200
Remove a Member Switch and Make Its Member ID Available for
Reassignment to a Different Switch ................................................201
Chapter 15 Troubleshooting Virtual Chassis 203
Troubleshooting a Virtual Chassis ................................................................203

Clear Virtual Chassis NotPrsnt Status and Make Member ID Available for
Reassignment .......................................................................................203
Load Factory Default Does Not Commit on a Multi-Member Virtual
Chassis ..................................................................................................203
Member ID Persists When Member Switch is Disconnected From Virtual
Chassis ..................................................................................................204
x ■ Table of Contents
Table of Contents
Chapter 16 Configuration Statements for Virtual Chassis 205
Virtual Chassis Configuration Statement Hierarchy .....................................205

[edit chassis] Configuration Statement Hierarchy .................................205
[edit virtual-chassis] Configuration Statement Hierarchy .......................205
Individual Virtual Chassis Configuration Statements ....................................206
mac-persistence-timer ........................................................................1027
mastership-priority .............................................................................1027
member ..............................................................................................1027
no-management-vlan ..........................................................................1027
pre-provisioned ...................................................................................1027
role .....................................................................................................1027
serial-number .....................................................................................1027
traceoptions ........................................................................................1027
virtual-chassis .....................................................................................1027
Chapter 17 Operational Mode Commands for Virtual Chassis 217
Virtual Chassis Commands ..........................................................................217

clear virtual-chassis vc-port statistics .....................................................218
request session member .......................................................................219
request virtual-chassis recycle .............................................................1020
request virtual-chassis vc-port .............................................................1020
request virtual-chassis vc-port .............................................................1020
request virtual-chassis renumber ..........................................................225
show system uptime .............................................................................226
show virtual-chassis active topology .....................................................228
show virtual-chassis status ....................................................................230
show virtual-chassis vc-port ..................................................................232
show virtual-chassis vc-port statistics ....................................................235
Part 7 Interfaces
Chapter 18 Understanding Interfaces 239
EX-series Switches Interfaces Overview ......................................................239

Network Interfaces ......................................................................................239
Special Interfaces ........................................................................................240
Understanding Interface Naming Conventions on EX-series Switches .........241
Physical Part of an Interface Name .............................................................241
Logical Part of an Interface Name ...............................................................242
Wildcard Characters in Interface Names .....................................................243
Understanding Aggregated Ethernet Interfaces and LACP ...........................243
Link Aggregation Group (LAG) .....................................................................243
Link Aggregation Control Protocol (LACP) ...................................................244
Table of Contents ■ xi
Chapter 19 Examples of Configuring Interfaces 245
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a

Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch ...................................................................................................245
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch ...................................................................................................252
Chapter 20 Configuring Interfaces 257
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) ..........................257

Configuring Gigabit Ethernet Interfaces on EX-series Switches (CLI
Procedure) ............................................................................................261
Configuring VLAN Options and Port Mode ..................................................261
Configuring the Link Settings .......................................................................261
Configuring the IP Options ..........................................................................262
Configuring Aggregated Ethernet Interfaces on EX-series Switches (CLI
Procedure) ............................................................................................263
Configuring Link Aggregation (J-Web Procedure) .........................................264
Configuring Aggregated Ethernet LACP on EX-series Switches (CLI
Procedure) ............................................................................................266
Chapter 21 Verifying Interfaces 267
Monitoring Interface Status and Traffic .......................................................267

Verifying the Status of a LAG Interface ........................................................268
Verifying That LACP Is Configured Correctly and Bundle Members Are
Exchanging LACP Protocol Packets .......................................................268
Verifying the LACP Setup ............................................................................268
Verifying That the LACP Packets are Being Exchanged ................................269
Chapter 22 Troubleshooting Interfaces 271
Troubleshooting an Aggregated Ethernet Interface ......................................271

Troubleshooting Disabled or Down Interfaces .............................................271
Disabled ports on EX 3200 switches with a 4-port Gigabit Ethernet uplink
module (EX-UM-4SFP) installed .............................................................271
Port Role Configuration with the J-Web Interface—CLI Reference ...............272
Chapter 23 Configuration Statements for Interfaces 277
Interface Configuration Statement Hierarchy ..............................................277

[edit interfaces] Configuration Statement Hierarchy .............................277
Individual Interface Configuration Statements .............................................278
802.3ad ..............................................................................................1027
auto-negotiation ..................................................................................1027
description ..........................................................................................1027
xii ■ Table of Contents

Table of Contents
ether-options ......................................................................................1027
family .................................................................................................1027
filter ....................................................................................................1027
flow-control ........................................................................................1027
l3-interface ..........................................................................................1027
lacp .....................................................................................................1027
link-mode ...........................................................................................1027
members ............................................................................................1027
mtu .......................................................................................................287
native-vlan-id ......................................................................................1027
periodic ..............................................................................................1027
port-mode ...........................................................................................1027
speed ..................................................................................................1027
translate ..............................................................................................1027
unit .....................................................................................................1027
vlan .....................................................................................................1027
Chapter 24 Operational Mode Commands for Interfaces 295
show interfaces ...........................................................................................296

show interfaces ...........................................................................................306
show interfaces diagnostics optics ...............................................................317
Part 8 Layer 2 Bridging, VLANs, and Spanning Trees
Chapter 25 Understanding Layer 2 Bridging, VLANs, and GVRP 323
Understanding Bridging and VLANs on EX-series Switches ..........................323

Ethernet LANs, Transparent Bridging, and VLANs .......................................323
How Bridging Works ...................................................................................324
Types of Switch Ports ..................................................................................326
IEEE 802.1Q Encapsulation and Tags ..........................................................326
Assignment of Traffic to VLANs ...................................................................326
Bridge Tables ...............................................................................................327
Layer 2 and Layer 3 Forwarding of VLAN Traffic .........................................327
GVRP ...........................................................................................................327
Routed VLAN Interface ................................................................................327
Chapter 26 Examples of Configuring Layer 2 Bridging, VLANs, and GVRP 329
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch ....329
Example: Setting Up Bridging with Multiple VLANs for EX-series
Switches ...............................................................................................336
Example: Connecting an Access Switch to a Distribution Switch .................345
Example: Configure Automatic VLAN Administration Using GVRP ..............355
Table of Contents ■ xiii

Chapter 27 Configuring Layer 2 Bridging, VLANs, and GVRP 365
Configuring VLANs for EX-Series Switches (J-Web Procedure) .....................365

Configuring Routed VLAN Interfaces for EX-series Switches (CLI
Procedure) ............................................................................................367
Configuring MAC Table Aging on EX-series Switches (CLI Procedure) ..........368
Chapter 28 Understanding Spanning Trees 369
Understanding RSTP for EX-series Switches ................................................369

Understanding MSTP for EX-series Switches ...............................................370
Understanding STP for EX-series Switches ..................................................371
Chapter 29 Examples of Configuring Spanning Trees 373
Example: Configuring Faster Convergence and Improving Network Stability

with RSTP on EX-series Switches ..........................................................373
Example: Configuring Network Regions for VLANs with MSTP on EX-series
Switches ...............................................................................................381
Chapter 30 Configuration Statements for Bridging, VLANs, and Spanning

Trees 405
[edit vlans] Configuration Statement Hierarchy ...........................................405

[edit interfaces] Configuration Statement Hierarchy ....................................405
[edit protocols] Configuration Statement Hierarchy .....................................406
bridge-priority .............................................................................................410
cost .............................................................................................................411
description ..................................................................................................412
disable .........................................................................................................412
disable .........................................................................................................428
edge ............................................................................................................414
ethernet-switching-options ........................................................................1011
filter ..........................................................................................................1027
forward-delay ..............................................................................................417
group-name .................................................................................................514
gvrp .............................................................................................................419
hello-time ....................................................................................................420
interface ......................................................................................................421
interface ......................................................................................................515
interface ......................................................................................................423
join-timer ....................................................................................................424
l3-interface ................................................................................................1027
leaveall-timer ...............................................................................................425
leave-timer ..................................................................................................426
mac-table-aging-time .................................................................................1027
max-age ......................................................................................................428
members ...................................................................................................1027
mode ...........................................................................................................430
xiv ■ Table of Contents

Table of Contents
mstp ............................................................................................................431
native-vlan-id .............................................................................................1027
port-mode .................................................................................................1027
priority ........................................................................................................434
redundant-trunk-group ................................................................................516
rstp ..............................................................................................................436
stp ...............................................................................................................437
translate ....................................................................................................1027
vlan ...........................................................................................................1027
vlan-id .......................................................................................................1027
vlans .........................................................................................................1027
Chapter 31 Operational Mode Commands for Bridging, VLANs, and Spanning

Trees 443
clear gvrp statistics ......................................................................................444

clear spanning-tree statistics .......................................................................445
show ethernet-switching interfaces .............................................................446
show ethernet-switching mac-learning-log ...................................................449
show ethernet-switching table .....................................................................451
show gvrp ...................................................................................................456
show gvrp statistics .....................................................................................458
show redundant-trunk-group .......................................................................518
show spanning-tree bridge ..........................................................................461
show spanning-tree interface ......................................................................464
show spanning-tree mstp configuration .......................................................468
show spanning-tree statistics .......................................................................469
show vlans ..................................................................................................470
Part 9 Layer 3 Protocols
Chapter 32 Understanding Layer 3 Protocols 477
DHCP Services for EX-series Switches Overview .........................................477
Chapter 33 Configuring Layer 3 Protocols 479
Configuring BGP Sessions (J-Web Procedure) ...............................................479

Configuring DHCP Services (J-Web Procedure) ............................................480
Configuring an OSPF Network (J-Web Procedure) ........................................483
Configuring a RIP Network (J-Web Procedure) .............................................484
Configuring SNMP (J-Web Procedure) ..........................................................485
Configuring Static Routing (CLI Procedure) ..................................................488
Configuring Static Routes (J-Web Procedure) ...............................................488
Table of Contents ■ xv
Chapter 34 Verifying Layer 3 Protocols 491
Monitoring BGP Routing Information ..........................................................491

Monitoring DHCP Services ..........................................................................493
Monitoring OSPF Routing Information ........................................................494
Monitoring RIP Routing Information ...........................................................497
Monitoring Routing Information ..................................................................498
Part 10 Redundant Trunk Groups
Chapter 35 Understanding Redundant Trunk Groups 503
Understanding Redundant Trunk Links on EX-series Switches ....................503
Chapter 36 Examples of Configuring Redundant Trunk Groups 507
Example: Configuring Redundant Trunk Links for Faster Recovery .............507
Chapter 37 Configuration Statements for Redundant Trunk Groups 513
[edit ethernet-switching-options] Configuration Statement Hierarchy ..........513

group-name .................................................................................................514
interface ......................................................................................................515
redundant-trunk-group ................................................................................516
Chapter 38 Operational Mode Commands for Redundant Trunk Groups 517
show redundant-trunk-group .......................................................................518
Part 11 802.1X, Port Security, and VoIP
Chapter 39 Understanding 802.1X, Port Security, and VoIP 521
802.1X for EX-series Switches Overview .....................................................521

Understanding 802.1X Authentication on EX-series Switches ......................523
Understanding Guest VLANs for 802.1X on EX-series Switches ...................527
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches .....528
Understanding 802.1X and VoIP on EX-series Switches ..............................530
Understanding 802.1X and VSAs on EX-series Switches ..............................533
Understanding Dynamic VLANs for 802.1X on EX-series Switches ..............535
Port Security with DHCP Snooping, DAI, MAC Limiting, and MAC Move
Limiting for EX-series Switches Overview .............................................536
xvi ■ Table of Contents

Table of Contents
Understanding How to Protect Access Ports on EX-series Switches from

Common Attacks ..................................................................................537
Mitigation of Ethernet Switching Table Overflow Attacks ............................537
Mitigation of Rogue DHCP Server Attacks ...................................................538
Protection Against ARP Spoofing Attacks ....................................................538
Protection Against DHCP Snooping Database Alteration Attacks .................538
Protection Against DHCP Starvation Attacks ................................................539
Understanding DHCP Snooping for Port Security on EX-series Switches .....539
DHCP Snooping Basics ................................................................................539
DHCP Snooping Process ..............................................................................540
DHCP Server Access ....................................................................................541
DHCP Snooping Table .................................................................................542
Understanding DAI for Port Security on EX-series Switches ........................543
Address Resolution Protocol ........................................................................543
ARP Spoofing ..............................................................................................544
DAI on EX-series Switches ...........................................................................544
Understanding MAC Limiting and MAC Move Limiting for Port Security on
EX-series Switches ................................................................................545
MAC Limiting ..............................................................................................545
MAC Move Limiting .....................................................................................546
Actions for MAC Limiting and MAC Move Limiting ......................................546
MAC Addresses That Exceed the MAC Limit or MAC Move Limit .................546
Understanding Trusted DHCP Servers for Port Security on EX-series
Switches ...............................................................................................547
Chapter 40 Examples of Configuring 802.1X, Port Security, and VoIP 549
Example: Connecting a RADIUS Server for 802.1X to an EX-series

Switch ...................................................................................................549
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access
to Corporate Visitors on an EX-series Switch .........................................554
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant
Configurations on an EX-series Switch ..................................................559
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series
Switch ...................................................................................................564
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series
Switch ...................................................................................................571
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch ..................................576
Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC
Addresses, to Protect the Switch from Ethernet Switching Table Overflow
Attacks ..................................................................................................584
Example: Configuring a DHCP Server Interface as Untrusted to Protect the
Switch from Rogue DHCP Server Attacks ..............................................588
Example: Configuring MAC Limiting to Protect the Switch from DHCP
Starvation Attacks .................................................................................591
Example: Configuring DHCP Snooping and DAI to Protect the Switch from
ARP Spoofing Attacks ...........................................................................595
Table of Contents ■ xvii

Example: Configuring Allowed MAC Addresses to Protect the Switch from

DHCP Snooping Database Alteration Attacks ........................................599
Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an
EX-series Switch with Access to a DHCP Server Through a Second
Switch ...................................................................................................603
Chapter 41 Configuring 802.1X, Port Security, and VoIP 613
Configuring 802.1X Authentication on EX-series Switches (CLI

Procedure) ............................................................................................614
Configuring the RADIUS Server ...................................................................614
Configuring the 802.1X Exclusion List .........................................................615
Configuring 802.1X Port Settings ................................................................615
Configuring 802.1X Authentication (J-Web Procedure) ................................616
Configuring 802.1X RADIUS Accounting (CLI Procedure) ............................619
Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI
Procedure) ............................................................................................620
Load the Juniper Dictionary .........................................................................621
Configuring Match Conditions and Actions ..................................................622
Combining a Filter-ID with a VSA ................................................................622
Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI
Procedure) ............................................................................................623
Load the Juniper Dictionary .........................................................................623
Configuring Match Conditions and Actions ..................................................624
Combining a Filter-ID with a VSA ................................................................624
Configuring LLDP on EX-series Switches (CLI Procedure) ............................625
Configuring LLDP (J-Web Procedure) ...........................................................626
Configuring LLDP-MED on EX-series Switches (CLI Procedure) ....................627
Configuring VoIP on EX-series Switches (CLI Procedure) .............................629
Configuring Port Security (CLI Procedure) ...................................................630
Configuring Port Security (J-Web Procedure) ...............................................632
Enabling DHCP Snooping on a VLAN (CLI Procedure) .................................634
Enabling DHCP Snooping on a VLAN (J-Web Procedure) .............................635
Enabling a Trusted DHCP Server on an Interface (CLI Procedure) ...............636
Enabling a Trusted DHCP Server on an Interface (J-Web Procedure) ...........636
Enabling DAI on a VLAN (CLI Procedure) .....................................................638
Enabling DAI on a VLAN (J-Web Procedure) ................................................639
Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses,
on an Interface (CLI Procedure) ............................................................640
Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses,
on an Interface (J-Web Procedure) ........................................................641
Configuring MAC Move Limiting on a VLAN (CLI Procedure) .......................643
Configuring MAC Move Limiting on a VLAN (J-Web Procedure) ...................643
Setting the none Action on an Interface to Override a MAC Limit Applied to
All Interfaces .........................................................................................644
Chapter 42 Verifying 802.1X, Port Security, and VoIP 647
Monitoring 802.1X Authentication ..............................................................647

Monitoring Port Security .............................................................................648
xviii ■ Table of Contents

Table of Contents
Verifying That DHCP Snooping Is Working Correctly ...................................649

Verifying That a Trusted DHCP Server Is Working Correctly ........................650
Verifying That DAI Is Working Correctly ......................................................651
Verifying That MAC Limiting Is Working Correctly ......................................652
Verifying That MAC Limiting for Dynamic MAC Addresses Is Working
Correctly ...............................................................................................652
Verifying That Allowed MAC Addresses Are Working Correctly ...................653
Verifying Results of Various Action Settings When the MAC Limit Is
Exceeded ..............................................................................................653
Customizing the Ethernet Switching Table Display to View Information for
a Specific Interface ...............................................................................655
Verifying That MAC Move Limiting Is Working Correctly .............................656
Chapter 43 Configuration Statements for 802.1X, Port Security, and VoIP 659
[edit access] Configuration Statement Hierarchy .........................................659

[edit protocols] Configuration Statement Hierarchy .....................................659
[edit ethernet-switching-options] Configuration Statement Hierarchy ..........662
access ..........................................................................................................664
accounting-server ........................................................................................665
advertisement-interval ................................................................................666
allowed-mac ..............................................................................................1027
arp-inspection ...........................................................................................1027
authentication-order ....................................................................................669
authenticator .............................................................................................1027
authenticator-profile-name ..........................................................................671
authentication-server ...................................................................................672
ca-type ........................................................................................................673
ca-value .......................................................................................................674
civic-based ..................................................................................................681
country-code ...............................................................................................676
dhcp-trusted ..............................................................................................1027
disable .......................................................................................................1027
disable .......................................................................................................1027
disable .......................................................................................................1027
dot1x ...........................................................................................................680
elin ..............................................................................................................681
examine-dhcp ...........................................................................................1027
fast-start ....................................................................................................1027
fast-start ......................................................................................................684
forwarding-class ..........................................................................................685
guest-vlan ....................................................................................................686
hold-multiplier .............................................................................................687
interface ....................................................................................................1027
interface ......................................................................................................689
interface ......................................................................................................690
lldp ..............................................................................................................691
lldp-med ......................................................................................................692
location .....................................................................................................1027
Table of Contents ■ xix

mac-limit ...................................................................................................1027
mac-move-limit .........................................................................................1027
maximum-requests .....................................................................................696
no-reauthentication .....................................................................................696
profile ..........................................................................................................697
quiet-period .................................................................................................698
radius ..........................................................................................................699
reauthentication ..........................................................................................700
retries ..........................................................................................................701
secure-access-port .....................................................................................1027
server-timeout .............................................................................................703
static ...........................................................................................................704
stop-on-access-deny ....................................................................................705
stop-on-failure .............................................................................................705
supplicant ....................................................................................................706
supplicant-timeout .......................................................................................707
traceoptions ..............................................................................................1027
traceoptions ..............................................................................................1027
transmit-delay ...........................................................................................1027
transmit-period ...........................................................................................712
vlan ...........................................................................................................1027
vlan-assignment ..........................................................................................714
voip .............................................................................................................715
what ............................................................................................................716
Chapter 44 Operational Mode Commands for 802.1X, Port Security, and

VoIP 717
clear arp inspection statistics .......................................................................718

clear dhcp snooping binding .......................................................................719
clear dot1x ..................................................................................................720
clear lldp neighbors .....................................................................................721
clear lldp statistics .......................................................................................722
show arp inspection statistics ......................................................................723
show dhcp snooping binding .......................................................................724
show dot1x .................................................................................................725
show dot1x static-mac-address ...................................................................728
show lldp .....................................................................................................729
show lldp local-info .....................................................................................734
show lldp neighbors ....................................................................................736
show lldp statistics ......................................................................................739
show network-access aaa statistics accounting ............................................741
show network-access aaa statistics authentication ......................................743
show network-access aaa statistics dynamic-requests .................................743
xx ■ Table of Contents
Table of Contents
Part 12 Packet Filtering
Chapter 45 Understanding Packet Filtering 747
Firewall Filters for EX-series Switches Overview ..........................................747

Firewall Filter Types ....................................................................................747
Firewall Filter Components .........................................................................748
Firewall Filter Processing .............................................................................748
Understanding Planning of Firewall Filters ..................................................749
Understanding Firewall Filter Processing Points for Bridged and Routed
Packets on EX-series Switches ..............................................................751
Understanding How Firewall Filters Control Packet Flows ...........................753
Firewall Filter Match Conditions and Actions for EX-series Switches ...........754
Understanding How Firewall Filters Are Evaluated ......................................764
Understanding Firewall Filter Match Conditions ..........................................766
Filter Match Conditions ...............................................................................766
Numeric Filter Match Conditions .................................................................766
Interface Filter Match Conditions ................................................................767
IP Address Filter Match Conditions ..............................................................767
MAC Address Filter Match Conditions .........................................................768
Bit-Field Filter Match Conditions ..................................................................768
Understanding How Firewall Filters Test a Packet's Protocol .......................770
Understanding the Use of Policers in Firewall Filters ...................................771
Chapter 46 Examples of Configuring Packet Filtering 773
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
Chapter 47 Configuring Packet Filtering 795
Configuring Firewall Filters (CLI Procedure) .................................................795

Configuring a Firewall Filter ........................................................................795
Applying a Firewall Filter to a Port on a Switch ...........................................798
Applying a Firewall Filter to a VLAN on a Network ......................................799
Applying a Firewall Filter to a Layer 3 (Routed) Interface ............................799
Configuring Firewall Filters (J-Web Procedure) ............................................800
Configuring Policers to Control Traffic Rates (CLI Procedure) ......................804
Configuring Policers ....................................................................................805
Specifying Policers in a Firewall Filter Configuration ...................................806
Applying a Firewall Filter That Is Configured with a Policer .........................806
Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding
Behavior (CLI Procedure) ......................................................................807
Table of Contents ■ xxi

Chapter 48 Verifying Packet Filtering 809
Verifying That Firewall Filters Are Operational ............................................809

Verifying That Policers Are Operational .......................................................810
Monitoring Firewall Filter Traffic .................................................................811
Monitoring Traffic for All Firewall Filters and Policers That Are Configured
on the Switch ........................................................................................811
Monitoring Traffic for a Specific Firewall Filter ............................................811
Monitoring Traffic for a Specific Policer .......................................................812
Chapter 49 Troubleshooting Packet Filtering 813
Troubleshooting Firewall Filters ...................................................................813

Firewall Filter Configuration Returns a No Space Available in TCAM
Message ................................................................................................813
Chapter 50 Configuration Statements for Packet Filtering 817
[edit firewall] Configuration Statement Hierarchy .......................................817

Firewall Filter Configuration Statements Supported by JUNOS Software for
bandwidth-limit .........................................................................................1027
burst-size-limit ...........................................................................................1027
family ........................................................................................................1027
filter ..........................................................................................................1027
filter ..........................................................................................................1027
from ..........................................................................................................1027
if-exceeding ...............................................................................................1027
policer .......................................................................................................1027
term ..........................................................................................................1027
then ...........................................................................................................1027
then ...........................................................................................................1027
Chapter 51 Operational Mode Commands for Packet Filtering 833
clear firewall ..............................................................................................1020

show firewall .............................................................................................1020
show interfaces filters ...............................................................................1020
show interfaces policers ............................................................................1020
show policer ..............................................................................................1020
xxii ■ Table of Contents

Table of Contents
Part 13 CoS
Chapter 52 Understanding CoS 845
JUNOS CoS for EX-series Switches Overview ...............................................845

How JUNOS CoS Works ...............................................................................846
Default CoS Behavior on EX-series Switches ................................................846
Understanding JUNOS CoS Components for EX-series Switches ..................847
Code-Point Aliases .......................................................................................847
Policers .......................................................................................................847
Classifiers ....................................................................................................847
Forwarding Classes .....................................................................................848
Tail Drop Profiles .........................................................................................848
Schedulers ...................................................................................................848
Rewrite Rules ..............................................................................................849
Understanding CoS Code-Point Aliases ........................................................850
Default Code-Point Aliases ...........................................................................850
Understanding CoS Classifiers .....................................................................852
Behavior Aggregate Classifiers .....................................................................853
Default Behavior Aggregate Classification .............................................853
Multifield Classifiers ....................................................................................854
Understanding CoS Forwarding Classes .......................................................854
Default Forwarding Classes .........................................................................855
Understanding CoS Tail Drop Profiles ..........................................................856
Default Drop Profile ....................................................................................856
Understanding CoS Schedulers ....................................................................857
Default Schedulers .......................................................................................857
Transmission Rate .......................................................................................857
Scheduler Buffer Size ...................................................................................858
Priority Scheduling ......................................................................................858
Scheduler Drop-Profile Maps .......................................................................859
Scheduler Maps ...........................................................................................859
Understanding CoS Two-Color Marking .......................................................859
Understanding CoS Rewrite Rules ...............................................................860
Default Rewrite Rule ...................................................................................860
Chapter 53 Examples of Configuring CoS 863
Example: Configuring CoS on EX-series Switches ........................................863
Chapter 54 Configuring CoS 881
Configuring CoS (J-Web Procedure) .............................................................881

Defining CoS Value Aliases (J-Web Procedure) .............................................882
Configuring CoS Code-Point Aliases (CLI Procedure) ....................................884
Configuring CoS Classifiers (CLI Procedure) .................................................885
Defining Classifiers (J-Web Procedure) ........................................................886
Configuring CoS Forwarding Classes (CLI Procedure) ..................................889
Defining Forwarding Classes (J-Web Procedure) ..........................................889
Table of Contents ■ xxiii

Configuring CoS Schedulers (CLI Procedure) ................................................891

Defining Schedulers (J-Web Procedure) .......................................................891
Configuring CoS Tail Drop Profiles (CLI Procedure) .....................................894
Configuring CoS Rewrite Rules (CLI Procedure) ...........................................895
Defining Rewrite Rules (J-Web Procedure) ...................................................896
Assigning CoS Components to Interfaces (CLI Procedure) ...........................898
Assigning CoS Components to Interfaces (J-Web Procedure) .......................898
Chapter 55 Verifying CoS 901
Monitoring CoS Classifiers ...........................................................................901

Monitoring CoS Forwarding Classes ............................................................902
Monitoring Interfaces That Have CoS Components .....................................903
Monitoring CoS Rewrite Rules .....................................................................904
Monitoring CoS Scheduler Maps ..................................................................905
Monitoring CoS Value Aliases ......................................................................907
Chapter 56 Configuration Statements for CoS 909
[edit class-of-service] Configuration Statement Hierarchy ............................909

buffer-size .................................................................................................1027
class ..........................................................................................................1027
class-of-service ..........................................................................................1027
classifiers ..................................................................................................1027
code-point-aliases ......................................................................................1027
code-points ................................................................................................1027
drop-profile-map .......................................................................................1027
dscp ..........................................................................................................1027
forwarding-class ........................................................................................1027
forwarding-class ........................................................................................1027
ieee-802.1 .................................................................................................1027
import .......................................................................................................1027
inet-precedence .........................................................................................1027
interfaces ..................................................................................................1027
loss-priority ...............................................................................................1027
priority ......................................................................................................1027
protocol .....................................................................................................1027
random-early-discard ................................................................................1027
rewrite-rules ..............................................................................................1027
scheduler-map ...........................................................................................1027
scheduler-maps .........................................................................................1027
schedulers .................................................................................................1027
shaping-rate ..............................................................................................1027
transmit-rate .............................................................................................1027
unit ...........................................................................................................1027
Chapter 57 Operational Mode Commands for CoS 937
show class-of-service ...................................................................................938
xxiv ■ Table of Contents

Table of Contents
Part 14 PoE
Chapter 58 Understanding PoE 945
PoE and EX-series Switches Overview .........................................................945

PoE and Power Supply Units in EX-series Switches .....................................945
Classes of Powered Devices ........................................................................946
Global and Specific PoE Parameters ............................................................946
Chapter 59 Examples of Configuring PoE 949
Example: Configuring PoE Interfaces on an EX-series Switch ......................949

Example: Configuring PoE Interfaces with Different Priorities on an EX-series
Switch ...................................................................................................952
Chapter 60 Configuring PoE 957
Configuring PoE on an EX-series Switch (CLI Procedure) .............................957

Configuring PoE (J-Web Procedure) .............................................................958
Chapter 61 Verifying PoE 961
Monitoring PoE ...........................................................................................961

Verifying Status of PoE Interfaces on an EX-series Switch ...........................962
Chapter 62 Configuration Statements for PoE 963
[edit poe] Configuration Statement Hierarchy .............................................963

disable .......................................................................................................1027
duration ....................................................................................................1027
guard-band ................................................................................................1027
interface ....................................................................................................1027
interval ......................................................................................................1027
management .............................................................................................1027
maximum-power .......................................................................................1027
priority ......................................................................................................1027
telemetries ................................................................................................1027
Chapter 63 Operational Mode Commands for PoE 971
show poe controller .....................................................................................972

show poe interface ......................................................................................974
show poe telemetries interface ....................................................................976
Table of Contents ■ xxv

Part 15 Port Mirroring
Chapter 64 Understanding Port Mirroring 981
Port Mirroring on EX-series Switches Overview ...........................................981

Port Mirroring Overview ..............................................................................981
Limitations of Port Mirroring .................................................................982
Port Mirroring Terminology .........................................................................983
Chapter 65 Examples of Configuring Port Mirroring 985
Example: Configuring Port Mirroring for Local Monitoring of Employee

Resource Use on EX-series Switches .....................................................985
Example: Configuring Port Mirroring for Remote Monitoring of Employee
Resource Use on EX-series Switches .....................................................992
Chapter 66 Configuring Port Mirroring 999
Configuring Port Mirroring to Analyze Traffic on EX-Series Switches (CLI

Procedure) ............................................................................................999
Configuring Port Mirroring for Local Traffic Analysis .................................1000
Configuring Port Mirroring for Remote Traffic Analysis .............................1000
Filtering the Traffic Entering a Port Mirroring Analyzer .............................1001
Configuring Port Mirroring to Analyze Traffic on EX-Series Switches (J-Web
Procedure) ..........................................................................................1003
Chapter 67 Configuration Statements for Port Mirroring 1007
[edit ethernet-switching-options] Configuration Statement Hierarchy ........1007

analyzer ....................................................................................................1027
egress ........................................................................................................1027
ingress .......................................................................................................1027
input .........................................................................................................1027
interface ....................................................................................................1027
loss-priority ...............................................................................................1027
output .......................................................................................................1027
ratio ..........................................................................................................1027
vlan ...........................................................................................................1027
Chapter 68 Operational Mode Commands for Port Mirroring 1019
show analyzer ...........................................................................................1020
xxvi ■ Table of Contents

Table of Contents
Part 16 Network Management
Chapter 69 Configuration Statements for Network Management 1023
[edit snmp] Configuration Statement Hierarchy ........................................1023

bucket-size ................................................................................................1027
history .......................................................................................................1027
interface ....................................................................................................1027
owner ........................................................................................................1027
rmon .........................................................................................................1027
Part 17 Index
Index .........................................................................................................1031
Table of Contents ■ xxvii

xxviii ■ Table of Contents

List of Figures
Figure 1: Basic VRRP on EX-series Switches ..................................................10
Figure 2: VRRP on EX 4200 Virtual Chassis Switches ....................................10
Figure 3: LCD Panel .......................................................................................63
Figure 4: Connecting to the Console Port on the EX-series Switch ...............105
Figure 5: Console Session Redirection .........................................................125
Figure 6: Management Ethernet Port Redirection to VME ............................126
Figure 7: Basic Virtual Chassis with Master and Backup ..............................133
Figure 8: Expanded Virtual Chassis in Single Wiring Closet .........................138
Figure 9: Default Configuration of Multimember Virtual Chassis in a Single
Wiring Closet ........................................................................................143
Figure 10: A Virtual Chassis Interconnected Across Wiring Closets ..............151
Figure 11: Topology for LAGs Connecting a Virtual Chassis Access Switch to
a Virtual Chassis Distribution Switch .....................................................158
Figure 12: Maximum Size Virtual Chassis Interconnected Across Wiring
Closets ..................................................................................................173
Figure 13: Port Numbers on the 24-Port EX-series Switch ...........................242
Figure 14: Port Number on the 48-Port EX-series Switch .............................242
Figure 15: Topology for LAGs Connecting a Virtual Chassis Access Switch to
a Virtual Chassis Distribution Switch .....................................................247
Figure 16: Topology for Connecting an Access Switch to a Distribution
Switch ...................................................................................................347
Figure 17: Network Topology for RSTP ........................................................374
Figure 18: Network Topology for MSTP .......................................................382
Figure 19: Redundant Trunk Group, Link 1 Active .......................................504
Figure 20: Redundant Trunk Group, Link 2 Active .......................................505
Figure 21: Topology for Configuring the Redundant Trunk Links .................509
Figure 22: Example 802.1X Topology .........................................................525
Figure 23: Authentication Process ...............................................................526
Figure 24: VoIP Multiple Supplicant Topology .............................................531
Figure 25: VoIP Single Supplicant Topology .................................................532
Figure 26: DHCP Snooping ..........................................................................541
Figure 27: DHCP Server Connected to Switch ..............................................542
Figure 28: Topology for Configuration .........................................................551
Figure 29: Topology for Guest VLAN Example .............................................556
Figure 30: Topology for Configuring Multiple Supplicant Modes ..................561
Figure 31: VoIP Topology ............................................................................566
Figure 32: Topology for MAC-based Authentication Configuration ...............573
Figure 33: Network Topology for Basic Port Security ...................................600
List of Figures ■ xxix


Figure 39: Network Topology for Port Security Setup with Two Switches on
Same VLAN ...........................................................................................604
Figure 40: Firewall Filter Processing Points in the Packet Forwarding
Path ......................................................................................................752
Figure 41: Application of Firewall Filters to Control Packet Flow .................754
Figure 42: Evaluation of Terms within a Firewall Filter ................................765
Figure 43: Application of Port, VLAN, and Layer 3 Routed Firewall Filters ....775
Figure 44: Packet Flow Across the Network .................................................846
Figure 45: Topology for Configuring CoS .....................................................864
Figure 46: Network Topology for Local Port Mirroring Example ..................986
Figure 47: Remote Port Mirroring Example Network Topology ...................993
xxx ■ List of Figures

List of Tables
Table 1: JUNOS Software Processes ...............................................................14
Table 2: EX 3200 Switch Models ...................................................................18
Table 3: EX 4200 Switch Models ...................................................................18
Table 4: J-Web Interface ................................................................................44
Table 5: J-Web Edit Point & Click Configuration Links ...................................46
Table 6: J-Web Edit Point & Click Configuration Icons ...................................46
Table 7: J-Web Edit Point & Click Configuration Buttons ...............................47
Table 8: Switching Platform Configuration Interfaces ....................................49
Table 9: Configuration Tools Terms ...............................................................50
Table 10: Install Remote Summary ...............................................................60
Table 11: Upload Package Summary .............................................................60
Table 12: Configuration File Terms ...............................................................71
Table 13: Options for the load command ......................................................72
Table 14: Alarm Terms ..................................................................................77
Table 15: Secure Access Configuration Summary ..........................................79
Table 16: Date and Time Settings ..................................................................81
Table 17: J-Web Ping Host Field Summary ....................................................86
Table 18: Packet Capture Field Summary ......................................................87
Table 19: Traceroute field summary ..............................................................90
Table 20: Summary of Key System Properties Output Fields .........................91
Table 21: Summary of System Process Information Output Fields ................92
Table 22: User Management > Add a User Configuration Page
Summary ................................................................................................95
Table 23: Add an Authentication Server ........................................................95
Table 24: Summary of Key Alarm Output Fields .........................................100
Table 25: Filtering System Log Messages .....................................................101
Table 26: Viewing System Log Messages .....................................................103
Table 27: show smp rmon history Output Fields .........................................111
Table 28: Components of the Basic Virtual Chassis Access Switch
Topology ...............................................................................................133
Table 29: Components of the Expanded Virtual Chassis Access Switch .......138
Table 30: Components of a Virtual Chassis Interconnected Across Multiple
Wiring Closets .......................................................................................150
Table 31: Components of the Topology for Connecting Virtual Chassis Access
Switches to a Virtual Chassis Distribution Switch ..................................247
Table 32: Components of a preprovisioned Virtual Chassis Interconnected
Across Multiple Wiring Closets ..............................................................172
Table 33: Virtual Chassis Configuration Fields .............................................182
Table 34: Commands That Can be Run on All or Specific Members of the
Virtual Chassis ......................................................................................197
Table 35: Commands Relevant Only to the Master ......................................199
Table 36: show system uptime virtual-chassis Output Fields .......................226
List of Tables ■ xxxi

Table 37: show virtual-chassis active-topology Output Fields .......................228

Table 38: show virtual-chassis Output Fields .............................................1020
Table 39: show virtual-chassis vc-port Output Fields ...................................232
Table 40: show virtual-chassis vc-port statistics Output Fields .....................235
Table 41: Components of the Topology for Connecting Virtual Chassis Access
Switches to a Virtual Chassis Distribution Switch ..................................247
Table 42: Port Edit Options .........................................................................258
Table 43: Recommended CoS Settings for Port Roles ..................................260
Table 44: VLAN Options ..............................................................................265
Table 45: Port Role Configuration Summary ...............................................272
Table 46: Recommended CoS Settings for Port Roles ..................................275
Table 47: Gigabit Ethernet show interfaces Output Fields ............................296
Table 48: 10-Gigabit Ethernet show interfaces Output Fields .......................306
Table 49: 10-Gigabit Ethernet XFP Optics show interfaces diagnostics optics
Output Fields ........................................................................................317
Table 50: Components of the Basic Bridging Configuration Topology ..........330
Table 51: Components of the Multiple VLAN Topology ................................338
Table 52: Components of the Topology for Connecting an Access Switch to
a Distribution Switch .............................................................................347
Table 53: Components of the GVRP Network Topology ...............................356
Table 54: VLAN Configuration Details ..........................................................366
Table 55: Components of the Topology for Configuring RSTP on EX-series
Switches ...............................................................................................374
Table 56: Components of the Topology for Configuring MSTP on EX-series
Switches ...............................................................................................383
Table 57: show vlans Output Fields .............................................................446
Table 58: show ethernet-switching table Output Fields ................................451
Table 59: show gvrp Output Fields ..............................................................456
Table 60: show gvrp statistics Output Fields ................................................458
Table 61: show redundant-trunk-group Output Fields ..................................518
Table 62: show spanning-tree bridge Output Fields .....................................461
Table 63: show spanning-tree interface Output Fields .................................464
Table 64: show spanning-tree mstp configuration Output Fields .................468
Table 65: show spanning-tree statistics Output Fields .................................469
Table 66: show vlans Output Fields .............................................................739
Table 67: BGP Routing Configuration Summary ..........................................479
Table 68: DHCP Server Configuration Pages Summary ...............................481
Table 69: OSPF Routing Configuration Summary ........................................483
Table 70: RIP Routing Configuration Summary ...........................................484
Table 71: SNMP Configuration Page ............................................................485
Table 72: Static Routing Configuration Summary ........................................489
Table 73: Summary of Key BGP Routing Output Fields ...............................491
Table 74: Summary of DHCP Output Fields .................................................493
Table 75: Summary of Key OSPF Routing Output Fields .............................495
Table 76: Summary of Key RIP Routing Output Fields ................................497
Table 77: Summary of Key Routing Information Output Fields ...................498
Table 78: Components of the Redundant Trunk Link Topology ...................509
Table 79: show redundant-trunk-group Output Fields ..................................518
Table 80: match conditions .........................................................................534
Table 81: action Options .............................................................................534
Table 82: Components of the Topology .......................................................552
xxxii ■ List of Tables

List of Tables
Table 83: Components of the Guest VLAN Topology ...................................557

Table 84: Components of the Basic Bridging Configuration Topology ..........562
Table 85: Components of the VoIP Configuration Topology ........................566
Table 86: Components of the MAC-based Authentication Configuration
Topology ...............................................................................................574
Table 87: Components of the Port Security Topology ..................................600
Table 93: Components of Port Security Setup on Switch 1 with a DHCP Server
Connected to Switch 2 ..........................................................................604
Table 94: RADIUS Server Settings ...............................................................617
Table 95: 802.1X Exclusion List ..................................................................617
Table 96: 802.1X Port Settings ....................................................................618
Table 97: Global Settings .............................................................................626
Table 98: Edit Port Settings .........................................................................627
Table 99: Port Security Settings on VLANs ...................................................632
Table 100: Port Security on Interfaces .........................................................633
Table 101: show arp inspection statistics Output Fields ...............................723
Table 102: show dhcp snooping binding Output Fields ...............................724
Table 103: show dot1x statistics Output Fields ............................................726
Table 104: show dot1x static-mac-address Output Fields ............................728
Table 105: show lldp Output Fields .............................................................729
Table 106: show lldp local-info Output Fields ..............................................734
Table 107: show lldp neighbors Output Fields .............................................736
Table 108: show lldp statistics Output Fields ...............................................739
Table 109: show network-access aaa statistics accounting Output Fields ....741
Table 110: show network-access aaa statistics authentication Output
Fields ....................................................................................................742
Table 111: show network-access aaa statistics dynamic-requests Output
Fields ....................................................................................................743
Table 112: Supported Match Conditions for Firewall Filters on EX-series
Switches ...............................................................................................755
Table 113: Actions for Firewall Filters .........................................................763
Table 114: Action Modifiers for Firewall Filters ...........................................763
Table 115: Actions for Firewall Filters .........................................................769
Table 116: Configuration Components: Firewall Filters ...............................774
Table 117: Configuration Components: VLANs ............................................775
Table 118: Configuration Components: Switch Ports on a 48-Port All-PoE
Switch ...................................................................................................776
Table 119: Create a New Filter ....................................................................801
Table 120: Create a New Term ....................................................................801
Table 121: Term-Advanced Options ............................................................802
Table 122: Supported Options for Firewall Filter Statements .......................818
Table 123: Firewall Filter Statements That Are Not Supported byJUNOS
Software for EX-series switches ............................................................820
Table 124: show firewall Output Fields ......................................................1020
Table 125: show interfaces filters Output Fields ........................................1020
Table 126: show interfaces policers Output Fields .....................................1020
List of Tables ■ xxxiii

Table 127: show policer Output Fields ......................................................1020

Table 128: Default Code-Point Aliases .........................................................850
Table 129: Default BA Classification ............................................................853
Table 130: Default Forwarding Classes ........................................................855
Table 131: Default Packet Header Rewrite Mappings ..................................861
Table 132: Configuration Components: VLANs ............................................865
Table 133: Configuration Components: Switch Ports on a 48-Port All-PoE
Switch ...................................................................................................865
Table 134: CoS Value Aliases Configuration Pages Summary ......................882
Table 135: BA-classifier Loss Priority Assignments ......................................885
Table 136: Classifiers Configuration Page Summary ....................................886
Table 137: Forwarding Classes Configuration Pages Summary ....................890
Table 138: Schedulers Configuration Page Summary ..................................892
Table 139: Scheduler Maps Configuration Page Summary ...........................893
Table 140: Rewrite Rules Configuration Page Summary ..............................896
Table 141: Assigning CoS Components to Interfaces ...................................898
Table 142: Summary of Key CoS Classifier Output Fields ............................901
Table 143: Summary of Key CoS Forwarding Class Output Fields ...............903
Table 144: Summary of Key CoS Interfaces Output Fields ...........................904
Table 145: Summary of Key CoS Rewrite Rules Output Fields .....................905
Table 146: Summary of Key CoS Scheduler Maps Output Fields .................905
Table 147: Summary of Key CoS Value Alias Output Fields .........................907
Table 148: show class-of-service Output Fields ............................................938
Table 149: Class of Powered Device and Power Levels ................................946
Table 150: Components of the PoE Configuration Topology ........................950
Table 151: Components of the PoE Configuration Topology ........................953
Table 152: PoE Edit Settings ........................................................................959
Table 153: System Settings .........................................................................959
Table 154: show poe controller Output Fields .............................................972
Table 155: show poe interface Output Fields ...............................................974
Table 156: show poe telemetries interface Output Fields ............................976
Table 157: Port Mirroring Configuration Settings .......................................1004
Table 158: command-name Output Fields ................................................1020
xxxiv ■ List of Tables

About This Topic Collection
■ How To Use This Guide on page xxxv

■ List of EX-series Guides for JUNOS 9.0 on page xxxv
■ Downloading Software on page xxxvi
■ Documentation Symbols Key on page xxxvii
■ Documentation Feedback on page xxxviii
■ Getting Support on page xxxviii
How To Use This Guide

Complete documentation for EX-series product family is provided on web pages at
http://www.juniper.net/techpubs/en_US/release-independent/information-products/pathway-pages/ex-series/product/index.html.
We have selected content from these web pages and created a number of EX-series
guides that collect related topics into a book-like format so that the information is
easy to print and easy to download to your local computer.
This guide, Complete Software Guide for JUNOS for EX-series Software, Release 9.0,
collects together information about the JUNOS for EX-series Release 9.0 software.
For release-specific information, see the release notes at
http://www.juniper.net/techpubs/en_US/junos9.0/information-products/pathway-pages/ex-series/software/index.html.
List of EX-series Guides for JUNOS 9.0
Title Description
Complete Hardware Guide for EX 3200 and EX 4200 Component descriptions, site preparation, installation, replacement,
Switches and safety and compliance
Complete Software Guide for JUNOS for EX-series Software feature descriptions, configuration examples and tasks, and
Software, Release 9.0 reference pages for configuration statements and operational commands
J-Web User Interface Guide for JUNOS for EX-series How to use the J-Web graphical user interface (GUI) with JUNOS for
Software EX-series software
JUNOS for EX-series Software Release Notes, Release Summary of hardware and software features and known problems with
9.0 the software and hardware
How To Use This Guide ■ xxxv

Downloading Software
You can download the JUNOS for EX-series software from the Download Software
area at http://www.juniper.net/customers/support/. To download the software, you must
have a Juniper Networks user account. For information about obtaining an account,
see http://www.juniper.net/entitlement/setupAccountInfo.do.
xxxvi ■ Downloading Software

About This Topic Collection
Documentation Symbols Key

Icon Notice Icons
Meaning Description
Informational note Indicates important features or instructions.
Caution Indicates a situation that might result in loss of data or hardware damage.
Warning Alerts you to the risk of personal injury or death.
Laser warning Alerts you to the risk of personal injury from a laser.
Text and Syntax Examples

Convention Description
Conventions
Bold text like this Represents text that you type. To enter configuration mode, type the
configure command:
user@host> configure
Fixed-width text like this Represents output that appears on the user@host> show chassis alarms
terminal screen. No alarms currently active
Italic text like this ■ Introduces important new terms. ■ A policy term is a named structure
■ Identifies book names. that defines match conditions and
actions.
■ Identifies RFC and Internet draft
titles. ■ JUNOS System Basics Configuration
Guide
■ RFC 1997, BGP Communities
Attribute
Italic text like this Represents variables (options for which Configure the machine’s domain name:
you substitute a value) in commands or
configuration statements. [edit]
root@# set system domain-name
domain-name
Plain text like this Represents names of configuration ■ To configure a stub area, include
statements, commands, files, and the stub statement at the [edit
directories; IP addresses; configuration protocols ospf area area-id] hierarchy
hierarchy levels; or labels on routing level.
platform components. ■ The console port is labeled
CONSOLE.
< > (angle brackets) Enclose optional keywords or variables. stub <default-metric metric>;
| (pipe symbol) Indicates a choice between the mutually broadcast | multicast

exclusive keywords or variables on either
side of the symbol. The set of choices is (string1 | string2 | string3)
often enclosed in parentheses for clarity.
Documentation Symbols Key ■ xxxvii

# (pound sign) Indicates a comment specified on the rsvp { # Required for dynamic MPLS only
same line as the configuration statement
to which it applies.
[ ] (square brackets) Enclose a variable for which you can community name members [ community-ids
substitute one or more values. ]
Indention and braces ( { } ) Identify a level in the configuration [edit]

hierarchy. routing-options {
static {
route default {
nexthop address;
retain;
}
}
}
; (semicolon) Identifies a leaf statement at a

configuration hierarchy level.
J-Web GUI Conventions

Bold text like this Represents J-Web graphical user ■ In the Logical Interfaces box, select
interface (GUI) items you click or select. All Interfaces.
■ To cancel the configuration, click
Cancel.
> (bold right angle bracket) Separates levels in a hierarchy of J-Web In the configuration editor hierarchy,
selections. select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. Send email to techpubs-comments@juniper.net with the
following:
■ Document URL or title
■ Page number if applicable
■ Software version
■ Your name and company
Getting Support
For technical support, open a support case with the Case Manager link at
http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States, Canada,
or Mexico) or 1-408-745-9500 (from elsewhere).
xxxviii ■ Documentation Feedback

Part 1
JUNOS for EX-series Product Overview
■ Product Overview on page 3
JUNOS for EX-series Product Overview ■ 1

2 ■ JUNOS for EX-series Product Overview

Chapter 1
Product Overview
■ Software Overview on page 3

■ Supported Hardware on page 15
Software Overview
■ Features in JUNOS Software for EX-series Switches, Release 9.0 on page 3
■ Security Features for EX-series Switches Overview on page 7
■ High Availability Features for EX-series Switches Overview on page 9
■ Understanding Software Infrastructure and Processes on page 13
Features in JUNOS Software for EX-series Switches, Release 9.0

Date: 14 March 2008
This page describes the features in Release 9.0 of JUNOS software for EX-series
switches.
■ Hardware on page 3
■ Layer 2 Protocols on page 4
■ Layer 3 Protocols on page 5
■ Access Control and Port Security on page 5
■ Firewall Filters on page 6
■ CoS on page 6
■ Port Mirroring on page 6
■ High Availability on page 6
■ Management and RMON on page 6
■ Related Topics on page 7
Hardware
■ EX 3200 series switches—Fixed-configuration switches with either 24 or 48
10/100/1000Base-T ports, and with partial or full Power over Ethernet (PoE).
Options include 10-Gigabit Ethernet uplink modules and field-replaceable AC
power supply and fan blower.
Software Overview ■ 3
■ EX 4200 series switches—Virtual chassis switches with either 24 or 48

10/100/1000Base-T ports or 24 100Base-FX/1000Base-X SFP fiber ports, with
partial or full Power over Ethernet (PoE). Using virtual chassis technology, up to
10 switches can be aggregated to create a single 128-Gbps virtual interconnect
system supporting up to 480 10/100/1000Base-T ports plus 20 10-Gigabit Ethernet
ports.
For virtual chassis systems, you can create a preprovisioned configuration file.
Preprovisioning allows you to control the member identifier and the role assigned
to the member switches by associating both attributes with the member switch's
serial number.
Layer 2 Protocols
■ Bridging and VLANs—All EX-series switches support virtual LANs as defined in
the IEEE 802.1Q standard. Support includes per-port tagging, VLAN trunking,
MAC-based VLANs, traffic class expediting, and dynamic multicast filtering as
defined in the IEEE 802.1p standard. Up to 4096 VLANs can be created on an
EX 3200 or EX 4200 series switch. Bridging includes support for MAC address
filtering, configuring MAC address aging, assigning static MAC addresses to
interfaces, and per-VLAN MAC learning.
■ GVRP—The GARP VLAN Registration Protocol is an application protocol of the
Generic Attribute Registration Protocol (GARP) that is defined in the IEEE 802.1Q
standard. GVRP dynamically maintains and updates VLAN information for
switches on the network. Switches that support GVRP receive VLAN registration
information from each other and use this information to dynamically update the
local VLAN registration information.
NOTE: Please contact Juniper Networks customer support before implementing GVRP
on EX-series switches.
■ LACP and link aggregation—The Link Aggregation Control Protocol, defined in

IEEE 802.3ad, bundles physical Ethernet ports belonging to different member
switches in a virtual chassis configuration to form a single logical point-to-point
link known as a link aggregation group (LAG).
■ Redundant trunk group—When a trunk port goes down, traffic is routed to
another trunk port, keeping network convergence time to a minimum.
■ Routed VLAN Interfaces (RVI)—Enable switches to recognize which packets
are being sent to local addresses so that the switches will bridge whenever
possible and route only when needed.
■ Spanning trees—Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol
(RSTP), and Multiple Spanning Tree Protocol (MSTP) provide Layer 2 loop
prevention. STP is defined in IEEE 802.1D-2004. RSTP (defined in 802.1w) and
MSTP (defined in 802.1s) are both based upon STP. RSTP provides faster
convergence times than STP. MSTP is used to create a loop-free topology in
networks with a number of VLANs that require multiple spanning-tree regions
to efficiently provide a loop-free topology.
4 ■ Layer 2 Protocols
Chapter 1: Product Overview
Layer 3 Protocols
■ BFD—The Bidirectional Forwarding Detection Protocol is used to detect faults
between two forwarding points on the network.
■ BGP—The Border Gateway Protocol is an exterior gateway protocol (EGP) for
routing traffic between autonomous systems (ASs).
■ IS-IS—The Intermediate System–to–Intermediate System protocol is an interior
gateway protocol (IGP) for routing traffic within an AS.
■ OSPF—The IPv4 Open Shortest Path First protocol is an IGP for routing traffic
within an AS. EX-series switches support OSPFv1 and OSPFv2.
■ PIM—Protocol Independent Multicast (PIM) routes to multicast groups that span
wide-area and interdomain internetworks. EX-series switches support PIM sparse
mode (PIM-SM).
■ RIP—The IPv4 Routing Information Protocol is an IGP for routing traffic within
an AS. EX-series switches support RIPv2.
■ Routing policy—Controls routing information between routing protocols and
routing tables and between routing tables and the forwarding table.
■ Static routes—Static routes can be created on EX-series switches.
■ VRRP—Virtual Router Redundancy Protocol, as defined in RFC 3768, allows
hosts on a LAN to make use of redundant routing platforms on that LAN without
requiring more than the static configuration of a single default route on the hosts.
Access Control and Port Security

■ 802.1X—Provides port-based network access control (PNAC) as defined in the
IEEE 802.1X standard. EX-series switches support port-based 802.1X, with
multiple supplicants, VLAN assignment, authentication bypass access, VoIP
VLANs, authentication bypass based on the host MAC address, and dynamic
firewall filters based on RADIUS information.
■ LLDP and LLDP-MED—EX-series switches use Link Layer Discovery Protocol
(LLDP) and Link Layer Discovery Protocol/Media Endpoint Discovery (LLDP-MED)
to learn and distribute device information on network links. The information
allows the switch to quickly identify a variety of devices, including IP telephones,
resulting in a LAN that interoperates smoothly and efficiently.
■ Port security—Protects the switch's access ports against denial of service (DoS)
and other attacks on network devices. EX-series switches support DHCP snooping,
dynamic ARP inspection (DAI), MAC limiting, MAC move limiting, and trusted
DHCP servers.
Layer 3 Protocols ■ 5
Firewall Filters
■ Firewall filters—Provide rules that define whether to permit or deny packets
that are transiting an interface on a switch from a source address to a destination
address. You configure and apply firewall filters to determine whether to permit
or deny traffic before it enters or exits a port, VLAN, or router interface to which
the firewall filter is applied.
CoS
■ Layer 2 and Layer 3 Class of Service—Support includes classification, rewriting,
queuing, single-rate two-color policers (on ingress), and strict priority queuing
(on egress). Eight egress queues are available per port. These queues are useful
for networks that are converging data, voice, video, building or campus security,
and other services into a single network.
You can configure policers to discard packets that exceed the rate limits. To
configure CoS parameters such as loss-priority and forwarding-class, you must
use firewall filters.
Port Mirroring
■ Port mirroring—Facilitates analysis of traffic on a packet level. You can use it
to enforce network usage and peer-to-peer file-sharing policies and to identify
sources of problems on the network by locating abnormal or heavy bandwidth
usage by stations or applications.
High Availability
■ Graceful protocol restart—JUNOS software, which is modular by design, supports
restartable protocol processes.
■ Graceful Routing Engine Switchover (GRES) for Layer 3 protocols—Maintains
routing tables in case of a switch over from the master to the backup Routing
Engine.
NOTE: Please contact Juniper Networks customer support before implementing GRES
on EX-series switches.
Management and RMON

■ J-Web—The J-Web graphical user interface (GUI) allows you to configure and
monitor EX-series switches.
■ CLI—The JUNOS command-line interface allows you to configure and monitor
EX-series switches through the switch console, Telnet, SSH, or the J-Web CLI
6 ■ Firewall Filters
terminal. The CLI provides role-based management and access control to the
switch.
■ Configuration management—Features include rollback of configuration and
software images.
■ SNMP—EX-series switches support the Simple Network Management Protocol
versions 1, 2, and 3.
■ RMON history—EX-series switches support the RMON history group.
Related Topics
■ Outstanding and Resolved Issues in JUNOS 9.0 for EX-series Switches
Security Features for EX-series Switches Overview

JUNOS software is a network operating system that has been hardened through the
separation of control forwarding and services planes, with each function running in
protected memory. The control-plane CPU is protected by rate limiting, routing policy,
and firewall filters to ensure switch uptime even under severe attack. In addition,
the switches fully integrate with the Juniper Network Unified Access Control (UAC)
product to provide both standards-based 802.1X port-level access and Layer 2 through
Layer 4 policy enforcement based on user identity. Access port security features such
as dynamic ARP inspection, DHCP snooping, and MAC limiting are controlled through
a single JUNOS CLI command.
EX-series switches provide the following hardware and software security features:
Console Port—Allows use of the console port to connect to the Routing Engine
through an RJ-45 cable. You then use the command-line interface (CLI) to configure
the switch. You can disable the console port.
Out-of-Band Management—A dedicated management Ethernet port on the rear

panel allows out-of-band management.
Software Images—All JUNOS software images are signed by Juniper Networks

certificate authority (CA) with public key infrastructure (PKI).
User Authentication, Authorization, and Accounting (AAA)—Features include:

■ User and group accounts with password encryption and authentication.
■ Access privilege levels configurable for login classes and user templates.
■ RADIUS authentication, TACACS+ authentication, or both, for authenticating
users who attempt to access the switch.
■ Auditing of configuration changes through system logging or RADIUS/TACACS+.
IP Security (IPSec) Architecture—Provides a security suite for the network layer.

IPSec functionality includes origin authentication, data integrity, confidentiality,
replay protection, and nonrepudiation of source. IPSec also defines mechanisms for
key generation and exchange, management of security associations, and support
for digital certificates, and it supports secure communication across Routing Engines.
Related Topics ■ 7
802.1X Authentication—Provides network access control. Supplicants (hosts) are

authenticated when they initially connect to a LAN. Authenticating supplicants before
they receive an IP address from a DHCP server prevents unauthorized supplicants
from gaining access to the LAN. EX-series switches support Extensible Authentication
Protocol (EAP) methods, including EAP-MD5, EAP-TLS, EAP-TTLS, and EAP-PEAP.
Port Security—Access port security features include:

■ DHCP snooping—Filters and blocks ingress DHCP server messages on untrusted
ports; builds and maintains an IP-address/MAC-address binding database (called
the DHCP snooping database).
■ Dynamic ARP inspection (DAI)—Prevents ARP spoofing attacks. ARP requests
and replies are compared against entries in the DHCP snooping database, and
filtering decisions are made based on the results of those comparisons.
■ MAC limiting—Protects against flooding of the Ethernet switching table.
■ MAC move limiting—Detects MAC movement and MAC spoofing on access ports.
Prevents hosts whose MAC addresses have not been learned by the switch from
accessing the network.
■ Trusted DHCP server—With a DHCP server on a trusted port, protects against
rogue DHCP servers sending leases.
Firewall Filters—Allows auditing of various types of security violations, including

attempts to access the switch from unauthorized locations. Firewall filters can detect
such attempts and create audit log entries when they occur. The filters can also
restrict access by limiting traffic to source and destination MAC addresses, specific
protocols, or, in combination with policers, to specified data rates to prevent denial
of service (DoS) attacks
Policers—Providse rate-limiting capability to control the amount of traffic that enters

an interface, which acts to counter DoS attacks.
Encryption Standards—Supported standards include:

■ 128-, 192-, and 256-bit Advanced Encryption Standard (AES)
■ 56-bit Data Encryption Standard (DES) and 168-bit 3DES
Related Topics
■ 802.1X EX-series Switches Overview

■ Firewall Filters for EX-series Switches Overview
■ Port Security with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting
for EX-series Switches Overview
■ Understanding the Use of Policers in Firewall Filters
8 ■ Related Topics
High Availability Features for EX-series Switches Overview

High availability refers to the hardware and software components that provide
redundancy and reliability for packet-based communications. This topic covers the
following high availability features of EX-series switches:
■ VRRP on page 9
■ Graceful Protocol Restart on page 11
■ EX 4200 Redundant Routing Engines on page 11
■ EX 4200 GRES on page 12
■ Link Aggregation on page 12
■ Additional High Availability Features of EX-series Switches on page 12
VRRP
For Gigabit Ethernet interfaces, 10-Gigabit Ethernet interfaces, and logical interfaces
on EX-series switches, you can configure the Virtual Router Redundancy Protocol
(VRRP). The switches act as virtual routing platforms. VRRP enables hosts on a LAN
to make use of redundant routing platforms on that LAN without requiring more than
the static configuration of a single default route on the hosts. The VRRP routing
platforms share the IP address corresponding to the default route configured on the
hosts. At any time, one of the VRRP routing platforms is the master (active) and the
others are backups. If the master routing platform fails, one of the backup routing
platforms becomes the new master, providing a virtual default routing platform and
enabling traffic on the LAN to be routed without relying on a single routing platform.
Using VRRP, a backup EX-series switch can take over a failed default switch within
few seconds. This is done with minimum VRRP traffic and without any interaction
with the hosts.
NOTE: The VRRP master and backup routing platforms should not be confused with
the master and backup member switches of a virtual chassis. The master and backup
members of a virtual chassis compose a single host. In a VRRP topology, one host
operates as a master routing platform and another host operates as a backup routing
platform, as shown in Figure 2 on page 10.
Switches running VRRP dynamically elect master and backup routing platforms. You
can also force assignment of master and backup routing platforms using priorities
from 1 through 255, with 255 being the highest priority. In VRRP operation, the
default master routing platform sends advertisements to backup routing platforms
at regular intervals. The default interval is 1 second. If a backup routing platform
does not receive an advertisement for a set period, the backup routing platform with
the next highest priority takes over as master and begins forwarding packets.
Figure 1 on page 10 illustrates a basic VRRP topology with EX-series switches. In

this example, Switches A, B, and C are running VRRP and together they make up a
virtual routing platform. The IP address of this virtual routing platform is 10.10.0.1
(the same address as the physical interface of Switch A).
High Availability Features for EX-series Switches Overview ■ 9

Figure 1: Basic VRRP on EX-series Switches
Figure 2 on page 10 illustrates a basic VRRP topology using virtual chassis

configurations. Switch A, Switch B, and Switch C are each composed of multiple
interconnected EX 4200 switches. Each virtual chassis configuration operates as a
single switch, which is running VRRP, and together they make up a virtual routing
platform. The IP address of this virtual routing platform is 10.10.0.1 (the same address
as the physical interface of Switch A).
Figure 2: VRRP on EX 4200 Virtual Chassis Switches
Because the virtual routing platform uses the IP address of the physical interface of
Switch A, Switch A is the master VRRP routing platform, while switches B and C
function as backup VRRP routing platforms. Clients 1 through 3 are configured with
the default gateway IP address of 10.10.0.1. As the master router, Switch A forwards
packets sent to its IP address. If the master virtual routing platform fails, the switch
configured with the higher priority becomes the master virtual routing platform and
10 ■ VRRP
provides uninterrupted service for the LAN hosts. When Switch A recovers, it becomes
the master virtual routing platform again.
VRRP is defined in RFC 3768, Virtual Router Redundancy Protocol.
Graceful Protocol Restart

With standard implementations of routing protocols, any service interruption requires
an affected switch to recalculate adjacencies with neighboring switches, restore
routing table entries, and update other protocol-specific information. An unprotected
restart of a switch can result in forwarding delays, route flapping, wait times stemming
from protocol reconvergence, and even dropped packets. Graceful protocol restart
allows a restarting switch and its neighbors to continue forwarding packets without
disrupting network performance. Because neighboring switches assist in the restart
(these neighbors are called helper switches), the restarting switch can quickly resume
full operation without recalculating algorithms from scratch.
On EX-series switches, graceful protocol restart can be applied to aggregate and static
routes and for routing protocols (BGP, IS-IS, OSPF and RIP).
Graceful protocol restart works similarly for the different routing protocols. The main
benefits of graceful protocol restart are uninterrupted packet forwarding and
temporary suppression of all routing protocol updates. Graceful protocol restart thus
allows a switch to pass through intermediate convergence states that are hidden
from the rest of the network. Most graceful restart implementations define two types
of switches—the restarting switch and the helper switch. The restarting switch requires
rapid restoration of forwarding state information so it can resume the forwarding of
network traffic. The helper switch assists the restarting switch in this process.
Individual graceful restart configuration statements typically apply to either the
restarting switch or the helper switch.
EX 4200 Redundant Routing Engines

Two to ten EX 4200 switches can be interconnected to create a virtual chassis
configuration that operates as a single network entity. Every virtual chassis with two
or more members has a master and a backup. The master acts as the master Routing
Engine and the backup acts as the backup Routing Engine. The Routing Engine
provides the following functionality:
■ Runs various routing protocols
■ Provides the forwarding table to the Packet Forwarding Engines (PFEs) in all the
member switches of the virtual chassis
■ Runs other management and control processes for the entire virtual chassis
The master Routing Engine, which is in the master of the virtual chassis, runs JUNOS
software in the master role. It receives and transmits routing information, builds and
maintains routing tables, communicates with interfaces and Packet Forwarding
Engine components of the member switches, and has full control over the virtual
chassis.
Graceful Protocol Restart ■ 11

The backup Routing Engine, which is in the backup of the virtual chassis, runs JUNOS
software in a backup role. It stays in sync with the master Routing Engine in terms
of protocol states, forwarding tables, and so forth. If the master becomes unavailable,
the backup Routing Engine takes over the functions that the master Routing Engine
performs.
EX 4200 GRES
With EX 4200 virtual chassis configurations containing a master and backup, you
can configure GRES. Graceful Routing Engine switchover allows a virtual chassis to
switch from the master Routing Engine in the master to the backup Routing Engine
in the backup with minimal interruption to network communications. When you
configure graceful Routing Engine switchover, the backup Routing Engine
automatically synchronizes with the master Routing Engine to preserve kernel state
information and forwarding state. Any updates to the master Routing Engine are
replicated to the backup Routing Engine as soon as they occur. If the kernel on the
master Routing Engine stops operating, the master Routing Engine experiences a
hardware failure, or the administrator initiates a manual switchover, mastership
switches to the backup Routing Engine.
When the backup Routing Engine assumes mastership in a redundant failover

configuration (when graceful Routing Engine switchover is not enabled), the Packet
Forwarding Engines initialize their state to boot up state before they connect to the
new master Routing Engine. In contrast, in a graceful switchover configuration, the
Packet Forwarding Engines do not reinitialize their state, but instead resynchronize
their state with the new master Routing Engine. The interruption to the traffic is
minimal.
Link Aggregation
You can combine multiple physical Ethernet ports to form a logical point-to-point
link, known as a link aggregation group (LAG) or bundle. A LAG provides more
bandwidth than a single Ethernet link can provide. Additionally, link aggregation
provides network redundancy by load-balancing traffic across all available links. If
one of the links should fail, the system automatically load-balances traffic across all
remaining links.
You can select up to eight Ethernet interfaces and include them within a link
aggregation group. In an EX 4200 virtual chassis configuration composed of multiple
members, the interfaces that compose a LAG can be on different members of the
virtual chassis. See Understanding Virtual Chassis and Link Aggregation.
Additional High Availability Features of EX-series Switches

To ensure continuous operation, all EX-series switches use field-replaceable power
supply units, fan trays, and uplink modules. EX 4200 switches include options for
external power-supply redundancy.
The EX 3200 switches support a single field-replaceable power supply unit, a

field-replaceable fan tray, and a field-replaceable uplink module.
12 ■ EX 4200 GRES
The EX 4200 switches support two dedicated virtual chassis ports (VCPs) on the rear
panel, two internal load-sharing redundant hot-swappable power supplies,
field-replaceable fan trays with redundant blowers, and field-replaceable uplink
modules.
Notification of hardware issues is provided through system log messages and alarms.
Related Topics
■ JUNOS Software High Availability Configuration Guide at

http://www.juniper.net/techpubs/software/junos/junos90/index.html
■ Virtual Chassis Overview

■ Understanding Virtual Chassis Components
■ Understanding Virtual Chassis and Link Aggregation
Understanding Software Infrastructure and Processes

Each switch runs the JUNOS software for EX-series switches on its general-purpose
processors. JUNOS software includes processes for Internet Protocol (IP) routing and
for managing interfaces, networks, and the chassis.
The JUNOS software runs on the Routing Engine. The Routing Engine kernel
coordinates communication among the JUNOS software processes and provides a
link to the Packet Forwarding Engine.
With the J-Web interface and the command-line interface (CLI) to the JUNOS software,
you configure switching features and routing protocols and set the properties of
network interfaces on your switch. After activating a software configuration, use
either the J-Web or CLI user interface to monitor the switch, manage operations, and
diagnose protocol and network connectivity problems.
■ Routing Engine and Packet Forwarding Engine on page 13
■ JUNOS Software Processes on page 14
Routing Engine and Packet Forwarding Engine

A switch has two primary software processing components:
■ Packet Forwarding Engine—Processes packets; applies filters, routing policies,
and other features; and forwards packets to the next hop along the route to their
final destination.
■ Routing Engine—Provides three main functions:
■ Creates the packet forwarding switch fabric for the switch, providing route
lookup, filtering, and switching on incoming data packets, then directing
outbound packets to the appropriate interface for transmission to the network
■ Maintains the routing tables used by the switch and controls the routing
protocols that run on the switch.
■ Provides control and monitoring functions for the switch, including controlling
power and monitoring system status.
JUNOS Software Processes

The JUNOS software running on the Routing Engine and Packet Forwarding Engine
consists of multiple processes that are responsible for individual functions.
The separation of functions provides operational stability, because each process

accesses its own protected memory space. In addition, because each process is a
separate software package, you can selectively upgrade all or part of the JUNOS
software, for added flexibility.
Table 1 on page 14 describes the primary JUNOS software processes.
Table 1: JUNOS Software Processes
Process Name Description
Chassis process chassisd Detects hardware on the system that is used to configure network interfaces.
Monitors the physical status of hardware components and field-replaceable units

(FRUs), detecting when environment sensors such as temperature sensors are triggered.
Relays signals and interrupts—for example, when devices are taken offline, so that
the system can close sessions and shut down gracefully.
Ethernet eswd Handles Layer 2 switching functionality such as MAC address learning, Spanning Tree
switching protocol and access port security. The process is also responsible for managing Ethernet
process switching interfaces, VLANs, and VLAN interfaces.
Manages Ethernet switching interfaces, VLANs, and VLAN interfaces.
Forwarding pfem Defines how routing protocols operate on the switch. The overall performance of the
process switch is largely determined by the effectiveness of the forwarding process.
Interface dcd Configures and monitors network interfaces by defining physical characteristics such
process as link encapsulation, hold times, and keepalive timers.
Management mgd Provides communication between the other processes and an interface to the
process configuration database.
Populates the configuration database with configuration information and retrieves the
information when queried by other processes to ensure that the system operates as
configured.
Interacts with the other processes when commands are issued through one of the user
interfaces on the switch.
If a process terminates or fails to start when called, the management process attempts
to restart it a limited number of times to prevent thrashing and logs any failure
information for further investigation.
Routing protocol rpd Defines how routing protocols such as RIP, OSPF, and BGP operate on the device,
process including selecting routes and maintaining forwarding tables.
14 ■ JUNOS Software Processes

Related Topics
■ For more information about processes, see the JUNOS Network Operations Guide
at http://www.juniper.net/techpubs/software/junos/junos90/index.html.
■ For more information about basic system parameters, supported protocols, and
software processes, see JUNOS System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html.
Supported Hardware
■ EX-series Switch Hardware Overview on page 15
■ EX 3200 Switch Models on page 17
■ EX 4200 Switch Models on page 18
EX-series Switch Hardware Overview

EX-series switches provide scalable connectivity for the enterprise market, including
branch offices, campus locations, and data centers. The switches run under the
JUNOS software, which provides Layer 2 and Layer 3 switching, routing, and security
services. The same JUNOS code base that runs on EX-series switches also runs on
all Juniper Networks J-series, M-series, MX-series, and T-series routing platforms.
■ EX-series Switch Types on page 15
■ EX 3200 Switches on page 16
■ EX 4200 Switches on page 16
■ Uplink Modules on page 17
■ Power over Ethernet (PoE) Ports on page 17
EX-series Switch Types

EX-series switches are available in two product lines:
■ EX 3200 switches—Typically, you deploy these switches in branch environments
or wiring closets.
■ EX 4200 switches—You can interconnect EX 4200 switches to form a virtual
chassis that operates as a single network entity. You can deploy these switches
wherever you need a high density of Gigabit Ethernet ports (24 to 480 ports),
redundancy, or the ability to span a single switch across several wiring closets.
Typically, EX 4200 switches are used in large branch offices, campus wiring
closets, and top-of-rack locations in a data center.
Both lines have these features:
■ Run under JUNOS software for EX-series switches

■ Have options of 24-port and 48-port models
■ Have options of full (all ports) or partial (8 ports) Power over Ethernet (PoE)
capability
■ Have optional uplink modules that provide connection to distribution switches
EX 3200 Switches
EX 3200 switches provide connectivity for low-density environments. Typically, you
deploy these switches in branch environments or wiring closets where only one
switch is required.
EX 3200 switches are available in models with either 24 or 48 ports and with either
all ports equipped for Power over Ethernet (PoE) or only 8 ports equipped for PoE.
All ports have 10/100/1000 Base-T Gigabit Ethernet connectors.
EX 3200 switches include:

■ A field-replaceable power supply and an optional additional connection to an
external power source.
■ A field-replaceable fan tray with single fan.
■ JUNOS software with its modular design that enables failed system processes to
gracefully restart.
EX 4200 Switches
EX 4200 switches provide connectivity for medium- and high-density environments
and scalability for growing networks. These switches can be deployed wherever you
need a high density of Gigabit Ethernet ports (24 to 480 ports) or redundancy.
Typically, EX 4200 switches are used in large branch offices, campus wiring closets,
and data centers where they can be positioned as the top device in a rack to provide
connectivity for all the devices in the rack.
You can connect individual EX 4200 switches together to form one unit and manage
the unit as a single chassis, called a virtual chassis. You can add more member
switches to the virtual chassis as needed, up to a total of 10 members.
EX 4200 switches are available in models with 24 or 48 ports and with either all
ports equipped for Power over Ethernet (PoE) or only 8 ports equipped for PoE. All
models provide ports that have 10/100/1000 Base-T Gigabit Ethernet connectors and
optional small form-factor pluggable (SFP) transceivers or 10-gigabit small form-factor
pluggable (XFP) transceivers for use with fiber connections.
Additionally, a 24-port model provides 100 Base-FX/1000 Base-X SFP transceivers.

This model is typically used as a small distribution switch.
All EX 4200 switches have dedicated 64-Gbps virtual chassis ports that allow you to
connect the switches to each other. You can also use optional 10-Gbps uplink ports
to connect members of a virtual chassis across multiple wiring closets.
16 ■ EX 3200 Switches
To provide carrier-class reliability, virtual chassis EX-series switches include:

■ Dual redundant power supplies that are field-replaceable and hot-swappable. An
optional additional connection to an external power source is also available.
■ A field-replaceable fan tray with three fans. The switch remains operational if a
single fan fails.
■ Redundant Routing Engines in a virtual chassis enable Graceful Routing Engine
Switchover (GRES) and nonstop routing.
■ JUNOS software with its modular design that enables failed system processes to
gracefully restart.
Uplink Modules
Optional uplink modules are available for all EX 3200 and EX 4200 models. Uplink
modules provide either two 10-Gigabit Ethernet small form-factor pluggable (XFP)
transceivers or four 1-gigabit small form-factor pluggable (SFP) transceivers. You can
use XFP ports to connect an access switch to a distribution switch, or to interconnect
member switches of a virtual chassis across multiple wiring closets.
NOTE: If you install an SFP uplink module (4-port uplink module) in an EX 3200
switch, the last four network ports are disabled. These ports are not listed in the
output of show interface commands.
Power over Ethernet (PoE) Ports

PoE ports provide electrical current to devices through the network cables so that
separate power cords for devices such as IP phones, wireless access points, and
security cameras are unnecessary. Both the EX 3200 and EX 4200 switch lines have
options of full (all 24 or 48 ports) or partial (8 ports) PoE capability.
Full PoE models are primarily used in IP telephony environments. Partial PoE models
are used in environments where, for example, only a few ports for wireless access
points or security cameras are required.
Related Topics
■ EX 3200 Switch Models

■ Field-Replaceable Units in EX-series Switches
■ Site Preparation Checklist for EX-series Switches
EX 3200 Switch Models

Table 2 on page 18 lists the EX 3200 switch models. The EX 3200 switch is available
with 24 or 48 ports with partial or full Power over Ethernet (PoE) capability.
Uplink Modules ■ 17
Table 2: EX 3200 Switch Models
Model Typical Deployment Access Ports PoE Power Supply

(Minimum)
EX 3200-24T Access or Distribution 24 Gigabit Ethernet First 8 ports 320 W
switch
EX 3200-24P Access switch 24 Gigabit Ethernet All 24 ports 320 W
EX 3200-48T Access or Distribution 48 Gigabit Ethernet First 8 ports 600 W

switch
EX 3200-48P Access switch 48 Gigabit Ethernet All 48 ports 930 W
Related Topics
■ EX-series Switch Hardware Overview

■ EX 3200 Switch—Front-Panel Description
■ EX 3200 Switch—Rear-Panel Description
EX 4200 Switch Models

Table 3 on page 18 lists the EX 4200 switch models. The EX 4200 switch is available
with 24 or 48 ports and with partial or full PoE capability.
Table 3: EX 4200 Switch Models
Model Ports Number of PoE-enabled Ports Power Supply

(Minimum)
EX 4200-24T 24 Gigabit Ethernet First 8 ports 320 W
EX 4200-24P 24 Gigabit Ethernet All 24 ports 320 W
EX 4200-48T 48 Gigabit Ethernet First 8 ports 600 W
EX 4200-48P 48 Gigabit Ethernet All 48 ports 930 W
EX 4200-24F 24 small form-factor pluggable Not applicable 320 W

(SFP) transceivers
Related Topics

Part 2
Complete Software Configuration
Statement Hierarchy and Operational
Mode Commands
■ Complete Software Configuration Statement Hierarchy on page 23
Complete Software Configuration Statement Hierarchy and Operational Mode Commands ■ 21

22 ■ Complete Software Configuration Statement Hierarchy and Operational Mode Commands

Chapter 2
Complete Software Configuration
Statement Hierarchy
■ [edit access] Configuration Statement Hierarchy on page 23

■ [edit chassis] Configuration Statement Hierarchy on page 24
■ [edit class-of-service] Configuration Statement Hierarchy on page 24
■ [edit ethernet-switching-options] Configuration Statement Hierarchy on page 25
■ [edit firewall] Configuration Statement Hierarchy on page 26
■ [edit interfaces] Configuration Statement Hierarchy on page 27
■ [edit poe] Configuration Statement Hierarchy on page 28
■ [edit protocols] Configuration Statement Hierarchy on page 29
■ [edit snmp] Configuration Statement Hierarchy on page 32
■ [edit virtual-chassis] Configuration Statement Hierarchy on page 32
■ [edit vlans] Configuration Statement Hierarchy on page 32
[edit access] Configuration Statement Hierarchy
access {
profile profile-name {
accounting {
order [ radius | none ];
stop-on-access-deny;
stop-on-f;
}
authentication-order [ authentication-method ];
radius {
accounting-server [ server-address ];
authentication-server [ server-address ];
}
}
}
[edit access] Configuration Statement Hierarchy ■ 23

Related Topics
[edit chassis] Configuration Statement Hierarchy
chassis {
aggregated-devices {
ethernet {
device-count number;
}
}
}
Related Topics
■ JUNOS Software Hierarchy and RFC Reference at
[edit class-of-service] Configuration Statement Hierarchy
class-of-service {
classifiers {
(dscp | ieee-802.1 | inet-precedence) classifier-name {
import (classifier-name | default);
forwarding-class class-name {
loss-priority loss-priority {
code-points [ aliases ] [ 6 bit-patterns ];
}
}
}
}
code-point-aliases {
(dscp | ieee-802.1 | inet-precedence) {
alias-name bits;
}
}
forwarding-classes {
class class-name queue-num queue-number;
}
interfaces {
interface-name {
scheduler-map map-name;
unit logical-unit-number {
forwarding-class class-name;
classifiers {
(dscp | ieee-802.1 | inet-precedence) (classifier-name | default);
}
}
Chapter 2: Complete Software Configuration Statement Hierarchy
}
}
rewrite-rules {
(dscp | ieee-802.1 | inet-precedence) rewrite-name {
import (rewrite-name | default);
loss-priority loss-priority code-point (alias | bits);
}
}
}
scheduler-maps {
map-name {
forwarding-class class-name scheduler scheduler-name;
}
}
schedulers {
scheduler-name {
buffer-size (percent percentage | remainder);
drop-profile-map loss-priority loss-priority protocol protocol drop-profile
profile-name;
priority priority;
transmit-rate (rate | percent percentage | remainder);
}
}
}
Related Topics
■ Example: Configuring CoS on EX-series Switches
■ Configuring CoS Code-Point Aliases (CLI Procedure) or Defining CoS Value Aliases
(J-Web Procedure)
■ Configuring CoS Classifiers (CLI Procedure) or Defining Classifiers (J-Web
Procedure)
■ Configuring CoS Forwarding Classes (CLI Procedure) or Defining Forwarding
Classes (J-Web Procedure)
■ Configuring CoS Tail Drop Profiles (CLI Procedure)
■ Configuring CoS Schedulers (CLI Procedure) or Defining Schedulers (J-Web
Procedure)
■ Configuring CoS Rewrite Rules (CLI Procedure) or Defining Rewrite Rules (J-Web
Procedure)
■ Assigning CoS Components to Interfaces (CLI Procedure) or Assigning CoS
Components to Interfaces (J-Web Procedure)
[edit ethernet-switching-options] Configuration Statement Hierarchy
ethernet-switching-options {
analyzer {
name {
loss-priority priority;
ratio number;
input {
ingress {
interface (all | interface-name);
vlan (vlan-id | vlan-name);
}
egress {
}
output {
interface interface-name;
}
}
}
redundant-trunk-group {
group-name name {
interface interface-name <primary>;
}
}
secure-access-port {
interface (all | interface-name) {
allowed-mac {
mac-address-list;
}
(dhcp-trusted | no-dhcp-trusted);
mac-limit action;
}
vlan (all | vlan-name) {
(arp-inspection | no-arp-inspection);
(examine-dhcp | no-examine-dhcp);
mac-move-limit action;
}
}
}
Related Topics
■ Port Mirroring on EX-series Switches Overview
■ Understanding Redundant Trunk Links on EX-series Switches
[edit firewall] Configuration Statement Hierarchy
firewall {
family family-name {
filter filter-name {
term term-name {
from {
match-conditions;
}
then {
action;
action-modifiers;
}
}
}
}
policer policer-name {
if-exceeding {
bandwidth-limit bps;
burst-size-limit bytes;
}
then {
policer-action;
}
}
}
Related Topics
■ Firewall Filter Match Conditions and Actions for EX-series Switches
■ Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on
EX-series Switches
■ Configuring Firewall Filters (CLI Procedure)
■ Configuring Policers to Control Traffic Rates (CLI Procedure)
[edit interfaces] Configuration Statement Hierarchy
interfaces {
ae-x {
aggregated-ether-options {
lacp mode {
periodic interval;
}
}
}
interface-name {
description text;
mtu bytes;
ether-options {
802.3ad aex;
auto-negotiation;
flow-control;
link-mode mode;
speed (speed | auto-negotiation | no-autonegotiation);
}
family ethernet-switching {
filter input filter-name;
filter output filter-name;
l3-interface interface-name-logical-unit-number;
native-vlan-id vlan-id
port-mode mode;
vlan {
members [ (names | vlan-ids) ];
translate vlan-id1 vlan-id2;
}
}
}
}
}
Related Topics
■ EX-series Switches Interfaces Overview
■ Configuring Gigabit Ethernet Interfaces on EX-series Switches (CLI Procedure)
[edit poe] Configuration Statement Hierarchy
poe {
guard-band watts;
disable;
maximum-power watts;
priority value;
telemetries {
disable;
duration hours;
interval minutes;
}
}
management type;
}
Related Topics
■ PoE and EX-series Switches Overview
■ Configuring PoE on an EX-series Switch (CLI Procedure)
[edit protocols] Configuration Statement Hierarchy

protocols {
dot1x {
authenticator {
authenticator-profile-name access-profile-name;
static {
mac-address {
vlan-assignment (vlan-id |vlan-name );
}
}
disable;
guest-vlan (vlan-name | vlan-id);
maximum-requests seconds;
no-reauthentication;
quiet-period seconds;
reauthentication {
interval seconds;
}
retries number;
server-timeout seconds;
supplicant (single | single-secure | multiple);
supplicant-timeout seconds;
transmit-period seconds;
}
}
gvrp {
<enable | disable>;
interface (all | [interface-name]) {
disable;
}
join-timer millseconds;
leave-timer milliseconds;
leaveall-timer milliseconds;
}
igmp-snooping {
flood-group-list [ ip-addresses ];
forwarding-cache {
threshold {
reuse number;
suppress maximum-entries;
}
timeout minutes;
}
traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable>
<match regex>;
flag flag (detail | disable | receive | send);
}
vlan (vlan-id | vlan-number {
[edit protocols] Configuration Statement Hierarchy ■ 29

immediate-leave;
interface interface-name {
group-limit limit;
host-only-interface;
multicast-router-interface;
static {
group ip-address;
}
}
proxy-mode {
source-address ip-address;
}
query-interval seconds;
query-last-member-interval seconds;
query-response-interval seconds;
robust-count number;
}
}
lldp {
disable;
advertisement-interval seconds;
hold-multiplier number;
disable;
}
traceoptions {
<match regex>;
}
transmit-delay seconds;
}
lldp-med {
disable;
fast-start number;
disable;
location {
elin number;
civic-based {
what number;
country-code code;
ca-type {
number {
ca-value value;
}
}
}
}
}
}
mstp {
30 ■ [edit protocols] Configuration Statement Hierarchy

disable;
bridge-priority prioity;
forward-delay seconds;
hello-time seconds;
disable;
cost cost;
edge;
mode mode;
priority priority;
}
max-age seconds;
max-hops hops;
msti msti-id {
disable;
cost cost;
edge;
mode mode;
priority priority;
}
}
revision-level revision-level;
}
rstp {
disable;
hello-time seconds;
disable;
cost cost;
edge;
mode mode;
priority priority;
}
max-age seconds;
}
stp {
disable;
bridge-priority priority;
hello-time seconds;
disable;
cost cost;
edge;
mode mode;
priority priority;
}

max-age seconds;
}
}
[edit snmp] Configuration Statement Hierarchy
snmp {
rmon {
history index {
bucket-size number;
interval seconds;
owner owner-name;
}
}
}
[edit virtual-chassis] Configuration Statement Hierarchy
virtual-chassis {
mac-persistence-timer seconds;
pre-provisioned;
member member-id {
mastership-priority number;
no-management-vlan;
serial-number;
role;
}
traceoptions {
<match regex>;
flag flag ;
}
}
Related Topics
[edit vlans] Configuration Statement Hierarchy
vlans {
vlan-name {
bridging action;
description text-description;
l3-interface vlan.logical-interface-number;
mac-table-aging-time seconds;
32 ■ [edit snmp] Configuration Statement Hierarchy

vlan-id number;
}
}
Related Topics
■ Understanding Bridging and VLANs on EX-series Switches
Part 3
Software User Interfaces
■ Command-Line Interface on page 37
■ J-Web Graphical User Interface on page 43
Software User Interfaces ■ 35

36 ■ Software User Interfaces

Chapter 3
Command-Line Interface
■ CLI on page 37
■ CLI on page 39
CLI
■ CLI User Interface Overview on page 37
CLI User Interface Overview

You can use two interfaces to monitor, configure, troubleshoot, and manage an
EX-series switch: the J-Web graphical user interface and the JUNOS command-line
interface (CLI). Both of these user interfaces are shipped with the switch. This topic
describes the CLI. For information about the J-Web user interface, see [Unresolved
xref].
■ CLI Overview on page 37
■ CLI Help and Command Completion on page 38
■ CLI Command Modes on page 38
CLI Overview
JUNOS CLI is a Juniper Networks-specific command shell that runs on top of a
UNIX-based operating system kernel. The CLI provides command help and command
completion.
The CLI also provides a variety of UNIX utilities, such as Emacs-style keyboard
sequences that allow you to move around on a command line and scroll through
recently executed commands, regular expression matching to locate and replace
values and identifiers in a configuration, filter command output, or log file entries,
store and archive router files on a UNIX-based file system, and exit from the CLI
environment and create a UNIX C shell or Bourne shell to navigate the file system,
manage switch processes, and so on.
CLI ■ 37
CLI Help and Command Completion

To access CLI Help, type a question mark (?) at any level of the hierarchy. The system
displays a list of the available commands or statements and a short description of
each.
To complete a command, statement, or option that you have partially typed, press
the Tab key or the spacebar. If the partially typed letters uniquely identify a command,
the complete command name appears. Otherwise, a beep indicates that you have
entered an ambiguous command and the possible completions are displayed. This
completion feature also applies to other strings, such as filenames, interface names,
usernames, and configuration statements.
CLI Command Modes

The CLI has two modes, operational mode and configuration mode.
In operational mode, you enter commands to monitor and troubleshoot switch

hardware and software and network connectivity. Operational mode is indicated by
the > prompt—for example, user@switch>.
In configuration mode, you can define all properties of the JUNOS software, including
interfaces, VLANs, virtual chassis information, routing protocols, user access, and
several system hardware properties.
To enter configuration mode, enter the configure command—for example,

user@switch>configure .
Configuration mode is indicated by the # prompt, and includes the current location
in the configuration hierarchy—for example:
[edit interfaces ge-0/0/12]

user@switch#
In configuration mode, you are actually viewing and changing the candidate
configuration file. The candidate configuration allows you to make configuration
changes without causing operational changes to the current operating configuration,
called the active configuration. When you commit the changes you added to the
candidate configuration, the system updates the active configuration. Candidate
configurations enable you to alter your configuration without causing potential damage
to your current network operations.
To activate your configuration changes, enter the commit command.
To return to operational mode, go to the top of the configuration hierarchy and then
quit—for example:

user@switch# top
[edit]
user@switch# quit
38 ■ CLI Help and Command Completion

Chapter 3: Command-Line Interface
You can also activate your configuration changes and exit configuration mode with
a single command, commit and-quit.
Tip When you commit the candidate configuration, you can require an explicit
confirmation for the commit to become permanent by using the commit confirmed
command. This is useful for verifying that a configuration change works correctly
and does not prevent management access to the switch. After you issue the commit
confirmed command, you must issue another commit command within the defined
period of time (10 minutes by default) or the system reverts to the previous
configuration.
Related Topics
■ JUNOS CLI User Guide at

CLI
■ CLI User Interface Overview on page 39
CLI User Interface Overview

You can use two interfaces to monitor, configure, troubleshoot, and manage an
EX-series switch: the J-Web graphical user interface and the JUNOS command-line
interface (CLI). Both of these user interfaces are shipped with the switch. This topic
describes the CLI. For information about the J-Web user interface, see [Unresolved
xref].
■ CLI Overview on page 39
■ CLI Help and Command Completion on page 40
■ CLI Command Modes on page 40
CLI Overview
JUNOS CLI is a Juniper Networks-specific command shell that runs on top of a
UNIX-based operating system kernel. The CLI provides command help and command
completion.
The CLI also provides a variety of UNIX utilities, such as Emacs-style keyboard
sequences that allow you to move around on a command line and scroll through
recently executed commands, regular expression matching to locate and replace
values and identifiers in a configuration, filter command output, or log file entries,
store and archive router files on a UNIX-based file system, and exit from the CLI
environment and create a UNIX C shell or Bourne shell to navigate the file system,
manage switch processes, and so on.
CLI Help and Command Completion

To access CLI Help, type a question mark (?) at any level of the hierarchy. The system
displays a list of the available commands or statements and a short description of
each.
To complete a command, statement, or option that you have partially typed, press
the Tab key or the spacebar. If the partially typed letters uniquely identify a command,
the complete command name appears. Otherwise, a beep indicates that you have
entered an ambiguous command and the possible completions are displayed. This
completion feature also applies to other strings, such as filenames, interface names,
usernames, and configuration statements.
CLI Command Modes

The CLI has two modes, operational mode and configuration mode.
In operational mode, you enter commands to monitor and troubleshoot switch

hardware and software and network connectivity. Operational mode is indicated by
the > prompt—for example, user@switch>.
In configuration mode, you can define all properties of the JUNOS software, including
interfaces, VLANs, virtual chassis information, routing protocols, user access, and
several system hardware properties.
To enter configuration mode, enter the configure command—for example,

user@switch>configure .
Configuration mode is indicated by the # prompt, and includes the current location
in the configuration hierarchy—for example:

user@switch#
In configuration mode, you are actually viewing and changing the candidate
changes without causing operational changes to the current operating configuration,
called the active configuration. When you commit the changes you added to the
candidate configuration, the system updates the active configuration. Candidate
configurations enable you to alter your configuration without causing potential damage
to your current network operations.
To activate your configuration changes, enter the commit command.
To return to operational mode, go to the top of the configuration hierarchy and then
quit—for example:

user@switch# top
[edit]
user@switch# quit
40 ■ CLI Help and Command Completion

Chapter 3: Command-Line Interface
You can also activate your configuration changes and exit configuration mode with
a single command, commit and-quit.
Tip When you commit the candidate configuration, you can require an explicit
confirmation for the commit to become permanent by using the commit confirmed
command. This is useful for verifying that a configuration change works correctly
and does not prevent management access to the switch. After you issue the commit
confirmed command, you must issue another commit command within the defined
period of time (10 minutes by default) or the system reverts to the previous
configuration.
Related Topics
■ JUNOS CLI User Guide at

Chapter 4
J-Web Graphical User Interface
■ J-Web Interface on page 43
J-Web Interface
■ J-Web User Interface for EX-series Switches Overview on page 43
■ Using the CLI Viewer in the J-Web Interface to View Configuration Text on page 45
■ Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration
Text on page 45
■ Using the CLI Editor in the J-Web Interface to Edit Configuration Text on page 47
■ Using the CLI Terminal on page 48
■ Understanding J-Web Configuration Tools on page 48
■ Starting the J-Web Interface on page 50
■ Understanding J-Web User Interface Sessions on page 51
J-Web User Interface for EX-series Switches Overview

Use the J-Web user interface to configure, monitor, maintain and troubleshoot
EX-series switches. You can navigate the J-Web interface, scroll pages, and expand
and collapse elements as you do in a typical Web browser interface.
Use Internet Explorer version 6.0 and higher, or Firefox version 2.0 and higher to
access the J-Web interface.
NOTE: The browser and the network should support receiving and processing HTTP
1.1 GZIP compressed data.
Each page of the J-Web interface is divided into panes.

■ Top pane—Displays system identity information and links.
■ Main pane—Location where you monitor, configure, diagnose, and manage the
switching platform by entering information in text boxes, making selections,
and clicking buttons.
J-Web Interface ■ 43
■ Side pane—Displays suboptions of the Monitor, Configure, Diagnose, or Manage

task currently displayed in the main pane. Click a suboption to access it in the
main pane.
The layout of the panes allows you to quickly navigate through the interface.
Table 4 on page 44 summarizes the elements of the J-Web interface.
The J-Web interface provides a Point and Click editor for advanced configuration
options. You can also use the JUNOS CLI configuration mode as a configuration editor
to create and modify a complete configuration hierarchy.
Table 4: J-Web Interface
J-Web Interface Element Description
Top Pane
hostname Hostname of the switching platform.
Logged in as: username Username you used to log in to the switching platform.
Help Link to context-sensitive help information.
About Displays information about the J-Web interface, such as the version number.
Logout Ends your current login session with the switching platform and returns you to the
login page.
Taskbar Menu of J-Web main options. Click the tab to access the option.
■ Dashboard — displays a high-level, graphical view of the chassis and status of
the switch. It displays system health information, alarms, and system status.
■ Configure—Configure the switch, and view configuration history.
■ Monitor—View information about configuration and hardware on the switching
platform.
■ Maintain—Manage files and licenses, upgrade software, and reboot the switching
platform.
■ Troubleshoot — Run diagnostic tools to troubleshoot network issues.
Main Pane
Help (?) icon Displays useful information—such as the definition, format, and valid range of an
option—when you move the cursor over the question mark.
Red asterisk (*) Indicates a required field.
Icon legend (Applies to the Point & Click editor only) Explains icons that appear in the user
interface to provide information about configuration statements:
■ C—Comment. Move your cursor over the icon to view a comment about the
configuration statement.
■ I—Inactive. The configuration statement does not affect the switching platform.
■ M—Modified. The configuration statement has been added or modified.
■ *—Mandatory. The configuration statement must have a value.
Task Pane
44 ■ J-Web User Interface for EX-series Switches Overview

Chapter 4: J-Web Graphical User Interface
Table 4: J-Web Interface (continued)
J-Web Interface Element Description
Configuration hierarchy (Applies to the JUNOS CLI configuration editor only) Displays the hierarchy of
committed statements in the switching platform configuration.
■ Click Expand all to display the entire hierarchy.
■ Click Hide all to display only the statements at the top level.
■ Click plus signs (+) to expand individual items.
■ Click minus signs (-) to hide individual items.
Related Topics
■ CLI User Interface Overview

■ Connecting and Configuring the EX-series Switch (J-Web Procedure)
■ EX-series Switch Software Features Overview
Using the CLI Viewer in the J-Web Interface to View Configuration Text
To view the entire configuration file contents in text format, select Configure>CLI
Tools >CLI Viewer. The main pane displays the configuration in text format.
Each level in the hierarchy is indented to indicate each statement's relative position
in the hierarchy. Each level is generally set off with braces, with an open brace ({)
at the beginning of each hierarchy level and a closing brace (}) at the end. If the
statement at a hierarchy level is empty, the braces are not displayed. Each leaf
statement ends with a semicolon (;), as does the last statement in the hierarchy.
This indented representation is used when the configuration is displayed or saved

as an ASCII file. However, when you load an ASCII configuration file, the format of
the file is not so strict. The braces and semicolons are required, but the indention
and use of new lines are not required in ASCII configuration files.
Related Topics
■ Understanding J-Web Configuration Tools
Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration Text
To edit the configuration on a series of pages of clickable options that steps you
through the hierarchy, select Configure>CLI Tools>Point&Click CLI. The side pane
displays the top level of the configured hierarchy, and the main pane displays
configured hierarchy options and the Icon Legend.
To expand or hide the hierarchy of all the statements in the side pane, click Expand
all or Hide all. To expand or hide an individual statement in the hierarchy, click the
expand (+) or collapse (–) icon to the left of the statement.
Tip Only those statements included in the committed configuration are displayed in the
hierarchy.
The configuration information in the main pane consists of configuration options

that correspond to configuration statements. Configuration options that contain
subordinate statements are identified by the term Nested.
To include, edit, or delete statements in the candidate configuration, click one of the
links described in Table 5 on page 46. Then specify configuration information by
typing in a field, selecting a value from a list, or clicking a check box (toggle).
Table 5: J-Web Edit Point & Click Configuration Links
Link Function
Add new entry Displays fields and lists for a statement identifier, allowing you to add a new identifier to a
statement.
Configure Displays information for a configuration option that has not been configured, allowing you to
include a statement.
Delete Deletes the corresponding statement or identifier from the configuration. All subordinate statements
and identifiers contained within a deleted statement are also discarded.
Edit Displays information for a configuration option that has already been configured, allowing you to
edit a statement.
Identifier Displays fields and lists for an existing statement identifier, allowing you to edit the identifier.
As you navigate through the configuration, the hierarchy level is displayed at the top
of the main pane. You can click a statement or identifier in the hierarchy to display
the corresponding configuration options in the main pane.
The main pane includes icons that display information about statements and
identifiers when you place your cursor over them. Table 6 on page 46 describes
these icons.
Table 6: J-Web Edit Point & Click Configuration Icons
Icon Function
C Displays a comment about a statement.
I Indicates that a statement is inactive.
M Indicates that a statement has been added or modified but has not been committed.
* Indicates that the statement or identifier is required in the configuration.
46 ■ Using the Point and Click CLI Tool in the J-Web Interface to Edit Configuration Text
Table 6: J-Web Edit Point & Click Configuration Icons (continued)
Icon Function
? Provides online help information.
After typing or selecting your configuration edits, click a button in the main pane
(described in Table 7 on page 47) to apply your changes or cancel them, refresh the
display, or discard parts of the candidate configuration. An updated configuration
does not take effect until you commit it.
Table 7: J-Web Edit Point & Click Configuration Buttons
Button Function
Refresh Updates the display with any changes to the configuration made by other users.
Commit Verifies edits and applies them to the current configuration file running on the switch.
Discard Removes edits applied to or deletes existing statements or identifiers from the candidate
configuration.
Related Topics
■ CLI User Interface Overview

Using the CLI Editor in the J-Web Interface to Edit Configuration Text
To edit the entire configuration in text format:
CAUTION: We recommend that you use this method to edit and commit the
configuration only if you have experience editing configurations through the CLI.
1. Select Configure>CLI Tools>CLI Editor. The main pane displays the configuration
in a text editor.
2. Navigate to the hierarchy level you want to edit.
You can edit the candidate configuration using standard text editor
operations—insert lines (by using the Enter key), delete lines, and modify, copy,
and paste text.
3. Click Commit to load and commit the configuration.
The switching platform checks the configuration for the correct syntax before
committing it.
Related Topics
Using the CLI Terminal

The J-Web CLI terminal provides access to the JUNOS command line interface (CLI)
through the J-Web interface. The functionality and behavior of the CLI available
through the CLI terminal page is the same as that of the JUNOS CLI available through
the switch console. The CLI terminal supports all CLI commands and other features
such as CLI help and autocompletion. Using the CLI terminal page you can fully
configure, monitor, and manage the switch.
NOTE: To use the CLI terminal the domain name and hostname of the switch must
be configured. See Configuring System Identity for the EX-Series Switch for more
information.
Select Troubleshoot >CLI Terminal to access the CLI terminal.
To access the CLI through the J-Web interface, your management device requires
the following features:
■ SSH access—Enable Secure shell (SSH) on your system. SSH provides a secured
method of logging in to the switch, to encrypt traffic so that it is not intercepted.
If SSH is not enabled on the system, the CLI terminal page displays an error.
■ Java applet support—Make sure that your Web browser supports Java applets.
■ JRE installed on the client—Install Java Runtime Environment (JRE) version 1.4
or later on your system. JRE is a software package that must be installed on a
system to run Java applications. Download the latest JRE version from the Java
Software Web site http://www.java.com/. Installing JRE installs Java plug-ins,
which once installed, load automatically and transparently to render Java applets.
NOTE: The CLI terminal is supported on JRE version 1.4 and later only.
Related Topics
Understanding J-Web Configuration Tools

The J-Web graphical user interface (GUI) allows you to monitor, configure,
troubleshoot, and manage the switching platform by means of a Web browser with
Hypertext Transfer Protocol (HTTP) or HTTP over Secure Sockets Layer (HTTPS)
enabled. The J-Web interface provides access to all the configuration statements
supported by the switch, so you can fully configure the switch without using the CLI.
The J-Web interface provides two methods of configuring the switch:

■ Configure menu
■ Point & Click Editor
■ CLI Editor
Table 8 on page 49 gives a comparison of the two methods of configuration.
In addition to configuration, you can use the J-Web interface to perform many
monitoring, troubleshooting, and management tasks on the switch.
Table 8: Switching Platform Configuration Interfaces
Tool Description Function Use

Configure Web browser pages for setting up the switch quickly Configure basic switch platform Use for basic
menu and easily without configuring each statement services: configuration.
individually.
■ Interfaces
For example, use the Virtual Chassis Configuration ■ Switching
page to configure the virtual chassis parameters on ■ Virtual Chassis
the switch. Security
■
■ Services
■ System Properties
■ Routing
Point & Web browser pages divided into panes in which Configure all switching platform Use for complete
Click you can do any of the following: services: configuration if you
editor are not familiar with
■ Expand the entire configuration hierarchy and ■ System parameters the JUNOS CLI or
click a configuration statement to view or edit. ■ User Accounting and Access prefer a graphical
The main pane displays all the options for the interface.
statement, with a text box for each option. ■ Interfaces
■ Paste a complete configuration hierarchy into ■ VLAN properties

a scrollable text box, or edit individual lines. ■ Virtual Chassis properties
■ Upload or download a complete configuration. ■ Secure Access
■ Roll back to a previous configuration. ■ Services
■ Create or delete a rescue configuration. ■ Routing protocols
CLI editor Interface in which you do either of the following: Configure all switching platform Use for complete
services: configuration if you
■ Type commands on a line and press Enter to know the JUNOS CLI
create a hierarchy of configuration statements. ■ System parameters or prefer a command
■ Create an ASCII text file that contains the ■ User Accounting and Access interface.
statement hierarchy. ■ Interfaces
■ Upload a complete configuration, or roll back ■ VLAN properties
to a previous configuration.
■ Virtual Chassis properties
■ Create or delete a rescue configuration.
■ Secure Access
■ Services
■ Routing protocols
Understanding J-Web Configuration Tools ■ 49

Before using the switching platform configuration tools, become familiar with the
terms defined in Table 9 on page 50.
Table 9: Configuration Tools Terms
Term Definition
candidate configuration A working copy of the configuration that users can edit without affecting the switching
platform until that copy is committed.
configuration group Group of configuration statements that can be inherited by the rest of the configuration.
commit a configuration Have the candidate configuration checked for proper syntax, activated, and marked as the
current configuration file running on the switching platform.
configuration hierarchy The JUNOS software configuration consists of a hierarchy of statements. There are two
types of statements: container statements, which contain other statements, and leaf
statements, which do not contain other statements. All the container and leaf statements
together form the configuration hierarchy.
rescue configuration Configuration that recovers a switching platform from a configuration that denies
management access. You set a current committed configuration to be the rescue
configuration through the J-Web interface or CLI for emergency use.
roll back a configuration Return to a previously committed configuration.
Related Topics
■ Understanding J-Web User Interface Sessions

■ J-Web User Interface for EX-series Switches Overview
Starting the J-Web Interface

To start the J-Web interface:
1. Launch your HTTP-enabled or HTTPS-enabled Web browser.
To use HTTPS, you must have installed a certificate on the switch and enabled
HTTPS.
2. After http:// or https:// in your Web browser, type the hostname or IP address
of the switch and press Enter.
The J-Web login page appears.

3. On the login page, type your username and password, and click Log In.
To correct or change the username or password you typed, click Reset, type the
new entry or entries, and click Log In.
NOTE: The default username is root with no password. You must change this during
initial configuration or the system does not accept the configuration.
The Chassis Dashboard information page appears.
To explicitly terminate a J-Web session at any time, click Logout in the top pane.
Related Topics

■ Understanding How to Use the J-Web Interface to View System Information
Understanding J-Web User Interface Sessions

You establish a J-Web session with the switch through an HTTP-enabled or
HTTPS-enabled Web browser. The HTTPS protocol, which uses 128-bit encryption,
is available only in domestic versions of the JUNOS software. To use HTTPS, you
must have installed a certificate, see “Generating SSL Certificates to Be Used for
Secure Web Access” on page 82 on the switch and enabled HTTPS.
When you attempt to log in through the J-Web interface, the switch authenticates
your username with the same methods used for telnet and SSH.
If the switch does not detect any activity through the J-Web interface for 15 minutes,
the session times out and is terminated. You must log in again to begin a new session.
To explicitly terminate a J-Web session at any time, click Logout in the top pane.
Related Topics

■ Configuring Management Access for the EX-series Switch (J-Web Procedure)
Part 4
Software Installation, Upgrades, and
Initial Configuration
■ Software Installation and Initial Configuration on page 55
Software Installation, Upgrades, and Initial Configuration ■ 53

54 ■ Software Installation, Upgrades, and Initial Configuration

Chapter 5
Software Installation and Initial
Configuration
■ Software Installation on page 55
Software Installation
■ Understanding Software Installation on EX-series Switches on page 55
■ Software Installation Package Names on page 57
■ Downloading Software Packages from Juniper Networks on page 57
■ Installing Software on EX-series Switches with the CLI on page 58
■ Installing Software on EX-series Switches with the J-Web Interface on page 59
■ Connecting and Configuring the EX-series Switch (CLI Procedure) on page 61
■ Connecting and Configuring the EX-series Switch (J-Web Procedure) on page 62
■ Recovering from a Failed Software Upgrade on an EX-series Switch on page 65
■ EX 3200 and EX 4200 Default Configuration on page 66
■ Understanding Configuration Files for EX-series Switches on page 70
■ Configuration Files Terms on page 71
■ Uploading a Configuration File (CLI Procedure) on page 71
■ Upload a Configuration File with the J-Web Interface on page 73
Understanding Software Installation on EX-series Switches

An EX-series switch is delivered with the JUNOS software preinstalled. As new features
and software fixes become available, you must upgrade your software to use them.
You can also downgrade a newly purchased system to a previous JUNOS software
release if you want to maintain consistent versions in your network.
This topic covers:

■ Overview of the Software Installation Process on page 56
■ Installing Software on a Virtual Chassis on page 56
■ Software Package Security on page 56
Software Installation ■ 55
■ Troubleshooting Software Installation on page 56

Overview of the Software Installation Process

An EX-series switch is delivered with the JUNOS software preinstalled. When you
connect power to the switch, it starts (boots) up from the installed software.
You upgrade the JUNOS software on an EX-series switch by copying a software

package to your switch or another system on your local network, then use either the
J-Web interface or the CLI to install the new software package on the switch. Finally,
you reboot the switch, at which time it boots from the upgraded software.
During a successful upgrade, the upgrade package removes all files from /var and
/var/tmp and completely reinstalls the existing software. It retains configuration files,
and similar information, such as secure shell and host keys, from the previous version.
The previous software package is preserved in a separate disk partition, and you can
manually revert back to it if necessary. If the software installation fails for any reason,
such as loss of power during the installation process, the system returns to the
originally active installation when you reboot.
Installing Software on a Virtual Chassis

the unit as a single chassis, called a virtual chassis. The virtual chassis operates as a
single network entity comprised of members. Each member of a virtual chassis runs
JUNOS software packages.
For ease of management, the virtual chassis provides flexible methods to upgrade
software releases. You can deploy a new software release to all of the members of
a virtual chassis or to only a particular member.
Software Package Security

All JUNOS software is delivered in signed packages that contain digital signatures to
ensure official Juniper Networks software. For more information about signed software
packages, see the JUNOS Software Installation and Upgrade Guide.
Troubleshooting Software Installation

If the JUNOS software loads but the CLI is not working for any reason, or if the switch
has no software installed, EX-series switches provide a recovery installation procedure
to install the JUNOS software.
NOTE: You can also use this procedure to load two versions of JUNOS in separate
partitions on the switch.
56 ■ Overview of the Software Installation Process

Chapter 5: Software Installation and Initial Configuration
Related Topics
■ Downloading Software Packages from Juniper Networks

■ Installing Software on EX-series Switches with the J-Web Interface
■ Installing Software on EX-series Switches with the CLI
■ Recovering from a Failed Software Upgrade on an EX-series Switch
Software Installation Package Names

An upgrade software package name is in the following format:
package-name-m.nZx-distribution.tgz.
■ package-name is the name of the package—for example, jinstall-ex.
■ m.n is the software release, with m representing the major release number—for
example, 9.0.
■ Z indicates the type of software release. For example, R indicates released
software, and B indicates beta-level software.
■ x represents the version of the major software release—for example, 2.
■ distribution indicates the area for which the software package is provided—For
most JUNOS packages, domestic is used for the United States and Canada and
export for worldwide distribution. However, for EX-series software, the domestic
is used for worlwide distribution as well.
A sample EX-series software package name is jinstall-ex-9.0R2-domestic.tgz.
Related Topics
■ Understanding Software Installation on EX-series Switches

Downloading Software Packages from Juniper Networks

To download software upgrades, you must have a Juniper Networks Web account
and a valid support contract. To obtain an account, complete the registration form
at the Juniper Networks Web site: https://www.juniper.net/registration/Register.jsp.
Follow these steps to download software upgrades from Juniper Networks:
1. Using a Web browser, follow the links to the download URL on the Juniper
Networks Web page. Depending on your location, select either Canada and U.S.
Version or Worldwide Version:
■ https://www.juniper.net/support/csc/swdist-domestic/
■ https://www.juniper.net/support/csc/swdist-ww/
2. Log in to the Juniper Networks authentication system using the username

(generally your e-mail address) and password supplied by Juniper Networks
representatives.
3. Using the J-Web interface or the CLI, select the appropriate software package for
your application.
4. Download the software to a local host or to an internal software distribution site.
Related Topics

■ Software Installation Package Names
Installing Software on EX-series Switches with the CLI

This topic describes how to upgrade software packages on a single fixed-configuration
switch, an individual member of a virtual chassis, or for all members of a virtual
chassis.
To install software upgrades on an EX-series switch with the CLI:

1. Download the software package as described in Downloading Software Packages
from Juniper Networks
2. Copy the software package to the switch. We recommend that you use FTP to
copy the file to the /var/tmp directory.
3. To install the new package on the switch, enter the following command:
user@host> request system software add source [member member_id] reboot
Include the member option to install the software package on only one member
of a virtual chassis. Other members of the virtual chassis are not affected. To
install the software on all members of the virtual chassis, do not include the
member option.
Replace source with one of the following paths:

■ For a software package that is installed from a local directory on the
router—/pathname/package-name, where package-name is, for example,
jinstall-ex-9.0R2-domestic.tgz.
■ For software packages that are downloaded and installed from a remote
location:
■ ftp://hostname/pathname/package-name
■ http://hostname/pathname/package-name
Related Topics

■ See the JUNOS Software System Basics and Services Command Reference for details
about the request system software add command.
Installing Software on EX-series Switches with the J-Web Interface

You can use the J-Web interface to install software upgrades from a server using FTP
or HTTP, or by copying the file to the switch.
This section contains the following tasks:
1. Installing Software Upgrades from a Server with the J-Web Interface on page 59
2. Installing Software Upgrades by Uploading Files with the J-Web
Interface on page 60
3. Related Topics on page 61
Installing Software Upgrades from a Server with the J-Web Interface
You can use the J-Web interface to install software upgrades from a remote server
by using FTP or HTTP, or by uploading the file to the switching platform.
1. Download the software package as described in Downloading Software Packages
from Juniper Networks.
2. Log in to the Juniper Networks authentication system using the username
(generally your e-mail address) and password supplied by Juniper Networks
representatives.
3. In the J-Web interface, select Maintain>Software>Install Package.
4. On the Install Remote page, enter information into the fields described in
Table 10 on page 60.
5. Click Fetch and Install Package. The software is activated after the switch has
rebooted.
Table 10: Install Remote Summary
Field Function Your Action
Package Location Specifies the FTP or HTTP server, file path, and Type the full address of the software package
(required) software package name. location on the FTP or HTTP server—one of the
following:
ftp://hostname/pathname/package-name
http://hostname/pathname/package-name
User Specifies the username, if the server requires Type the username.
one.
Password Specifies the password, if the server requires Type the password.
one.
Reboot If Required If this box is checked, the switching platform is Check the box if you want the switching platform
automatically rebooted when the upgrade is to reboot automatically when the upgrade is
complete. complete.
Installing Software Upgrades by Uploading Files with the J-Web Interface
You can use the J-Web interface to install software packages copied from your
computer to the switching platform.
To install software upgrades by uploading files:

1. Download the software package.
2. In the J-Web interface, select Maintain>Software>Upload Package.
3. On the Upload Package page, enter information into the fields described in
4. Click Upload Package. The software is activated after the switching platform has
rebooted.
Table 11: Upload Package Summary
File to Upload (required) Specifies the location of the software Type the location of the software package, or click
package. Browse to navigate to the location.
Reboot If Required Specifies that the switching platform is Select the check box if you want the switching
automatically rebooted when the upgrade is platform to reboot automatically when the upgrade
complete. is complete.
60 ■ Installing Software Upgrades by Uploading Files with the J-Web Interface

Related Topics

Connecting and Configuring the EX-series Switch (CLI Procedure)

There are two ways to connect and configure the EX-series switch: one method is
through the console and the other is using the J-Web interface. This section describes
the CLI procedure.
To configure the switch from the console:

1. Connect the console port to a laptop or PC using the RJ-45 to DB-9 serial port
adapter. The RJ-45 cable and RJ-45 to DB-9 serial port adapter are supplied with
the switch.
2. At the shell prompt type ezsetup.
3. Enter the hostname. This is optional.
4. Enter the root password. You are prompted to re-enter the root password.
5. Enter yes to enable services like Telnet and SSH. By default, Telnet will not be
enabled and SSH is enabled.
6. Next, select one of the switch management options:
■ Configure in-band management. In this scenario you have the following two
options:
■ Use the default VLAN
■ Create a new VLAN—If you select this option, you are prompted to
specify the VLAN name, VLAN ID, management IP address, default
gateway. Select the ports that must be part of this VLAN.
■ Configure out-of-band management. Specify the IP address and gateway of

the management interface. Use this IP address to connect to the switch.
7. Specify the SNMP Read Community, Location, and Contact to configure SNMP
parameters. These parameters are optional.
8. Specify the system date and time. Select the time zone from the list. These
options are optional.
The configured parameters are displayed. Enter yes to commit the configuration.
The configuration is committed as the active configuration for the switch. You
can now log in with the CLI or the J-Web interface to continue configuring the
switch. If you use the J-Web interface to continue configuring the switch, the
Web session is redirected to the new management IP address. If the connection
cannot be made, the J-Web interface displays instructions for starting a J-Web
session.
Related Topics
■ Installing and Connecting an EX-series Switch

■ EX-series Switch—LCD
Connecting and Configuring the EX-series Switch (J-Web Procedure)

There are two ways to connect and configure the EX-series switch: one method is
through the console and the other is using the J-Web interface. This section describes
the J-Web procedure.
NOTE: To obtain an IP address dynamically, you must enable a DHCP client on the
management PC you connect to the switch.
1. To transition the switch into EZ Setup mode, use the buttons to the right of the
LCD panel on the front panel of the switch (see Figure 3 on page 63:
Figure 3: LCD Panel
■ Press Menu (top button) until you see MAINTENANCE MENU. Then press Enter
(bottom button).
■ Press Menu until you see ENTER EZ Setup. Then press Enter.
NOTE: If EZ Setup does not appear as an option in the Maintenance menu, select
Factory Default to return the box to the factory default configuration. EZ Setup is
displayed in the menu only when the switch is set to the factory default configuration.
■ The display says CONFIRM SETUP?. Press Enter to continue with EZ Setup.
The ge-0/0/0 interface on the front panel of the switch is configured as the DHCP
server with the default IP address, 192.168.1.1. The switch can assign an IP
address to the management PC in the IP address range 192.168.1.2 through
192.168.1.253.
NOTE: You must complete the initial configuration using the J-Web interface within
10 minutes. The LCD displays a count-down timer. The switch exits the EZ Setup
mode after 10 minutes and reverts to factory configuration, and the PC loses
connectivity to the switch.
2. Insert one end of the Ethernet cable into the Ethernet port on the PC and connect
the other end to port 0 (ge-0/0/0) on the front panel of the switch.
3. From the PC, open a Web browser and type http://192.168.1.1 in the address
field.
4. On the Login page enter root as the username and no password.
5. On the Introduction page, click Next.
6. On the Basic Settings page, modify the hostname, the root password, and date
and time settings.
Connecting and Configuring the EX-series Switch (J-Web Procedure) ■ 63

■ Enter the hostname. This is optional.

■ Enter a password and reenter the password.
■ Specify the time zone.
■ Select an option button to either synchronize the date and time settings of
the switch with the management PC or set them manually. This is optional.
Click Next.
7. Use the Management Options page to select the management scenario:
■ In-band Management-Use VLAN 'default' for management.
Select this option to configure all data interfaces as members of the default
VLAN. Click Next. Specify the management IP address and the default gateway
for the default VLAN.
■ In-band Management-Create new VLAN for management.
Select this option to create a management VLAN. Click Next. Specify the
VLAN name, VLAN ID, member interfaces, and management IP address and
default gateway for the new VLAN.
■ Out-of-band Management-Configure management port.
Select this option to configure only the management interface. Click Next.
Specify the IP address and default gateway for the management interface.
8. Click Next.
9. On the Manage Access page, you may select options to enable Telnet, SSH, and
SNMP services. For SNMP, you can configure the read community, location, and
contact.
10. Click Next.
11. The Summary screen displays the configured settings. Click Finish.
The configuration is committed as the active configuration for the switch. You can
now log in with the CLI or the J-Web interface to continue configuring the switch. If
you use the J-Web interface to continue configuring the switch, the Web session is
redirected to the new management IP address. If the connection cannot be made,
the J-Web interface displays instructions for starting a J-Web session.
NOTE: After the configuration takes effect, you might lose connectivity between the
PC and the switch. To renew the connection, release and renew the IP address by
executing the appropriate commands on the management PC or by removing and
re-inserting the Ethernet cable.
64 ■ Connecting and Configuring the EX-series Switch (J-Web Procedure)

Related Topics
■ Installing and Connecting an EX-series Switch

■ Connecting and Configuring the EX-series Switch (CLI Procedure)
■ EX-series Switch—LCD
Recovering from a Failed Software Upgrade on an EX-series Switch

If the JUNOS software loads but the CLI is not working for any reason, or if the switch
has no software installed, you can use this recovery installation procedure to install
the JUNOS software.
If there is already a JUNOS image on the system, you can either install the new JUNOS
package in a separate partition and both JUNOS images will remain on the system,
or you can wipe the disk clean before the new installation proceeds.
To perform a recovery installation:

1. Power on the switch. The loader script starts.
2. After the Loading /boot/defaults/loader.conf displays, you are promptedwith:
Hit [Enter] to boot immediately, or space bar for command prompt.
Hit the space bar to enter the manual loader. The loader> prompt displays.
3. Enter the following command:
install [––format] source
Where:
■ Include the ––format option if you want to wipe the internal disk before
installing the software package. If you do not include this option, the system
installs the new JUNOS software package in a different partition from any
existing JUNOS software package.
■ source represents the name and location of the JUNOS software package
either on a server on the network or as a file on an external USB drive:
■ Network address of the server and the path on the server. For example,
tftp://192.17.1.28/junos/jinstall-ex-9.0R1-domestic.tgz
■ The JUNOS package on a USB device is commonly stored in the root
drive as the only file. For example, file:///jinstall-ex-9.0R1-domestic.tgz
4. The installation proceeds as normal and ends with a login prompt.
The system disk has two partitions and can have a different software package installed
in each partition. You can manually reset the system to boot from the other partition.
You can set the system to boot from the other partition on the next reboot only, or
make the change permanent so that it will boot from the other partition on all
subsequent reboots.
To specify reboot from the partition that is not currently active for the next reboot
only, issue the following commands from within the loader:
1. set currdev=disk0Sdisk-number:, where disk-number indicates the partition
number, either 1 or 2.
2. boot
To reset the partition that is designated the active partition, exit the CLI and enter
the following commands from the UNIX prompt:
1. # echo "adisk-number" |fdisk –f –/dev/da0, where disk-number indicates the
partition number, either 1 or 2.
2. # reboot
Related Topics

EX 3200 and EX 4200 Default Configuration

Each EX-series switch is programmed with a factory default configuration that contains
the values set for each configuration parameter when a switch is shipped. The default
configuration file sets values for system parameters such as syslog and commit,
configures PoE and Ethernet-switching on all interfaces, and enables the lldp and
rstp protocols.
The following factory default configuration file is for a 24-port switch. For models
that have more ports, this default configuration file has more interfaces.
NOTE: In this example, ge-0/0/0 through ge0/0/23 are the network interface ports.
Optional uplink modules provide either two 10-Gigabit Ethernet small-form factor
pluggable (XFP) transceivers (xe-0/1/1/ and xe-0/1/1/) or four 1-Gigabit Ethernet small
form factor pluggable (SFP) transceivers (ge-0/1/0 through ge-0/1/3) .
When you commit changes to the configuration, a new configuration file is created
which becomes the active configuration. You can always revert to the factory default
configuration.
This topic shows the factory default configuration file of a 24-port Ex-series switch.
system {
syslog {
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
commit {
factory-settings {
reset-chassis-lcd-menu;
reset-virtual-chassis-configuration;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/1 {
unit 0 {
}
}
ge-0/0/2 {
unit 0 {
}
}
ge-0/0/3 {
unit 0 {
}
}
ge-0/0/4 {
unit 0 {
}
}
ge-0/0/5 {
unit 0 {
}
}
ge-0/0/6 {
unit 0 {
}
}
ge-0/0/7 {
unit 0 {
EX 3200 and EX 4200 Default Configuration ■ 67

}
}
ge-0/0/8 {
unit 0 {
}
}
ge-0/0/9 {
unit 0 {
}
}
ge-0/0/10 {
unit 0 {
}
}
ge-0/0/11 {
unit 0 {
}
}
ge-0/0/12 {
unit 0 {
}
}
ge-0/0/13 {
unit 0 {
}
}
ge-0/0/14 {
unit 0 {
}
}
ge-0/0/15 {
unit 0 {
}
}
ge-0/0/16 {
unit 0 {
}
}
ge-0/0/17 {
unit 0 {
}
}
ge-0/0/18 {
unit 0 {
68 ■ EX 3200 and EX 4200 Default Configuration

}
}
ge-0/0/19 {
unit 0 {
}
}
ge-0/0/20 {
unit 0 {
}
}
ge-0/0/21 {
unit 0 {
}
}
ge-0/0/22 {
unit 0 {
}
}
ge-0/0/23 {
unit 0 {
}
}
ge-0/1/0 {
unit 0 {
}
}
xe-0/1/0 {
unit 0 {
}
}
ge-0/1/1 {
unit 0 {
}
}
xe-0/1/1 {
unit 0 {
}
}
ge-0/1/2 {
unit 0 {
}
}
ge-0/1/3 {
unit 0 {
}
EX 3200 and EX 4200 Default Configuration ■ 69

}
}
protocols {
lldp {
interface all;
}
rstp;
}
poe {
interface all;
}
Related Topics
■ Reverting to the Default Factory Configuration for the EX-series Switch

■ Understanding Configuration Files for EX-series Switches
Understanding Configuration Files for EX-series Switches

A configuration file stores the complete configuration of a switch. The current
configuration of a switch is called the active configuration. You can alter this current
configuration and you can also return to a previous configuration. For more
information see Configuration Files Terms
JUNOS saves the 50 most recently committed configuration files on the switch so
that you can return to a previous configuration. The configuration files are named:
■ juniper.conf.gz—The current active configuration.
■ juniper.conf.1.gz to juniper.conf.49.gz—Rollback configurations.
To make changes to the configuration file, you have to work in the configuration
mode in the CLI or use the configuration tools in the J-Web interface. When making
changes to a configuration file, you are viewing and changing the candidate
changes without causing operational changes to the active configuration or causing
potential damage to your current network operations. Once you commit the changes
made to the candidate configuration, the system updates the active configuration.
Related Topics
■ Managing Configuration Files Through the Configuration History (J-Web Procedure)

■ Uploading a Configuration File (CLI Procedure)
■ Upload a Configuration File with the J-Web Interface
Configuration Files Terms

Table 12 on page 71 lists the various configuration file terms and their definitions.
Table 12: Configuration File Terms
Term Definition
active configuration The current committed configuration of a switch.
candidate configuration A working copy of the configuration that allows users to make configurational changes
without causing any operational changes until this copy is committed.
configuration group Group of configuration statements that can be inherited by the rest of the configuration.
commit a configuration Have the candidate configuration checked for proper syntax, activated, and marked as
the current configuration file running on the switching platform.
configuration hierarchy The JUNOS software configuration consists of a hierarchy of statements. There are two
types of statements: container statements, which contain other statements, and leaf
statements, which do not contain other statements. All the container and leaf statements
together form the configuration hierarchy.
default configuration The default configuration contains the initial values set for each configuration parameter
when a switch is shipped.
roll back a configuration Return to a previously committed configuration.
Related Topics

■ EX 3200 and EX 4200 Default Configuration
■ Loading a Previous Configuration File (CLI Procedure)
Uploading a Configuration File (CLI Procedure)

You can create a configuration file on your local system, copy the file to the EX-series
switch and then load the file into the CLI. After you have loaded the configuration
file, you can commit it to activate the configuration on the switch. You can also edit
the configuration interactively using the CLI and commit it at a later time.
To upload a configuration file from your local system:
Configuration Files Terms ■ 71

1. Create the configuration file using a text editor such as Notepad, making sure
that the syntax of the configuration file is correct. For more information about
testing the syntax of a configuration file see System Basics and Services Command
Reference at http://www.juniper.net/techpubs/software/junos/junos90/index.html.
2. In the configuration text file, use an option to perform the required action when
the file is loaded. Table 13 on page 72 lists and describes some options for the
load command.
Table 13: Options for the load command
Options Description
merge Combines the current active configuration and the configuration
in filename or the one that you type at the terminal. A merge
operation is useful when you are adding a new section to an
existing configuration. If the active configuration and the incoming
configuration contain conflicting statements, the statements in
the incoming configuration override those in the active
configuration.
override Discards the current candidate configuration and loads the

configuration in filename or the one that you type at the terminal.
When you use the override option and commit the configuration,
all system processes reparse the configuration. You can use the
override option at any level of the hierarchy.
replace Searches for the replace tags, deletes the existing statements of
the same name, if any, and replaces them with the incoming
configuration. If there is no existing statement of the same name,
the replace operation adds the statements marked with the replace
tag to the active configuration.
NOTE: For this operation to work, you must include replace tags
in the text file or in the configuration you type at the terminal.
3. Press Ctrl+A to select all the text in the configuration file.

4. Press Ctrl+C to copy the contents of the configuration text file to the Clipboard.
5. On the switch, enter configuration mode:
user@switch> cli
[edit]
user@switch#
6. Load the configuration file:
[edit]
user@switch# load merge terminal
7. At the prompt, paste the contents of the Clipboard using the mouse and the
Paste icon.
[edit]
user@switch# load merge terminal
[Type ^D at a new line to end input]
>Paste the contents of the clipboard here<
8. Press Enter.
72 ■ Uploading a Configuration File (CLI Procedure)

9. Press Ctrl+D to indicate the end-of-file marker.

10. Commit the configuration to activate it on the switch. You can also edit the
configuration interactively using the CLI and commit it at a later time.
Related Topics
■ Upload a Configuration File with the J-Web Interface

Upload a Configuration File with the J-Web Interface

To upload a configuration file from your local system:
1. Select Maintain > Config Management > Upload.
The main pane displays the File to Upload box.

2. Specify the name of the file to upload using one of the following methods:
■ Type the absolute path and filename in the File to Upload box.
■ Click Browse to navigate to the file.
3. Click Upload and Commit to upload and commit the configuration.
The switch checks the configuration for the correct syntax before committing it.
Related Topics
■ Uploading a Configuration File (CLI Procedure)

Part 5
System Basics
■ Understanding Basic System Concepts on page 77
■ Configuring Basic System Functions on page 79
■ Administering and Monitoring Basic System Functions on page 85
■ Troubleshooting Basic System Functions on page 105
■ Operational Mode Commands for … on page 109
System Basics ■ 75
76 ■ System Basics
Chapter 6
Understanding Basic System Concepts
■ Understanding Alarm Types and Severity Levels on EX-series Switches on page 77
Understanding Alarm Types and Severity Levels on EX-series Switches

Before monitoring alarms on the switch, become familiar with the terms defined in
Table 14: Alarm Terms
Term Definition
alarm Signal alerting you to conditions that might prevent normal operation. On a switch, the alarm
signal is the yellow ALARM LED lit on the front of the chassis.
alarm condition Failure event that triggers an alarm.
alarm severity Seriousness of the alarm. The level of severity can be either major (red) or minor (yellow).
chassis alarm Predefined alarm triggered by a physical condition on the switch such as a power supply failure,
excessive component temperature, or media failure.
system alarm Predefined alarm triggered by a missing rescue configuration or failure to install a license for a
licensed software feature.
Alarm Types
The switch supports these alarms:

■ Chassis alarms indicate a failure on the switch or one of its components. Chassis
alarms are preset and cannot be modified.
■ System alarms indicate a missing rescue configuration. System alarms are preset
and cannot be modified, although you can configure them to appear automatically
in the J-Web interface display or CLI display.
Alarm Severity Levels
Alarms on a Ex-series switch have two severity levels:

■ Major (red)—Indicates a critical situation on the switch that has resulted from
one of the following conditions. A red alarm condition requires immediate action.
Understanding Alarm Types and Severity Levels on EX-series Switches ■ 77

■ One or more hardware components have failed.

■ One or more hardware components have exceeded temperature thresholds.
■ An alarm condition configured on an interface has triggered a critical warning.
■ Minor (yellow)—Indicates a noncritical condition on the switch that, if left

unchecked, might cause an interruption in service or degradation in performance.
A yellow alarm condition requires monitoring or maintenance.
A missing rescue configuration generates a yellow system alarm.
Related Topics
■ Checking Active Alarms on the Switch with the J-Web Interface
Chapter 7
Configuring Basic System Functions
■ Configuring Management Access for the EX-series Switch (J-Web

Procedure) on page 79
■ Configuring Date and Time for the EX-series Switch (J-Web Procedure) on page 81
■ Generating SSL Certificates to Be Used for Secure Web Access on page 82
Configuring Management Access for the EX-series Switch (J-Web Procedure)

You can set up secure access to the J-Web interface.
Navigate to the Secure Access Configuration page by selecting Configure>System

Properties>Management Access. On this page, you can enable HTTP and HTTPS
access on interfaces for managing the EX-series switch through the J-Web interface.
You can also install SSL certificates and enable JUNOScript over SSL with the Secure
Access page.
1. Click Edit to modify the configuration. Enter information into the Management
Access Configuration page, as described in Table 15 on page 79.
2. To verify that Web access is enabled correctly, connect to the switch using the
appropriate method:
■ For HTTP access—In your Web browser, type http://URL or http://IP address.
■ For HTTPS access—In your Web browser, type https://URL or https://IP
address.
■ For SSL JUNOScript access— To use this option, you must have aJUNOScript
client such as JUNOScope. For information about how to log into JUNOScope,
see the JUNOScope Software User Guide.
Table 15: Secure Access Configuration Summary
Management Access tab

Management Port IP Specifies the management port IP address Type a 32-bit IP address, in dotted decimal notation.
Subnet Mask Specifies the subnet mask. Enter the subnet mask or address prefix. For example,
24 bits represents 255.255.255.0.
Configuring Management Access for the EX-series Switch (J-Web Procedure) ■ 79

Table 15: Secure Access Configuration Summary (continued)
Default Gateway Defines a default gateway through which Type a 32-bit IP address, in dotted decimal notation.
to direct packets addressed to networks
that are not explicitly listed in the bridge
table constructed by the switch.
Services Specifies services to be enabled: telnet Select to enable the required services.
and SSH.
Enable JUNOScript Enables clear text access to the To enable clear text access, select the Enable JUNOScript
over Clear Text JUNOScript XML scripting API. over Clear Text check box.
Enable JUNOScript Enables secure SSL access to the To enable SSL access, select the Enable JUNOScript over
over SSL JUNOScript XML scripting API. SSL check box.
JUNOScript Certificate Specifies SSL certificates to be used for To enable an SSL certificate, select a certificate from the
encryption. JUNOScript SSL Certificate list—for example, new.
This field is available only after you create

at least one SSL certificate.
HTTP Web Access

Enable HTTP Access Enables HTTP access on interfaces. To enable HTTP access, select the Enable HTTP access
check box.
Select and clear interfaces by clicking the direction

arrows:
■ To enable HTTP access on an interface, add the
interface to the HTTP Interfaces list. You can either
select all interfaces or specific interfaces.
HTTPS Web Access

Enable HTTPS Access Enables HTTPS access on interfaces. To enable HTTPS access, select the Enable HTTPS access
check box.
Select and deselect interfaces by clicking the direction

arrows:
■ To enable HTTPS access on an interface, add the
interface to the HTTPS Interfaces list. You can either
select all interfaces or specific interfaces.
NOTE: Specify the certificate to be used for HTTPS

access.
Certificates tab
80 ■ Configuring Management Access for the EX-series Switch (J-Web Procedure)

Chapter 7: Configuring Basic System Functions
Table 15: Secure Access Configuration Summary (continued)
Certificates Displays digital certificates required for To add a certificate:

SSL access to the switch.
1. Have a general SSL certificate
available. See Generating SSL
Allows you to add and delete SSL
Certificates for more information.
certificates.
2. Click Add. The Add a Local
Certificate page opens.
3. Type a name in the Certificate
Name box—for example, new.
4. Paste the generated certificate and
RSA private key in the Certificate
box.
To edit a certificate, select it and click

Edit.
To delete a certificate, select it and click

Delete.
Related Topics
■ Security Features for EX-series Switches Overview
■ Understanding J-Web User Interface Sessions
Configuring Date and Time for the EX-series Switch (J-Web Procedure)
To configure date and time:
1. Select Configure>System Properties>Date & Time.
2. To modify the information, click Edit. Enter information into the Edit Date &
Time page, as described in Table 16 on page 81.
3. Click one:
■ To apply the configuration, click OK.
■ To cancel your entries and return to the System Properties page, click Cancel.
Table 16: Date and Time Settings
Time
Time Zone Identifies the timezone that the Select the appropriate time zone from
switching platform is located in. the list.
Table 16: Date and Time Settings (continued)
Set Time Synchronizes the system time with that To immediately set the time, click one:
of the NTP server. You can also manually
set the system time and date. ■ Synchronize with PC time—The
switch synchronizes the time with
that of the PC.
■ NTP Servers—The switch sends a
request to the NTP server and
synchronizes the system time.
■ Manual—A pop-up window allows
you to select the current date and
time from a list.
Related Topics
Generating SSL Certificates to Be Used for Secure Web Access

To enable secure Web access, you must generate a digital SSL certificate and then
enable HTTPS access on the switching platform.
To generate an SSL certificate:

1. Enter the following openssl command in your Secure Shell command-line
interface. The openssl command generates a self-signed SSL certificate in the
privacy-enhanced mail (PEM) format. It writes the certificate and an unencrypted
1024-bit RSA private key to the specified file.
% openssl req –x509 –nodes –newkey rsa:1024 –keyout filename.pem -out

filename.pem
Replace filename with the name of a file in which you want the SSL certificate
to be written—for example, new.pem.
2. When prompted, type the appropriate information in the identification form.
For example, type US for the country name.
3. Display the contents of the file new.pem.
cat new.pem
NOTE: When you are ready to install the SSL certificate, open this file and copy its
contents so you can paste it into the Certificate box on the Secure Access
Configuration page.
You can use either J-Web Configuration or a configuration editor to install the SSL
certificate and enable HTTPS.
Chapter 7: Configuring Basic System Functions
Related Topics
■ Configuring Management Access for the EX-series Switch (J-Web Procedure)
Chapter 8
Administering and Monitoring Basic
System Functions
■ Monitoring Hosts Using the J-Web Ping Host Tool on page 85

■ Monitoring Switch Control Traffic on page 87
■ Monitoring Network Traffic Using Traceroute on page 89
■ Monitoring System Properties on page 91
■ Monitoring System Process Information on page 92
■ Rebooting or Halting the EX-series Switch (J-Web Procedure) on page 93
■ Managing Users (J-Web Procedure) on page 94
■ Managing Log, Temporary, and Crash Files on the Switch (J-Web
■ Setting or Deleting the Rescue Configuration (CLI Procedure) on page 98
■ Setting or Deleting the Rescue Configuration (J-Web Procedure) on page 99
■ Loading a Previous Configuration File (CLI Procedure) on page 99
■ Checking Active Alarms with the J-Web Interface on page 100
■ Monitoring System Log Messages on page 101
Monitoring Hosts Using the J-Web Ping Host Tool

Purpose Use the J-Web ping host tool to verify that the host can be reached over the network.
The output is useful for diagnosing host and network connectivity problems. The
switch sends a series of ICMP echo (ping) requests to a specified host and receives
ICMP echo responses.
Action To use the J-Web ping host tool:

1. Select Troubleshoot>Ping Host.
2. Next to Advanced options, click the expand icon.
3. Enter information into the Ping Host page, as described in Table 17 on page 86.
The Remote Host field is the only required field.

4. Click Start.
Monitoring Hosts Using the J-Web Ping Host Tool ■ 85

The results of the ping operation are displayed in the main pane . If no options
are specified, each ping response is in the following format:
bytes bytes from ip-address: icmp_seq=number ttl=number time=time
5. To stop the ping operation before it is complete, click OK.
Table 17:What
J-Web
It Means
Ping Host Field Summary
Remote Host Identifies the host to ping. Type the hostname or IP address of the host to ping.
Advanced Options
Don't Resolve Determines whether to display hostnames of the ■ To suppress the display of the hop hostnames,
Addresses hops along the path. select the check box.
■ To display the hop hostnames, clear the check
box.
Interface Specifies the interface on which the ping requests Select the interface on which ping requests are sent
are sent. from the list. If you select any, the ping requests are
sent on all interfaces.
Count Specifies the number of ping requests to send. Select the number of ping requests to send from the
list.
Don't Fragment Specifies the Don't Fragment (DF) bit in the IP ■ To set the DF bit, select the check box.
header of the ping request packet. ■ To clear the DF bit, clear the check box.
Record Route Sets the record route option in the IP header of the ■ To record and display the path of the packet,
ping request packet. The path of the ping request select the check box.
packet is recorded within the packet and displayed ■ To suppress the recording and display of the
in the main pane. path of the packet, clear the check box.
Type-of-Service Specifies the type-of-service (TOS) value in the IP Select the decimal value of the TOS field from the
header of the ping request packet. list.
Routing Instance Name of the routing instance for the ping attempt. Select the routing instance name from the list.
Interval Specifies the interval, in seconds, between Select the interval from the list.
transmissions of individual ping requests.
Packet Size Specifies the size of the ping request packet. Type the size, in bytes, of the packet. The size can
be from 0 through 65468. The switch adds 8 bytes
of ICMP header to the size.
Source Address Specifies the source address of the ping request Type the source IP address.
packet.
Time-to-Live Specifies the time-to-live (TTL) hop count for the Select the TTL value from the list.
ping request packet.
86 ■ Monitoring Hosts Using the J-Web Ping Host Tool

Chapter 8: Administering and Monitoring Basic System Functions
Table 17: J-Web Ping Host Field Summary (continued)
Bypass Routing Determines whether ping requests are routed by ■ To bypass the routing table and send the ping
means of the routing table. requests to hosts on the specified interface
only, select the check box.
If the routing table is not used, ping requests are ■ To route the ping requests using the routing
sent only to hosts on the interface specified in the table, clear the check box.
Interface box. If the host is not on that interface,
ping responses are not sent.
Related Topics
■ Monitoring Interface Status and Traffic
Monitoring Switch Control Traffic

Purpose Use the packet capture feature when you need to quickly capture and analyze switch
control traffic on a switch. The packet capture feature allows you to capture traffic
destined for or originating from the Routing Engine.
Action To use the packet capture feature in the J-Web interface, select Troubleshoot>Packet
Capture.
To use the packet capture feature in the CLI, enter the following CLI command:
monitor traffic
What It Means You can use the packet capture feature to compose expressions with various matching
criteria to specify the packets that you want to capture. You can decode and view
the captured packets in the J-Web interface as they are captured. The packet capture
feature does not capture transient traffic.
Table 18: Packet Capture Field Summary
Interface Specifies the interface on which the packets are captured. From the list, select an interface—for
If you select default, packets on the Ethernet management example, ge-0/0/0.
port 0, are captured.
Detail level Specifies the extent of details to be displayed for the From the list, select Detail.
packet headers.
■ Brief—Displays the minimum packet header
information. This is the default.
■ Detail—Displays packet header information in
moderate detail.
■ Extensive—Displays the maximum packet header
information.
Table 18: Packet Capture Field Summary (continued)
Packets Specifies the number of packets to be captured. Values From the list, select the number of packets
range from 1 to 1000. Default is 10. Packet capture stops to be captured—for example, 10.
capturing packets after this number is reached.
Addresses Specifies the addresses to be matched for capturing the Select address-matching criteria. For example:
packets using a combination of the following parameters:
1. From the Direction list, select source.
■ Direction—Matches the packet headers for IP
address, hostname, or network address of the source, 2. From the Type list, select host.
destination or both. 3. In the Address box, type 10.1.40.48.
■ Type—Specifies if packet headers are matched for
host address or network address. 4. Click Add.
You can add multiple entries to refine the match criteria

for addresses.
Protocols Matches the protocol for which packets are captured. You From the list, select a protocol—for example,
can choose to capture TCP, UDP, or ICMP packets or a tcp.
combination of TCP, UDP, and ICMP packets.
Ports Matches packet headers containing the specified source Select a direction and a port. For example:
or destination TCP or UDP port number or port name.
■ From the Type list, select src.
■ In the Port box, type 23.
Advanced Options
Absolute TCP Specifies that absolute TCP sequence numbers are to be To display absolute TCP sequence numbers
Sequence displayed for the packet headers. in the packet headers, select this check box.
Layer
Layer 2 Headers Specifies that link-layer packet headers are to be To include link-layer packet headers while
displayed. capturing packets, select this check box.
Non-Promiscuous Specifies not to place the interface in promiscuous mode, To read all packets that reach the interface,
so that the interface reads only packets addressed to it. select this check box.
In promiscuous mode, the interface reads every packet
that reaches it.
Display Hex Specifies that packet headers, except link-layer headers, To display the packet headers in hexadecimal
are to be displayed in hexadecimal format. format, select this check box.
Display ASCII and Specifies that packet headers are to be displayed in To display the packet headers in ASCII and
Hex hexadecimal and ASCII format. hexadecimal formats, select this check box.
Header Specifies the match condition for the packets to be You can enter match conditions directly in
Expression captured. The match conditions you specify for Addresses, this field in expression format or modify the
Protocols, and Ports are displayed in expression format expression composed from the match
in this field. conditions you specified for Addresses,
Protocols, and Ports. If you change the match
conditions specified for Addresses, Protocols,
and Ports again, packet capture overwrites
your changes with the new match conditions.
88 ■ Monitoring Switch Control Traffic

Table 18: Packet Capture Field Summary (continued)
Packet Size Specifies the number of bytes to be displayed for each Type the number of bytes you want to
packet. If a packet header exceeds this size, the display capture for each packet header—for example,
is truncated for the packet header. The default value is 256.
96 bytes.
Don't Resolve Specifies that IP addresses are not to be resolved into To prevent packet capture from resolving IP
Addresses hostnames in the packet headers displayed. addresses to hostnames, select this check
box.
No Timestamp Suppresses the display of packet header timestamps. To stop displaying timestamps in the captured
packet headers, select this check box.
Write Packet Writes the captured packets to a file in PCAP format in To decode and display the packet headers on
Capture File /var/tmp. The files are named with the prefix jweb-pcap the J-Web page, clear this check box.
and the extension .pcap. If you select this option, the
decoded packet headers are not displayed on the packet
capture page.
Related Topics
■ Using the CLI Terminal
Monitoring Network Traffic Using Traceroute

Purpose Use the Traceroute page in the J-Web interface to trace a route between the switch
and a remote host. You can use a traceroute task to display a list of waypoints
between the switch and a specified destination host. The output is useful for
diagnosing a point of failure in the path from the switch platform to the destination
host and addressing network traffic latency and throughput problems.
Action To use the traceroute tool:

1. Select Troubleshoot>Traceroute.
2. Next to Advanced options, click the expand icon.
3. Enter information into the Traceroute page.
The Remote Host field is the only required field.

4. Click Start.
5. To stop the traceroute operation before it is complete, click OK while the results
of the traceroute operation are being displayed.
What It Means The switch generates the list of waypoints by sending a series of ICMP traceroute
packets in which the time-to-live (TTL) value in the messages sent to each successive
waypoint is incremented by 1. (The TTL value of the first traceroute packet is set to
1.) In this manner, each waypoint along the path to the destination host replies with
a Time Exceeded packet from which the source IP address can be obtained.
The results of the traceroute operation are displayed in the main pane. If no options
are specified, each line of the traceroute display is in the following format:
hop-number host (ip-address) [as-number] time1 time2 time3
The switch sends a total of three traceroute packets to each waypoint along the path
and displays the round-trip time for each traceroute operation. If the switch times
out before receiving a Time Exceeded message, an asterisk (*) is displayed for that
round-trip time.
Table 19: Traceroute field summary
Remote Host Identifies the destination host of the traceroute. Type the hostname or IP address of the
destination host.
Advanced Options
Don't Resolve Determines whether hostnames of the hops along the To suppress the display of the hop
Addresses path are displayed, in addition to IP addresses. hostnames, select the check box.
Gateway Specifies the IP address of the gateway to route through. Type the gateway IP address.
Source Address Specifies the source address of the outgoing traceroute Type the source IP address.
packets.
Bypass Routing Determines whether traceroute packets are routed by To bypass the routing table and send the
means of the routing table. If the routing table is not traceroute packets to hosts on the specified
used, traceroute packets are sent only to hosts on the interface only, select the check box.
interface specified in the Interface box. If the host is not
on that interface, traceroute responses are not sent.
Interface Specifies the interface on which the traceroute packets From the list, select the interface on which
are sent. traceroute packets are sent. If you select any,
the traceroute requests are sent on all
interfaces.
Time-to-live Specifies the maximum time-to-live (TTL) hop count for From the list, select the TTL.
the traceroute request packet.
Type-of-Service Specifies the type-of-service (TOS) value to include in the From the list, select the decimal value of the
IP header of the traceroute request packet. TOS field.
Resolve AS Determines whether the autonomous system (AS) To display the AS numbers, select the check
Numbers number of each intermediate hop between the router box.
and the destination host is displayed.
90 ■ Monitoring Network Traffic Using Traceroute

Related Topics
Monitoring System Properties

Purpose Use the monitoring functionality to view system properties such as the name and IP
address of the switch and resource usage.
Action To monitor system properties in the J-Web interface, select Monitor > System View >
System Information.
To monitor system properties in the CLI, enter the following commands:

■ show system uptime
■ show system users
■ show system storage
What It Means Table 20 on page 91 summarizes key output fields in the system properties display.
Table 20: Summary of Key System Properties Output Fields
Field Values Additional Information
General Information
Serial Serial number for the switch.
Number
JUNOS Version of JUNOS software active on the switch, Export software is for use outside of the U.S. and
Software including whether the software is for domestic or Canada.
Version export use.
Time Information
Current Current system time, in Coordinated Universal Time
Time (UTC).
System Date and time when the switch was last booted and
Booted how long it has been running.
Time
Protocol Date and time when the switching protocols were last
Started started and how long they have been running.
Time
Last Date and time when a configuration was last

Configured committed. This field also shows the name of the user
Time who issued the last commit command, through either
the J-Web interface or the CLI.
Load The CPU load average for 1, 5, and 15 minutes.

Average
Used Memory
Table 20: Summary of Key System Properties Output Fields (continued)
Used Memory usage details of all the USB partitions.

Memory
Logged in Users Details

User Username of any user logged in to the switching
platform.
Terminal Terminal through which the user is logged in.
From System from which the user has logged in. A hyphen
indicates that the user is logged in through the console.
Login Time Time when the user logged in. This is the LOGIN@ field in show system users command
output.
Idle Time How long the user has been idle.
Monitoring System Process Information

Purpose Use the monitoring functionality to view the processes running on the switch.
Action To view the software processes running on the switch in the J-Web interface, select
Monitor>System View>Process Details.
To view the software processes running on the switch in the CLI, enter the following
command.
show system processes
What It Means Table 21 on page 92 summarizes the output fields in the system process information
display.
The display includes the total CPU load and total memory utilization.
Table 21: Summary of System Process Information Output Fields
PID Identifier of the process.
Name Owner of the process.
State Current state of the process.
CPU Load Percentage of the CPU that is being used by the

process.
92 ■ Monitoring System Process Information

Table 21: Summary of System Process Information Output Fields (continued)
Memory Utilization Amount of memory that is being used by the

process.
Start Time Time of day when the process started.
Rebooting or Halting the EX-series Switch (J-Web Procedure)

You can use the J-Web interface to schedule a reboot or to halt the switching platform.
To reboot or halt the switching platform by using the J-Web interface:

1. In the J-Web interface, select Maintain>Reboot.
2. Select one:
■ Reboot Immediately—Reboots the switching platform immediately.
■ Reboot in number of minutes—Reboots the switch in the number of minutes
from now that you specify.
■ Reboot when the system time is hour:minute—Reboots the switch at the

absolute time that you specify, on the current day. You must select a 2-digit
hour in 24-hour format and a 2-digit minute.
■ Halt Immediately— Stops the switching platform software immediately.

After the switching platform software has stopped, you can access the
switching platform through the console port only.
3. (Optional) In the Message box, type a message to be displayed to any users on

the switching platform before the reboot occurs.
4. Click Schedule. The J-Web interface requests confirmation to perform the reboot
or halt.
5. Click OK to confirm the operation.
■ If the reboot is scheduled to occur immediately, the switch reboots. You
cannot access the J-Web interface until the switch has restarted and the boot
sequence is complete. After the reboot is complete, refresh the browser
window to display the J-Web interface login page.
■ If the reboot is scheduled to occur in the future, the Reboot page displays
the time until reboot. You have the option to cancel the request by clicking
Cancel Reboot on the J-Web interface Reboot page.
■ If the switch is halted, all software processes stop and you can access the
switching platform through the console port only. Reboot the switch by
pressing any key on the keyboard.
Rebooting or Halting the EX-series Switch (J-Web Procedure) ■ 93

Related Topics
■ Starting the J-Web Interface
Managing Users (J-Web Procedure)

You can use the Users Configuration page for user information to add new users to
a switching platform. For each account, you define a login name and password for
the user and specify a login class for access privileges.
To configure users:
1. In the J-Web interface, select Configure>System Properties>User Management.
The User Management page displays details of users, the authentication order,
the RADIUS servers and TACACS servers present.
2. Click Edit.
3. Click any of the following options on the Users tab:
■ Add—Select this option to add a user. Enter details as described in
■ Edit—Select this option to edit an existing user's details. Enter details as
described in Table 22 on page 95.
■ Delete—Select this option to delete a user.
4. Click any desired option on the Authentication Methods and Order tab:
■ Authentication Order—Drag and drop the authentication type from the
Available Methods section to the Selected Methods. Click the up or down
buttons to modify the authentication order.
■ RADIUS server—Click one:
■ Add—Select this option to add an authentication server. Enter details
as described in Table 23 on page 95.
■ Edit—Select this option to modify the authentication server details. Enter
details as described in Table 23 on page 95.
■ Delete—Select this option to delete an authentication server from the

list.
■ TACACS server—Click one:

■ Add—Select this option to add an authentication server. Enter details
as described in Table 23 on page 95.
■ Edit—Select this option to modify the authentication server details. Enter
details as described in Table 23 on page 95.
■ Delete—Select this option to delete an authentication server from the

list.
Table 22: User Management > Add a User Configuration Page Summary
User Information
Username (required) Specifies the name that Type the username. It must be unique within the switching
identifies the user. platform. Do not include spaces, colons, or commas in the
username.
Full Name Specifies the user's full name. Type the user's full name. If the full name contains spaces,
enclose it in quotation marks. Do not include colons or commas.
Login Class (required) Defines the user's access Select the user's login class from the list:
privilege.
■ operator
■ read-only
■ super-user/superuser
■ unauthorized
This list also includes any user-defined login classes.
Login Password Specifies the login password for Type the login password for this user. The login password must
(required) this user. meet these criteria:
■ The password must be at least 6 characters long.
■ It can include alphabetic, numeric, and special characters,
but not control characters.
■ It must contain at least one change of case or character
class.
Confirm Password Verifies the login password for Retype the login password for this user.
(required) this user.
Table 23: Add an Authentication Server
IP Address Specifies the IP address of the server. Type the server’s 32-bit IP address, in dotted
decimal notation.
Password Specifies the password of the server. Type the password of the server.
Confirm Password Verifies that the password of the server is entered Retype the password of the server.
correctly.
Server Port Number Specifies the port with which the server is Type the port number.
associated.
Source Address Specifies the source address of the server. Type the server’s 32-bit IP address, in dotted
decimal notation.
Retry Attempts Specifies the number of login retries allowed after Type the number.
a login failure.
NOTE: Only 1 retry is permitted for a TACACS
server.
Managing Users (J-Web Procedure) ■ 95

Table 23: Add an Authentication Server (continued)
Timeout Specifies the time interval to wait before the Type the interval in seconds.
connection to the server is closed.
Related Topics
■ Configuring Management Access for the EX-series Switch
Managing Log, Temporary, and Crash Files on the Switch (J-Web Procedure)
You can use the J-Web interface to rotate log files and delete unnecessary log,
temporary, and crash files on the switching platform.
1. Cleaning Up Files on page 96
2. Downloading Files on page 97
3. Deleting Files on page 97
Cleaning Up Files
If you are running low on storage space, use the file cleanup procedure to quickly
identify files to delete.
The file cleanup procedure performs the following tasks:

■ Rotates log files—Archives the current log files, and creates fresh log files.
■ Deletes log files in /var/log—Deletes files that are not currently being written to.
■ Deletes temporary files in /var/tmp—Deletes files that have not been accessed
within two days.
■ Deletes all crash files in /var/crash—Deletes core files that the switch has written
during an error.
To rotate log files and delete unnecessary files with the J-Web interface:
1. Select Maintain>Files.
2. In the Clean Up Files section, click Clean Up Files. The switching platform rotates
log files and identifies files that can be safely deleted.
The J-Web interface displays the files that you can delete and the amount of
space that will be freed on the file system.
3. Click one:
■ To delete the files and return to the Files page, click OK.
■ To cancel your entries and return to the list of files in the directory, click
Cancel.
Downloading Files
You can use the J-Web interface to download a copy of an individual log, temporary,
or crash file from the switching platform. When you download a file, it is not deleted
from the file system.
To download files with the J-Web interface:

1. In the J-Web interface, select Maintain>Files.
2. In the Download and Delete Files section, click one:
■ Log Files—Log files in the /var/log directory on the switch.
■ Temporary Files—Lists the temporary files in the /var/tmp directory on the
switching platform.
■ Crash (Core) Files—Lists the core files in the /var/crash directory on the
switching platform.
The J-Web interface displays the files located in the directory.
3. Select the files that you want to download and click Download.
4. Choose a location for the saved file.
The file is saved as a text file, with a .txt file extension.
Deleting Files
You can use the J-Web interface to delete an individual log, temporary, and crash
file from the switching platform. When you delete the file, it is permanently removed
from the file system.
CAUTION: If you are unsure whether to delete a file from the switching platform,
we recommend using the Clean Up Files tool described in Cleaning Up Files. This
tool determines which files can be safely deleted from the file system.
To delete files with the J-Web interface:

1. Select Maintain>Files.
2. In the Download and Delete Files section, click one:
■ Log Files—Lists the log files in the /var/log directory on the switching
platform.
■ Temporary Files—Lists the temporary files in the /var/tmp directory on the
switching platform.
■ Crash (Core) Files—Lists the core files in the /var/crash directory on the
switching platform.
The J-Web interface displays the files in the directory.
Downloading Files ■ 97
3. Select the box next to each file you plan to delete.

4. Click Delete.
The J-Web interface displays the files you can delete and the amount of space
that will be freed on the file system.
5. Click one of the following buttons on the confirmation page:
■ To delete the files and return to the Files page, click OK.
■ To cancel your entries and return to the list of files in the directory, click
Cancel.
Setting or Deleting the Rescue Configuration (CLI Procedure)

A rescue configuration is a previously defined, valid configuration with a known state
that you can rollback to at any time.
You use the rescue configuration when you need to roll back to a known configuration
or if your switch configuration and/or the backup configuration files become damaged
beyond repair or if you loose management access to the switch.
The rescue configuration must have been set previously either through the J-Web
interface or the CLI.
To set the current active configuration as the rescue configuration:
user@switch> request system configuration rescue save

user@switch>
Activate the rescue configuration you have loaded:
[edit]
user@switch# rollback rescue
load complete
[edit]
user@switch# commit
To delete an existing rescue configuration:
user@switch> request system configuration rescue delete
NOTE: If the rescue configuration does not exist, or if the rescue configuration is not
a complete, viable configuration [THIS SENTENCE WILL NOT BE CORRECT], the
rollback command fails, an error message appears, and the current configuration
remains active.
1. Can we save a non-viable configuration as the rescue configuration? a.

If yes, what is the error message when the commit fails? b. What is the
current configuration is corrupted and you cannot revert to it? Can you
rollback to another stored configuration?
98 ■ Setting or Deleting the Rescue Configuration (CLI Procedure)

2. If I have a rescue file designated but want to change rescue configuration

to another file, can we change that designation without having to delete
the original file? Is it a toggle field? How is it done?
Related Topics
■ Setting or Deleting the Rescue Configuration (J-Web Procedure)
■ Loading a Previous Configuration File or the Rescue Configuration File (CLI
Procedure)
Setting or Deleting the Rescue Configuration (J-Web Procedure)

If someone inadvertently commits a configuration that denies management access
to a switch, you can delete the invalid configuration and replace it with a rescue
configuration. You must have previously set the rescue configuration through the
J-Web interface or the CLI. The rescue configuration is a previously committed, valid
configuration.
To view, set, or delete the rescue configuration, select Maintain > Config Management
>Rescue. On the Rescue page, you can perform the following tasks:
■ View the current rescue configuration—Click View rescue configuration.
■ Set the current running configuration as the rescue configuration—Click Set
rescue configuration.
■ Delete the current rescue configuration—Click Delete rescue configuration.
Related Topics
■ Setting or Deleting the Rescue Configuration (CLI Procedure)
Loading a Previous Configuration File (CLI Procedure)

You can return to a previously committed configuration file if you need to revert to
a previous configuration or if you have lost management access to the switch. The
EX-series switch saves the last 50 committed configurations, including the rollback
number, date, time, and name of the user who issued the commit configuration
command.
Syntax
rollback (number)
Options
■ None — Return to the most recently saved configuration.
■ Number — Configuration to return to.
■ Range: 0 through 49. The most recently saved configuration is number 0,
and the oldest saved configuration is number 49.
■ Default: 0
To return to a configuration prior to the most recently committed one:

1. Specify the rollback number:
[edit]
user@switch# rollback number
load complete
2. Activate the configuration you have loaded:
[edit]
user@switch# commit
Related Topics
■ For more information on rollback see CLI User Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html .
Checking Active Alarms with the J-Web Interface

Purpose Use the monitoring functionality to view alarm information including alarm type,
alarm severity, and a brief description for each active alarm on the switching platform.
Action To view the active alarms:

1. Select Monitor> Events and Alarms > View Alarms in the J-Web interface.
2. Select an alarm filter based on alarm type, severity, description, and date range.
3. Click Go.
All the alarms matching the filter are displayed.
NOTE: On loading and when the switch is reset, the active alarms are displayed.
What It Means Table 24 on page 100 lists the alarm output fields.
Table 24: Summary of Key Alarm Output Fields
Field Values
Type Category of the alarm:

■ Chassis—Indicates an alarm condition on the chassis (typically an environmental alarm such
as one related to temperature).
■ System—Indicates an alarm condition in the system.

Table 24: Summary of Key Alarm Output Fields (continued)
Field Values
Severity Alarm severity—either major (red) or minor (yellow).
Description Brief synopsis of the alarm.
Time Date and time when the failure was detected.
Related Topics
■ Understanding Alarm Types and Severity Levels on EX-series Switches
Monitoring System Log Messages

Purpose Use the monitoring functionality to filter and view system log messages.
Action To view events in the J-Web interface, select Monitor > Events and Alarms > View
Events.
Apply a filter or a combination of filters to view messages. You can use filters to
display relevant events. Table 25 on page 101 describes the different filters, their
functions, and the associated actions.
To view events in the CLI, enter the following command:
show log
Table 25: Filtering System Log Messages
System Log Specifies the name of a system log file for which you want To specify events recorded in a particular file,
File to display the recorded events. select the system log filename from the list—for
example, messages.
Lists the names of all the system log files that you configure.
By default, a log file, messages, is included in the /var/log/

directory.

Table 25: Filtering System Log Messages (continued)
Event ID Specifies the event ID for which you want to display the To specify events with a specific ID, type the
messages. partial or complete ID—for example,
TFTPD_AF_ERR.
Allows you to type part of the ID and completes the
remainder automatically.
An event ID, also known as a system log message code,

uniquely identifies a system log message. It begins with a
prefix that indicates the generating software process or
library.
Text in Event Specifies text from the description of events that you want To specify events with a specific description,
Description to display. type a text string from the description with
regular expression.
Allows you to use regular expressions to match text from
the event description. For example, type ^Initial* to display all
messages with lines beginning with the term
NOTE: Regular expression matching is case-sensitive. Initial.
Process Specifies the name of the process generating the events you To specify events generated by a process, type
want to display. the name of the process.
To view all the processes running on your system, enter the For example, type mgd to list all messages
CLI command show system processes. generated by the management process.
For more information about processes, see the JUNOS

Software Installation and Upgrade Guide.
Start Time Specifies the time period in which the events you want To specify the time period:
displayed are generated.
■ Select the Start Time checkbox and select
End Time
the year, month, date, and time—for
Displays a calendar that allows you to select the year,
example, 02/10/2007 11:32.
month, day, and time. It also allows you to select the local
time. ■ Select the End Time checkbox and select
the year, month, date, and time—for
By default, the messages generated in the last hour are example, 02/10/2007 3:32.
displayed. End Time shows the current time and Start Time
shows the time one hour before End Time.
To select the current time as the start time,
select local time.
Number of Specifies the number of events to be displayed on the View To view a specified number of events, select
Events to Events page. the number from the list—for example, 50.
Display
By default, the View Events page displays 25 events.
OK Applies the specified filter and displays the matching To apply the filter, click OK.
messages.
What It Means Table 26 on page 103 describes the Event Summary fields.
102 ■ Monitoring System Log Messages

NOTE: By default, the View Events page in the J-Web interface displays the most
recent 25 events, with severity levels highlighted in different colors. After you specify
the filters, Event Summary displays the events matching the specified filters. Click
First, Next, Prev, and Last links to navigate through messages.
Table 26: Viewing System Log Messages
Field Function Additional Information
Time Displays the time at which the message was logged.
Process Displays the name and ID of the process that generated The information displayed in this field is different
the system log message. for messages generated on the local Routing Engine
than for messages generated on another Routing
Engine (on a system with two Routing Engines
installed and operational). Messages from the other
Routing Engine also include the identifiers re0 and
re1 to identify the Routing Engine.
Event ID Displays a code that uniquely identifies the message. The event ID begins with a prefix that indicates the
generating software process.
The prefix on each code identifies the message source,
and the rest of the code indicates the specific event or Some processes on a switching platform do not use
error. codes. This field might be blank in a message
generated from such a process.
Displays context-sensitive help that provides more
information about the event: An Event can belong to one of the following Type
categories:
■ Help—Short description of the message.
■ Description—More detailed explanation of the ■ Error—Indicates an error or failure condition
message. that might require corrective action.
■ Type—Category to which the message belongs. ■ Event—Indicates a condition or occurrence
that does not generally require corrective
■ Severity—Level of severity. action.
Event Displays a more detailed explanation of the message.

Description
Monitoring System Log Messages ■ 103

Table 26: Viewing System Log Messages (continued)
Field Function Additional Information
Severity Severity level of a message is indicated by different colors. A severity level indicates how seriously the
triggering event affects switch functions. When you
■ Unknown—Gray—Indicates no severity level is configure a location for logging a facility, you also
specified. specify a severity level for the facility. Only
■ Debug/Info/Notice—Green— Indicates conditions messages from the facility that are rated at that
that are not errors but are of interest or might warrant level or higher are logged to the specified file.
special handling.
■ Warning—Yellow—Indicates conditions that warrant
monitoring.
■ Error—Blue— Indicates standard error conditions
that generally have less serious consequences than
errors in the emergency, alert, and critical levels.
■ Critical—Pink—Indicates critical conditions, such as
hard drive errors.
■ Alert—Orange—Indicates conditions that require
immediate correction, such as a corrupted system
database.
■ Emergency—Red—Indicates system panic or other
conditions that cause the switching platform to stop
functioning.
104 ■ Monitoring System Log Messages

Chapter 9
Troubleshooting Basic System Functions
■ Troubleshooting Loss of the Root Password on page 105
Troubleshooting Loss of the Root Password

Problem If you forget the root password for the switch, you can use the password recovery
procedure to reset the root password.
NOTE: You need physical access to the switch to recover the root password.
Solution To recover the root password:

1. Power off your switch by unplugging the power cord or turning off the power at
the wall switch.
2. Insert one end of the Ethernet cable into the serial port on the management
device and connect the other end to the console port on the back of the switch.
See Figure 4 on page 105
Figure 4: Connecting to the Console Port on the EX-series Switch
3. On the management device, start your asynchronous terminal emulation

application (such as Microsoft Windows Hyperterminal) and select the appropriate
COM port to use (for example, COM1).
4. Configure the port settings as follows:
Troubleshooting Loss of the Root Password ■ 105

■ Bits per second: 9600

■ Data bits: 8
■ Parity: None
■ Stop bits: 1
■ Flow control: None
5. Power on your switch by plugging in the power cord or turning on the power at
the wall switch.
6. When the following prompt appears, press the Spacebar to access the switch's
bootstrap loader command prompt:
Hit [Enter] to boot immediately, or space bar for command prompt.

Booting [kernel] in 1 second...
7. At the following prompt, type boot -s to start up the system in single-user mode:
loader> boot -s
8. At the following prompt, type recovery to start the root password recovery
procedure:
Enter full path name of shell or 'recovery' for root password recovery or RETURN for
/bin/sh: recovery
A series of messages describe consistency checks, mounting of filesystems, and

initialization and checkout of management services. Then the CLI prompt appears.
9. Enter configuration mode in the CLI:
user@switch> cli
10. Set the root password. For example:
user@switch# set system root-authentication plain-text-password
11. At the following prompt, enter the new root password. For example:
New password: juniper1
Retype new password:
12. At the second prompt, reenter the new root password.

13. If you are finished configuring the network, commit the configuration.
root@switch# commit
commit complete
14. Exit configuration mode in the CLI.

root@switch# exit
15. Exit operational mode in the CLI.
root@switch> exit
16. At the prompt, enter y to reboot the switch.
Reboot the system? [y/n] y
106 ■ Troubleshooting Loss of the Root Password

Chapter 9: Troubleshooting Basic System Functions
Related Topics
■ For information about configuring an encrypted root password, configuring SSH
keys to authenticate root logins, and configuring special requirements for
plain-text passwords, see the JUNOS System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/.


Chapter 10
Operational Mode Commands for …
■ 109
clear snmp rmon history
Syntax clear snmp rmon history <interface-name | all>
Release Information Command introduced in JUNOS Release 9.0 for EX-series switches.
Description Delete the samples of Ethernet statistics collected, but do not delete the RMON history
configuration.
The clear snmp rmon history command deletes all the samples collected for the
interface configured for the history group, but not the configuration of that group. If
you want to delete the RMON history group configuration, you must use the delete
snmp rmon history configuration-mode command.
Options interface-name—Delete the samples of Ethernet statistics collected for this interface.
all—Delete the samples of Ethernet statistics collected for all interfaces that have
been configured for RMON monitoring.
Required Privilege Level clear
Related Topics
■ show snmp rmon history
110 ■ clear snmp rmon history

Chapter 10: Operational Mode Commands for …
show snmp rmon history
Syntax show snmp rmon history

<history-index>
<sample-index>
Description Display the contents of the RMON history group.
Options none—Display all the entries in the RMON history group.
history-index—(Optional) Display the contents of the specified entry in the RMON

history group.
sample-index—(Optional) Display the statistics collected for the specified sample

within the specified entry in the RMON history group.
Required Privilege Level view
Related Topics
■ clear snmp rmon history
List of Sample Output show snmp rmon history 1 on page 112

show snmp rmon history 1 sample 15 on page 113
Output Fields Table 27 on page 111 lists the output fields for the show smp rmon history command.
Output fields are listed in the approximate order in which they appear.
Table 27: show smp rmon history Output Fields
Field Name Field Description
History Index Identifies this RMON history entry within the RMON history group.
Owner The entity that configured this entry. Range is 0 to 32 alphanumeric characters.
Status The status of the RMON history entry.
Interface or Data The ifndex object that identifies the interface that is being monitored.
Source
Interval The interval (in seconds) configured for this RMON history entry.
Buckets Requested The requested number of buckets (intervals) configured for this RMON history
entry.
Buckets Granted The number of buckets granted for this RMON history entry.
show snmp rmon history ■ 111

Table 27: show smp rmon history Output Fields (continued)
Sample Index The sample statistics taken at the specified interval.

■ Drop Events—Number of packets dropped by the input queue of the I/O
Manager ASIC. If the interface is saturated, this number increments once
for every packet that is dropped by the ASIC's RED mechanism.
■ Octets—Total number of octets and packets. For Gigabit Ethernet IQ PICs,
the received octets count varies by interface type.
■ Packets—Total number of packets.
■ Broadcast Packets—Number of broadcast packets.
■ Multicast Packets—Number of multicast packets.
■ CRC errors—Total number of packets received that had a length (excluding
framing bits, but including FCS octets) of between 64 and 1518 octets,
inclusive, and had either a bad FCS with an integral number of octets (FCS
error) or a bad FCS with a nonintegral number of octets (alignment error).
■ Undersize Pkts—Number of packets received during this sampling interval
that were less than 64 octets long (excluding framing bits but including
FCS octets) and were otherwise well formed.
■ Oversize Pkts—Number of packets received during the sampling interval
that were longer than 1518 octets (excluding framing bits, but including
FCS octets) but were otherwise well formed.
■ Fragments—Total number of packets that were less than 64 octets in length
(excluding framing bits, but including FCS octets), and had either an FCS
error or an alignment error. Fragment frames normally increment because
both runts (which are normal occurrences caused by collisions) and noise
hits are counted.
■ Jabbers—Number of frames that were longer than 1518 octets (excluding
framing bits, but including FCS octets), and had either an FCS error or an
alignment error. This definition of jabber is different from the definition
in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2).
These documents define jabber as the condition in which any packet
exceeds 20 ms. The allowed range to detect jabber is from 20 ms to
150 ms.
■ Collisions—Number of Ethernet collisions. The Gigabit Ethernet PIC
supports only full-duplex operation, so for Gigabit Ethernet PICs, this
number should always remain 0. If it is nonzero, there is a software bug.
■ Utilization(%)—The best estimate of the mean physical layer network
utilization on this interface during this sampling interval, in hundredths
of a percent.
show snmp rmon history user@host> show snmp rmon history 1

1 History Index 1:
Interface 171
Requested Buckets 50
Interval 10
Sample Index 1: Interval Start: Tue Feb 12 04:12:32 2008

Drop Events 0
Octets 486
Packets 2
Broadcast Packet 0
Multicast Packets 2

Chapter 10: Operational Mode Commands for …
CRC errors 0
Undersize Pkts 0
Oversize Pkts 0
Fragments 0
Jabbers 0
Collisions 0
Utilization(%) 0

Drop Events 0
Octets 486
Packets 2
Broadcast Packet 0
Multicast Packets 2
CRC errors 0
Undersize Pkts 0
Oversize Pkts 0
Fragments 0
Jabbers 0
Collisions 0
Utilization(%) 0

Drop Events 0
Octets 486
Packets 2
Broadcast Packet 0
Multicast Packets 2
CRC errors 0
Undersize Pkts 0
Oversize Pkts 0
Fragments 0
Jabbers 0
Collisions 0
Utilization(%) 0
show snmp rmon history user@host> show snmp rmon history 1 sample 15
1 sample 15 Index 1
Owner = monitor
Status = valid
Data Source = ifIndex.17
Interval = 1800
Buckets Requested = 50
Buckets Granted = 50
Sample Index 44: Interval Start: Thu Jan 1 00:08:35 1970

Drop Events = 0
Octetes = 0
Packets = 0
Broadcast Pkts = 0
Multicast Pkts = 0
CRC Errors = 0
Undersize Pkts = 0
Oversize Pkts = 0
Fragments = 0
Jabbers = 0
Collisions = 0
Utilization (%) = 0


Part 6
Virtual Chassis
■ Understanding Virtual Chassis on page 117
■ Examples of Configuring Virtual Chassis on page 131
■ Configuring Virtual Chassis on page 181
■ Verifying Virtual Chassis on page 193
■ Troubleshooting Virtual Chassis on page 203
■ Configuration Statements for Virtual Chassis on page 205
■ Operational Mode Commands for Virtual Chassis on page 217
Virtual Chassis ■ 115

116 ■ Virtual Chassis

Chapter 11
Understanding Virtual Chassis
■ Virtual Chassis Concepts on page 117
Virtual Chassis Concepts

■ Virtual Chassis Overview on page 117
■ Understanding Virtual Chassis Components on page 119
■ Understanding How the Master in a Virtual Chassis Is Elected on page 124
■ Understanding Software Upgrade in a Virtual Chassis on page 124
■ Understanding Global Management of a Virtual Chassis on page 125
■ Understanding Nonvolatile Storage in a Virtual Chassis on page 127
■ Understanding the High-Speed Interconnection of the Virtual Chassis
Members on page 127
■ Understanding Virtual Chassis and Link Aggregation on page 128
■ Understanding Virtual Chassis Configuration on page 129
■ Understanding Virtual Chassis EX 4200 Switch Version Compatibility on page 130
Virtual Chassis Overview

The EX 4200 switch is the basis for the virtual chassis flexible, scaling switch solution.
the unit as a single chassis, called a virtual chassis. Up to ten EX 4200 switches can
be interconnected, providing up to a total of 480 access ports. The available bandwidth
increases as you include more members within the virtual chassis. See Understanding
the High Speed Interconnection of the Virtual Chassis Members.
The virtual chassis provides the following key features:

■ Basic Configuration of a Virtual Chassis with Master and Backup
Switches on page 118
■ Expanding Configurations—Within a Single Wiring Closet and Across Wiring
Closets on page 118
■ Global Management of Member Switches in a Virtual Chassis on page 118
■ High Availability Through Redundant Routing Engines on page 119
Virtual Chassis Concepts ■ 117

■ Adaptability as an Access Switch or Distribution Switch on page 119

Basic Configuration of a Virtual Chassis with Master and Backup Switches

To take advantage of the virtual chassis’ higher bandwidth capacity and software
redundancy features, you need to interconnect at least two EX 4200 switches as a
virtual chassis. You can start with a default configuration, composed of two EX 4200
member switches interconnected with the dedicated 64-Gbps virtual chassis ports
(VCPs) on the rear panel. These ports do not have to be configured. They are
operational as soon as the member switches are powered on. See Example:
Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet for
additional information.
Expanding Configurations—Within a Single Wiring Closet and Across Wiring Closets

As your needs grow, you can easily expand the virtual chassis to include more
member switches. Within a single wiring closet, simply add member switches by
cabling together the dedicated VCPs. For more information about expanding virtual
chassis configurations within a single wiring closet, see Example: Expanding a Virtual
Chassis in a Single Wiring Closetand Example: Setting Up a Multimember Virtual
Chassis Access Switch with a Default Configuration.
You can also expand a virtual chassis beyond a single wiring closet. Interconnect
switches located in multiple wiring closets or in a multiple data center rack by
installing the optional uplink module (EX-UM-2XFP) and connecting the 10-Gbps fiber
uplink ports. To use the uplink ports for interconnecting member switches, you must
explicitly configure the uplink ports as virtual chassis ports (VCPs). This includes
configuring the uplink ports of a standalone EX 4200 switch as VCPs prior to
interconnecting the new member switch with the existing virtual chassis. See
Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets
for detailed information.
When you are creating a virtual chassis with multiple members, you might want to
deterministically control the role and member ID assigned to each member switch.
You can do this by creating a preprovisioned configuration. See Example: Configuring
a Virtual Chassis with a Pre-Provisioned Configuration File for detailed information.
Global Management of Member Switches in a Virtual Chassis

The interconnected member switches in a virtual chassis operate and as a single
network entity. chassis. You run EZsetup only once to specify the identification
parameters for the master, and these parameters implicitly apply to all members of
the virtual chassis. You can view the virtual chassis as a single device in the J-Web
user interface and apply various device management functions to all members of
the virtual chassis.
The serial console port and dedicated out-of-band management port that are on the
rear panel of the individual switches have global virtual counterparts when the
switches are interconnected as a virtual chassis. A virtual console allows you to
connect to the master by connecting a terminal directly to the console port of any
118 ■ Basic Configuration of a Virtual Chassis with Master and Backup Switches
Chapter 11: Understanding Virtual Chassis
member switch. A virtual management Ethernet (VME) interface allows you to remotely
manage the virtual chassis by connecting to the out-of-band management port of
any member switch through a single IP address. See Understanding Global
Management of a Virtual Chassis.
High Availability Through Redundant Routing Engines

A virtual chassis has a master and a backup, each of which has a Routing Engine.
These redundant Routing Engines handle all routing protocol processes and control
the virtual chassis. See Understanding High Availability on EX-series Switches for
further information on redundant Routing Engines and additional high availability
features.
Adaptability as an Access Switch or Distribution Switch

A virtual chassis supports a variety of user environments, because it can be composed
of different model EX 4200 switches, with either 24 or 48 access ports, and with
these having either full (24 or 48 ports) or partial (8 ports) Power over Ethernet (PoE)
port capabilities. You can select different switch models to support various functions.
For example, you might set up one virtual chassis access switch configuration,
composed of the full PoE models to support users sitting in cubicles equipped with
PCs and VoIP phones. You could set up another virtual chassis with partial PoE models
to support the company's internal servers and configure one more virtual chassis
configuration with partial PoE models to support the company's external servers.
Alternatively, the virtual chassis can be used as a distribution switch. For this type
of deployment, you might select the EX 4200-24F model with fiber-optic cables to
connect the distribution switch to multiple access switches located in different
buildings on the campus.
Related Topics

■ Understanding How the Master in a Virtual Chassis Is Elected
■ Understanding Virtual Chassis EX 4200 Switch Version Compatibility
Understanding Virtual Chassis Components

A virtual chassis configuration allows you to interconnect two to ten EX 4200 switches
and run them as a single network entity. While it is true that you need at least two
interconnected switches to take advantage of virtual chassis features, it is also true
that any individual EX 4200 switch has some virtual chassis components.
This topic covers:

■ Virtual Chassis Ports (VCPs) on page 120
■ Master Role on page 120
High Availability Through Redundant Routing Engines ■ 119

■ Backup Role on page 121

■ Linecard Role on page 121
■ Member Switch and Member ID on page 122
■ Mastership Priority on page 122
■ Virtual Chassis Identifier (VCID) on page 123
Virtual Chassis Ports (VCPs)

There are two dedicated virtual chassis ports (VCPs) on the rear panel of the EX 4200
switch that are used exclusively to interconnect EX 4200 switches as a virtual chassis.
The interfaces for these dedicated ports are operational by default when the ports
are properly cabled. For an example of two EX 4200 switches interconnected with
their dedicated VCPs, see Example: Configuring a Virtual Chassis with a Master and
Backup in a Single Wiring Closet. In addition, you can install an optional EX-UM-2XFP
uplink module in an EX 4200 switch in order to interconnect the switch with another
EX 4200 switch across a wider distance. To do this, you need to install one
EX-UM-2XFP uplink module in at least one EX 4200 switch at each end of the link.
You must set the uplinks ports to function as VCPs in order for the interconnected
switches to be recognized as members of the same virtual chassis. This includes
setting the uplink ports of a standalone EX 4200 switch as VCPs prior to
interconnecting the new member switch with the existing virtual chassis. For an
example of EX 4200 switches interconnected with the uplink ports functioning as
VCPs, see Example: Configuring a Virtual Chassis Interconnected Across Multiple
Wiring Closets
You can display the status of both the dedicated VCP interfaces and the uplinks
configured as VCP interfaces with the show virtual-chassis vc-port command.
Master Role
The member that functions in the master role:
■ Manages the member switches.
■ Runs JUNOS software for EX-series in a master role.
■ Runs the chassis management processes and control protocols.
■ Represents all the member switches interconnected within the virtual chassis
configuration. (The hostname and other properties that you assign to this switch
during setup apply to all members of the virtual chassis.)
When an EX 4200 switch is powered on as a standalone switch, it is considered the

master member. In a multi-member virtual chassis, two members function as the
master and the backup of the virtual chassis:
■ In a preprovisioned configuration, one of the two members assigned as
routing-engine functions as the master member. The selection of which assigned
routing-engine functions as master and which as backup is determined by the
120 ■ Virtual Chassis Ports (VCPs)

software based on the master election algorithm. See Understanding How the
Master in a Virtual Chassis Is Elected.
■ In a nonprovisioned configuration, the selection of the master and backup is
determined by the mastership priority value and secondary factors in the master
election algorithm.
Backup Role
The member that functions in the backup role:
■ Maintains a state of readiness to take over the master role if the master fails.
■ Runs JUNOS for EX-series software in a backup role.
■ Synchronizes with the master in terms of protocol states, forwarding tables, and
so forth, so that it is prepared to preserve routing information and maintain
network connectivity without disruption in case the master is unavailable.
You must have at least two member switches in a virtual chassis in order to have a
backup member.
■ In a preprovisioned configuration, one of the two members assigned as
routing-engine functions in the backup role. The selection of which assigned
routing-engine functions as master and which as backup is determined by the
software based on the master election algorithm. See Understanding How the
Master in a Virtual Chassis Is Elected.
■ In a nonprovisioned configuration, the selection of the master and backup is
determined by the mastership priority value and secondary factors in the master
election algorithm.
Linecard Role
A member that functions in the linecard role:
■ Runs only a subset of JUNOS software for EX-series software.
■ Does not run the chassis control protocols.
■ Can detect certain error conditions (such as an unplugged cable) on any interfaces
that have been configured on it through the master.
A virtual chassis must have at least three members in order to include a linecard
member.
■ In a preprovisioned configuration, you can explicitly configure a member with
the role of linecard, which makes it ineligible for functioning as a master or
backup.
■ In a nonprovisioned configuration, the members that are not selected as master
or backup function as linecard members of the virtual chassis. The selection of
the master and backup is determined by the mastership priority value and
secondary factors in the master election algorithm.
Backup Role ■ 121

Member Switch and Member ID

Each physically discrete EX 4200 switch is a potential member of a virtual chassis
configuration. When an EX 4200 switch is powered on, it receives a member ID that
is displayed on the front-panel LCD. If the switch is powered on as a standalone
switch, its member ID is always 0. When the switch is interconnected with other
EX 4200 switches as a virtual chassis, its member ID (0 through 9) is assigned by
the master based on various factors such as the sequence when the switch was added
to the virtual chassis. As each switch is added and powered on, it receives the next
available (unused) member ID.
If the virtual chassis previously included a member switch and that member was
physically disconnected or removed from the virtual chassis, its member ID is not
available for assignment as part of the standard sequential assignment by the master.
For example, you might have a virtual chassis composed of member 0, member 2,
and member 3, because member 1 was removed. When you add another member
switch and power it on, the master assigns it as member 4. However, you can use
the request virtual-chassis renumber command to explicitly change the member ID
of the new member switch to use member ID 1.
The member ID distinguishes the member switches from one another. You use the
member ID:
■ To assign a mastership priority value to a member switch
■ To configure interfaces for a member switch (the function is similar to a slot
number in Juniper Networks routers)
■ To apply some operational commands to a member switch
■ To display status or characteristics of a member switch
Mastership Priority
In a nonprovisioned configuration, you can designate the role (master, backup, or
linecard) that a member switch performs within the virtual chassis by configuring
its mastership priority (from 1 to 255). The mastership priority value is the factor
with the highest precedence for selecting the master of the virtual chassis.
The default value for mastership priority is 128. When an EX 4200 switch is powered
on, it receives the default mastership priority value. Because it is the only member
of the virtual chassis, it is also the master. When you interconnect a standalone
switch to an existing virtual chassis (which implicitly includes its own master), we
recommend that you explicitly configure the mastership priority of the members
that you want to function as the master and backup.
We recommend that you specify the same mastership priority value for both the
master and backup members.
122 ■ Member Switch and Member ID

NOTE: Configuring the same mastership priority value for both the master and backup
helps to ensure a smooth transition from master to backup in case the master
becomes unavailable. It prevents the old master from preempting control from the
backup in situations where the backup has taken control of the virtual chassis due
to the original master being unavailable.
We also recommend that you configure the highest possible mastership priority value
(255) for those two members, because that guarantees that these two members
continue to function as the master and backup when other members are added to
the virtual chassis. Any other members of the virtual chassis (members with lower
mastership priority) are considered linecard members.
In a preprovisioned configuration, the mastership priority value is assigned by the

software, based on the specified role.
Virtual Chassis Identifier (VCID)

All members of a virtual chassis share one virtual chassis identifier (VCID). This
identifier is derived from internal parameters. When you are monitoring a virtual
chassis, the VCID is displayed in the user interface.
Related Topics

■ Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure)
■ Example: Configuring a Virtual Chassis with a Master and Backup in a Single
Wiring Closet
■ Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets
■ Example: Configuring a Virtual Chassis with a Pre-Provisioned Configuration File
Virtual Chassis Identifier (VCID) ■ 123

Understanding How the Master in a Virtual Chassis Is Elected

All switches that are interconnected as a virtual chassis are member switches of that
virtual chassis. Each virtual chassis has one member that functions as the master
and controls the virtual chassis.
When a virtual chassis boots, the JUNOS software for EX-series switches automatically
runs a master election algorithm to determine which member switch takes the role
of master.
The algorithm that the software uses to determine the master is as follows:
1. Choose the member with the highest user-configured mastership priority (255
is highest possible value).
2. Choose the member that was master the last time the virtual chassis booted.
3. Choose the member that has been included in the virtual chassis for the longest
period of time. (For this to be a deciding factor, there has to be a minimum time
lapse of one minute between powering on the interconnected member switches.)
4. Choose the member with the lowest MAC address.
The variations among switch models, such as whether the switch has 48 or 24 ports,
do not impact the master election algorithm. To ensure that a specific member is
elected as the master:
1. Power on only the switch that you want to configure as master of the virtual
chassis.
2. Configure the mastership priority of that member to have the highest possible
value (255).
3. Continue to configure other members through the master member, as desired.
4. Power on the other members.
Related Topics

■ Understanding Virtual Chassis Configuration
Understanding Software Upgrade in a Virtual Chassis

A virtual chassis can be composed of multiple EX 4200-series switches and each
member switch is running JUNOS software packages. For ease of management, the
virtual chassis provides flexible methods to upgrade software releases.
A new software release can be upgraded to the entire virtual chassis or to a particular
member in the virtual chassis through a CLI or J-Web command. A user can add
software packages to either a single member of the virtual chassis or to all members
of the virtual chassis at the same time.
124 ■ Understanding How the Master in a Virtual Chassis Is Elected

Related Topics

Understanding Global Management of a Virtual Chassis

A virtual chassis is composed of multiple EX 4200 switches, so it has multiple console
ports and multiple out-of-band management Ethernet ports located on the rear panels
of the switches.
You can connect a PC or laptop directly to a console port of any member switch to
set up and configure the virtual chassis. When you connect to the console port of
any member switch, the console session is redirected to the master switch, as shown
in Figure 5 on page 125.
Figure 5: Console Session Redirection

If the master becomes unavailable, the console session is disconnected from the old
master and a new session is established with the newly elected master.
An out-of-band management Ethernet port is often referred to simply as a

management Ethernet port. It uses a dedicated management channel for device
maintenance and allows a system administrator to monitor and manage the switch
by remote control.
The virtual chassis can be managed remotely through SSH or Telnet using a global
management interface called the virtual management Ethernet (VME) interface. VME
is a logical interface representing any and all of the out-of-band management ports
on the member switches. When you connect to the virtual chassis using the VME IP
address, the connection is redirected to the master member as shown in
Figure 6 on page 126.
Figure 6: Management Ethernet Port Redirection to VME
126 ■ Understanding Global Management of a Virtual Chassis

If the master management Ethernet link is unavailable, the session is redirected

through backup management Ethernet link. If there is no active management Ethernet
link on the backup, the VME interface chooses a management Ethernet link on one
of linecard members, selecting the linecard member with the lowest member ID as
its first choice.
You can configure an IP address for the VME global management interface at any
time at any time. See Configuring the Virtual Management Ethernet Interface for
Global Management of a Virtual Chassis.
You can perform remote configuration and administration of all members of the
virtual chassis through the VME interface.
Related Topics

Understanding Nonvolatile Storage in a Virtual Chassis

The EX 4200 switch stores JUNOS system files in internal flash memory. In a virtual
chassis, both the master and the backup switch store the configuration information
for all the member switches.
■ Nonvolatile Memory Features on page 127
Nonvolatile Memory Features

The JUNOS for EX-series software optimizes the way the virtual chassis stores its
configuration if a member switch or the virtual chassis is shut down improperly:
■ If the master is not available, the backup switch takes on the role of the master
and its internal flash memory takes over as the alternate location for maintaining
nonvolatile configuration memory.
■ If a member switch is taken offline for repair, the master stores the configuration
of the member switch.
USB storage devices can be used for user data, such as copying log files from the
switch to a personal computer.
Related Topics
Understanding the High-Speed Interconnection of the Virtual Chassis Members

Two high-speed virtual chassis ports (VCPs) on the rear panel of the virtual chassis
member switches enable the members to be interconnected and operate as a single,

powerful switch. Each VCP interface is 32 Gbps bidirectional. When VCP interfaces
are used to form a ring topology, each segment provides 64 Gbps bidirectional
bandwidth. Because the VCP links act as point-to-point links, multiple segments of
the ring can be used simultaneously. This allows the virtual chassis bandwidth to
scale as you interconnect more members within the ring topology.
Related Topics

■ Cabling EX 4200 Switches for Virtual Chassis Configuration
Understanding Virtual Chassis and Link Aggregation

You can combine physical Ethernet ports belonging to different member switches
of a virtual chassis to form a logical point-to-point link, known as a link aggregation
group (LAG) or bundle. A LAG provides more bandwidth than a single Ethernet link
can provide. Additionally, link aggregation provides network redundancy by
load-balancing traffic across all available links. If one of the links fails, the system
automatically load-balances traffic across all remaining links.
You can select up to 8 Ethernet interfaces from the different member switches of
the virtual chassis and include them within a link aggregation group. A full virtual
chassis configuration can support up to 127 LAGs.
NOTE: The interfaces that are included within a LAG are sometimes referred to as
member interfaces. Do not confuse member interfaces and member switches. The
member switches are individual EX 4200 switches that have been interconnected
with their virtual chassis ports (VCPs) to operate as a single network entity. In a virtual
chassis, you can create a LAG formed of member interfaces that represent ports
belonging to different member switches.
Related Topics

■ Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual
Chassis Access Switch and a Virtual Chassis Distribution Switch
■ Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP
Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch

Understanding Virtual Chassis Configuration

You configure and manage almost all aspects of a virtual chassis through the master
of the virtual chassis. However, you can also configure virtual chassis parameters
when an EX 4200 is a standalone switch not interconnected with other members.
An EX 4200 switch has some innate characteristics of a virtual chassis by default. A

standalone EX 4200 switch is assigned member ID 0 and is the master of itself.
Therefore, you can edit its virtual chassis configuration. When the standalone switch
is interconnected with an existing virtual chassis, the virtual chassis configuration
statements and any VCP uplink settings that you previously specified on the
standalone switch remain part of its configuration.
A switch cannot be recognized as a member of a virtual chassis configuration until

it is interconnected with the master, or interconnected with an existing member of
the virtual chassis configuration. When a switch is located too far away to be
interconnected with the dedicated virtual chassis ports, you can specify an uplink as
a virtual chassis port using the request virtual-chassis vc-port command. This
command, setting an uplink port as a VCP must be executed on the standalone
switch, because it is not yet part of the virtual chassis configuration. Without an
uplink VCP, the standalone switch cannot be recognized by the master as belonging
to the virtual chassis.
While an uplink port is set as a VCP interface, it cannot be used for any additional
purpose. If you want to use the uplink port for another purpose, you can delete the
VCP setting by using the request virtual-chassis vc-port command. You can execute
this command directly on the member whose uplink VCP setting you want to delete
or through the master of the virtual chassis.
In addition, you may choose to create a preprovisioned configuration. This type of

configuration allows you to deterministically control the member ID and role assigned
to a member switch by tying it to its serial number. For an example of a
preprovisioned configuration, see Example: Configuring a Virtual Chassis with a
Preprovisioned Configuration File.
Related Topics

■ Understanding How the Master in a Virtual Chassis Is Elected
Closets
Wiring Closet
■ Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File
Understanding Virtual Chassis Configuration ■ 129

Understanding Virtual Chassis EX 4200 Switch Version Compatibility

For EX 4200 switches to be interconnected as a virtual chassis, the switches must
be running the same software versions. The master checks the hardware version,
JUNOS software version, and other component versions running in a switch that is
physically interconnected to its virtual chassis port (VCP). Different hardware models
can be members of the same virtual chassis. However, the master will not assign a
member ID to a switch that is running a different software version. A switch that is
running a different version of software will not be allowed to join the virtual chassis.
Related Topics

■ Understanding Software Upgrade in a Virtual Chassis
130 ■ Understanding Virtual Chassis EX 4200 Switch Version Compatibility

Chapter 12
Examples of Configuring Virtual Chassis
■ Virtual Chassis Configuration Examples on page 131
Virtual Chassis Configuration Examples

Wiring Closet on page 131
■ Example: Expanding a Virtual Chassis in a Single Wiring Closet on page 136
■ Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default
Configuration on page 142
Closets on page 147
Chassis Access Switch and a Virtual Chassis Distribution Switch on page 156
Switch on page 163
■ Example: Configuring a Virtual Chassis with a Preprovisioned Configuration
File on page 169
Example: Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet
A virtual chassis is a scalable switch. You can provide secure, redundant network
accessibility with a basic two-member virtual chassis and later expand the virtual
chassis to provide additional access ports as your office grows.
This example describes how to configure a virtual chassis with a master and backup
in a single wiring closet:
■ Requirements on page 132
■ Overview and Topology on page 132
■ Configuration on page 133
■ Verification on page 134
■ Troubleshooting the Virtual Chassis on page 135
Virtual Chassis Configuration Examples ■ 131

Requirements
This example uses the following hardware and software components:

■ JUNOS Release 9.0 or later software for EX-series switches
■ One EX 4200-48P switch
■ One EX 4200-24T switch
■ One EX-UM-2XFP uplink module
Before you begin, be sure you have:

1. Rack-mounted the switches. See Mounting an EX-series Switch on a Rack or
Cabinet or Mounting an EX-series Switch on a Desk or Other Level Surface.
2. Installed the uplink module. See Installing an Uplink Module in an EX-series
Switch.
3. Cabled the switches. See Connecting a Virtual Chassis Cable to an EX-series
Switch.
Overview and Topology
A virtual chassis allows you to accommodate the networking needs of a growing

office. The default configuration of a two-member virtual chassis includes a master
and a backup switch. In addition to providing more access ports than a single EX 4200
switch can provide, a virtual chassis provides high availability through redundancy.
This example shows a virtual chassis composed of two EX 4200 switches. One of
the switches has an uplink module with ports that can be configured to connect to
a distribution switch or customer edge (CE) router or that can be configured as virtual
chassis ports (VCPs) to interconnect with a member switch that is located too far for
the dedicated VCP cabling. For information on configuring the uplink ports as trunk
ports to a distribution switch, see Configuring Gigabit Ethernet Interfaces on EX-series
Switches (CLI Procedure). For an example of configuring uplink ports as VCPs, see
Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets.
The virtual chassis provides networking access for 50 onsite workers, who are sitting
within range of a single wiring closet. The workers all use personal computers and
VoIP phones. As the office grows, you can add more EX 4200 switches to meet
increased needs for access ports.
The topology for this example consists of two switches, one of which contains an
uplink module:
■ One EX 4200-24T switch (SWA-0) with 24 access ports, including eight ports
that support PoE
■ One EX 4200-48P switch (SWA-1) with 48 access ports, all of which support PoE
■ One EX-UM-2XFP uplink module, with two 10–Gigabit Ethernet ports, is installed
in the EX 4200-48P switch
132 ■ Requirements
Chapter 12: Examples of Configuring Virtual Chassis
Table 28 on page 133 shows the default configuration settings for the two-member
virtual chassis.
Table 28: Components of the Basic Virtual Chassis Access Switch Topology
Member Switch Hardware Member ID Role and Priority

SWA-0 EX 4200-48P switch 0 Master: mastership priority
128
SWA-1 EX 4200-24T switch 1 Backup: mastership priority

128
Figure 7 on page 133 shows that SWA-0 and SWA-1 are interconnected with their
dedicated VCPs on the rear panel. The LCD on the front displays the Member ID and
Role. SWA-0 also includes an uplink module. Its uplink ports can be used to connect
to a distribution switch.
Figure 7: Basic Virtual Chassis with Master and Backup
Configuration
Configure a virtual chassis with a default master and backup in a single wiring closet:
Step-by-Step Procedure By default, after you interconnect the switches with the dedicated VCPs and power
on the switches, the VCPs are operational. The mastership priorities and member
IDs are assigned by the software. The software elects a master based on several
criteria, including how long a member switch has belonged to the virtual chassis.
For additional details, see Understanding How the Master in a Virtual Chassis Is
Elected. Therefore, we recommend that you start by powering on only one member
switch, the one that you want to function as the master.NOTE:We recommend that
you use the commit synchronize command to save any configuration changes that
you make to a multimember virtual chassis.To configure a virtual chassis with master
and backup:
1. Make sure the VCPs on the rear panel of the member switches are properly
cabled. See Virtual Chassis Cabling Configuration Examples.
2. Power on SWA-0 (the member switch that you want to function as the master).
3. Check the front-panel LCD to confirm that the switch has powered on correctly.
Configuration ■ 133
4. Run the EZ Setup program on SWA-0, specifying the identification parameters.

See Connecting and Configuring the EX-series Switch (CLI Procedure) for details.
5. Configure SWA-0 with the virtual management Ethernet (VME) interface for
out-of-band management of the virtual chassis, if desired.
[edit]
user@SWA-0# set interfaces vme unit 0 family inet /ip-address/mask/
6. Power on SWA-1.
Verification
To confirm that the virtual chassis is operational, perform these tasks:

■ Verifying That the Mastership Priority is Assigned Appropriately on page 134
■ Verifying That the VCPs Are Operational on page 135
Verifying That the Mastership Priority is Assigned Appropriately

Purpose Verify that the master, which has been selected by default, is the member switch
that you want to function in that role.
Action 1. Check the front-panel LCD to confirm that the switch has powered on correctly
and that a member ID has been assigned.
2. List the member switches of the virtual chassis.
user@SWA-0>show virtual-chassis status

Virtual Chassis ID: 0019.e250.47a0
Mastership Neighbor List
Member ID Status Serial No Model priority Role ID Interface
0 (FPC 0) Prsnt AK0207360276 ex4200-48p 128 Master* 1 vcp-0
1 vcp-1
1 (FPC 1) Prsnt AK0207360281 ex4200-24t 128 Backup 0 vcp-0
0 vcp-1
Member ID for next new member: 2 (FPC 2)
What It Means The show virtual-chassis status command lists the member switches interconnected
as a virtual chassis with the member IDs that have been assigned by the master, the
mastership priority values, and the roles. It also displays the neighbor members with
which each member is interconnected. The output shows that SWA-0, member 0,
has been assigned default mastership priority 128. Because SWA-0 is the first member
to be powered on, it has the most seniority and is therefore assigned the role of
master. SWA-1 is powered on after member 0, so it is assigned the role of backup.
The member IDs are displayed on the front panel of the switches. Check and confirm
whether the default assignment is satisfactory.
134 ■ Verification
Verifying That the VCPs Are Operational

Purpose Verify that the dedicated virtual chassis ports interconnecting the switches are
operational.
Action Display the virtual chassis ports of all the members

user@SWA-0> show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
Interface Type Status
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc1:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
What It Means The show virtual-chassis vc-port command lists the interfaces that are enabled for
the member switches of the virtual chassis and shows the status of the interfaces.
The output in this example shows that two of the VCPs are operational and two VCPs
are not. A single cable has been used to interconnect vcp-0 of member ID 0 and
vcp-0 of member ID 1. That interconnection is sufficient for the switch to be
operational. However, we recommend that you connect the second set of VCPs for
redundancy.
Troubleshooting the Virtual Chassis
To troubleshoot the configuration of a virtual chassis, perform these tasks:
Troubleshooting the Assignment of Roles

Problem The master and backup roles are not assigned to the member switches that you want
to function in these roles
Solution Modify the mastership priority values
To quickly modify the mastership priority of SWA-1 (member ID 1), copy the following
command and paste it into the switch terminal window:
[edit virtual-chassis]
user@SWA-1# set member 1 mastership-priority 255
Verifying That the VCPs Are Operational ■ 135

Troubleshooting the VCPs

Problem The VCPs are down.
Solution 1. Check to make sure that you have cabled the appropriate ports.
2. Check to make sure that the cables are seated properly.
You should generally cable and interconnect both of the VCPs on the member
switches, for redundancy and high availability.
Related Topics
■ Example: Expanding a Virtual Chassis in a Single Wiring Closet

Configuration
■ Configuring a Virtual Chassis (CLI Procedure)
Example: Expanding a Virtual Chassis in a Single Wiring Closet

A virtual chassis is a scalable switch composed of multiple interconnected EX 4200
switches. Up to ten EX 4200 switches can be interconnected as a virtual chassis.
This example describes how to configure an expanding virtual chassis within a single
wiring closet:
■ Troubleshooting on page 141
Requirements

■ One EX 4200-24T switch
■ One EX-UM-2XFP uplink module
136 ■ Troubleshooting the VCPs

■ Confirmed that the existing virtual chassis is operating correctly. See Example:
Configuring a Virtual Chassis with a Master and Backup in a Single Wiring Closet.
A virtual chassis can be expanded without disrupting the site's network connectivity.
This example describes adding a member switch to an existing virtual chassis to
provide additional access ports for connecting more PCs and VoIP phones at this
location. You can continue to expand the virtual chassis with additional members in
the same wiring closet, using the same procedure. If you want to expand the virtual
chassis to include member switches in another wiring closet, see Example: Configuring
a Virtual Chassis Interconnected Across Multiple Wiring Closets.
If you want to retain the roles of the existing master and backup switches, explicitly
configure the mastership priority of these switches, specifying the highest possible
value (255) for both the master and the backup.
During expansion, the existing virtual chassis can remain powered on and connected
to the network. Before powering up the new switch, interconnect it to the other the
switches using the dedicated VCPs on the rear panel. Do not run the EZ Setup program
on the added member switch.
This example shows an existing virtual chassis composed of two EX 4200 switches.
The virtual chassis is being expanded to include a EX 4200-24P switch as a linecard
member.
The topology for this example consists of three switches:

■ One EX 4200-24T switch (SWA-0) with 24 access ports, including eight ports
that support PoE
■ One EX 4200-48P switch (SWA-1) with 48 access ports, all of which support
Power over Ethernet (PoE)
■ One EX 4200-24P switch (SWA-2) with 24 access ports, all of which support PoE
■ One uplink module with two 10-Gigabit Ethernet ports is installed in the
EX 4200-48P switch. These ports can be configured as trunk ports to connect to
a distribution switch or customer edge (CE) router or as virtual chassis ports
(VCPs) to interconnect with a member switch that is located too far for dedicated
VCP cabling. For information on configuring the uplink ports as trunk ports to a
distribution switch, see Configuring Gigabit Ethernet Interfaces on EX-series
Switches (CLI Procedure). For information on configuring uplink ports as virtual
chassis ports, see Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure)
andExample: Configuring a Virtual Chassis Interconnected Across Multiple Wiring
Closets.
Table 29 on page 138 shows the configuration settings for the expanded virtual chassis.
Overview and Topology ■ 137

Table 29: Components of the Expanded Virtual Chassis Access Switch
Member Switch Hardware member ID Role in Virtual Chassis

SWA-0 EX 4200-48P switch 0 master; mastership priority
255
SWA-1 EX 4200-24T switch 1 backup; mastership priority

255
SWA-2 EX 4200-24P switch 2 linecard; mastership priority

128
Figure 8 on page 138 shows that the three member switches ( SWA-0, SWA-1 and
SWA-2) are interconnected with their dedicated VCPs on the rear panel. The LCD on
the front displays the member ID and role. SWA-0 also includes an uplink module.
Its uplink ports can be used to connect to a distribution switch.
Figure 8: Expanded Virtual Chassis in Single Wiring Closet
Configuration
To expand a virtual chassis to include additional member switches within a single

wiring closet, perform these tasks:
NOTE: We recommend that you use the commit synchronize command to save any
configuration changes that you make to a multimember virtual chassis.

138 ■ Configuration
CLI Quick Configuration To maintain the master and backup roles of the existing members and ensure that
the new member switch functions in a linecard role, copy the following commands
and paste them into the terminal window:
[edit]
user@SWA-0# set virtual-chassis member 0 mastership-priority 255
user@SWA-1# set virtual-chassis member 1 mastership-priority 255
Step-by-Step Procedure To ensure that the existing member switches retain their current roles and to add
another member switch in a linecard role:
1. Configure the mastership priority of SWA-0 (member 0) to be the highest possible

value, thereby ensuring that it functions as the master of the expanded virtual
chassis.

value. This setting is recommended for high availability and smooth transition
of mastership in case the original master becomes unavailable.
3. Interconnect the unpowered SWA-2 with SWA-0 and SWA-1 using the dedicated
VCPs on the rear panel. See Virtual Chassis Cabling Configuration Examples for
additional information.
4. Power on SWA-2.
You do not need to configure or run EZ Setup on SWA-2. The identification

parameters that were set up for the master apply implicitly to all members of
the virtual chassis. SWA-2 functions in a linecard role, since SWA-0 and SWA-1
have been configured to the highest mastership priority values.
Verification
To verify that the new switch has been added as a linecard and that its VCPs are
operational, performs these tasks:
■ Verifying That the New Switch Has Been Added as a Linecard on page 139
Verifying That the New Switch Has Been Added as a Linecard

Purpose Verify that SWA-2 has been added in a linecard role to the virtual chassis.
Action Use the show virtual-chassis status command to list the member switches with their
member IDs, mastership priority values, and assigned roles.
Verification ■ 139
user@SWA-0> show virtual-chassis status
Virtual Chassis ID: 0000.e255.00e0

Member ID Status Serial No Model Priority Role ID Interface
0 (FPC 0) Prsnt abc123 ex4200-48p 255 Master* 1 vcp-0

2 vcp-1
1 (FPC 1) Prsnt def456 ex4200-24t 255 Backup 2 vcp-0

0 vcp-1
2 (FPC 2) Prsnt abd231 ex4200-24p 128 Linecard 0 vcp-0

1 vcp-1
What It Means The show virtual-chassis status command lists the member switches of the virtual
chassis with the member IDs and mastership priority values. It also displays the
neighbor members with which each member is interconnected. This output shows
that SWA-2 has been assigned member ID 2 and has the default mastership priority
value 128. Because the mastership priority is lower than the mastership priority of
the other members, SWA-2 functions in the linecard role. You can continue to add
more member switches, following the same procedure. It is possible to have multiple
members in linecard roles with the same mastership priority value.

Purpose Verify that the dedicated VCPs interconnecting the member switches are operational.
Action List the VCP interfaces on the virtual chassis.
user@SWA-0>show virtual-chassis vc-port all-members
fpc0:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc1:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc2:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
140 ■ Verifying That the VCPs Are Operational

What It Means The show virtual-chassis vc-port all-members command lists all the virtual chassis
interfaces for the virtual chassis. In this case, no VCP uplinks have been configured.
However, the VCP interfaces are automatically configured and enabled when you
interconnect member switches using the dedicated virtual chassis ports. There are
two dedicated VCPs on the rear panel of each EX 4200 switch. It is recommended
that you interconnect the member switches using both VCPs for redundancy. The
VCP interfaces are identified simply as vcp-0 and vcp-1. The fpc number is the same
as the member ID.
Troubleshooting
To troubleshoot the configuration of an expanded virtual chassis, perform these

tasks:
Troubleshooting Mastership Priority

Problem You want to designate a different member as the master.
Solution Change the mastership priority value or values of the switches, designating the highest
mastership priority value for the switch that you want to be master.
1. Lower the mastership priority of the existing master (member 0).
2. Set the mastership priority of the member that you want to be the master to the
highest possible value (255):
Troubleshooting Nonoperational VCPs

Problem The VCP interface shows a status of down.
Solution Check the cable to make sure that it is properly and securely connected to the VCPs.
Related Topics

Configuration
Troubleshooting ■ 141
Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default

Configuration
You can configure a multimember virtual chassis in a single wiring closet without
setting any parameters—by simply cabling the switches together, using the dedicated
virtual chassis ports (VCPs). You do not need to modify the default configuration to
enable these ports. They are operational by default. The virtual chassis automatically
assigns the master, backup, and linecard roles, based on the sequence in which the
switches are powered on and other factors in the master election algorithm. See
Understanding How the Master in a Virtual Chassis Is Elected.
Tip We recommend that you explicitly configure the mastership priority of the switches
to ensure that the switches continue to perform the desired roles when additional
switches are added or other changes occur. However, it is possible to use the default
configuration described in this example.
This example describes how to configure a multimember virtual chassis in a single

wiring closet, using the default role assignments:
Requirements

■ Two EX 4200-48P switches
■ Four EX 4200-24P switches
A virtual chassis is easily expandable. This example shows a virtual chassis composed
of six EX 4200 switches. It provides networking access for 180 onsite workers, who
are sitting within range of a single wiring closet. The six combined switches are
identified by a single host name and managed through a global management IP
address.
To set up a multimember virtual chassis within a single wiring closet, you need to
run the EZ Setup program only once. Connect to the master and run EZ Setup to
specify its identification, time zone, and network properties. When additional switches
are connected through the virtual chassis ports (VCPs), they automatically receive
the same properties that were specified for the master.
The topology for this example (see Figure 1) consists of six switches:
142 ■ Example: Setting Up a Multimember Virtual Chassis Access Switch with a Default Configuration
■ Two EX 4200-48P switches (SWA-0 and SWA-1) with 48 access ports, all of which
support Power over Ethernet (PoE)
■ Four EX 4200-24P switches (SWA-2, SWA-3, SWA-4, and SWA-5) with 24 access
ports, all of which support PoE
Figure 9 on page 143 shows that all the member switches are interconnected with
the dedicated VCPs on the rear panel. The LCD on the front displays the member ID
and role.
Figure 9: Default Configuration of Multimember Virtual Chassis in a Single Wiring

Closet
Configuration
Configure a multimember virtual chassis access switch in a single wiring closet using
the factory defaults:
CLI Quick Configuration By default, after you interconnect the switches with the dedicated VCPs and power
on the switches, the VCPs are operational. The mastership priorities and member
IDs are assigned by the software. To determine which switch has been selected as
the master, check the LCD on the front panel. It should be the first switch that you
power on. The backup should be the second switch that you power on. The other
switches are all linecards. Wait at least one minute after powering on the master,
before continuing to power on the other switches.
Step-by-Step Procedure To configure a multimember virtual chassis with default role assignments:
1. Make sure the dedicated VCPs on the rear panel are properly cabled. See Virtual
Chassis Cabling Configuration Examples for additional information.
2. Power on the switch that you want to function as the master (SWA-0). This
examples uses one of the larger switches (EX 4200-48P) as the master.
3. Check the front panel LCD to confirm that the switch has powered on correctly
4. Run the EZ Setup program on SWA-0, the master, specifying the identification
parameters. See Connecting and Configuring the EX-series Switch (CLI Procedure)
for details.
[edit]
6. After a lapse of at least one minute, power on SWA-1. This example uses the
second EX 4200-48P switch as the backup.
7. Check the front panel LCD to confirm that the switch has powered on correctly
8. Power on SWA-2, and check the front panels to make sure that the switch is
operating correctly.
9. Continue to power on the member switches one by one, checking the front
panels as you proceed.
Verification
To confirm that the configuration is working properly, perform these tasks:

■ Verifying the Member IDs and Roles of the Member Switches on page 144
Verifying the Member IDs and Roles of the Member Switches

Purpose Verify that all the interconnected member switches are included within the virtual
chassis and that their roles are assigned appropriately.
Action Display the members of the virtual chassis:


5 vcp-1
1 (FPC 1) Prsnt def123 ex4200-48p 128 Backup 2 vcp-0

0 vcp-1

1 vcp-1
3 (FPC 3) Prsnt cab123 ex4200-24p 128 Linecard 4 vcp-0

2 vcp-1
4 (FPC 4) Prsnt fed456 ex4200-24p 128 Linecard 5 vcp-0

3 vcp-1
5 (FPC 5) Prsnt jkl231 ex4200-24p 128 Linecard 0 vcp-0

4 vcp-1
What It Means The show virtual-chassis status command lists the member switches of the virtual
chassis with the member IDs and mastership priority values. It also displays the
neighbor members with which each member is interconnected. The fpc number is
the same as the member ID.

Purpose Verify that the dedicated VCPs interconnecting the member switches are operational.
Action Display the virtual chassis interfaces.
fpc0:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc1:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc2:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
Verifying That the VCPs Are Operational ■ 145

fpc3:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc4:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc5:

or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
What It Means The show virtual-chassis vc-port all-members command lists the virtual chassis interfaces
that are enabled for the member switches of the virtual chassis and shows the status
of the interfaces. In this case, no VCP uplinks have been configured. However, the
VCP interfaces are automatically configured and enabled when you interconnect
member switches using the dedicated VCPs. There are two dedicated VCPs on the
rear panel of each EX 4200 switch. The dedicated VCP interfaces are identified simply
as vcp-0 and vcp-1. They do not use the standard interface address (in which the
member ID is represented by the first digit). The output in this example shows that
all interfaces are operational. The fpc number is the same as the member ID.
Troubleshooting
To troubleshoot the configuration of a multimember virtual chassis in a single wiring

closet, perform these tasks:
Troubleshooting Mastership Priority

Problem You want to explicitly designate one member as the master and another as backup.
Solution Change the mastership priority value of the member that you want to function as
master, designating the highest mastership priority value that member.
NOTE: These configuration changes are made through the current master, SWA-0.
1. Configure mastership priority of member 0 to be the highest possible value.
146 ■ Troubleshooting
2. Set the mastership priority of another member that you want to function as the
backup member as the same value:

Problem The VCP interface shows a status of down.
Solution Check the cable to make sure that it is properly and securely connected to the VCPs.
Related Topics

Wiring Closet
Closets
Example: Configuring a Virtual Chassis Interconnected Across Multiple Wiring Closets

A virtual chassis is a very adaptable access switch solution. You can install member
switches in different wiring closets, interconnecting the member switches by cabling
and configuring uplink ports as virtual chassis ports (VCPs).
This example describes how to configure a virtual chassis access switch interconnected
across wiring closets:
Requirements

■ Two EX 4200-24T switches
■ Four EX-UM-2XFP uplink modules
Troubleshooting Nonoperational VCPs ■ 147

Before you interconnect the members of the virtual chassis across wiring closets, be
sure you have:
1. Installed an EX-UM-2XFP uplink module in the member switches that will be
interconnected across wiring closets. See Installing an Uplink Module in an
EX-series Switch.
2. Powered on, connected and run the EZ Setup program on SWA-0. Follow the
prompts to specify the host name and other identification, time zone, and
network properties. See Connecting and Configuring the EX-series Switch (CLI
Procedure) for details. SWA-0 is going to be configured in the example to function
as the master of the virtual chassis. Thus, the properties that you specified for
SWA-0 apply to the entire virtual chassis, including all the member switches that
you later interconnect with the master.
3. Configured SWA-0 with the virtual management Ethernet (VME) for remote,
[edit]
4. Interconnected SWA-0 and SWA-1 (the two member switches in wiring closet
A) using the dedicated VCPs on the rear panel. SWA-1 should not be powered
on at this time.
5. Interconnected SWA-2 and SWA-3 (the two member switches in wiring closet
B) using the dedicated VCPs on the rear panel. SWA-2 and SWA-3 should not be
powered on at this time.
NOTE: To set an uplink as a VCP interface, it must be one of the 10-Gigabit Ethernet
uplinks (EX-UM-2XFP uplink module). When an uplink port is set as a VCP interface,
it cannot be used for any other purpose. The EX-UM-2XP uplink module has two
ports. You can set one port as a VCP interface and configure the other port in trunk
mode as an uplink to a distribution switch.
In this example, four EX 4200 switches will be interconnected as a virtual chassis.

Two switches (SWA-0 and SWA-1) are located in wiring closet A and two switches
(SWA-2 and SWA-3) are located at the other end of the floor in wiring closet B.
For easier monitoring and manageability, we want to interconnect all four switches
as members of a virtual chassis. Prior to configuring the virtual chassis, we installed
uplink modules in each of the member switches. We are going to interconnect the
member switches across wiring closets setting the 10-Gigabit Ethernet uplink ports
as VCP interfaces. In this example, uplink modules are installed in all four members
so that there are redundant VCP connections across the wiring closets. If you want
to expand this configuration to include more members within these wiring closets,
you do not need to add any more uplink modules. Simply use the dedicated VCPs
on the rear panel. The redundancy of uplink VCPs provided in this example is
sufficient.
148 ■ Overview and Topology

First, we will complete the virtual chassis configuration of the member switches in
wiring closet A.
We have decided that SWA-0 will function as the master, so we set its mastership
priority value to the highest possible value (255).
The switches (SWA-0 and SWA-1) in wiring closet A have been interconnected using
the dedicated virtual chassis ports (VCPs) . The interfaces for the rear panel, dedicated
VCPs are operational by default. They do not need to be configured.
However, the rear-panel virtual chassis cables that interconnect the VCPs of member
switches within a single wiring closet are not long enough to connect member switches
across wiring closets. Instead, you can use the fiber cable connections in the uplink
modules to interconnect the member switches in wiring closet A to the member
switch in wiring closet B. For redundancy, this example connects uplink ports from
the two member switches in wiring closet A to the two member switches in wiring
closet B.
After specifying the highest mastership priority value (255) for SWA-0, we power on
SWA-1. Because SWA-0 and SWA-1 are interconnected with the dedicated VCPs, the
master detects that SWA-1 is a member of its virtual chassis and assigns a member
ID. We can now set the VCP uplinks for both SWA-0 and SWA-1 through the master
in preparation for interconnecting them with the member switches in wiring closet
B.
However, in order for the master to recognize the existence of SWA-2, you must first
set one of the SWA-2 uplinks as a VCP. You cannot set the SWA-2 uplink through the
master of the virtual chassis, because SWA-2 is not yet interconnected as a member
switch.
We will power on and configure SWA-2 prior to powering on SWA-3.
When you power on SWA-2, its member ID is 0, its default mastership priority is
128, and it is functioning in the master role.
You can configure SWA-2 without running EZ Setup by directly connecting to the
console port. If you wish, you can run EZ Setup and specify identification parameters.
Later, when you interconnect SWA-2 with the master of the virtual chassis, the master
overwrites any conflicting parameters.
We want to use SWA-2 as the backup of the virtual chassis. If a problem occurs in
wiring closet A, SWA-2 would take control of the virtual chassis and maintain the
network connections. We configure the same mastership priority value for SWA-2
(255) that we configured for the master. Because SWA-0 has already been powered
on prior to SWA-2, it has additional prioritization properties that allow it to retain
mastership of the virtual chassis. See Understanding How the Master in a Virtual
Chassis Is Elected for additional information about the election of the master. We
recommend setting identical mastership priority values for the master and backup
members for high availability and smooth transition of mastership in case the original
master becomes unavailable. (It prevents the previous master from pre-empting the
master role from the new master when the previous master comes back online.)
After SWA-2 has been configured and its uplink port has been set as a VCP interface,
interconnect its VCP uplink port with the VCP uplink of SWA-0 in wiring closet A.

SWA-2 reboots and joins the virtual chassis as member 2 and as backup of the
expanded virtual chassis.
Now, power on SWA-3. Because SWA-3 is interconnected with SWA-2 using the
dedicated VCPs on the rear panel, the master detects that SWA-3 is part of the
expanded virtual chassis and assigns it member id 3. For redundancy, configure a
VCP uplink on member 3 through the master and interconnect this uplink with the
VCP uplink of SWA-1 in wiring closet A.
The topology for this example consists of:

■ Two EX 4200-24T switches
■ Four EX-UM-2XFP uplink modules.
Table 30 on page 150 shows the virtual chassis configuration settings for a virtual
chassis composed of member switches in different wiring closets.
Table 30: Components of a Virtual Chassis Interconnected Across Multiple Wiring Closets
Switch Member ID Role and Priority Uplinks Hardware Location

Connecting
Member Switches
SWA-0 0 master; xe-0/1/0 EX 4200-48P and Wiring closet A
mastership priority EX-UM-2XFP
255 uplink module
SWA-1 1 linecard; xe-1/1/0 EX 4200-24T and Wiring closet A

128 uplink module
SWA-2 2 backup; xe-0/1/0 EX 4200-48P and Wiring closet B

255 uplink module
SWA-3 3 linecard; xe-3/1/0 EX 4200-24T and Wiring closet B

128 uplink module
Figure 10 on page 151 shows the different types of interconnections used for this
virtual chassis configuration. The rear view shows that the member switches within
each wiring closet are interconnected to each other using the dedicated VCPs. The
front view shows that the uplink ports that have been set as VCP interfaces and
interconnected across the wiring closets. The uplink ports that are not used as VCPs
can be configured as trunk ports to connect to a distribution switch.

Figure 10: A Virtual Chassis Interconnected Across Wiring Closets
Configuration
To configure the virtual chassis across multiple wiring closets, perform these tasks:

CLI Quick Configuration To quickly configure a virtual chassis across multiple wiring closets, configure a
master in one closet and a backup in the other by copying the following commands
into the specified terminal windows (SWA-0 and SWA-2):
[edit]
user@SWA-0#set virtual-chassis member 0 mastership-priority 255
[edit]
user@SWA-2#set virtual-chassis member 0 mastership-priority 255
NOTE: At this point, SWA-2 is a standalone switch, so its member ID is 0.
Step-by-Step Procedure To configure a virtual chassis across multiple wiring closets:

value (255), thereby ensuring that it functions as the master of the expanded
virtual chassis.
user@SWA-0#set member 0 mastership-priority 255
2. Prepare the members in wiring closet A for interconnecting with the member
switches in wiring closet B by setting uplink VCPs for member 0 and member
1:
user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0

user@SWA-0> request virtual-chassis vc-port set pic-slot 1 port 0 member
1
NOTE:
■ For redundancy, this example configures an uplink VCP in both SWA-0 and
SWA-1.
■ This example omits the specification of the member member-id option in
configuring the uplink for SWA-0. The command applies by default to the switch
where it is executed.
3. Prepare the potential member switch (SWA-2) in wiring closet B for

interconnecting with the virtual chassis by configuring its mastership priority
to be the highest possible value (255). Its member ID is currently 0, because it
is not yet interconnected with the other members of the virtual chassis. It is
operating as a standalone switch. Its member ID will change when it is
interconnected.
NOTE: SWA-2 is configured with the same mastership priority value that we
configured for SWA-0. However, the longer uptime of SWA-0 ensures that it functions
as the master and that SWA-2 functions as the backup.
4. Specify one uplink port in SWA-2 as a VCP interface. Its member ID is 0, because
it is not yet interconnected with the other members of the virtual chassis. Its
member ID will change when it is interconnected with the virtual chassis.
NOTE: The setting of the VCP interface remains intact when SWA-2 reboots and joins
the virtual chassis as member 2.
user@SWA-2>request virtual-chassis vc-port set pic-slot 1 port 0
This example omits the specification of the member member-id option. The
command applies by default to the switch where it is executed.
5. After you have set the uplink VCP in SWA-2, you should physically interconnect
SWA-0 and SWA-2 across wiring closets using their uplink VCPs. Although SWA-0
and SWA-2 have the same mastership priority value (255), SWA-0 was powered
on first and thus has longer uptime. This results in SWA-0 retaining mastership
while SWA-2 reboots and joins the now expanded virtual chassis as a backup
with member ID 2.
6. Power on SWA-3, which is interconnected with SWA-2 using the dedicated VCPs
on the rear panel. It joins the expanded virtual chassis as member 3.
NOTE: We have assumed that the member ID assigned to SWA-3 is 3, because it

was powered on in that sequence.
7. Since SWA-3 is now interconnected as a member of the virtual chassis, you can
specify a redundant VCP uplink on SWA-3 through the master of the virtual
chassis.

3
8. After you have configured the uplink VCP of SWA-3, you should physically
interconnect SWA-3 and SWA-1 across wiring closets using their uplink VCPs.
Both SWA-1 and SWA-3 have the default mastership priority value (128) and
function in a linecard role.
Results Display the results of the configuration on SWA-0:
[edit]
user@switch# show
virtual-chassis {
member 0 {
mastership-priority 255;
}
member 1 {
}
member 2 {
}
member 3 {
}
member 4 {
}
member 5 {
}
member 6 {
}
member 7 {
}
member 8 {
}
member 9 {
}
}
Verification

■ Verifying That the Dedicated VCPs and Uplink VCPs Are Operational on page 155

Purpose Verify that all the interconnected member switches are included within the virtual
chassis and that their roles are assigned appropriately.
0 (FPC 0) Prsnt abc123 ex4200-48p 255 Master*

1 vcp-0
1 vcp-1
2 1/0
1 (FPC 1) Prsnt def456 ex4200-24t 128 Linecard 0 vcp-0

0 vcp-1
3 1/0
2 (FPC 2) Prsnt ghi789 ex4200-48p 255 Backup 3 vcp-0
3 vcp-1
0 1/0
3 (FPC 3) Prsnt jkl012 ex4200-24t 128 Linecard 2 vcp-0

2 vcp-1
1 1/0
What It Means The show virtual-chassis status command lists the member switches interconnected
as a virtual chassis with the member IDs that have been assigned by the master, the
mastership priority values, and the roles. It also displays the neighbor members with
which each member is interconnected.
Verifying That the Dedicated VCPs and Uplink VCPs Are

Operational
Purpose Verify that the dedicated VCPs interconnecting the member switches in wiring closet
A and the uplink VCPs interconnecting the member switches between wiring closets
are operational.
Action Display the virtual chassis interfaces:

fpc0:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
1/0 Configured Up
fpc1:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
1/0 Configured Up
fpc2:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
1/0 Configured Up
fpc3:
--------------------------------------------------------------------------
Verifying That the Dedicated VCPs and Uplink VCPs Are Operational ■ 155

or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
1/0 Configured Up
What It Means The dedicated VCPs are displayed as vcp-0 and vcp-1. The uplinks configured as
VCPs are displayed as 1/0. The fpc number is the same as the member ID.
Troubleshooting
To troubleshoot a virtual chassis that is interconnected across wiring closets, perform

these tasks:

Problem A VCP interface shows a status of down.
Solution ■ Check the cable to make sure that it is properly and securely connected to the
ports.
■ If the VCP is an uplink port, make sure that the uplink module is model
EX-UM-2XFP.
■ If the VCP is an uplink port, make sure that the uplink port has been explicitly
set as a VCP.
■ If the VCP is an uplink port, make sure that you have specified the options
(pic-slot, port-number, member-id) correctly.
Related Topics

Wiring Closet
Configuration
■ Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure)
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis

Access Switch and a Virtual Chassis Distribution Switch
EX-series switches allow you to combine one to eight Ethernet links into one logical
interface for higher bandwidth and redundancy. The ports that are combined in this
manner are referred to as a link aggregation group (LAG) or bundle.
This example describes how to configure uplink LAGs to connect a virtual chassis
access switch to a virtual chassis distribution switch:
■ [xref target has no title]
Requirements
This example uses the following software and hardware components:

■ JUNOS Release 9.0 or later for EX-series switches
■ Two EX-series 4200-48P switches
■ Two EX-series 4200-24F switches
Before you configure the LAGs, be sure you have:

■ Configured the virtual chassis switches. See Example: Configuring a Virtual
Chassis with a Master and Backup in a Single Wiring Closet.
■ Configured the uplink ports on the switches as trunk ports. See Configuring
Gigabit Ethernet Interfaces on EX-series Switches (CLI Procedure).
For maximum speed and resiliency, you can combine uplinks between an access
switch and a distribution switch into LAGs. Using LAGs can be particularly effective
when connecting a multi-member, virtual-chassis access switch to a multi-member
virtual-chassis distribution switch.
The virtual chassis access switch in this example is composed of two member
switches. Each member switch has an uplink module with two 10-Gigabit Ethernet
ports. These ports are configured as trunk ports, connecting the access switch with
the distribution switch.
Configuring the uplinks as LAGs has the following advantages:

■ It doubles the speed of each uplink from 10 Gbps to 20 Gbps.
■ If one physical port is lost for any reason (a cable is unplugged or a switch port
fails, or one member switch is unavailable), the logical port transparently
continues to function over the remaining physical port.
The topology used in this example consists of one virtual chassis access switch and
one virtual chassis distribution switch. The access switch is composed of two
Requirements ■ 157
EX 4200-48P switches (SWA-0 and SWA-1), interconnected to each other with their
virtual chassis ports (VCPs) as member switches of Host-A. The distribution switch
is composed of two EX 4200-24F switches (SWD-0 and SWD-1), interconnected with
their VCPs as member switches of Host-D.
Each member of the access switch has an uplink module installed. Each uplink module
has two ports. The uplinks are configured to act as trunk ports, connecting the access
switch with the distribution switch. One uplink port from SWA-0 and one uplink port
from SWA-1 are combined as a LAG ae0 to SWD-0. This link is used for one vlan.
The remaining uplink ports from SWA-0 and from SWA-1 are combined as a second
LAG connection (ae1) to SWD-1. LAG ae1, which is used for another vlan .
Figure 11: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual
Chassis Distribution Switch
Table 1 details the topology used in this configuration example.

Table 31: Components of the Topology for Connecting Virtual Chassis Access Switches to a Virtual Chassis
Distribution Switch
Switch Hostname and Base Hardware Uplink Module member ID Trunk Port
VCID
SWA-0 Host-A Access EX 4200-48P One EX-UM-2XFP 0 xe-0/1/0 to SWD-0
switch switch uplink module
xe-0/1/1 to SWD-1
VCID 1

xe-1/1/1 to SWD-1
VCID 1
SWD-0 Host-D EX-series EX 4200 One EX-UM-2XFP 0 xe-0/1/0 to SWA-0

Distribution switch L-24F switch uplink module
xe-0/1/1 to SWA-1
VCID 4

xe-1/1/1 to SWA-1
VCID 4

CLI Quick Configuration To quickly configure aggregated Ethernet high-speed uplinks between a virtual chassis
access switch and a virtual chassis distribution switch, copy the following commands
and paste them into the switch terminal window:
[edit]
set chassis aggregated-devices ethernet device-count 2
set interfaces ae0 aggregated-ether-options minimum-links 2
set interfaces ae0 aggregated-ether-options link-speed 10g
set interfaces ae0 unit 0 family inet address 192.0.2.0/25
set interfaces xe-0/1/0 ether-options 802.ad ae0
■ 159
Step-by-Step Procedure To configure aggregated Ethernet high-speed uplinks between a virtual chassis access
switch and a virtual chassis distribution switch:
1. Specify the number of LAGs to be created on the chassis:
[edit chassis]
user@Host-A# set aggregated-devices ethernet device-count 2
2. Specify the number of links that need to present for the ae0 LAG interface to
be up.
[edit interfaces]
user@Host-A# set ae0 aggregated-ether-options minimum-links 2
be up.
[edit interfaces]
4. Specify the media speed of the ae0 link
[edit interfaces]
user@Host-A# set ae0 aggregated-ether-options link-speed 10g
[edit interfaces]
6. Specify the interface-id of the uplinks to be included in LAG ae0:
[edit interfaces]
user@Host-A# set xe-0/1/0 ether-options 802.ad ae0
[edit interfaces]
8. Specifies that LAG ae0 belongs to the subnet for the employee broadcast domain:
[edit interfaces]
user@Host-A# set ae0 unit 0 family inet address 192.0.2.0/25
9. Specifies that LAG ae1 belongs to the subnet for the guest broadcast domain:
[edit interfaces]
160 ■
user@Host-A# set ae1 unit 1 family inet address family inet address
192.0.2.128/25
[Warning: element unresolved in stylesheets: <results> (in

<configuration-section>). This is probably a new element that is not yet supported
in the stylesheets.]
Display the results of the configuration:
[edit]
chassis {
ethernet {
device-count 2;
}
}
}
interfaces {
ae0 {
link-speed 10g;
minimum-links 2;
}
unit 0 {
family inet {
address 192.0.2.0/25;
}
}
}
ae1 {
link-speed 10g;
minimum-links 2;
}
unit 0 {
family inet {
address 192.0.2.128/25;
}
}
xe–0/1/0 {
ether-options {
802.ad ae0;
}
}
xe–1/1/0 {
ether-options {
802.ad ae0;
}
}
xe–0/1/1 {
ether-options {
802.ad ae1;
}
}
■ 161
xe–1/1/1 {
ether-options {
802.ad ae1;
}
}
}
Configuration
To configure two uplink LAGs from the virtual chassis access switch to the virtual
chassis distribution switch, perform these tasks:
Verification
To verify that switching is operational and two LAGs have been created, perform
these tasks:
■ Verifying That LAG ae0 Has Been Created on page 162
Verifying That LAG ae0 Has Been Created

Purpose Verify that LAG ae0 has been created on the switch.
Action show interfaces aeo terse
Interface Admin Link Proto Local Remote
ae0 up up
ae0.0 up up inet 10.10.10.2/24
What It Means The output confirms that the ae0 link is up and shows the family and IP address
assigned to this link.

Purpose Verify that LAG ae1 has been created on the switch
Action show interface ae1 terse

ae1 up down
ae1.0 up down inet
What It Means The output shows that the ae1 link is down.
Troubleshooting
Troubleshooting a LAG that is Down

Problem The show interfaces terse command shows that the LAG is down:
Solution Check the following:

■ Verify that there is no configuration mismatch
■ Verify that all member ports are up
■ Verify that a LAG is part of family Ethernet switching (L2 LAG) or family inet (L3
LAG)
■ Verify that the LAG member is connected to the correct LAG at the other end
■ Verify that the LAG members belong to the same switch (or the same virtual
chassis)
Related Topics

Wiring Closet
■ Example: Connecting an Access Switch to a Distribution Switch.
■ Virtual Chassis Cabling Configuration Examples
■ Installing an Uplink Module in an EX-series Switch
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between a Virtual
manner are referred to as a link aggregation group (LAG) or bundle. EX-series switches
allow you to further enhance these links by configuring Link Aggregation Control
Protocol (LACP).
This example describes how to overlay LACP on the LAG configurations that were
created in Example: Configuring Aggregated Ethernet High-Speed Uplinks Between
a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch:
Requirements

■ JUNOS for EX-series Release 9.0 or later
■ Four EX-series EX-UM-2XFP uplink modules
Before you configure LACP, be sure you have:

■ Installed your EX-series switches.
■ Set up the virtual chassis switches. See Example: Configuring a Virtual Chassis
with a Master and Backup in a Single Wiring Closet.
■ Configured the LAGs. See Example: Configuring Aggregated Ethernet High-Speed
Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch
This example assumes that you are already familiar with the Example: Configuring
Aggregated Ethernet High-Speed Uplinks between Virtual Chassis Access Switch and
Virtual Chassis Distribution Switch. The topology in this example is exactly the same
as the topology in that other example. This example shows how to use LACP to
enhance the LAG functionality.
LACP exchanges are made between actors (the transmitting link) and partners (the
receiving link). The LACP mode can be either active or passive.
NOTE: If the actor and partner are both in passive mode, they do not exchange LACP
packets, which results in the aggregated Ethernet links not coming up. By default,
LACP is in passive mode. To initiate transmission of LACP packets and responses to
LACP packets, you must enable LACP in active mode.
By default, the actor and partner send LACP packets every second. You can configure
the interval at which the interfaces send LACP packets by including the periodic
statement at the [edit interfaces interface-name aggregated-ether-options lacp] hierarchy
level.
The interval can be fast (every second) or slow (every 30 seconds).
Configuration
To configure LACP for the two uplink LAGs from the virtual chassis access switch to
the virtual chassis distribution switch, perform these tasks:
Configuring LACP for the LAGs on the Virtual Chassis Access Switch
CLI Quick Configuration To quickly configure LACP for the access switch LAGs, copy the following commands
set interfaces ae0 aggregated-ether-options lacp active periodic fast

Step-by-Step Procedure To configure LACP for Host-A LAGs ae0 and ae1:
1. Specify the aggregated Ethernet options for both bundles:
[edit interfaces]
user@Host-A#set ae0 aggregated-ether-options lacp active periodic fast
Results Display the results of the configuration:
Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch
CLI Quick Configuration To quickly configure LACP for the distribution switch LAGs, copy the following
commands and paste them into the switch terminal window:
[edit interfaces]
set ae0 aggregated-ether-options lacp passive periodic fast
Step-by-Step Procedure To configure LACP for Host D LAGs ae0 and ae1:
1. Specify the aggregated ethernet options for both bundles:
[edit interfaces]
user@Host-D#set ae0 aggregated-ether-options lacp passive periodic fast
Verification
To verify that LACP packets are being exchanged, perform these tasks:
■ Verifying the LACP Settings on page 166
■ Verifying That the LACP Packets are Being Exchanged on page 166
Verifying the LACP Settings

Purpose To verify that the LACP has been set up correctly.
Action Use the show lacp interfaces interface-name command to check that LACP has been
enabled as active on one end.
show lacp interfaces xe-0/1/0
Aggregated interface: ae0
LACP state: Role Exp Def Dist Col Syn Aggr Timeout Activity
xe-0/1/0 Actor No Yes No No No Yes Fast Active
xe-0/1/0 Partner No Yes No No No Yes Fast Passive
LACP protocol: Receive State Transmit State Mux State
xe-0/1/0 Defaulted Fast periodic Detached
Verifying That the LACP Packets are Being Exchanged

Purpose To verify that LACP packets are being exchanged.
Action Use the show interfaces lag-namestatisticscommand to display LACP information.
show interfaces ae0 statistics
Physical interface: ae0, Enabled, Physical link is Down
Interface index: 153, SNMP ifIndex: 30

Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, Loopback: Disabled,
Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1,
Minimum bandwidth needed: 0
Device flags : Present Running
Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
Current address: 02:19:e2:50:45:e0, Hardware address: 02:19:e2:50:45:e0
Last flapped : Never
Statistics last cleared: Never
Input packets : 0
Output packets: 0
Input errors: 0, Output errors: 0
Logical interface ae0.0 (Index 71) (SNMP ifIndex 34)

Flags: Hardware-Down Device-Down SNMP-Traps Encapsulation: ENET2
Statistics Packets pps Bytes bps
Bundle:
Input : 0 0 0 0
Output: 0 0 0 0
Protocol inet, MTU: 1500
Flags: None
Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
Destination: 10.10.10/24, Local: 10.10.10.1, Broadcast: 10.10.10.255
What It Means The output here shows that the link is down and that no PDUs are being exchanged.
Troubleshooting
These are some tips for troubleshooting:
Troubleshooting Non-Working LACP Link

Problem LACP link is not working.

■ Remove LACP configuration and verify whether the static lag is up.
■ Verify that LACP is configured at both ends.
■ Verify that LACP is not passive at both ends.
■ Verify whether LACP protocol data units are being exchanged by running the
monitor traffic-interface lag-member detail command.
Related Topics

Wiring Closet
■ Example: Connecting an Access Switch to a Distribution Switch

Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File

You can deterministically control both the role and the member ID assigned to each
member switch in a virtual chassis by creating a preprovisioned configuration file.
A preprovisioned configuration file links the serial number of each EX 4200 switch
to a specified member ID and role. The serial number must be specified in the
configuration file in order for the member to be recognized as part of the virtual
chassis.
You must select two members that you want to make eligible for election as master
of the virtual chassis. When you list these two members in the preprovisioned
configuration file, you designate the member’s role as routing-engine. One will function
as the master of the virtual chassis and the other will function as the backup.
Additional members, not eligible for election as master, can be specified as linecard
in the preprovisioned configuration file.
NOTE: When you use a preprovisioned configuration, you cannot modify the
mastership priority or member ID of member switches through the user interfaces.
This example describes how to configure a virtual chassis across multiple wiring
closets using a preprovisioned configuration file:
Requirements

■ Five EX 4200-48P switches
■ Five EX 4200-24T switches
Example: Configuring a Virtual Chassis with a Preprovisioned Configuration File ■ 169

Before you create the preprovisioned configuration of the virtual chassis and
interconnect the members across the wiring closets, be sure you have:
1. Made a list of the serial numbers of all the switches to be connected as a virtual
chassis.
2. Noted the desired role (routing-engine or linecard) of each switch. If you configure
the member with a routing-engine role, it is eligible to function as a master or
backup. If you configure the member with a linecard role , it is not eligible to
become a master or backup.
3. Installed an EX-UM-2XFP uplink module in the member switches that will be
interconnected across wiring closets. See Installing an Uplink Module in an
EX-series Switch.
4. Interconnected the member switches within each wiring closet using the
dedicated VCPs on the rear panel of switches. See Connecting a Virtual Chassis
Cable to an EX-series Switch.
5. Powered on the switch that you plan to use as the master switch (SWA-0).
6. Run the EZ Setup program on SWA-0, specifying the identification parameters.
SWA-0 is going to be configured in the example to function as the master of the

virtual chassis. Thus, the properties that you specified for SWA-0 apply to the
entire virtual chassis, including all the member switches that you specify in the
preprovisioned configuration file.
[edit]
In this example, five EX 4200 switches (SWA-0 through SWA-4) are interconnected
with their dedicated VCPs in wiring closet A and five EX 4200 switches (SWA-5
through SWA-9) are interconnected with their dedicated VCPs in wiring closet B.
SWA-0 (in wiring closet A) is going to be the master of the virtual chassis. This example
shows how to create a preprovisioned configuration file on SWA-0 for all member
switches that will be interconnected in the virtual chassis. The preprovisioned
configuration file includes member IDs for the members in wiring closet A and for
the members in wiring closet B.
SWA-5 (in wiring closet B) is going to be the backup of the virtual chassis. Both SWA-0
and SWA-5 are specified in the preprovisioned configuration file with the role of
routing-engine. All other members are specified with the role of linecard.
If all member switches could be interconnected with their dedicated VCPs, you could
simply power on the switches after saving and committing the preprovisioned
configuration file. The master detects the connection of the members through the

dedicated VCPs and applies the parameters specified in the preprovisioned

configuration file.
However, the virtual chassis cables that interconnect the VCPs of member switches
within a single wiring closet are not long enough to connect member switches across
wiring closets. Instead, you can use the fiber cable connections in the EX-UM-2XFP
uplink modules to interconnect the member switches in wiring closet A to the member
switch in wiring closet B. For redundancy, this example connects uplink ports from
two member switches in wiring closet A (SWA–0 and SWA–2) to two member
switches (SWA-5 and SWA-7) in wiring closet B.
NOTE: To set an uplink as a VCP interface, it must be one of the 10–Gigabit uplinks
(EX-UM-2XFP uplink module). When a link is set as a VCP interface, it cannot be
used for any other purpose. The EX-UM-2XP uplink module has two ports. You can
set one uplink port as a VCP interface and configure the other port in trunk mode as
an uplink to a distribution switch.
Because this particular preprovisioned configuration is for a virtual chassis that is

interconnected across wiring closets, we will bring up the virtual chassis in stages.
First, we power on SWA-0 (without powering on any other switches) and create the
preprovisioned configuration file. Then we power on the remaining switches in wiring
closet A. If we check the status of the virtual chassis at this point by using the show
virtual-chassis status command, it will display only member 0 through member 4. The
members that have not yet been interconnected will not be listed.
Next power on SWA-5 without powering on the remaining switches (SWA-6 through
SWA-9) in wiring closet B. Bring up SWA-5 as a standalone switch and set one of its
uplinks as a VCP interface prior to interconnecting it with the virtual chassis in wiring
closet A. Without this setting, SWA-5 cannot be detected as a member switch by the
master of the virtual chassis.
You can set the uplink VCP of SWA–5 without running the EZ Setup program by
directly connecting to the console port. If you wish, you can run EZ Setup program
and specify identification parameters. When you interconnect SWA-5 with the master
of the virtual chassis, the master overwrites any conflicting parameters.
After setting the VCP uplink in SWA-5, connect this VCP uplink with the VCP uplink
of SWA-0 in wiring closet A. SWA-5 (serial number pqr678) is specified as a
routing-engine in the preprovisioned configuration file.
This example uses SWA-5 as the backup of the virtual chassis. If a problem occurs
in wiring closet A, SWA-5 would take control of the virtual chassis and maintain the
network connections. Specify both SWA-0 and SWA-5 as routing-engine. Because
SWA-0 is powered on prior to SWA-5, it has additional prioritization properties that
cause it to be elected as master of the virtual chassis.
After being physically interconnected with SWA-0, SWA-5 reboots and comes up as
member 5 and as the backup of the virtual chassis.
Power on the remaining switches (SWA-6 through SWA-9) in wiring closet B. The
master can now detect that all members are present. Finally, for redundancy,
configure an additional VCP uplink on SWA-7 through the master.

The topology for this example consists of:

■ Three EX 4200-48P switches (SWA-0 , SWA-2, and SWA-4) in wiring closet A.
■ Two EX 4200-48P switches (SWA-5 and SWA-9) in wiring closet B.
■ Two EX 4200-24T switches (SWA-1 and SWA-3) in wiring closet A.
■ Three EX 4200-24T switches (SWA-6, SWA-7, and SWA-8) in wiring closet B.
■ Four EX-UM-2XFP uplink modules. Two are installed in wiring closet A and two
are installed in wiring closet B.
Table 32 on page 172 shows the virtual chassis configuration settings for a
preprovisioned virtual chassis composed of member switches in different wiring
closets.
Table 32: Components of a preprovisioned Virtual Chassis Interconnected Across Multiple Wiring Closets
Switch Serial number Member ID Role Uplink Ports Hardware Location

SWA-0 abc123 0 routing-engine xe-0/1/0 EX 4200-48P Wiring closet A
and
EX-UM-2XFP
uplink module
SWA-1 def456 1 linecard EX 4200-24T Wiring closet A
SWA-2 ghi789 2 linecard xe-2/1/0 EX 4200-48P Wiring closet A
SWA-3 jkl012 3 linecard EX 4200-24T Wiring closet A
SWA-4 mno345 4 linecard EX 4200-48P Wiring closet A
SWA-5 pqr678 5 routing-engine xe-0/1/0 EX 4200-48P Wiring closet B

and
NOTE: The EX-UM-2XFP
member ID of uplink module
SWA-5 is 0 at
the time that its
uplink port is
configured as a
VCP.
SWA-6 stu901 6 linecard EX 4200-24T Wiring closet B
SWA-7 vwx234 7 linecard xe-7/1/0 EX 4200-24T Wiring closet B
SWA-8 yza567 8 linecard EX 4200-24T Wiring closet B
SWA-9 bcd890 9 linecard EX 4200-48P Wiring closet B
Figure 12 on page 173 shows the different types of interconnections used for this
virtual chassis configuration. The rear view shows that the member switches within
each wiring closet are interconnected to each other using the dedicated VCPs. The
front view shows that the uplink ports that have been set as VCPs and interconnected

across the wiring closets. The uplink ports that are not set as VCPs can be configured
as trunk ports to connect to a distribution switch.
NOTE: The interconnections shown in this figure are the same as they would be for
a nonprovisioned configuration across wiring closets.
Figure 12: Maximum Size Virtual Chassis Interconnected Across Wiring Closets
Configuration
To configure the virtual chassis across multiple wiring closets using a preprovisioned
configuration, perform these tasks:

CLI Quick Configuration To quickly configure SWA-0 with a preprovisioned configuration, copy the following
[edit]
set virtual-chassis pre-provisioned
set virtual-chassis member 0 serial-number abc123 role routing-engine
set virtual-chassis member 1 serial-number def456 role linecard
set virtual-chassis member 2 serial-number ghi789 role linecard
set virtual-chassis member 3 serial-number jkl012 role linecard
set virtual-chassis member 4 serial-number mno345 role linecard
set virtual-chassis member 5 serial-number pqr678 role routing-engine
set virtual-chassis member 6 serial-number stu901 role linecard
set virtual-chassis member 7 serial-number vwx234 role linecard
set virtual-chassis member 8 serial-number yza567 role linecard
set virtual-chassis member 9 serial-number bcd890 role linecard
Step-by-Step Procedure To create a preprovisioned configuration for the virtual chassis:
1. Specify the preprovisioned configuration mode:
user@SWA–0# set pre-provisioned
2. Specify all the members that will be included in the virtual chassis, listing each
switch's serial number with the desired member ID and the desired role:
user@SWA–0# set member 0 serial-number abc123 role routing-engine
user@SWA–0# set member 1 serial-number def456 role linecard
user@SWA–0# set member 2 serial-number ghi789 role linecard
user@SWA–0# set member 3 serial-number jkl012 role linecard
user@SWA–0# set member 4 serial-number mno345 role linecard
user@SWA–0# set member 5 serial-number pqr678 role routing-engine
user@SWA–0# set member 6 serial-number stu901 role linecard
user@SWA–0# set member 7 serial-number vwx234 role linecard
user@SWA-0# set member 8 serial-number yza567 role linecard
user@SWA–0# set member 9 serial-number bcd890 role linecard
3. Power on the member switches in wiring closet A.
4. Prepare the members in wiring closet A for interconnecting with the member
switches in wiring closet B by setting uplink VCPs for member 0 and member
2:

2
NOTE:
■ For redundancy, this example sets an uplink VCP interface in both SWA-0 and
SWA-2.
■ This example omits the specification of the member0 in setting the uplink for
SWA-0. The command applies by default to the switch where it is executed.
5. Power on and connect to SWA-5. This switch comes up as member ID 0 and

functions as master of itself. Although SWA-5 is listed in the preprovisioned
configuration file, it is not a present member of the virtual chassis that has been
powered on thus far. In order for the master to detect SWA-5 as a connected
member, you must first set an uplink VCP on SWA-5 and interconnect that VCP
uplink with the VCP uplink of SWA-0.
6. Set the first uplink of SWA-5 to function as a VCP interface. Because SWA-5 has
been powered on as a separate switch and is still operating independently at
this point, its member ID is 0.
user@SWA-5>request virtual-chassis vc-port set pic-slot 1 port 0
NOTE: This example omits the specification of the member0 in configuring the uplink
for SWA-5 (at this point the member ID of SWA-5 is still 0). The command applies
by default to the switch where it is executed.
7. Power off SWA-5 and connect the fiber cable from SWA-5 uplink port xe-0/1/0
to the uplink port xe-0/1/0 on SWA-0.
8. Power on SWA-5.
9. Now that SWA-5 has been brought up as member 5 of the virtual chassis, power
on the remaining switches (SWA-6 through SWA-9) in wiring closet B. They are
interconnected with SWA-5 using the dedicated VCPs on the rear panel and are
therefore detected by the master as interconnected members. If you check the
status of the virtual chassis at this point, all the members that were specified
in the preprovisioned configuration file should be displayed as present. Additional
configuration for member switches can now be done through the master switch.
10. Set one uplink port of SWA-7 to function as a VCP:

7
Results Display the results of the configuration on SWA-0:
[edit]
user@switch# show
virtual-chassis {
member 0 {
role routing-engine;
serial-number abc123;
}
member 1 {
role linecard;
serial-number def456;
}
member 2 {
role linecard;
serial-number ghi789;
}
member 3 {
role linecard;
serial-number jkl012;
}
member 4 {
role linecard;
serial-number mno345;
}
member 5 {
role routing-engine;
serial-number pqr678;
}
member 6 {
role linecard;
serial-number stu901;
}
member 7 {
role linecard;
serial-number vwx234;
}
member 8 {
role linecard;
serial-number yza567;
}
member 9 {
role linecard;
serial-number bcd890;
}
pre-provisioned;
}
Verification

■ Verifying That the Dedicated VCPs and Uplink VCPs Are Operational on page 178

Purpose Verify that the member IDs and roles are all set as expected.

Pre-Provisioned Virtual Chassis
Virtual Chassis ID: 0000.e255.0000

4 vcp-1
5 1/0
1 (FPC 1) Prsnt def456 ex4200-24t 0 Linecard 2 vcp-0

0 vcp—1
2 (FPC 2) Prsnt ghi789 ex4200-48p 0 Linecard 3 vcp-0

1 vcp-1
7 1/0
3 (FPC 3) Prsnt jkl012 ex4200-24t 0 Linecard 4 vcp-0

2 vcp-1
4 (FPC 4) Prsnt mno345 ex4200-48p 0 Linecard 0 vcp-0

3 vcp-1
5 FPC 5) Prsnt pqr678 ex4200-48p 129 Backup 6 vcp-0

9 vcp-1
0 1/0
6 (FPC 6) Prsnt stu901 ex4200-24t 0 Linecard 7 vcp-0

5 vcp-1
7 (FPC 7) Prsnt vwx234 ex4200-24t 0 Linecard 8 vcp-0

6 vcp-1
2 1/0
8 (FPC 8) Prsnt yza567 ex4200-24t 0 Linecard 9 vcp-0

7 vcp-1
9 (FPC 9) Prsnt bc7890 ex4200-48p 0 Linecard 5 vcp-0

8 vcp-1
What It Means The output shows that all members listed in the preprovisioned configuration file are
connected to the virtual chassis. It confirms that SWA-0 (member 0) is functioning
as the master of the virtual chassis, which was the intention of the configuration
procedure. The other configured routing-engine (SWA-5) is functioning as the backup.
The Neighbor List displays the interconnections of the member VCPs.
Verifying That the Dedicated VCPs and Uplink VCPs Are

Operational
Purpose Verify that the dedicated VCPs interconnecting the member switches within each
wiring closet and the uplink VCPs interconnecting the member switches across wiring
closets are operational.
Action Display the virtual chassis interfaces:

fpc0:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
1/0 Configured Up
fpc1:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc2:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
1/0 Configured Up
fpc3:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc4:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc5:
178 ■ Verifying That the Dedicated VCPs and Uplink VCPs Are Operational

or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
1/0 Configured Up
fpc6:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc7:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
1/0 Configured Up
fpc8:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc9:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
What It Means The dedicated VCPs interconnecting the member switches within wiring closets are
displayed as vcp-0 and vcp-1. The uplink VCP ports interconnecting member switches
(members 0, 2, 5 and 7) across wiring closets are displayed as 1/0 and 1/1 and
identified as Configured.
Troubleshooting
To troubleshoot a preprovisioned virtual chassis that is interconnected across wiring

closets, perform these tasks:

Problem A VCP interface shows a status of down.
Solution Check the cable to make sure that it is properly and securely connected to the ports.
Related Topics

Wiring Closet
Configuration
Closets
■ request virtual-chassis vc-port (Uplink Port)

Chapter 13
Configuring Virtual Chassis
■ Virtual Chassis Configuration Tasks on page 181
Virtual Chassis Configuration Tasks

■ Configuring a Virtual Chassis (J-Web Procedure) on page 181
■ Adding a New Switch to an Existing Virtual Chassis (CLI Procedure) on page 182
■ Configuring Mastership of the Virtual Chassis (CLI Procedure) on page 185
■ Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure) on page 187
■ Configuring the Virtual Management Ethernet Interface for Global Management
of a Virtual Chassis (CLI Procedure) on page 190
■ Configuring the Timer for the Backup Member to Start Using Its Own MAC
Address, as Master of Virtual Chassis (CLI Procedure) on page 191
Configuring a Virtual Chassis (J-Web Procedure)

To configure a virtual chassis using the J-Web interface:
1. From the Configure menu, select the option Virtual Chassis.
NOTE: The Virtual Chassis option is not available for Ex 2400 switches.
2. The properties you can configure are displayed .
The first section of the Virtual Chassis configuration page displays the virtual
chassis member configuration. the display includes a list of member switches,
their member IDs, and the mastership priority.
The second section displays the operational status of the virtual chassis, member
details, and the dedicated and configured virtual chassis ports (VCPs).
3. Enter information into the page as described in Table 33 on page 182.
4. Click one:
Virtual Chassis Configuration Tasks ■ 181

■ Add — To add a member's configuration to the virtual chassis, click Add.

■ Edit — To modify an existing member's configuration, click Edit.
■ Delete — To delete the configuration of a member, click Delete.
5. To configure an uplink as a VCP, select the member in the Virtual Chassis
members list and select Action > Select Uplink Port as VCP. Select the port from
the list.
6. To delete an uplink VCP from a member, select the member in the Virtual Chassis
members list and select Action > Delete Uplink Port as VCP.
Table 33: Virtual Chassis Configuration Fields
Member Details
Member ID Specifies the identifier for the member switch. The Select an identifier from the list. Select an
master switch assigns member IDs. ID from 0 through 9.
Priority Specifies the mastership priority to be assigned to the Select a number from 1 through 255, with
member. 255 being the highest priority (128 is the
default).
Disable If you want to reserve an individual member's Click to disable management VLAN on the
Management VLAN management Ethernet port for local troubleshooting, you port.
can remove that port from being part of the Virtual
Management Ethernet (VME).
Refresh Refreshes the operational status of virtual chassis Click to refresh the operational status.
members.
Related Topics

■ Monitoring Virtual Chassis Status and Statistics
Closets
Adding a New Switch to an Existing Virtual Chassis (CLI Procedure)

You can add one or more EX 4200 switches to an existing virtual chassis configuration.
Up to ten EX 4200 switches can be included within a virtual chassis.

Chapter 13: Configuring Virtual Chassis
To add a switch to an existing virtual chassis, use the procedure that matches what
you need to accomplish:
1. Adding a New Switch to an Existing Virtual Chassis Within the Same Wiring
Closet on page 183
2. Adding a New Switch from a Different Wiring Closet to an Existing Virtual
Chassis on page 184
Adding a New Switch to an Existing Virtual Chassis Within the Same Wiring
Closet

■ Installed the hardware components.
■ Mounted the new switch in a rack.
■ Confirmed that the new switch is powered off.
■ If you are expanding a preprovisioned configuration, made a note of the serial
number (on the back of the switch). You will need to edit the virtual chassis
configuration to include the serial number of the new member switch.
■ If you are expanding a preprovisioned configuration, edited the existing virtual
chassis configuration to include the serial number of the new member switch.
To add a new member switch to an existing virtual chassis within the same wiring
closet:
1. If the new member switch has been previously configured, reverted that switch’s
configuration to the factory defaults. See Reverting to the Default Factory
Configuration for the EX-series Switch.
2. Interconnect the unpowered new switch to at least one member of the existing
virtual chassis, using the dedicated virtual chassis ports (VCPs).
3. Power on the new switch.
4. Confirm that the new member switch is now included within the virtual chassis
by checking the front-panel display for the member ID. It should display a
member ID that is higher than 0 ( 1 through 9), because there is already at least
one member of the virtual chassis.
NOTE: If you are using a preprovisioned configuration, the member ID is assigned

to the member’s serial number in the configuration file.
Adding a New Switch to an Existing Virtual Chassis Within the Same Wiring Closet ■ 183
Adding a New Switch from a Different Wiring Closet to an Existing Virtual

Chassis
To add a new switch from a different wiring closet to an existing virtual chassis, you
must use a longer cable to connect the new member switch across wiring closets.
An EX-UM-2XFP uplink port and fiber optic cable can be used for this purpose. The
uplink ports on both sides of the link must be configured as virtual chassis port (VCPs).
The new member switch in the other wiring closet must first be powered on as a
standalone switch in order to configure its uplinks as VCPs. Otherwise, it cannot be
recognized as a member switch by the master.

■ Installed the hardware components.
■ Mounted the new switch in a rack.
■ If the new member switch has been previously configured, reverted to factory
defaults. See Reverting to the Default Factory Configuration for the EX-series
Switch.
■ If you are expanding a preprovisioned configuration, made a note of the serial
number (on the back of the switch). You will need to edit the virtual chassis
configuration to include the serial number of the new member switch.
■ If you are expanding a preprovisioned configuration, edited the existing virtual
chassis configuration to include the serial number of the new member switch.
You can specify the role of the new member switch when you add its serial
number in the virtual chassis configuration file. The parameters specified in the
master virtual-chassis configuration file are applied after the new member switch
has been interconnected with its uplink VCP.
■ Confirmed that the new, currently standalone switch is powered off.
■ Prepared an existing member for interconnecting with the new switch through
an uplink port by configuring an uplink port as a VCP on the existing member.
To add a new member switch that is going to be interconnected with the existing
virtual chassis across wiring closets:
1. Power on the new switch.
2. Connect a laptop or terminal to the console port of the switch, or use EZ Setup
on the standalone switch to specify temporary identification parameters. (When
you interconnect the new member switch with the existing virtual chassis, the
master will overwrite and disable any specified parameters that conflict with the
virtual chassis parameters or assigned member configuration.)
3. Use the CLI or the J-Web interface to set the uplink ports as VCP interfaces.
NOTE: If you are using a nonprovisioned configuration, you may wish to configure
the new member switch with a mastership priority value that is less than that of the
existing member switches. Doing so ensures that the new member switch will function
in a linecard role when it is included within the virtual chassis configuration.
4. Power off the new switch.
184 ■ Adding a New Switch from a Different Wiring Closet to an Existing Virtual Chassis
5. Interconnect the new member switch to at least one member of the existing
virtual chassis, using the uplink ports that have been configured as VCPs.
6. Power on the new member switch.
7. Confirm that the new member switch is now included within the virtual chassis
by checking the front-panel display for the member ID. It should display a
member ID that is higher than 0 (1 through 9), because there is already at least
one member of the virtual chassis.
NOTE: If you are using a preprovisioned configuration, the member-id is assigned

to the member's serial number in the configuration file.
Related Topics

Configuration
Closets
■ Replacing a Member Switch of a Virtual Chassis (CLI Procedure)
Configuring Mastership of the Virtual Chassis (CLI Procedure)

You can designate the role (master, backup, or linecard) that a member switch
performs within a virtual chassis whether you are using a preprovisioned or a
nonprovisioned configuration.
NOTE: A multimember virtual chassis has two Routing Engines, one in the master
and the other in the backup. Therefore, we recommend that you always use commit
synchronize rather than simply commit to save configuration changes made for a
virtual chassis. This ensures that the configuration changes are saved in both Routing
Engines.
1. Configuring Mastership Using a Preprovisioned Configuration File on page 186

2. Configuring Mastership Using a Nonprovisioned Configuration File on page 186

Configuring Mastership Using a Preprovisioned Configuration File
To configure mastership using a preprovisioned configuration:

1. Note the serial numbers of the switches that you want to function in the master
role and backup role.
2. Power on only the switch (SWA-0) that you want to function in the master role.
3. Edit the configuration to specify the preprovisioned configuration mode:
user@SWA-0# set pre-provisioned
4. List the serial numbers of the member switches that you want to function as
master and backup, specifying their role as routing-engine:
[edit]
user@SWA-0# set virtual-chassis member 0 serial-number abc123 role

routing-engine
user@SWA-0# set virtual-chassis member 2 serial-number def456 role

routing-engine
NOTE: You cannot directly modify the mastership priority value when you are using
a preprovisioned configuration. The mastership priority values are generated
automatically and controlled by the role that is assigned to the member switch in
the configuration file. The two routing engines are assigned the same mastership
priority value (129). However, the member that was powered on first has higher
prioritization according to the master election algorithm. See Understanding How
the Master in a Virtual Chassis Is Elected. Only two members can be specified with
the routing-engine role.
5. List the serial numbers of any other member switches that you want to include
in the virtual chassis. You may also specify their role as linecard, if desired.
Configuring Mastership Using a Nonprovisioned Configuration File
To configure mastership of the virtual chassis through a nonprovisioned configuration:

1. Power on only the switch that you want to function in the master role (SWA-0).
2. Configure the highest possible mastership priority value (255) for the member
that you want to function in the master role:
3. Configure the same mastership priority value (continue to edit the virtual chassis
configuration on the master) for the member that you want to be the backup
(SWA-1):
186 ■ Configuring Mastership Using a Preprovisioned Configuration File

NOTE: We recommend that the master and backup have the same mastership
priority value to prevent toggling back and forth between master and backup status
in failover conditions
4. Use the default mastership priority value (128) for the remaining member
switches or configure the mastership priority to a value that is lower than the
value specified for members functioning in the master and backup roles.
Related Topics
■ Configuring a Virtual Chassis (J-Web Procedure)

■ Verifying the Member ID, Role, and Neighbor Member Connections of a Virtual
Chassis Member
Setting an Uplink Port as a Virtual Chassis Port (CLI Procedure)

You can interconnect EX 4200 switches that are beyond the reach of the virtual
chassis cables as members of a virtual chassis configuration by installing the optional
uplink module (EX-UM-2XFP) and connecting the 10-Gbps fiber uplink ports. To use
the uplink ports for interconnecting member switches, you must explicitly set the
uplink ports VCPs.
NOTE: To use an uplink as a VCP, it must be one of the 10-Gigabit uplinks

(EX-UM-2XFP uplink module). When a link is set as a VCP, it cannot be used for any
other purpose. The EX-UM-2XP uplink module has two ports. You can set one port
as a VCP and use the other port as a regular uplink.
Before you set an uplink as a VCP:

1. Install the uplink module (EX-UM-2XFP) in the member switches that you want
to interconnect.
2. Power on and connect to the switch that you plan to designate as the master of
the virtual chassis.

NOTE: Do not power on the other switches at this point.
3. Run EZ Setup on the switch that you are configuring to be the master. Follow
the prompts to specify the host name and other identification, time zone, and
network properties. See Configuring Basic Settings for an EX-series Switch for
details. The properties that you specify for the master apply to the entire virtual
chassis, including all the member switches that you later interconnect with the
master.
4. If you want to configure and manage the virtual chassis remotely, specify the
VME global management interface. You can configure the VME global
management interface when you are setting up the master or you can do it after
completing the other configuration steps for the virtual chassis. See Configuring
the Virtual Management Ethernet Interface for Global Management of a Virtual
Chassis (CLI Procedure).
5. Configure mastership of the virtual chassis using either the nonprovisioned or
preprovisioned configuration. See Configuring Mastership of the Virtual Chassis
(CLI Procedure) for details.
NOTE: A multimember virtual chassis has two Routing Engines, one in the master
and the other in the backup. Therefore, we recommend that you always use commit
synchronize rather than simply commit to save configuration changes made for a
virtual chassis. This ensures that the configuration changes are saved in both Routing
Engines.
To interconnect a virtual chassis across longer distances, such as wiring closets, you
need to:
■ Prepare the existing virtual chassis for interconnecting with a potential member
switch that is beyond the reach of a virtual chassis cable by setting at least one
uplink VCP on an existing member of virtual chassis.
■ Prepare the potential member switch for interconnecting with the existing virtual
chassis by setting at least one uplink VCP on the standalone switch.
NOTE: We recommend that you set two uplink VCPs within each wiring closet for
redundancy.
1. Setting an Uplink VCP on the Master or on an Existing Member on page 188

2. Setting an Uplink VCP on a Standalone Switch on page 189
Setting an Uplink VCP on the Master or on an Existing Member
Set an uplink port of a virtual chassis member as a VCP by executing the operational
command request virtual-chassis vc-port on the master of the virtual chassis.
188 ■ Setting an Uplink VCP on the Master or on an Existing Member

To set the uplink ports for the master (for example, member 0) and for an existing
member (for example, member 1) to function as VCPs:
1. Set one uplink port of member 0 (the master) as a VCP interface. You do not
need to specify the member member-id option, because the command applies by
default on the member where it is executed.
2. Set one uplink port of member 1 as VCP interface.
user@SWA-0>request virtual-chassis vc-port set pic-slot 1 port 0 member

1
This example includes the member member-id option, because it is executed on

the master (the master is member 0).
Setting an Uplink VCP on a Standalone Switch
To set an uplink VCP on a switch that is not interconnected with the master through
the dedicated VCPs on the rear panel, first power on the switch as a standalone
switch. You must set an uplink port on the standalone switch as a VCP prior to
physically interconnecting the switch with the existing virtual chassis. Otherwise,
the master cannot detect that the switch is a member of the virtual chassis.
To set one uplink VCP on the potential member (SWA-2), which is currently operating
as a standalone switch:
1. Power on the standalone switch.
2. Set one uplink port as a VCP interface. You do not need to specify the member
member-id option, because the command applies by default on the member
where it is executed.
NOTE: If you do specify the member member-id option, use member ID 0. Because
the switch is not yet interconnected with the other members of the virtual chassis,
its current member ID is 0. Its member ID will change when it is interconnected with
the virtual chassis. It does not impact the functioning of the uplink VCP that its VCP
interface is set with 0 as the member ID. The VCP interface has significance only on
the local switch.
3. After you have set the uplink VCP on the standalone switch, physically
interconnect its uplink port with the VCP uplink ports of the members in the
existing virtual chassis.
4. The new member switch reboots and joins the now expanded virtual chassis
with a different member ID.
Setting an Uplink VCP on a Standalone Switch ■ 189

NOTE: Its setting for the uplink VCP remains intact and is not affected by the change
of member ID.
5. If you have additional members in the second wiring closet, set a redundant VCP
uplink on another member switch by issuing the command through the master
of the virtual chassis.
Related Topics

Closets
Configuring the Virtual Management Ethernet Interface for Global Management of a Virtual
Chassis (CLI Procedure)
If you want to configure and manage a virtual chassis remotely through SSH or Telnet,
configure the virtual management Ethernet (VME) interface on the master of the
virtual chassis. You can configure and manage all members of the virtual chassis
through this single global interface.
1. Power on the switch that you want to function as the master.
2. Check the front-panel LCD to confirm that the switch has powered on correctly.
3. Run the EZ Setup program on the switch, specifying the identification parameters.
To configure the VME:
[edit]
Related Topics
Understanding Global Management of a Virtual Chassis

Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as
Master of Virtual Chassis (CLI Procedure)
When a backup member takes control of a virtual chassis because of a reset or other
temporary failure, the backup uses the MAC address of the old master. This helps to
ensure a smooth transition of mastership with no disruption to network connectivity.
The MAC persistence timer is used in situations when the master is no longer a
member of the virtual chassis, because it has been physically disconnected or
removed. If the old master does not rejoin the virtual chassis before the timer elapses,
the new master starts using its own MAC address.
The default timer value is 10 minutes. There are no minimum or maximum limits.
Before you begin configuring the timer, ensure that you have at least two members
in the virtual chassis. To configure or modify the MAC persistence timer, use the
following command:
user@switch# set mac-persistence-timer 30
This command modifies the MAC persistence timer value to specify a timer value of
30 minutes rather than the default timer value of 10 minutes.
Related Topics

Configuring the Timer for the Backup Member to Start Using Its Own MAC Address, as Master of Virtual Chassis (CLI
Procedure) ■ 191

Chapter 14
Verifying Virtual Chassis
■ Virtual Chassis Verification Tasks on page 193
Virtual Chassis Verification Tasks

Chassis Member on page 193
■ Verifying That the Virtual Chassis Ports Are Operational on page 194
■ Monitoring Virtual Chassis Status and Statistics on page 195
■ Command Forwarding Usage with Virtual Chassis on page 196
■ Replacing a Member Switch of a Virtual Chassis (CLI Procedure) on page 199
Verifying the Member ID, Role, and Neighbor Member Connections

of a Virtual Chassis Member
Purpose You can designate the role that a member performs within a virtual chassis or you
can allow the role to be assigned by default. You can designate the member ID that
is assigned to a specific switch by creating a permanent association between the
switch’s serial number and a member ID, using a preprovisioned configuration. Or
you can let the member ID be assigned by the master, based on the sequence in
which the member switch is powered on and on which member IDs are currently
available.
The role and member ID of the member switch are displayed on the front-panel LCD.
Each member switch can be cabled to one or two other member switches, using
either the dedicated virtual chassis ports (VCPs) on the rear panel or an uplink port
that has been set as a VCP. The members that are cabled together are considered
neighbor members.
Action To display the role and member ID assignments using the CLI, use the show
virtual-chassis status command:

Member ID Status Serial No Model Priority Role ID, Interface
Virtual Chassis Verification Tasks ■ 193


2 vcp-1
1 (FPC 1) Prsnt def456 ex4200-24t 255 Backup 2 vcp-0

0 vcp-1

1 vcp-1
What It Means This output verifies that three EX 4200 switches have been interconnected as a virtual
chassis using their dedicated VCPs . The display shows which of the VCPs is connected
to which neighbor. The first port (vcp-0) of member 0 is connected to member 1 and
the second port of member 0 (vcp-1) is connected to member 2. The FPC slots for
EX-series switches are the same as the member IDs.
The Mastership Priority values indicate that the master and backup members have
been explicitly configured, because they are not using the default value (128).
Related Topics
■ Configuring Mastership of the Virtual Chassis (CLI Procedure)

Configuration
Verifying That the Virtual Chassis Ports Are Operational

Purpose Use the show virtual-chassis vc-port command to display the status of virtual chassis
ports (VCPs).
NOTE: The interfaces for VCPs are not displayed when you issue the show interfaces
command.
Action Display the VCP interfaces:

fpc0:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
1/0 Configured Up

Chapter 14: Verifying Virtual Chassis
fpc1:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
1/0 Configured Up
fpc2:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
1/0 Configured Up
fpc3:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
1/0 Configured Up
What It Means The dedicated VCPs are displayed as vcp-0 and vcp-1. The uplinks set as VCPs are
displayed as 1/0 and 1/. The FPC slots for EX-series switches are the same as the
member IDs.
Related Topics

Closets
Monitoring Virtual Chassis Status and Statistics

Purpose Use the monitoring functionality to view the following information about to virtual
chassis members and ports:
■ Member details and how members are connected with each other.
■ Traffic statistics between the virtual chassis ports of selected members.
Action To view virtual chassis monitoring details in the J-Web interface, select Monitor >
Virtual Chassis.
To view member details for all members in the CLI, enter the following command:

show virtual-chassis status
To view virtual-chassis port traffic statistics for a specific member in the CLI, enter
the following command:
show virtual-chassis vc-port statistics member member-id
What It Means In the J-Web interface the top half of the screen displays details of the virtual chassis,
such as:
■ Member ID
■ Priority
■ Role
■ Interface
■ The member ID of the neighboring switch
In the bottom half of the screen, select a member ID to view input and output rates.
Select the interval at which the charts must be refreshed. Click the Stop button to
stop fetching values from the switch, and click the Start button to start plotting data
again from the point where it was stopped.
For details about the output from CLI commands, refer to show virtual-chassis status
and show virtual-chassis vc-port statistics.
Related Topics

Wiring Closet
Chassis Member
Command Forwarding Usage with Virtual Chassis

Some CLI commands can be run either on all members of the virtual chassis or on
a specific member switch of the virtual chassis. This functionality is referred to as
command forwarding.
For example, to collect information about your system prior to contacting Juniper
Networks Technical Assistance Center (JTAC), use the command request support
information all-members to gather data for all the member switches. If you want to
gather this data only for a particular member switch, use the command request
support information member member-id.
Table 34 on page 197 provides a list of commands that can be run either on all
members of the virtual chassis or on a specific member switch.

Table 34: Commands That Can be Run on All or Specific Members of the Virtual Chassis
Commands Available for Purpose all-members member-member-id

Command Forwarding
request support information Use this command when you Displays information for all Displays information for the
contact JTAC about your members of the virtual specified member switch.
component problem. This chassis.
command is the equivalent
of using the following CLI
commands:
■ show version
■ show chassis firmware
■ show chassis hardware
■ show chassis
environment
■ show interfaces extensive
(for each configured
interface)
■ show configuration
(excluding any
SECRET-DATA)
■ show system
virtual-memory
request system partition Set up the hard disk for Partitions the hard disk on all Partitions the hard disk on
hard-disk partitioning. After this members of the virtual the specified member switch.
command is issued, the hard chassis.
disk is partitioned the next
time the system is rebooted.
When the hard disk is
partitioned, the contents of
/altroot and /altconfig are
saved and restored. All other
data on the hard disk is at
risk of being lost.
request system reboot Reboot JUNOS for EX-series Reboots all members of the Reboots the specified
software after a software virtual chassis. member switch.
upgrade and occasionally to
recover from an error
condition.
request system snapshot Back up the currently running Backs up the file systems on Backs up the file system on
and active file system. all members of the virtual the specified member switch.
chassis.
request system storage Free storage space on the Runs cleanup on all members Runs cleanup on the
cleanup switch by rotating log files of the virtual chassis. specified member switch.
and proposing a list of files
for deletion. User input is
required for file deletion.
show log user Display users who are Displays information for all Displays information for the
viewing the system log. members of the virtual specified member switch.
chassis.
Command Forwarding Usage with Virtual Chassis ■ 197

Table 34: Commands That Can be Run on All or Specific Members of the Virtual Chassis (continued)

Command Forwarding
show system alarms Display active system alarms. Displays information for all Displays information for the
members of the virtual specified member switch.
chassis.
show system audit Display the state and Displays information for all Displays information for the
checksum values for file members of the virtual specified member switch.
systems. chassis.
show system boot-messages Display initial messages Displays information for all Displays information for the
generated by the system members of the virtual specified member switch.
kernel upon startup. These chassis.
messages are the contents of
/var/run/dmesg.boot.
show system core-dumps Display a core file generated Displays information for all Displays information for the
by an internal JUNOS process. members of the virtual specified member switch.
chassis.
show system directory-usage Display directory usage Displays information for all Displays information for the
information. members of the virtual specified member switch.
chassis.
show system reboot Display pending system Displays information for all Displays information for the
reboots or halts. members of the virtual specified member switch.
chassis.
show system snapshot Display information about the Displays information for all Displays information for the
backup software that is members of the virtual specified member switch.
located in the /altroot and chassis.
/altconfig file systems. To
back up software, use the
request system snapshot
command.
show system software Display the JUNOS extensions Displays information for all Displays information for the
loaded on your switch. members of the virtual specified member switch.
chassis.
show system statistics Display systemwide Displays information for all Displays information for the
protocol-related statistics. members of the virtual specified member switch.
chassis.
show system storage Display statistics about the Displays information for all Displays information for the
amount of free disk space in members of the virtual specified member switch.
the switch's file systems. chassis.
show system uptime Display the current time and Displays information for all Displays information for the
information about how long members of the virtual specified member switch.
the switch, the switch chassis.
software, and any existing
protocols have been running
198 ■ Command Forwarding Usage with Virtual Chassis

Table 34: Commands That Can be Run on All or Specific Members of the Virtual Chassis (continued)

Command Forwarding
show system users Show all users who are Shows all users who are Shows all users who are
currently logged in. currently logged in to any currently logged in to the
members of the virtual specified member switch.
chassis.
show system virtual-memory Display the usage of JUNOS Displays information for all Displays information for the
kernel memory, listed first by members of the virtual specified member switch.
size of allocation and then by chassis.
type of usage. Use show
system virtual-memory for
troubleshooting with JTAC.
Table 35 on page 199 shows a list of commands that are relevant only to the master.
Do not use the options all-members or member-member-id with these commands.
Table 35: Commands Relevant Only to the Master
Commands Relevant Only to the Purpose

Master
set date Set the data and time.
show system buffers Display information about the buffer pool that the Routing Engine uses for local traffic.
Local traffic is the routing and management traffic that is exchanged between the Routing
Engine and the Packet Forwarding Engine within the switch, as well as the routing and
management traffic from IP (that is, from OSPF, BGP, SNMP, ping operations, and so on).
show system connections Display information about the active IP sockets on the Routing Engine. Use this command
to verify which servers are active on a system and which connections are currently in
progress.
show system processes Display information about software processes that are running on the switch and that have
controlling terminals.
Related Topics
■ JUNOS System Basics and Services Command Reference at

http://www.juniper.net/techpubs/software/junos/junos90
Replacing a Member Switch of a Virtual Chassis (CLI Procedure)

You can replace a member switch of a virtual chassis configuration without disrupting
network service for the other members. You can retain the existing configuration of
the member switch and apply it to a new member switch, or you can free up the
member ID and make it available for assignment to a new member switch.

To replace a member switch, use the procedure that matches what you need to
accomplish:
1. Remove, Repair, and Reinstall the Same Switch on page 200
2. Remove a Member Switch, Replace with a Different Switch, and Reapply the
Old Configuration on page 200
3. Remove a Member Switch and Make Its Member ID Available for Reassignment
to a Different Switch on page 201
Remove, Repair, and Reinstall the Same Switch
If you need to repair a member switch, you can remove it from the virtual chassis
without disrupting network service for the other members. The master stores the
configuration of the member ID so that it can be reapplied when the member switch
(with the same base MAC address) is reconnected.
1. Power off and disconnect the member switch to be repaired.
2. Repair, as necessary.
3. Reconnect and power on the member switch.
Remove a Member Switch, Replace with a Different Switch, and Reapply

the Old Configuration
If you are unable to repair a member switch, you can replace it with a different
member switch and retain the old configuration. The master stores the configuration
of the member that was removed. When you connect a different member switch,
the master assigns a new member ID. But the old configuration is still stored under
the previous member ID of the previous member switch.
NOTE: If you have used a preprovisioned configuration, use the replace command
to change the serial number in the virtual-chassis configuration file. Substitute the
serial number of the replacement member switch (on the back of the switch) for the
serial number of the member switch that was removed.
1. Power off and disconnect the member switch to be replaced.

2. If the replacement member switch has been previously configured, revert that
switch’s configuration to the factory defaults. See Reverting to the Default Factory
Configuration for the EX-series Switch.
3. Connect and power on the replacement member switch.
4. Note the member ID displayed on the front panel.
5. Use the request virtual-chassis renumber command to change the member
switch’s current member ID to the member ID that belonged to the member
switch that was removed from the virtual chassis).
200 ■ Remove, Repair, and Reinstall the Same Switch

Remove a Member Switch and Make Its Member ID Available for

Reassignment to a Different Switch
When you remove a member switch from the virtual chassis, the master keeps its
member ID on reserve. To make that member switch’s member ID available for
reassignment, use the request virtual-chassis recycle command.
Related Topics

■ Adding a New Switch to an Existing Virtual Chassis (CLI Procedure)
Remove a Member Switch and Make Its Member ID Available for Reassignment to a Different Switch ■ 201

Chapter 15
Troubleshooting Virtual Chassis
■ Troubleshooting a Virtual Chassis on page 203
Troubleshooting a Virtual Chassis

1. Clear Virtual Chassis NotPrsnt Status and Make Member ID Available for
Reassignment on page 203
2. Load Factory Default Does Not Commit on a Multi-Member Virtual
Chassis on page 203
3. Member ID Persists When Member Switch is Disconnected From Virtual
Chassis on page 204
Clear Virtual Chassis NotPrsnt Status and Make Member ID Available for Reassignment
Problem You disconnected an EX 4200 from the virtual chassis, but the disconnected switch’s
member ID is still displayed in the status output. You cannot reassign that member
ID to another switch.
Solution When you disconnect a member of a virtual chassis, the master retains the member
ID and member configuration in its configuration database. The show virtual-chassis
status command continues to display the member ID of the disconnected member
with a status of NotPrsnt.
If want to permanently disconnect the member switch, you can free up the member
ID by using the request virtual-chassis recycle command. This will also clear the
status of that member.
Load Factory Default Does Not Commit on a Multi-Member Virtual Chassis

Problem The load factory default command fails on multi-member virtual chassis.
Solution The load factory default command is not supported on a multi-member virtual chassis.
For information on how to revert to factory default settings, see Reverting to the
Default Factory Configuration for the EX-series Switch.
Troubleshooting a Virtual Chassis ■ 203

Member ID Persists When Member Switch is Disconnected From Virtual Chassis

Problem Gigabit Ethernet interfaces retain previous slot number when a member switch is
disconnected from the virtual chassis
Solution If a switch had been previously connected as a member of a virtual chassis, it retains
the member ID that it was assigned as a member of that configuration even after it
is disconnected and operating as a standalone switch. The interfaces that were
configured while the switch was a member of the virtual chassis retain the old member
ID as the first digit of the interface name.
For example, if the switch was previously member 1, its interfaces are named
ge-1/0/0 and so on.
To change the switch’s member ID, so that its member id is 0 and to rename the
switch’s interfaces accordingly, enter the following operational-mode commands:
1. To change the member ID to 0, use the request virtual-chassis renumber
command:
user@switch> request virtual-chassis renumber member—id 1 new-member—id

0
2. To rename the interfaces to match the new member id, use the replace command.
user@switch> replace ge-1/ with ge-0/
Related Topics
■ JUNOS Internet Software CLI User Guide at
http://www.juniper.net/techpubs/software/junos/junos90/
204 ■ Member ID Persists When Member Switch is Disconnected From Virtual Chassis
Chapter 16
Configuration Statements for Virtual
Chassis
■ Virtual Chassis Configuration Statement Hierarchy on page 205

■ Individual Virtual Chassis Configuration Statements on page 206
Virtual Chassis Configuration Statement Hierarchy

■ [edit chassis] Configuration Statement Hierarchy on page 205
■ [edit virtual-chassis] Configuration Statement Hierarchy on page 205
[edit chassis] Configuration Statement Hierarchy

chassis {
ethernet {
device-count number;
}
}
}
Related Topics
■ JUNOS Software Hierarchy and RFC Reference at

[edit virtual-chassis] Configuration Statement Hierarchy

virtual-chassis {
pre-provisioned;
member member-id {
no-management-vlan;
serial-number;
role;
}
traceoptions {
Virtual Chassis Configuration Statement Hierarchy ■ 205


<match regex>;
flag flag ;
}
}
Related Topics
Individual Virtual Chassis Configuration Statements
mac-persistence-timer
Syntax mac-persistence-timer minutes;
Hierarchy Level [edit virtual-chassis]
Release Information Statement introduced in JUNOS Release 9.0 for EX-series switches.
Description If the master is physically disconnected or removed from the virtual chassis, the MAC
persistence timer determines how long the backup (new master) continues to use
the address of the old master. When the MAC persistence timer expires, the backup
(new master) begins to use its own MAC address.
There are no minimum or maximum timer limits.
Default 10 minutes
Required Privilege Level routing—To view this statement in the configuration.

routing-control—To add this statement to the configuration.

Chapter 16: Configuration Statements for Virtual Chassis
mastership-priority
Syntax mastership-prioritynumber ;
Hierarchy Level [edit virtual-chassis member member-id]
Description The mastership priority value is the most important factor in determining the role
of the EX 4200 member switch within the virtual chassis. Other factors ( see
Understanding How the Master in a Virtual Chassis Is Elected) also affect the election
of the master.
The mastership priority value takes the highest precedence in the master election
algorithm. The member switch with highest mastership priority becomes the master
of the virtual chassis. Toggling back and forth between master and backup status in
failover conditions is undesirable, so we recommend that you assign the same
mastership priority value to both the master and the backup. Secondary factors in
the master election algorithm determine which of these two members (that is, the
two members that are assigned the highest mastership priority value) functions as
the master of the virtual chassis.
Default 128
Options number—Mastership priority value.

Range: 1 through 255
Related Topics
mastership-priority ■ 207
member
Syntax member member-id {

no-management-vlan;
serial-number;
role;
}
Description Configure an EX 4200 switch as a member of a virtual chassis.
Default When an EX 4200 is powered on as a standalone switch (not interconnected through

its virtual chassis ports with other EX 4200 switches), its default member ID is 0.
Options member-id—Identifies a specific member switch of a virtual chassis.

Range: 0 through 9
The remaining statements are explained separately.

Related Topics

208 ■ member
no-management-vlan
Syntax no-management-vlan;
Hierarchy Level [edit virtual-chassis member member-id]
Description Remove the specified member’s out-of-band management port from the Virtual
Management Ethernet (VME) global management VLAN of the virtual chassis.
For a member that is functioning in a linecard role, you can use this statement to
reserve the member's management Ethernet port for local troubleshooting:
virtual-chassis {
member 2 {
no-management-vlan;
}
}
You cannot configure the IP address for a local management Ethernet port using the
CLI or J-Web. To do this, you need to use the shell ifconfig command.

Related Topics
■ Understanding Global Management of a Virtual Chassis
no-management-vlan ■ 209
pre-provisioned
Syntax pre-provisioned;
member member-id {
serial-number;
role;
{
Description Enable the preprovisioned configuration mode for a virtual chassis. The statements
are explained separately.
When preprovisioned configuration mode is enabled, you cannot use the CLI or the
J-Web interface to change the mastership priority or member ID of member switches.

Related Topics

210 ■ pre-provisioned
role
Syntax role (routing-engine | line-card);
Hierarchy Level [edit virtual-chassis pre-provisioned member member-id]
Description In a preprovisioned configuration of a virtual chassis, specify the role to be performed
by each EX 4200 member switch. Associate the role permanently with the member’s
serial number.
Options routing-engine— Enables the member eligible to function as a master or backup of

the virtual chassis. The master manages all the members of the virtual chassis
and runs the chassis management processes and control protocols. The backup
synchronizes with the master in terms of protocol states, forwarding tables, and
so forth, so that it is prepared to preserve routing information and maintain
network connectivity without disruption in case the master is unavailable.
Specify two and only two members as routing-engine. The software determines
which of the two routing-engines functions as master, based on the master
election algorithm. See Understanding How the Master in a Virtual Chassis Is
Elected.
line-card—Enables the member to be eligible to function only in the linecard role.

Any member of the virtual chassis other than the master or backup functions in
the linecard role and runs only a subset of JUNOS for EX-series software. A
member functioning in the linecard role does not run the chassis control
protocols. A virtual chassis must have at least three members in order to include
a member that functions in the linecard role.
When you use a preprovisioned configuration, you cannot modify the mastership
priority or member ID of member switches through the user interfaces. The
mastership-priority value is generated by the software, based on the assigned
role:
■ A member configured as routing-engine is assigned the mastership-priority 129.
■ A member configured as line-card is assigned the mastership-priority 0.
■ A member listed in the preprovisioned configuration without an explicitly
specified role is assigned the mastership-priority 128.
The configured role specifications are permanent. If both routing-engine members

should fail, a line-card member cannot take over as master of the virtual chassis.
You must delete the preprovisioned configuration in order to change the specified
roles.
It is possible to explicitly configure two members as routing-engine, and to configure

additional switches as members of the preprovisioned virtual chassis by specifying
only their serial numbers. If you do not explicitly configure the role of the
additional members, they function in a linecard role by default. In that case, a
role ■ 211
member that is functioning in a linecard role can take over mastership if the
members functioning as master and backup both fail.

Related Topics

serial-number
Syntax serial-number serial-number;
Hierarchy Level [edit virtual-chassis pre-provisioned member member-id]
Description In a preprovisioned configuration of a virtual chassis, specify the serial number of
each EX 4200 member switch to be included in the virtual chassis. If you do not
include the serial number within the virtual chassis configuration, the switch cannot
be recognized as a member of a preprovisioned configuration.
Options serial-number—The switch’s permanent serial number, which is located on the back
of the switch.

Related Topics


traceoptions
Syntax traceoptions {
file filename <files number> <size size> <world-readable | no-world-readable> <match
regex>;
flag flag ;
}
Description Define tracing operations for the virtual chassis.
Default Tracing operations are disabled.
Options file filename—Name of the file to receive the output of the tracing operation. Enclose
the name within quotation marks. All files are placed in the directory /var/log.
file number—(Optional) Maximum number of trace files. When a trace file named
trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1,
and so on, until the maximum xk to specify KB, xm to specify MB, or xg to specify
GBnumber of trace files is reached. Then the oldest trace file is overwritten. If
you specify a maximum number of files, you also must specify a maximum file
size with the sizeoption.
Default: 3 files
flag flag—Tracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. You can include the following flags:
■ all—All tracing operations.
■ csn—Trace virtual chassis complete sequence number (CSN) packets.
■ error—Trace virtual chassis errored packets.
■ hello—Trace virtual chassis hello packets.
■ krt—Trace virtual chassis KRT events.
■ lsp—Trace virtual chassis link-state packets.
■ lsp-generation—Trace virtual chassis link-state packet generation.
■ me—Trace virtual chassis ME events.
■ packets—Trace virtual chassis packets.
■ parse—Trace reading of the configuration.
■ route—Trace virtual chassis routing information.
■ spf—Trace virtual chassis SPF events.
■ state—Trace virtual chassis state transitions.
traceoptions ■ 213
■ task—Trace virtual chassis task operations.
match regex—(Optional) Refine the output to include lines that contain the regular
expression.
no-world-readable—(Optional) Restricted file access to the user who created the file.
size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes
(MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum
size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum
number of trace files is reached. Then the oldest trace file is overwritten. If you
specify a maximum number of files, you also must specify a maximum file size
with the filesoption.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB
world-readable—(Optional) Enable unrestricted file access.

214 ■ traceoptions
virtual-chassis
Syntax virtual-chassis {
pre-provisioned;
member member-id {
no-management-vlan;
serial-number;
role;
}
traceoptions {
regex>;
flag flag ;
}
}
Hierarchy Level [edit]
Description Configure virtual chassis information on an EX 4200 switch.
The statements are explained separately.
Default A standalone EX 4200 switch is a virtual chassis by default. It has a default member
ID of 0, a default mastership priority of 128, and a default role as master.

Related Topics

Wiring Closet
virtual-chassis ■ 215

Chapter 17
Operational Mode Commands for Virtual
Chassis
■ Virtual Chassis Commands on page 217
Virtual Chassis Commands
Virtual Chassis Commands ■ 217

clear virtual-chassis vc-port statistics
Syntax clear virtual-chassis vc-port statistics <interface-name> member member-id
Description Reset the statistics of all the virtual chassis ports for the specified virtual chassis
member.
Options interface-name—(Optional) Name of the interface to be cleared of its traffic statistics.

Specify either vcp-0 or vcp-1
member member-id—Reset the VCP traffic statistics on the specified member of the
virtual chassis.
Related Topics
■ show virtual-chassis vc-port statistics

■ show virtual-chassis vc-port
List of Sample Output clear virtual-chassis vc-port statistics member 3 on page 218
clear virtual-chassis user@SWA-0> clear virtual-chassis vc-port statistics member 3

vc-port statistics Cleared statistics on member 3
member 3
218 ■ clear virtual-chassis vc-port statistics

Chapter 17: Operational Mode Commands for Virtual Chassis
request session member
Syntax request session member member-id
Description Starts a session with the specified member of a virtual chassis.
Options member-id—Select the specific member of the virtual chassis with which you want
to establish a session.
Required Privilege Level maintenance
Related Topics
member
request session member ■ 219

request virtual-chassis recycle
Syntax request virtual-chassis recycle member-id member-id
Description Make a previously used member ID available for reassignment.
When you remove a member switch from the virtual chassis, the master reserves
that member ID. To make the member ID available for reassignment, you must use
this command.
Options member-id member-id—Specify the member id that you want to make available for
reassignment to a different member switch.
Related Topics

■ request virtual-chassis renumber
List of Sample Output request virtual-chassis recycle member-id 3 on page 220
request virtual-chassis user@host> request virtual-chassis recycle member-id 3

recycle member-id 3
220 ■ request virtual-chassis recycle

request virtual-chassis vc-port
Syntax request virtual-chassis vc-port set|delete pic-slot pic-slot port port-number

<(all-members | member member-id)>
Description Enable or disable an uplink port (on the EX-UM-2XFP uplink module) as a virtual
chassis port (VCP) interface.
Options pic-slot pic-slot—Number of the PIC slot for the uplink. Specify 1 to represent the
uplink module PIC on the EX-series switch.
port port-number—Number of the uplink module port (0 or 1) that is to be enabled

or disabled as a VCP interface.
all-members—(Optional) Enable or disable the specified uplink VCP interface on all

members of the virtual chassis.
member member-id—(Optional) Enable or disable the specified VCP uplink interface

on the specified member of the virtual chassis.
Additional Information If you omit (all-members | member member-id), this command defaults to enabling
or disabling the uplink VCP interface on the switch where the command is issued.
Related Topics

■ request virtual-chassis vc-port
■ clear virtual-chassis vc-port statistics
List of Sample Output request virtual-chassis vc-port set pic-slot 1 port 0 on page 221
request virtual-chassis vc-port set pic-slot 1 port 0 all-members on page 221
request virtual-chassis vc-port set pic-slot 1 port 1 member 3 on page 222
request virtual-chassis vc-port delete pic-slot 1 port 1 member 3 on page 222
request virtual-chassis user@host>request virtual-chassis vc-port set pic-slot 1 port 0

vc-port set pic-slot 1
port 0 To check the results of this command, use the show virtual-chassis vc-port command.
request virtual-chassis user@host>request virtual-chassis vc-port set pic-slot 1 port 0 all-members

port 0 all-members To check the results of this command, use the show virtual-chassis vc-port command.
request virtual-chassis vc-port ■ 221

request virtual-chassis user@host>request virtual-chassis vc-port set pic-slot 1 port 1 member 3

port 1 member 3 To check the results of this command, use the show virtual-chassis vc-port command.
request virtual-chassis user@host>request virtual-chassis vc-port delete pic-slot 1 port 1 member 3

vc-port delete pic-slot 1
port 1 member 3 To check the results of this command, use the show virtual-chassis vc-port command.

request virtual-chassis vc-port
Syntax request virtual-chassis vc-port set interface vcp-interface-name

<(all-members | member member-id)>< disable>
Description Disable or enable a virtual chassis port (VCP) interface for a dedicated VCP on the
rear panel of the virtual chassis.
Options interface vcp-interface-name —Name of the interface to enable or disable. Specify

either vcp-0 or vcp-1.
all-members —(Optional) Enable or disable the specified VCP interface on all members
of the virtual chassis.
member member-id —(Optional) Enable or disable the specified VCP interface on the
specified member of the virtual chassis.
disable —(Optional) Disable the specified VCP. If you omit this keyword, the command
enables the dedicated VCP interface.
Additional Information If you omit (all-members | member member-id), this command defaults to disabling
or enabling the dedicated VCP interface on the switch where the command is issued.
The dedicated VCP interfaces are enabled in the factory default configuration.
Related Topics

■ request virtual-chassis vc-port
List of Sample Output request virtual-chassis vc-port set interface vcp-0 disable on page 223
request virtual-chassis vc-port set interface vcp-0 all-members disable on page 223
request virtual-chassis vc-port set interface vcp-0 member 3 disable on page 224
request virtual-chassis vc-port set interface vcp-1 all-members on page 224
request virtual-chassis user@host> request virtual-chassis vc-port set interface vcp-0 disable
vc-port set interface
vcp-0 disable To check the results of this command, use the show virtual-chassis vc-port command.
request virtual-chassis user@host> crequest virtual-chassis vc-port set interface vcp-0 all-members disable
To check the results of this command, use the show virtual-chassis vc-port command.
request virtual-chassis vc-port ■ 223

vcp-0 all-members
disable
request virtual-chassis user@host> request virtual-chassis vc-port set interface vcp-0 member 3 disable
vcp-0 member 3 disable To check the results of this command, use the show virtual-chassis vc-port command.
request virtual-chassis user@host>request virtual-chassis vc-port set interface vcp-1 all-members

vcp-1 all-members

request virtual-chassis renumber
Syntax request virtual-chassis renumber member-id old-member-id new-member-id new-member-id
Description Renumber a member of a virtual chassis.
Options member-id old-member-id—Specify the ID of the member that you wish to renumber.
new-member-id new-member-id—Specify an unassigned member ID (from 0 through

9).
Related Topics
request virtual-chassis recycle

List of Sample Output request virtual-chassis renumber member-id 5 new-member-id 4 on page 225
request virtual-chassis user@SWA-0> request virtual-chassis renumber member-id 5 new-member-id 4

renumber member-id 5
new-member-id 4
request virtual-chassis renumber ■ 225

show system uptime
Syntax show system uptime (all members | member member-id)
Release Information all-members | member member-id Options introduced in JUNOS Release 9.0 for
EX-series switches.
Description Display the current time and information about how long the virtual chassis, virtual
chassis software, and routing protocols have been running.
Options all-members—Display the current time and information about how long the virtual
chassis, virtual chassis software, and routing protocols have been running for all
the member switches of the virtual chassis.
member member-id—Display the current time and information about how long the
virtual chassis, virtual-chassis software, and routing protocols have been running
for the specific member of the virtual chassis.
Related Topics
■ virtual-chassis
■ member
List of Sample Output show system uptime member 0 on page 227

Output Fields Table 36 on page 226 lists the output fields for the show system uptime virtual-chassis
command. Output fields are listed in the approximate order in which they appear.
Table 36: show system uptime virtual-chassis Output Fields
Field Name Field Description Level of Output
Current time Current system time in UTC.
System booted Date and time when the switch was last booted and how long it has been
running.
Protocols started Date and time when the routing protocols were last started and how long they
have been running.
Last configured Date and time when a configuration was last committed. Also shows the name
of the user who issued the last commit command.
Time and up Current time, in the local time zone, and how long the switch has been
operational.
Users Number of users logged into the switch.
Load averages Load averages for the last 1 minute, 5 minutes, and 15 minutes.
226 ■ show system uptime

show system uptime user@host>show system uptime member 0

member 0 fpc0:
------------------------------------------------------------------------
Current time: 2008-02-06 05:24:20 UTC
System booted: 2008-01-31 08:26:54 UTC (5d 20:57 ago)
Protocols started: 2008-01-31 08:27:56 UTC (5d 20:56 ago)
Last configured: 2008-02-05 03:26:43 UTC (1d 01:57 ago) by root
5:24AM up 5 days, 20:57, 1 user, load averages: 0.14, 0.06, 0.01

show virtual-chassis active topology
Syntax show virtual-chassis active-topology

Description Display the active topology of the virtual chassis with reachability information.
Options none—Display the active topology of the member switch where the command is
issued.
all-members—Display the active topology of all members of the virtual chassis.
membermember-id—Display the active topology of a specified member of the virtual

chassis.
Related Topics
List of Sample Output show virtual-chassis active-topology on page 228

Output Fields Table 37 on page 228 lists the output fields for the show virtual-chassis active-topology
Table 37: show virtual-chassis active-topology Output Fields
Destination ID Specifies the member ID of the destination.
Next-hop Specifies the member ID and VCP of the next-hop to which packets for the destination ID are forwarded.
show virtual-chassis user@SWA-0> show virtual-chassis active-topology

active-topology 1 1(vcp-1)
2 1(vcp-1)
3 1(vcp-1)
4 1(vcp-1)
228 ■ show virtual-chassis active topology

5 8(vcp-0) 1(vcp-1)
6 8(vcp-0)
7 8(vcp-0)
8 8(vcp-0)

show virtual-chassis status
Syntax show virtual-chassis status
Description Display information about all the members of the virtual chassis.
Options none—Display all information for all member switches of the virtual chassis.
Related Topics
Output Fields Table 38 on page 1020 lists the output fields for the show virtual-chassis command.
Table 38: show virtual-chassis Output Fields
Virtual Chassis ID Assigned ID that applies to the entire virtual chassis configuration.
Member ID Assigned member ID and FPC slot (from 0 through 9).
Status For a nonprovisioned configuration:

■ Prsnt for a member that is currently connected to the virtual chassis
■ NotPrsnt for a member ID that has been assigned but is not currently
connected
For a preprovisioned configuration:

■ Prsnt for a member that is specified in the preprovisioned configuration
file and is currently connected to the virtual chassis.
■ Unprvsnd for a member that is interconnected with the virtual chassis, but
is not specified in the preprovisioned configuration file.
Serial No Serial number of the member switch.
Model Model number of the member switch.
Mastership Priority Mastership priority value of the member switch.
Role Role of the member switch.
Neighbor List Member ID of the neighbor member to which this member’s VCP interface is
connected.
230 ■ show virtual-chassis status

show virtual-chassis user@SWA-0> show virtual-chassis status

status
Virtual Chassis ID: 0019.e250.47a0
Member ID Status Serial No Model priority Role ID Interface
0 (FPC 0) Prsnt AK0207360276 ex4200-24t 249 Master* 8 vcp-0
1 vcp-1
1 (FPC 1) Prsnt AK0207360281 ex4200-24t 248 Backup 0 vcp-0
2 vcp-1
2 (FPC 2) Prsnt AJ0207391130 ex4200-48p 247 Linecard 1 vcp-0
3 vcp-1
3 (FPC 3) Prsnt AK0207360280 ex4200-24t 246 Linecard 2 vcp-0
4 vcp-1
4 (FPC 4) Prsnt AJ0207391113 ex4200-48p 245 Linecard 3 vcp-0
5 vcp-1
5 (FPC 5) Prsnt BP0207452204 ex4200-48t 244 Linecard 4 vcp-0
6 vcp-1
6 (FPC 6) Prsnt BP0207452222 ex4200-48t 243 Linecard 5 vcp-0
7 vcp-1
7 (FPC 7) Prsnt BR0207432028 ex4200-24f 242 Linecard 6 vcp-0
8 vcp-1
8 (FPC 8) Prsnt BR0207431996 ex4200-24f 241 Linecard 7 vcp-0
0 vcp-1
Member ID for next new member: 9 (FPC 9)

show virtual-chassis vc-port
Syntax show virtual-chassis vc-port

Description Display the status of the virtual chassis ports (VCPs), including both the dedicated
VCPs and the uplinks set as VCPs.
Options none—Display the operational status of all the virtual chassis ports of the member
switch where the command is issued.
all-members—(Optional) Display the operational status of all the virtual chassis ports
on all members of the virtual chassis.
member member-id—(Optional) Display the operational status of all the virtual chassis
ports for the specified member of the virtual chassis.
Related Topics

List of Sample Output show virtual-chassis vc-port on page 233

show virtual-chassis vc-port all-members on page 233
Output Fields Table 39 on page 232 lists the output fields for the show virtual-chassis vc-port
Table 39: show virtual-chassis vc-port Output Fields
fpcnumber The fpc number is the same as the member ID.
Interface or PIC/Port VCP interface name. Unlike network interfaces, a VCP interface name does
not include a slot number (member ID).
■ The dedicated VCP interfaces are vcp-0 and vcp-1.
■ The uplink ports set as a VCP interfaces are named 1/0 and 1/1,
representing the PIC number and port number.
Type Type of VCP:

■ dedicated (on the rear panel)
■ configured (uplink port configured as a VCP)
232 ■ show virtual-chassis vc-port

Table 39: show virtual-chassis vc-port Output Fields (continued)
Status Interface status: down or up.
show virtual-chassis user@SWA-0> show virtual-chassis vc-port

vc-port
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
1/0 Configured Down
1/1 Configured Up
show virtual-chassis user@SWA-0> show virtual-chassis vc-port all-members

vc-port all-members
fpc0:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
1/0 Configured Down
1/1 Configured Up
fpc1:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc2:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc3:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc4:
--------------------------------------------------------------------------
or

PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc5:

or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc6:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc7:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up
fpc8:
--------------------------------------------------------------------------
or
PIC / Port
vcp-0 Dedicated Up
vcp-1 Dedicated Up

show virtual-chassis vc-port statistics
Syntax show virtual-chassis vc-port statistics member member-id
Description Display the traffic statistics of the virtual chassis ports for the selected virtual chassis
member.
Options member member-id—Display the traffic statistics for the virtual chassis ports of the
specified virtual chassis member.
Related Topics

List of Sample Output show virtual-chassis vc-port statistics member 0 on page 235
Output Fields Table 40 on page 235 lists the output fields for the show virtual-chassis vc-port statistics
Table 40: show virtual-chassis vc-port statistics Output Fields
Member ID ID of the specified member.
Port RX (Receive) and TX (Transmit )statistics reported by the VCP subsystem for
internal ports and for the dedicated VCPs (vcp-0 and vcp-1).
show virtual-chassis user@SWA-0>show virtual-chassis vc-port statistics member 0

vc-port statistics Member ID: 0 Port: internal-0/24
member 0 RX TX
Total octets: 0 0
Total packets: 0 0
Member ID: 0 Port: internal-0/27

RX TX
Total octets: 0 0
Total packets: 0 0

RX TX
Total octets: 0 0
Total packets: 0 0
show virtual-chassis vc-port statistics ■ 235


RX TX
Total octets: 0 0
Total packets: 0 0
Member ID: 0 Port: vcp-0

RX TX
Total octets: 586511032 210691704
Total packets: 2927355 1987210
Member ID: 0 Port: vcp-1

RX TX
Total octets: 0 0
Total packets: 0 0

Part 7
Interfaces
■ Understanding Interfaces on page 239
■ Examples of Configuring Interfaces on page 245
■ Configuring Interfaces on page 257
■ Verifying Interfaces on page 267
■ Troubleshooting Interfaces on page 271
■ Configuration Statements for Interfaces on page 277
■ Operational Mode Commands for Interfaces on page 295
Interfaces ■ 237
238 ■ Interfaces
Chapter 18
Understanding Interfaces
■ EX-series Switches Interfaces Overview on page 239

■ Understanding Interface Naming Conventions on EX-series Switches on page 241
■ Understanding Aggregated Ethernet Interfaces and LACP on page 243
EX-series Switches Interfaces Overview

EX-series switches have two types of interfaces: network and special interfaces. This
topic provides brief information on these interfaces, including interfaces that have
been added for EX-series switches. For additional information, see the Network
Interfaces Configuration Guide at
■ Network Interfaces on page 239

■ Special Interfaces on page 240
Network Interfaces
Network interfaces connect to the network and carry network traffic. EX-series
switches support the following types of network interfaces:
■ LAN access interfaces—EX-series switches provide either 24 or 48 network ports,
depending on the switch model. These ports can be used to connect a personal
computer, laptop, file server, or printer to the network. When you power on an
EX-series switch and use the factory-default configuration, the software
automatically configures interfaces in access mode for each of the network ports.
The default configuration also enables auto-negotiation for both speed and for
link mode.
■ Trunk interfaces—EX-series access switches can be connected to a distribution
switch or customer edge (CE) router. To use a port for this type of connection,
you must explicitly configure the port interface for trunk mode. The interfaces
from the distribution switch to the access switches should also be configured for
trunk mode.
■ Power over Ethernet (PoE) interfaces— EX-series switches provide PoE network
ports with the various switch models providing either 8, 24, or 48 PoE ports.
These ports can be used to connect VoIP telephones, wireless access points,
video cameras, and point-of-sale devices to safely receive power from the same
EX-series Switches Interfaces Overview ■ 239

access ports that are used to connect personal computers to the network. PoE
interfaces are enabled by default in the factory configuration.
■ Aggregated Ethernet interfaces—EX 3200 and EX 4200 switches allow you to
group Ethernet interfaces at the physical layer to form a single link layer interface,
also known as a link aggregation group (LAG) or bundle. These aggregated Ethernet
interfaces help to balance traffic and increase the uplink bandwidth.
Special Interfaces
Special interfaces include:
■ Virtual chassis port (VCP) interfaces—Each EX 4200 switch has two dedicated
virtual chassis ports (VCPs) on its rear panel. These ports can be used to
interconnect two to ten EX 4200 switches as a virtual chassis, which functions
as a single network entity. See Understanding the High Speed Interconnection
of the Virtual Chassis Members. When you power on EX-series switches that are
interconnected in this manner, the software automatically configures the VCP
interfaces for the dedicated ports that have been interconnected. These VCP
interfaces, which are called vcp-0 and vcp-1, are not configurable or modifiable.
It is also possible to interconnect EX 4200 switches across wider distances (up
to 40 km) by using the EX-UM-2XFP uplink module ports. To use an EX-UM-2XFP
uplink module port as a virtual chassis port, you must explicitly set the uplink
VCP interface using the request virtual-chassis vc-port command.
■ Management interface—The JUNOS for EX-series software automatically creates
the switch's management Ethernet interface, me0. The management Ethernet
interface provides an out-of-band method for connecting to the switch. To use
me0 as a management port, you must configure its logical port, me0.0, with a
valid IP address. You can connect to the management interface over the network
using utilities such as ssh and telnet. Simple Network Management Protocol
(SNMP) can use the management interface to gather statistics from the switch.
(The management interface me0 is analogous to the fxp0 interfaces on JUNOS
routers.)
■ Virtual Management Ethernet (VME) interface—On EX 4200 series switches,
there is a VME interface. This is a logical interface that is used for virtual chassis
configurations and allows you to manage all the members of the virtual chassis
through the master. For more information on VME, see Understanding Global
Management of a Virtual Chassis and Configuring the Virtual Management
Ethernet Interface for Global Management of a Virtual Chassis (CLI Procedure).
■ Console port—Each EX-series switch has a serial port, labeled console, for
connecting tty-type terminals to the switch using standard PC-type tty cables.
The console port does not have a physical address or IP address associated with
it. However, it is an interface in the sense that it provide access to the switch.
On EX 4200 switches that are configured as a virtual chassis, you can access the
master and configure all members of the virtual chassis through any member's
console port. For more information on the console port in a virtual chassis, see
Understanding Global Management of a Virtual Chassis.
■ Loopback—A software-only virtual interface that is always up. This interface
provides a stable and consistent interface and IP address on the switch.
240 ■ Special Interfaces

Chapter 18: Understanding Interfaces
Related Topics
■ Understanding Interface Naming Conventions on EX-series Switches
■ Understanding Aggregated Ethernet Interfaces and LACP
Understanding Interface Naming Conventions on EX-series Switches

EX-series switches use a naming convention that is similar to that of other JUNOS
platforms for defining the interfaces. This topic provides brief information on the
naming conventions used for interfaces on EX-series switches. For additional
information, see the Network Interfaces Configuration Guide at
■ Physical Part of an Interface Name on page 241

■ Logical Part of an Interface Name on page 242
■ Wildcard Characters in Interface Names on page 243
Physical Part of an Interface Name

When you define an interface, you specify the interface type, the FPC slot in which
the Physical Interface Module (PIM) is installed, the PIC within the FPC, and the port
on that PIC. A hyphen (-) separates the interface type from the slot number, and a
slash (/) separates the slot number, PIC number, and port numbers:
type-slot/pic/port
The EX-series switches apply this convention as follows:

■ type—EX-series interfaces use the following media types:
■ ge- Gigabit Ethernet interface
■ xe-10 Gigabit Ethernet interface (These are the ports on the EX-UM-2XFP
uplink module.)
■ slot number/member-id—EX-series interfaces use the following slot numbers

(equivalent to member ID):
■ EX 3200 switches have only one FPC slot for the network ports. It is slot
number 0.
■ An individual, standalone EX 4200 switch has only one FPC slot number. It
is slot number 0.
■ If an EX 4200 switch is interconnected with other switches in a virtual chassis,

each individual switch that is included as a member of the virtual chassis is

identified with a member id. The member ID functions as an FPC slot number.
When you are configuring interfaces for a virtual chassis, you specify the
appropriate member ID 0 through 9 as the slot of the interface name.
■ PIC number—EX-series interfaces use the following PIC numbers:

■ Use the number 0 to specify the PIC for any network port on the switch
itself.
■ If you are configuring a port on an uplink module, use the number 1 as the
PIC.
■ port number—EX-series interfaces use the following port numbers:
The network ports are on the front panel of the switch and are labeled from left
to right starting with 0 followed by the remaining even numbered ports in the
top row and 1 followed by the remaining odd number ports in the bottom row.
(On the partial PoE switches, port numbers 0 through 7 have a label that is a
different color from the labels on the remaining ports to indicate that these first
eight ports are PoE ports.)
Figure 13 on page 242 shows the network ports on a 24–port EX-series switch.
Figure 13: Port Numbers on the 24-Port EX-series Switch
Figure 14 on page 242 shows the network ports on a 48–port EX-series switch.
Figure 14: Port Number on the 48-Port EX-series Switch
Logical Part of an Interface Name

The logical unit part of the interface name corresponds to the logical unit number,
which can be a number from 0 through 16384. In the virtual part of the name, a
period (.) separates the port and logical unit numbers: media-type-fpc/pic/port.logical.
For example, if you issue the show ethernet-switching interfaces command on a system
with a default VLAN, the resulting display shows the logical interfaces associated
with the VLAN:
242 ■ Logical Part of an Interface Name

Chapter 18: Understanding Interfaces
Interface State VLAN members Blocking

ge-0/0/0.0 down remote-analyzer unblocked
ge-0/0/1.0 down default unblocked
When you configure aggregated Ethernet interfaces, you configure a logical interface
that is called a bundle or a LAG. Each LAG can include up to eight Ethernet interfaces.
Wildcard Characters in Interface Names
In the show interfaces and clear interfaces commands, you can use wildcard characters
in the interface-name option to specify groups of interface names without having to
type each name individually. You must enclose all wildcard characters except the
asterisk (*) in quotation marks (" ").
Related Topics
Understanding Aggregated Ethernet Interfaces and LACP

IEEE 802.3ad link aggregation enables you to group Ethernet interfaces to form a
single link layer interface, also known as a link aggregation group (LAG) or bundle.
Link aggregation can be used for point-to-point connections. It balances traffic across
the member links within an aggregated Ethernet bundle and effectively increases
the uplink bandwidth. Another advantage of link aggregation is increased availability,
because the LAG is composed of multiple member links. If one member link fails,
the LAG continues to carry traffic over the remaining links.
■ Link Aggregation Group (LAG) on page 243
■ Link Aggregation Control Protocol (LACP) on page 244
Link Aggregation Group (LAG)

You configure a LAG by specifying the link number as a physical device and then
associating a set of ports with the link. All the ports must have the same speed and
be in full-duplex mode. JUNOS software for EX-series switches assigns a unique ID
and port priority to each port. The ID and priority are not configurable. When
configuring LAG, consider the following guidelines:
Wildcard Characters in Interface Names ■ 243

■ Up to 8 Ethernet ports can be created in each bundle.

■ Up to 128 LAGs are supported in a virtual chassis configuration.
■ LAG must be configured on both sides of the link.
■ The ports on either side of the link must be set to the same speed.
NOTE: The interfaces that are included within a bundle or LAG are sometimes referred
to as member interfaces. Do not confused this term with member switches, which
refers to EX 4200 switches that are interconnected as a virtual chassis. It is possible
to create a LAG that is composed of member interfaces, located in different member
switches of a virtual chassis.
A typical deployment for LAG would be to aggregate trunk links between an access
switch and a distribution switch or customer edge (CE) router. LAG is not supported
on virtual chassis port links. LAG can only be used for a point-to-point connection.
Link Aggregation Control Protocol (LACP)

LACP, a subcomponent of IEEE 802.3ad, provides additional functionality for LAG.
When LACP is configured, it detects misconfigurations on the local end or the remote
end of the link.
About enabling LACP:

■ When LACP is not enabled, a local LAG might attempt to transmit packets to a
remote single interface, which causes the communication to fail.
■ When LACP is enabled, a local LAG cannot transmit packets unless a LAG with
LACP is also configured on the remote end of the link.
By default, Ethernet links do not exchange protocol data units (PDUs), which contain
information about the state of the link. You can configure Ethernet links to actively
transmit PDUs, or you can configure the links to passively transmit them, sending
out LACP PDUs only when they receive them from another link. The transmitting
link is known as the actor and the receiving link is known as the partner.
Related Topics
■ Network Interfaces Configuration Guide at

244 ■ Link Aggregation Control Protocol (LACP)

Chapter 19
Examples of Configuring Interfaces

Chassis Access Switch and a Virtual Chassis Distribution Switch on page 245
Switch on page 252
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual

manner are referred to as a link aggregation group (LAG) or bundle.
This example describes how to configure uplink LAGs to connect a virtual chassis
access switch to a virtual chassis distribution switch:
Requirements
Before you configure the LAGs, be sure you have:
Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch ■ 245
■ Configured the virtual chassis switches. See Example: Configuring a Virtual

Chassis with a Master and Backup in a Single Wiring Closet.

For maximum speed and resiliency, you can combine uplinks between an access
switch and a distribution switch into LAGs. Using LAGs can be particularly effective
when connecting a multi-member, virtual-chassis access switch to a multi-member
virtual-chassis distribution switch.
The virtual chassis access switch in this example is composed of two member
switches. Each member switch has an uplink module with two 10-Gigabit Ethernet
ports. These ports are configured as trunk ports, connecting the access switch with
the distribution switch.
Configuring the uplinks as LAGs has the following advantages:

■ It doubles the speed of each uplink from 10 Gbps to 20 Gbps.
■ If one physical port is lost for any reason (a cable is unplugged or a switch port
fails, or one member switch is unavailable), the logical port transparently
continues to function over the remaining physical port.
The topology used in this example consists of one virtual chassis access switch and
one virtual chassis distribution switch. The access switch is composed of two
EX 4200-48P switches (SWA-0 and SWA-1), interconnected to each other with their
virtual chassis ports (VCPs) as member switches of Host-A. The distribution switch
is composed of two EX 4200-24F switches (SWD-0 and SWD-1), interconnected with
their VCPs as member switches of Host-D.
Each member of the access switch has an uplink module installed. Each uplink module
has two ports. The uplinks are configured to act as trunk ports, connecting the access
switch with the distribution switch. One uplink port from SWA-0 and one uplink port
from SWA-1 are combined as a LAG ae0 to SWD-0. This link is used for one vlan.
The remaining uplink ports from SWA-0 and from SWA-1 are combined as a second
LAG connection (ae1) to SWD-1. LAG ae1, which is used for another vlan .

Chapter 19: Examples of Configuring Interfaces
Figure 15: Topology for LAGs Connecting a Virtual Chassis Access Switch to a Virtual
Chassis Distribution Switch
Table 1 details the topology used in this configuration example.
Distribution Switch
Switch Hostname and Base Hardware Uplink Module member ID Trunk Port
VCID
xe-0/1/1 to SWD-1
VCID 1

xe-1/1/1 to SWD-1
VCID 1

Distribution Switch (continued)

xe-0/1/1 to SWA-1
VCID 4

xe-1/1/1 to SWA-1
VCID 4

CLI Quick Configuration To quickly configure aggregated Ethernet high-speed uplinks between a virtual chassis
access switch and a virtual chassis distribution switch, copy the following commands
[edit]
set chassis aggregated-devices ethernet device-count 2
Step-by-Step Procedure To configure aggregated Ethernet high-speed uplinks between a virtual chassis access
switch and a virtual chassis distribution switch:
1. Specify the number of LAGs to be created on the chassis:
[edit chassis]
user@Host-A# set aggregated-devices ethernet device-count 2
be up.
[edit interfaces]
248 ■
be up.
[edit interfaces]
[edit interfaces]
[edit interfaces]
[edit interfaces]
[edit interfaces]
8. Specifies that LAG ae0 belongs to the subnet for the employee broadcast domain:
[edit interfaces]
user@Host-A# set ae0 unit 0 family inet address 192.0.2.0/25
9. Specifies that LAG ae1 belongs to the subnet for the guest broadcast domain:
[edit interfaces]
user@Host-A# set ae1 unit 1 family inet address family inet address
192.0.2.128/25

[edit]
chassis {
ethernet {
■ 249
device-count 2;
}
}
}
interfaces {
ae0 {
link-speed 10g;
minimum-links 2;
}
unit 0 {
family inet {
address 192.0.2.0/25;
}
}
}
ae1 {
link-speed 10g;
minimum-links 2;
}
unit 0 {
family inet {
address 192.0.2.128/25;
}
}
xe–0/1/0 {
ether-options {
802.ad ae0;
}
}
xe–1/1/0 {
ether-options {
802.ad ae0;
}
}
xe–0/1/1 {
ether-options {
802.ad ae1;
}
}
xe–1/1/1 {
ether-options {
802.ad ae1;
}
}
}
Configuration
To configure two uplink LAGs from the virtual chassis access switch to the virtual
chassis distribution switch, perform these tasks:

Verification
To verify that switching is operational and two LAGs have been created, perform
these tasks:

Purpose Verify that LAG ae0 has been created on the switch.
ae0 up up
ae0.0 up up inet 10.10.10.2/24

Purpose Verify that LAG ae1 has been created on the switch
Action show interface ae1 terse

ae1 up down
ae1.0 up down inet
What It Means The output shows that the ae1 link is down.
Troubleshooting
Troubleshooting a LAG that is Down


LAG)
chassis)
Related Topics
Wiring Closet
■ Example: Connecting an Access Switch to a Distribution Switch.
■ Virtual Chassis Cabling Configuration Examples
Example: Configuring Aggregated Ethernet High-Speed Uplinks with LACP Between

a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch
manner are referred to as a link aggregation group (LAG) or bundle. EX-series switches
allow you to further enhance these links by configuring Link Aggregation Control
Protocol (LACP).
This example describes how to overlay LACP on the LAG configurations that were
created in Example: Configuring Aggregated Ethernet High-Speed Uplinks Between
a Virtual Chassis Access Switch and a Virtual Chassis Distribution Switch:
Requirements

■ JUNOS for EX-series Release 9.0 or later

■ Four EX-series EX-UM-2XFP uplink modules

■ Installed your EX-series switches.
■ Set up the virtual chassis switches. See Example: Configuring a Virtual Chassis
with a Master and Backup in a Single Wiring Closet.
■ Configured the LAGs. See Example: Configuring Aggregated Ethernet High-Speed
Uplinks Between a Virtual Chassis Access Switch and a Virtual Chassis Distribution
Switch

This example assumes that you are already familiar with the Example: Configuring
Aggregated Ethernet High-Speed Uplinks between Virtual Chassis Access Switch and
Virtual Chassis Distribution Switch. The topology in this example is exactly the same
as the topology in that other example. This example shows how to use LACP to
enhance the LAG functionality.
LACP exchanges are made between actors (the transmitting link) and partners (the
receiving link). The LACP mode can be either active or passive.
NOTE: If the actor and partner are both in passive mode, they do not exchange LACP
packets, which results in the aggregated Ethernet links not coming up. By default,
LACP is in passive mode. To initiate transmission of LACP packets and responses to
LACP packets, you must enable LACP in active mode.
By default, the actor and partner send LACP packets every second. You can configure
the interval at which the interfaces send LACP packets by including the periodic
statement at the [edit interfaces interface-name aggregated-ether-options lacp] hierarchy
level.
The interval can be fast (every second) or slow (every 30 seconds).
Configuration
To configure LACP for the two uplink LAGs from the virtual chassis access switch to
the virtual chassis distribution switch, perform these tasks:


Configuring LACP for the LAGs on the Virtual Chassis Access Switch
CLI Quick Configuration To quickly configure LACP for the access switch LAGs, copy the following commands

Step-by-Step Procedure To configure LACP for Host-A LAGs ae0 and ae1:
1. Specify the aggregated Ethernet options for both bundles:
[edit interfaces]
Configuring LACP for the LAGs on the Virtual Chassis Distribution Switch
CLI Quick Configuration To quickly configure LACP for the distribution switch LAGs, copy the following
[edit interfaces]
Step-by-Step Procedure To configure LACP for Host D LAGs ae0 and ae1:
1. Specify the aggregated ethernet options for both bundles:
[edit interfaces]
Verification
To verify that LACP packets are being exchanged, perform these tasks:
■ Verifying the LACP Settings on page 255
■ Verifying That the LACP Packets are Being Exchanged on page 255
254 ■ Configuring LACP for the LAGs on the Virtual Chassis Access Switch
Verifying the LACP Settings


Action Use the show interfaces lag-namestatisticscommand to display LACP information.

Input packets : 0
Output packets: 0

Bundle:
Input : 0 0 0 0
Output: 0 0 0 0
Flags: None
Verifying the LACP Settings ■ 255

What It Means The output here shows that the link is down and that no PDUs are being exchanged.
Troubleshooting
These are some tips for troubleshooting:
Troubleshooting Non-Working LACP Link

Problem LACP link is not working.

■ Remove LACP configuration and verify whether the static lag is up.
■ Verify that LACP is configured at both ends.
■ Verify that LACP is not passive at both ends.
■ Verify whether LACP protocol data units are being exchanged by running the
monitor traffic-interface lag-member detail command.
Related Topics
Wiring Closet
Chapter 20
Configuring Interfaces
■ Configuring Gigabit Ethernet Interfaces (J-Web Procedure) on page 257

■ Configuring Gigabit Ethernet Interfaces on EX-series Switches (CLI
■ Configuring Aggregated Ethernet Interfaces on EX-series Switches (CLI
■ Configuring Link Aggregation (J-Web Procedure) on page 264
■ Configuring Aggregated Ethernet LACP on EX-series Switches (CLI
Configuring Gigabit Ethernet Interfaces (J-Web Procedure)

An Ethernet interface must be configured for optimal performance in a high-traffic
network.
To configure properties on a Gigabit Ethernet interface or 10–Gigabit Ethernet

interface on an EX-series switch:
1. Select the Interfaces option from the Configure menu.
2. Select the option Ports. The page lists all the Gigabit Ethernet and 10–Gigabit
Ethernet interfaces and their link status. When you select a particular interface,
the interface details are displayed.
The properties you can configure on the interface are displayed.

3. Configure the interface by selecting options in the Edit menu. See
Table 42 on page 258 for details on the options.
You can select multiple interfaces and modify their settings.
NOTE: When you select multiple interfaces at the same time, you cannot modify the
IP address and enable or disable the administrative status of the selected interfaces.
4. Click Enable Port/Disable Port to enable or disable the administrative status on

the selected port.
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) ■ 257

Table 42: Port Edit Options
Port Role
Port Role Specifies the role assigned to the port. The options available are:
NOTE: Once a port role is configured on ■ Default—The default configuration

the interface, you cannot specify VLAN is applied.
options and IP options. ■ Desktop
Select an existing VLAN
Depending on the profile selected, the configuration or a new VLAN
corresponding configuration is applied: configuration to be associated with
■ Default—Interface family is set to the port.
ethernet-switching, port mode is set ■ Desktop and Phone
to access, and RSTP protocol is Select an existing VLAN
enabled if redundant trunk groups configuration or a new VLAN
are not configured. configuration to be associated with
■ Desktop—Interface family is set to the port.
ethernet-switching, port mode is set You can also select an existing VoIP
to access, RSTP is enabled with the VLAN configuration or a new VoIP
edge and point-to-point options if the VLAN configuration to be associated
interfaces are not part of any with the port.
redundant trunk groups, and port ■ Wireless Access Point
security parameters (MAC limit =1;
dynamic ARP Inspection and DHCP Select an existing VLAN
snooping enabled) are set. configuration or a new VLAN
configuration to be associated with
■ Desktop and Phone—Interface the port. For a new VLAN, VLAN ID
family is set to ethernet-switching, is a mandatory options.
port mode is set to access, port
security parameters (MAC limit =1; ■ Routed Uplink
dynamic ARP Inspection, DHCP Specify the IP address and the
snooping enabled) are set, and subnet mask.
recommended CoS parameters are ■ Layer 2 Uplink
specified for forwarding classes,
For this port role you can associate
schedulers, and classifiers. See
a native VLAN. To create a
Table 43 on page 260 for more
redundant trunk group, specify the
information.
group name and select the
■ Wireless Access Point—Interface secondary interface.
family is set to ethernet-switching,
■ None—No port role is configured
port mode is set to access, RSTP is
for the selected interface.
enabled with the edge and
point-to-point options if the
interfaces are not part of any Select the option and click OK.
redundant trunk groups.
NOTE: Refer to Port Role
■ Routed Uplink—Port family is set
to inet, and recommended CoS Configuration with the J-Web
parameters are set for schedulers Interface—CLI Reference for the CLI
and classifiers. See command reference.
Table 43 on page 260 for more
information.
■ Layer 2 Uplink—Interface family is
set to ethernet-switching, port mode
is set to trunk, RSTP is enabled with
the edge and point-to-point options
if the interfaces are not part of any
redundant trunk groups, and port
security is set to dhcp-trusted.
258 ■ Configuring Gigabit Ethernet Interfaces (J-Web Procedure)

Chapter 20: Configuring Interfaces
Table 42: Port Edit Options (continued)
VLAN Options
Port Mode Specifies the mode of operation for the If you select Trunk, you can:
port: trunk or access.
1. Click Add to add a VLAN member.
2. Select the VLAN and click OK.
3. (Optional) Associate a native VLAN
with the interface.
If you select Access, you can:

1. Select the VLAN member to be
associated with the interface.
2. (Optional) Associate a VoIP VLAN
with the interface. Only a VLAN
with a VLAN ID can be associated
as a VoIP VLAN.
3. Click OK.
Link Options
MTU (bytes) Specifies the maximum transmission Type a value from 256 through 9216
unit size for the interface. bytes. The default MTU for Gigabit
Ethernet interfaces is 1514.
Speed Specifies the speed for the mode. Select one of the following values: 10
Mbps, 100 Mbps, 1000 Mbps, or 10
Gbps.
Duplex Specifies the link mode. Select one: automatic, half-duplex, or

full-duplex.
Description Describes the link. Enter a brief description for the link.
NOTE: If the port is part of an aggregate,

only the option Description is enabled.
Enable Auto Negotiation Enables or disables autonegotiation. Select the checkbox to enable
autonegotiation, or clear the checkbox
to disable it. By default, autonegotiation
is enabled.
Enable Flow Control Enables or disables flow control. Select the checkbox to enable flow
control to regulate the amount of traffic
sent out of the interface, or clear the
checkbox to disable flow control and
permit unrestricted traffic. Flow control
is disabled by default.
IP Options
Configuring Gigabit Ethernet Interfaces (J-Web Procedure) ■ 259

Table 42: Port Edit Options (continued)
Enable IP Address Specifies an IP address for the interface. 1. Click the checkbox to enable IP
settings
NOTE: If the IP address is cleared, the
interface belongs to the inet family. 2. Type an IP address, for example:
10.10.10.10
3. Enter the subnet mask or address

prefix. For example, 24 bits
represents 255.255.255.0.
4. Click OK.
Table 43: Recommended CoS Settings for Port Roles
CoS Parameter Recommended Settings
Forwarding Classes There are 4 forwarding classes:

■ voice—Queue number is set to 7. This is the default queue that is used for network packets.
■ expedited-forwarding—Queue number is set to 5.
■ assured-forwarding—Queue number is set to 1.
■ best-effort—Queue number is set to 0.
Schedulers The schedulers and their settings are:

■ Strict-priority—Transmission rate is set to 10 percent, buffer size to 5 percent, and priority
to strict-high
■ Expedited-scheduler—Transmission rate is set to 30 percent, buffer size to 30 percent , and
priority is set to low.
■ Assured-scheduler—Transmission rate is set to 25 percent, buffer size to 25 percent, and
■ Best-effort scheduler—Transmission-rate is set to 35 percent, buffer size to 40 percent, and
Scheduler maps When a desktop and phone, routed uplink, or layer 2 uplink roles are applied on interfaces, the
forwarding classes and schedulers are mapped using the scheduler map.
ieee-802.1 classifier Imports the default ieee-802.1 classifier configuration, and sets loss-priority to low for the code
point 101 for the voice forwarding class.
dscp classifier Imports the default dscp classifier configuration, and sets loss-priority to low for the code points
101110 for the voice forwarding class.
Related Topics

Configuring Gigabit Ethernet Interfaces on EX-series Switches (CLI Procedure)

An Ethernet interface must be configured for optimal performance in a high-traffic
network. EX-series switches include a factory default configuration that:
■ Enables all the network interfaces on the switch
■ Sets a default port mode (access)
■ Sets default link settings
■ Specifies a logical unit (unit 0) and assigns it to family ethernet-switching
■ Specifies Spanning Tree Protocol (STP) and Link Layer Discovery Protocol (LLDP)
For information on configuring STP and LLDP, see the JUNOS Software Routing
Protocols Configuration Guide at
1. Configuring VLAN Options and Port Mode on page 261

2. Configuring the Link Settings on page 261
3. Configuring the IP Options on page 262
Configuring VLAN Options and Port Mode

The factory default configuration includes a default VLAN and enables interfaces for
the access port mode. Access interfaces typically connect to network devices such
as PCs, printers, IP telephones, and IP cameras.
If you are connecting a desktop phone or wireless access point or a security camera
to a PoE port, you can configure some parameters for the PoE interface. The PoE
interfaces are enabled by default. For detailed information on the PoE settings, see
Configuring PoE on an EX-series Switch (CLI Procedure).
If you are connecting a device to other switches and to routers on the LAN, you need
to assign the interface to a logical port and you need to configure the logical port as
a trunk port. See Network Interfaces Configuration Guide at
To configure a Gigabit Ethernet interface or 10-Gigabit Ethernet interface for trunk

port mode:
[edit]
user@switch#set port unit 0 family ethernet-switching port-mode trunk
For an example of configuring interfaces as trunk mode, see Example: Connecting

an Access Switch to a Distribution Switch.
Configuring the Link Settings

EX-series switches include a factory default configuration that enables interfaces with
the following link settings:
Configuring Gigabit Ethernet Interfaces on EX-series Switches (CLI Procedure) ■ 261

■ All the Gigabit Ethernet interfaces are set to auto-negotiation.

■ The speed for Gigabit Ethernet interfaces is set to auto, allowing the interface to
operate at 10m, 100m or 1g. The link operates at the highest possible speed,
depending on the capabilities of the remote end.
■ The flow control for Gigabit Ethernet interfaces and 10-Gigabit Ethernet interfaces
is set to enabled.
■ The link mode is set to auto, allowing the interface to operate as either full duplex
or half duplex. The link operates as full duplex unless this mode is not supported
at the remote end.
■ The 10-Gigabit Ethernet interfaces (for the EX-UM-2XFP uplink module) default
to no auto-negotiation. The default speed is 10g and the default link mode is full
duplex.
To configure the link settings:

■ Set link settings for a Gigabit Ethernet interface:
[edit]
user@switch#set interfaces ge-fpc/pic/port ether-options
■ Set link settings for a 10-Gigabit Ethernet interface:
[edit]
user@switch#set interfaces xe-fpc/1/port ether-options
NOTE: An uplink module in an EX-series switch is always PIC 1. The 10-Gigabit

Ethernet interface is available only with the EX-UM-2XFP uplink module.
The ether-options statement allows you to modify the configuration for:

■ 802.3ad—Specify an aggregated Ethernet bundle. See Configuring Aggregated
Ethernet Interfaces on EX-series Switches (CLI Procedure).
■ auto-negotiation—Enable or disable auto-negotation of flow control, link mode,
and speed.
■ flow-control—Enable or disable flow control.
■ link-mode—Specify full-duplex, half-duplex, or automatic.
■ speed—Specify 10m, 100m, 1g, or autonegotiation.
Configuring the IP Options

To specify an IP address for the logical unit:
[edit]
262 ■ Configuring the IP Options

user@switch#set interfaces vlan unit logical-unit-number family inet address

ip-address
Related Topics
■ Configuring Gigabit Ethernet Interfaces (J-Web Procedure)
■ show interfaces (Gigabit Ethernet)
■ show interfaces (10-Gigabit Ethernet)
■ Understanding Interface Naming Conventions on EX-Series Switches
Configuring Aggregated Ethernet Interfaces on EX-series Switches (CLI Procedure)

Use the link aggregation feature to aggregate one or more links to form a virtual link
or aggregation group. The MAC client can treat this virtual link as if it were a single
link. Link aggregation increases bandwidth, provides graceful degradation as failure
occurs, and increases availability.
NOTE: An interface with an already configured IP address cannot form part of the
aggregation group.
To configure aggregated ethernet interfaces, using the CLI:

1. Specify the number of aggregated Ethernet interfaces to be created:
[edit chassis]
user@switch#set aggregated-devices device-count 2
2. Specify the minimum number of links for the aggregated Ethernet interface (aex),
that is, the defined bundle, to be labeled up:
NOTE: By default only one link must be up for the bundle to be labeled up.
[edit interfaces]
user@switch#set ae0 aggregated-ether-options minimum-links 2
3. Specify the link speed for the aggregated Ethernet bundle:
[edit interfaces]
user@switch#set ae0 aggregated-ether-options link-speed 10g
4. Specify the members to be included within the aggregated Ethernet bundle:
[edit interfaces]

user@switch#set xe-0/1/0 ether-options 802.ad ae0

user@switch#set xe-1/1/0 ether-options 802.ad ae0
5. Specify an interface family for the aggregated Ethernet bundle:
[edit interfaces]
user@switch#set ae0 unit 0 family inet address 192.0.2.0/25
For information about adding LACP to a LAG, see Configuring Aggregated Ethernet
LACP on EX-series Switches (CLI Procedure).
Related Topics
■ Configuring Link Aggregation (J-Web Procedure)
■ Configuring Aggregated Ethernet LACP on EX-series Switches (CLI Procedure)
■ JUNOS Routing Protocols Configuration Guide at
Configuring Link Aggregation (J-Web Procedure)

Use the link aggregation feature to aggregate one or more links to form a virtual link
or aggregation group. The MAC client can treat this virtual link as if it were a single
link. Link aggregation increases bandwidth, provides graceful degradation as failure
occurs, and increases availability.
NOTE: Interfaces that are already configured with MTU, speed, duplex,
auto-negotiation, flow-control, and logical interfaces are not available for aggregation.
To configure link aggregation:

1. From the Configure menu, select Interfaces > Link Aggregation.
The Aggregated Interfaces list is displayed.

2. Click one:

■ Add—Creates an aggregated interface.
Add a description for the aggregation. Click >> or << to move interfaces
between the Available Interfaces and Member Interfaces columns. Click
Activate Aggregated Link to activate the link.
■ Edit > Edit Aggregation—Modifies an existing aggregation.
■ Edit > VLAN Options—Specifies VLAN options for the aggregation. See
Table 44 on page 265 for details on the options.
■ Delete—Deletes an aggregation.
■ Enable Port/Disable Port —Enables or disables the administrative status on

the selected port.
Table 44: VLAN Options
Port Mode Specifies the mode of operation for the If you select Trunk, you can:
port: trunk or access.
1. Click Add to add a VLAN member.
2. Select the VLAN and click OK.
3. (Optional) Associate a native VLAN
with the port.
If you select Access, you can:

1. Select the VLAN member to be
associated with the port.
2. (Optional) Associate a VoIP VLAN
with the interface. Only a VLAN
with a VLAN ID can be associated
as a VoIP VLAN.
3. Click OK.
Related Topics
■ Configuring Aggregated Ethernet Interfaces on EX-series Switches (CLI Procedure)
■ Verifying the Status of a LAG

Configuring Aggregated Ethernet LACP on EX-series Switches (CLI Procedure)

For aggregated Ethernet interfaces on EX-series switches, you can configure the Link
Aggregation Control Protocol (LACP). LACP is one method of bundling several physical
interfaces to form one logical interface. You can configure aggregated Ethernet with
or without LACP enabled.

■ Configured the aggregated ethernet bundles. See Configuring Aggregated Ethernet
Interfaces on EX-series Switches (CLI Procedure)
When LACP is enabled, the local and remote sides of the aggregated Ethernet links
exchange protocol data units (PDUs), containing information about the state of the
link. You can configure Ethernet links to actively transmit PDUs, or you can configure
the links to passively transmit them, sending out LACP PDUs only when they receive
them from another link. One side of the link must be configured as active in order
for the link to be up.
To configure LACP:
1. From the [edit interfaces interface-name aggregated-ether-options] hierarchy level,
enable one side of the link as active:
set ae x aggregated-ether-options lacp active
2. Specify the interval at which the interfaces send LACP packets:
set ae x aggregated-ether-options lacp periodic fast
Related Topics
■ Configuring Link Aggregation with the J-Web Interface
■ JUNOS Routing Protocols Configuration Guide at
266 ■ Configuring Aggregated Ethernet LACP on EX-series Switches (CLI Procedure)

Chapter 21
Verifying Interfaces
■ Monitoring Interface Status and Traffic on page 267

■ Verifying the Status of a LAG Interface on page 268
■ Verifying That LACP Is Configured Correctly and Bundle Members Are Exchanging
LACP Protocol Packets on page 268
Monitoring Interface Status and Traffic

Purpose Use the monitoring functionality to view interface status or to monitor interface
bandwidth utilization and traffic statistics.
The J-Web interface monitors interface bandwidth utilization and plots real-time
charts to display input and output rates in bytes per second. In addition, the Interface
monitoring page displays input and output error counters in the form of charts.
Alternatively, you can enter the show commands in the CLI to view interface status
and traffic statistics.
Action To view general interface information in the J-Web interface such as available
interfaces, select Monitor>Interfaces. You can click any interface to view details about
its status.
Using the CLI:

■ To view interface status for all the interfaces, enter show interfaces.
■ To view status and statistics for a specific interface, enter show interfaces
interface-name.
■ To view status and traffic statistics for all interfaces, enter either show interfaces
detail or show interfaces extensive.
What It Means In the J-Web interface the charts displayed are:

■ Bar charts—Display the input and output error counters.
■ Pie charts—Display the number of broadcast, unicast, and multicast packet
counters.
To clear the statistics in the J-Web Interface monitoring page, click Clear Statistics.
Monitoring Interface Status and Traffic ■ 267

For details about output from the CLI commands, see show interfaces (Gigabit
Ethernet) or show interfaces (10-Gigabit Ethernet).
Related Topics
Verifying the Status of a LAG Interface

Purpose Verify that a LAG (ae0) has been created on the switch.
ae0 up up
ae0.0 up up inet 10.10.10.2/24
Related Topics
Verifying That LACP Is Configured Correctly and Bundle Members Are Exchanging
LACP Protocol Packets
To verify that LACP has been set up correctly and that the bundle members are
transmitting LACP protocol packets.
1. Verifying the LACP Setup on page 268
2. Verifying That the LACP Packets are Being Exchanged on page 269
Verifying the LACP Setup


Chapter 21: Verifying Interfaces
What It Means This example shows that LACP has been configured with one side as active and the
other as passive. When LACP is enabled, one side must be set as active in order for
the bundled link to be up.

Action Use the show interfaces aex statistics command to display LACP Bpdu exchange
information.

Input packets : 0
Output packets: 0

Bundle:
Input : 0 0 0 0
Output: 0 0 0 0
Flags: None
Verifying That the LACP Packets are Being Exchanged ■ 269

What It Means The output here shows that the link is down and that no PDUs are being exchanged
(when there is no other traffic flowing on the link).
Related Topics
■ Verifying the Status of a LAG

Chapter 22
Troubleshooting Interfaces
■ Troubleshooting an Aggregated Ethernet Interface on page 271

■ Troubleshooting Disabled or Down Interfaces on page 271
■ Port Role Configuration with the J-Web Interface—CLI Reference on page 272
Troubleshooting an Aggregated Ethernet Interface


LAG)
chassis)
Related Topics
Verifying the Status of a LAG Interface
Troubleshooting Disabled or Down Interfaces

This topic provides troubleshooting information for specific problems related to
interfaces.
1. Disabled ports on EX 3200 switches with a 4-port Gigabit Ethernet uplink module
(EX-UM-4SFP) installed on page 271
Disabled ports on EX 3200 switches with a 4-port Gigabit Ethernet uplink module
(EX-UM-4SFP) installed
Problem The last 4 base ports (ge-0/0/20–23 on 24 port models or ge-0/0/44–47 on 48 port
models) of EX 3200 switch are disabled.
Troubleshooting an Aggregated Ethernet Interface ■ 271

The 4-port Gigabit Ethernet uplink module (EX-UM-4SFP) is installed
When you check status with the show interfaces (Gigabit Ethernet) command or with
the J-Web user interface, the last 4 base ports display a status of down.
Cause The last 4 base ports use the same ASIC as the 4-port Gigabit Ethernet uplink module.
Therefore, the last 4 base ports are disabled when this uplink module is installed.
Solution If you need to use the disabled base ports, you should remove the 4–port Gigabit
Ethernet uplink module. You can install the 2–port 10–Gigabit Ethernet uplink module
(EX-UM-2XFP) instead. There is no ASIC conflict with the EX-UM-2XFP uplink module.
Port Role Configuration with the J-Web Interface—CLI Reference

When you configure Gigabit Ethernet interface properties with the J-Web interface
(Configure > Interfaces) you can optionally select pre-configured port roles for those
interfaces. When you select a role from the Port Role field and apply it to a port, the
J-Web interface modifies the switch configuration using CLI commands. [Unresolved
xref] lists the CLI commands applied for each port role.
NOTE: If there is an existing port role configuration, it is cleared before the new port
role configuration is applied.
Table 45: Port Role Configuration Summary
Configuration Description CLI Commands
Default Port Role
Set the port role to Default. set interfaces interfaceapply-macro juniper-port-profile

Default
Set port family to ethernet-switching. set interfaces interface unit 0 family ethernet-switching
port-mode access
Set port mode to access.
Enable RSTP if redundant trunk groups are not delete protocols rstp interface interface disable
configured.
Disable RSTP if redundant trunk groups are set protocols rstp interface interface disable
configured.
Desktop Port Role
Set the port role to desktop. set interfaces interface apply-macro juniper-port-profile
Desktop
Set VLAN if new VLAN is specified. set vlans <vlan name> vlan-id <vlan-id>
Set port family to ethernet-switching. set interfaces interface unit 0 family ethernet-switching
port-mode access
Set Port Mode to Access.
272 ■ Port Role Configuration with the J-Web Interface—CLI Reference

Chapter 22: Troubleshooting Interfaces
Table 45: Port Role Configuration Summary (continued)
Set VLAN if new VLAN is specified. set interfaces interface unit 0 family ethernet-switching
vlan members vlan-members
Set port security parameters. set ethernet-switching-options secure-access-port vlan
MacTest arp-inspection
Set RSTP protocol with edge option. set protocols rstp interface interface edge
RSTP protocol is disabled if redundant trunk groups set protocols rstp interface interface disable
are configured.
Desktop and Phone Port Role
Set the port role to desktop and phone. set interfaces interfaceapply-macro juniper-port-profile
Desktop and Phone
Set data VLAN if new VLAN is specified. set vlans vlan-namevlan-id vlan id
Set voice VLAN if new voice VLAN is specified.
Set port family to ethernet-switching. set interfaces interfaceunit 0 family ethernet-switching

port-mode access
Set Port Mode to access.
Set data VLAN on port stanza. set interfaces interface unit 0 family ethernet-switching
Set port security parameters. set ethernet-switching-options secure-access-port vlan
MacTest arp-inspection
Set VOIP VLAN. set ethernet-switching-options voip interface interface.0
vlan vlan vlan name
Set class of service parameters set class-of-service interfaces interfacescheduler-map
juniper-port-profile-map
SCHEDULER_MAP=juniper-port-profile-map set class-of-service interfaces interface unit 0
classifiers ieee-802.1 juniper_ieee_classifier
IEEE_CLASSIFIER=juniper-ieee-classifier set class-of-service interfaces interfaceunit 0
classifiers dscp juniper-dscp-classifier
DSCP_CLASSIFIER=juniper-dscp-classifier
Set CoS Configuration Refer Table 46 on page 275 for details.
Wireless Access Point Port Role
Set the port role to wireless access point. set interfaces interface apply-macro juniper-port-profile
Wireless Access Point
Set VLAN on VLANs stanza. set vlans vlan namevlan-id vlan-id
Set port family to ethernet-ewitching set interfaces interface unit 0 family ethernet-switching
port-mode access
Set port mode to Access.
Set VLAN on port stanza. set interfaces interface unit 0 family ethernet-switching
Set RSTP protocol with edge option. set protocols rstp interface interface edge
Port Role Configuration with the J-Web Interface—CLI Reference ■ 273

Table 45: Port Role Configuration Summary (continued)
RSTP protocol is disabled if redundant trunk groups set protocols rstp interface interface disable
are configured.
Routed Uplink Port Role
Set the port role to Routed Uplink. set interfaces interface apply-macro juniper-port-profile
Routed Uplink
Set port family to inet. set interfaces interfaceunit 0 family inet address
ipaddress
Set IP address on the port.
Set class-of-service parameters set class-of-service interfaces interfacescheduler-map

IEEE_CLASSIFIER=juniper-ieee-classifier set class-of-service interfaces interfaceunit 0
DSCP_CLASSIFIER=juniper-dscp-classifier
Set CoS configuration Refer Table 46 on page 275 for details.
Layer 2 Uplink Port Role
Set the port role to Layer 2 Uplink. set interfaces interface apply-macro juniper-port-profile
Layer2 Uplink
Set port family to ethernet-switching set interfaces interface unit 0 family ethernet-switching
port-mode trunk
Set port mode to trunk.
Set Native VLAN name. set interfaces interface unit 0 family ethernet-switching
native-vlan-id vlan-name
Set the port as part of all valid VLANs; ”valid" refers set interfaces interface unit 0 family ethernet-switching
to all VLANs except native VLAN and voice VLANs. vlan members vlan-members
Set port security parameter. set ethernet-switching-options secure-access-port

dhcp-trusted
Set RSTP protocol with point-to-point option. set protocols rstp interface interface mode point-to-point
Disable RSTP if redundant trunk groups are set protocols rstp interface interface disable
configured.
Set class-of-service parameters. set class-of-service interfaces interfacescheduler-map

IEEE_CLASSIFIER=juniper_ieee_classifier set class-of-service interfaces interfaceunit 0
DSCP_CLASSIFIER=juniper_dscp_classifier
Set CoS configuration Refer to Table 46 on page 275 for details.
274 ■ Port Role Configuration with the J-Web Interface—CLI Reference

Chapter 22: Troubleshooting Interfaces
[Unresolved xref] lists the CLI commands for the recommended CoS settings that
are committed when the CoS configuration is set.
Table 46: Recommended CoS Settings for Port Roles
CoS Parameter CLI Command
Forwarding Classes
voice set class-of-service forwarding-classes class voice queue-num 7
expedited-forwarding set class-of-service forwarding-classes class expedited-forwarding queue-num

5
assured-forwarding set class-of-service forwarding-classes class assured-forwarding queue-num
1
best-effort set class-of-service forwarding-classes class best-effort queue-num 0
Schedulers
strict-priority-scheduler The CLI commands are:

■
set class-of-service schedulers
strict-priority-scheduler transmit-rate
percent 10

strict-priority-scheduler buffer-size percent
5

strict-priority-scheduler priority strict-high
expedited-scheduler The CLI commands are:

■
expedited-scheduler transmit-rate percent 30

expedited-scheduler buffer-size percent 30

expedited-scheduler priority low
assured-scheduler The CLI commands are:

set class-of-service schedulers assured-scheduler transmit-rate percent 25
set class-of-service schedulers strict-priority-scheduler buffer-size percent
25
set class-of-service schedulers strict-priority-scheduler priority low
Port Role Configuration with the J-Web Interface—CLI Reference ■ 275

Table 46: Recommended CoS Settings for Port Roles (continued)
CoS Parameter CLI Command
best-effort-scheduler The CLI commands are:

set class-of-service schedulers best-effort-scheduler transmit-rate percent
35
set class-of-service schedulers best-effort-scheduler buffer-size percent 40
set class-of-service schedulers best-effort-scheduler priority low
Classifiers The classifiers are:
set class-of-service classifiers ieee-802.1 juniper_ieee_classifier import
default forwarding-class voice loss-priority low code-points 101
set class-of-service classifiers dscp juniper_dscp_classifier import default
forwarding-class voice loss-priority low code-points 101110
Related Topics

Chapter 23
Configuration Statements for Interfaces
■ Interface Configuration Statement Hierarchy on page 277

■ Individual Interface Configuration Statements on page 278
Interface Configuration Statement Hierarchy


interfaces {
ae-x {
lacp mode {
periodic interval;
}
}
}
interface-name {
description text;
mtu bytes;
ether-options {
802.3ad aex;
auto-negotiation;
flow-control;
link-mode mode;
}
port-mode mode;
vlan {
}
Interface Configuration Statement Hierarchy ■ 277

}
}
}
}
Related Topics

Individual Interface Configuration Statements
802.3ad
Syntax 802.3ad aex;
Hierarchy Level [edit interfaces interface-name ether-options]
Description Specify the aggregated Ethernet logical interface number.
Options aex—Aggregated Ethernet logical interface number.
Required Privilege Level interface—To view this statement in the configuration.

interface-control—To add this statement to the configuration.
Related Topics
■ JUNOS Network Interfaces Configuration Guide at



Chapter 23: Configuration Statements for Interfaces
auto-negotiation
Syntax (auto-negotiation | no-auto-negotiation);
Description Explicitly enable or disable autonegotiation.
■ auto-negotiation—Enable autonegotiation.
■ no-auto-negotiation—Disable autonegotiation. When autonegotiation is disabled,
you must explicitly configure link mode, and speed options.
Default Autonegotiation is automatically enabled. No explicit action is taken after the

autonegotiation is complete or if the negotiation fails.

Related Topics

■ Configuring Interfaces on EX-series Switches (CLI Procedure)
auto-negotiation ■ 279
description
Syntax description text;
Hierarchy Level [edit interfaces ge-chassis/slot/port]
Release Information Statement introduced in JUNOS before Release 9.0.

Description Provide a textual description of the interface or the logical unit. Any descriptive text
you include is displayed in the output of the show interfaces commands, and is also
exposed in the ifAlias Management Information Base (MIB) object. It has no effect
on the operation of the interface or the routing platform.
Default No textual description is configured
Options text—Text to describe the interface. If the text includes spaces, enclose the entire
text in straight quotation marks.

Related Topics

280 ■ description
ether-options
Syntax ether-options {
802.3ad aex;
auto-negotiation;
flow-control;
link-mode mode;
speed
}
Hierarchy Level [edit interfaces interface-name]
Description Configure ether-options properties for Gigabit-Ethernet interface on EX-series switch.
Default Enabled.

Related Topics


■ Understanding Interface Naming Conventions on EX-series Switches
ether-options ■ 281
family
Syntax family ethernet-switching {

filter input filter-name
filter output filter-name
native-vlan-id vlan-id;
port-mode mode;
vlan {
[ (names | vlan-ids) ]; [ (names | vlan-ids) ];
translate vlan-id1 vlan-id2
}
}
Hierarchy Level [edit interfaces ge-chassis/slot/port unit logical-unit-number]
Description Configure protocol family information for the logical interface.
Default You must configure a logical interface to be able to use the physical device.
Options ethernet-switching—Ethernet switch protocol family.

Related Topics

282 ■ family
filter
Syntax filter (input | output) filter-name;
Hierarchy Level [edit interfaces ge-chassis/slot/port unit logical-unit-number family family-name]
Description Apply a firewall filter to traffic entering the port or Layer 3 interface or exiting the
Layer 3 interface.
Default All incoming traffic is accepted unmodified on the port or Layer 3 interface, and all
outgoing traffic is sent unmodified from the port or Layer 3 interface.
Options filter-name—Name of a firewall filter defined in the filter statement.

■ input—Apply a firewall filter to traffic entering the port or Layer 3 interface.
■ output—Apply a firewall filter to traffic exiting the Layer 3 interface.

Related Topics
EX-series Switches
■ Configuring Firewall Filters (J-Web Procedure)
■ JUNOS Network Interfaces Configuration Guide
filter ■ 283
flow-control
Syntax (flow-control | no-flow-control);
Hierarchy Level [edit interfacesinterface-name ether-options]
Description Explicitly enable flow control, which regulates the flow of packets from the switch
to the remote side of the connection, or disable it.
■ flow-control—Enable flow control is useful when the remote device is a Gigabit
Ethernet switch.
■ no-flow-control—Disable flow control.
Default Flow control enabled.

Related Topics

l3-interface
Syntax l3-interface interface-name-logical-unit-number;
Hierarchy Level [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching]
Release Information Statement introduced in JUNOS for EX-series Release 9.0.

Description Associate a Layer 3 interface with the VLAN. Configure Layer 3 interfaces on trunk
ports to allow the interface to transfer traffic between multiple VLANs. Within a
VLAN, traffic is bridged, while across VLANs, traffic is routed.
Default No Layer 3 (routing) interface is associated with the VLAN.
Options interface-name–logical-unit-number—Name of a logical interface.

284 ■ flow-control
lacp
Syntax lacp mode {

periodic interval;
}
Hierarchy Level [edit interfaces ae-chassis/slot/port aggregated-ether-options]
Release Information Statement introduced in JUNOS software before Release 9.0.

Description Configure the Link Aggregation Control Protocol (LACP).
Default LACP is not enabled.
Options mode—LACP mode:

■ active—Initiate transmission of LACP packets
■ passive—Respond to LACP packets
The remaining statement is explained separately.

Related Topics


lacp ■ 285
link-mode
Syntax link-mode mode;
Description Set the device’s link-connection characteristic.
Default The automatic mode is enabled.
Options mode—Link characteristic:

■ full-duplex—Connection is full duplex.
■ half-duplex—Connection is half duplex.
■ automatic—Link mode is negotiated.
If no-auto-negotiation is specified, you can select only full-duplex or half-duplex. If

auto-negotiation is specified, you can select any mode.

Related Topics

286 ■ link-mode
members
Syntax members [ (names | vlan-ids) ];
Hierarchy Level [edit interfaces ge-chassis/slot/port unit logical-unit-number family ethernet-switching

vlan]

Description For trunk interfaces, configure the VLANs for which the interface can carry traffic.
Options names—Name of one or more VLANs.
vlan-id—Numeric identifier of one or more VLANs.

Related Topics
■ JUNOS Network Interfaces Configuration Guide at JUNOS Network Interfaces

Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html
mtu
Syntax mtu bytes;
Hierarchy Level [edit interfaces interface-name]

Description Maximum transmission unit (MTU) size for the media. Changing the media MTU
causes an interface to be deleted and added again.
Default 1514 bytes
Options bytes—MTU size.

Range: 64 through 9216 bytes
Default: 1514 bytes
members ■ 287
native-vlan-id
Syntax native-vlan-id vlan-id;

Description Configure the VLAN identifier to associate with untagged packets received on the
interface.
Options vlan-id—Numeric identifier of the VLAN.

Related Topics

288 ■ native-vlan-id
periodic
Syntax periodic interval;
Hierarchy Level [edit interfaces ae-chassis/slot/port aggregated-ether-options lacp]
Description Configure the interval for periodic transmission of LACP packets.
Default fast
Options interval—Interval at which to periodically transmit LACP packets:

■ fast—Transmit packets every second. This is the default.
■ slow—Transmit packets every 30 seconds.

Related Topics


periodic ■ 289
port-mode
Syntax port-mode mode;

Description Configure whether an interface on the switch operates in access or trunk mode.
Default All switch interfaces are in access mode.
Options access—Have the interface operate in access mode. In this mode, the interface can
be in a single VLAN only. Access interfaces typically connect to network devices
such as PCs, printers, IP telephones, and IP cameras.
trunk—Have the interface operate in trunk mode. In this mode, the interface can be
in multiple VLANs and can multiplex traffic between different VLANs. Trunk
interfaces typically connect to other switches and to routers on the LAN.

Related Topics

290 ■ port-mode
speed
Syntax speed (speed | auto-negotiation) ;
Description Configure the interface’s speed:
Default If the auto-negotiation statement at the [edit interfaces interface-name ether-options]

hierarchy level is enabled, the auto-negotiation option is enabled by default.
Options ■ speed—Specify the interface speed. If the auto-negotiation statement at the [edit
interfaces interface-name ether-options] hierarchy level is disabled, you must
specify a specific value. This value sets the speed that is used on the link. If the
auto-negotiation statement is enabled, you might want to configure a specific
speed value to advertise the desired speed to the remote end.
■ 10m—10 Mbps
■ 100m—100 Mbps
■ 1g—1 Gbps
■ auto-negotiation—Automatically negotiate the speed based on the speed of the

other end of the link. This option is available only when the auto-negotiation
statement at the [edit interfaces interface-name ether-options] hierarchy level is
enabled.

Related Topics

speed ■ 291
translate
Syntax translate vlan-id1 vlan-id2

vlan]

Description For trunk interfaces, have the interface change the VLAN identifier on received
packets to a different identifier.
Options vlan-id1—Number of the VLAN identifier in received packets. This identifier is removed
from packets received on the interface.
vlan-id2—New VLAN identifier. This identifier replaces the one removed from packets
received on the interface.

Related Topics

292 ■ translate
unit
Syntax unit logical-unit-number {

native-vlan-id vlan-id;
port-mode mode;
vlan {
}
}
}
Hierarchy Level [edit interfaces ge-chassis/slot/port]

Description Configure a logical interface on the physical device. You must configure a logical
interface to be able to use the physical device.
Default You must configure a logical interface to be able to use the physical device.
Options logical-unit-number—Number of the logical unit.

Range: 0 through 16,384

Related Topics

unit ■ 293
vlan
Syntax vlan {
}

Description For Gigabit Ethernet and Aggregated Ethernet interfaces, binds a 802.1Q VLAN tag
ID to a logical interface.
Default to be added.

Related Topics

294 ■ vlan
Chapter 24
Operational Mode Commands for
Interfaces
■ 295
show interfaces
Syntax show interfaces ge-fpc/pic/port

<brief | detail | extensive | terse>
<descriptions>
<media>
<snmp-index snmp-index>
<statistics>
Description Display status information about the specified Gigabit Ethernet interface.
Options ge-fpc/pic/port—Display standard information about the specified Gigabit Ethernet

interface.
brief | detail | extensive | terse—(Optional) Display the specified level of output.
descriptions—(Optional) Display interface description strings.
media—(Optional) Display media-specific information about network interfaces.
snmp-index snmp-index—(Optional) Display information for the specified SNMP index

of the interface.
statistics—(Optional) Display static interface statistics.

List of Sample Output show interfaces (Gigabit Ethernet) on page 302
show interfaces brief (Gigabit Ethernet) on page 303
show interfaces detail (Gigabit Ethernet) on page 303
show interfaces extensive (Gigabit Ethernet) on page 304
Output Fields Table 47 on page 296 lists the output fields for the show interfaces command. Output
fields are listed in the approximate order in which they appear.
Table 47: Gigabit Ethernet show interfaces Output Fields
Physical Interface
Physical interface Name of the physical interface. All levels
Enabled State of the interface: Enabled or Disabled. All levels
Interface index Index number of the physical interface, which reflects its initialization sequence. detail extensive none
SNMP ifIndex SNMP index number for the physical interface. detail extensive none
Generation Unique number for use by Juniper Networks technical support only. detail extensive
296 ■ show interfaces

Chapter 24: Operational Mode Commands for Interfaces
Table 47: Gigabit Ethernet show interfaces Output Fields (continued)
Description Optional user-specified description. brief detail extensive
Link-level type Encapsulation being used on the physical interface. All levels
MTU Maximum transmission unit size on the physical interface. Default is 1514. All levels
Speed Speed at which the interface is running. All levels
Loopback Loopback status: Enabled or Disabled. If loopback is enabled, type of loopback: All levels
Local or Remote.
Source filtering Source filtering status: Enabled or Disabled. All levels
Flow control Flow control status: Enabled or Disabled. All levels
Auto-negotiation Autonegotiation status: Enabled or Disabled. All levels
Remote-fault Remote fault status: All levels

■ Online—Autonegotiation is manually configured as online.
■ Offline—Autonegotiation is manually configured as offline.
Device flags Information about the physical device. All levels
Interface flags Information about the interface. All levels
Link flags Information about the link. All levels
CoS queues Number of CoS queues configured. detail extensive none
Hold-times Current interface hold-time up and hold-time down, in milliseconds. detail extensive
Current address Configured MAC address. detail extensive none
Hardware address MAC address of the hardware. detail extensive none
Last flapped Date, time, and how long ago the interface went from down to up. The format detail extensive none
is Last flapped: year-month-day hour:minute:second timezone (hour:minute:second
ago). For example, Last flapped: 2008–01–16 10:52:40 UTC (3d 22:58 ago).
Statistics last Time when the statistics for the interface were last set to zero. detail extensive
cleared
Traffic statistics Number and rate of bytes and packets received and transmitted on the physical detail extensive
interface.
■ Input bytes—Number of bytes received on the interface.
■ Output bytes—Number of bytes transmitted on the interface.
■ Input packets—Number of packets received on the interface
■ Output packets—Number of packets transmitted on the interface.
NOTE: The bandwidth bps counter is not enabled on this platform.
show interfaces ■ 297

Input errors Input errors on the interface. The following paragraphs explain the counters extensive
whose meaning might not be obvious:
■ Errors—Sum of the incoming frame aborts and FCS errors.
■ Drops—Number of packets dropped by the input queue of the I/O Manager
ASIC. If the interface is saturated, this number increments once for every
packet that is dropped by the ASIC's RED mechanism.
■ Framing errors—Number of packets received with an invalid frame
checksum (FCS).
■ Runts—Number of frames received that are smaller than the runt threshold.
■ Policed discards—Number of frames that the incoming packet match code
discarded because they were not recognized or not of interest. Usually,
this field reports protocols that the JUNOS software does not handle.
■ L3 incompletes—Number of incoming packets discarded because they
failed Layer 3 sanity checks of the headers. For example, a frame with
less than 20 bytes of available IP header is discarded.
■ L2 channel errors—Number of times the software did not find a valid logical
interface for an incoming frame.
■ L2 mismatch timeouts—Number of malformed or short packets that caused
the incoming packet handler to discard the frame as unreadable.
■ FIFO errors—Number of FIFO errors in the receive direction that are
reported by the ASIC on the PIC. If this value is ever nonzero, the PIC is
probably malfunctioning.
■ Resource errors—Sum of transmit drops.

Output errors Output errors on the interface. The following paragraphs explain the counters extensive
■ Carrier transitions—Number of times the interface has gone from down to
up. This number does not normally increment quickly, increasing only
when the cable is unplugged, the far-end system is powered down and
then up, or another problem occurs. If the number of carrier transitions
increments quickly (perhaps once every 10 seconds), the cable, the far-end
system, or the PIC or PIM is malfunctioning.
■ Errors—Sum of the outgoing frame aborts and FCS errors.
■ Drops—Number of packets dropped by the output queue of the I/O
■ Aged packets—Number of packets that remained in shared packet SDRAM
so long that the system automatically purged them. The value in this field
should never increment. If it does, it is most likely a software bug or
possibly malfunctioning hardware.
■ FIFO errors—Number of FIFO errors in the send direction as reported by
the ASIC on the PIC. If this value is ever nonzero, the PIC is probably
malfunctioning.
■ HS link CRC errors—Number of errors on the high-speed links between
the ASICs responsible for handling the router interfaces.
■ MTU errors—Number of packets whose size exceeded the MTU of the
interface.
Egress queues Total number of egress queues supported on the specified interface. detail extensive
Queue counters CoS queue number and its associated user-configured forwarding class name. detail extensive
(Egress )
■ Queued packets—Number of queued packets.
■ Transmitted packets—Number of transmitted packets.
■ Dropped packets—Number of packets dropped by the ASIC's RED
mechanism.
Active alarms and Ethernet-specific defects that can prevent the interface from passing packets. detail extensive none
Active defects When a defect persists for a certain amount of time, it is promoted to an alarm.
Based on the switch configuration, an alarm can ring the red or yellow alarm
bell on the switch, or turn on the red or yellow alarm LED on the craft interface.
These fields can contain the value None or Link.
■ None—There are no active defects or alarms.
■ Link—Interface has lost its link state, which usually means that the cable
is unplugged, the far-end system has been turned off, or the PIC is
malfunctioning.

MAC statistics Receive and Transmit statistics reported by the PIC's MAC subsystem. extensive
■ Total octets and total packets—Total number of octets and packets. For
Gigabit Ethernet IQ PICs, the received octets count varies by interface
type.
■ Unicast packets, Broadcast packets, and Multicast packets—Number of
unicast, broadcast, and multicast packets.
■ CRC/Align errors—Total number of packets received that had a length
(excluding framing bits, but including FCS octets) of between 64 and 1518
octets, inclusive, and had either a bad FCS with an integral number of
octets (FCS Error) or a bad FCS with a nonintegral number of octets
(Alignment Error).
■ FIFO error—Number of FIFO errors that are reported by the ASIC on the
PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
■ MAC control frames—Number of MAC control frames.
■ MAC pause frames—Number of MAC control frames with pause operational
code.
■ Oversized frames—Number of frames that exceed 1518 octets.
■ Jabber frames—Number of frames that were longer than 1518 octets
error or an alignment error. This definition of jabber is different from the
definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4
(10BASE2). These documents define jabber as the condition in which any
packet exceeds 20 ms. The allowed range to detect jabber is from 20 ms
to 150 ms.
■ Fragment frames—Total number of packets that were less than 64 octets
in length (excluding framing bits, but including FCS octets), and had either
an FCS error or an alignment error. Fragment frames normally increment
because both runts (which are normal occurrences caused by collisions)
and noise hits are counted.
■ VLAN tagged frames—Number of frames that are VLAN tagged. The system
uses the TPID of 0x8100 in the frame to determine whether a frame is
tagged or not.
■ Code violations—Number of times an event caused the PHY to indicate
“Data reception error” or “invalid data symbol error.”
Filter Statistics Receive and Transmit statistics reported by the PIC's MAC address filter extensive
subsystem.

Autonegotiation Information about link autonegotiation. extensive

information
■ Negotiation status:
■ Incomplete—Ethernet interface has the speed or link mode configured.
■ No autonegotiation—Remote Ethernet interface has the speed or link
mode configured, or does not perform autonegotiation.
■ Complete—Ethernet interface is connected to a device that performs
autonegotiation and the autonegotiation process is successful.
■ Link partner status—OK when Ethernet interface is connected to a device
that performs autonegotiation and the autonegotiation process is
successful.
■ Link partner:
■ Link mode—Depending on the capability of the attached Ethernet
device, either Full-duplex or Half-duplex.
■ Flow control—Types of flow control supported by the remote Ethernet
device. For Gigabit Ethernet interfaces, types are Symmetric (link
partner supports PAUSE on receive and transmit), Asymmetric (link
partner supports PAUSE on transmit), and Symmetric/Asymmetric (link
partner supports both PAUSE on receive and transmit or only PAUSE
receive).
■ Remote fault—Remote fault information from the link partner—Failure
indicates a receive link error. OK indicates that the link partner is
receiving. Negotiation error indicates a negotiation error. Offline
indicates that the link partner is going offline.
■ Link partner speed—Speed of the link partner.
■ Local resolution—Information from the link partner:
receive).
■ Remote fault—Remote fault information. Link OK (no error detected
on receive), Offline (local interface is offline), and Link Failure (link
error detected on receive).
Packet Forwarding Information about the configuration of the Packet Forwarding Engine: extensive
Engine
■ Destination slot—FPC slot number.
configuration
Logical Interface
Logical interface Name of the logical interface. All levels
Index Index number of the logical interface, which reflects its initialization sequence. detail extensive none
SNMP ifIndex SNMP interface index number for the logical interface. detail extensive none
Flags Information about the logical interface. All levels

Encapsulation Encapsulation on the logical interface. All levels
Protocol Protocol family. detail extensive none
MTU This field is not supported for logical interfaces on EX-series switches. detail extensive none
Route Table Route table in which the logical interface address is located. For example, 0 detail extensive none
refers to the routing table inet.0.
Flags Information about protocol family flags. detail extensive
protocol-family Protocol family configured on the logical interface. If the protocol is inet, the brief
IP address of the interface is also displayed.
Flags Information about address flag. detail extensive none
Destination IP address of the remote side of the connection. detail extensive none
Local IP address of the logical interface. detail extensive none
Broadcast Broadcast address of the logical interlace. detail extensive none
show interfaces (Gigabit user@host> show interfaces ge-0/0/0

Ethernet) Physical interface: ge-0/0/0, Enabled, Physical link is Down
Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled
Remote fault: Online
Device flags : Present Running Down
CoS queues : 8 supported, 8 maximum usable queues
Hold-times : Up 0 ms, Down 0 ms
Current address: 00:19:e2:50:3f:41, Hardware address: 00:19:e2:50:3f:41
Last flapped : 2008-01-16 11:40:53 UTC (4d 02:30 ago)
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
Ingress rate at Packet Forwarding Engine : 0 bps (0 pps)
Ingress drop rate at Packet Forwarding Engine : 0 bps (0 pps)
Active alarms : None
Active defects : None
Logical interface ge-0/0/0.0 (Index 65) (SNMP ifIndex 22)

Flags: SNMP-Traps
Encapsulation: ENET2
Input packets : 0
Output packets: 0
Protocol eth-switch, MTU: 0
Flags: None

show interfaces brief user@host> show interfaces ge-0/0/0 brief

(Gigabit Ethernet) Physical interface: ge-0/0/0, Enabled, Physical link is Down
Description: voice priority and tcp and icmp traffic rate-limiting filter at i
ngress port
Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
Device flags : Present Running Down
Link flags : None
Logical interface ge-0/0/0.0

Flags: Device-Down SNMP-Traps Encapsulation: ENET2
eth-switch
show interfaces detail user@host> show interfaces ge-0/0/0 detail

(Gigabit Ethernet) Physical interface: ge-0/0/0, Enabled, Physical link is Up
Interface index: 129, SNMP ifIndex: 21, Generation: 130
Link-level type: Ethernet, MTU: 1514, Speed: Auto, Loopback: Disabled,
Interface flags: SNMP-Traps Internal: 0x0
Link flags : None
Current address: 00:19:e2:50:a8:a1, Hardware address: 00:19:e2:50:a8:a1
Last flapped : 2008-01-29 10:54:31 UTC (01:36:47 ago)
Traffic statistics:
Input bytes : 368613240000 0 bps
Output bytes : 368642493760 0 bps
Input packets: 5759581881 0 pps
Output packets: 5760038969 0 pps
Egress queues: 8 supported, 0 in use
Queue counters: Queued packets Transmitted packets Dropped packets
0 best-effort 0 5760782572 0
1 assured-forw 0 0 0
5 expedited-fo 0 0 0
7 network-cont 0 0 0
Logical interface ge-0/0/0.0 (Index 66) (SNMP ifIndex 22) (Generation 132)
Flags: SNMP-Traps Encapsulation: ENET2
Traffic statistics:
Input bytes : 60
Output bytes : 0
Input packets: 1
Output packets: 0
Local statistics:
Input bytes : 60
Output bytes : 0
Input packets: 1
Output packets: 0
Transit statistics:


Protocol eth-switch, MTU: 0, Generation: 143, Route table: 0
Flags: Is-Primary
show interfaces user@host> show interfaces ge-0/0/0 extensive

extensive (Gigabit Physical interface: ge-0/0/0, Enabled, Physical link is Up
Ethernet) Interface index: 129, SNMP ifIndex: 21, Generation: 130
Link-level type: Ethernet, MTU: 1514, Speed: Auto, Loopback: Disabled,
Link flags : None
Current address: 00:19:e2:50:a8:a1, Hardware address: 00:19:e2:50:a8:a1
Traffic statistics:
Input errors:
Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
FIFO errors: 0, Resource errors: 0
Output errors:
Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0,
Output errors:
FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
0 best-effort 0 6036979415 0
MAC statistics: Receive Transmit
Total octets 386327695808 386356949568
Total packets 6036370253 6036827341
Unicast packets 6036370252 6036827341
Broadcast packets 0 0
Multicast packets 1 0
CRC/Align errors 0 0
FIFO errors 0 0
MAC control frames 0 0
MAC pause frames 0 0
Oversized frames 0
Jabber frames 0
Fragment frames 0
VLAN tagged frames 0
Code violations 0
Filter statistics:

Input packet count 0

Input packet rejects 0
Input DA rejects 0
Input SA rejects 0
Output packet count 0
Output packet pad count 0
Output packet error count 0
CAM destination filters: 0, CAM source filters: 0
Autonegotiation information:
Negotiation status: Complete
Link partner:
Link mode: Full-duplex, Flow control: None, Remote fault: OK,
Link partner Speed: 1000 Mbps
Local resolution:
Flow control: None, Remote fault: Link OK
Packet Forwarding Engine configuration:
Destination slot: 0
Logical interface ge-0/0/0.0 (Index 66) (SNMP ifIndex 22) (Generation 132)
Traffic statistics:
Input bytes : 60
Output bytes : 0
Input packets: 1
Output packets: 0
Local statistics:
Input bytes : 60
Output bytes : 0
Input packets: 1
Output packets: 0
Transit statistics:
Flags: Is-Primary

show interfaces
Syntax show interfaces xe-fpc/pic/port

<brief | detail | extensive | terse>
<descriptions>
<media>
<snmp-index snmp-index>
<statistics>
Description Display status information about the specified 10-Gigabit Ethernet interface.
Options xe-fpc/pic/port—Display standard information about the specified 10-Gigabit Ethernet

interface.
brief | detail | extensive | terse—(Optional) Display the specified level of output.
descriptions—(Optional) Display interface description strings.
media—(Optional) Display media-specific information about network interfaces.
snmp-index snmp-index—(Optional) Display information for the specified SNMP index

of the interface.
statistics—(Optional) Display static interface statistics.

List of Sample Output show interfaces (10-Gigabit Ethernet) on page 313
show interfaces brief (10-Gigabit Ethernet) on page 313
show interfaces detail (10-Gigabit Ethernet) on page 313
show interfaces extensive (10-Gigabit Ethernet) on page 314
Output Fields Table 48 on page 306 lists the output fields for the show interfaces command. Output
Table 48: 10-Gigabit Ethernet show interfaces Output Fields
Physical Interface
Enabled State of the interface. All levels
Interface index Index number of the physical interface, which reflects its initialization sequence. detail extensive none
SNMP ifIndex SNMP index number for the physical interface. detail extensive none

Table 48: 10-Gigabit Ethernet show interfaces Output Fields (continued)
Link-level type Encapsulation being used on the physical interface. All levels
MTU Maximum transmission unit size on the physical interface. All levels
Speed Speed at which the interface is running. All levels
Loopback Loopback status: Enabled or Disabled. If loopback is enabled, type of loopback: All levels
Local or Remote.
Source filtering Source filtering status: Enabled or Disabled. All levels
LAN-PHY mode 10-Gigabit Ethernet interface operating in Local Area Network Physical Layer All levels
Device (LAN PHY) mode. LAN PHY allows 10-Gigabit Ethernet wide area links
to use existing Ethernet applications.
Unidirectional Unidirectional link mode status for 10-Gigabit Ethernet interface: Enabled or All levels
Disabled for parent interface; Rx-only or Tx-only for child interfaces.
Flow control Flow control status: Enabled or Disabled. All levels
Auto-negotiation Autonegotiation status: Enabled or Disabled. All levels
Remote-fault Remote fault status: All levels

■ Online—Autonegotiation is manually configured as online.
■ Offline—Autonegotiation is manually configured as offline.
Device flags Information about the physical device. All levels
Interface flags Information about the interface. All levels
Link flags Information about the link. All levels
Wavelength Configured wavelength, in nanometers (nm). All levels
Frequency Frequency associated with the configured wavelength, in terahertz (THz). All levels
CoS queues Number of CoS queues configured. detail extensive none
Schedulers Number of CoS schedulers configured. extensive
Hold-times Current interface hold-time up and hold-time down, in milliseconds. detail extensive
Current address Configured MAC address. detail extensive none
Hardware address Hardware MAC address. detail extensive none
Last flapped Date, time, and how long ago the interface went from down to up. The format detail extensive none
is Last flapped: year-month-day hour: :minute:second:timezone ( hour:minute:second
ago). For example, Last flapped: 2008–01–16 10:52:40 UTC (3d 22:58 ago).
Input Rate Input rate in bits per second (bps) and packets per second (pps). None specified
Output Rate Output rate in bps and pps. None specified

Statistics last Time when the statistics for the interface were last set to zero. detail extensive
cleared
Traffic statistics Number and rate of bytes and packets received and transmitted on the physical detail extensive
interface.
■ Input bytes—Number of bytes received on the interface.
■ Output bytes—Number of bytes transmitted on the interface.
■ Input packets—Number of packets received on the interface
■ Output packets—Number of packets transmitted on the interface.
NOTE: The bandwidth bps counter is not enabled on this platform.
Input errors Input errors on the interface. The following paragraphs explain the counters extensive
■ Errors—Sum of the incoming frame aborts and FCS errors.
■ Drops—Number of packets dropped by the input queue of the I/O Manager
ASIC. If the interface is saturated, this number increments once for every
packet that is dropped by the ASIC's RED mechanism.
■ Framing errors—Number of packets received with an invalid frame
checksum (FCS).
■ Runts—Number of frames received that are smaller than the runt threshold.
■ Policed discards—Number of frames that the incoming packet match code
discarded because they were not recognized or not of interest. Usually,
this field reports protocols that the JUNOS software does not handle.
■ L3 incompletes—Number of incoming packets discarded because they
failed Layer 3 sanity checks of the header. For example, a frame with less
than 20 bytes of available IP header is discarded. L3 incomplete errors
can be ignored by if you configure the ignore-l3-incompletes statement.
■ L2 channel errors—Number of times the software did not find a valid logical
interface for an incoming frame.
■ L2 mismatch timeouts—Number of malformed or short packets that caused
the incoming packet handler to discard the frame as unreadable.
■ FIFO errors—Number of FIFO errors in the receive direction that are
reported by the ASIC on the PIC. If this value is ever nonzero, the PIC is
probably malfunctioning.

Output errors Output errors on the interface. The following paragraphs explain the counters extensive
■ Carrier transitions—Number of times the interface has gone from down to
up. This number does not normally increment quickly, increasing only
when the cable is unplugged, the far-end system is powered down and
then up, or another problem occurs. If the number of carrier transitions
increments quickly (perhaps once every 10 seconds), the cable, the far-end
system, or the PIC or PIM is malfunctioning.
■ Errors—Sum of the outgoing frame aborts and FCS errors.
■ Drops—Number of packets dropped by the output queue of the I/O
■ Aged packets—Number of packets that remained in shared packet SDRAM
so long that the system automatically purged them. The value in this field
should never increment. If it does, it is most likely a software bug or
possibly malfunctioning hardware.
■ FIFO errors—Number of FIFO errors in the send direction as reported by
the ASIC on the PIC. If this value is ever nonzero, the PIC is probably
malfunctioning.
■ HS link CRC errors—Number of errors on the high-speed links between
the ASICs responsible for handling the router interfaces.
■ MTU errors—Number of packets whose size exceeded the MTU of the
interface.
Egress queues Total number of egress queues supported on the specified interface. detail extensive
Queue counters CoS queue number and its associated user-configured forwarding class name. detail extensive
(Egress)
mechanism.
Ingress queues Total number of ingress queues supported on the specified interface. Displayed extensive
on IQ2 interfaces.
Queue counters CoS queue number and its associated user-configured forwarding class name. extensive
(Ingress) Displayed on IQ2 interfaces.
mechanism.

Active alarms and Ethernet-specific defects that can prevent the interface from passing packets. detail extensive none
Active defects When a defect persists for a certain amount of time, it is promoted to an alarm.
Based on the router configuration, an alarm can ring the red or yellow alarm
bell on the router, or turn on the red or yellow alarm LED on the craft interface.
These fields can contain the value None or Link.
■ None—There are no active defects or alarms.
■ Link—Interface has lost its link state, which usually means that the cable
is unplugged, the far-end system has been turned off, or the PIC is
malfunctioning.
PCS statistics Physical Coding Sublayer (PCS) fault conditions from the LAN PHY device. detail extensive
MAC statistics Receive and Transmit statistics reported by the PIC's MAC subsystem. extensive
■ Total octets and total packets—Total number of octets and packets. For
Gigabit Ethernet IQ PICs, the received octets count varies by interface
type.
■ Unicast packets, Broadcast packets, and Multicast packets—Number of
unicast, broadcast, and multicast packets.
■ CRC/Align errors—Total number of packets received that had a length
(excluding framing bits, but including FCS octets) of between 64 and 1518
octets, inclusive, and had either a bad FCS with an integral number of
octets (FCS Error) or a bad FCS with a nonintegral number of octets
(Alignment Error).
■ FIFO error—Number of FIFO errors that are reported by the ASIC on the
PIC. If this value is ever nonzero, the PIC is probably malfunctioning.
■ MAC control frames—Number of MAC control frames.
■ MAC pause frames—Number of MAC control frames with pause operational
code.
■ Oversized frames—Number of frames that exceed 1518 octets.
■ Jabber frames—Number of frames that were longer than 1518 octets
error or an alignment error. This definition of jabber is different from the
definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4
(10BASE2). These documents define jabber as the condition in which any
packet exceeds 20 ms. The allowed range to detect jabber is from 20 ms
to 150 ms.
■ Fragment frames—Total number of packets that were less than 64 octets
in length (excluding framing bits, but including FCS octets), and had either
an FCS error or an alignment error. Fragment frames normally increment
because both runts (which are normal occurrences caused by collisions)
and noise hits are counted.
■ VLAN tagged frames—Number of frames that are VLAN tagged. The system
uses the TPID of 0x8100 in the frame to determine whether a frame is
tagged or not.
■ Code violations—Number of times an event caused the PHY to indicate
“Data reception error” or “invalid data symbol error.”
Filter statistics Receive and Transmit statistics reported by the PIC's MAC address filter extensive
subsystem.

Autonegotiation Information about link autonegotiation. extensive

information
■ Negotiation status:
■ Incomplete—Ethernet interface has the speed or link mode configured.
■ No autonegotiation—Remote Ethernet interface has the speed or link
mode configured, or does not perform autonegotiation.
■ Complete—Ethernet interface is connected to a device that performs
autonegotiation and the autonegotiation process is successful.
■ Link partner status—OK when Ethernet interface is connected to a device
that performs autonegotiation and the autonegotiation process is
successful.
■ Link partner:
■ Link mode—Depending on the capability of the attached Ethernet
device, either Full-duplex or Half-duplex.
device. For Fast Ethernet interfaces, the type is None. For Gigabit
Ethernet interfaces, types are Symmetric (link partner supports PAUSE
on receive and transmit), Asymmetric (link partner supports PAUSE
on transmit), and Symmetric/Asymmetric (link partner supports both
PAUSE on receive and transmit or only PAUSE receive).
■ Remote fault—Remote fault information from the link partner—Failure
indicates a receive link error. OK indicates that the link partner is
receiving. Negotiation error indicates a negotiation error. Offline
indicates that the link partner is going offline.
■ Local resolution—Information from the link partner:
receive).
■ Remote fault—Remote fault information. Link OK (no error detected
on receive), Offline (local interface is offline), and Link Failure (link
error detected on receive).

Packet Forwarding Information about the configuration of the Packet Forwarding Engine: extensive
Engine
■ Destination slot—FPC slot number.
configuration
■ CoS transmit queue—Queue number and its associated user-configured
forwarding class name.
■ Bandwidth %—Percentage of bandwidth allocated to the queue.
■ Bandwidth bps—Bandwidth allocated to the queue (in bps).
■ Buffer %—Percentage of buffer space allocated to the queue.
■ Buffer usec—Amount of buffer space allocated to the queue, in

microseconds. This value is nonzero only if the buffer size is configured
in terms of time.
■ Priority—Queue priority: low or high.
■ Limit—Displayed if rate limiting is configured for the queue. Possible values

are none and exact. If exact is configured, the queue transmits only up to
the configured bandwidth, even if excess bandwidth is available. If none
is configured, the queue transmits beyond the configured bandwidth if
bandwidth is available.
Logical Interface
Logical interface Name of the logical interface. All levels
Index Index number of the logical interface, which reflects its initialization sequence. detail extensive none
SNMP ifIndex SNMP interface index number for the logical interface. detail extensive none
Flags Information about the logical interface. All levels
Encapsulation Encapsulation on the logical interface. All levels
Protocol Protocol family. detail extensive none
MTU This field is not supported for logical interfaces on EX-series switches. detail extensive none
Route Table Route table in which the logical interface address is located. For example, 0 detail extensive none
refers to the routing table inet.0.
Flags Information about protocol family flags. detail extensive
Addresses, Flags Information about the address flags. detail extensive none
protocol-family Protocol family configured on the logical interface. If the protocol is inet, the brief
IP address of the interface is also displayed.
Flags Information about address flag. detail extensive none

Destination IP address of the remote side of the connection. detail extensive none
Local IP address of the logical interface. detail extensive none
Broadcast Broadcast address of the logical interlace. detail extensive none
show interfaces user@host> show interfaces xe-0/1/0

(10-Gigabit Ethernet) Physical interface: xe-0/1/0, Enabled, Physical link is Up
Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, Loopback: Disabled,
Source filtering: Disabled, Flow control: Enabled
Link flags : None
Current address: 00:19:e2:50:c8:99, Hardware address: 00:19:e2:50:c8:99
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
Logical interface xe-0/1/0.0 (Index 88) (SNMP ifIndex 70)
Input packets : 0
Output packets: 0
Protocol eth-switch, MTU: 0
Flags: None
show interfaces brief user@host> show interfaces brief xe-0/1/0

Link flags : None
Logical interface xe-0/1/0.0

eth-switch
show interfaces detail user@host> show interfaces detail xe-0/1/0

Interface index: 153, SNMP ifIndex: 69, Generation: 154
Link flags : None


Traffic statistics:
0 best-effort 0 0 0

Logical interface xe-0/1/0.0 (Index 88) (SNMP ifIndex 70) (Generation 154)
Traffic statistics:
Input bytes : 0
Output bytes : 0
Input packets: 0
Output packets: 0
Local statistics:
Input bytes : 0
Output bytes : 0
Input packets: 0
Output packets: 0
Transit statistics:
Flags: None
show interfaces user@host> show interfaces extensive xe-0/1/0

extensive (10-Gigabit Physical interface: xe-0/1/0, Enabled, Physical link is Up
Ethernet) Interface index: 153, SNMP ifIndex: 69, Generation: 154
Link flags : None
Traffic statistics:

Input errors:
Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0,
L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
Output errors:
FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0

0 best-effort 0 0 0

MAC statistics: Receive Transmit
Total octets 0 0
Total packets 0 0
Unicast packets 0 0
Broadcast packets 0 0
Multicast packets 0 0
CRC/Align errors 0 0
FIFO errors 0 0
MAC control frames 0 0
MAC pause frames 0 0
Oversized frames 0
Jabber frames 0
Fragment frames 0
VLAN tagged frames 0
Code violations 0
Filter statistics:
Input packet count 0
Input packet rejects 0
Input DA rejects 0
Input SA rejects 0
Output packet count 0
Output packet pad count 0
Output packet error count 0
CAM destination filters: 0, CAM source filters: 0
Autonegotiation information:
Negotiation status: Incomplete
Packet Forwarding Engine configuration:
Destination slot: 0
Direction : Output
CoS transmit queue Bandwidth Buffer Priority
Limit
% bps % usec
0 best-effort 95 950000000 95 0 low
none
7 network-control 5 50000000 5 0 low
none
Logical interface xe-0/1/0.0 (Index 88) (SNMP ifIndex 70) (Generation 154)
Traffic statistics:

Input bytes : 0
Output bytes : 0
Input packets: 0
Output packets: 0
Local statistics:
Input bytes : 0
Output bytes : 0
Input packets: 0
Output packets: 0
Transit statistics:
Flags: None

show interfaces diagnostics optics
Syntax show interfaces diagnostics optics interface-name
Description Display diagnostics data and alarms for 10-Gigabit Ethernet dense wavelength-division
multiplexing (DWDM) interfaces.
Thresholds that trigger a high alarm, low alarm, high warning, or low warning are
set by the transponder vendors. Generally, a high alarm or low alarm indicates that
the optics module is not operating properly. This information can be used to diagnose
why a PIC is not working.
Options interface-name—Interface name: ge-fpc/pic/port or xe-fpc/pic/port.

List of Sample Output show interfaces diagnostics optics (XFP Optics) on page 319
Output Fields Table 49 on page 317 lists the output fields for the show interfaces diagnostics optics
command when the router is operating with XFP optics. Output fields are listed in
the approximate order in which they appear.
Table 49: 10-Gigabit Ethernet XFP Optics show interfaces diagnostics optics Output Fields
Physical interface Name of the physical interface.
Laser bias current Magnitude of the laser bias power setting current, in milliamperes. The laser bias provides direct
modulation of laser diodes and modulates currents.
Laser output power Laser output power, in milliwatts (mW) and decibels, referenced to 1.0 mW (dBm). This is a software
equivalent to the LsPOWMON pin in hardware.
Module temperature Temperature of the XFP optics module, in Celsius and Fahrenheit.
Laser rx power Laser received optical power, in mW and dBm.
Laser bias current high Laser bias power setting high alarm. Displays on or off.
alarm
Laser bias current low Laser bias power setting low alarm. Displays on or off.
alarm
Laser bias current high Laser bias power setting high warning. Displays on or off.
warning
Laser bias current low Laser bias power setting low warning. Displays on or off.
warning
Laser output power high Laser output power high alarm. Displays on or off.
alarm
show interfaces diagnostics optics ■ 317

Table 49: 10-Gigabit Ethernet XFP Optics show interfaces diagnostics optics Output Fields (continued)
Laser output power low Laser output power low alarm. Displays on or off.
alarm
Laser output power high Laser output power high warning. Displays on or off.
warning
Laser output power low Laser output power low warning. Displays on or off.
warning
Module temperature Module temperature high alarm. Displays on or off.

high alarm
Module temperature low Module temperature low alarm. Displays on or off.

alarm
Module temperature Module temperature high warning. Displays on or off.

high warning
Module temperature low Module temperature low warning. Displays on or off.

warning
Laser rx power high Receive laser power high alarm. Displays on or off.
alarm
Laser rx power low Receive laser power low alarm. Displays on or off.
alarm
Laser rx power high Receive laser power high warning. Displays on or off.
warning
Laser rx power low Receive laser power low warning. Displays on or off.
warning
Module not ready alarm Module not ready alarm. When on, indicates the module has an operational fault. Displays on or off.
Module power down Module power down alarm. When on, module is in a limited power mode, low for normal operation.
alarm Displays on or off.
Tx data not ready alarm Any condition leading to invalid data on the transmit path. Displays on or off.
Tx not ready alarm Any condition leading to invalid data on the transmit path. Displays on or off.
Tx laser fault alarm Laser fault condition. Displays on or off.
Tx CDR loss of lock Transmit clock and data recovery (CDR) loss of lock. Loss of lock on the transmit side of the CDR.
alarm Displays on or off.
Rx not ready alarm Any condition leading to invalid data on the receive path. Displays on or off.
Rx loss of signal alarm Receive Loss of Signal alarm. When on, indicates insufficient optical input power to the module.
Displays on or off.
Rx CDR loss of lock Receive CDR loss of lock. Loss of lock on the receive side of the CDR. Displays on or off.
alarm
318 ■ show interfaces diagnostics optics

Table 49: 10-Gigabit Ethernet XFP Optics show interfaces diagnostics optics Output Fields (continued)
Laser bias current high Vendor-specified threshold for the laser bias current high alarm: 130.000 mA.
alarm threshold
Laser bias current low Vendor-specified threshold for the laser bias current low alarm: 10.000 mA.
alarm threshold
Laser bias current high Vendor-specified threshold for the laser bias current high warning: 120.000 mA.
warning threshold
Laser bias current low Vendor-specified threshold for the laser bias current low warning: 12.000 mA.
warning threshold
Laser output power high Vendor-specified threshold for the laser output power high alarm: 0.8910 mW or -0.50 dBm.
alarm threshold
Laser output power low Vendor-specified threshold for the laser output power low alarm: 0.2230 mW or -6.52 dBm.
alarm threshold
Laser output power high Vendor-specified threshold for the laser output power high warning: 0.7940 mW or -100 dBm.
warning threshold
Laser output power low Vendor-specified threshold for the laser output power low warning: 0.2510 mW or -600 dBm.
warning threshold
Module temperature Vendor-specified threshold for the module temperature high alarm: 90° C or 194° F.
high alarm threshold
Module temperature low Vendor-specified threshold for the module temperature low alarm: -5° C or 23° F.
alarm threshold
Module temperature Vendor-specified threshold for the module temperature high warning: 85 ° C or 185 ° F.
high warning threshold
Module temperature low Vendor-specified threshold for the module temperature low warning: 0° C or 32° F.
warning threshold
Laser rx power high Vendor-specified threshold for the laser Rx power high alarm: 1.2589 mW or 1.00 dBm.
alarm threshold
Laser rx power low Vendor-specified threshold for the laser Rx power low alarm: 0.0323 mW or -14.91 dBm.
alarm threshold
Laser rx power high Vendor-specified threshold for the laser Rx power high warning: 1.1220 mW or 0.50 dBm.
warning threshold
Laser rx power low Vendor-specified threshold for the laser Rx power low warning: 0.0363 mW or -14.40 dBm.
warning threshold
show interfaces user@host> show interfaces diagnostics optics xe-2/1/0

diagnostics optics Physical interface: xe-2/1/0
(XFP Optics) Laser bias current : 52.060 mA
show interfaces diagnostics optics ■ 319

Laser output power : 0.5640 mW / -2.49 dBm

Module temperature : 31 degrees C / 88 degrees F
Laser rx power : 0.0844 mW / -10.74 dBm
Laser bias current high alarm : Off
Laser bias current low alarm : Off
Laser bias current high warning : Off
Laser bias current low warning : Off
Laser output power high alarm : Off
Laser output power low alarm : Off
Laser output power high warning : Off
Laser output power low warning : Off
Module temperature high alarm : Off
Module temperature low alarm : Off
Module temperature high warning : Off
Module temperature low warning : Off
Laser rx power high alarm : Off
Laser rx power low alarm : Off
Laser rx power high warning : Off
Laser rx power low warning : Off
Module not ready alarm : Off
Module power down alarm : Off
Tx data not ready alarm : Off
Tx not ready alarm : Off
Tx laser fault alarm : Off
Tx CDR loss of lock alarm : Off
Rx not ready alarm : Off
Rx loss of signal alarm : Off
Rx CDR loss of lock alarm : Off
Laser bias current high alarm threshold : 130.000 mA
Laser bias current low alarm threshold : 10.000 mA
Laser bias current high warning threshold : 120.000 mA
Laser bias current low warning threshold : 12.000 mA
Laser output power high alarm threshold : 0.8910 mW / -0.50 dBm
Laser output power low alarm threshold : 0.2230 mW / -6.52 dBm
Laser output power high warning threshold : 0.7940 mW / -1.00 dBm
Laser output power low warning threshold : 0.2510 mW / -6.00 dBm
Module temperature high alarm threshold : 90 degrees C / 194 degrees F
Module temperature low alarm threshold : -5 degrees C / 23 degrees F
Module temperature high warning threshold : 85 degrees C / 185 degrees F
Module temperature low warning threshold : 0 degrees C / 32 degrees F
Laser rx power high alarm threshold : 1.2589 mW / 1.00 dBm
Laser rx power low alarm threshold : 0.0323 mW / -14.91 dBm
Laser rx power high warning threshold : 1.1220 mW / 0.50 dBm
Laser rx power low warning threshold : 0.0363 mW / -14.40 dBm
320 ■ show interfaces diagnostics optics

Part 8
Layer 2 Bridging, VLANs, and Spanning
Trees
■ Understanding Layer 2 Bridging, VLANs, and GVRP on page 323
■ Examples of Configuring Layer 2 Bridging, VLANs, and GVRP on page 329
■ Configuring Layer 2 Bridging, VLANs, and GVRP on page 365
■ Understanding Spanning Trees on page 369
■ Examples of Configuring Spanning Trees on page 373
■ Configuration Statements for Bridging, VLANs, and Spanning Trees on page 405
■ Operational Mode Commands for Bridging, VLANs, and Spanning
Trees on page 443
Layer 2 Bridging, VLANs, and Spanning Trees ■ 321

322 ■ Layer 2 Bridging, VLANs, and Spanning Trees

Chapter 25
Understanding Layer 2 Bridging, VLANs,
and GVRP
■ Understanding Bridging and VLANs on EX-series Switches on page 323
Understanding Bridging and VLANs on EX-series Switches

Network switches use Layer 2 bridging protocols to discover the topology of their
LAN and to forward traffic toward destinations on the LAN.
This topic explains the following concepts regarding bridging and VLANs on EX-series
switches:
■ Ethernet LANs, Transparent Bridging, and VLANs on page 323
■ How Bridging Works on page 324
■ Types of Switch Ports on page 326
■ IEEE 802.1Q Encapsulation and Tags on page 326
■ Assignment of Traffic to VLANs on page 326
■ Bridge Tables on page 327
■ Layer 2 and Layer 3 Forwarding of VLAN Traffic on page 327
■ GVRP on page 327
■ Routed VLAN Interface on page 327
Ethernet LANs, Transparent Bridging, and VLANs

Ethernet is a data link layer technology, as defined by Layer 2 of the Open Systems
Interconnection (OSI) model of communications protocols. Ethernet was first
standardized by the IEEE in 1982, in IEEE 802.3. Ethernet is used to create LANs.
The network devices, called nodes, on the LAN transmit data in bundles that are
generally called frames or packets.
Each node on a LAN has a unique identifier so that it can be unambiguously located
on the network. Ethernet uses the Layer 2 media access control (MAC) address for
this purpose. MAC addresses are hardware addresses that are programmed (“burned”)
into the Ethernet processor in the node.
Understanding Bridging and VLANs on EX-series Switches ■ 323

A characteristic of Ethernet is that nodes on a LAN can transmit data frames at any
time. However, the physical connecting cable between the nodes—either coaxial,
copper-based (Category 5), or optical cable—can carry only a single stream of data
at a time. One result of this design is that when two nodes transmit at the same time,
their frames can collide on the cable and generate an error. Ethernet uses a protocol
called carrier-sense multiple access with collision detection (CSMA/CD) to detect
frame collisions. If a node receives a collision error message, it stops transmitting
immediately and waits for a period of time before trying to send the frame again. If
the node continues to detect collisions, it progressively increases the time between
retransmissions in an attempt to find a time when no other data is being transmitted
on the LAN. The node uses a backoff algorithm to calculate the increasing
retransmission time intervals.
Ethernet LANs were originally implemented for small, simple networks that carried
primarily text. Over time, LANs have become larger and more complex; the type of
data they carry has grown to include voice, graphics, and video; and the increased
speed of Ethernet interfaces on LANs has resulted in exponential increases in traffic
on the network.
The IEEE 802.1D-2004 standard addresses some of the problems caused by the
increase in LAN and complexity. This standard defines transparent bridging (generally
called simply bridging). Bridging divides a single physical LAN (a single broadcast
domain) into two or more virtual LANs, or VLANs. Each VLAN is a collection of network
nodes that are grouped together to form separate broadcast domains. On an Ethernet
network that is a single LAN, all traffic is forwarded to all nodes on the LAN. On
VLANs, frames whose origin and destination are in the same VLAN are forwarded
only within the local VLAN. Frames that are not destined for the local VLAN are the
only ones forwarded to other broadcast domains. VLANs thus limit the amount of
traffic flowing across the entire LAN, reducing the possible number of collisions and
packet retransmissions within a VLAN and on the LAN as a whole.
On an Ethernet LAN, all network nodes must be physically connected to the same
network. On VLANs, the physical location of the nodes is not important, so you can
group network devices in any way that makes sense for your organization, such as
by department or business function, types of network nodes, or even physical location.
Each VLAN is identified by a single IP subnetwork and by standardized IEEE 802.1Q
encapsulation (discussed below).
How Bridging Works

The transparent bridging protocol allows a switch to learn information about all the
nodes on the LAN, including nodes on all the different VLANs. The switch uses this
information to create address-lookup tables, called bridge tables that it consults when
forwarding traffic to or toward a destination on the LAN.
Transparent bridging uses five mechanisms to create and maintain bridge tables on
the switch:
324 ■ How Bridging Works

Chapter 25: Understanding Layer 2 Bridging, VLANs, and GVRP
■ Learning
■ Forwarding
■ Flooding
■ Filtering
■ Aging
The first bridging mechanism is learning. When a switch is first connected to an

Ethernet LAN or VLAN, it has no information about other nodes on the network. The
switch goes through a learning process to obtain the MAC addresses of all the nodes
on the network. It stores these in the bridge table. To learn MAC addresses, the switch
reads all packets that it detects on the LAN or on the local VLAN, looking for MAC
addresses of sending nodes. It places these addresses into its bridge table, along with
two other pieces of information—the interface (or port) on which the traffic was
received and the time when the address was learned.
The second bridging mechanism is forwarding. Switches forward traffic, passing it

from an incoming interface to an outgoing interface that leads to or toward the
destination. To forward frames, the switch consults the bridge table to see whether
the table contains the MAC address corresponding to the frames' destination. If the
bridge table contains an entry for the desired destination address, the switch sends
the traffic out the interface associated with the MAC address. The switch also consults
the bridge table in the same way when transmitting frames that originate on devices
connected directly to the switch. If the bridge table does not contain an entry for the
desired destination address, the switch uses flooding, which is the third bridging
mechanism.
Flooding is how the switch learns about destinations not in its bridge table. If this
table has no entry for a particular destination MAC address, the switch floods the
traffic out all interfaces except the interface on which it was received. (If traffic
originates on the switch, the switch floods it out all interfaces.) When the destination
node receives the flooded traffic, it sends an acknowledgment packet back to the
switch, allowing it to learn the MAC address of the node and to add the address to
its bridge table.
Filtering, the fourth bridging mechanism, is how broadcast traffic is limited to the
local VLAN whenever possible. As the number of entries in the bridge table grows,
the switch pieces together an increasingly complete picture of the VLAN and the
larger LAN—of which nodes are in the local VLAN and which are on other network
segments. The switch uses this information to filter traffic. Specifically, for traffic
whose source and destination MAC addresses are in the local VLAN, filtering prevents
the switch from forwarding this traffic to other network segments.
Finally, the switch uses aging, the fifth bridging mechanism, to keep the entries in
the bridge table current. For each MAC address in the bridge table, the switch records
a timestamp of when the information about the network node was learned. Each
time the switch detects traffic from a MAC address, it updates the timestamp. A timer
on the switch periodically checks the timestamp, and if it is older than a
user-configured value, the switch removes the node's MAC address from the bridge
table. This aging process ensures that the switch tracks only active nodes on the
network and that it is able to flush out network nodes that are no longer available.
How Bridging Works ■ 325

Types of Switch Ports

The ports, or interfaces, on a switch operate in either access mode or trunk mode.
An interface in access mode connects to a network device, such as a desktop

computer, an IP telephone, a printer, a file server, or a security camera. The interface
itself belongs to a single VLAN. The frames transmitted over an access interface are
normal Ethernet frames. By default, when you boot a switch and use the
factory-default configuration, or when you boot the switch and do not explicitly
configure a port mode, all interfaces on the switch are in access mode.
Trunk interfaces handle traffic for multiple VLANs, multiplexing the traffic for all
those VLANs over the same physical connection. Trunk interfaces are generally used
to interconnect switches to one another.
IEEE 802.1Q Encapsulation and Tags

To identify which VLAN traffic belongs to, all frames on an Ethernet VLAN are
identified by a tag, as defined in the IEEE 802.1Q standard. These frames are tagged
and are encapsulated with 802.1Q tags, sometimes referred to simply as dotq1 tags.
For a simple network that has only a single VLAN, all traffic has the same dot1q tag.
When an Ethernet LAN is divided into VLANs, each VLAN is identified by a unique
dot1q tag. The tag is applied to all frames so that the network nodes receiving the
frames know which VLAN the frames belong to. Trunk ports, which multiplex traffic
among a number of VLANs, use the tag to determine to origin of frames and where
to forward them.
EX-series 3200 switches support a maximum of 4096 VLANs. VLANs 0 and 4095 are
reserved by the JUNOS software, so you cannot use them in your network.
Assignment of Traffic to VLANs

You assign traffic to a particular VLAN in one of the following ways:
■ By interface (port) on the switch. You specify that all traffic received on a
particular interface on the switch is assigned to a specific VLAN. If you use the
default factory switch settings, all traffic received on an access interface is
untagged. This traffic is part of a default VLAN, but it is not tagged with a dotq1
tag. When configuring the switch, you specify which VLAN to assign the traffic
to. You configure the VLAN either by using a VLAN number (called a VLAN ID)
or by using a name, which the switch translates into a numeric VLAN ID.
■ By network protocol. You specify that all traffic received on a particular interface
that is using a particular protocol is assigned to a specific VLAN. You can classify
VLANs by IPv4, IPv6, and AppleTalk traffic. [VERIFY THAT THIS LIST IS CORRECT]
■ By MAC address. You can specify that all traffic received from a specific MAC
address be forwarded to a specific egress interface (next hop) on the switch. This
method is administratively cumbersome to configure manually, but it can be
useful when you are using automated databases to manage the switches on your
network.
326 ■ Types of Switch Ports

Chapter 25: Understanding Layer 2 Bridging, VLANs, and GVRP
Bridge Tables
As EX-series switches learn the MAC addresses of the devices on local VLANs, they
store them in the bridge on the switch. With each MAC address, the bridge table
stores and associates the name of the interface (or port) on which the switch learned
that address. The switch uses the information in this table when forwarding packets
toward their destination.
Layer 2 and Layer 3 Forwarding of VLAN Traffic

To pass traffic within a VLAN, the switch uses Layer 2 forwarding protocols, including
IEEE 802.1Q, spanning-tree protocol (STP), and Generic VLAN Registration Protocol
(GVRP).
To pass traffic between two VLANs, the switch uses standard Layer 3 routing protocols,
such as static routing, OSPF, and RIP. On EX-series switches, the same interfaces
that support Layer 2 bridging protocols also support Layer 3 routing protocols,
providing multilayer switching.
GVRP
The GARP VLAN Registration Protocol (GVRP) is an application protocol of the Generic
Attribute Registration Protocol (GARP) and is defined in the IEEE 802.1Q standard.
GVRP learns VLANs on a particular 802.1Q trunk port and adds the corresponding
trunk port to the VLAN if the advertised VLAN is preconfigured on the switch.
The VLAN registration information sent by GVRP includes the current VLANs
membership—that is, which switches are members of which VLANs—and which
switch ports are in which VLAN. GVRP shares all VLAN information configured
manually on a local switch.
As part of ensuring that VLAN membership information is current, GVRP removes

switches and ports from the VLAN information when they become unavailable.
Pruning VLAN information:
■ Limits the network VLAN configuration to active participants only, reducing
network overhead.
■ Targets the scope of broadcast, unknown unicast, and multicast (BUM) traffic to
interested devices only.
Routed VLAN Interface

In a traditional network, broadcast domains consist of either physical ports connected
to a single switch or logical ports connected to one or more switches through VLAN
configurations. Switches send traffic to hosts that are part of the same broadcast
domain, but routers are needed to route traffic from one broadcast domain to another
and to perform other Layer 3 functions such as traffic engineering. EX-series switches
use a routed VLAN interface (RVI) to perform these routing functions, using it to route
data to other Layer 3 interfaces. This functionality eliminates the need for both a
switch and a router.
Bridge Tables ■ 327

The RVI interface must be configured as part of an bridging domain or VPLS routing
instance in order for Layer 3 traffic to be routed out of it. The RVI interface supports
IPv4, IPv6, MPLS, and ISIS traffic. At least one Layer 2 logical interface should be
operationally up in order for the RVI interface to be operationally up. You must
configure an IRB bridging domain or VPLS routing instance just as you would configure
a VLAN on a switch. Multicast data, broadcast data, or unicast data is switched
between ports within the same RVI bridging domain or VPLS routing instance. The
RVI interface routes data that is destined for the router’s media access control (MAC)
address.
To learn more about configuring routing protocols and policies, see the JUNOS Routing
Protocols Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/.
Related Topics
■ Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch
■ Example: Setting Up Bridging with Multiple VLANs for EX-series Switches
■ Example: Configure Automatic VLAN Administration Using GVRP

Chapter 26
Examples of Configuring Layer 2 Bridging,
VLANs, and GVRP
■ Example: Setting Up Basic Bridging and a VLAN for an EX-series

Switch on page 329
■ Example: Setting Up Bridging with Multiple VLANs for EX-series
■ Example: Connecting an Access Switch to a Distribution Switch on page 345
■ Example: Configure Automatic VLAN Administration Using GVRP on page 355
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch

EX-series switches use bridging and virtual LANs (VLANs) to connect network devices
in a LAN—desktop computers, IP telephones, printers, file servers, wireless access
points, and others—and to segment the LAN into smaller bridging domains. The
switch's default configuration provides a quick setup of bridging and a single VLAN.
This example describes how to configure basic bridging and VLANs for an EX-series
switch:
Requirements
■ One EX-series 4200 virtual chassis switch
Before you set up bridging and a VLAN, be sure you have:

■ Installed your EX-series switch. See Installing and Connecting an EX-series Switch.
Example: Setting Up Basic Bridging and a VLAN for an EX-series Switch ■ 329
■ Performed the initial switch configuration. See Connecting and Configuring the
EX-series Switch (J-Web Procedure).

EX-series switches connect network devices in an office LAN or a data center LAN
to provide sharing of common resources such as printers and file servers and to
enable wireless devices to connect to the LAN through wireless access points (wireless
access points). Without bridging and VLANs, all devices on the Ethernet LAN are in
a single broadcast domain, and all the devices detect all the packets on the LAN.
Bridging creates separate broadcast domains on the LAN, creating VLANs, which are
independent logical networks that group together related devices into separate
network segments. The grouping of devices on a VLAN is independent of where the
devices are physically located in the LAN.
To use an EX-series switch to connect network devices on a LAN, you must, at a

minimum, configure bridging and VLANs. If you simply power on the switch and
perform the initial switch configuration using the factory-default settings, bridging
is enabled on all the switch's interfaces, all interfaces are in access mode, and all
interfaces belong to a VLAN called default, which is automatically configured. When
you plug access devices—such as desktop computers, Avaya IP telephones, file
servers, printers, and wireless access points—into the switch, they are joined
immediately into the default VLAN and the LAN is up and running.
The topology used in this example (see Figure 1) consists of one EX 4200-24T switch,
which has a total of 24 ports. Eight of the ports support Power over Ethernet (PoE),
which means they provide both network connectivity and electric power for the
device connecting to the port. To these ports, you can plug in devices requiring PoE,
such as Avaya VoIP telephones, wireless access points, and some IP cameras. (Avaya
phones have a built-in hub that allows you to connect a desktop PC to the phone, so
the desktop and phone in a single office require only one port on the switch.) The
remaining 16 ports provide only network connectivity. You use them to connect
devices that have their own power sources, such as desktop and laptop computers,
printers, and servers. Table 1 details the topology used in this configuration example.
Table 50: Components of the Basic Bridging Configuration Topology
Property Settings
Switch hardware EX 4200-24T switch, with 24 Gigabit Ethernet ports: 8 PoE
ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE ports
(ge-0/0/8 through ge-0/0/23)
VLAN name default
Connection to wireless access point (requires PoE) ge-0/0/0
Connections to Avaya IP telephone—with integrated hub, to ge-0/0/1 through ge-0/0/7

connect phone and desktop PC to a single port (requires PoE)
Direct connections to desktop PCs (no PoE required) ge-0/0/8 through ge-0/0/12
Connections to file servers (no PoE required) ge-0/0/17 and ge-0/0/18

Chapter 26: Examples of Configuring Layer 2 Bridging, VLANs, and GVRP
Table 50: Components of the Basic Bridging Configuration Topology (continued)
Connections to integrated printer/fax/copier machines (no PoE ge-0/0/19 through ge-0/0/20

required)
Unused ports (for future expansion) ge-0/0/13 through ge-0/0/16, and ge-0/0/21 through
ge-0/0/23
Configuration
CLI Quick Configuration By default, after you perform the initial configuration on the EX 4200 switch, switching
is enabled on all interfaces, a VLAN named default is created, and all interfaces are
placed into this VLAN. You do not need to perform any other configuration on the
switch to set up bridging and VLANs. To use the switch, simply plug the Avaya IP
phones into the PoE-enabled ports ge-0/0/1 through ge-0/0/7, and plug in the PCs,
file servers, and printers to the non-PoE ports, ge-0/0/8 through ge-0/0/12 and
ge-0/0/17 through ge-0/0/20.
Step-by-Step Procedure To configure bridging and VLANs:
1. Make sure the switch is powered on.

2. Connect the wireless access point to switch port ge-0/0/0.
3. Connect the seven Avaya phones to switch ports ge-0/0/1 through ge-0/0/7.
4. Connect the five PCs to ports ge-0/0/8 through ge-0/0/12.
5. Connect the two file servers to ports ge-0/0/17 and ge-0/0/18.
6. Connect the two printers to ports ge-0/0/19 and ge-0/0/20.
Results Check the results of the configuration:
[edit]
user@switch> show configuration
## Last commit: 2008-03-06 00:11:22 UTC by triumph
version 9.0;
system {
root-authentication {
encrypted-password "$1$urmA7AFM$x5SaGEUOdSI3u1K/iITGh1"; ##
SECRET-DATA
}
syslog {
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
commit {
factory-settings {
reset-chassis-lcd-menu;
reset-virtual-chassis-configuration;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
}
}
ge-0/0/1 {
unit 0 {
}
}
ge-0/0/2 {
unit 0 {
}
}
ge-0/0/3 {
unit 0 {
}
}
ge-0/0/4 {
unit 0 {
}
}
ge-0/0/5 {
unit 0 {
}
}
ge-0/0/6 {
unit 0 {
}
}
ge-0/0/7 {
unit 0 {
}
}
ge-0/0/8 {
unit 0 {
}
}
ge-0/0/9 {
unit 0 {
}
}
ge-0/0/10 {
unit 0 {
}
}
ge-0/0/11 {
unit 0 {
}
}
ge-0/0/12 {
unit 0 {
}
}
ge-0/0/13 {
unit 0 {
}
}
ge-0/0/14 {
unit 0 {
}
}
ge-0/0/15 {
unit 0 {
}
}
ge-0/0/16 {
unit 0 {
}
}
ge-0/0/17 {
unit 0 {
}
}
ge-0/0/18 {
unit 0 {
}
}
ge-0/0/19 {
unit 0 {
}
}
ge-0/0/20 {
unit 0 {
}
}
ge-0/0/21 {
unit 0 {
}
}
ge-0/0/22 {
unit 0 {
}
}
ge-0/0/23 {
unit 0 {
}
}
ge-0/1/0 {
unit 0 {
}
}
xe-0/1/0 {
unit 0 {
}
}
ge-0/1/1 {
unit 0 {
}
}
xe-0/1/1 {
unit 0 {
}
}
ge-0/1/2 {
unit 0 {
}
}
ge-0/1/3 {
unit 0 {
}
}
}
protocols {
lldp {
interface all;
}
rstp;
}
poe {
interface all;
}
Verification
To verify that switching is operational and that a VLAN has been created, perform
these tasks:
■ Verifying That the VLAN Has Been Created on page 335
■ Verifying That Interfaces Are Associated with the Proper VLANs on page 335
Verifying That the VLAN Has Been Created

Purpose Verify that the VLAN named default has been created on the switch.
Action List all VLANs configured on the switch:

user@switch> show vlans
Name Tag Interfaces

default
ge-0/0/0.0*, ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0,
ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0,
ge-0/0/8.0*, ge-0/0/9.0, ge-0/0/10.0, ge-0/0/11.0*,
ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0,
ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0*,
ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0,
ge-0/1/0.0*, ge-0/1/1.0*, ge-0/1/2.0*, ge-0/1/3.0*
mgmt
me0.0*
What It Means The show vlans command lists the VLANs configured on the switch. This output shows
that the VLAN default has been created.
Verifying That Interfaces Are Associated with the Proper VLANs

Purpose Verify that Ethernet switching is enabled on switch interfaces and that all interfaces
are included in the VLAN.
Action List all interfaces on which switching is enabled:
Use the operational mode commands:

user@switch> show ethernet-switching interfaces

ge-0/0/0.0 up default unblocked
ge-0/0/1.0 down default blocked - blocked by STP/RTG

me0.0 up mgmt unblocked
What It Means The show ethernet-switching interfaces command lists all interfaces on which switching
is enabled (in the Interfaces column), along with the VLANs that are active on the
interfaces (in the VLAN members column). The output in this example shows all the
connected interfaces, ge-0/0/0 through ge-0/0/12 and ge-0/0/17 through ge-0/0/20
and that they are all part of VLAN default. Notice that the interfaces listed are the
logical interfaces, not the physical interfaces. For example, the output shows
ge-0/0/0.0 instead of ge-0/0/0. This is because JUNOS software creates VLANs on
logical interfaces, not directly on physical interfaces.
Related Topics
Example: Setting Up Bridging with Multiple VLANs for EX-series Switches

To segment traffic on a LAN into separate broadcast domains, you create separate
virtual LANs (VLANs) on an EX-series switch. Each VLAN is a collection of network
nodes. When you use VLANs, frames whose origin and destination are in the same
VLAN are forwarded only within the local VLAN, and only frames not destined for
the local VLAN are forwarded to other broadcast domains. VLANs thus limit the

amount of traffic flowing across the entire LAN, reducing the possible number of
collisions and packet retransmissions within the LAN.
This example describes how to configure bridging for an EX-series switch and how
to create two VLANs to segment the LAN:
Requirements
■ One EX 4200-48P virtual chassis switch
■ JUNOS for EX–series Release 9.0 or later
Before you set up bridging and VLANs, be sure you have:

■ Installed the EX-series switch. See Installing and Connecting an EX-series Switch.

EX-series switches connect all devices in an office or data center into a single LAN
to provide sharing of common resources such as printers and file servers and to
enable wireless devices to connect to the LAN through wireless access points. The
default configuration creates a single VLAN, and all traffic on the switch is part of
that broadcast domain. Creating separate network segments reduces the span of the
broadcast domain and allows you to group related users and network resources
without being limited by physical cabling or by the location of a network device in
the building or on the LAN.
This example shows a simple configuration to illustrate the basic steps for creating
two VLANs on a single switch. One VLAN, called sales, is for the sales and marketing
group, and a second, called support, is for the customer support team. The sales and
support groups each have their own dedicated file servers, printers, and wireless
access points. For the switch ports to be segmented across the two VLANs, each
VLAN must have its own broadcast domain, identified by a unique name and tag
(VLAN ID). In addition, each VLAN must be on its own distinct IP subnet.
The topology for this example consists of one EX 4200-48P switch, which has a total
of 48 Gigabit Ethernet ports, all of which support Power over Ethernet (PoE). Most
of the switch ports connect to Avaya IP telephones. The remainder of the ports
connect to wireless access points, file servers, and printers.
Table 51: Components of the Multiple VLAN Topology
Property Settings
Switch hardware EX 4200-48P, 48 Gigabit Ethernet ports, all PoE-enabled
(ge-0/0/0 through ge-0/0/47)
VLAN names and tag IDs sales, tag 100

support, tag 200
VLAN subnets sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126)

support: 192.0.2.128/25 (addresses 192.0.2.129 through
192.0.2.254)
Interfaces in VLAN sales Avaya IP telephones: ge-0/0/3 through ge-0/0/19

Wireless access points: ge-0/0/0 and ge-0/0/1
Printers: ge-0/0/22 and ge-0/0/23
File servers: ge-0/0/20 and ge-0/0/21
Interfaces in VLAN support Avaya IP telephones: ge-0/0/25 through ge-0/0/43

Wireless access points: ge-0/0/24
Unused interfaces ge-0/0/2 and ge-0/0/25
This configuration example creates two IP subnets, one for the sales VLAN and the
second for the support VLAN. The switch bridges traffic within a VLAN. For traffic
passing between two VLANs, the switch routes the traffic using a Layer 3 routing
interface on which you have configured the address of the IP subnet.
To keep the example simple, the configuration steps show only a few devices in each
of the VLANs. Use the same configuration procedure to add more LAN devices.
Configuration
Configure Layer 2 switching for two VLANs:
CLI Quick Configuration To quickly configure Layer 2 switching for the two VLANs (sales and support) and to
quickly configure Layer 3 routing of traffic between the two VLANs, copy the following
[edit]
set interfaces ge-0/0/0 unit 0 description “Sales wireless access point port”
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members sales
set interfaces ge-0/0/3 unit 0 description “Sales phone port”
set interfaces ge-0/0/22 unit 0 description “Sales printer port”

set interfaces ge-0/0/20 unit 0 description “Sales file server port”
set interfaces ge-0/0/24 unit 0 description “Support wireless access point port”
set interfaces ge-0/0/24 unit 0 family ethernet-switching vlan members support
set interfaces ge-0/0/26 unit 0 description “Support phone port”
set interfaces ge-0/0/44 unit 0 description “Support printer port”
set interfaces ge-0/0/46 unit 0 description “Support file server port”
set interfaces vlan unit 0 family inet address 192.0.2.0/25
set vlans sales l3–interface vlan.0
set vlans sales vlan-id 100
set vlans support vlan-id 200
set vlans support l3-interface vlan.1
Step-by-Step Procedure Configure the switch interfaces and the VLANs to which they belong. By default, all
interfaces are in access mode, so you do not have to configure the port mode.
1. Configure the interface for the wireless access point in the sales VLAN:
[edit interfaces ge-0/0/0 unit 0]

user@switch# set description “Sales wireless access point port”
user@switch# set family ethernet-switching vlan members sales
2. Configure the interface for the Avaya IP phone in the sales VLAN:

user@switch# set description “Sales phone port”
3. Configure the interface for the printer in the sales VLAN:

user@switch# set description “Sales printer port”
4. Configure the interface for the file server in the sales VLAN:

user@switch# set description “Sales file server port”
5. Configure the interface for the wireless access point in the support VLAN:

user@switch# set description “Support wireless access point port”
user@switch# set family ethernet-switching vlan members support
6. Configure the interface for the Avaya IP phone in the support VLAN:
user@switch# set description “Support phone port”

7. Configure the interface for the printer in the support VLAN:

user@switch# set description “Support printer port”
8. Configure the interface for the file server in the support VLAN:

user@switch# set description “Support file server port”
9. Create the subnet for the sales broadcast domain:
[edit interfaces]
user@switch# set vlan unit 0 family inet address 192.0.2.1/25
10. Create the subnet for the support broadcast domain:
[edit interfaces]
user@switch# set vlan unit 1 family inet address 192.0.2.129/25
11. Configure the VLAN tag IDs for the sales and support VLANs:
[edit vlans]
user@switch# set sales vlan-id 100
user@switch# set support vlan-id 200
12. To route traffic between the sales and support VLANs, define the interfaces that
are members of each VLAN and associate a Layer 3 interface:
[edit vlans]
user@switch# set sales l3-interface vlan.0
user@switch# set support l3-interface vlan.1

interfaces {
ge-0/0/0 {
unit 0 {
description “Sales wireless access point port”;
vlan members sales;
}
}
}
ge-0/0/3 {
unit 0 {
description “Sales phone port”;
vlan members sales;
}
}
}
ge-0/0/22 {
unit 0 {
description “Sales printer port”;
vlan members sales;
}
}
}
ge-0/0/20 {
unit 0 {
description “Sales file server port”;
vlan members sales;
}
}
}
ge-0/0/24 {
unit 0 {
description “Support wireless access point port”;
vlan members support;
}
}
}
ge-0/0/26 {
unit 0 {
description “Support phone port”;
}
}
}
ge-0/0/44 {
unit 0 {
description “Support printer port”;
}
}
}
ge-0/0/46 {
unit 0 {
description “Support file server port”;
}
}
}
vlan {
unit 0 {
family inet address 192.0.2.1/25;
}
unit 1 {
family inet address 192.0.2.129/25;
}
}
vlans {
sales {
vlan-id 100;
interfaces ge-0/0/0.0;
l3-interface vlan.0;
}
support {
vlan-id 200;
l3-interface vlan.1;
}
}
}
}
Tip To quickly configure the sales and support VLAN interfaces, issue the load merge
terminal command, then copy the hierarchy and paste it into the switch terminal
window.
Verification
Verify that the “sales” and “support” VLANs have been created and are operating
properly, perform these tasks:
■ Verifying That the VLANs Have Been Created on page 342
■ Verifying That the Interfaces Are Associated with the Proper VLANs on page 343
■ Verifying That Traffic Is Being Routed Between the Two VLANs on page 344
■ Verifying That Traffic Is Being Switched Between the Two VLANs on page 345
Verifying That the VLANs Have Been Created

Purpose Verify that the VLANs sales and support have been created on the switch and that
all connected interfaces on the switch are members of the correct VLAN.

Name Tag Interfaces

default
ge-0/0/1.0, ge-0/0/2.0, ge-0/0/4.0, ge-0/0/5.0,
ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0,
ge-0/0/10.0*, ge-0/0/11.0, ge-0/0/12.0, ge-0/0/13.0*,
ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0, ge-0/0/17.0,
ge-0/0/18.0, ge-0/0/19.0, ge-0/0/21.0, ge-0/0/23.0*,
ge-0/0/25.0, ge-0/0/27.0, ge-0/0/28.0, ge-0/0/29.0,
ge-0/0/30.0, ge-0/0/31.0, ge-0/0/32.0, ge-0/0/33.0,
ge-0/0/34.0, ge-0/0/35.0, ge-0/0/36.0, ge-0/0/37.0,
ge-0/0/38.0, ge-0/0/39.0, ge-0/0/40.0, ge-0/0/41.0,
ge-0/0/42.0, ge-0/0/43.0, ge-0/0/45.0, ge-0/0/47.0,
ge-0/1/0.0*, ge-0/1/1.0*, ge-0/1/2.0*, ge-0/1/3.0*
sales
ge-0/0/0.0*, ge-0/0/3.0, ge-0/0/20.0, ge-0/0/22.0
support
ge-0/0/0.24, ge-0/0/26.0, ge-0/0/44.0, ge-0/0/46.0*
mgmt
me0.0*
What It Means The show vlans command lists all VLANs configured on the switch and which interfaces
are members of each VLAN. For this configuration example, the output has two
entries, showing that the sales and support VLANs have been created. Each VLAN
has a total of 22 ports. As configured, the sales VLAN has a tag ID of 100, and the
support VLAN has a tag ID of 200.
[explain what Protocol Address is]
Verifying That the Interfaces Are Associated with the Proper

VLANs
Purpose Verify that Ethernet switching is enabled on all the configured switch interfaces and
that all interfaces are included in the VLAN.
Action List all the interfaces on which switching is enabled:


ge-0/0/0.0 up sales unblocked
ge-0/0/3.0 down sales blocked - blocked by STP/RTG
Verifying That the Interfaces Are Associated with the Proper VLANs ■ 343

ge-0/0/24.0 down support blocked - blocked by STP/RTG
ge-0/0/46.0 up support blocked - blocked by STP/RTG
me0.0 up mgmt unblocked
What It Means The show ethernet-switching interfaces command lists all interfaces on which switching
is enabled (in the Interfaces column), along with the VLANs that are active on the
interfaces (in the VLAN members column). The output in this example shows that the
interfaces ge-0/0/0 and ge-0/0/2 through ge-0/0/23 are in the VLAN sales, and that
the interfaces ge-0/0/24 through ge-0/0/47 are in the VLAN support. Notice that the
interfaces listed are the logical interfaces, not the physical interfaces. For example,
the output shows ge-0/0/0.0 instead of ge-0/0/0. This is because JUNOS software
creates VLANs on logical interfaces, not directly on physical interfaces.
Verifying That Traffic Is Being Routed Between the Two VLANs

Purpose Look at the contents of the routing table to ...
Action List the Layer 3 routes in the switch's routing table:
[GET PROPER OUTPUT]
344 ■ Verifying That Traffic Is Being Routed Between the Two VLANs
user@switch> show route

[TO COME]
What It Means [TO COME]
Verifying That Traffic Is Being Switched Between the Two VLANs

Purpose Look at the contents of the switching table to verify that the configured interfaces
are there.
Action List the VLANs and their corresponding interface association in the switch's switching
table:
[Match OUTPUT to example]

user@switch> show ethernet-switching table
ethernet-switching table: 4 entries, 1 learned

VLAN MAC address Type Age Interfaces
v1 * Flood - ge-0/0/1.0, ge-0/0/4.0
v1 00:00:01:00:04:0d Learn 27 ge-0/0/1.0
v1 00:00:88:99:77:00 Static - ge-0/0/1.0
default * Flood - ge-0/0/11.0
What It Means [TO COME]
Related Topics
Example: Connecting an Access Switch to a Distribution Switch

In large local area networks (LANs), you commonly need to aggregate traffic from a
number of access switches into a distribution switch.
This example describes how to connect an access switch to a distribution switch:

Requirements
■ For the distribution switch, one EX–4200-24F switch. This model is designed to
be used as a distribution switch for aggregation or collapsed core network
topologies and in space-constrained data centers. It has twenty-four 1–Gigabit
Verifying That Traffic Is Being Switched Between the Two VLANs ■ 345
Ethernet fiber SFP ports and an EX-UM-2XFP uplink module with two 10–Gigabit
Ethernet XFP ports.
■ For the access switch, one EX 3200-24P, which has twenty-four 1–Gigabit
Ethernet ports, all of which support Power over Ethernet (PoE) and an uplink
module with four 1–Gigabit Ethernet ports.
Before you connect an access switch to a distribution switch, be sure you have:
■ Installed the two switches. See Installing and Connecting EX-series Switches.
■ Performed the initial software configuration on both switches. See Connecting
and Configuring the EX-series Switch.

In a large office that is spread across several floors or buildings, or in a data center,
you commonly aggregate traffic from a number of access switches into a distribution
switch. This configuration example shows a simple topology to illustrate how to
connect a single access switch to a distribution switch.
Reviewer, writer needs to match VLANs in topology with VLANs in
configuration.

Figure 16: Topology for Connecting an Access Switch to a Distribution Switch
[add topology figure here]
In this topology, the LAN is segmented into two VLANs, one for the sales department
and the second for the support team. One 1–Gigabit Ethernet port on the access
switch's uplink module connects to the distribution switch, to one 1–Gigabit Ethernet
port on the distribution switch. Table xx explains the components of the example
topology.
Table 52: Components of the Topology for Connecting an Access Switch to a Distribution Switch
Property Settings
Access switch hardware EX 3200-24P, 24 1–Gigabit Ethernet ports, all PoE-enabled (ge-0/0/0 through
ge-0/0/23); one 4–port 1–Gigabit Ethernet uplink module (EX-UM-4SFP)
Distribution switch hardware EX 4200-24F, 24 1–Gigabit Ethernet fiber SPF ports (ge-0/0/0 through
ge-0/0/23); one 2–port 10–Gigabit Ethernet XFP uplink module (EX-UM-4SFP)

support, tag 200
VLAN subnets sales: 192.0.2.0/25 (addresses 192.0.2.1 through 192.0.2.126)

support: 192.0.2.128/25 (addresses 192.0.2.129 through 192.0.2.254)

Table 52: Components of the Topology for Connecting an Access Switch to a Distribution Switch (continued)
Trunk port interfaces On the access switch: ge-0/1/0

On the distribution switch: ge-0/0/0
Access port interfaces in VLAN sales (on Avaya IP telephones: ge-0/0/3 through ge-0/0/19
access switch) wireless access points: ge-0/0/0 and ge-0/0/1
Access port interfaces in VLAN support (on Avaya IP telephones: ge-0/0/25 through ge-0/0/43
access switch) WAP: ge-0/0/24
Unused interfaces on access switch ge-0/0/2 and ge-0/0/25
Configuration
To connect an access switch to a distribution switch, perform these tasks:
Configuring the Access Switch

CLI Quick Configuration To quickly configure the access switch, copy the following commands and paste
them into the switch terminal window:
[edit]
set interfaces ge-0/0/0 unit 0 description “Sales WAP port”
set interfaces ge-0/0/3 unit 0 description “Sales phone port”
set interfaces ge-0/0/22 unit 0 description “Sales printer port”
set interfaces ge-0/0/20 unit 0 description “Sales file server port”
set interfaces ge-0/0/24 unit 0 description “Support WAP port”
set interfaces ge-0/0/26 unit 0 description “Support phone port”
set interfaces ge-0/0/44 unit 0 description “Support printer port”
set interfaces ge-0/0/46 unit 0 description “Support file server port”
set interfaces ge-0/1/0 unit 0 description “Uplink module port connection to
distribution switch”
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching nativevlan-id 1
set interface ge-0/1/0 unit 0 family ethernet switching vlan members [sales
support]
set vlans sales interface ge-0/0/0.0
set vlans sales vlan-description “Sales VLAN”
set vlans support interface ge-0/0/24.0
set vlans support l3–interface vlan.1
set vlans support vlan-description “Support VLAN”
Step-by-Step Procedure To configure the access switch:
1. Configure the 1–Gigabit Ethernet interface on the uplink module to be the trunk
port that connects to the distribution switch:

user@access-switch# set description “Uplink module port connection to
distribution switch”
user@access-switch# set ethernet-switching port-mode trunk
2. Specify the VLANs to be aggregated on the trunk port:

user@access-switch# set ethernet-switching vlan members [ sales support
]
3. Configure the VLAN ID to use for packets that are received with no dot1q tag:

user@access-switch# set ethernet-switching native-vlan-id 1
4. Configure the sales VLAN:
[edit vlans sales]

user@access-switch# set vlan-description “Sales VLAN”
user@access-switch# set vlan-id 100
user@access-switch# set l3–interface vlan.0
5. Configure the support VLAN:
[edit vlans support]

user@access-switch# set vlan-description “Support VLAN”
user@access-switch# set vlan-id 200
user@access-switch# set l3–interface vlan.1
Configuring the Access Switch ■ 349

[edit interfaces]
user@access-switch# set vlan unit 0 family inet address 192.0.2.0/25
[edit interfaces]
user@access-switch# set vlan unit 1 family inet address 192.0.2.128/25
8. Configure the interfaces in the sales VLAN:
[edit interfaces]
user@access—switch# set ge-0/0/0 unit 0 description “Sales WAP port”
user@access—switch# set ge-0/0/0 unit 0 family ethernet-switching vlan
members sales
user@access—switch# set ge-0/0/3 unit 0 description “Sales phone port”
user@access-switch# set ge-0/0/3 unit 0 family ethernet-switching vlan
members sales
user@access-switch# set ge-0/0/20 unit 0 description “Sales file server
port”
members sales
user@access-switch# set ge-0/0/22 unit 0 description “Sales printer port”
members sales
9. Configure the interfaces in the support VLAN:
[edit interfaces]
user@access-switch# set ge-0/0/24 unit 0 description “Support WAP port”
members support
user@access-switch# set ge-0/0/26 unit 0 description “Support phone port”
members support
user@access-switch# set ge-0/0/44 unit 0 description “Support printer
port”
members support
user@access-switch# set ge-0/0/46 unit 0 description “Support file server
port”
members support
10. Configure descriptions and VLAN tag IDs for the sales and support VLANs:
[edit vlans]
user@switch# set sales vlan-description “Sales VLAN”
user@switch# set sales vlan-id 100
user@switch# set support vlan-description “Support VLAN”
user@switch# set support vlan-id 200
11. To route traffic between the sales and support VLANs, define the interfaces that
are members of each VLAN and associate a Layer 3 interface with each VLAN:
350 ■ Configuring the Access Switch

[edit vlans]
user@access-switch# set sales interface ge-0/0/0.0
user@access-switch# set sales l3–interface vlan.0
user@access-switch# set support interface ge-0/0/26.0
user@access-switch# set support l3–interface vlan.1
[edit]
user@access-switch# show
interfaces {
ge-0/0/0 {
unit 0 {
description “Sales WAP port”;
vlan members sales;
}
}
}
ge-0/0/3 {
unit 0 {
description “Sales phone port”;
vlan members sales;
}
}
}
ge-0/0/20 {
unit 0 {
description “Sales file server port”;
vlan members sales;
}
}
}
ge-0/0/22 {
unit 0 {
description “Sales printer port”;
vlan members sales;
}
}
}
ge-0/0/24 {
unit 0 {
description “Support WAP port”;
Configuring the Access Switch ■ 351

}
}
}
ge-0/0/26 {
unit 0 {
description “Support phone port”;
}
}
}
ge-0/0/44 {
unit 0 {
description “Support printer port”;
vlan members sales;
}
}
}
ge-0/0/46 {
unit 0 {
description “Support file server port”;
}
}
}
ge-0/1/0 {
unit 0 {
description “Uplink module port connection to distribution switch”;
port-mode trunk;
vlan members [ sales support ];
native-vlan-id 1;
}
}
}
vlan {
unit 0 {
unit 0 {
family inet {
address 192.0.2.0/25;
}
}
}
}
vlans {
sales {
vlan-id 100;
vlan-description “Sales VLAN”;
l3–interface vlan.0;
}
support {
vlan-id 200;
vlan-description “Support VLAN”;
352 ■ Configuring the Access Switch

}
}
Tip To quickly configure the access switch, issue the load merge terminal command, then
copy the hierarchy and paste it into the switch terminal window.
Configuring the Distribution Switch

CLI Quick Configuration To quickly configure the distribution switch, copy the following commands and paste
them into the switch terminal window:
set interfaces ge-0/0/0 description “Connection to access switch”

set interfaces ge-0/0/0 ethernet-switching port-mode trunk
set interfaces ge-0/0/0 ethernet-switching vlan members [ sales support ]
set interfaces ge-0/0/0 ethernet-switching native-vlan-id ???
set vlans sales vlan-description “Sales VLAN”
set vlans support vlan-description “Support VLAN”
set vlans support l3–interface vlan.1
Step-by-Step Procedure To configure the distribution switch:
1. Configure the interface on the switch to be the trunk port that connects to the
access switch:

user@distribution-switch# set description “Connection to access switch”
user@distribution-switch# set ethernet-switching port-mode trunk
2. Specify the VLANs to be aggregated on the trunk port:

user@distribution-switch# set ethernet-switching vlan members [ sales
support ]
3. Configure the native VLAN ID [is this necessary?]
[edit interfaces]
user@distribution-switch# set ge-0/0/0 ethernet-switching native-vlan-id
???
4. Configure the sales VLAN:
[edit vlans sales]

user@distribution-switch# set vlan-description “Sales VLAN”
user@distribution-switch# set vlan-id 100
user@distribution-switch# set l3–interface vlan.0
5. Configure the support VLAN:
Configuring the Distribution Switch ■ 353

[edit vlans support]

user@distribution-switch# set vlan-description “Support VLAN”
user@distribution-switch# set vlan-id 200
user@distribution-switch# set l3–interface vlan.1
[edit interfaces]
user@distribution-switch# set vlan unit 0 family inet address 192.0.2.0/25
[edit interfaces]
user@distribution-switch# set vlan unit 1 family inet address
192.0.2.128/25
[edit]
interfaces {
ge-0/0/0 {
description “Connection to access switch”;
unit 0 {
port-mode trunk;
vlan members [ sales support ];
native-vlan-id ???;
}
}
}
vlan {
unit 0 {
family inet {
address 192.0.2.0/25;
}
unit 1 {
family inet {
address 192.0.2.128/25;
}
}
}
}
vlans {
sales {
vlan-id 100;
vlan-description “Sales VLAN”;
}
support {
vlan-id 200;
vlan-description “Support VLAN”;
354 ■ Configuring the Distribution Switch

}
}
Tip To quickly configure the distribution switch, issue the load merge terminal command,
then copy the hierarchy and paste it into the switch terminal window.
Verification
■ Verifying the VLAN Members and Interfaces on the Access Switch on page 355
■ Verifying the VLAN Members and Interfaces on the Distribution Switch on page 355
Verifying the VLAN Members and Interfaces on the Access Switch

Purpose
Action
What It Means
Verifying the VLAN Members and Interfaces on the Distribution

Switch
Purpose
Action
What It Means
Related Topics
Example: Configure Automatic VLAN Administration Using GVRP

As a network expands and the number of clients and VLANs increases, VLAN
administration becomes complex, and the task of efficiently configuring VLANs on
multiple switches becomes increasingly difficult. To automate VLAN administration,
you can enable Generic VLAN Registration Protocol (GVRP) on the network.
GVRP learns VLANs on a particular 802.1Q trunk port, and adds the corresponding
trunk port to the VLAN if the advertised VLAN is preconfigured or existing already
on the switch. For example, a VLAN named “sales” is advertised to trunk port 1 on
the GVRP-enabled switch. The switch adds trunk port 1 to the sales VLAN if the sales
VLAN already exists on the switch.
As individual ports become active and send a request to join a VLAN, the VLAN
configuration is updated and propagated among the switches. Limiting the VLAN
configuration to active participants reduces the network overhead. GVRP also provides
the benefit of pruning VLANs to limit the scope of broadcast, unknown unicast, and
multicast (BUM) traffic to interested devices only.
This example describes how to statically configure VLANs on a single switch, then
enable GVRP on all switches to dynamically propagate the configuration:
■ Configuring VLANs and GVRP on Switch 1 on page 357
■ Configuring GVRP on Switch 3 on page 359
Requirements
■ Two EX 4200 distribution switches
■ Two access switches: one EX 3200 and one EX 4200
Before you configure the GVRP network on the access and distribution switches, be
sure you have:
■ Installed the two access switches. See Installing and Connecting an EX-series
Switch.
■ Installed the two distribution switches. See Installing and Connecting an EX-series
Switch.
■ Performed the initial software configuration on all switches. See Connecting and
Configuring the EX-series Switch (J-Web Procedure).

five VLANs on a single distribution switch. After the static VLAN configuration is
created, GVRP is enabled on all the switches in the topology to dynamically distribute
the VLAN configuration.
Topology
The topology for this example consists of a GVRP network configured on two access
switches and two distribution switches.
Table 53: Components of the GVRP Network Topology
Property Settings
Table 53: Components of the GVRP Network Topology (continued)
Switch hardware ■ Switch 1–1 EX-series 4200 distribution switch

■ Switch 2–1 EX-series 4200 distribution switch
■ Switch 3–1 EX-series 3200 access switch
VLAN names and tag IDs voice-vlan, tag 10

employee-vlan, tag 20
guest-vlan, tag 30
camera-vlan, tag 40
analyzer-vlan, tag 999
This configuration example creates a static VLAN configuration on an EX-series 4200

distribution switch (Switch 1). There are five VLANs in the configuration, each serving
a different purpose in the network.
After the VLANs are configured, GVRP is enabled on Switch 1, Switch 2, Switch 3,
and Switch 4. GVRP will dynamically distribute the VLAN configuration on Switch 1
to the other three switches.
Configuring VLANs and GVRP on Switch 1

To create a static VLAN configuration on a distribution switch, and enable GVRP on
all switches, perform these tasks:
CLI Quick Configuration To quickly configure the voice-vlan, employee-vlan, guest-vlan, camera-vlan, and
analyzer-vlan VLANs on Switch 1 and enable GVRP, copy the following commands
[edit]
set interfaces ge-0/0/0 family ethernet-switching vlan members voice-vlan
set interfacs ge-0/0/0 family ethernet-switching vlan members employee-vlan
set interfaces ge-0/0/0 family ethernet-switching vlan members guest-vlan
set interfaces ge-0/0/0 family ethernet-switching vlan members camera-vlan
set interfaces ge-0/0/0 family ethernet-switching vlan members analyzer-vlan
set vlans voice-vlan vlad-id 10
set vlans employee-vlan vlan—id 20
set vlans guest-vlan vlan-id 30
set vlans camera-vlan vlan-id 40
set vlans analyzer-vlan vlan-id 999
set protocols gvrp enable join-timer 40
set protocols gvrp enable leave-timer 120
Configuring VLANs and GVRP on Switch 1 ■ 357

set protocols gvrp enable leaveall-timer 2000

set protocols gvrp interface all enable
Step-by-Step Procedure To configure the VLANs and VLAN tag identifiers, then configure the VLANs on
interface ge-0/0/0, enable GVRP on all interfaces, and set the GVRP timers (optional):
1. Configure the VLANs voice-vlan, employee-vlan, guest-vlan, camera-vlan, and

analyzer-vlan:
[edit vlans]
user@switch# set voice-vlan vlan-id 10
user@switch# set employee-vlan vlan—id 20
user@switch# set guest-vlan vlan—id 30
user@switch# set camera-vlan vlan—id 40
user@switch# set analyzer-vlan vlan—id 999
2. Configure the voice-vlan, employee-vlan, guest-vlan, camera-vlan, and analyzer-vlan

VLANs on interface ge-0/0/0:
[edit interfaces ge-0/0/0 family ethernet-switching]

user@switch# set vlan members voice-vlan
user@switch# set vlan members employee—vlan
user@switch# set vlan members guest—vlan
user@switch# set vlan members camera—vlan
user@switch# set vlan-members analyzer—vlan
3. Globally enable GVRP networking:
[edit protocols gvrp]

user@switch# set enable
4. Set the join-timer to specify the maximum number of milliseconds the interfaces
wait before sending VLAN advertisements:

user@switch# set join-timer 40
5. Set the leave-timer to configure the number of milliseconds an interface must

wait after receiving a leave message to remove the interface from the VLAN
specified in the message:

user@switch# set leave-timer 120
6. Set the leaveall-timer to configure the interval at which Leave All messages are
sent on interfaces. Leave All messages help to maintain current GVRP VLAN
membership information in the network.:

user@switch# set leaveall-timer 2000
358 ■ Configuring VLANs and GVRP on Switch 1

NOTE: Default values are associated with each timer: 200 ms for the join-timer, 600
ms for the leave-timer, and 1000 ms for the leaveall-timer.. Modifying timers to
inappropriate values may cause and imbalance in the operation of GVRP. Refer to
IEEE 802.1D [2004] Clause 12 for more information.
7. Apply GVRP networking on all interfaces:

user@switch# set interface all enable
user@switch# show
interfaces {
ge-0/0/0 {
unit 0 {
vlan members voice-vlan;
vlan members employee-vlan;
vlan members guest-vlan;
vlan members camera-vlan;
vlan members analyzer-vlan;
}
}
}
}
protocols {
gvrp {
enable;
join-timer 40;
leave-timer 120;
leaveall-timer 2000;
interface all {
}
}
Configuring GVRP on Switch 3

Configuring GVRP on Switch 3 ■ 359

CLI Quick Configuration To quickly enable GVRP on Switch 3, copy the following commands and paste them
into the switch terminal window:
[edit]
Step-by-Step Procedure Enable GVRP networking on all interfaces on Switch 3 and set the GVRP timers:




membership information in the network:


user@switch# set interfaceall enable
user@switch# show configuration

protocols {
gvrp {
enable;
join-timer 40;
leave-timer 120;
360 ■ Configuring GVRP on Switch 3

interface all {
}
}
Configuring GVRP on Switch 4

CLI Quick Configuration To quickly enable GVRP on Switch 4, copy the following commands and paste them
[edit]
Step-by-Step Procedure Enable GVRP networking on all interfaces on Switch 4 and set the GVRP timers:




membership information in the network:
Configuring GVRP on Switch 4 ■ 361


user@switch# set interface all enable

protocols {
gvrp {
enable;
join-timer 40;
leave-timer 120;
interface all {
}
}
Verification
Verify that the voice-vlan, employee-vlan, guest-vlan, camera-vlan, and analyzer-vlan
VLANs have been created and are operating properly:
■ Verifying That the VLANs Have Been Created on page 362
■ Verifying the GVRP Configuration on the Distribution Switch on page 363
Verifying That the VLANs Have Been Created

Purpose Verify that the VLANs voice-vlan, employee-vlan, guest-vlan, camera-vlan, and
analyzer-vlan have been created on the switch and that all connected interfaces on
the switch are members of these VLANs.
user@switch# show vlans

Name Tag Protocol Addr Ports
Active/
Total
Default 1 ------------------ 0 /0
engr None 172.168.0.1 / 24 0 /4
Mgmt None 10.93.15.50 / 21 1 /1
nvlan None 192.168.11.1 / 24 0 /0
spirent1 None 90.0.0.100 / 24 0 /0
spirent2 None 91.0.0.100 / 24 0 /0
v0 None ------------------ 0 /2
v10 None ------------------ 0 /2
v11 None ------------------ 0 /2

v12 None ------------------ 0 /2
What It Means The show vlans command lists all VLANs configured on the switch and which interfaces
are members of each VLAN. For this configuration example, the output has five
entries, showing that the voice-vlan, employee-vlan, guest-vlan, camera-vlan, and
analyzer-vlan VLANs have been created.
Verifying the GVRP Configuration on the Distribution Switch

Purpose Verify that GVRP is enabled on all interfaces and that the timers have been properly
set.
Action Display the GVRP configuration on the switch:

user@switch# show gvrp
Global GVRP configuration
GVRP status : Enabled
GVRP timers (ms)
Join : 40
Leave : 120
Leaveall : 2000
Interface based configuration:

Interface GVRP status
---------- -----------
ge-0/0/0.0 Enabled
What It Means The show gvrp information command displays GVRP status globally and by interface.
For this configuration example, the output shows that GVRP is enabled globally and
also displays that GVRP is enabled on each interface. The command also displays
the settings for the GVRP timers.
Related Topics
Verifying the GVRP Configuration on the Distribution Switch ■ 363


Chapter 27
Configuring Layer 2 Bridging, VLANs, and
GVRP
■ Configuring VLANs for EX-Series Switches (J-Web Procedure) on page 365

■ Configuring Routed VLAN Interfaces for EX-series Switches (CLI
■ Configuring MAC Table Aging on EX-series Switches (CLI Procedure) on page 368
Configuring VLANs for EX-Series Switches (J-Web Procedure)

You can use the VLAN configuration page to add a new VLAN or to edit or delete an
existing VLAN.
To access the VLAN configuration page:

1. From the Configure menu, select Switching > VLAN.
The VLAN Configuration page displays a list of existing VLANs. If you select a
specific VLAN, the specific VLAN details are displayed in the Details section.
2. Click one:
■ Add — creates a VLAN.
■ Edit — edits an existing VLAN configuration.
■ Delete — deletes an existing VLAN.
NOTE: If you delete a VLAN, the VLAN configuration for all the associated interfaces
is also deleted.
When you are adding or editing a VLAN, enter information as described in

Configuring VLANs for EX-Series Switches (J-Web Procedure) ■ 365

Table 54: VLAN Configuration Details
General tab
VLAN Name Specifies a unique name for the VLAN. Enter a name.
VLAN ID The identifier for the VLAN. Type a unique identification number from 1 through
4094. If no value is specified, it defaults to 0.
VLAN Description Describes the VLAN. Enter a brief description for the VLAN.
MAC Table Aging Specifies the maximum time that an entry can Type the number of seconds from 60 through
Time remain in the forwarding table before it 'ages 1000000.
out'.
Filter Input Specifies the VLAN firewall filter that is applied To apply an input firewall filter, select the firewall
to incoming packets. filter from the list.
Filter Output Specifies the VLAN firewall filter that is applied To apply an output firewall filter, select the firewall
to outgoing packets. filter from the list.
Port Association tab
Ports Specifies the ports to be associated with this Click one:

VLAN for data traffic. You can also remove the
port association. ■ Add — Select the ports from the available list.
■ Remove — Select the port that you don't want
associated with the VLAN.
IP Address tab
Enable IP Address Specifies IP address options for the VLAN. Select to enable the IP address options.
IP Address Specifies the IP address of the VLAN. Enter the IP address.
Subnet Mask Specifies the range of logical addresses within Enter the address, for example, 255.255.255.0 You
the address space that is assigned to an can also specify the address prefix.
organization.
Filter Input Specifies the VLAN interface firewall filter that is To apply an input firewall filter to an interface,
applied to incoming packets. select the firewall filter from the list.
Filter Output Specifies the VLAN interface firewall filter that is To apply an output firewall filter to an interface,
applied to outgoing packets. select the firewall filter from the list.
ARP/MAC Details Specifies the details for configuring the static IP Click the ARP/MAC Details button. Enter the static
address and MAC. IP address and MAC address in the window that is
displayed.
VoIP tab
Ports Specifies the ports to be associated with this Click one:

VLAN for voice traffic. You can also remove the
port association. ■ Add — Select the ports from the available list.
■ Remove — Select the port that you don't want
associated with the VLAN.
366 ■ Configuring VLANs for EX-Series Switches (J-Web Procedure)

Chapter 27: Configuring Layer 2 Bridging, VLANs, and GVRP
Related Topics
■ Configuring Routed VLAN Interfaces for EX-series Switches (CLI Procedure)
Configuring Routed VLAN Interfaces for EX-series Switches (CLI Procedure)

Routed VLAN interfaces (RVI's) enable the switch to recognize which packets are
being sent to local addresses so that they are bridged whenever possible and are
routed only when needed. Whenever packets can be switched instead of routed,
several layers of processing are eliminated. Switching also reduces the number of
address look-ups. For redundancy purposes, RVI can be combined with
implementations of the Virtual Router Redundancy Protocol (VRRP) in both bridging
and VPLS environments.
To configure the routed VLAN interface:

1. Create the VLAN by assigning it a name and a VLAN ID:
[edit]
user@switch# set vlans support vlan-id 111
2. Assign an interface to the VLAN by specifying the logical interface (with the unit
statement) and specifying the VLAN name as the member:
[edit]
user@switch# set interfaces ge-0/0/18 unit 0 family ethernet-switching
vlan members support
3. Create the subnet for the VLAN’s broadcast domain:
[edit]
user@switch# set interfaces ge-0/0/18 vlan unit 0 family inet address
111.111.111.1/24
4. Layer 3 interfaces on trunk ports allow the interface to transfer traffic between
multiple VLANs. Within a VLAN, traffic is bridged, while across VLANs, traffic is
routed. Bind a Layer 3 interface with the VLAN:
[edit]
user@switch# set vlans support l3-interface vlan.111
You can display the configuration settings:
user@switch> show interfaces vlan terse

vlan up up
vlan.111 up up inet 111.111.111.1/24

-------------------------------------------------------
Name Tag Address Ports
Active/Total
-------------------------------------------------------
support 111 111.111.111.1/24 3/3
default None --------- 4/48
mgmt None --------- 0/0
Ethernet-switching table: 8 entries, 4 learned

default * Flood - All-members
support * Flood - All-members
support 00:19:e2:50:63:e0 Static - Router
Related Topics
Configuring MAC Table Aging on EX-series Switches (CLI Procedure)

The aging process ensures that the switch tracks only active nodes on the network
and that it is able to flush out network nodes that are no longer available.
To manage MAC entries more efficiently, you can configure an entry's aging time,
which is the maximum time that an entry can remain in the Ethernet Switching table
before it “ages out”.
1. To configure how long entries remain in the Ethernet Switching table before
expiring using the CLI:
[edit vlans support-vlan]

user@switch# set mac-table-aging-time 200
Related Topics

Chapter 28
Understanding Spanning Trees
■ Understanding RSTP for EX-series Switches on page 369

■ Understanding MSTP for EX-series Switches on page 370
■ Understanding STP for EX-series Switches on page 371
Understanding RSTP for EX-series Switches
EX-series switches use Rapid Spanning Tree Protocol (RSTP) to provide better
reconvergence time than the original STP. RSTP identifies certain links as point to
point. When a point-to-point link fails, the alternate link can transition to the
forwarding state.
Although STP provides basic loop prevention functionality, it does not provide fast
network convergence when there are topology changes. STP's process to determine
network state transitions is slower than RSTP's because it is timer-based. A device
must reinitialize every time a topology change occurs. The device must start in the
listening state and transition to the learning state and eventually to a forwarding or
blocking state. When default values are used for the maximum age (20 seconds) and
forward delay (15 seconds), it takes 50 seconds for the device to converge. RSTP
converges faster because it uses a handshake mechanism based on point-to-point
links instead of the timer-based process used by STP.
An RSTP domain running on an EX-series switch has the following components:

■ A root port, which is the “best path” to the root device.
■ A designated port, indicating that the switch is the designated bridge for the other
switch connecting to this port.
■ An alternate port, which provides an alternate root port.
■ A backup port, which provides an alternate designated port.
Port assignments change through messages exchanged throughout the domain. An

RSTP device generates configuration messages once every hello time interval. If an
RSTP device does not receive a configuration message from its neighbor after an
interval of three hello times, it determines it has lost connection with that neighbor.
When a root port or a designated port fails on a device, the device generates a
configuration message with the proposal bit set. Once its neighbor device receives
this message, it verifies that this configuration message is better than the one saved
Understanding RSTP for EX-series Switches ■ 369

for that port and then it starts a synchronizing operation to ensure that all of its ports
are in sync with the new information.
Similar waves of proposal agreement handshake messages propagate toward the

leaves of the network, restoring the connectivity very quickly after a topology change
(in a well-designed network that uses RSTP, network convergence can take as little
as 0.5 seconds). If a device does not receive an agreement to a proposal message it
has sent, it returns to the original IEEE 802.D convention.
RSTP was originally defined in the IEEE 802.1w draft specification and later
incorporated into the IEEE 802.1D-2004 specification.
Related Topics
■ Example: Configuring Faster Convergence and Improving Network Stability with
RSTP on EX-series Switches
rstp
■ Understanding STP for EX-series Switches
■ Understanding MSTP for EX-series Switches
Understanding MSTP for EX-series Switches

Although RSTP provides faster convergence time than STP, it still does not solve a
problem inherent in STP: All VLANs within a LAN must share the same spanning
tree. To solve this problem, EX-series switches use Multiple Spanning Tree Protocol
(MSTP) to create a loop-free topology in networks with multiple spanning-tree regions.
An MSTP region allows a group of bridges to be modeled as a single bridge. An MSTP

region contains multiple spanning tree instances (MSTIs). MSTIs provide different
paths for different VLANs. This functionality facilitates better load sharing across
redundant links.
MSTP region can support up to 64 MSTIs and each instance can support anywhere
from 1 through 4094 vlans.
MSTP was originally defined in the IEEE 802.1s draft specification and later
incorporated into the IEEE 802.1Q-2003 specification.
Related Topics
■ Example: Configuring Network Regions for VLANs with MSTP on EX-series
Switches
■ Understanding RSTP for EX-series Switches

Chapter 28: Understanding Spanning Trees
Understanding STP for EX-series Switches

EX-series switches provide Layer 2 loop prevention through Spanning Tree Protocol
(STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). RSTP and MSTP are both based upon STP. RSTP provides faster convergence
times than STP. MSTP is used to create a loop-free topology in networks with a
number of VLANs that require multiple spanning-tree regions to efficiently provide
a loop-free topology.
STP is the simplest loop prevention protocol. It is a Layer 2 protocol that calculates
the best path through a switched network that contains redundant paths. STP uses
bridge protocol data unit (BPDU) packets to exchange information with other switches.
There are two types of BPDUs: configuration BPDUs and topology change notification
(TCN) BPDUs. BPDUs send hello packets out at regular intervals to exchange
information across bridges and detect loops in a network topology. Configuration
BPDUs determine the tree topology of a LAN. STP uses the information provided by
the BPDUs to elect a root bridge, identify root ports for each switch, identify
designated ports for each physical LAN segment, and prune specific redundant links
to create a loop-free tree topology. All leaf devices calculate the best path to the root
device and place their ports in blocking or forwarding states based on the best path
to the root. The resulting tree topology provides a single active Layer 2 data path
between any two end stations.
The original Spanning Tree Protocol is defined in the IEEE 802.1D 1998 specification.
EX-series switches use a version of STP based on IEEE802.1D-2004, with a force
version of 0, running RSTP in STP mode. For EX-series switches, the configuration
command set protocol stp is equivalent to the configuration command set protocol
rstp force-version stp for MX-series switches. In this way, STP inherents RSTP features,
and commands available through CLI are identical to the RSTP CLI. .This version of
STP is compatible with the IEEE 802.1D 1998 specification.
RSTP was originally defined in the IEEE 802.1w draft specification and later
incorporated into the IEEE 802.1D-2004 specification.
MSTP was originally defined in the IEEE 802.1s draft specification and later
incorporated into the IEEE 802.1Q-2003 specification.
Related Topics
■ show spanning-tree bridge
■ show spanning-tree interface
Understanding STP for EX-series Switches ■ 371


Chapter 29
Examples of Configuring Spanning Trees

RSTP on EX-series Switches on page 373
Example: Configuring Faster Convergence and Improving Network Stability with

EX-series switches use Rapid Spanning Tree Protocol (RSTP) to provide a loop-free
topology. RSTP identifies certain links as point to point. When a point-to-point link
fails, the alternate link can transition to the forwarding state. RSTP provides better
reconvergence time than original STP because it uses protocol handshake messages
rather than fixed timeouts. Eliminating the need to wait for timers to expire makes
RSTP more efficient than STP.
This example describes how to configure RSTP on four EX-series switches:

Requirements
■ Four EX-series switches
Before you configure the switches for RSTP, be sure you have:
■ Installed the four switches. See Connecting and Configuring the EX-series Switch
(J-Web Procedure).
■ Performed the initial software configuration on all switches. See Installing and
Connecting an EX-series Switch.
Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX-series Switches ■ 373

In this example, four EX-series switches are connected in the topology displayed in
Figure 1. This topology is a an inverted “U” topology that creates a potential for loops.
Configuring RSTP on each switch will eliminate loops.
Figure 17: Network Topology for RSTP
The interfaces shown in Table 1 will be configured for RSTP.
Table 55: Components of the Topology for Configuring RSTP on EX-series Switches
Property Settings
Switch 1 The following ports on Switch 1 are connected in this way:

■ Connected to Switch 2 isge-0/0/9
■ Connected to Switch 4 is ge-0/0/11


Chapter 29: Examples of Configuring Spanning Trees
Table 55: Components of the Topology for Configuring RSTP on EX-series Switches (continued)
Property Settings

■ Connected to Switch 1 is ge-0/19

This configuration example creates a loop-free topology between four EX-series

switches using RSTP.
NOTE: You also can create a loop-free topology between the aggregation layer and
the distribution layer using redundant trunk links. For more information about
redundant trunk links, see [insert xref—TBD].
Configuration
To configure RSTP, perform these tasks:
Configuring RSTP on Switch 1

CLI Quick Configuration To quickly configure interfaces and RSTP on Switch 1, copy the following commands
[edit]
set interfaces ge-0/0/13 unit 0 family ethernet-switching
set protocols rstp
set protocols rstp interface ge-0/0/13.0 cost 29999
set protocols rstp interface ge-0/0/11.0
Step-by-Step Procedure To configure RSTP on Switch 1:
1. Configure the interfaces on the switch:
[edit interfaces]
user@switch1# set ge-0/0/13 unit 0 family ethernet-switching
user@switch1# set ge-0/0/9 unit0 family ethernet-switching
2. Configure RSTP on the interfaces:
[edit protocols]
user@switch1# set rstp
user@switch1# set rstp interface ge-0/0/13.0 cost 29999
user@switch1# set rstp interface ge-0/0/11.0

[edit]
set protocols rstp
[edit interfaces]
[edit protocols]
xuser@switch2# set rstp interface ge-0/0/18.0
376 ■ Configuring RSTP on Switch 2


[edit]
[edit interfaces]
[edit protocols]

[edit]
set protocols rstp
1. Configure the interfaces on the switch, including the encapsulation method:
[edit interfaces]
Configuring RSTP on Switch 3 ■ 377

[edit protocols]
user@switch4# set rstp interface


user@switch# run show spanning-tree bridge
STP bridge parameters
Routing instance name : vs1
Context ID : 1
Enabled protocol : MSTP
...
[Output truncated]
Verification
■ Verifying RSTP Configuration on Switch 1 on page 378
Verifying RSTP Configuration on Switch 1

Purpose Verify the RSTP configuration on Switch 1.
Action Use the operational mode command:

user@switch1> show spanning—tree bridge

Context ID : 0
Enabled protocol : RSTP
Root ID : 8192.00:1b:54:01:30:80
Root cost : 2000
Root port : ge-0/0/10.0
Hello time : 2 seconds
Maximum age : 20 seconds
Forward delay : 15 seconds
Message age : 2
Number of topology changes : 2
Time since last topology change : 111 seconds
Local parameters
Bridge ID : 16384.00:19:e2:50:44:e0
Extended system ID : 0
Internal instance ID : 0
user@switch1> show spanning-tree interface

Spanning tree interface parameters for instance 0
Interface Port ID Designated Designated Port State Role

port ID bridge ID Cost
em0.0 128:1 128:1 32768.00f01a0828d4 20000 FWD DESG
What It Means The show spanning-tree interface command displays the spanning-tree information
at either bridge level or interface level. If the optional interface name is omitted, all
interfaces in the spanning-tree domain are displayed. The output fields State and
Role show the state the port is in and its role in the domain.



Context ID : 0
Root ID : 8192.00:1b:54:01:30:80
Root cost : 2000
Message age : 2
Local parameters
Bridge ID : 16384.00:19:e2:50:44:e0


em0.0 128:1 128:1 32768.00f01a0828d4 20000 FWD DESG
Verifying RSTP Configuration on Switch 2 ■ 379


Action Writer, insert valid output when available.
Use the operational mode command:


Context ID : 0
Root ID : 8192.00:1b:54:01:30:80
Root cost : 2000
Message age : 2
Local parameters
Bridge ID : 16384.00:19:e2:50:44:e0


em0.0 128:1 128:1 32768.00f01a0828d4 20000 FWD DESG



Context ID : 0
Root ID : 8192.00:1b:54:01:30:80
Root cost : 2000
380 ■ Verifying RSTP Configuration on Switch 3

Message age : 2
Local parameters
Bridge ID : 16384.00:19:e2:50:44:e0


em0.0 128:1 128:1 32768.00f01a0828d4 20000 FWD DESG
Related Topics
Switches
Example: Configuring Network Regions for VLANs with MSTP on EX-series Switches
Multiple Spanning Tree Protocol (MSTP) is used to create a loop-free topology in
networks using multiple spanning tree regions, each region containing multiple
spanning-tree instances (MSTIs). MSTIs provide different paths for different VLANs.
This functionality facilitates better load sharing across redundant links.
MSTP supports up to 64 regions, each one capable of supporting 4094 MSTIs.
This example describes how to configure MSTP on four EX-series switches:

Requirements
■ Four EX-series switches

Before you configure the switches for MSTP, be sure you have:
■ Installed the four switches. See Connecting and Configuring the EX-series Switch
(J-Web Procedure).
■ Performed the initial software configuration on all switches. See Installing and
Connecting an EX-series Switch.

When the number of VLANs grows in a network, MSTP provides a more efficient
way of creating a loop-free topology using MSTIs. Each MSTI in the spanning tree
domain maintains their own tree. Each tree can be mapped to different links, utilizing
bandwidth that would be unavailable to a single tree. MSTIs reduce demand on
system resources.
Figure 18: Network Topology for MSTP
The interfaces shown in Table 1 will be configured for MSTP.

Table 56: Components of the Topology for Configuring MSTP on EX-series Switches
Property Settings

■ ge-0/0/9 is connected to Switch 2



VLAN names and tag IDs voice-vlan, tag 10

employee-vlan, tag 20
guest-vlan, tag 30
camera-vlan, tag 40
MSTIs 1
2
The topology in Figure 18 on page 382 shows a Common Internal Spanning Tree
(CIST). The CIST is a single spanning tree connecting all devices in the network. The
switch with the highest priority is elected as the root bridge of the CIST.
Also in an MSTP topology are ports that have specific roles:

■ The root port is responsible for forwarding data to the root bridge.
■ The alternate port is a standby port for the root port. When a root port goes
down, the alternate port becomes the active root port.
■ The designated port forwards data to the downstream network segment or
device.
■ The backup port is a backup port for the designated port. When a designated
port goes down, the backup port becomes the active designated port and starts
forwarding data.
In this example, one MSTP region, region1, contains Switch 1, Switch 2, Switch 3,
and Switch 4. Within the region, four VLANs are created:

■ The voice-vlan supports voice traffic and has a VLAN tag identifier of 10.
■ employee-vlan supports data traffic and has a VLAN tag identifier of 20.
■ The guest-vlan supports guest VLAN traffic (for supplicants that fail 802-1X
authentication) and has a VLAN tag identifier of 30.
■ The camera-vlan supports video traffic and has a VLAN tag identifier of 40.
The VLANs are associated with specific interfaces on each of the four switches. Two
MSTIs, 1 and 2, are then associated with the VLAN tag identifiers, and some MSTP
parameters, such as cost, are configured on each switch.
Configuration
To configure MSTP, perform these tasks:
Configuring MSTP on Switch 1

CLI Quick Configuration To quickly configure interfaces and MSTP on Switch 1, copy the following commands
[edit]
set vlans voice-vlan description “Voice VLAN”
set vlans voice-vlan vlan-id 10
set vlans employee-vlan description “Employee VLAN”
set vlans employee-vlan vlan-id 20
set vlans guest-vlan description “Guest VLAN”
set vlans camera-vlan description “Camera VLAN”
set vlans voice-vlan interface ge–0/0/13.0
set vlans employee-vlan interface ge-0/0/13.0
set vlans guest-vlan interface ge-0/0/13.0
set vlans camera-vlan interface ge-0/0/13.0
set vlans voice-vlan interface ge-0/0/9.0
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members [10 20 30
40]
set interfaces ge–0/0/9 unit 0 family ethernet-switching vlan members [10 20 30
40]
40]
set interfaces ge–0/0/13 unit 0 family ethernet-switching port-mode trunk

set protocols mstp configuration-name region1
set protocols mstp bridge-priority 16k
set protocols mstp interface all cost 1000
set protocols mstp interface ge-0/0/13.0 cost 1000
set protocols mstp interface ge-0/0/13.0 mode point-to-point
set protocols mstp msti 1 bridge-priority 16k
set protocols mstp msti 1 vlan [10 20]
set protocols mstp msti 1 interface ge-0/0/11.0 cost 4000
Step-by-Step Procedure To configure interfaces and MSTP on Switch 1:
1. Configure the VLANs voice-vlan, employee-vlan, guest-vlan, and camera-vlan:
[edit vlans]
user@switch1# set voice-vlan description “Voice VLAN”
user@switch1# set voice-vlan vlan-id 10
user@switch1# set employee-vlan description “Employee VLAN”
user@switch1# set employee-vlan vlan-id 20
user@switch1# set guest-vlan description “Guest VLAN”
user@switch1# set guest-vlan vlan-id 30
user@switch1# set camera-vlan description “Camera VLAN”
2. Configure the VLANs on the interfaces:
[edit vlans]
user@switch1# set voice-vlan interface ge-0/0/13.0
user@switch1# set employee-vlan interface ge-0/0/13.0
user@switch1# set guest-vlan interface ge-0/0/13.0
user@switch1# set camera-vlan interface ge-0/0/13.0
user@switch1# set camera-vlan interface ge-0/0/9
3. Configure the port mode for the interfaces:
[edit interfaces]
user@switch1# set ge–0/0/13 unit 0 family ethernet-switching port-mode
trunk
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching port-mode
trunk
trunk
Configuring MSTP on Switch 1 ■ 385

4. Configure the interfaces on the switch, including support for the Ethernet
Switching protocol and VLAN ID:
[edit interfaces]
user@switch1# set ge–0/0/13 unit 0 family ethernet-switching vlan members
[10 20 30 40]
user@switch1# set ge-0/0/9 unit 0 family ethernet-switching vlan members
[10 20 30 40]
[10 20 30 40]
5. Configure MSTP on the switch, including the two MSTIs:
[edit protocols]
user@switch1# mstp configuration-name region1
user@switch1# mstp bridge-priority 16k
user@switch1# mstp interface all cost 1000
user@switch1# mstp interface ge-0/0/13.0 cost 1000
user@switch1# mstp interface ge-0/0/13.0 mode point-to-point
user@switch1# mstp msti 1 bridge-priority 16k
user@switch1# mstp msti 1 vlan [10 20]
user@switch1# mstp msti 1 interface ge-0/0/11.0 cost 4000
[edit]
user@switch1> show configuration
interfaces {
ge-0/0/13 {
unit 0 {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
ge-0/0/9 {
unit 0 {
port-mode trunk;
vlan {
members 10;
members 20;
386 ■ Configuring MSTP on Switch 1

members 30;
members 40;
}
}
}
}
ge-0/0/11 {
unit 0 {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
}
protocols {
mstp {
configuration-name region1;
bridge-priority 16k;
interface ge-0/0/13.0 {
cost 1000;
mode point-to-point;
}
cost 1000;
}
cost 4000;
}
interface all {
cost 1000;
}
msti 1 {
vlan [ 10 20 ];
cost 4000;
}
}
msti 2 {
bridge-priority 8k;
vlan [ 30 40 ];
}
}
vlans {
voice-vlan {
vlan-id 10;
}
employee-vlan {

vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
camera-vlan {
vlan-id 40;
}
}

[edit]
set vlans voice-vlan vlan—id 10
set vlans voice-vlan interfaces ge-0/0/14.0
set vlans employee-vlan interfaces ge-0/0/14.0
set vlans guest-vlan interfaces ge-0/0/14.0
set vlans camera-vlan interfaces ge-0/0/14.0
set vlans voice-vlan interfaces ge–0/0/18.0
set vlans employee-vlan interfaces ge-0/0/18.0
set vlans guest-vlan interfaces ge-0/0/18.0
set vlans camera-vlan interfaces ge-0/0/18.0
40]
40]

[edit vlans]
user@switch2# set camera-vlan vlan-description “Camera VLAN”
[edit vlans]
[edit interfaces]
trunk
trunk
[edit interfaces]
[10 20 30 40]
[10 20 30 40]
[edit protocols]


[edit]
interfaces {
ge-0/0/14 {
unit 0 {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
ge-0/0/18 {
unit 0 {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
}
protocols {
mstp {
cost 1000;
}
cost 1000;
}
interface all {
cost 1000;
}
msti 1 {
vlan [ 10 20 ];

}
msti 2 {
bridge-priority 4k;
vlan [ 30 40 ];
}
}
}
vlans {
voice-vlan {
vlan-id 10;
}
employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
camera-vlan {
vlan-id 40;
}
}

[edit]
set vlans voice-vlan vlan-id 10
set vlans camera-vlan vlan—id 40
40]
40]
40]


[edit vlans]
[edit vlans]
[edit interfaces]
trunk
trunk
trunk

[edit interfaces]
[10 20 30 40]
[10 20 30 40]
[10 20 30 40]
[edit protocols]
[edit]
interfaces {
ge-0/0/26 {
unit 0 {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
ge-0/0/28 {
unit 0 {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}

}
}
}
ge-0/0/24 {
unit 0 {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
}
}
protocols {
mstp {
bridge-priority 8k;
cost 1000;
}
cost 1000;
}
cost 1000;
}
interface all {
cost 1000;
}
msti 1 {
bridge-priority 4k;
vlan [ 10 20 ];
}
msti 2 {
vlan [ 30 40 ];
}
}
}
vlans {
voice-vlan {
vlan-id 10;
}
employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;

}
camera-vlan {
vlan-id 40;
}
}

[edit]
set vlans voice–vlan description “Voice VLAN”
set vlans voice-vlan vlan–id 10
set vlans employee—vlan description “Employee VLAN”
set vlans employee—vlan vlan—id 20
set vlans guest—vlan description “Guest VLAN”
set vlans guest—vlan vlan—id 30
set vlans camera—vlan description “Camera VLAN”
set vlans camera—vlan vlan—id 40
set vlans voice—vlan interface ge-0/0/23.0
set vlans employee—vlan interface ge-0/0/23.0
set vlans guest—vlan interface ge-0/0/23.0
set vlans camera—vlan interface ge-0/0/23.0
set vlans voice—vlan interface ge-0/0/19.0
set vlans employee—vlan interface ge-0/0/19.0
set vlans guest—vlan interface ge-0/0/19.0
set vlans camera—vlan interface ge-0/0/19.0
40]
40]
set interfaces ge—0/0/23 unit 0 family ethernet-switching port-mode trunk
set interfaces ge—0/0/19 unit 0 family ethernet-switching port-mode trunk
set protocols mstp interface ge—0/0/23.0 cost 1000
set protocols mstp interface ge—0/0/23.0 mode point-to-point
set protocols mstp interface ge—0/0/19.0 cost 1000
set protocols mstp interface ge—0/0/19.0 mode point-to-point

[edit vlans]
user@switch4# set voice-vlan vlan—id 10
user@switch4# set employee-vlan vlan—id 20
user@switch4# set guest-vlan vlan—id 30
user@switch4# set guest-vlan vlan—id 40
[edit vlans]
[edit interfaces]
user@switch4# set ge—0/0/23 unit 0 family ethernet-switching port-mode
trunk
user@switch4# set ge—0/0/19 unit 0 family ethernet-switching port-mode
trunk
[edit interfaces]
[10 20 30 40]
[10 20 30 40]
[edit protocols]
user@switch4# mstp interface ge—0/0/23.0 cost 1000
user@switch4# mstp interface ge—0/0/23.0 mode point-to-point
user@switch4# mstp interface ge—0/0/19.0 cost 1000
user@switch4# mstp interface ge—0/0/19.0 mode point-to-point


[edit]
interfaces {
ge-0/0/23 {
unit 0 {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
ge-0/0/19 {
unit 0 {
port-mode trunk;
vlan {
members 10;
members 20;
members 30;
members 40;
}
}
}
}
}
protocols {
mstp {
cost 1000;
}
cost 1000;
}
interface all {
cost 1000;
}
msti 1 {
vlan [ 10 20 ];

}
msti 2 {
vlan [ 30 40 ];
}
}
}
vlans {
voice-vlan {
vlan-id 10;
}
employee-vlan {
vlan-id 20;
}
guest-vlan {
vlan-id 30;
}
camera-vlan {
vlan-id 40;
}
}
Verification
■ Verifying MSTP Configuration on Switch 1 on page 398
Verifying MSTP Configuration on Switch 1

Purpose Verify the MSTP configuration on Switch 1.
Action Use the operational mode commands:


ge-0/0/13.0 128:527 128:525 16384.0019e25040e0 1000 FWD ROOT
ge-0/0/9.0 128:529 128:513 32768.0019e2503d20 1000 BLK ALT
ge-0/0/11.0 128:531 128:513 8192.0019e25051e0 4000 BLK ALT

ge-0/0/13.0 128:527 128:525 16385.0019e25040e0 1000 FWD ROOT
ge-0/0/9.0 128:529 128:513 32769.0019e2503d20 1000 BLK ALT
ge-0/0/11.0 128:531 128:513 4097.0019e25051e0 4000 BLK ALT

ge-0/0/13.0 128:527 128:527 8194.0019e25044e0 1000 FWD DESG
ge-0/0/9.0 128:529 128:513 4098.0019e2503d20 1000 FWD ROOT
ge-0/0/11.0 128:531 128:531 8194.0019e25044e0 1000 FWD DESG
user@switch1> show spanning-tree bridge

Context ID : 0
STP bridge parameters for CIST

Root ID : 8192.00:19:e2:50:51:e0
Root cost : 0
CIST regional root : 8192.00:19:e2:50:51:e0
CIST internal root cost : 2000
Hop count : 18
Message age : 0
Local parameters
Bridge ID : 16384.00:19:e2:50:44:e0
STP bridge parameters for MSTI 1

MSTI regional root : 4097.00:19:e2:50:51:e0
Root cost : 2000
Hop count : 18
Local parameters
Bridge ID : 16385.00:19:e2:50:44:e0

MSTI regional root : 4098.00:19:e2:50:3d:20
Root cost : 1000
Hop count : 19
Local parameters
Bridge ID : 8194.00:19:e2:50:44:e0
What It Means The operational mode command show spanning-tree interface displays spanning-tree
domain information such as the designated port and the port roles.
Verifying MSTP Configuration on Switch 1 ■ 399

The operational mode command show spanning-tree bridge displays the spanning-tree
domain information at either the bridge level or interface level. If the optional interface
name is omitted, all interfaces in the spanning-tree domain are displayed.



ge-0/0/14.0 128:513 128:513 32768.0019e2503d20 1000 FWD DESG
ge-0/0/18.0 128:519 128:515 8192.0019e25051e0 1000 FWD ROOT

ge-0/0/14.0 128:513 128:513 32769.0019e2503d20 1000 FWD DESG
ge-0/0/18.0 128:519 128:515 4097.0019e25051e0 1000 FWD ROOT

ge-0/0/14.0 128:513 128:513 4098.0019e2503d20 1000 FWD DESG
ge-0/0/18.0 128:519 128:519 4098.0019e2503d20 1000 FWD DESG

Context ID : 0

Root ID : 8192.00:19:e2:50:51:e0
Root cost : 0
Hop count : 19
Message age : 0
Local parameters
Bridge ID : 32768.00:19:e2:50:3d:20
400 ■ Verifying MSTP Configuration on Switch 2


Root cost : 1000
Hop count : 19
Local parameters
Bridge ID : 32769.00:19:e2:50:3d:20

Local parameters
Bridge ID : 4098.00:19:e2:50:3d:20



ge-0/0/26.0 128:513 128:513 8192.0019e25051e0 1000 FWD DESG
ge-0/0/28.0 128:515 128:515 8192.0019e25051e0 1000 FWD DESG
ge-0/0/24.0 128:517 128:517 8192.0019e25051e0 1000 FWD DESG

ge-0/0/26.0 128:513 128:513 4097.0019e25051e0 1000 FWD DESG
ge-0/0/28.0 128:515 128:515 4097.0019e25051e0 1000 FWD DESG
ge-0/0/24.0 128:517 128:517 4097.0019e25051e0 1000 FWD DESG


ge-0/0/26.0 128:513 128:531 8194.0019e25044e0 1000 BLK ALT
ge-0/0/28.0 128:515 128:519 4098.0019e2503d20 1000 FWD ROOT
ge-0/0/24.0 128:517 128:517 16386.0019e25051e0 1000 FWD DESG

Context ID : 0

Root ID : 8192.00:19:e2:50:51:e0
Local parameters
Bridge ID : 8192.00:19:e2:50:51:e0

Local parameters
Bridge ID : 4097.00:19:e2:50:51:e0

Root cost : 1000
Hop count : 19
Local parameters
Bridge ID : 16386.00:19:e2:50:51:e0

402 ■ Verifying MSTP Configuration on Switch 4



ge-0/0/23.0 128:523 128:517 8192.0019e25051e0 1000 FWD ROOT

ge-0/0/19.0 128:525 128:525 16384.0019e25040e0 1000 FWD DESG

ge-0/0/23.0 128:523 128:517 4097.0019e25051e0 1000 FWD ROOT
ge-0/0/19.0 128:525 128:525 16385.0019e25040e0 1000 FWD DESG

ge-0/0/23.0 128:523 128:517 16386.0019e25051e0 1000 BLK ALT
ge-0/0/19.0 128:525 128:527 8194.0019e25044e0 1000 FWD ROOT

Context ID : 0

Root ID : 8192.00:19:e2:50:51:e0
Root cost : 0
Hop count : 19
Message age : 0
Local parameters
Bridge ID : 16384.00:19:e2:50:40:e0

Root cost : 1000
Hop count : 19
Local parameters
Bridge ID : 16385.00:19:e2:50:40:e0


Root cost : 2000
Hop count : 18
Local parameters
Bridge ID : 32770.00:19:e2:50:40:e0
Related Topics

Chapter 30
Configuration Statements for Bridging,
VLANs, and Spanning Trees
■ [edit vlans] Configuration Statement Hierarchy on page 405

[edit vlans] Configuration Statement Hierarchy
vlans {
vlan-name {
bridging action;
description text-description;
mac-table-aging-time seconds;
vlan-id number;
}
}
Related Topics
interfaces {
ae-x {
lacp mode {
periodic interval;
}
}
}
interface-name {
description text;
mtu bytes;
[edit vlans] Configuration Statement Hierarchy ■ 405

ether-options {
802.3ad aex;
auto-negotiation;
flow-control;
link-mode mode;
}
port-mode mode;
vlan {
}
}
}
}
}
Related Topics

protocols {
dot1x {
authenticator {
static {
mac-address {
}
}
disable;
reauthentication {
interval seconds;
}

Chapter 30: Configuration Statements for Bridging, VLANs, and Spanning Trees
retries number;
}
}
gvrp {
<enable | disable>;
disable;
}
}
igmp-snooping {
forwarding-cache {
threshold {
reuse number;
}
timeout minutes;
}
traceoptions {
<match regex>;
}
immediate-leave;
group-limit limit;
static {
group ip-address;
}
}
proxy-mode {
}
}
}
lldp {
disable;

disable;
}
traceoptions {
<match regex>;
}
}
lldp-med {
disable;
fast-start number;
disable;
location {
elin number;
civic-based {
what number;
country-code code;
ca-type {
number {
ca-value value;
}
}
}
}
}
}
mstp {
disable;
hello-time seconds;
disable;
cost cost;
edge;
mode mode;
priority priority;
}
max-age seconds;
max-hops hops;
msti msti-id {
disable;
cost cost;
edge;
mode mode;

priority priority;
}
}
}
rstp {
disable;
hello-time seconds;
disable;
cost cost;
edge;
mode mode;
priority priority;
}
max-age seconds;
}
stp {
disable;
hello-time seconds;
disable;
cost cost;
edge;
mode mode;
priority priority;
}
max-age seconds;
}
}

bridge-priority
Syntax bridge-priority priority;
Hierarchy Level [edit protocols mstp],

[edit protocols mstp msti msti-id],
[edit protocols rstp],
[edit protocols stp]
Description Configure the bridge priority. The bridge priority determines which bridge is elected
as the root bridge. If two bridges have the same path cost to the root bridge, the
bridge priority determines which bridge becomes the designated bridge for a LAN
segment.
Default 32,768
Options priority—Bridge priority. It can be set only in increments of 4096.

Default: 32,768
Related Topics
Switches
410 ■ bridge-priority
cost
Syntax cost integer;
Hierarchy Level [edit protocols mstp interface (all | interface-name)],

[edit protocols mstp msti msti-id interface interface-name],
[edit protocols rstp interface (all | interface-name)],
[edit protocols stp interface (all | interface-name)]
Description For Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), or Multiple
Spanning Tree Protocol (MSTP), configure link cost to control which bridge is the
designated bridge and which interface is the designated interface.
Default The link cost is determined by the link speed.
Options cost—Link cost associated with the port.

Range: 1 through 200,000,000
Default: Link cost is determined by the link speed.
Related Topics
cost ■ 411
description
Syntax description text-description;
Hierarchy Level [edit vlans vlan-name]
Description Provide a textual description of the VLAN. The text has no effect on the operation of
the VLAN or switch.
Options text-description—Text to describe the interface. It can contain letters, numbers, and
hyphens (-) and can be up to 255 characters long. If the text includes spaces,
enclose the entire text in quotation marks.

Related Topics
■ show vlans
disable
Syntax disable;
Hierarchy Level [edit protocols gvrp],

[edit protocols gvrp interface (all | [interface-name])
Description Disable the GVRP configuration on the switch on one or more interfaces.
Default If you do not configure GVRP, it is disabled on the switch and on specific switch
interfaces.

Related Topics
■ show gvrp
412 ■ description
disable
Syntax disable;

[edit protocols mstp interface interface-name],
[ edit protocols mstp msti msti-id vlan (vlan-id | vlan-name) interface interface-name,
[edit protocols rstp interface interface-name],
[edit protocols stp interface interface-name]
Description Disable STP, MSTP, or RSTP on the switch or on a specific interface.

Related Topics
Switches
disable ■ 413
edge
Syntax edge;

Spanning Tree Protocol (MSTP), configure interfaces as edge interfaces. Edge interfaces
immediately transition to a forwarding state and do not transmit BPDUs..
Default Edge interfaces are not enabled.

Related Topics
Switches
414 ■ edge
ethernet-switching-options
Syntax ethernet-switching-options {
analyzer {
name {
ratio number;
input {
ingress {
}
egress {
}
output {
}
}
}
group-name name {
}
}
allowed-mac {
mac-address-list;
}
(dhcp-trusted | no-dhcp-trusted );
mac-limit limit action action;
}
(arp-inspection | no-arp-inspection );
(examine-dhcp | no-examine-dhcp );
mac-move-limit limit action action;
}
voip{
interface (all | [interface-name | access-ports]) {
vlan vlan-name ;
forwarding-class <assured-forwarding | best-effort | expedited-forwarding |
network-control>;
}
}
}
}
ethernet-switching-options ■ 415
Description Configure Ethernet switching options.

routing–control—To add this statement to the configuration.
Related Topics
■ Port Mirroring on EX-switches Overview
filter
Description Apply a firewall filter to traffic coming into or exiting from the VLAN.
Default All incoming traffic is accepted unmodified to the VLAN, and all outgoing traffic is
sent unmodified from the VLAN.
Options filter-name—Name of a firewall filter defined in a filter statement.

■ input—Apply a firewall filter to VLAN ingress traffic.
■ output—Apply a firewall filter to VLAN egress traffic.

Related Topics
EX-series Switches

forward-delay
Syntax forward-delay seconds;

Spanning Tree Protocol (MSTP), specify how long a bridge interface remains in the
listening and learning states before transitioning to the forwarding state.
Default 15 seconds
Options seconds—Number of seconds the bridge interface remains in the listening and learning
states.
Range: 4 through 30 seconds
Default: 15 seconds
Related Topics
Switches
forward-delay ■ 417
group-name
Syntax group-name name {

}
Hierarchy Level [edit ethernet-switching-options redundant-trunk-group]
Description Create a redundant trunk group.
Options name—The name of the redundant trunk group. The group name must start with a
letter and can consist of letters, numbers, dashes, and underscores.
The remaining options are explained separately.

Related Topics
■ Example: Configuring Redundant Trunk Links for Faster Recovery
418 ■ group-name
gvrp
Syntax gvrp {
<enable | disable>;
disable;
}
join-timer milliseconds;
}
Hierarchy Level [edit protocols]
Description Configure Generic VLAN Registration Protocol (GVRP). GVRP configured in the network
allows switches to declare and register VLAN information. You can configure one
switch manually with all the VLANs needed in a network, and from that single switch,
all VLAN information will be learned dynamically by the other switches in the Layer 2
network.
Default GVRP is disabled by default.

Related Topics
■ show gvrp
gvrp ■ 419
hello-time
Syntax hello-time seconds;

Spanning Tree Protocol (MSTP), the time interval at which the root bridge transmits
configuration BPDUs.
Default 2 seconds
Options seconds—Number of seconds between transmissions of configuration BPDUs.

Default: 2 seconds
Related Topics
Switches
420 ■ hello-time
interface
Syntax interface (all | [interface-name]) {

<enable | disable>;
}
Hierarchy Level [edit protocols gvrp]
Description Configure Generic VLAN Registration Protocol (GVRP) for one or more interfaces.
Default By default, GVRP is disabled.
Options all—All interfaces.
interface-name—The list of interfaces to be configured for GVRP.

Related Topics
■ show gvrp
interface ■ 421
interface
Syntax interface interface-name <primary>;

Hierarchy Level [edit ethernet-switching-options redundant-trunk-group group-name name]
Description Configure a primary link and secondary link on trunk ports. If the primary link fails,
the secondary link automatically takes over as the primary link without waiting for
normal STP convergence.
Options interface interface-name—A logical interface or an aggregated interface containing

multiple ports.
primary—(Optional) Specify one of the interfaces in the redundant group as the

primary link. The interface without this option is the secondary link in the
redundant group. If a link is not specified as primary, the software compares the
two links and selects the link with the highest port number as the active link.
For example, if the two interfaces are ge-0/1/0 and ge-0/1/1, the software
assigns ge-0/1/1 as the active link.

Related Topics
422 ■ interface
interface
Syntax interface interface-name {

disable;
cost cost;
edge;
mode mode;
priority priority;
}

[edit protocols mstp msti],
Spanning Tree Protocol (MSTP), configure an interface.
Options interface-name—Name of a Gigabit Ethernet interface.

Related Topics
Switches
interface ■ 423
join-timer
Syntax join-timer milliseconds;
Description For Generic VLAN Registration Protocol (GVRP), configure the maximum number of
milliseconds interfaces must wait before sending VLAN advertisements.
Default 20 centiseconds
Options milliseconds—Number of milliseconds.

Default: 20 centiseconds
Related Topics
■ show gvrp
l3-interface
Syntax l3-interface interface-name-logical-unit-number;

Description Associate a Layer 3 interface with the VLAN. Configure Layer 3 interfaces on trunk
ports to allow the interface to transfer traffic between multiple VLANs. Within a
VLAN, traffic is bridged, while across VLANs, traffic is routed.
Default No Layer 3 (routing) interface is associated with the VLAN.
Options interface-name–logical-unit-number—Name of a logical interface.

424 ■ join-timer
leaveall-timer
Syntax leaveall-timer milliseconds;
Description For Generic VLAN Registration Protocol (GVRP), configure the interval at which Leave
All messages are sent on the interfaces. Leave All messages maintain current GVRP
VLAN membership information in the network. A Leave All message instructs the
port to change the GVRP state for all its VLANs to a leaving state and remove them
unless a Join message is received before the leave timer expires.
Options milliseconds—Number of milliseconds.

Range: 5 times leave-timer value
Related Topics
■ show gvrp
leaveall-timer ■ 425
leave-timer
Syntax leave-timer milliseconds;
Description For Generic VLAN Registration Protocol (GVRP), configure the number of milliseconds
an interface must wait after receiving a leave message to remove the interface from
the VLAN specified in the message. If the interface receives a join message before
the timer expires, the software keeps the interface in the VLAN.
Options milliseconds—Number of milliseconds. At a minimum, the leave timer interval should

be twice the join timer interval.
Related Topics
■ show gvrp
426 ■ leave-timer
mac-table-aging-time
Syntax mac-table-aging-time seconds;
Description Define how long entries remain in the Ethernet switching table before expiring.
Default 300 seconds
Options seconds—Time that entries remain in the Ethernet switching table before being
removed.
■ Range—15 to 1,000,000 seconds.
■ Default—300 seconds.

Related Topics
mac-table-aging-time ■ 427
max-age
Syntax max-age seconds;

Spanning Tree Protocol (MSTP), specify the maximum age of received protocol
BPDUs.
Default 20 seconds
Options seconds—The maximum age of received protocol BPDUs.

Default: 20 seconds
Related Topics
Switches
428 ■ max-age
members
Syntax members [ (names | vlan-ids) ];

vlan]

Description For trunk interfaces, configure the VLANs for which the interface can carry traffic.
Options names—Name of one or more VLANs.
vlan-id—Numeric identifier of one or more VLANs.

Related Topics
■ JUNOS Network Interfaces Configuration Guide at JUNOS Network Interfaces
Configuration Guide at http://www.juniper.net/techpubs/software/junos/junos90/index.html
members ■ 429
mode
Syntax mode mode;

Spanning Tree Protocol (MSTP), configure the link mode to identify point-to-point
links.
Default For a full-duplex link, the default link mode is point-to-point. For a half-duplex link,
the default link mode is shared.
Options mode—Link mode:

■ point-to-point—Link is point to point.
■ shared—Link is shared media.

Related Topics
Switches
430 ■ mode
mstp
Syntax mstp {
disable;
configuration-name name;
hello-time seconds;
interface ( all | interface-name {
disable;
cost cost;
edge;
mode mode;
priority priority;
}
max-age seconds;
max-hops hops;
msti msti-id {
disable;
cost cost;
priority priority;
}
traceoptions {
filefilename <filesnumber > <size size> <no-stamp | world-readable |
no-world-readable>;
flag flag;
}
}
}
Description Configure Multiple Spanning Tree Protocol (MSTP). MSTP is defined in the IEEE
802.1Q-2003 specification and is used to create a loop-free topology in networks
with multiple spanning tree regions.
Default MSTP is disabled.

Related Topics
mstp ■ 431

Switches
native-vlan-id
Syntax native-vlan-id vlan-id;
Hierarchy Level [edit interfaces ge-fpc/chassis/port unit 0 family ethernet-switching]
Description Configure the VLAN identifier to associate with untagged packets received on the
interface.
Options vlan-id—Numeric identifier of the VLAN.

Related Topics
■ show vlans
■ show ethernet-switching interfaces
432 ■ native-vlan-id
port-mode
Syntax port-mode mode;

Description Configure whether an interface on the switch operates in access or trunk mode.
Default All switch interfaces are in access mode.
Options access—Have the interface operate in access mode. In this mode, the interface can
be in a single VLAN only. Access interfaces typically connect to network devices
such as PCs, printers, IP telephones, and IP cameras.
trunk—Have the interface operate in trunk mode. In this mode, the interface can be
in multiple VLANs and can multiplex traffic between different VLANs. Trunk
interfaces typically connect to other switches and to routers on the LAN.

Related Topics
port-mode ■ 433
priority
Syntax priority priority;

Spanning Tree Protocol (MSTP), the interface priority to control which interface is
elected as the root port.
Default The default value is 128.
Options priority—Interface priority. The interface priority must be set in increments of 16.
Related Topics
Switches
434 ■ priority
redundant-trunk-group
Syntax redundant-trunk-group {
group-name name {
}
}
Hierarchy Level [edit ethernet-switching-options]
the secondary link automatically takes over without waiting for normal STP
convergence.
Options The options are explained separately.

Related Topics
redundant-trunk-group ■ 435
rstp
Syntax rstp {
disable;
hello-time seconds;
disable;
cost cost;
edge;
mode mode;
priority priority;
}
max-age seconds;
}
Description Configure Rapid Spanning Tree Protocol (RSTP). RSTP is defined in the IEEE
802.1D-2004 specification and is used to prevent loops in Layer 2 networks, providing
shorter convergence times than those provided with basic STP.
Default RSTP is enabled on all Ethernet switching interfaces.

Related Topics
436 ■ rstp
stp
Syntax stp {
disable;
hello-time seconds;
disable;
cost cost;
edge;
mode mode;
priority priority;
}
max-age seconds;
}
Description Configure Spanning Tree Protocol (STP). STP is used to prevent loops in Layer 2
networks and is defined in the specification IEEE 802.1D.
Default STP is enabled on all Ethernet switching ports.

Related Topics
Understanding STP for EX-series Switches
stp ■ 437
translate
Syntax translate vlan-id1 vlan-id2

vlan]

Description For trunk interfaces, have the interface change the VLAN identifier on received
packets to a different identifier.
Options vlan-id1—Number of the VLAN identifier in received packets. This identifier is removed
from packets received on the interface.
vlan-id2—New VLAN identifier. This identifier replaces the one removed from packets
received on the interface.

Related Topics
438 ■ translate
vlan
Syntax vlan {
}

Description For Gigabit Ethernet and Aggregated Ethernet interfaces, binds a 802.1Q VLAN tag
ID to a logical interface.
Default to be added.

Related Topics
vlan ■ 439
vlan-id
Syntax vlan-id number;
Description Configure an 802.1q tag to apply to all traffic that originates on the VLAN.
Default If you use the default factory configuration, all traffic originating on the VLAN is
untagged and has a VLAN identifier of 0.
Options number—VLAN tag identifier.

Range: 0 through 4093.
Related Topics
440 ■ vlan-id
vlans
Syntax vlans {
vlan-name {
descriptiontext-description;
mac-limit number;
mac-table-aging-timeseconds;
vlan-idnumber;
}
}
Description Configure VLAN properties on EX-series switches.
Default If you use the default factory configuration, all switch interfaces become part of the
VLAN default.
Options vlan-name—Name of the VLAN. The name can contain letters, numbers, and hyphens
(-) and can be up to 255 characters long.
The remaining options are described separately.

Related Topics
■ Configuring VLANs for EX-Series Switches (J-Web Procedure)
■ Configuring Routed VLAN Interfaces for EX-series Switches (CLI Procedure)
vlans ■ 441

Chapter 31
Operational Mode Commands for Bridging,
VLANs, and Spanning Trees
■ 443
clear gvrp statistics
Syntax clear gvrp statistics
Description Clear Generic VLAN Registration Protocol (GVRP) statistics.
Related Topics
■ show spanning-tree statistics
List of Sample Output clear gvrp statistics on page 444
clear gvrp statistics user@switch> clear gvrp statistics
444 ■ clear gvrp statistics

Chapter 31: Operational Mode Commands for Bridging, VLANs, and Spanning Trees
clear spanning-tree statistics
Syntax clear spanning-tree statistics

<interface interface-name unit logical-unit-number>;
Description Reset STP statistics for the all interfaces or a specified interface.
Options none—Reset STP counters for all interfaces.
interface-name—(Optional) The name of the interface for which statistics should be

reset.
logical-unit-number—(Optional) The logical unit number of the interface.
Related Topics
List of Sample Output clear spanning-tree statistics on page 445

Output Fields This command produces no output.
clear spanning-tree user@switch> clear spanning—tree statistics

statistics
clear spanning-tree statistics ■ 445

show ethernet-switching interfaces
Syntax show ethernet-switching interfaces

<brief | detail | summary>
<interface interface-name>
Release Information Command introduced in JUNOS for EX-series Release 9.0.

Description Display information about switching Ethernet interfaces.
Options none—(Optional) Display brief information for Ethernet-switching interfaces.
brief | detail | summary—(Optional) Display the specified level of output.
interface interface-name—(Optional) Display Ethernet-switching information for a

specific interface.

List of Sample Output show ethernet-switching interfaces on page 446
show ethernet-switching interfaces summary on page 447
show ethernet-switching interfaces brief on page 447
show ethernet-switching interfaces detail on page 447
show ethernet-switching interfaces ge-0/0/0.0 on page 448
Output Fields Table 57 on page 446 lists the output fields for the show ethernet-switching interfaces
Table 57: show vlans Output Fields
Interface Name of a switching interface. All levels
State Interface state. Values are up or down. none, brief, detail,

summary
VLAN members Name of a VLAN. none, brief, detail,

summary
Blocking The forwarding state of the interface: none, brief, detail,

summary
■ blocked—Traffic is not being forwarded on the interface.
■ unblocked—Traffic is forwarded on the interface.
Index The VLAN index internal to JUNOS software. detail
untagged | tagged Specifies whether the interface forwards 802.1Q-tagged or untagged traffic. detail
show ethernet-switching user@switch> show ethernet-switching interfaces

interfaces
446 ■ show ethernet-switching interfaces


ge-0/0/0.0 up T1122 unblocked
show ethernet-switching user@switch> show ethernet-switching interfaces summary

interfaces summary ge-0/0/0.0
ge-0/0/1.0
ge-0/0/2.0
ge-0/0/3.0
ge-0/0/8.0
ge-0/0/10.0
ge-0/0/11.0
show ethernet-switching user@switch> show ethernet-switching interfaces brief

interfaces brief Interface State VLAN members Blocking
ge-0/0/1.0 down employee-vlan unblocked
show ethernet-switching user@switch> show ethernet-switching interfaces detail

interfaces detail Interface: ge-0/0/0.0 Index: 65
State: down
VLANs:
default untagged unblocked
Interface: ge-0/0/1.0 Index: 66

State: down
VLANs:
employee-vlan untagged unblocked

State: down
VLANs:
show ethernet-switching interfaces ■ 447


State: down
VLANs:

State: down
VLANs:

State: down
VLANs:
default untagged unblocked

State: down
VLANs:
employee-vlan tagged unblocked
show ethernet-switching user@switch> show ethernet-switching interfaces ge-0/0/0.0

interfaces ge-0/0/0.0 Interface State VLAN members Blocking
448 ■ show ethernet-switching interfaces

show ethernet-switching mac-learning-log
Syntax show ethernet-switching mac-learning-log
Description Displays the event log of learned MAC addresses.

List of Sample Output show ethernet-switching table on page 449
show ethernet-switching user@switch> show ethernet-switching mac-learning-log

table Mon Feb 25 08:07:05 2008
vlan_idx 7 mac 00:00:00:00:00:00 was deleted
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
vlan_idx 4 mac 00:00:00:00:00:00 was added
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
vlan_idx 18 mac 00:00:05:00:00:05 was learned
Mon Feb 25 08:07:05 2008
show ethernet-switching mac-learning-log ■ 449

vlan_idx 5 mac 00:30:48:90:54:89 was learned

Mon Feb 25 08:07:05 2008
vlan_idx 6 mac 00:00:5e:00:01:00 was learned
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
Mon Feb 25 08:07:05 2008
vlan_idx 8 mac 00:19:e2:50:ac:00 was learned
Mon Feb 25 08:07:05 2008
[output truncated]
450 ■ show ethernet-switching mac-learning-log

show ethernet-switching table
Syntax show ethernet-switching table

<brief | detail | extensive>
<interface interface-name>
Description Displays the Ethernet switching table.
Options none—(Optional) Display brief information about the Ethernet-switching table.
brief | detail | extensive—(Optional) Display the specified level of output.
interface-name—(Optional) Display the Ethernet-switching table for a specific interface.
Related Topics
List of Sample Output show ethernet-switching table on page 452

show ethernet-switching table brief on page 452
show ethernet-switching table detail on page 453
show ethernet-switching table extensive on page 454
show ethernet-switching table interface ge-0/0/1 on page 455
Output Fields Table 58 on page 451 lists the output fields for the show ethernet-switching table
Table 58: show ethernet-switching table Output Fields
VLAN The name of a VLAN. All levels
MAC address The MAC address associated with the VLAN. All levels
Type The type of MAC address. Values are: All levels

■ static—The MAC address is manually created.
■ learn—The MAC address is learned dynamically from a packet's source
MAC address.
■ flood—The MAC address is unknown and flooded to all members.
Age The time remaining before the entry ages out and is removed from the Ethernet All levels
switching table.
show ethernet-switching table ■ 451

Table 58: show ethernet-switching table Output Fields (continued)
Interfaces Interface associated with learned MAC addresses or All-members (flood entry). All levels
Learned For learned entries, the time which the entry was added to the detail, extensive
Ethernet-switching table.
show ethernet-switching user@switch> show ethernet-switching table

table Ethernet-switching table: 57 entries, 17 learned
F2 * Flood - All-members
F2 00:00:05:00:00:03 Learn 0 ge-0/0/44.0
F2 00:19:e2:50:7d:e0 Static - Router
Linux * Flood - All-members
Linux 00:19:e2:50:7d:e0 Static - Router
Linux 00:30:48:90:54:89 Learn 0 ge-0/0/47.0
T1 * Flood - All-members
T1 00:00:05:00:00:01 Learn 0 ge-0/0/46.0
T1 00:00:5e:00:01:00 Static - Router
T1 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
T1 00:19:e2:50:7d:e0 Static - Router
T10 00:00:5e:00:01:09 Static - Router
T10 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
T111 00:19:e2:50:63:e0 Learn 0 ge-0/0/15.0
T111 00:19:e2:50:ac:00 Learn 0 ge-0/0/15.0
T2 00:00:5e:00:01:01 Static - Router
T2 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
T3 00:00:5e:00:01:02 Static - Router
T3 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
T4 00:00:5e:00:01:03 Static - Router
T4 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
[output truncated]
show ethernet-switching user@switch> show ethernet-switching table brief

table brief Ethernet-switching table: 57 entries, 17 learned
F2 * Flood - All-members
F2 00:00:05:00:00:03 Learn 0 ge-0/0/44.0
F2 00:19:e2:50:7d:e0 Static - Router
Linux * Flood - All-members
Linux 00:19:e2:50:7d:e0 Static - Router
Linux 00:30:48:90:54:89 Learn 0 ge-0/0/47.0
T1 00:00:05:00:00:01 Learn 0 ge-0/0/46.0
T1 00:00:5e:00:01:00 Static - Router
T1 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0


T10 00:00:5e:00:01:09 Static - Router
T10 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
T111 00:19:e2:50:63:e0 Learn 0 ge-0/0/15.0
T111 00:19:e2:50:ac:00 Learn 0 ge-0/0/15.0
T2 00:00:5e:00:01:01 Static - Router
T2 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
T3 00:00:5e:00:01:02 Static - Router
T3 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
T4 00:00:5e:00:01:03 Static - Router
T4 00:19:e2:50:63:e0 Learn 0 ge-0/0/46.0
[output truncated]
show ethernet-switching user@switch> show ethernet-switching table detail

table detail Ethernet-switching table: 57 entries, 17 learned
F2, *
Interface(s): ge-0/0/44.0
Type: Flood
F2, 00:00:05:00:00:03
Type: Learn, Age: 0, Learned: 2:03:09
F2, 00:19:e2:50:7d:e0
Interface(s): Router
Type: Static
Linux, *
Type: Flood
Linux, 00:19:e2:50:7d:e0
Type: Static
Linux, 00:30:48:90:54:89
T1, *
Type: Flood
T1, 00:00:05:00:00:01
T1, 00:00:5e:00:01:00
Type: Static
T1, 00:19:e2:50:63:e0

T1, 00:19:e2:50:7d:e0
Type: Static
T10, *
Type: Flood
T10, 00:00:5e:00:01:09
Type: Static
T10, 00:19:e2:50:63:e0
T10, 00:19:e2:50:7d:e0
Type: Static
T111, *
Type: Flood
[output truncated]
show ethernet-switching user@switch> show ethernet-switching table extensive

table extensive Ethernet-switching table: 57 entries, 17 learned
F2, *
Type: Flood
F2, 00:00:05:00:00:03
F2, 00:19:e2:50:7d:e0
Type: Static
Linux, *
Type: Flood
Linux, 00:19:e2:50:7d:e0
Type: Static
Linux, 00:30:48:90:54:89
T1, *
Type: Flood
T1, 00:00:05:00:00:01

T1, 00:00:5e:00:01:00
Type: Static
T1, 00:19:e2:50:63:e0
T1, 00:19:e2:50:7d:e0
Type: Static
T10, *
Type: Flood
T10, 00:00:5e:00:01:09
Type: Static
T10, 00:19:e2:50:63:e0
T10, 00:19:e2:50:7d:e0
Type: Static
T111, *
Type: Flood
[output truncated]
show ethernet-switching user@switch> show ethernet-switching table interface ge-0/0/1

table interface ge-0/0/1 Ethernet-switching table: 1 unicast entries
V1 * Flood - All-members
V1 00:00:05:00:00:05 Learn 0 ge-0/0/1.0

show gvrp
Syntax show gvrp
Description Display Generic VLAN Registration Protocol (GVRP) information.
Options none—Displays all GVRP configuration attributes.
interface interface-name—(Optional) Displays GVRP statistics for a specific interface

only.
Related Topics
■ show spanning-tree statistics
■ show gvrp
List of Sample Output show gvrp on page 456

Output Fields Table 59 on page 456 lists the output fields for the show gvrp command. Output fields
are listed in the approximate order in which they appear.
Table 59: show gvrp Output Fields
Global GVRP Displays global GVRP information:

Configuration
■ GVRP status—Displays whether GVRP is enabledor disabled.
■ Join—The maximum number of milliseconds the interfaces must wait before sending VLAN
advertisements.
■ Leave— The number of milliseconds an interface must wait after receiving a Leave message
to remove the interface from the VLAN specified in the message.
■ Leaveall—The interval at which Leave All messages are sent on interfaces. Leave all messages
maintain current GVRP VLAN membership information in the network.
Interface based Displays interface-specific GVRP information:

configuration
■ Interface—The interface on which GVRP is configured..
■ GVRP status—Displays whether GVRP is enabled or disabled.
show gvrp user@switch> show gvrp
Global GVRP configuration

GVRP status : Enabled
456 ■ show gvrp

GVRP timers (ms)

Join : 40
Leave : 120
Leaveall : 2000
Interface based configuration:

Interface GVRP status
---------- -----------
ge-0/0/0.0 Enabled

show gvrp statistics
Syntax show gvrp statistics
Description Display Generic VLAN Registration Protocol (GVRP) statistics.
Related Topics
■ show gvrp
List of Sample Output show gvrp statistics on page 459

Output Fields Table 60 on page 458 lists the output fields for the show gvrp statistics command.
Table 60: show gvrp statistics Output Fields
Join Empty received TBD All levels
Join In received TBD: All levels
Empty received TBD All levels
Leave In received TBD: All levels
Leave Empty received TBD: All levels
Leave All received TBD: All levels
Join Empty TBD: All levels

transmitted
Join In transmitted TBD: All levels
Empty transmitted TBD: All levels
Leave In transmitted TBD: All levels
Leave Empty TBD: All levels

transmitted
Leave All transmitted TBD: All levels
458 ■ show gvrp statistics

show gvrp statistics user@switch> show gvrp statistics

GVRP statistics
Join Empty received : 0
Join In received : 12
Empty received : 0
Leave In received : 0
Leave Empty received : 0
Leave All received : 0
Join Empty transmitted : 0
Join In transmitted : 48
Empty transmitted : 4
Leave In transmitted : 0
Leave Empty transmitted : 0
Leave All transmitted : 4

show redundant-trunk-group
Syntax show redundant-trunk-group <group-name group-name>
Description Display information about redundant trunk groups.
Options group-name group-name—Display information about the specified redundant truck

group.
Related Topics
List of Sample Output show redundant-trunk-group group-name Group1 on page 460

Output Fields Table 61 on page 518 lists the output fields for the show redundant-trunk-group
Table 61: show redundant-trunk-group Output Fields
Group Name Name of the redundant trunk port group.
Interface Name of an interface belonging to the trunk port group.

■ (P) denotes a primary interface.
■ (A) denotes an active interface.
■ Lack of (A) denotes a blocking interface.
State Operating state of the interface: UP or DOWN.
Last Time of Flap Date and time at which the advertised link became unavailable, and then, available again.
# Flaps Total number of flaps since the last switch reboot.
show user@switch> show redundant—trunk-group group-name Group1

redundant-trunk-group show redundant-trunk-group group-name Group1
group-name Group1
Group Name Interface State Last Time of Flap # Flaps
Group1 ge-0/0/45.0 (P) UP Fri Jan 2 04:10:58 0
ge-0/0/47.0 UP Fri Jan 2 04:10:58 0
460 ■ show redundant-trunk-group

show spanning-tree bridge
Syntax show spanning-tree bridge

<brief | detail>
<msti msti-id>
<vlan vlan-id>
Description Display the configured or calculated Spanning Tree Protocol (STP) parameters.
Options none—(Optional) Display brief STP bridge information for all Multiple Spanning Tree
Instances (MSTIs).
brief | detail—(Optional) Display the specified level of output.
msti msti-id—(Optional) Display STP bridge information for the specified MSTP instance
ID or Common and Internal Spanning Tree (CIST). Specify 0 for CIST. Specify a
value from 1 through 4094 for an MSTI.
vlan vlan-id—(Optional) Display STP bridge information for the specified VLAN. Specify
a VLAN tag identifier from 1 through 4094.
Related Topics
Switches
List of Sample Output show spanning-tree bridge on page 462

Output Fields Table 62 on page 461 lists the output fields for the show spanning-tree bridge command.
Table 62: show spanning-tree bridge Output Fields
Routing instance Name of the routing instance under which the bridging domain is configured.
name
Context ID An internally generated identifier.
Enabled protocol Spanning Tree Protocol type enabled.
Root ID Bridge ID of the elected spanning tree root bridge. The bridge ID consists of a
configurable bridge priority and the MAC address of the bridge.
show spanning-tree bridge ■ 461

Table 62: show spanning-tree bridge Output Fields (continued)
Root cost Calculated cost to reach the root bridge from the bridge where the command
is entered.
Root port Interface that is the current elected root port for this bridge.
CIST regional root Bridge ID of the elected MSTP regional root bridge.
CIST internal root Calculated cost to reach the regional root bridge from the bridge where the
cost command is entered.
Hello time Configured number of seconds between transmissions of configuration BPDUs.
Maximum age Maximum age of received protocol BPDUs.
Forward delay Configured time an STP bridge port remains in the listening and learning states
before transitioning to the forwarding state.
Hop count Configured maximum number of hops a BPDU can be forwarded in the MSTP
region.
Message age Number of elapsed seconds since the most recent BPDU was received.
Number of topology Total number of STP topology changes detected since the switch last booted.
changes
Time since last Number of elapsed seconds since the most recent topology change.
topology change
Bridge ID (Local) Locally configured bridge ID. The bridge ID consists of a configurable bridge
priority and the MAC address of the bridge.
Extended system ID Internally generated system identifier.
MSTI regional root Bridge ID of the elected MSTP regional root bridge.
show spanning-tree user@switch> show spanning-tree bridge

bridge STP bridge parameters
Context ID : 0

Root ID : 8192.00:19:e2:50:51:e0
Root cost : 0
Hop count : 18
Message age : 0


Local parameters
Bridge ID : 16384.00:19:e2:50:44:e0

Root cost : 2000
Hop count : 18
Local parameters
Bridge ID : 16385.00:19:e2:50:44:e0

Root cost : 1000
Hop count : 19
Local parameters
Bridge ID : 8194.00:19:e2:50:44:e0

show spanning-tree interface
Syntax show spanning-tree interface

<brief | detail>
<interface-name interface-name>
<msti msti-id>
<vlan-id vlan-id>
Description Display the configured or calculated interface-level STP parameters.
Options none—Display brief STP interface information.
interface-name interface-name—(Optional) Name of an interface.
msti msti-id—(Optional) Display STP interface information for the specified MSTP
instance ID. Specify a value from 0 through 64. Specify 0 for CIST.
vlan-id vlan-id—(Optional) Display STP interface information for the specified VLAN.
Specify a value from 0 through 4094.

List of Sample Output show spanning-tree interface on page 465
show spanning-tree interface detail on page 465
show spanning-tree interface msti on page 467
show spanning-tree interface msti on page 467
Output Fields Table 63 on page 464 lists the output fields for the show spanning-tree Interface
Table 63: show spanning-tree interface Output Fields
Interface name Interface configured to participate in the STP, RSTP, or MSTP instance.
Port ID Logical interface identifier configured to participate in the MSTP instance.
Designated port ID Port ID of the designated port for the LAN segment this interface is attached to.
Designated bridge ID Bridge ID of the designated bridge for the LAN segment this interface is attached to.
Port Cost Configured cost for the interface.
Port State STP port state. Forwarding (FWD), blocking (BLK), listening, learning, or disabled.
Port Role MSTP or RSTP port role. Designated (DESG), backup (BKUP), alternate (ALT), or root.
Link type MSTP or RSTP link type. Shared or point-to-point (pt-pt) and edge or non edge.
464 ■ show spanning-tree interface

Table 63: show spanning-tree interface Output Fields (continued)
Alternate Identifies the interface as an MSTP or RSTP alternate root port (yes) or nonalternate root
Boundary Port Identifies the interface as an MSTP regional boundary port (yes) or nonboundary port (
show spanning-tree user@host> show spanning-tree interface

interface

ge-0/0/0.0 128:513 128:513 8192.0019e2500340 1000 FWD DESG
ge-0/0/2.0 128:515 128:515 8192.0019e2500340 1000 BLK DIS
ge-0/0/4.0 128:517 128:517 8192.0019e2500340 1000 FWD DESG
ge-0/0/23.0 128:536 128:536 8192.0019e2500340 1000 FWD DESG

ge-0/0/0.0 128:513 128:513 8193.0019e2500340 1000 FWD DESG
ge-0/0/2.0 128:515 128:515 8193.0019e2500340 1000 BLK DIS
ge-0/0/4.0 128:517 128:517 8193.0019e2500340 1000 FWD DESG
ge-0/0/23.0 128:536 128:536 8193.0019e2500340 1000 FWD DESG

ge-0/0/0.0 128:513 128:1 8194.001b549fd000 1000 FWD ROOT
ge-0/0/2.0 128:515 128:515 32770.0019e2500340 4000 BLK DIS
ge-0/0/4.0 128:517 128:1 16386.001b54013080 1000 BLK ALT
ge-0/0/23.0 128:536 128:536 32770.0019e2500340 1000 FWD DESG
show spanning-tree TBD—writer, get output on EX-series box.

interface detail
user@host> show spanning-tree interface routing-instance vs1 detail
Interface name : ae1

Port identifier : 128.1
Designated port ID : 128.1
Port cost : 1000
Port state : Forwarding
Designated bridge ID : 32768.00:90:69:0b:47:d1
Port role : Designated
Link type : Pt-Pt/NONEDGE
Boundary port : No
Interface name : ge-2/1/2

Port cost : 20000
show spanning-tree interface ■ 465


Boundary port : No

Port cost : 29999
Boundary port : No

Port cost : 20000
Designated bridge ID : 32768.00:13:c3:9e:c8:80
Port role : Root
Boundary port : No
Interface name : xe-9/2/0

Port cost : 2000
Boundary port : No
Interface name : xe-9/3/0

Port cost : 2000
Boundary port : No
Interface name : ae1

Port cost : 1000
Boundary port : No

466 ■ show spanning-tree interface

Port cost : 20000

Boundary port : No

Port cost : 29999
Boundary port : No

Port cost : 20000
Designated bridge ID : 32768.00:13:c3:9e:c8:80
Port role : Root
Boundary port : No
...
show spanning-tree user@host> show spanning-tree interface msti 1 routing-instance vs1 detail
interface msti Spanning tree interface parameters for instance 1

xe-7/0/0 128:1 128:1 32769.0090690b4fd1 2000 FWD DESG
ge-5/1/0 128:2 128:2 32769.0090690b4fd1 20000 FWD DESG
ge-5/1/1 128:3 128:3 32769.0090690b4fd1 20000 FWD DESG
ae1 128:4 128:1 32769.0090690b47d1 10000 BLK ALT
ge-5/1/4 128:5 128:3 32769.0090690b47d1 20000 BLK ALT
xe-7/2/0 128:6 128:6 32769.0090690b47d1 2000 FWD ROOT
show spanning-tree user@host> show spanning-tree interface vlan-id 101 routing-instance vs1 detail
interface msti Spanning tree interface parameters for instance 0

ge-11/0/5 128:1 128:1 32768.0090690b7fd1 20000 FWD DESG
ge-11/0/6 128:2 128:1 32768.0090690b7fd1 20000 BLK BKUP
ge-11/1/0 128:3 128:2 32768.0090690b4fd1 20000 BLK ALT
ge-11/1/1 128:4 128:3 32768.0090690b4fd1 20000 BLK ALT
ge-11/1/4 128:5 128:1 32768.0090690b47d1 20000 BLK ALT
xe-10/0/0 128:6 128:5 32768.0090690b4fd1 2000 BLK ALT
xe-10/2/0 128:7 128:4 32768.0090690b47d1 2000 FWD ROOT
show spanning-tree interface ■ 467

show spanning-tree mstp configuration
Syntax show spanning-tree mstp configuration

<brief | detail>
Description Display the MSTP configuration.
Options none—Display MSTP configuration information.

List of Sample Output show spanning-tree mstp configuration on page 468
Output Fields Table 64 on page 468 lists the output fields for the show spanning-tree mstp configuration
Table 64: show spanning-tree mstp configuration Output Fields
Context identifier Internally generated identifier.
Region name MSTP region name carried in the MSTP BPDUs.
Revision Revision number of the MSTP configuration.
Configuration digest Numerical value derived from the VLAN-to-instance mapping table.
MSTI MSTI instance identifier.
Member VLANs Identifiers for VLANs associated with the MSTI.
show spanning-tree user@host> show spanning-tree mstp configuration

mstp configuration MSTP configuration information
Context identifier : 0
Region name : region1
Revision : 0
Configuration digest : 0xc92e7af9febb44d8df928b87f16b
MSTI Member VLANs

0 0-100,105-4094
1 101-102
2 103-104
468 ■ show spanning-tree mstp configuration

show spanning-tree statistics
Syntax show spanning-tree statistics

<brief | detail >
Description Display STP statistics.
Options none—Display brief STP statistics.
routing-instance routing-instance-name—Display STP statistics for the specified logical

router.

List of Sample Output show spanning-tree statistics interface on page 469
Output Fields Table 65 on page 469 lists the output fields for the show spanning-tree statistics
Table 65: show spanning-tree statistics Output Fields
BPDUs sent Total number of BPDUs sent.
BPDUs received Total number of BPDUs received.
Interface Interface for which the statistics are being displayed.
Next BPDU transmission Number of seconds until the next BPDU is scheduled to be sent.
show spanning-tree user@host> show spanning-tree statistics interface ge-0/0/4

statistics interface Interface BPDUs sent BPDUs received Next BPDU
transmission
ge-0/0/4 7 190 0
show spanning-tree statistics ■ 469

show vlans
Syntax show vlans

<brief | detail | extensive>
Description Display information about VLANs configured on bridged Ethernet interfaces.
Options none—Display information for all VLANs.
brief | detail | extensive—(Optional) Display the specified level of output.

List of Sample Output show vlans on page 471
show vlans brief on page 471
show vlans detail on page 471
show vlans extensive on page 472
Output Fields Table 66 on page 739 lists the output fields for the show vlans command. Output fields
Table 66: show vlans Output Fields
Name Name of a VLAN. All levels
Tag The 802.1Q tag applied to this VLAN. If none is displayed, no tag is applied. All levels
Interfaces Interface associated with learned MAC addresses or all-members (flood entry). All levels
Address The IP address. none, brief
Admin state The state of the interface. Values are: detail. extensive
enabled—The interface is turned on, and the physical link is operational and
can pass packets.
Description A description for the VLAN. detail. extensive
Primary IP Primary IP address associated with a VLAN. detail
STP The spanning tree associated with a VLAN. detail. extensive
RTG The redundant trunk group associated with a VLAN. detail. extensive
Tagged Interfaces The tagged interfaces to which a VLAN is associated. detail. extensive
Untagged Interfaces The untagged interfaces to which a VLAN is associated. detail. extensive
Interrnal Index VLAN index internal to JUNOS software. extensive
470 ■ show vlans

Table 66: show vlans Output Fields (continued)
Origin The manner in which the VLAN was created. Values are static or learn. extensive
Protocol Port-based VLAN. extensive
IP addresses IP address associated with a VLAN. extensive
show vlans user@switch> show vlans
Name Tag Interfaces

default None
ge-0/0/34.0, ge-0/0/33.0, ge-0/0/32.0, ge-0/0/31.0,
ge-0/0/30.0, ge-0/0/29.0, ge-0/0/28.0, ge-0/0/27.0,
ge-0/0/26.0, ge-0/0/25.0, ge-0/0/19.0, ge-0/0/18.0,
ge-0/0/17.0, ge-0/0/16.0, ge-0/0/15.0, ge-0/0/14.0,
ge-0/0/13.0, ge-0/0/11.0, ge-0/0/9.0, ge-0/0/8.0,
ge-0/0/3.0, ge-0/0/2.0, ge-0/0/1.0
v0001 1
ge-0/0/24.0, ge-0/0/23.0, ge-0/0/22.0, ge-0/0/21.0
v0002 2
None
v0003 3
None
v0004 4
None
v0005 5
None
show vlans brief user@switch>show vlans brief

Ports
Name Tag Address Active/Total
default None 0/23
v0001 1 0/4
v0002 2 0/0
v0003 3 0/0
v0004 4 0/0
v0005 5 0/0
v0006 6 0/0
v0007 7 0/0
v0008 8 0/0
v0009 9 0/0
v0010 10 0/2
v0011 11 0/0
v0012 12 0/0
v0013 13 0/0
v0014 14 0/0
v0015 15 0/0
v0016 16 0/0
show vlans detail user@switch>show vlans detail

VLAN: default, Tag: Untagged, Admin state: Enabled
Description: None
Primary IP: None, Number of interfaces: 23 (Active = 0)
STP: None, RTG: None
show vlans ■ 471

Untagged interfaces: ge-0/0/34.0, ge-0/0/33.0, ge-0/0/32.0, ge-0/0/31.0,

ge-0/0/30.0, ge-0/0/29.0, ge-0/0/28.0, ge-0/0/27.0, ge-0/0/26.0,
ge-0/0/25.0, ge-0/0/19.0, ge-0/0/18.0, ge-0/0/17.0, ge-0/0/16.0,
ge-0/0/15.0, ge-0/0/14.0, ge-0/0/13.0, ge-0/0/11.0, ge-0/0/9.0, ge-0/0/8.0,
ge-0/0/3.0, ge-0/0/2.0, ge-0/0/1.0,
Tagged interfaces: None
VLAN: v0001, Tag: 802.1Q Tag 1, Admin state: Enabled

Description: None
Untagged interfaces: None
Tagged interfaces: ge-0/0/24.0, ge-0/0/23.0, ge-0/0/22.0, ge-0/0/21.0,

Description: None

Description: None
show vlans extensive user@switch>show vlans extensive

VLAN: default, created at Mon Feb 4 12:13:47 2008
Tag: None, Internal index: 0, Admin state: Enabled, Origin: static
Description: None
Protocol: Port based, Layer 3 interface: None
IP addresses: None
STP: None, RTG: None.
Number of interfaces: Tagged 0 (Active = 0), Untagged 23 (Active = 0)
ge-0/0/34.0 (untagged, access)
VLAN: v0001, created at Mon Feb 4 12:13:47 2008
472 ■ show vlans

Tag: 1, Internal index: 1, Admin state: Enabled, Origin: static

Description: None
IP addresses: None
ge-0/0/24.0 (tagged, trunk)

Description: None
IP addresses: None
None

Description: None
IP addresses: None
None
show vlans ■ 473

474 ■ show vlans

Part 9
Layer 3 Protocols
■ Understanding Layer 3 Protocols on page 477
■ Configuring Layer 3 Protocols on page 479
■ Verifying Layer 3 Protocols on page 491
Layer 3 Protocols ■ 475

476 ■ Layer 3 Protocols

Chapter 32
Understanding Layer 3 Protocols
■ DHCP Services for EX-series Switches Overview on page 477
DHCP Services for EX-series Switches Overview

A Dynamic Host Configuration Protocol (DHCP) server can automatically allocate IP
addresses and also deliver configuration settings to client hosts on a subnet. DHCP
is particularly useful for managing a pool of IP addresses among hosts. An IP address
can be leased to a host for a limited period of time, allowing the DHCP server to
share a limited number of IP addresses among a group of hosts that do not need
permanent IP addresses.
To configure DHCP access service for an EX-series switch, you can use either the
JUNOS command line interface (CLI ) or the J-Web user interface.
For detailed information about configuring DHCP services, see the JUNOS Software
System Basics Configuration Guide at
http://www.juniper.net/techpubs/software/junos/junos90/index.html.The configuration for
DHCP service on the EX-series switch includes the dhcp statement at the [edit system
services] hierarchy level. The commands and statements are the same as those used
to configure DHCP for J-series Services Routers.
You can monitor DHCP services for the switch by using either operational-mode CLI
commands or the J-Web interface.
Related Topics
■ For information about configuring DHCP services with the CLI, see the JUNOS
Software System Basics Configuration Guide at
■ Configuring DHCP Services (J-Web Procedure)

■ Monitoring DHCP Services
DHCP Services for EX-series Switches Overview ■ 477


Chapter 33
Configuring Layer 3 Protocols
■ Configuring BGP Sessions (J-Web Procedure) on page 479

■ Configuring DHCP Services (J-Web Procedure) on page 480
■ Configuring an OSPF Network (J-Web Procedure) on page 483
■ Configuring a RIP Network (J-Web Procedure) on page 484
■ Configuring SNMP (J-Web Procedure) on page 485
■ Configuring Static Routing (CLI Procedure) on page 488
■ Configuring Static Routes (J-Web Procedure) on page 488
Configuring BGP Sessions (J-Web Procedure)

J-Web Configuration allows you to create BGP peering sessions.
To configure a BGP peering session :

1. In the J-Web user interface, select Configure> Routing >BGP Routing.
2. Enter information into the configuration page for BGP, as described in
3. To apply the configuration, click Apply.
Table 67: BGP Routing Configuration Summary
Router Identification
Router Identifier Uniquely identifies the device. Type the switch's 32-bit IP address, in dotted decimal
(required) notation.
BGP
Enable BGP Enables or disables BGP. ■ To enable BGP, select the check box.
■ To disable BGP, clear the check box.
Configuring BGP Sessions (J-Web Procedure) ■ 479

Table 67: BGP Routing Configuration Summary (continued)
Autonomous System Sets the unique numeric identifier of the Type the switch's 32-bit AS number, in dotted decimal
Number AS in which the switch is configured. notation.
If you enter an integer, the value is converted to a 32-bit

equivalent. For example, if you enter 3, the value
assigned to the AS is 0.0.0.3.
Peer Autonomous Sets the unique numeric identifier of the Type the peer host's 32-bit AS number, in dotted
System Number AS in which the peer host resides. decimal notation.
If you enter an integer, the value is converted to a 32-bit

equivalent. For example, if you enter 3, the value
assigned to the AS is 0.0.0.3.
Peer Address Specifies the IP address of the peer host's Type the IP address of the peer host's adjacent interface,
interface to which the BGP session is being in dotted decimal notation.
established.
Local Address Specifies the IP address of the local host's Type the IP address of the local host's adjacent interface,
interface from which the BGP session is in dotted decimal notation.
being established.
Related Topics
■ Monitoring BGP Routing Information
Configuring DHCP Services (J-Web Procedure)

Use the J-Web DHCP Configuration pages to configure DHCP pools for subnets and
static bindings for DHCP clients. If DHCP pools or static bindings are already
configured, use the Configure Global DHCP Parameters Configuration page to add
settings for these pools and static bindings. Settings that have been previously
configured for DHCP pools or static bindings are not overridden when you use the
Configure Global DHCP Parameters Configuration page.
To configure the DHCP server:

1. Select Configure>Services>DHCP.
2. Access a DHCP Configuration page:
■ To configure a DHCP pool for a subnet, click Add in the DHCP Pools box.
■ To configure a static binding for a DHCP client, click Add in the DHCP Static
Binding box.
■ To globally configure settings for existing DHCP pools and static bindings,
click Configure Global DHCP Parameters.

Chapter 33: Configuring Layer 3 Protocols
3. Enter information into the DHCP Configuration pages, as described in

Table 68: DHCP Server Configuration Pages Summary
DHCP Pool Information

DHCP Subnet (required) Specifies the subnet on which DHCP is Type an IP address prefix.
configured.
Address Range (Low) Specifies the lowest address in the IP address Type an IP address that is part of the subnet
(required) pool range. specified in DHCP Subnet.
Address Range (High) Specifies the highest address in the IP address Type an IP address that is part of the subnet
(required) pool range. specified in DHCP Subnet. This address must
be greater than the address specified in Address
Range (Low).
Exclude Addresses Specifies addresses to exclude from the IP ■ To add an excluded address, type the
address pool. address next to the Add button, and click
Add.
■ To delete an excluded address, select the
address in the Exclude Addresses box, and
click Delete.
Lease Time
Maximum Lease Time Specifies the maximum length of time a client Type a number from 60 through 4,294,967,295
(Seconds) can hold a lease. (Dynamic BOOTP lease (seconds). You can also type infinite to specify
lengths can exceed this maximum time.) a lease that never expires.
Default Lease Time Specifies the length of time a client can hold a Type a number from 60 through 2,147,483,647
(Seconds) lease for clients that do not request a specific (seconds). You can also type infinite to specify
lease length. a lease that never expires.
Server Information
Server Identifier Specifies the IP address of the DHCP server Type the IP address of the server. If you do not
reported to a client. specify a server identifier, the primary address
of the interface on which the DHCP exchange
occurs is used.
Domain Name Specifies the domain name that clients must Type the name of the domain.
use to resolve hostnames.
Domain Search Specifies the order—from top to bottom—in ■ To add a domain name, type the name
which clients must append domain names next to the Add button, and click Add.
when resolving hostnames using DNS. ■ To delete a domain name, select the name
in the Domain Search box, and click
Delete.
Configuring DHCP Services (J-Web Procedure) ■ 481

Table 68: DHCP Server Configuration Pages Summary (continued)
DNS Name Servers Defines a list of DNS servers the client can use, ■ To add a DNS server, type an IP address
in the specified order—from top to bottom. next to the Add button, and click Add.
■ To remove a DNS server, select the IP
address in the DNS Name Servers box,
and click Delete.
Gateway Routers Defines a list of relay agents on the subnet, in ■ To add a relay agent, type an IP address
the specified order—from top to bottom. next to the Add button, and click Add.
■ To remove a relay agent, select the IP
address in the Gateway Routers box, and
click Delete.
WINS Servers Defines a list of NetBIOS name servers, in the ■ To add a NetBIOS name server, type an
specified order—from top to bottom. IP address next to the Add button, and
click Add.
■ To remove a NetBIOS name server, select
the IP address in the WINS Servers box,
and click Delete.
Boot Options
Boot File Specifies the path and filename of the initial Type a path and filename.
boot file to be used by the client.
Boot Server Specifies the TFTP server that provides the Type the IP address or hostname of the TFTP
initial boot file to the client. server.
DHCP Static Binding Information

DHCP MAC Address Specifies the MAC address of the client to be Type the hexadecimal MAC address of the
(required) permanently assigned a static IP address. client.
Fixed IP Addresses Defines a list of IP addresses permanently ■ To add an IP address, type it next to the
(required) assigned to the client. A static binding must Add button, and click Add.
have at least one fixed address assigned to it, ■ To remove an IP address, select it in the
but multiple addresses are also allowed. Fixed IP Addresses box, and click Delete.
Host Name Specifies the name of the client used in DHCP Type a client hostname.
messages exchanged between the server and
the client. The name must be unique to the
client within the subnet on which the client
resides.
Client Identifier Specifies the name of the client used by the Type a client identifier in string form.
DHCP server to index its database of address
bindings. The name must be unique to the
client within the subnet on which the client
resides.
Hexadecimal Client Specifies the name of the client, in hexadecimal Type a client identifier in hexadecimal form.
Identifier form, used by the DHCP server to index its
database of address bindings. The name must
be unique to the client within the subnet on
which the client resides.
482 ■ Configuring DHCP Services (J-Web Procedure)

Related Topics
■ DHCP Services for EX-series Switches Overview
■ Monitoring DHCP Services
Configuring an OSPF Network (J-Web Procedure)

J-Web Configuration allows you to create single-area OSPF networks.
To configure a single-area OSPF network:

1. In the J-Web user interface, select Configure> Routing>OSPF Routing.
2. Enter information into the Configuration Routing page for OSPF, as described
in Table 69 on page 483.
Table 69: OSPF Routing Configuration Summary
Router Identification
Router Uniquely identifies the Type the switch's 32-bit IP address, in dotted decimal notation.
Identifier device.
(required)
OSPF
Enable OSPF Enables or disables OSPF. ■ To enable OSPF, select the check box.
■ To disable OSPF, clear the check box.
OSPF Area ID Uniquely identifies the Type a 32-bit numeric identifier for the area, or type an integer.
area within its AS.
If you enter an integer, the value is converted to a 32-bit equivalent. For example,
if you enter 3, the value assigned to the area is 0.0.0.3.
Area Type Designates the type of Select the type of OSPF area you are creating from the list :
OSPF area.
■ regular—A regular OSPF area, including the backbone area
■ stub—A stub area
■ nssa—A not-so-stubby area (NSSA)

Table 69: OSPF Routing Configuration Summary (continued)
OSPF-Enabled Designates one or more The first time you configure OSPF, the Logical Interfaces box displays a list of
Interfaces interfaces on which OSPF all the logical interfaces configured on the switch. Do any of:
is enabled.
■ To enable OSPF on an interface, click the interface name to highlight it,
and click the left arrow to add the interface to the OSPF interfaces list.
■ To enable OSPF on multiple interfaces at once, press Ctrl while you click
multiple interface names to highlight them. Then click the left arrow to add
the interfaces to the OSPF interfaces list.
■ To enable OSPF on all logical interfaces except the special me0 management
interface, select All Interfaces in the Logical Interfaces list and click the
left arrow.
■ To enable OSPF on all the interfaces displayed in the Logical Interfaces list,
click All to highlight every interface. Then click the left arrow to add the
interfaces to the OSPF interfaces list.
■ To disable OSPF on one or more interfaces, highlight the interface or
interfaces in the OSPF interfaces box and click the right arrow to move
them back to the Logical Interfaces list.
Related Topics
■ Monitoring OSPF Routing Information
Configuring a RIP Network (J-Web Procedure)

J-Web allows you to create RIP networks.
To configure a RIP network:

1. In the J-Web user interface, select Configure> Routing > RIP Routing.
2. Enter information into the Configuration page for RIP, as described in
Table 70: RIP Routing Configuration Summary
RIP
Enable RIP Enables or disables RIP. ■ To enable RIP, select the check box.
■ To disable RIP, clear the check box.
Advertise Default Route Advertises the default route using RIPv2. ■ To advertise the default route using
RIPv2, select the check box.
■ To disable the default route
advertisement, clear the check box.

Table 70: RIP Routing Configuration Summary (continued)
RIP-Enabled Interfaces Designates one or more interfaces on which The first time you configure RIP, the Logical
RIP is enabled. Interfaces box displays a list of all the logical
interfaces configured on the switch. Do any of
the following:
■ To enable RIP on an interface, click the
interface name to highlight it, and click
the left arrow to add the interface to the
RIP interfaces list.
■ To enable RIP on multiple interfaces at
once, press Ctrl while you click multiple
interface names to highlight them. Then
click the left arrow to add the interfaces
to the RIP interfaces list.
■ To disable RIP on one or more interfaces,
highlight the interface or interfaces in the
RIP interfaces box and click the right
arrow to move them back to the Logical
Interfaces list.
Related Topics
■ Monitoring RIP Routing Information
Configuring SNMP (J-Web Procedure)

You can use the J-Web interface to define system identification information, create
SNMP communities, create SNMP trap groups, and configure health monitor options.
To configure SNMP features:

1. Select Configure>Services>SNMP.
2. Enter information into the Configuration page for SNMP, as described in
3. To apply the configuration click Apply.
Table 71: SNMP Configuration Page
Identification
Contact Free-form text string that specifies an administrative Type contact information for the administrator
Information contact for the system. of the system (such as name and phone number).
System Free-form text string that specifies a description for the Type information that describes the system
Description system.

Table 71: SNMP Configuration Page (continued)
Local Engine ID Provides an administratively unique identifier of an Type the MAC address of Ethernet management
SNMPv3 engine for system identification. port 0.
The local engine ID contains a prefix and a suffix. The

prefix is formatted according to specifications defined
in RFC 3411. The suffix is defined by the local engine
ID. Generally, the local engine ID suffix is the MAC
address of Ethernet management port 0.
System Location Free-form text string that specifies the location of the Type location information for the system (lab
system. name or rack name, for example).
System Override Free-form text string that overrides the system Type the hostname of the system.
Name hostname.
Communities
To add a community, click Add
Community Specifies the name of the SNMP community. . Type the name of the community being added.
Name
Authorization Specifies the type of authorization (either read-only or Select the desired authorization (either read-only
read-write) for the SNMP community being configured. or read-write) from the list.
Traps
To add a trap group, click Add.
Trap Group Specifies the name of the SNMP trap group being Type the name of the group being added.
Name configured.
Categories Specifies which trap categories are added to the trap ■ To generate traps for authentication failures,
group being configured. select Authentication.
■ To generate traps for chassis and
environment notifications, select Chassis.
■ To generate traps for configuration changes,
select Configuration.
■ To generate traps for link-related
notifications (up-down transitions), select
Link.
■ To generate traps for remote operation
notifications, select Remote operations.
■ To generate traps for remote network
monitoring (RMON), select RMON alarm.
■ To generate traps for routing protocol
notifications, select Routing.
■ To generate traps on system warm and cold
starts, select Startup.
■ To generate traps on Virtual Router
Redundancy Protocol (VRRP) events (such
as new-master or authentication failures),
select VRRP events.
486 ■ Configuring SNMP (J-Web Procedure)

Table 71: SNMP Configuration Page (continued)
Targets Specifies one or more hostnames or IP addresses for 1. Enter the hostname or IP address, in dotted
the systems to receive SNMP traps generated by the decimal notation, of the target system to
trap group being configured. receive the SNMP traps.
2. Click Add.
Health Monitoring
Enable Health Enables the SNMP health monitor on the switch. The Select the check box to enable the health monitor
Monitoring health monitor periodically (over the time you specify and configure options. Clear the check box to
in the interval field) checks the following key indicators disable the health monitor.
of switch health:
NOTE: If you select the Enable Health Monitoring
■ Percentage of file storage used check box and do not specify options, then SNMP
■ Percentage of Routing Engine CPU used health monitoring is enabled with default values.
■ Percentage of Routing Engine memory used
■ Percentage of memory used for each system
process
■ Percentage of CPU used by the forwarding process
■ Percentage of memory used for temporary storage
by the forwarding process
Interval Specifies the sampling frequency, in seconds, over Enter an interval time, in seconds, from 1 through
which the key health indicators are sampled and 2147483647.
compared with the rising and falling thresholds.
The default value is 300 seconds (5 minutes).
For example, if you configure the interval as 100
seconds, the values are checked every 100 seconds.
Rising Threshold Specifies the value at which SNMP generates an event Enter a value from 0 through 100. The default
(trap and system log message) when the value of a value is 90.
sampled indicator is increasing.
For example, if the rising threshold is 90 (the default),

SNMP generates an event when the value of any key
indicator reaches or exceeds 90 percent.
Falling Specifies the value at which SNMP generates an event Enter a value from 0 through 100. The default
Threshold (trap and system log message) when the value of a value is 80.
sampled indicator is decreasing.
NOTE: The falling threshold value must be less
For example, if the falling threshold is 80 (the default), than the rising threshold value.
SNMP generates an event when the value of any key
indicator falls back to 80 percent or less.
Related Topics
■ Monitoring System Process Information
■ Monitoring System Properties

Configuring Static Routing (CLI Procedure)

Static routes are routes that are manually configured and entered into the routing
table instead of dynamic routes that are learned and added to the routing table using
a protocol such as Open Shortest Path First (OSPF) or Routing Information Protocol
(RIP).
The switch uses static routes when it does not have a route to a destination that has
a better (lower) preference value, when it cannot determine the route to a destination,
or when it is forwarding unroutable packets.
To configure basic static route options using the CLI:

1. From the [edit] hierarchy level, enter:
user@switch# set routing—options static
2. To configure the switch's default gateway:
user@switch# set routing-options static route a.b.c.d next-hop k.l.m.n

retain n-advertise
3. To configure a static route and specify the next address to be used when routing
traffic to the static route:
user@switch# set route 109.109.109.0/24 next-hop 99.99.99.3
4. To always keep the static route in the forwarding table:
user@switch# set route 109.109.109.0/24 retain:
5. To prevent the static route from being readvertised:
user@switch# set route 109.109.109.0/24 no-readvertise
6. To remove inactive routes from forwarding table:
user@switch# set route 109.109.109.0/24 active
Related Topics
■ Configuring Static Routes (J-Web Procedure)
■ Monitoring Routing Information
Configuring Static Routes (J-Web Procedure)

J-Web configuration allows you to configure static routes.
To configure static routes:
488 ■ Configuring Static Routing (CLI Procedure)

1. In the J-Web user interface, select Configure>Routing.

2. Enter information into the routing page, as described in Table 72 on page 489.
Table 72: Static Routing Configuration Summary
Default Route
Default Route Specifies the default gateway for the Type the 32-bit IP address of the switch's
switch. default route in dotted decimal notation.
Static Routes
Static Route Address (required) Specifies the static route to add to the 1. On the main static routing
routing table. Configuration page, click Add.
2. In the Static Route Address box,
type the 32-bit IP address of the
static route in dotted decimal
notation.
Next-Hop Addresses Specifies the next-hop address or 1. In the Add box, type the 32-bit IP
addresses to be used when routing address of the next-hop host.
traffic to the static route.
2. Click Add.
3. Add more next-hop addresses as
necessary.
NOTE: If a route has multiple next-hop

addresses, traffic is routed across each
address in round-robin fashion.
4. When you have finished adding

next-hop addresses, click OK.
Related Topics
■ Configuring Static Routing (CLI Procedure)
■ Monitoring Routing Information


Chapter 34
Verifying Layer 3 Protocols
■ Monitoring BGP Routing Information on page 491

■ Monitoring DHCP Services on page 493
■ Monitoring OSPF Routing Information on page 494
■ Monitoring RIP Routing Information on page 497
■ Monitoring Routing Information on page 498
Monitoring BGP Routing Information

Purpose Use the monitoring functionality to monitor BGP routing information.
Action To view BGP routing information in the J-Web interface, select

Monitor>Routing>BGP Information.
To view BGP routing information in the CLI, enter the following commands:
■ show bgp summary
■ show bgp neighbor
What It Means Table 73 on page 491 summarizes key output fields in the BGP routing display.
Table 73: Summary of Key BGP Routing Output Fields
BGP Summary
Total Number of BGP groups.
Groups
Total Peers Number of BGP peers.
Down Number of unavailable BGP peers.

Peers
Peer Address of each BGP peer.
InPkt Number of packets received from the peer.
OutPkt Number of packets sent to the peer.
Monitoring BGP Routing Information ■ 491

Table 73: Summary of Key BGP Routing Output Fields (continued)
Flaps Number of times a BGP session has changed state from A high number of flaps might indicate a problem with
Down to Up. the interface on which the BGP session is enabled.
Last Last time that a session became available or If the BGP session is unavailable, this time might be
Up/Down unavailable, since the neighbor transitioned to or from useful in determining when the problem occurred.
the established state.
State A multipurpose field that displays information about

BGP peer sessions. The contents of this field depend
upon whether a session is established.
■ If a peer is not established, the field shows the
state of the peer session: Active, Connect, or Idle.
■ If a BGP session is established, the field shows the
number of active, received, and damped routes
that are received from a neighbor. For example,
2/4/0 indicates two active routes, four received
routes, and no damped routes.
BGP Neighbors
Peer Address of the BGP neighbor.
Address
Autonomous AS number of the peer.

System
Type Type of peer: Internal or External.
State Current state of the BGP session: Generally, the most common states are Active, which
indicates a problem establishing the BGP conenction,
■ Active—BGP is initiating a TCP connection in an
and Established, which indicates a successful session
attempt to connect to a peer. If the connection is
setup. The other states are transition states, and BGP
successful, BGP sends an open message.
sessions normally do not stay in those states for
■ Connect—BGP is waiting for the TCP connection extended periods of time.
to become complete.
■ Established—The BGP session has been
established, and the peers are exchanging BGP
update messages.
■ Idle—This is the first stage of a connection. BGP
is waiting for a Start event.
■ OpenConfirm—BGP has acknowledged receipt of
an open message from the peer and is waiting to
receive a keepalive or notification message.
■ OpenSent—BGP has sent an open message and is
waiting to receive an open message from the peer.
Export Names of any export policies configured on the peer.
Import Names of any import policies configured on the peer.
Number of Number of times the BGP sessions has changed state A high number of flaps might indicate a problem with
flaps from Down to Up. the interface on which the session is established.
492 ■ Monitoring BGP Routing Information

Chapter 34: Verifying Layer 3 Protocols
Related Topics
■ Configuring BGP Sessions (J-Web Procedure)
■ Layer 3 Protocols Supported on EX-series Switches
Monitoring DHCP Services

Purpose A switch can operate as a DHCP server. When it is a DHCP server, use the monitoring
functionality to view information about dynamic and static DHCP leases, conflicts,
pools, and statistics.
Action To monitor the DHCP server in the J-Web interface, select Monitor>Services >DHCP.
To monitor the DHCP server in the CLI, enter the following CLI commands:
■ show system services dhcp binding
■ show system services dhcp conflict
■ show system services dhcp pool
■ show system services dhcp statistics
What It Means Table 74 on page 493 summarizes the output fields in DHCP displays.
Table 74: Summary of DHCP Output Fields
DHCP Leases
Allocated List of IP addresses the DHCP server has assigned to
Address clients.
MAC Corresponding media access control (MAC) address

Address of the client.
Binding Type of binding assigned to the client: dynamic or DHCP servers can assign a dynamic binding from a pool
Type static. of IP addresses or a static binding to one or more
specific IP addresses.
Lease Date and time the lease expires, or never for leases
Expires that do not expire.
DHCP Conflicts
Detection Date and time the client detected the conflict.
Time
Detection How the conflict was detected. Only client-detected conflicts are displayed.
Method
Address IP address where the conflict occurs. The addresses in the conflicts list remain excluded until
you use the clear system services dhcp conflict command
to manually clear the list.

Table 74: Summary of DHCP Output Fields (continued)
DHCP Pools
Pool Name Subnet on which the IP address pool is defined.
Low Lowest address in the IP address pool.

Address
High Highest address in the IP address pool.

Address
Excluded Addresses excluded from the address pool.

Addresses
DHCP Statistics
Default Lease time assigned to clients that do not request a
lease time specific lease time.
Minimum Minimum time a client can retain an IP address lease

lease time on the server.
Maximum Maximum time a client can retain an IP address lease

lease time on the server.
Packets Total number of packets dropped and the number of

dropped packets dropped due to a particular condition.
Messages Number of BOOTREQUEST, DHCPDECLINE,

received DHCPDISCOVER, DHCPINFORM, DHCPRELEASE,
and DHCPREQUEST messages sent from DHCP clients
and received by the DHCP server.
Messages Number of BOOTREPLY, DHCPACK, DHCPOFFER,

sent and DHCPNAK messages sent from the DHCP server
to DHCP clients.
Related Topics
■ DHCP Services for EX-series Switches Overview
■ Configuring DHCP Services (J-Web Procedure)
Monitoring OSPF Routing Information

Purpose Use the monitoring functionality to monitor OSPF routing information.
Action To view OSPF routing information in the J-Web interface, select

Monitor>Routing>OSPF Information.
To view OSPF routing information in the CLI, enter the following CLI commands:

■ show ospf neighbor

■ show ospf interface
■ show ospf statistics
What It Means Table 75 on page 495 summarizes key output fields in the OSPF routing display.
Table 75: Summary of Key OSPF Routing Output Fields
OSPF Neighbors
Address Address of the neighbor.
Interface Interface through which the neighbor is reachable.

Name
State State of the neighbor: Attempt, Down, Exchange, ExStart, Generally, only the Down state, indicating a failed OSPF
Full, Init, Loading, or 2way. adjacency, and the Full state, indicating a functional
adjacency, are maintained for more than a few
seconds. The other states are transitional states that a
neighbor is in only briefly while an OSPF adjacency is
being established.
ID ID of the neighbor.
Priority Priority of the neighbor to become the designated

switch.
OSPF Interfaces
Interface Name of the interface running OSPF.
State State of the interface: BDR, Down, DR, DRother, Loop, The Down state, indicating that the interface is not
PtToPt, or Waiting. functioning, and PtToPt state, indicating that a
point-to-point connection has been established, are the
most common states.
Area Number of the area that the interface is in.
DR ID Address of the area's designated device.
BDR ID Address of the area's backup designated device.
Neighbors Number of neighbors on this interface.
Adjacency Number of devices in the area using the same area

Count identifier.
Stub Type The areas into which OSPF does not flood AS external
advertisements
Passive In this mode the interface is present on the network

Mode but does not transmit or receive packets.
Authentication The authentication scheme for the backbone or area.

Type
Monitoring OSPF Routing Information ■ 495

Table 75: Summary of Key OSPF Routing Output Fields (continued)
Interface The IP address of the interface.

Address
Address The subnet mask or address prefix.

Mask
MTU The maximum transmission unit size.
Interface The path cost used to calculate the root path cost from
Cost any given LAN segment is determined by the total cost
of each link in the path.
Hello Displays how often the switch sends hello packets out
Interval of the interface.
Dead The interval during which the switch receives no hello

Interval packets from the neighbor.
Retransmit The interval for which the switch waits to receive a

Interval link-state acknowledgment packet before retransmitting
link-state advertisements to an interface’s neighbors.
OSPF Statistics
Packet Type of OSPF packet.
Type
Packets Total number of packets sent.

Sent
Packets Total number of packets received.

Received
Depth of Number of entries in the extended queue.

flood
Queue
Total Number of retransmission entries enqueued.

Retransmits
Total Total number of database description packets.

Database
Summaries
Related Topics
■ Configuring an OSPF Network (J-Web Procedure)

Monitoring RIP Routing Information

Purpose Use the monitoring functionality to monitor RIP routing.
Action To view RIP routing information in the J-Web interface, select Monitor>Routing>RIP
Routing.
To view RIP routing information in the CLI, enter the following CLI commands:
■ show rip statistics
■ show rip neighbor
What It Means Table 76 on page 497 summarizes key output fields in the RIP routing display.
Table 76: Summary of Key RIP Routing Output Fields
RIP Statistics
RIP The RIP protocol name.
Protocol
Name
RIP Port The port on which RIP is enabled.
Hold Down The interval during which routes are neither advertised
nor updated.
Routes Number of RIP routes learned on the logical interface.

Learned
Routes Number of RIP routes that are not advertised or

Held Down updated during hold-down.
Requests Number of requests dropped.

Dropped
Responses Number of responses dropped.

Dropped
RIP Neighbors
Neighbor Name of the RIP neighbor. This value is the name of the interface on which RIP
is enabled. Click the name to see the details for this
neighbor.
State State of the RIP connection: Up or Dn (Down).
Source Local source address. This value is the configured address of the interface on
Address which RIP is enabled.
Destination Destination address. This value is the configured address of the immediate
Address RIP adjacency.
Send Mode The mode of sending RIP messages.
Monitoring RIP Routing Information ■ 497

Table 76: Summary of Key RIP Routing Output Fields (continued)
Receive The mode in which messages are received.

Mode
In Metric Value of the incoming metric configured for the RIP

neighbor.
Related Topics
■ Configuring a RIP Network (J-Web Procedure)
Monitoring Routing Information

Purpose Use the monitoring functionality to view inet.0 routing table.
Action To view the routing tables in the J-Web interface, select Monitor>Routing>Static
Routing
To view the routings table in the CLI, enter the following commands in the CLI
interface:
■ show route terse
■ show route detail
What It Means Table 77 on page 498 summarizes key output fields in the routing information display.
Table 77: Summary of Key Routing Information Output Fields
n Number of destinations for which there are routes in

destinations the routing table.
n routes Number of routes in the routing table:

■ active—Number of routes that are active.
■ hold down—Number of routes that are in
hold-down state (neither advertised nor updated)
before being declared inactive.
■ hidden—Number of routes not used because of
routing policies configured on the switching
platform.
Destination Destination address of the route.

Table 77: Summary of Key Routing Information Output Fields (continued)
Protocol/ Protocol from which the route was learned: Static, The route preference is used as one of the route
Preference Direct, Local, or the name of a particular protocol. selection criteria.
The preference is the individual preference value for

the route.
Next-Hop Network layer address of the directly reachable If a next hop is listed as Discard, all traffic with that
neighboring system (if applicable) and the interface destination address is discarded rather than routed.
used to reach it. This value generally means that the route is a static
route for which the discard attribute has been set.
If a next hop is listed as Reject, all traffic with that

destination address is rejected. This value generally
means that the address is unreachable. For example,
if the address is a configured interface address and the
interface is unavailable, traffic bound for that address
is rejected.
If a next hop is listed as Local, the destination is an

address on the host (either the loopback address or
Ethernet management port 0 address, for example).
Age How long the route has been known.
State Flags for this route. There are many possible flags.
AS Path AS path through which the route was learned. The

letters of the AS path indicate the path origin:
■ I — IGP.
■ E — EGP.
■ ? — Incomplete. Typically, the AS path was
aggregated.
Related Topics
■ Configuring Static Routes (J-Web Procedure)
■ Configuring Static Routing (CLI Procedure)


Part 10
Redundant Trunk Groups
■ Understanding Redundant Trunk Groups on page 503
■ Examples of Configuring Redundant Trunk Groups on page 507
■ Configuration Statements for Redundant Trunk Groups on page 513
■ Operational Mode Commands for Redundant Trunk Groups on page 517
Redundant Trunk Groups ■ 501

502 ■ Redundant Trunk Groups

Chapter 35
Understanding Redundant Trunk Groups
■ Understanding Redundant Trunk Links on EX-series Switches on page 503
Understanding Redundant Trunk Links on EX-series Switches

In a typical enterprise network comprised of distribution and access layers, a
redundant trunk link provides a simple solution for network recovery when a trunk
port goes down. Traffic is routed to another trunk port, keeping network convergence
time to a minimum. You can configure a maximum of 16 redundant trunk groups
on a standalone switch or on a virtual chassis.
To configure a redundant trunk link, create a redundant trunk group. The redundant
trunk group is configured on the access switch, and contains two links: a primary or
active link, and a secondary link. If the active link fails, the secondary link
automatically starts forwarding data traffic without waiting for normal STP
convergence.
Data traffic is forwarded only on the active link. Data Traffic on the secondary link
is dropped and shown as dropped packets when you issue the operational mode
command show interfaces interface-name extensive.
While data traffic is blocked on the secondary link, Layer 2 control traffic is still
permitted. For example, an LLDP session can be run between two EX-series switches
on the secondary link.
STP is enabled by default on EX-series switches to create a loop-free topology. When

trunk links are placed in a redundant group, they cannot be part of an STP topology.
The JUNOS software for EX-series switches does not allow an interface to be in a
redundant trunk group and in an STP topology at the same time. However, STP can
continue operating in other parts of the network. For example, STP may continue
operating between the distribution switches and linking them to the enterprise core.
Figure 19 on page 504 shows three switches in a basic topology for redundant trunk
links. Switch 1 and Switch 2 make up the distribution layer, and Switch 3 makes up
the access layer. Switch 3 is connected to the distribution layer through trunk ports
ge-0/0/9.0 (Link 1) and ge-0/0/10.0 (Link 2). Link 1 and Link 2 are in a redundant
trunk group called group1. Link 1 is designated as the primary link. Traffic flows
between Switch 3 in the access layer and Switch 1 in the distribution layer through
Link 1. While Link 1 is active, Link 2 blocks traffic.
Understanding Redundant Trunk Links on EX-series Switches ■ 503

Figure 19: Redundant Trunk Group, Link 1 Active
ERROR: Unresolved graphic fileref="" not found in

"\\teamsite1\default\main\TechPubsWorkInProgress\STAGING\images\".
Figure 20 on page 505 illustrates how the redundant trunk link topology works when
the primary link goes down.
504 ■ Understanding Redundant Trunk Links on EX-series Switches

Chapter 35: Understanding Redundant Trunk Groups
Figure 20: Redundant Trunk Group, Link 2 Active
Link 1 is down between Switch 3 and Switch 1. Link 2 takes over as the active link.
Traffic between the access layer and the distribution layer is automatically switched
to Link 2 between Switch 1 and Switch 2.
Related Topics
■ redundant-trunk-group


Chapter 36
Examples of Configuring Redundant Trunk
Groups
■ Example: Configuring Redundant Trunk Links for Faster Recovery on page 507
Example: Configuring Redundant Trunk Links for Faster Recovery

Simplify the convergence configuration in a typical enterprise network by configuring
a primary link and a secondary link on trunk ports. If the primary link fails, the
secondary link automatically takes over without waiting for normal STP convergence.
This example describes how to create a redundant trunk group:

Requirements
■ Two EX-series 4200 distribution switches.
■ One EX-series 3200 access switch.
Before you configure the redundant trunk links network on the access and distribution
switches, be sure you have:
■ Installed the access switch. See Installing and Connecting an EX-series Switch.
■ Installed the two distribution switches. See Installing and Connecting an EX-series
Switch.
Example: Configuring Redundant Trunk Links for Faster Recovery ■ 507


a redundant trunk group.
Configuring redundant trunk links places the primary link and the secondary link in
a redundant group. However, a primary link need not be configured. If a primary
link is not specified, the software compares the two links and selects the link with
the highest port number as the active link. For example, if the two interfaces are
ge-0/1/0 and ge-0/1/1, the software assigns ge-0/1/1 as the active link..
Whether a primary link is specified as the active link, or whether it is calculated by

the software, traffic is handled in the same manner. Traffic passes through the active
link but is blocked on the secondary link. If the active link goes down or is disabled
administratively, the secondary link becomes active and begins forwarding traffic.
However, there is a difference between the behavior of a primary, active link and
an active link that is calculated to be active by the software. If an active link goes
down, the secondary link begins forwarding traffic. If the old, active link comes up
again, the following occurs:
■ If the old, active link was configured as the primary link, then it resumes the role
of active link and the other link is blocked. An interface configured as primary
continues to carry with it the primary role whenever it becomes active.
■ If no primary link was configured, and the active link was calculated by the
software when the redundant group was formed, then the old, active link will
not preempt the other interface (new active).
Configuring redundant trunk links places the primary link and the secondary link in
a redundant group. However, a primary link need not be configured. If a primary
link is not specified, the software calculates and assigns the lexically higher interface
from the redundant group as the active link.
Whether a primary link is the active link, or whether it is calculated by the software,
traffic is handled in the same manner. Traffic passes through the active link, but is
blocked on the secondary link. If the active link goes down, or is disabled
administratively, the secondary link becomes active and begins forwarding traffic.
However, there is a difference between the behavior of a primary, active link and
the behavior of an active link that is calculated to be active by the software. If an
active link goes down, the secondary link begins forwarding traffic. If the old, active
link comes up again, the following occurs:
■ If the old, active link was configured as the primary link, then it resumes the role
of active link and the other link is blocked. An interface configured as primary
continues to carry with it the primary role whenever it becomes active.
■ If no primary link was configured, and the active link was calculated by the
software when the redundant group was formed, then the old, active link will
not preempt the other interface (new active).

Chapter 36: Examples of Configuring Redundant Trunk Groups
NOTE: The JUNOS software for EX-series switches does not allow an interface to be
in a redundant trunk group and in an STP topology at the same time.
Figure 21 on page 509 displays an example topology containing three switches.

Switch 1 and Switch 2 make up the distribution layer, and Switch 3 makes up the
access layer. Switch 3 is connected to the distribution layer through trunk ports
ge-0/0/9.0 (Link 1) and ge-0/0/10.0 (Link 2).
Table 78 on page 509 lists the components used in this redundant trunk group.
Figure 21: Topology for Configuring the Redundant Trunk Links
ERROR: Unresolved graphic fileref="" not found in

"\\teamsite1\default\main\TechPubsWorkInProgress\STAGING\images\".
Table 78: Components of the Redundant Trunk Link Topology
Property Settings
Switch hardware ■ Switch 1–1 EX-series 4200 distribution switch
■ Switch 2–1 EX-series 4200 distribution switch
Trunk port interfaces On Switch 3 (access switch): ge-0/0/9.0 and ge-0/0/10.0
Redundant trunk group group1

This configuration example creates a redundant trunk group called group1 on Switch 3.
The trunk ports ge-0/0/9.0 and ge-0/0/10.0 are the two links in group1. The trunk
port ge-0/0/9.0 will be configured administratively as the primary link. The trunk
port ge-0/0/10.0 will be the secondary link.
Configuration
CLI Quick Configuration To quickly configure the redundant trunk group group1 on Switch 3, copy the following
[edit]
set ethernet—switching—options redundant-trunk-group group-name group1
set ethernet-switching-options redundant-trunk-group group-name group1 interface
ge-0/0/9.0 primary
set ethernet-switching-options redundant-trunk-group group-name group1 interface
ge-0/0/10.0
Step-by-Step Procedure Configure the redundant trunk group group1 on Switch 3 and specify the primary
and secondary links.
1. Configure the redundant trunk group group1:
[edit ethernet-switching-options]
user@switch# set redundant-trunk-group group-name group1
2. Configure the trunk port ge-0/0/9.0 as the primary link and ge-0/0/10 as the
secondary link:
user@switch# set redundant—trunk—group group-name group1 interface
ge-0/0/9.0 primary
user@switch# set redundant—trunk—group group-name group1 interface
ge-0/0/10.0
user@switch# show
group-name group1 {
interface ge-0/0/9.0 primary;
interface ge-0/0/10.0;
}
}
}
Chapter 36: Examples of Configuring Redundant Trunk Groups
Verification
Verify that the redundant trunk group group1 has been created and is operating
properly:
■ Verifying That the Redundant Group Has Been Created on page 511
Verifying That the Redundant Group Has Been Created

Purpose Verify that the redundant trunk group group1 has been created on the switch and
that trunk ports are members of the redundant trunk group.
Action List all redundant trunk groups configured on the switch:
user@switch> show redundant-trunk-group group1

Redundant-trunk-group: group1
Interfaces : ge-0/0/9.0 (P) , DOWN
: ge-0/0/10.0 (A) , UP
Bandwidth : 1000 Mbps, 1000 Mbps
Last Time of Flap : 1970-01-01 00:19:12 UTC (00:00:06 ago), Never
#Flaps : 1, 0
What It Means The show redundant-trunk-group command lists all redundant trunk groups configured
on the switch and which trunk links are members of the group. For this configuration
example, the output shows that the redundant trunk group group1 is configured on
the switch. The (P) beside trunk port ge-0/0/9.0 indicates that it is configured as the
primary link. The (A) beside the ge-0/0/10.0 trunk port indicates that it is the active
link.
Related Topics

Chapter 37
Configuration Statements for Redundant
Trunk Groups
analyzer {
name {
ratio number;
input {
ingress {
}
egress {
}
output {
}
}
}
group-name name {
}
}
allowed-mac {
mac-address-list;
}
mac-limit action;
}
[edit ethernet-switching-options] Configuration Statement Hierarchy ■ 513

}
}
}
Related Topics
group-name
Syntax group-name name {

}
Hierarchy Level [edit ethernet-switching-options redundant-trunk-group]
Description Create a redundant trunk group.
Options name—The name of the redundant trunk group. The group name must start with a
letter and can consist of letters, numbers, dashes, and underscores.
The remaining options are explained separately.

Related Topics

Chapter 37: Configuration Statements for Redundant Trunk Groups
interface
Syntax interface interface-name <primary>;

Hierarchy Level [edit ethernet-switching-options redundant-trunk-group group-name name]
the secondary link automatically takes over as the primary link without waiting for
normal STP convergence.
Options interface interface-name—A logical interface or an aggregated interface containing

multiple ports.
primary—(Optional) Specify one of the interfaces in the redundant group as the

primary link. The interface without this option is the secondary link in the
redundant group. If a link is not specified as primary, the software compares the
two links and selects the link with the highest port number as the active link.
For example, if the two interfaces are ge-0/1/0 and ge-0/1/1, the software
assigns ge-0/1/1 as the active link.

Related Topics
interface ■ 515
redundant-trunk-group
Syntax redundant-trunk-group {
group-name name {
}
}
the secondary link automatically takes over without waiting for normal STP
convergence.
Options The options are explained separately.

Related Topics
516 ■ redundant-trunk-group
Chapter 38
Operational Mode Commands for
Redundant Trunk Groups
■ 517
show redundant-trunk-group
Syntax show redundant-trunk-group <group-name group-name>
Description Display information about redundant trunk groups.
Options group-name group-name—Display information about the specified redundant truck

group.
Related Topics
List of Sample Output show redundant-trunk-group group-name Group1 on page 518

Output Fields Table 61 on page 518 lists the output fields for the show redundant-trunk-group
Table 79: show redundant-trunk-group Output Fields
Group Name Name of the redundant trunk port group.
Interface Name of an interface belonging to the trunk port group.

■ (P) denotes a primary interface.
■ (A) denotes an active interface.
■ Lack of (A) denotes a blocking interface.
State Operating state of the interface: UP or DOWN.
Last Time of Flap Date and time at which the advertised link became unavailable, and then, available again.
# Flaps Total number of flaps since the last switch reboot.
show user@switch> show redundant—trunk-group group-name Group1

redundant-trunk-group show redundant-trunk-group group-name Group1
group-name Group1
Group Name Interface State Last Time of Flap # Flaps
Group1 ge-0/0/45.0 (P) UP Fri Jan 2 04:10:58 0
ge-0/0/47.0 UP Fri Jan 2 04:10:58 0
518 ■ show redundant-trunk-group

Part 11
802.1X, Port Security, and VoIP
■ Understanding 802.1X, Port Security, and VoIP on page 521
■ Examples of Configuring 802.1X, Port Security, and VoIP on page 549
■ Configuring 802.1X, Port Security, and VoIP on page 613
■ Verifying 802.1X, Port Security, and VoIP on page 647
■ Configuration Statements for 802.1X, Port Security, and VoIP on page 659
■ Operational Mode Commands for 802.1X, Port Security, and VoIP on page 717
802.1X, Port Security, and VoIP ■ 519

520 ■ 802.1X, Port Security, and VoIP

Chapter 39
Understanding 802.1X, Port Security, and
VoIP
■ 802.1X for EX-series Switches Overview on page 521

■ Understanding 802.1X Authentication on EX-series Switches on page 523
■ Understanding Guest VLANs for 802.1X on EX-series Switches on page 527
■ Understanding 802.1X and LLDP and LLDP-MED on EX-series
■ Understanding 802.1X and VoIP on EX-series Switches on page 530
■ Understanding 802.1X and VSAs on EX-series Switches on page 533
■ Understanding Dynamic VLANs for 802.1X on EX-series Switches on page 535
for EX-series Switches Overview on page 536
■ Understanding How to Protect Access Ports on EX-series Switches from Common
Attacks on page 537
■ Understanding DHCP Snooping for Port Security on EX-series Switches on page 539
■ Understanding DAI for Port Security on EX-series Switches on page 543
■ Understanding MAC Limiting and MAC Move Limiting for Port Security on
EX-series Switches on page 545
■ Understanding Trusted DHCP Servers for Port Security on EX-series
802.1X for EX-series Switches Overview

IEEE 802.1X provides network edge security, protecting Ethernet LANs from Denial
of Service (DoS) attacks and preventing unauthorized user access.
802.1X works by using an Authenticator Port Access Entity (the switch) to block all
traffic to and from a supplicant (client) at the port until the supplicant's credentials
are presented and matched on the Authentication server (a RADIUS server). When
authenticated, the switch stops blocking traffic and opens the port to the supplicant.
The supplicant is authenticated in either single mode, single-secure mode, or multiple

mode:
802.1X for EX-series Switches Overview ■ 521

■ single—Authenticates only the first supplicant. All other supplicants who connect
later to the port are allowed full access without any further authentication. They
effectively “piggyback” on the first supplicant’s authentication.
■ single-secure—Allows only one supplicant to connect to the port. No other
supplicant is allowed to connect until the first supplicant logs out.
■ multiple—Allows multiple supplicants to connect to the port. Each supplicant will
be authenticated individually.
Network access can be further defined using VLANs and Access Control Lists (ACLs).
VLANs and ACLs act as filters to separate and match groups of supplicants to the
areas of the LAN they require.
802.1X does not replace other security technologies. 802.1X works together with
port security features, such as DHCP snooping, Dynamic ARP Inspection (DAI), and
MAC limiting, to guard against DoS attacks and spoofing.
802.1X features on EX-series switches are:

■ Guest VLAN—Provides limited access to a LAN, typically just to the Internet, for
supplicants that fail 802.1X authentication.
■ Dynamic VLAN—Enables a supplicant, after authentication, to be a member of
a VLAN dynamically.
■ MAC-based Authentication—Provides MAC-based authentication as a bypass
mechanism to authenticate non-responsive hosts (such as printers) that are not
802.1X-enabled. MAC-based authentication connects the non-responsive hosts
to 802.1X-enabled ports, bypassing 802.1X authentication.
■ Dynamic changes to a user session—Lets the switch administrator terminate an
already authenticated session. This feature is based on support of the RADIUS
Disconnect Message defined in RFC 3576.
■ Support for VoIP—Supports IP telephones. If the phone is 802–1X enabled, it is
authenticated like any other supplicant. When it is authenticated, the RADIUS
server returns the Voice VLAN ID and other parameters for managing VoIP traffic.
If the phone is not 802.1X-enabled, but has another 802.1X-compatible device
connected to its data port, that device is authenticated, and then VoIP traffic can
flow to and from the phone.
If the IP phone supports Link Layer Discovery Protocol (LLDP) or Link Layer
Discovery Protocol Media Endpoint Discovery (LLDP-MED), the RADIUS server
can send VoIP parameters to the IP telephone through these protocols. The VoIP
parameters ensure that voice traffic gets tagged and prioritized with the correct
values at the source itself. If the phone does not support LLDP or LLDP-MED,
then the packets will be put in the VoIP VLAN configured on the switch.
■ RADIUS Accounting—Sends accounting information to the RADIUS accounting
server. Accounting information is sent to the server whenever a subscriber logs
in or logs out and whenever a subscriber activates or deactivates a subscription.
This feature is based on RFC 2866, RADIUS Accounting.
■ Vendor Specific Attributes (VSAs)—Supports a new set of filtering attributes that
are applied on the RADIUS authentication server. These filtering attributes further
define a supplicant's access during the 802.1X authentication process. Centrally
522 ■ 802.1X for EX-series Switches Overview

Chapter 39: Understanding 802.1X, Port Security, and VoIP
configuring VSAs on the authentication server does away with the need to
configure these same attributes in the form of firewall filters on every switch in
the LAN to which the supplicant may connect to the LAN. This feature is based
on RLI 4583, AAA RADIUS BRAS VSA Support.
Related Topics
■ Understanding 802.1X MAC-Based Authentication on EX-series Switches
■ Understanding 802.1X Authentication on EX-series Switches
■ Understanding 802.1X and VoIP on EX-series Switches
■ Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches
■ Understanding 802.1X and AAA Accounting on EX-series Switches
■ Understanding Guest VLANs for 802.1X on EX-series Switches
■ Understanding 802.1X and VSAs on EX-series Switches
■ Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch
■ Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant
Configurations on an EX-series Switch
■ Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access
to Corporate Visitors on an EX-series Switch
■ Example: Setting Up VoIP with 802.1X, LLDP, and LLDP-MED on an EX-series
Switch
■ Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch
Understanding 802.1X Authentication on EX-series Switches

EX-series switches use 802.1X authentication to implement access control in an
enterprise network. Supplicants (hosts) are authenticated at the initial connection to
your LAN. By authenticating supplicants before they receive an IP address from a
DHCP server, unauthorized supplicants are prevented from gaining access to your
LAN.
The 802.1X standard is based on EAP (Extensible Authentication Protocol), a universal

authentication framework. EAP is not an authentication mechanism by itself. Instead,
EAP provides some common functions and a negotiation method to determine the
authentication mechanism (EAP method) used between the supplicant and the
authentication server. EAP methods include IETF standards and proprietary standards.
EAP methods supported on EX-series switches are:

■ EAP-MD5
■ EAP-TLS
■ EAP-TTLS
■ EAP-PEAP

A LAN network configured for 802.1X authentication contains three basic components:
■ Supplicant—The IEEE term for a host that requests to join the network. The host
can be responsive or nonresponsive. A responsive host is one on which 802.1X
is enabled and provides authentication credentials; specifically, a username and
password for EAP MD5, or a username and client certificates for EAP-TLS,
EAP-TTLS, and EAP-PEAP. A nonresponsive host is one on which 802.1X is not
enabled, but can be authenticated using a MAC-based authentication method.
■ Authenticator Port Access Entity—The IEEE term for the authenticator. The
EX-series switch is the authenticator and. It controls access by blocking all traffic
to and from supplicants until they are authenticated.
■ Authentication server— The authentication server contains the backend database
that makes authentication decisions. It contains credential information for each
supplicant that can connect to the network. The authenticator forwards credentials
supplied by the supplicant to the authentication server. If the credentials
forwarded by the authenticator match the credentials in the authentication server
database, access is granted. If the credentials forwarded do not match, access
is denied. The EX-series switches support RADIUS authentication servers.
Figure 22 on page 525 illustrates the basic deployment topology for 802.1X on an
EX-series switch:
524 ■ Understanding 802.1X Authentication on EX-series Switches

Figure 22: Example 802.1X Topology
Understanding 802.1X Authentication on EX-series Switches ■ 525

The communication protocol between the supplicant and the EX-series switch is
Extensible Authentication Protocol Over LAN (EAPOL). EAPOL is a version of EAP
designed to work with Ethernet networks. The communication protocol between the
authentication server and the switch is RADIUS.
The authentication process requires multiple message exchanges between the

supplicant and the authentication server. The switch that is in between the supplicant
and the authentication server is the authenticator. It acts as an intermediary,
converting EAPOL messages to RADIUS messages and vice versa.
Figure 23 on page 526 illustrates the authentication process:
Figure 23: Authentication Process
The basic authentication process works like this:
526 ■ Understanding 802.1X Authentication on EX-series Switches

1. Authentication is initiated by the client or the switch. The client initiates

authentication by sending an EAPOL-start message, or the switch initiates
authentication when it receives the first data packet from the client.
2. When the switch port (authenticator) detects a new supplicant connecting to the
LAN network, the port on the authenticator is enabled and set to the initialized
state. In this state, only 802.1X traffic is allowed. Other traffic, such as DHCP
and HTTP, is blocked at the data link layer.
3. The authenticator sends a RADIUS access request message to the RADIUS server
to allow the supplicant access to the LAN.
4. The authentication server accepts or rejects the access request. If it accepts the
request, the authentication server sends a RADIUS access challenge. If the
challenge is met by the supplicant, the authenticator sets the port to the
authorized state and normal traffic is then accepted to pass through the port. If
the authentication server rejects the RADIUS access request, the authenticator
sets the port to the unauthorized state, blocking all traffic.
5. When the supplicant disconnects from the network, the supplicant sends an
EAP-logoff message to the authenticator. The authenticator then sets the port to
the unauthorized state, once again blocking all non-EAP traffic.
The 802.1X authentication feature on an EX-series switch is based upon the IEEE
802.1D standard Port-Based Network Access Control.
Related Topics
■ Configuring 802.1X Authentication on EX-series Switches (CLI Procedure)
Understanding Guest VLANs for 802.1X on EX-series Switches

Guest VLANs, in conjunction with 802.1X authentication, provide secure access to
the LAN for corporate guests and for supplicants who fail the 802.1X authentication
process.
When a corporate visitor attempts to authenticate on the LAN, and authentication

fails, the visitor is moved to a guest VLAN. A guest VLAN typically provides access
only to the Internet.
A guest VLAN can also provide limited access to the LAN in cases when authentication
fails for supplicants that are not visitors. When authentication fails, the switch receives
an Access-Reject message for the client, and checks if a guest VLAN is configured on
that port. If so, it moves that user alone to the guest VLAN. If the Access-reject
message contains optional VLAN information, then the user is moved to the VLAN
specified by the RADIUS server and not to the locally configured guest-VLAN.
Authentication can fail for many reasons:

■ The supplicant machine does not have supplicant software on it (for example,
the supplicant is a non-responsive host, such as a printer).
■ The supplicant provided invalid credentials—a username or password that were
not authenticated by the authentication server.
For non-responsive hosts, the guest VLAN could allow limited access to a server from
which the non-responsive host can download the supplicant software and attempt
authentication again.
Related Topics
■ Understanding Dynamic VLANs for 802.1X on EX-series Switches
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches

EX-series switches use Link Layer Discovery Protocol (LLDP) and Link Layer Discovery
Protocol Media Endpoint (LLDP-MED) to learn and distribute device information on
network links. The information allows the switch to quickly identify a variety of
devices, resulting in a LAN that interoperates smoothly and efficiently.
LLDP-capable devices transmit information in Type Length Value (TLV) messages to

neighbor devices. Device information can include specifics, such as chassis and port
identification and system name and system capabilities. The TLVs leverage this
information from parameters that have already been configured in the JUNOS
software.
LLDP-MED goes one step further, exchanging IP-telephony messages between the
switch and the IP telephone. These TLV messages provide detailed information on
PoE policy. The PoE Management TLVs let the switch ports advertise the power level
and power priority needed. For example, the switch can compare the power needed
by an IP telephone running on a PoE interface with available resources. If the switch
cannot meet the resources required by the IP telephone, the switch could negotiate
with the telephone until a compromise on power is reached.
The switch also uses these protocols to ensure that voice traffic gets tagged and
prioritized with the correct values at the source itself. For example, 802.1p CoS and
802.1q tag information can be sent to the IP telephone.
EX-series switches support the following basic TLVs:

■ Chassis Identifier—The MAC address associated with the local system.

■ Port identifier—The port identification for the specified port in the local system.
■ Port Description—The user– configured port description. The port description
can be a maximum of 256 characters.
■ System Name—The user– configured name of the local system. The system name
■ System Description—The system description containing information about the
software and current image running on the system. This information is not
configurable, but taken from the software.
■ System Capabilities—The primary function performed by the system. The
capabilities that system supports are defined; for example, bridge or router. This
information is not configurable, but based on the model of the product.
■ Management Address—The IPv4 management address of the local system.
EX–series switches support the following 802.3 TLVs:

■ Power via MDI—A TLV that advertises MDI power support, PSE power pair, and
power class information.
■ MAC/PHY Configuration Status—A TLV that advertises information about the
physical interface, such as autonegotiation status and support and MAU type.
The information is not configurable, but based on the physical interface structure.
■ Link Aggregation—A TLV that advertises if the port is aggregated and its aggregated
port ID.
■ Maximum Frame Size—A TLV that advertises the Maximum Transmission Unit
(MTU) of the interface sending LLDP frames.
■ Port Vlan—A TLV that advertises the VLAN name configured on the interface.
NOTE: If the IP address isn't configured on the Avaya IP phone, the phone sends an
ARP request to the DHCP server and references the VLAN ID for the VLAN on which
it is a member. If the VLAN ID is incorrect, the IP phone’s request for an IP address
is denied. To bypass this issue, configure the voip statement on the interface. With
the interface designated as a VoIP interface, the switch can forward the VLAN name
and VLAN ID for the voice VLAN to the IP telephone. The IP telephone then uses the
voice VLAN (that is, it references the voice VLAN’s ID) to make an ARP request and
receive an IP address.
EX-series switches support the following LLDP-MED TLVs:

■ LLDP MED Capabilities—A TLV that advertises the primary function of the port.
The capabilities values range 0 through 15:
Understanding 802.1X and LLDP and LLDP-MED on EX-series Switches ■ 529

■ 0— Capabilities
■ 1— Network Policy
■ 2— Location Identification
■ 3— Extended Power via MDI-PSE
■ 4— Inventory
■ 5–15— Reserved
■ LLDP-MED Device Class Values:

■ 0— Class not defined.
■ 1— Class 1 Device.
■ 4— Network Connectivity Device
■ 5–255— Reserved.
■ Network Policy—A TLV that advertises the port VLAN configuration and associated
Layer 2 and Layer 3 attributes. Attributes include the policy identifier, application
types, such as voice or streaming video, 802.1q VLAN tagging, and 802.1p priority
bits and Diffserv code points.
■ Endpoint Location— A TLV that advertises the physical location of the endpoint.
■ Extended Power via MDI— A TLV that advertises the power type, power source,
power priority, and power value of the port. It is the responsibility of the PSE
device (network connectivity device) to advertise the power priority on a port.
Related Topics
Switch
■ Configuring LLDP-MED on EX-series Switches (CLI Procedure)
■ Configuring LLDP on EX-series Switches (CLI Procedure)
Understanding 802.1X and VoIP on EX-series Switches

When you use VoIP and connect IP telephones to the switch, you configure 802.1X
authentication for 802.1X-compatible IP telephones, for IP telephones connected to
another 802.1X -compatible device, or IP telephones that are not connected to an
802.1X-compatible host or device.
Upon successful authentication, the RADIUS server returns the voice VLAN ID and
other parameters applicable to VoIP traffic.

Figure 24: VoIP Multiple Supplicant Topology
If an 802.1X compatible IP telephone does not have an 802.1X host, but has another
802.1X-compatible device connected to its data port, you can connect the phone to
an authenticator port in single-supplicant mode. The connected data device is first
authenticated through the RADIUS server using 802.1X, and then VoIP traffic can go
through without any authentication.
Understanding 802.1X and VoIP on EX-series Switches ■ 531

Figure 25: VoIP Single Supplicant Topology
The MAC address of the IP telephone is sent to the RADIUS server for authentication
and for determining the voice VLAN ID and other VoIP parameters. The VoIP
parameters sent by the RADIUS server can be forwarded to the phone through LLDP
or LLDP-MED if the phone supports these protocols. If the phone does not support
LLDP or LLDP-MED, then the packets are put in the VoIP VLAN, based on the switch
configuration.
Related Topics
■ Example: Setting Up VoIP with 802.1x, LLDP, and LLDP-MED on an EX-series
Switch
■ Configuring VoIP on EX-series Switches (CLI Procedure)

Understanding 802.1X and VSAs on EX-series Switches

EX-series switches support the configuration of Juniper Networks-specific RADIUS
attributes. These attributes are known as vendor-specific attributes (VSAs) and are
described in RFC 2138, Remote Authentication Dial In User Service (RADIUS) and
RLI 4583, AAA RADIUS BRAS VSA Support. These Juniper Networks-specific attributes
are encapsulated in a RADIUS vendor-specific attribute with the vendor ID set to the
Juniper Networks ID number, 2636.
EX-series switches support a new set of VSAs that are used in conjunction with 802.1X
authentication. This set of filtering attributes further defines a supplicant's access to
the LAN. It is called the Juniper-Switching-Filter and is listed under attribute ID number
48 in the dictionary.juniper found on your RADIUS server.
802.1X authentication prevents unauthorized user access by blocking a supplicant

at the port until the supplicant is authenticated by the RADIUS server. Once the
supplicant is authenticated, the switch stops blocking and opens the port.
To further define access for a supplicant, Port Access Control List (PACL) attributes
can be applied through VSAs on the RADIUS server. The PACL is a subset of match
and action conditions that are sent from the RADIUS server as a result of 802.1X
authentication success. Applying PACLs from the RADIUS server provides a centralized
database of filters per supplicant. To replicate this level of filtering support on the
switch, the network administrator would need to configure the same ACL for each
supplicant on every switch from which the supplicant could potentially authenticate.
The following guidelines apply when configuring VSAs:

■ Both match and action statements are mandatory.
■ Any or all options (separated by commas) may be included in each match and
action statement.
■ Fields separated by commas will be ANDed if they are of a different type. The
same types may not be repeated.
■ For OR cases (e.g. match 10.1.1.0/24 OR 11.1.1.0/24), multiple VSAs must be
entered and applied to the supplicant.
■ In order to apply the forwarding-class option, the forwarding class must be
configured on the switch. If it is not configured on the switch, this option is
ignored.
To configure VSAs, enter one or more match conditions and a resulting action:
user@radius# match [destination-mac mac-address, source-vlan vlan-name,

source-dot1q-tag tag, destination-ip ip-address, ip-protocol protocol-id,
[source-port port, destination-port port]
user@radius# action [(allow | deny), forwarding-class class-of-service,
loss-priority (low | medium | high)]
Table 80 on page 534 defines the conditions that can be used with the match
command.
Understanding 802.1X and VSAs on EX-series Switches ■ 533

Table 80: match conditions
Option Description
destination-mac port Destination media access control (MAC) address of the packet.
source-vlan port Name of the source VLAN.
source-dot1q-tag port The tag value in dot1q header, in the range from 0 through 4095.
destination-ip port IP Address of the final destination node.
ip-protocol protocol Destination media access control (MAC) address of the packet.
source-port port TCP or User Datagram Protocol (UDP) source port field. Normally, you specify
this match in conjunction with the protocol match statement to determine
which protocol is being used on the port. In place of the numeric field, you
can specify one of the text options listed under destination-port.
destination-port port TCP or UDP destination port field. Normally, you specify this match in
conjunction with the protocol match statement to determine which protocol
is being used on the port. In place of the numeric value, you can specify one
of the following text synonyms (the port numbers are also listed): afs (1483),
bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401),
dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger
(79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143),
kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate
(760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn
(435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139),
nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723),
printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp
(25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc
(111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed
(525), who (513), xdmcp (177), zephyr-clt (2103), or zephyr-hm (2104). The
range (X-Y) is not supported.
Table 81 on page 534 defines the action options that can be applied to a resulting
match.
Table 81: action Options
Option Description
(allow | deny) Accept a packet or discard a packet silently, without sending an Internet
Control Message Protocol (ICMP) message.
forwarding-class class-of-service Classify packet to one of the following forwarding classes:

■ as
■ assured-forwarding
■ best-effort
■ expedited-forwarding
■ network-control
534 ■ Understanding 802.1X and VSAs on EX-series Switches

Table 81: action Options (continued)
Option Description
loss-priority Set the packet loss priority (PLP) to low, medium, or high. Both the forwarding
class and loss priority should be specified.
When VSAs are configured on the RADIUS server and ACLs are configured locally
on the switch:
■ If they do not conflict with each other, VSAs and local ACLs are merged, with
VSA attributes preceding local ACL attributes.
■ If they conflict with each other, VSAs take precedence over ACLsr.
Related Topics
■ Filtering 802.1X Supplicants using Vendor Specific Attributes (CLI Procedure)
Understanding Dynamic VLANs for 802.1X on EX-series Switches

Dynamic VLANs, in conjunction with the 802.1X authentication process, provide
secure access to the LAN for supplicants belonging to different VLANs on a single
port.
When this feature is configured, a supplicant becomes a member of a VLAN

dynamically after 802.1X authentication is successful. Successful authentication
requires that the VLAN ID or VLAN name exist on the switch and match the VLAN
ID or VLAN name sent by the RADIUS server during authentication.
If the VLAN does not exist, the supplicant is unauthenticated. If a guest VLAN is
established, the unauthenticated supplicant is automatically moved to the guest
VLAN.
Related Topics

Port Security with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting for
EX-series Switches Overview
Ethernet LANs are vulnerable to attacks such as address spoofing and Layer 2 denial
of service (DoS) on network devices. Port security features such as DHCP snooping,
DAI (dynamic ARP inspection), MAC limiting, and MAC move limiting, as well as
trusted DHCP server, help protect the access ports on your switch against the losses
of information and productivity that can result from such attacks.
JUNOS software on EX-series switches provides features to help secure ports on the
switch. The ports can be categorized as either trusted or untrusted. You apply policies
appropriate to those categories to protect against various types of attacks.
Port security features can be turned on to obtain the most robust port security level.
Basic port security features are enabled in the switch's default configuration. You
can configure additional features with minimal configuration steps.
Port security features on EX-series switches are:

■ DHCP snooping—Filters and blocks ingress DHCP server messages on untrusted
ports; builds and maintains an IP-address/MAC-address binding database (called
the DHCP snooping database). You enable this feature on VLANs.
■ Dynamic ARP inspection (DAI)—Prevents ARP spoofing attacks. ARP requests
and replies are compared against entries in the DHCP snooping database, and
filtering decisions are made based on the results of those comparisons. You
enable this feature on VLANs.
■ MAC limiting—Protects against flooding of the Ethernet switching table (also
known as the MAC forwarding table or Layer 2 forwarding table). You enable
this feature on interfaces (ports).
■ MAC move limiting—Detects MAC movement and MAC spoofing on access ports.
Prevents hosts whose MAC addresses have not been learned by the switch from
accessing the network. You enable this feature on VLANs.
■ Trusted DHCP server—With a DHCP server on a trusted port, protects against
rogue DHCP servers sending leases. You enable this feature on interfaces (ports).
By default, access ports are untrusted and trunk ports are trusted. (Access ports
are the switch ports that connect to Ethernet endpoints such as user PCs and
laptops, servers, and printers. Trunk ports are the switch ports that connect to
other Ethernet switches or to routers.)
536 ■ Port Security with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting for EX-series Switches Overview
Related Topics
■ Understanding DHCP Snooping for Port Security on EX-series Switches
■ Understanding DAI for Port Security on EX-series Switches
EX-series Switches
■ Understanding How to Protect Access Ports on EX-series Switches from Common
Attacks
■ Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting,
and MAC Move Limiting, on an EX-series Switch
■ Configuring Port Security (CLI Procedure)
■ Configuring Port Security (J-Web Procedure)
Understanding How to Protect Access Ports on EX-series Switches from Common

Attacks
Port security features can protect the EX-series switch against various types of attacks.
Protection methods against some common attacks are:
■ Mitigation of Ethernet Switching Table Overflow Attacks on page 537
■ Mitigation of Rogue DHCP Server Attacks on page 538
■ Protection Against ARP Spoofing Attacks on page 538
■ Protection Against DHCP Snooping Database Alteration Attacks on page 538
■ Protection Against DHCP Starvation Attacks on page 539
Mitigation of Ethernet Switching Table Overflow Attacks

In an overflow attack on the Ethernet switching table, an intruder sends so many
requests from new MAC addresses that the table cannot learn all the addresses. When
the switch can no longer use information in the table to forward traffic, it is forced
to broadcast messages. Traffic flow on the switch is disrupted, and packets are sent
to all hosts on the network. In addition to overloading the network with traffic, the
attacker might also be able to sniff that broadcast traffic.
To mitigate such attacks, configure both a MAC limit for learned MAC addresses and
some specific allowed MAC addresses. Use the MAC limit feature to control the total
number of MAC addresses that can be added to the Ethernet switching table for the
specified interface or interfaces. By setting the MAC addresses that are explicitly
allowed, you ensure that the addresses of network devices whose network access is
critical are guaranteed to be included in the Ethernet switching table. See Example:
Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect
the Switch from Ethernet Switching Table Overflow Attacks.

Mitigation of Rogue DHCP Server Attacks

If an attacker sets up a rogue DHCP server to impersonate a legitimate DHCP server
on the LAN, the rogue server can start issuing leases to the network's DHCP clients.
The information provided to the clients by this rogue server can disrupt their network
access, causing DoS. The rogue server might also assign itself as the default gateway
device for the network. The attacker can then sniff the network traffic and perpetrate
a man-in-the-middle attack—that is, it misdirects traffic intended for a legitimate
network device to a device of its choice.
To mitigate a rogue DHCP server attack, set the interface to which that rogue server
is connected as untrusted. That action will block all ingress DHCP server messages
from that interface. See Example: Configuring a DHCP Server Interface as Untrusted
to Protect the Switch from Rogue DHCP Server Attacks.
Protection Against ARP Spoofing Attacks

In ARP spoofing, an attacker sends faked ARP messages on the network. The attacker
associates its own MAC address with the IP address of a network device connected
to the switch. Any traffic sent to that IP address is instead sent to the attacker. Now
the attacker can create various types of mischief, including sniffing the packets that
were meant for another host and perpetrating man-in-the middle attacks. (In a
man-in-the-middle attack, the attacker intercepts messages between two hosts, reads
them, and perhaps alters them, all without the original hosts knowing that their
communications have been compromised. )
To protect against ARP spoofing on your switch, enable both DHCP snooping and
dynamic ARP inspection (DAI). DHCP snooping builds and maintains the DHCP
snooping table. That table contains the MAC addresses, IP addresses, lease times,
binding types, VLAN information, and interface information for the untrusted
interfaces on the switch. DAI uses the information in the DHCP snooping table to
validate ARP packets. Invalid ARP packets are blocked.
See Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks.
Protection Against DHCP Snooping Database Alteration Attacks

In an attack designed to alter the DHCP snooping database, an intruder introduces
a DHCP client on one of the switch's untrusted access interfaces that has a MAC
address identical to that of a client on another untrusted port. The intruder acquires
the DHCP lease, which results in changes to the entries in the DHCP snooping table.
Subsequently, what would have been valid ARP requests from the legitimate client
are blocked.
To protect against this type of alteration of the DHCP snooping database, configure
MAC addresses that are explicitly allowed on the interface. See Example: Configuring
Allowed MAC Addresses to Protect the Switch from DHCP Snooping Database
Alteration Attacks.
538 ■ Mitigation of Rogue DHCP Server Attacks

Protection Against DHCP Starvation Attacks

In a DHCP starvation attack, an attacker floods an Ethernet LAN with DHCP requests
from spoofed (counterfeit) MAC addresses so that the switch's trusted DHCP servers
cannot keep up with requests from legitimate DHCP clients on the switch. The address
space of those servers is completely used up, so they can no longer assign IP addresses
and lease times to clients. DHCP requests from those clients are either dropped—that
is, the result is a denial of service (DoS)—or directed to a rogue DHCP server set up
by the attacker to impersonate a legitimate DHCP server on the LAN.
To protect the switch from DHCP starvation attacks, use the MAC limiting feature.
Specify the maximum number of MAC addresses that the switch can learn on the
access interfaces to which those clients connect. The switch's DHCP server or servers
will then be able to supply the specified number of IP addresses and leases to those
clients and no more. If a DHCP starvation attack occurs after the maximum number
of IP addresses has been assigned, the attack will fail. See Example: Configuring MAC
Limiting to Protect the Switch from DHCP Starvation Attacks.
Related Topics
EX-series Switches
■ Understanding Trusted DHCP Servers for Port Security on EX-series Switches
Understanding DHCP Snooping for Port Security on EX-series Switches

DHCP snooping allows the switch to monitor and control DHCP messages received
from untrusted devices connected to the switch. It builds and maintains a database
of valid IP-address/MAC-address (IP-MAC) bindings called the DHCP snooping
database.
■ DHCP Snooping Basics on page 539
■ DHCP Snooping Process on page 540
■ DHCP Server Access on page 541
■ DHCP Snooping Table on page 542
DHCP Snooping Basics

Dynamic Host Configuration Protocol (DHCP) allocates IP addresses dynamically,
“leasing” addresses to devices so that the addresses can be reused when no longer
needed. Hosts and end devices that require IP addresses obtained through DHCP
must communicate with a DHCP server across the LAN. The JUNOS for EX-series
Protection Against DHCP Starvation Attacks ■ 539

software provides the option to apply all access-port security features by VLAN or
by port (interface).
DHCP snooping acts a guardian of network security by keeping track of valid IP

addresses assigned to downstream network devices by a trusted DHCP server (the
server is connected to a trusted network port).
DHCP snooping reads the lease information from the switch (which is a DHCP client)
and from this information creates the DHCP snooping database. This database is a
mapping between IP address and VLAN-MAC pair. For each VLAN-MAC address pair,
the database stores the corresponding IP address.
When a DHCP client releases an IP address (sends a DHCPRELEASE message), the

associated mapping entry is deleted from the database.
You can configure the switch to snoop DHCP server responses only from particular
VLANs. Doing this prevents spoofing of DHCP server messages.
By default, all trunk ports on the switch are trusted and all access ports are untrusted
for DHCP snooping. You can modify these defaults on each of the switch's interfaces.
You configure DHCP snooping for each VLAN, not for each interface (port). By default,
DHCP snooping is disabled for all VLANs.
If you move a network device from one VLAN to another, typically the device has to
acquire a new IP address, so its entry in the database, including the VLAN ID, is
updated.
The Ethernet switching process, ESWD, maintains the timeout (lease time) value for
each IP-MAC binding in its database. The lease time is assigned by the DHCP server.
The software reads the DHCP messages to obtain the lease time and deletes the
associated entry from the database when the lease time expires.
If the switch is rebooted, DHCP bindings are lost. The DHCP clients (the network
devices, or hosts) must reacquire the bindings.
DHCP Snooping Process

The basic process of DHCP snooping is shown in Figure 26 on page 541.
540 ■ DHCP Snooping Process

Figure 26: DHCP Snooping
For general information about the messages that the DHCP client and DHCP server
exchange during the assignment of an IP address for the client, see the JUNOS Software
System Basics Configuration Guide at
DHCP Server Access

The DHCP server can be connected to the switch in one of two ways:
■ The server is directly connected to the same switch as the one connected to the
DHCP clients (the hosts, or network devices, that are requesting IP addresses
from the server). You must configure the port that connects the server to the
switch as a trusted port.
■ The server is directly connected to a switch that is itself directly connected
through a trunk port to the switch that the DHCP clients are connected to. The
trunk port is configured by default as a trusted port. The switch that the DHCP
server is connected to is not configured for DHCP snooping.
In both scenarios, the server and clients are members of the same VLAN.
Figure 27 on page 542 shows the DHCP server connected directly to the switch.
DHCP Server Access ■ 541

Figure 27: DHCP Server Connected to Switch
DHCP Snooping Table

The software creates a DHCP snooping information table that displays the content
of the DHCP snooping database. The table shows current MAC address-IP address
bindings, as well as lease time, type of binding, names of associated VLANs, and
associated interface. To view the table, type show dhcp snooping binding at the
operational mode prompt:
user@switch> show dhcp snooping binding

DHCP Snooping Information:
MAC Address IP Address Lease Type VLAN Interface
----------------- ---------- ----- ---- ---- ---------
00:05:85:3A:82:77 192.0.2.17 600 dynamic employee—vlan ge-0/0/1.0
NOTE: If DHCP leases are sent from a DHCP server that is local (on the switch itself)
or on a VLAN other than the one the DHCP client is on, those entries in the DHCP
snooping table will be incorrect. They might display the interface as unknown (shown
as “unknown” in the Interface column) or show the lease as unknown or unleased
(both are represented by a dash, “–”, in the Lease column).
542 ■ DHCP Snooping Table

Related Topics
■ Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series
Switch with Access to a DHCP Server Through a Second Switch
■ Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks
■ Enabling DHCP Snooping on a VLAN (CLI Procedure)
■ Enabling DHCP Snooping on a VLAN (J-Web Procedure)
Understanding DAI for Port Security on EX-series Switches

Dynamic ARP inspection (DAI) protects EX-series switches against ARP spoofing.
DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping
database on the switch to validate ARP packets and to protect against ARP cache
poisoning. ARP requests and replies are compared against entries in the DHCP
snooping database, and filtering decisions are made based on the results of those
comparisons. When an attacker tries to use a forged ARP packet to spoof an address,
the switch compares the address to entries in the database. If the MAC address or
IP address in an ARP packet does not match a valid entry in the DHCP snooping
database, the packet is dropped.
ARP packets are trapped to the Routing Engine and are rate-limited to protect the
switch from CPU overload.
■ Address Resolution Protocol on page 543
■ ARP Spoofing on page 544
■ DAI on EX-series Switches on page 544
Address Resolution Protocol

Sending IP packets on a multiaccess network requires mapping an IP address to an
Ethernet media access control (MAC) address.
Ethernet LANs use Address Resolution Protocol (ARP) to map MAC addresses to IP
addresses.
The switch maintains this mapping in a cache that it consults when forwarding
packets to network devices. If the ARP cache does not contain an entry for the
destination device, the host (the DHCP client) broadcasts an ARP request for that
device's address and stores the response in the cache.

ARP Spoofing
ARP spoofing (also known as ARP poisoning or ARP cache poisoning) is one way to
initiate man-in-the-middle attacks. The attacker sends an ARP packet that spoofs the
MAC address of another device on the LAN. Instead of the switch sending traffic to
the proper network device, it sends it to the device with the spoofed address that is
impersonating the proper device. If the impersonating device is the attacker's
machine, the attacker receives all the traffic from the switch that should have gone
to another device. The result is that trafic from the switch is misdirected and cannot
reach its proper destination.
One type of ARP spoofing is gratuitous ARP, which is when a network device sends
an ARP request to resolve its own IP address. In normal LAN operation, gratuitous
ARP messages indicate that two devices have the same MAC address. They are also
broadcast when a network interface card (NIC) in a device is changed and the device
is rebooted, so that other devices on the LAN update their ARP caches. In malicious
situations, an attacker can poison the ARP cache of a network device by sending an
ARP response to the device that directs all packets destined for a certain IP address
to go to a different MAC address instead.
To prevent MAC spoofing through gratuitous ARP and through other types of spoofing,
EX-series switches examine ARP responses through DAI.
DAI on EX-series Switches

DAI examines ARP requests and responses on the LAN and validates ARP packets.
The switch intercepts ARP packets from an access port and validates them against
the DHCP snooping database. If no IP-MAC entry in the database corresponds to the
information in the ARP packet, DAI drops the ARP packet and the local ARP cache
is not updated with the information in that packet. DAI also drops ARP packets when
the IP address in the packet is invalid.
JUNOS for EX-series software uses DAI for ARP packets received on access ports
because these ports are untrusted by default. Trunk ports are trusted by default, so
ARP packets bypass DAI on them.
You configure DAI for each VLAN, not for each interface (port). By default, DAI is
disabled for all VLANs. You can set an interface to be trusted for ARP packets by
setting dhcp-trusted on that port.
For packets directed to the switch to which a network device is connected, ARP
queries are broadcast on the VLAN. The ARP responses to those queries are subjected
to the DAI check.
For DAI, all ARP packets are trapped to the Routing Engine. To prevent CPU
overloading, ARP packets destined for the Routing Engine are rate-limited.
If the DHCP server goes down and the lease time for an IP-MAC entry for a previously
valid ARP packet runs out, that packet is blocked.
544 ■ ARP Spoofing

Related Topics
Spoofing Attacks
■ Enabling DAI on a VLAN (CLI Procedure)
■ Enabling DAI on a VLAN (J-Web Procedure)
Understanding MAC Limiting and MAC Move Limiting for Port Security on EX-series
Switches
MAC limiting protects against flooding of the Ethernet switching table (also known
as the MAC forwarding table or Layer 2 forwarding table). You enable this feature
on interfaces (ports). MAC move limiting detects MAC movement and MAC spoofing
on access interfaces. It prevents hosts whose MAC addresses have not been learned
by the switch from accessing the network. You enable this feature on VLANs.
■ MAC Limiting on page 545
■ MAC Move Limiting on page 546
■ Actions for MAC Limiting and MAC Move Limiting on page 546
■ MAC Addresses That Exceed the MAC Limit or MAC Move Limit on page 546
MAC Limiting
MAC limiting sets a limit on the number of MAC addresses that can be learned on a
single Layer 2 access interface. JUNOS software provides two MAC limiting methods:
■ Maximum number of MAC addresses—You configure the maximum number of
dynamic MAC addresses allowed per interface. As soon as the limit is reached,
incoming packets with new MAC addresses are dropped. The MAC limit value
in the EX-series switch default configuration is five MAC addresses.
■ Allowed MAC—You configure specific “allowed” MAC addresses for the access
interface. Any MAC address that is not in the list of configured addresses is not
learned. Allowed MAC binds MAC addresses to a VLAN so that the address does
not get registered outside the VLAN. If an allowed MAC setting conflicts with a
dynamic MAC setting, the allowed MAC setting takes precedence.

MAC Move Limiting

MAC move limiting prevents hosts whose MAC addresses have not been learned by
the switch from accessing the network. Initial learning results when the host sends
DHCP requests. If a new MAC address is detected on an interface, the packet is
trapped to the switch. In general, when a host moves from one interface to another,
the host has to renegotiate its IP address and lease (or be reauthenticated if 802.1X
is configured on the switch). The DHCP request sent by the host can be one for a
new IP address or one to validate the old IP address. If 802.1X is not configured, the
Ethernet switching table entry is flushed from the original interface and added to the
new interface. These MAC movements are tracked, and if more than the configured
number of moves happens within one second, the configured action is performed.
Actions for MAC Limiting and MAC Move Limiting

You can choose to have one of the following actions performed when the limit of
MAC addresses or the limit of MAC moves is reached:
■ drop—Drop the packet and generate an alarm, an SNMP trap, or a system log
entry.
■ log—Do not drop the packet but generate an alarm, an SNMP trap, or a system
log entry.
■ none—Take no action.
■ shutdown—Block data traffic on the interface and generate an alarm.
If you do not set an action, then the action is none. You can also explicitly set none
as the action.
See results of these various action settings in Verifying That MAC Limiting Is Working
Correctly.
If you set a MAC limit to apply to all interfaces on the switch, you can override that
setting for a particular interface by specifying action none. See Setting the none
Action on an Interface to Override a MAC Limit Applied to All Interfaces.
MAC Addresses That Exceed the MAC Limit or MAC Move Limit
If you view log messages that indicate the MAC limit or MAC move limit is exceeded,
you can view the offending MAC addresses that have exceeded the limit. See
Troubleshooting Port Security for details.
546 ■ MAC Move Limiting

Related Topics
■ Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
Snooping Database Alteration Attacks
■ Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC
Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks
■ Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks
■ Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, on
an Interface (CLI Procedure)
an Interface (J-Web Procedure)
Understanding Trusted DHCP Servers for Port Security on EX-series Switches

Any interface on the switch that connects to a DHCP server can be configured as a
trusted port. Configuring a DHCP server on a trusted port protects against rogue
DHCP servers sending leases.
Ensure that the DHCP server interface is physically secure—that is, that access to
the server is monitored and controlled at the site—before you configure the port as
trusted.
Related Topics
■ Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch
from Rogue DHCP Server Attacks
■ Enabling a Trusted DHCP Server on an Interface (CLI Procedure)
■ Enabling a Trusted DHCP Server on an Interface (J-Web Procedure)


Chapter 40
Examples of Configuring 802.1X, Port
Security, and VoIP
■ Example: Connecting a RADIUS Server for 802.1X to an EX-series

Switch on page 549
to Corporate Visitors on an EX-series Switch on page 554
Configurations on an EX-series Switch on page 559
■ Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series
Switch on page 564
■ Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series
Switch on page 571
and MAC Move Limiting, on an EX-series Switch on page 576
Addresses, to Protect the Switch from Ethernet Switching Table Overflow
Attacks on page 584
from Rogue DHCP Server Attacks on page 588
Attacks on page 591
Spoofing Attacks on page 595
Snooping Database Alteration Attacks on page 599
Switch with Access to a DHCP Server Through a Second Switch on page 603
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch

802.1X is the IEEE standard for Port-Based Network Access Control (PNAC). You use
802.1X to control network access. Only users and devices providing credentials that
have been verified against a user database are allowed access to the network. You
can use a RADIUS server as the user database.
Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch ■ 549

This example describes how to connect a RADIUS server to an EX-series switch. and
configure it for 802.1X:
Requirements
■ One EX 4200 switch acting as an authenticator port access entity (PAE). The
ports on the authenticator PAE form a control gate that blocks all traffic to and
from supplicants until they are authenticated.
■ One RADIUS authentication server that supports 802.1X. The authentication
server acts as the backend database and contains credential information for
hosts (supplicants) that have permission to connect to the network.
Before you connect the server to the switch, be sure you have:
■ Performed basic bridging and VLAN configuration on the switch. See Example:
Setting Up Basic Bridging and a VLAN for an EX-series Switch.
■ Configured users on the authentication server.

The EX-series switch acts as an authenticator Port Access Entity (PAE). It blocks all
traffic and acts as a control gate until the supplicant (client) is authenticated by the
server. All other users and devices are denied access.
Figure 28 on page 551 shows one EX 4200 switch that is connected to the devices
listed in Table 82 on page 552.
Chapter 40: Examples of Configuring 802.1X, Port Security, and VoIP
Figure 28: Topology for Configuration

Table 82: Components of the Topology
Property Settings
Switch hardware EX 4200 access switch, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0 through
ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
VLAN name default
One RADIUS server Backend database with an address of 10.0.0.100 connected to the switch at port
ge-0/0/10
In this example, connect the RADIUS server to access port ge-0/0/10 on the EX 4200
switch. The switch acts as acting as the authenticator and forwards credentials from
the supplicant to the user database on the RADIUS server. You must configure
connectivity between the EX 4200 and the RADIUS server by specifying the address
of the server and configuring the secret password. This information is configured in
an access profile on the switch.
NOTE: For more information about authentication, authorization, and accounting

(AAA) services, please refer to JUNOS Software System Basics Configuration Guide.
Configuration
CLI Quick Configuration To quickly connect the RADIUS server to the switch, copy the following commands
[edit]
set access radius-server 10.0.0.100 secret juniper
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.0.0.100 10.2.14.200
Step-by-Step Procedure To connect the RADIUS server to the switch:
1. Define the address of the server, and configure the secret password. The secret
password on the switch must match the secret password on the server:
[edit access profile]

user@switch# set access radius-server 10.0.0.100 secret juniper
2. Configure the authentication order, making radius the first method of

authentication:
[edit system]
user@switch# set profile1 authentication-order radius
3. Configure a list of server IP addresses to be tried in order to authenticate the

supplicant:
[edit system]
user@switch# set access profile profile1 radius authentication-server
10.0.0.100 10.2.14.200
user@switch> show configuration access

radius-server {
10.0.0.100
port 1812;
secret "$9$qPT3ApBSrv69rvWLVb.P5"; ## SECRET-DATA
}
}
profile profile1{
authentication-order radius;
radius {
authentication-server 10.0.0.100 10.2.14.200;
}
}
}
Verification
■ Verify That the Switch and RADIUS Server are Properly Connected on page 553
Verify That the Switch and RADIUS Server are Properly Connected
Purpose Verify that the RADIUS server is connected to the switch on the specified port.
Action Ping the RADIUS server to verify the connection between the switch and the server:
user@switch> ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100): 56 data bytes
64 bytes from 10.93.15.218: icmp_seq=0 ttl=64 time=9.734 ms
64 bytes from 10.93.15.218: icmp_seq=1 ttl=64 time=0.228 ms
What It Means ICMP echo request packets are sent from the switch to the target server at 10.0.0.100
to test whether it is reachable across the IP network. ICMP echo responses are being
returned from the server, verifying that the switch and the server are connected.
Related Topics
Switch
■ Configuring 802.1X RADIUS Accounting (CLI Procedure)
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to

Corporate Visitors on an EX-series Switch
802.1X on EX-series switches provides LAN access to users who do not have
credentials in the RADIUS database. These users, referred to as guests, are
authenticated and typically provided with access to the Internet.
This example describes how to create a guest VLAN and configure 802.1X
authentication for it.
■ Configuration of a Guest VLAN That Includes 802.1X Authentication on page 557
Requirements
■ One EX-series 4200 switch acting as an authenticator interface access entity
(PAE). The interfaces on the authenticator PAE form a control gate that blocks
all traffic to and from supplicants until they are authenticated.
■ One RADIUS authentication server that supinterfaces 802.1X. The authentication
Before you configure guest VLAN authentication, be sure you have:



As part of IEEE 802.1X interface-Based Network Access Control (PNAC), you can
provide limited network access to supplicants who do not belong to a VLAN
authentication group by configuring authentication to a guest VLAN. Typically, guest
VLAN access is used to provide Internet access to visitors to a corporate site. However,
you can also use the guest VLAN feature to provide supplicants that fail 802.1X
authentication to a corporate LAN with access to a VLAN with limited resources.
Figure 29 on page 556 shows the conference room connected to the switch at interface
ge-0/0/1.

Figure 29: Topology for Guest VLAN Example

Table 83: Components of the Guest VLAN Topology
Property Settings
Switch hardware EX 4200 switch, 24 Gigabit Ethernet interfaces: 8 PoE interfaces (ge-0/0/0 through
ge-0/0/7) and 16 non-PoE interfaces (ge-0/0/8 through ge-0/0/23)

supinterface, tag 200
guest-vlan, tag 300
One RADIUS server Backend database connected to the switch through interface ge-0/0/10
In this example, access interface ge-0/0/1 provides LAN connectivity in the conference
room. Configure this access interface to provide LAN connectivity to visitors in the
conference room who are not authenticated by the corporate VLAN.
Configuration of a Guest VLAN That Includes 802.1X Authentication

To create a guest VLAN and configure 802.1X authentication, perform these tasks:
■ Configuration of a Guest VLAN That Includes 802.1X Authentication on page 557
CLI Quick Configuration To quickly configure a guest VLAN, with 802.1X authentication, copy the following
[edit]
set vlans guest-vlan vlan-id 300 interface all
set protocols dot1x authenticator interface ge-0/0/1 guest-vlan guest-vlan
Step-by-Step Procedure To configure a guest VLAN that includes 802.1X authentication on an EX-series switch:
1. Configure the guest VLAN for all interfaces:
[edit]
user@switch# set vlans guest-vlan vlan-id 300 interface all
user@switch# set protocols dot1x authenticator interface all guest-vlan

guest-vlan
2. Commit the configuration and activate the configuration on the switch:
[edit]
user@switch# commit
Configuration of a Guest VLAN That Includes 802.1X Authentication ■ 557


protocols {
dot1x {
authenticator {
interface {
all,
}
}
}
}
}
vlans {
guest-vlan {
interfaces {
vlan-id 300;
}
}
}
Verification
■ Verifying That an interface Is an Authenticator interface on page 558
Verifying That an interface Is an Authenticator interface

Purpose Verify the operational state of an interface.

user@switch> show dot1x interface ge-0/0/1.0 detail
ge-0/0/1.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Guest VLAN membership: guest-vlan
Reauthentication: Enabled Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Supplicant: user1, 00:00:00:00:13:23
Operational state: Authenticated
Reauthentication due in 3307 seconds
What It Means The output field Role shows that the interface is configured as and operating as an
802.1X authenticator interface.
The output field Guest VLAN membership shows that supplicants can connect to this
interface over the guest-vlan.
Related Topics
■ Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant

802.1x Port-Based Network Access Control (PNAC) authentication on EX-series
switches provides three types of authentication to meet the access needs of your
enterprise LAN:
■ Authenticate the first host (supplicant) on an authenticator port, and allow all
others also connecting to have access
■ Authenticate only one supplicant on an authenticator port at one time.
■ Authenticate multiple supplicants on an authenticator port. Multiple supplicant
mode is used in VoIP configurations.
This example configures an EX-series 4200 switch to use IEEE 802.1X to authenticate
supplicants that use three different administrative modes:
■ Configuration of 802.1X to Support Multiple Supplicant Modes on page 562
Requirements
■ One EX-series 4200 switch acting as an authenticator port access entity (PAE).
The ports on the authenticator PAE form a control gate that blocks all traffic to
and from supplicants until they are authenticated.
■ One RADIUS authentication server that supports 802.1X. The authentication
Before you configure the ports for 802.1X authentciation, be sure you have:

■ Configured users on the authentication server.

This example uses an EX-series 4200 access switch connected to the authentication
server on port ge-0/0/10. The LAN requires authentication for three different
administrative modes:
■ Single supplicant mode—Authenticates only the first supplicant that connects to
an authenticator port. All other supplicants connecting to the authenticator port
after the first supplicant has connected successfully, whether they are
802.1X-enabled or not, are permitted free access to the port without further
authentication. If the first authenticated supplicant logs out, all other supplicants
are locked out until a supplicant authenticates.
■ Single-secure supplicant mode—Authenticates only one supplicant to connect
to an authenticator port. No other supplicant can connect to the authenticator
port until the first supplicant logs out.
■ Multiple supplicant mode—Authenticates multiple supplicants individually on
one authenticator port. You can configure the up to “x” supplicants per port. If
you configure a maximum number of devices that can be connected to a port
through port security, the lesser of the configured values is used to determine
the maximum number of supplicants allowed per port.

Figure 30: Topology for Configuring Multiple Supplicant Modes

Table 84: Components of the Basic Bridging Configuration Topology
Property Settings
Switch hardware EX-series 4200 access switch, 24 Gigabit Ethernet ports: 8
PoE ports (ge-0/0/0 through ge-0/0/7) and 16 non-PoE
ports (ge-0/0/8 through ge-0/0/23)
VLAN name default
Connection to WAP (requires PoE) ge-0/0/0
Connections to Avaya phone—with integrated hub, to connect ge-0/0/1 through ge-0/0/7

phone and desktop PC to a single port; (requires PoE)
Direct connections to desktop PCs (no PoE required) ge-0/0/8 through ge-0/0/12
Connections to file servers (no PoE required) ge-0/0/17 and ge-0/0/18
Connections to integrated printer/fax/copier machines (no PoE ge-0/0/19 through ge-0/0/20

required)
Unused ports (for future expansion) ge-0/0/13 through ge-0/0/16, and ge-0/0/21 through
ge-0/0/23
Three access ports need to be configured to support supplicants in different areas of

the Enterprise network:
■ Configure access port ge-0/0/8 for single supplicant mode authentication.
■ Configure access port ge-0/0/9 for single secure supplicant mode authentication.
■ Configure access port ge-0/0/11 for multiple supplicant mode authentication.
Configuration of 802.1X to Support Multiple Supplicant Modes

To configure 802.1X authentication to support multiple supplicants, perform these
tasks:
■ Configuration of 802.1X to Support Multiple Supplicant Modes on page 562
CLI Quick Configuration To quickly configure the ports with different 802.1X authentication modes, copy the
following commands and paste them into the switch terminal window:
[edit]
set protocols dot1x authenticator interface ge-0/0/8 supplicant single
set protocols dot1x authenticator interface ge-0/0/9 supplicant single-secure
set protocols dot1x authenticator interface all supplicant multiple
commit
562 ■ Configuration of 802.1X to Support Multiple Supplicant Modes

Step-by-Step Procedure Configure the ports ge-0/0/8 and ge-0/0/9:
1. Configure the supplicant mode as single on the ports:
[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/8 supplicant single
user@switch# set dot1x authenticator interface ge-0/0/9 supplicant
single-secure
user@switch#
commit
2. Globally configure multiple supplicant mode on all other ports:
[edit protocols]
user@switch# set dot1x authenticator interface all supplicant multiple
user@switch#
commit
3. Commit the configuration and activate it on the switch:
[edit]
user@switch# commit

Check the results of the configuration:
[edit protocols]
protocols {
dot1x {
authenticator {
interface {
ge-0/0/8.0 {
supplicant single;
)
ge-0/0/9.0 {
supplicant single-secure;
all {
supplicant multiple;
}
}
}
}
}
Configuration of 802.1X to Support Multiple Supplicant Modes ■ 563

Verification
■ Verifying the 802.1X Configuration on page 564
Verifying the 802.1X Configuration

Purpose Verify the 802.1X configuration on ports ge-0/0/8 , ge-0/0/9 , and ge-0/0/5.
Action Verify the 802.1X configuration with the operational mode command show dot1x
interface:
user@switch> show dot1x interface

802.1X Information:
Interface Role State MAC address User
ge-0/0/8.0 Authenticator Authenticated 00:00:00:12:00:21 abc
ge-0/0/9.0 Authenticator Authenticated 00:30:48:8D:7B:AD abc
What It Means TheMAC address output field displays the MAC address of connected supplicants to
the authentication port.
Related Topics
Switch
Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX-series Switch

You can configure voice over IP (VoIP) to support IP telephones. VoIP is a protocol
used for the transmission of voice through packet-switched networks. VoIP transmits
voice calls using a network connection instead of an analog phone line. Instead of
using a regular telephone, you connect an IP telephone directly to the switch. An IP
phone has all the hardware and software needed to handle VoIP. You also can power
an IP telephone by connecting it to one of the Power over Ethernet (PoE) interfaces
on the switch.
This example describes how to configure VoIP on the switch to support an Avaya
telephone, as well as the LLDP-MED protocol. This protocol forwards VoIP parameters
from the switch to the phone. You also configure 802.1X authentication to allow the
telephone access to the LAN. Authentication is done through a backend RADIUS

server.
Requirements
The interfaces on the authenticator PAE form a control gate that blocks all traffic
to and from supplicants until they are authenticated.
■ An Avaya 9620 IP telephone (supports LLDP-MED and 802.1X)
Before you configure VoIP, be sure you have:

■ Configured the RADIUS server for 802.1X authentication and set up the access
profile. See Example: Connecting a RADIUS Server for 802.1X to an EX-series
Switch
■ Configured interface ge-0/0/2 for Power over Ethernet (PoE). For information
about configuring PoE, see Configuring PoE on an EX-series Switch (CLI
Procedure).
NOTE: The PoE configuration is not necessary if a VoIP supplicant is using a power
adapter.

Access interface ge-0/0/2 on the EX-series 4200 switch is connected to an Avaya
9620 IP telephone. Avaya phones have a built-in bridge that allows you to connect
a desktop PC to the phone, so the desktop and phone in a single office require only
one interface on the switch. The EX-series switch is connected to a RADIUS server
on interface ge-0/0/10.
Figure 31: VoIP Topology
In this example, you configure VoIP parameters and specify the forwarding class
assured-forward for voice traffic to provide the highest quality of service.
Table 85: Components of the VoIP Configuration Topology
Property Settings
Switch hardware EX-series 4200 access switch

Table 85: Components of the VoIP Configuration Topology (continued)
VLAN names data1

voice-vlan
Connection to Avaya phone—with integrated hub, to connect ge-0/0/2

phone and desktop PC to a single interface (requires PoE)
One RADIUS server Provides backend database connected to the switch

through interface ge-0/0/10.
As well as configuring VoIP for interface ge-0/0/2, you configure:

■ 802.1X authentication. Authentication is set to multiple supplicant to support
more than one supplicant access to the LAN through interface ge-0/0/2.
■ LLDP-MED protocol information. The switch uses LLDP-MED to forward VoIP
parameters to the phone. Using LLDP-MED ensures that voice traffic gets tagged
and prioritized with the correct values at the source itself. For example, 802.1p
CoS and 802.1q tag information can be sent to the IP telephone.
NOTE: A PoE configuration is not necessary if an IP telephone is using a power

adapter.
Configuration
To configure VoIP to support and Avaya phone, as well as the LLDP-MED protocol:
CLI Quick Configuration To quickly configure VoIP, LLDP–MED, and 802.1X for an interface, copy the following
[edit]
set vlans data1 description data-vlan
set vlans voice-vlan description voice-vlan
set vlans data1 interface ge-0/0/2.0
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members data1
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set ethernet-switching-options voip interface ge-0/0/2.0 vlan voice-vlan
set ethernet-switching-options voip interface ge-0/0/2.0 forwarding-class
assured-forwarding
set protocols lldp-med interface ge-0/0/2.0
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple
Step-by-Step Procedure To configure VoIP, LLDP, LLDP–MED, and 802.1X authentication:
1. Configure the VLANs for voice and data:
[edit vlans]
user@switch# set data1 description data-vlan
user@switch# set vlans voice-vlan description voice-vlan
2. Configure the VLAN data1 on the interface:
[edit vlans]
user@switch# set data1 interface ge-0/0/2.0
3. Configure the maximum transmission unit for the media:
[edit interfaces]
user@switch# set ge-0/0/2 mtu 1518
4. Configure the interface as an access interface, configure support for the Ethernet
switching protocol, and add the data1 VLAN:
[edit interfaces]
user@switch# set ge-0/0/2 unit 0 family ethernet-switching vlan members
data1
user@switch# set ge-0/0/2 unit 0 family ethernet-switching port-mode access
5. Add the VoIP configuration for the interface and specify the assured-forwarding
forwarding class to provide the most dependable class of Sservice:
[edit ethernet—switching—options]
user@switch# set voip interface ge-0/0/2.0 vlan voice-vlan
user@switch# set voip interface ge-0/0/2.0 forwarding-class
assured-forwarding
6. Configure LLDP-MED protocol support:
[edit protocols]
user@switch# set lldp–med interface ge-0/0/2.0
7. Configure 802.1X protocol support and specify multiple supplicants to allow

more than one supplicant to be authenticated on the interface:
[edit protocols]
user@switch# set dot1x authenticator interface ge-0/0/2.0 supplicant
multiple
[edit]
user@switch# show configuration
interfaces {
ge-0/0/2 {
mtu 1518;
unit 0 {
family ethrnet-switching {
port-mode access;
vlan {
members data1;
}
}
}
}
}
protocols {
lldp-med {
}
dot1x {
authenticator {
interface {
ge-0/0/2.0 {
supplicant multiple;
}
}
}
}
}
vlans {
data1 {
description data-vlan;
interface {
ge-0/0/2.0;
}
}
voice-vlan {
description voice-vlan;
}
}
Verification
■ Verifying LLDP-MED Configuration on page 569
■ Verifying 802.1X Authentication on page 570
■ Verifying the Interface on page 571
Verifying LLDP-MED Configuration

Purpose Verify that LLDP-MED is enabled on the interface.
Action user@switch> show lldp detail

LLDP : Enabled
Advertisement interval : 30 Second(s)
Transmit delay : 2 Second(s)

Hold timer : 2 Second(s)
Config Trap Interval : 300 Second(s)
Connection Hold timer : 60 Second(s)
LLDP MED : Enabled

MED fast start count : 3 Packet(s)
Interface LLDP LLDP-MED Neighbor count

all Enabled - 0
ge-0/0/2.0 - Enabled 0
Interface VLAN-id VLAN-name

ge-0/0/0.0 0 default
ge-0/0/1.0 0 employee-vlan
ge-0/0/2.0 0 data1
ge-0/0/11.0 0 __juniper_vlan_internal__
LLDP basic TLVs supported:

Chassis identifier, Port identifier, Port description, System name, System
description, System capabilities, Management address.
LLDP 802 TLVs supported:

Power via MDI, Link aggregation, Maximum frame size, Port VLAN tag, Port
VLAN name.
LLDP MED TLVs supported:

LLDP MED capabilities, Network policy, Endpoint location, Extended power
Via MDI.
What It Means The show lldp detail output shows that both LLDP and LLDP-MED are configured on
the ge-0/0/2.0 interface. The end of the output shows the list of supported LLDP
basic TLVs, 802.3 TLVs, and LLDP-MED TLVs that are supported.
Verifying 802.1X Authentication

Purpose Display the 802.1X configuration to confirm that the VoIP interface has access to
the LAN.
Action user@switch> show dot1x interface ge/0/0/2.0 detail

ge-0/0/2.0
Role: Authenticator
Supplicant mode: Multiple
Server timeout: 30 seconds
570 ■ Verifying 802.1X Authentication

Maximum EAPOL requests: 2

Number of connected supplicants: 1
Supplicant: abc, 00:00:00:00:22:22
What It Means The field Role shows that the ge-0/0/2.0 interface is in the authenticator state. The
Supplicant field shows that the interface is configured in multiple supplicant mode,
permitting multiple supplicants to be authenticated on this interface. The MAC
addresses of the supplicants currently connected are displayed at the bottom of the
output.
Verifying the Interface

Purpose Display the interface state and VLAN membership.
Action user@switch> show ethernet-switching interfaces


ge-0/0/2.0 up voice-vlan unblocked
data1 unblocked
What It Means The field VLAN members shows that the ge-0/0/2.0 interface supports both the data1
VLAN and voice-vlan VLAN. The State field shows that the interface up.
Related Topics
■ Configuring CoS Forwarding Classes (CLI Procedure)
■ Defining Forwarding Classes (J-Web Procedure)
Example: Setting Up 802.1X for Nonresponsive Hosts on an EX-series Switch

As part of IEEE 802.1X Port-Based Network Access Control (PNAC), you can configure
access through 802.1X-configured ports to your LAN for devices that are not
802.1X-enabled. These devices, typically printers, are known as nonresponsive hosts.
Nonresponsive hosts are authenticated by means of their MAC address. If a
Verifying the Interface ■ 571

nonresponsive host's MAC address is compared and matched against a

user-configured static MAC address list, the nonresponsive host is authenticated and
a port opened for it.
This example describes how to configure MAC-based authentication for a

nonresponsive host.
Requirements
The ports on the authenticator PAE form a control gate that blocks all traffic to
and from supplicants until they are authenticated.
■ One RADIUS authentication server. The authentication server acts as the backend
database and contains credential information for hosts (supplicants) that have
permission to connect to the network.
Before you configure 802.1X authentication for nonresponsive hosts, be sure you
have:

A printer with the MAC address 00:04:0f:fd:ac:fe is connected to access interface
ge-0/0/19. A second printer with the MAC address 00:04:ae:cd:23:5f is connected
to access interface ge-0/0/20. Both printers will be added to the static list. At the
end of the configuration, one printer will be removed from the static list.
Figure 32: Topology for MAC-based Authentication Configuration

Table 86: Components of the MAC-based Authentication Configuration Topology
Property Settings
Switch hardware Java Espresso E-24T, 24 Gigabit Ethernet ports: 8 PoE ports (ge-0/0/0
through ge-0/0/7) and 16 non-PoE ports (ge-0/0/8 through ge-0/0/23)
VLAN name default
Connections to integrated printer/fax/copier ge-0/0/19, MAC address 00:04:0f:fd:ac:fe

machines (no PoE required) ge-0/0/20, MAC address 00:04:ae:cd:23:5f
Unused ports (for future expansion) ge-0/0/13 through ge-0/0/16, and ge-0/0/21 through ge-0/0/23
Configuration
To configure MAC-based authentication, perform these tasks:
Configuring MAC-Based Authentication

CLI Quick Configuration To quickly configure MAC-based authentication, copy the following commands and
paste them into the switch terminal window:
Reviewer, I removed the old configuration that wasn't valid, but what
other statements should I add?
[edit]
set protocol dot1x authenticator profile1 static [00:04:0f:fd:ac:fe
00:04:ae:cd:23:5f]
commit
Step-by-Step Procedure Configure ports ge-0/0/19 and ge-0/0/20 for MAC-based authentication:
1. Configure ports in authenticator mode and specify the static MAC addresses:
[edit protocol]
user@switch# set dot1x authenticator profile1 static [00:04:0f:fd:ac:fe
00:04:ae:cd:23:5f]
2. Configure 802.1X authentication on the switch:
[edit protocol]
user@switch# set protocol dot1x interface all supplicant multiple
user@switch# commit
Writer needs to get sample config output.,

user@switch# show
interfaces {
ge-0/0/19 {
unit 0 {
vlan members default;
}
}
}
interfaces {
ge-0/0/20 {
unit 0 {
vlan members default;
}
}
}
protocols {
dot1x {
authenticator {
static [[00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f];
}
}
}
[Output Truncated]
Removing a NonResponsive Host MAC Address from the MAC Static List
Step-by-Step Procedure The printer attached to port ge–0/0/20 has been removed from the LAN network.
The printer is identified with the MAC address 00:04:ae:cd:23:5f. Remove this printer
from the static MAC list:
1. Delete MAC address 00:04:ae:cd:23:5f from the static MAC:
[edit protocol]
user@switch# set dot1x 802.1x authenticator profile1 static
00:04:ae:cd:23:5f delete
2. Commit the configuration and activate it on the switch:
[edit]
user@switch# commit
Verification
■ Verifying Authenticator Ports on page 576
■ Verifying the Removal of a Nonresponsive Host on page 576
Removing a NonResponsive Host MAC Address from the MAC Static List ■ 575
Verifying Authenticator Ports

Purpose Verify the current operational state of all authenticator ports and display a list of
connected supplicants.
Reviewer, I'm not sure what commands we use here: this is a topic that
was written months ago, but not reviewed. Please advise.

user@switch> show dot1x detail authenticator
TBD
Reviewer, will replace with valid output.
What It Means The output field Number of connected supplicants shows the MAC addresses of the
two printers.
The output field Operational State shows the operational state of the authenticator
ports.
Verifying the Removal of a Nonresponsive Host

Purpose Verify the removal of the nonresponsive from the software configuration on an
EX-series switch.
Reviewer, not sure which oper. mode command best shows this—I see
this as a test item in the test plan.

user@switch> show dot1x detail authenticator
TBD
Reviewer, will replace with valid output.
What It Means The output field Number of connected supplicants no longer displays the MAC address
00:04:ae:cd:23:5f.
The output field Operational State shows the operational state of the authenticator
ports.
Related Topics
■ Configuring 802.1X Authentication (J-Web Procedure)
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and
MAC Move Limiting, on an EX-series Switch
You can configure DHCP snooping, dynamic ARP inspection (DAI), MAC limiting,
and MAC move limiting on the access ports of EX-series switches to protect the switch
576 ■ Verifying Authenticator Ports

and the Ethernet LAN against address spoofing and Layer 2 denial-of-service (DoS)
attacks. You can also configure a trusted DHCP server and specific (allowed) MAC
addresses for the switch interfaces.
This example describes how to configure basic port security features—DHCP snooping,
DAI, MAC limiting, and MAC move limiting, as well as a trusted DHCP server and
allowed MAC addresses—on a switch. The DHCP server and its clients are all members
of a single VLAN on the switch.
Requirements
■ One EX-series EX 3200-24P switch
■ A DHCP server to provide IP addresses to network devices on the switch
Before you configure DHCP snooping, DAI, and MAC limiting port security features,
be sure you have:
■ Connected the DHCP server to the switch.
■ Configured the VLAN employee-vlan on the switch. See Example: Setting Up
Bridging with Multiple VLANs for EX-series Switches.

Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
To protect the devices from such attacks, you can configure DHCP snooping to
validate DHCP server messages, DAI to protect against MAC spoofing, and MAC cache
limiting to constrain the number of MAC addresses the switch adds to its MAC address
cache.
This example shows how to configure these security features on an EX 3200-24P

switch. The switch is connected to a DHCP server.
The setup for this example includes the VLAN employee-vlan on the switch. The
procedure for creating that VLAN is described in the topic Example: Setting Up
Bridging with Multiple VLANs for EX-series Switches. That procedure is not repeated
here. Figure 33 on page 600 illustrates the topology for this example.
Figure 33: Network Topology for Basic Port Security
The components of the topology for this example are shown in Table 87 on page 600.
Table 87: Components of the Port Security Topology
Properties Settings
Switch hardware One EX 3200-24P, 24 ports (8 PoE ports)
VLAN name and ID employee-vlan, tag 20
VLAN subnets 192.0.2.16/28

192.0.2.17 through 192.0.2.30
192.0.2.31 is subnet's broadcast address
Interfaces in employee-vlan ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/8
Interface for DHCP server ge-0/0/8
In this example, the switch is initially configured with the default port security setup.
In the default configuration on the switch:

■ Secure port access is activated on the switch.

■ A dynamic limit on the maximum number of MAC addresses to be “learned”
per port by the switch is already set in the default configuration. The default limit
is 5.
■ The switch does not drop any packets, which is the default setting.
■ DHCP snooping and DAI are disabled on all VLANs.
■ All access ports are untrusted and all trunk ports are trusted for DHCP snooping,
which is the default setting.
In the configuration tasks for this example, you set the DHCP server first as untrusted
and then as trusted; you enable DHCP snooping, DAI, and MAC move limiting on a
VLAN; you modify the value for MAC limit; and you configure some specific (allowed)
MAC addresses on an interface.
Configuration
To configure basic port security on a switch whose DHCP server and client ports are
in a single VLAN:
CLI Quick Configuration To quickly configure basic port security on the switch, copy the following commands
[edit ethernet-switching-options secure-access-port]

set interface ge-0/0/1 mac-limit 4 action drop
set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
set interface ge-0/0/8 dhcp-trusted
set vlan employee–vlan arp-inspection
set vlan employee-vlan examine-dhcp
set vlan employee-vlan mac-move-limit 5 action drop
Step-by-Step Procedure Configure basic port security on the switch:
1. Enable DHCP snooping on the VLAN:

user@switch# set vlan employee-vlan examine-dhcp
2. Specify the interface (port) from which DHCP responses are allowed:

user@switch# set interface ge-0/0/8 dhcp-trusted
3. Enable dynamic ARP inspection (DAI) on the VLAN:

user@switch# set vlan employee-vlan arp-inspection
4. Configure the MAC limit of 4 and specify that packets with new addresses be
dropped if the limit has been exceeded on the interfaces:

user@switch# set interface ge-0/0/1 mac-limit 4 action drop
5. Configure a MAC move limit of 5 and specify that packets with new addresses
be dropped if the limit has been exceeded on the VLAN:

user@switch# set vlan employee-vlan mac-move-limit 5 action drop
6. Configure the allowed MAC addresses:

user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80

Check the results of the configuration:

user@switch# show
mac-limit 4 action drop;
}
allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 00:05:85:3a:82:83
00:05:85:3a:82:85 00:05:85:3a:82:88 ];
}
dhcp-trusted;
}
vlan employee-vlan {
arp-inspection
examine-dhcp;
mac-move-limit 5 action drop;
}
Verification
To confirm that the configuration is working properly:
■ Verifying That DHCP Snooping Is Working Correctly on the Switch on page 581
■ Verifying That DAI Is Working Correctly on the Switch on page 582
■ Verifying That MAC Limiting and MAC Move Limiting Are Working Correctly on
the Switch on page 582
■ Verifying That Allowed MAC Addresses Are Working Correctly on the
Switch on page 583
Verifying That DHCP Snooping Is Working Correctly on the Switch

Purpose Verify that DHCP snooping is working on the switch.
Action Send some DHCP requests from network devices (here they are DHCP clients)
connected to the switch.
Display the DHCP snooping information when the interface on which the DHCP
server connects to the switch is trusted. The following output results when requests
are sent from the MAC addresses and the server has provided the IP addresses and
leases:
----------------- ---------- ----- ---- ---- ---------
00:05:85:27:32:88 192.0.2.22 3200 dynamic employee—vlan ge-0/0/2.0
What It Means When the interface on which the DHCP server connects to the switch has been set
to trusted, the output (see preceding sample) shows, for each MAC address, the
assigned IP address and lease time—that is, the time, in seconds, remaining before
the lease expires.
If the DHCP server had been configured as untrusted, the output would look like this:

----------------- ---------- ----- ---- ---- ---------
00:05:85:3A:82:77 0.0.0.0 - dynamic employee—vlan ge-0/0/1.0
00:05:85:27:32:88 0.0.0.0 - dynamic employee—vlan ge-0/0/2.0
In the preceding output sample, IP addresses and lease times are not assigned because
the DHCP clients do not have a trusted server to which they can send requests. In
the database, the clients' MAC addresses are shown with no assigned IP addresses
(hence the 0.0.0.0 content in the IP Address column) and no leases (the lease time
is shown as a dash – in the Lease column).
Verifying That DAI Is Working Correctly on the Switch

Purpose Verify that DAI is working on the switch.
Action Send some ARP requests from network devices connected to the switch.
Display the DAI information:

user@switch> show arp inspection statistics
ARP inspection statistics:
Interface Packets received ARP inspection pass ARP inspection failed
--------------- --------------- -------------------- ---------------------
ge-0/0/1.0 7 5 2
ge-0/0/2.0 10 10 0
ge-0/0/3.0 12 12 0
What It Means The sample output shows the number of ARP packets received and inspected per
interface, with a listing of how many packets passed and how many failed the
inspection on each interface. The switch compares the ARP requests and replies
against the entries in the DHCP snooping database. If a MAC address or IP address
in the ARP packet does not match a valid entry in the database, the packet is dropped.
Verifying That MAC Limiting and MAC Move Limiting Are Working
Correctly on the Switch
Purpose Verify that MAC limiting and MAC move limiting are working on the switch.
Action Suppose that two DHCP requests have been sent from hosts on ge-0/0/1 and five
DHCP requests from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 4
with the action drop.
Display the MAC addresses learned:

employee-vlan * Flood - ge-0/0/2.0

employee-vlan 00:05:85:3A:82:77 Learn 0 ge-0/0/1.0
582 ■ Verifying That DAI Is Working Correctly on the Switch

Note that one of the MAC addresses on ge-0/0/2 was not learned because the limit
of 4 MAC addresses for that interface had been exceeded.
Now suppose that DHCP requests have been sent from two of the hosts on ge-0/0/2
after they have been moved to other interfaces more than 5 times in 1 second, with
employee-vlan set to a MAC move limit of 5 with the action drop.
Display the MAC addresses in the table:



What It Means The first sample output shows that with a MAC limit of 4 for each interface, the DHCP
request for a fifth MAC address on ge-0/0/2 was dropped because it exceeded the
MAC limit. The second sample output shows that DHCP requests for two of the hosts
on ge-/0/0/2 were dropped when the hosts had been moved back and forth from
various interfaces more than 5 times in one second.
Verifying That Allowed MAC Addresses Are Working Correctly on

the Switch
Purpose Verify that allowed MAC addresses are working on the switch.
Action Display the MAC cache information after 5 allowed MAC addresses have been
configured on interface ge/0/0/2:

What It Means Because the MAC limit value for this interface has been set to 4, only 4 of the 5
configured allowed addresses are learned.
Verifying That Allowed MAC Addresses Are Working Correctly on the Switch ■ 583
Related Topics
Spoofing Attacks
Attacks
Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses,
to Protect the Switch from Ethernet Switching Table Overflow Attacks
In an Ethernet switching table overflow attack, an intruder sends so many requests
from new MAC addresses that the Ethernet switching table fills up and then overflows,
forcing the switch to broadcast all messages.
This example describes how to configure MAC limiting and allowed MAC addresses,
two port security features, to protect the switch from Ethernet switching table attacks:
Requirements
Before you configure specific port security features to mitigate common

access-interface attacks, be sure you have:



This example describes how to protect the switch from an attack on the Ethernet
switching table that causes the table to overflow and thus forces the switch to
broadcast all messages.
This example shows how to configure port security features on an EX 3200-24P

switch. The switch is connected to a DHCP server.
Properties Settings

Table 88: Components of the Port Security Topology (continued)

192.0.2.17 through 192.0.2.30
In this example, use the MAC limit feature to control the total number of MAC
addresses that can be added to the Ethernet switching table for the specified interface.
Use the allowed MAC addresses feature to ensure that the addresses of network
devices whose network access is critical are guaranteed to be included in the Ethernet
switching table.
In this example, the switch has already been configured as follows:

■ No MAC limit is set on any of the interfaces.
■ All access interfaces are untrusted, which is the default setting.
Configuration
To configure MAC limiting and some allowed MAC addresses to protect the switch
against Ethernet switching table overflow attacks:
CLI Quick Configuration To quickly configure MAC limiting and some allowed MAC addresses, copy the

Step-by-Step Procedure Configure MAC limiting and some allowed MAC addresses:
1. Configure a MAC limit of 4 on ge-0/0/1 and specify that incoming packets with
different addresses be dropped once the limit is exceeded on the interface:

2. Configure the allowed MAC addresses on ge-0/0/2:


user@switch# show
}
allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 00:05:85:3a:82:83 00:05:85
:3a:82:85 ];
}
Verification
■ Verifying That MAC Limiting Is Working Correctly on the Switch on page 587
Verifying That MAC Limiting Is Working Correctly on the Switch

Purpose Verify that MAC limiting is working on the switch.
Action Display the MAC cache information after DHCP requests have been sent from hosts
on ge-0/0/1, with the interface set to a MAC limit of 4 with the action drop, and after
four allowed MAC addresses have been configured on interface ge/0/0/2:

employee-vlan * Flood 0 ge-0/0/1.0
What It Means The sample output shows that with a MAC limit of 4 for the interface, the DHCP
MAC limit and that only the specified allowed MAC addresses have been learned on
the ge-0/0/2 interface.
Related Topics
Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch

In a rogue DHCP server attack, an attacker has introduced a rogue server into the
network, allowing it to give IP address leases to the network's DHCP clients and to
assign itself as the gateway device.
This example describes how to configure a DHCP server interface as untrusted to

protect the switch from a DHCP rogue server:
Requirements
Before you configure an untrusted DHCP server interface to mitigate rogue DHCP
server attacks, be sure you have:
■ Enabled DHCP snooping on the VLAN.


This example describes how to protect the switch from rogue DHCP server attacks.
This example shows how to explicitly configure an untrusted interface on an

EX 3200-24P switch. Figure 33 on page 600 illustrates the topology for this example.
Properties Settings

192.0.2.17 through 192.0.2.30
192.0.2.31 is the subnet's broadcast address


■ DHCP snooping is enabled on the VLAN employee-vlan.
■ The interface (port) where the rogue DHCP server has connected to the switch
is currently trusted.
Configuration
To configure the DHCP server interface as untrusted because the interface is being
used by a rogue DHCP server:
CLI Quick Configuration To quickly set the rogue DHCP server interface as untrusted, copy the following
command and paste it into the switch terminal window:

set interface ge-0/0/8 no-dhcp-trusted
Step-by-Step Procedure To set the DHCP server interface as untrusted:Specify the interface (port) from which
DHCP responses are not allowed:[edit ethernet-switching-options
secure-access-port]user@switch# set interface ge-0/0/8 no–dhcp-trusted

user@switch# show
no-dhcp-trusted;
}
Verification
■ Verifying That the DHCP Server Interface Is Untrusted on page 590
Verifying That the DHCP Server Interface Is Untrusted

Purpose Verify that DHCP snooping is working on the switch. See what happens when the
DHCP server is untrusted.
Display the DHCP snooping information when the port on which the DHCP server
connects to the switch is not trusted. The following output results when requests are
sent from the MAC addresses but no server has provided IP addresses and leases:
----------------- ---------- ----- ---- ---- ---------
00:05:85:3A:82:77 0.0.0.0 - dynamic employee-vlan ge-0/0/1.0
00:05:85:27:32:88 0.0.0.0 - dynamic employee-vlan ge-0/0/2.0
What It Means In the sample output from the database, the clients' MAC addresses are shown with
no assigned IP addresses (hence the 0.0.0.0 content in the IP Address column) and
no leases (the lease time is shown as a dash – in the Lease column).
Related Topics
Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation
Attacks
In a DHCP starvation attack, an attacker floods an Ethernet LAN with DHCP requests
from spoofed (counterfeit) MAC addresses. The switch's trusted DHCP server or
servers cannot keep up with the requests and can no longer assign IP addresses and
lease times to legitimate DHCP clients on the switch. Requests from those clients
are either dropped or directed to a rogue DHCP server set up by the attacker.
This example describes how to configure MAC limiting, a port security feature, to
protect the switch against DHCP starvation attacks:
Requirements

Before you configure MAC limiting, a port security feature, to mitigate DHCP starvation
attacks, be sure you have:

This example describes how to protect the switch against one common type of attack,
a DHCP starvation attack.

switch that is connected to a DHCP server.

Properties Settings
VLAN name and ID default

■ No MAC limit is set on any of the interfaces.
■ DHCP snooping is disabled on the VLAN employee-vlan.
■ All access interfaces are untrusted, which is the default setting.
Configuration
To configure the MAC limiting port security feature to protect the switch against
DHCP starvation attacks:
CLI Quick Configuration To quickly configure MAC limiting, copy the following commands and paste them

Step-by-Step Procedure Configure MAC limiting:
1. Configure a MAC limit of 3 on ge-0/0/1 and specify that packets with new
addresses be dropped if the limit has been exceeded on the interface:

user@switch# set interface ge–0/0/1 mac-limit 3 action drop
2. Configure a MAC limit of 3 on ge-0/0/2 and specify that packets with new
addresses be dropped if the limit has been exceeded on the interface:

user@switch# show
}
}
Verification
■ Verifying That MAC Limiting Is Working Correctly on the Switch on page 594
Verifying That MAC Limiting Is Working Correctly on the Switch

Purpose Verify that MAC limiting is working on the switch.
Display the MAC addresses learned when DHCP requests are sent from hosts on
ge-0/0/1 and from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 3 with
the action drop:
default * Flood - ge-0/0/2.0

default 00:05:85:3A:82:77 Learn 0 ge-0/0/1.0
What It Means The sample output shows that with a MAC limit of 3 for each interface, the DHCP
request for a fourth MAC address on ge-0/0/2 was dropped because it exceeded the
MAC limit.
Because only 3 MAC addresses can be learned on each of the two interfaces,
attempted DHCP starvation attacks will fail.
Related Topics
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks
In an ARP spoofing attack, the attacker associates its own MAC address with the IP
address of a network device connected to the switch. Traffic intended for that IP
address is now sent to the attacker instead of being sent to the intended destination.
The attacker can send faked, or “spoofed,” ARP messages on the LAN.
This example describes how to configure DHCP snooping and dynamic ARP inspection
(DAI), two port security features, to protect the switch against ARP spoofing attacks:
Requirements
Before you configure DHCP snooping and DAI, two port security features, to mitigate
ARP spoofing attacks, be sure you have:
■ Configured the VLAN employee-vlan on the switch.

This example describes how to protect the switch against one common type of attack,
an ARP spoofing attack.

In an ARP spoofing attack, the attacker sends faked ARP messages, thus creating
various types of mischief on the LAN—for example, the attacker might launch a
man-in-the middle attack.

switch that is connected to a DHCP server. The setup for this example includes the
VLAN employee-vlan on the switch. The procedure for creating that VLAN is described
in the topic Example: Setting Up Bridging with Multiple VLANs for EX-series Switches.
That procedure is not repeated here. Figure 33 on page 600 illustrates the topology
for this example.
Properties Settings

192.0.2.17 through 192.0.2.30
Interfaces in employee-vlan ge-0/0/1,ge-0/0/2, ge-0/0/3, ge-0/0/8


■ DHCP snooping is disabled on the VLAN employee-vlan.
■ All access ports are untrusted, which is the default setting.
Configuration
To configure DHCP snooping and dynamic ARP inspection (DAI) to protect the switch
against ARP attacks:
CLI Quick Configuration To quickly configure DHCP snooping and dynamic ARP inspection (DAI), copy the

set interface ge-0/0/8 dhcp-trusted
set vlan employee-vlan examine-dhcp
set vlan employee-vlan arp-inspection
Step-by-Step Procedure Configure DHCP snooping and dynamic ARP inspection (DAI) on the VLAN:
1. Set the ge-0/0/8 interface as trusted:

user@switch# set interface ge-0/0/8 dhcp-trusted

user@switch# set vlan employee-vlan examine-dhcp
3. Enable DAI on the VLAN:


user@switch# show
dhcp-trusted;
}
arp-inspection
examine-dhcp;
}
Verification
■ Verifying That DHCP Snooping Is Working Correctly on the Switch on page 598
■ Verifying That DAI Is Working Correctly on the Switch on page 598
Verifying That DHCP Snooping Is Working Correctly on the Switch

Display the DHCP snooping information when the port on which the DHCP server
connects to the switch is trusted. The following output results when requests are sent
from the MAC addresses and the server has provided the IP addresses and leases:
----------------- ---------- ----- ---- ---- ---------
00:05:85:3A:82:77 192.0.2.17 600 dynamic employee-vlan ge-0/0/1.0
00:05:85:27:32:88 192.0.2.22 3200 dynamic employee-vlan ge-0/0/3.0
the lease expires.
Verifying That DAI Is Working Correctly on the Switch

Purpose Verify that DAI is working on the switch.

--------------- --------------- -------------------- ---------------------
ge-0/0/1.0 7 5 2
ge-0/0/2.0 10 10 0
ge-0/0/3.0 12 12 0
Related Topics
Example: Configuring Allowed MAC Addresses to Protect the Switch from DHCP
In one type of attack on the DHCP snooping database, an intruder introduces a DHCP
client on an untrusted access interface with a MAC address identical to that of a client
on another untrusted interface. The intruder then acquires the DHCP lease of that
other client, thus changing the entries in the DHCP snooping table. Subsequently,
what would have been valid ARP requests from the legitimate client are blocked.
This example describes how to configure allowed MAC addresses, a port security
feature, to protect the switch from DHCP snooping database alteration attacks:
Requirements

Before you configure specific port security features to mitigate common

access-inteface attacks, be sure you have:

This example describes how to protect the switch from an attack on the DHCP
snooping database that alters the MAC addresses assigned to some clients.

switch that is connected to a DHCP server.
Properties Settings

Table 92: Components of the Port Security Topology (continued)

192.0.2.17 through 192.0.2.30

■ DHCP snooping is enabled on the VLAN employee-vlan.
■ All access ports are untrusted, which is the default setting.
Configuration
To configure allowed MAC addresses to protect the switch against DHCP snooping
database alteration attacks:
CLI Quick Configuration To quickly configure some allowed MAC addresses on an interface, copy the following

Step-by-Step Procedure To configure some allowed MAC addresses on an interface:Configure the five allowed
MAC addresses on an interface:[edit ethernet-switching-options
secure-access-port]user@switch# set interface ge-0/0/2 allowed-mac
00:05:85:3A:82:80user@switch# set interface ge-0/0/2 allowed-mac
00:05:85:3A:82:88

user@switch# show
allowed-mac [ 00:05:85:3a:82:80 00:05:85:3a:82:81 00:05:85:3a:82:83 00:05:85
:3a:82:85 00:05:85:3a:82:88 ];
}
Verification
■ Verifying That Allowed MAC Addresses Are Working Correctly on the
Switch on page 602
Verifying That Allowed MAC Addresses Are Working Correctly on

the Switch
Action Display the MAC cache information:


What It Means The output shows that the five MAC addresses configured as allowed MAC addresses
have been learned and are displayed in the MAC cache. The last MAC address in the
list, one that had not been configured as allowed, has not been added to the list of
learned addresses.
Related Topics
Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series

You can configure DHCP snooping, dynamic ARP inspection (DAI), and MAC limiting
on the access interfaces of EX-series switches to protect the switch and the Ethernet
LAN against address spoofing and Layer 2 denial-of-service (DoS) attacks. To obtain
those basic settings, you can use the switch's default configuration for port security,
configure an action for the MAC limit, and enable DHCP snooping and DAI on a
VLAN. You can configure those features when the DHCP server is connected to a
different switch from the one to which the DHCP clients (network devices) are
connected.
This example describes how to configure port security features on an EX-series switch
whose hosts obtain IP addresses and lease times from a DHCP server attached to a
second switch:
■ Configuring a VLAN, Interfaces, and Port Security Features on Switch 1 on page 605
■ Configuring a VLAN and Interfaces on Switch 2 on page 608
Requirements
■ One EX 3200-24P switch—“Switch 1” in this example.
■ An additional EX-series switch—”Switch 2” in this example. You will not configure
port security on this switch.
■ JUNOS Release 9.0 or later for EX-series switches.
■ A DHCP server connected to Switch 2. You will use the server to provide IP
addresses to network devices connected to Switch 1.
■ At least two network devices (hosts) that you will connect to access interfaces
on Switch 1. These devices will be DHCP clients.
Before you configure DHCP snooping, DAI, and MAC limiting port security features,
be sure you have:
■ Connected the DHCP server to Switch 2.

To protect the devices from such attacks, you can configure:
Example: Configuring DHCP Snooping, DAI , and MAC Limiting on an EX-series Switch with Access to a DHCP Server Through a Second
Switch ■ 603
■ DHCP snooping to validate DHCP server messages

■ DAI to protect against ARP spoofing
■ MAC limiting to constrain the number of MAC addresses the switch adds to its
MAC address cache
This example shows how to configure these port security features on an EX 3200
switch, which is Switch 1 in this example. (You could also use an EX 4200 switch for
this example.) Switch 1 is attached to a switch that is not configured with port security
features. That second switch (Switch 2) is connected to a DHCP server. (See
Figure 39 on page 604. ) Network devices (hosts) that are connected to Switch 1 will
send requests for IP addresses (that is, the devices will be DHCP clients). Those
requests will be transmitted from Switch 1 to Switch 2 and then to the DHCP server
connected to Switch 2. Responses to the requests will be transmitted along the reverse
path from the one followed by the requests.
The setup for this example includes the VLAN employee-vlan on both switches.
Figure 39 on page 604 shows the network topology for the example.
Figure 39: Network Topology for Port Security Setup with Two Switches on Same
VLAN
Table 93: Components of Port Security Setup on Switch 1 with a DHCP Server Connected to Switch 2
Properties Settings

Table 93: Components of Port Security Setup on Switch 1 with a DHCP Server Connected to Switch 2 (continued)
Switch hardware One EX 3200-24P (Switch 1), and an additional EX-series switch
(Switch 2)

192.0.2.17 through 192.0.2.30
Trunk interface on both switches ge-0/0/11
Access interfaces on Switch 1 ge-0/0/1, ge-0/0/2, and ge-0/0/3
Access interface on Switch 2 ge-0/0/1
Interface for DHCP server ge-0/0/1 on Switch 2
Switch 1 is initially configured with the default port security setup. In the default
configuration on the switch:
■ The switch does not drop any packets, which is the default setting.
■ A dynamic limit on the maximum number of MAC addresses to be “learned”
per port by the switch is already set in the default configuration. The default limit
is 5.
■ DHCP snooping and dynamic ARP inspection (DAI) are disabled on all VLANs.
■ All access interfaces are untrusted and trunk interfaces are trusted; these are the
default settings.
In the configuration tasks for this example, you configure a VLAN on both switches.
In addition to configuring the VLAN, you enable DHCP snooping on Switch 1. In this
example, you'll also enable DAI and a MAC limit of 5 on Switch 1.
Because the interface that connects Switch 2 to Switch 1 is a trunk interface, you do
not have to configure this interface to be trusted. As noted above, trunk interfaces
are automatically trusted, so DHCP messages coming from the DHCP server to Switch
2 and then on to Switch 1 are trusted.
Configuring a VLAN, Interfaces, and Port Security Features on Switch 1

To configure a VLAN, interfaces, and port security features on Switch 1:
Configuring a VLAN, Interfaces, and Port Security Features on Switch 1 ■ 605


CLI Quick Configuration To quickly configure a VLAN, interfaces, and port security features, copy the following
[edit]
set ethernet-switching-options secure-access-port interface ge-0/0/1 mac–limit 5
action drop
set ethernet-switching-options secure-access-port vlan employee-vlan arp–inspection
set ethernet-switching-options secure-access-port vlan employee-vlan examine–dhcp
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 20
set vlans employee–vlan vlan-id 20
Step-by-Step Procedure To configure MAC limiting, a VLAN, and interfaces on Switch 1 and enable DAI and
DHCP on the VLAN :
1. Configure the VLAN employee-vlan with VLAN ID 20:
[edit vlans]
2. Configure an interface on Switch 1 as a trunk interface:
[edit interfaces]
trunk
3. Associate the VLAN with interfaces ge-0/0/1, ge-0/0/2, ge-0/0/3, and ge-0/0/11:
[edit interfaces]
20
20
20
20

user@switch1# set vlan employee-vlan examine-dhcp
5. Enable DAI on the VLAN:
606 ■ Configuring a VLAN, Interfaces, and Port Security Features on Switch 1

user@switch1# set vlan employee-vlan arp-inspection
6. Configure a MAC limit of 5 on ge-0/0/1 and specify that the address be dropped
if the limit has been exceeded:

user@switch1# set interface ge-0/0/1 mac-limit 5 action drop
[edit]
user@switch1# show
interface ge-0/0/1.0{
}
arp-inspection;
examine-dhcp;
}
}
}
interfaces {
ge-0/0/1 {
unit 0 {
vlan {
members 20;
}
}
}
}
ge-0/0/2 {
unit 0 {
vlan {
members 20;
}
}
}
}
ge-0/0/3 {
unit 0 {
vlan {
members 20;
}
}
}
}
ge-0/0/11 {
Configuring a VLAN, Interfaces, and Port Security Features on Switch 1 ■ 607

unit 0 {
port-mode trunk;
vlan {
members 20;
}
}
}
}
}
vlans {
employee-vlan {
vlan-id 20;
}
}
Configuring a VLAN and Interfaces on Switch 2

To configure the VLAN and interfaces on Switch 2:
CLI Quick Configuration To quickly configure the VLAN and interfaces on Switch 2, copy the following
[edit]
Step-by-Step Procedure To configure the VLAN and interfaces on Switch 2:
1. Configure an interface on Switch 2 as a trunk interface:
[edit interfaces]
user@switch2# set ge-0/0/11 unit 0 ethernet-switching port-mode trunk
2. Associate the VLAN with interfaces ge-0/0/1 and ge-0/0/11:
[edit interfaces]
20
20
608 ■ Configuring a VLAN and Interfaces on Switch 2

[edit]
user@switch2# show
interfaces {
ge-0/0/1 {
unit 0 {
vlan {
members 20;
}
}
}
}
ge-0/0/11 {
unit 0 {
port-mode trunk;
vlan {
members 20;
}
}
}
}
}
vlans {
employee-vlan {
vlan-id 20;
}
}
Verification
■ Verifying That DHCP Snooping Is Working Correctly on Switch 1 on page 609
■ Verifying That DAI Is Working Correctly on Switch 1 on page 610
■ Verifying That MAC Limiting Is Working Correctly on Switch 1 on page 610
Verifying That DHCP Snooping Is Working Correctly on Switch 1

Purpose Verify that DHCP snooping is working on Switch 1.
Display the DHCP snooping information when the interface through which Switch 2
sends the DHCP server replies to clients connected to Switch 1 is trusted. The server
has provided the IP addresses and leases:
user@switch1> show dhcp snooping binding
----------------- ---------- ----- ---- ---- ---------

What It Means The output shows, for each MAC address, the assigned IP address and lease time—that
is, the time, in seconds, remaining before the lease expires.
Verifying That DAI Is Working Correctly on Switch 1

Purpose Verify that DAI is working on Switch 1.

user@switch1> show arp inspection statistics
--------------- --------------- -------------------- ---------------------
ge-0/0/1.0 7 5 2
ge-0/0/2.0 10 10 0
ge-0/0/3.0 18 15 3
Verifying That MAC Limiting Is Working Correctly on Switch 1

Purpose Verify that MAC limiting is working on Switch 1.
Action Display the MAC addresses that are learned when DHCP requests are sent from hosts
on ge-0/0/1:
user@switch1> show ethernet-switching table


What It Means The sample output shows that five MAC addresses have been learned for interface
ge-0/0/1, which corresponds to the MAC limit of 5 set in the configuration. The last
610 ■ Verifying That DAI Is Working Correctly on Switch 1

line of the output shows that a sixth MAC address request was dropped, as indicated
by the asterisk (*) in the MAC address column.
Related Topics


Chapter 41
Configuring 802.1X, Port Security, and
VoIP
■ Configuring 802.1X Authentication on EX-series Switches (CLI

■ Configuring 802.1X Authentication (J-Web Procedure) on page 616
■ Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 619
■ Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI
■ Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI
■ Configuring LLDP on EX-series Switches (CLI Procedure) on page 625
■ Configuring LLDP (J-Web Procedure) on page 626
■ Configuring LLDP-MED on EX-series Switches (CLI Procedure) on page 627
■ Configuring VoIP on EX-series Switches (CLI Procedure) on page 629
■ Configuring Port Security (CLI Procedure) on page 630
■ Configuring Port Security (J-Web Procedure) on page 632
■ Enabling DHCP Snooping on a VLAN (CLI Procedure) on page 634
■ Enabling DHCP Snooping on a VLAN (J-Web Procedure) on page 635
■ Enabling a Trusted DHCP Server on an Interface (CLI Procedure) on page 636
■ Enabling a Trusted DHCP Server on an Interface (J-Web Procedure) on page 636
■ Enabling DAI on a VLAN (CLI Procedure) on page 638
■ Enabling DAI on a VLAN (J-Web Procedure) on page 639
an Interface (CLI Procedure) on page 640
an Interface (J-Web Procedure) on page 641
■ Configuring MAC Move Limiting on a VLAN (CLI Procedure) on page 643
■ Configuring MAC Move Limiting on a VLAN (J-Web Procedure) on page 643
■ Setting the none Action on an Interface to Override a MAC Limit Applied to All
Interfaces on page 644
■ 613
Configuring 802.1X Authentication on EX-series Switches (CLI Procedure)

IEEE 802.1X authentication provides network edge security, protecting Ethernet
LANs from denial-of-service (DoS) attacks and preventing unauthorized user access.
802.1X works by using an Authenticator Port Access Entity (the switch) to block all
traffic to and from a supplicant (client) at the port until the supplicant's credentials
are presented and matched on the Authentication server (a RADIUS server). When
authenticated, the switch stops blocking and opens the port to the supplicant.
To configure 802.1X authentication:

■ Specify the RADIUS server to be used as the authentication server.
■ Specify the 802.1X exclusion list, used to specify which supplicants can bypass
802.1X authentication and be automatically connected to the LAN.
■ Specify 802.1X port settings on the switch.
1. Configuring the RADIUS Server on page 614

2. Configuring the 802.1X Exclusion List on page 615
3. Configuring 802.1X Port Settings on page 615
Configuring the RADIUS Server
To configure a RADIUS server:

1. Define the address of the server, and configure the secret password. The secret
password on the switch must match the secret password on the server:

user@switch# set access radius 10.0.0.100 secret juniper
2. Configure the authentication order, making radius the first method of

authentication:

user@switch# set profile1 authentication-order radius
3. Configure a list of server IP addresses to be tried in order to authenticate the

supplicant:

user@switch# set profile1 radius authentication-server 10.0.0.100
10.2.14.200
614 ■ Configuring 802.1X Authentication on EX-series Switches (CLI Procedure)

Chapter 41: Configuring 802.1X, Port Security, and VoIP
Configuring the 802.1X Exclusion List

Configure any MAC addresses, supplicants, or interfaces to be excluded from 802.1X
authentication—that is, they will be authenticated.
To configure the 802.1X exclusion:

1. Specify a MAC address to be excluded from 802.1X authentication:
[edit dot1x]
user@switch# set authenticator static 00:04:0f:fd:ac:fe
2. Configure a supplicant to bypass authentication if connected through a particular

interface:
[edit dot1x]
user@switch# set authenticator static 00:04:0f:fd:ac:fe interface ge-0/0/5
3. Once a supplicant is authenticated, configure a supplicant to be moved to a

specific VLAN:
[edit dot1x]
user@switch# set authenticator static 00:04:0f:fd:ac:fe interface ge-0/0/5
vlan-assignment default-vlan
Configuring 802.1X Port Settings

Configure the supplicant mode, reauthentication, the administrative mode, and
timeout values.
To configure the port settings:

1. Configure the supplicant mode as single (authenticates the first supplicant),
single-secure (authenticates only one supplicant), or multiple (authenticates
multiple supplicants):
[edit dot1x]
user@switch# set authenticator interface ge-0/0/5 supplicant multiple
2. Enable reauthentication:
[edit dot1x]
user@switch# set authenticator interface ge-0/0/5/0 reauthentication
interval 5
3. Specify the action to be taken in case of an authentication failure:

4. Configure the port timeout value for the response from the supplicant:
[edit dot1x]
user@switch# set authenticator interface ge-0/0/5 supplicant-timeout 5
Configuring the 802.1X Exclusion List ■ 615

5. Configure the timeout for the port before it resends an authentication request
to the RADIUS server:
[edit dot1x]
user@switch# set authenticator interface ge-0/0/5 server-timeout 5
6. Configure how long the interface waits before retransmitting the initial EAPOL
PDUs to the supplicant:
[edit dot1x]
user@switch# set authenticator interface ge-0/0/5 transmit-period 5
Related Topics
Switch
■ Monitoring 802.1X Authentication
■ Configuring VoIP on EX-series Switches
Configuring 802.1X Authentication (J-Web Procedure)

To configure 802.1X settings using J-Web:
1. From the Configure menu, select Security > 802.1X.
The 802.1X screen displays a list of interfaces, whether 802.1X security has been
enabled, and the assigned port role.
When you select a particular interface, the Details section displays 802.1X details
for the selected interface.
2. Click one:
■ RADIUS Servers—Specifies the RADIUS server to be used for authentication.
Select the checkbox to select the required server. Click Add or Edit to add or
modify the RADIUS server settings. Enter information as specified in
■ Exclusion List — Excludes hosts from the 802.1X authentication list by
specifying the MAC address. Click Add or Edit in the Exclusion list screen to
include or modify the MAC addresses. Enter information as specified in
■ Edit— Specifies 802.1X settings for the selected interface

■ Apply 802.1X Profile—Applies a pre-defined 802.1X profile based on

the port role. If a message appears asking if you want to configure a
RADIUS server, click Yes.
■ 802.1X Configuration—Configures custom 802.1X settings for the
selected interface. If a message appears asking if you want to configure
a RADIUS server, click Yes. Enter information as specified in
Table 94 on page 617. To configure 802.1X settings enter information
as specified in Table 96 on page 618.
■ Delete — Deletes 802.1X authentication configuration on the selected

interface.
Table 94: RADIUS Server Settings
IP Address Specifies the IP address of the server. Enter the IP address in dotted decimal
notation.
Password Specifies the login password. Enter the password.
Confirm Password Verifies the login password for the server. Reenter the password.
Server Port Number Specifies the port with which the server is associated. Type the port number.
Source Address Specifies the source address of the server. Type the server’s 32-bit IP address, in
dotted decimal notation.
Retry Attempts Specifies the number of login retries allowed after a Type the number.
login failure.
Timeout Specifies the time interval to wait before the Type the interval in seconds.
connection to the server is closed.
Table 95: 802.1X Exclusion List
MAC Address Specifies the MAC address to be excluded from Enter the MAC address.
802.1X authentication.
Exclude if connected Specifies that the host can bypass authentication Select to enable the option. Select the port
through the port if it is connected through a particular interface. through which the host is connected.
Move the host to the VLAN Specifies moving the host to a specific VLAN once Select to enable the option. Select the
the host is authenticated. VLAN from the list.
Configuring 802.1X Authentication (J-Web Procedure) ■ 617

Table 96: 802.1X Port Settings
Supplicant Mode
Supplicant Mode Specifies the mode to be adopted for supplicants: Select the required mode.
■ Single — allows only one host for
authentication.
■ Multiple — allows multiple hosts for
authentication. Each host is checked before
being admitted to the network.
■ Single authentication for multiple hosts —
Allows multiple hosts but only the first is
authenticated.
Authentication
Enable Specifies enabling reauthentication on the 1. Select to enable reauthentication.

re-authentication selected interface.
2. Enter the timeout for reauthentication in
seconds.
Action on Specifies the action to be taken in case of an Select one:

authentication authentication failure.
failure ■ Move to the Guest VLAN — Select the VLAN
to move the interface to.
■ Deny — the host is not permitted access.
Timeouts Specifies timeout values for each action. Enter the value in seconds for:
■ Port waiting time after an authentication failure
■ EAPOL re-transmitting interval
■ Max. EAPOL requests
■ Maximum number of retries
■ Port timeout value for the response from the
supplicant
■ Port timeout value for the response from the
RADIUS server
Related Topics

Configuring 802.1X RADIUS Accounting (CLI Procedure)

RADIUS accounting permits statistical data about users logging onto or off a LAN to
be collected and sent to a RADIUS accounting server. The statistical data gathered
can be used for general network monitoring, to analyze and track usage patterns, or
to bill a user based upon the amount of time or type of services accessed.
To configure basic RADIUS accounting using the CLI:

1. Specify the accounting servers to which the switch will forward accounting
statistics:
[edit access]
user@switch# set profile profile1 radius accounting-server [122.69.1.250
122.69.1.252]
2. Define the RADIUS accounting servers:
[edit access]
user@switch# set radius 122.69.1.250 secret juniper
user@switch# set radius 122.69.1.252 secret juniper1
3. Enable accounting for an access profile:
[edit access]
user@switch# set profile profile 1 accounting
4. Configure the RADIUS servers to use while sending accounting messages and
updates:
[edit access]
user@switch# set profile profile 1 accounting order radius none
5. Configure the statistics to be collected on the switch and forwarded to the

accounting server:
[edit access]
user@switch# set profile profile 1 accounting order stop-on-access-deny
user@switch# set profile profile 1 accounting order stop-on-failure
6. Display accounting statistics collected on the switch:
user@switch> show network-access aaa statistics accounting
Accounting module statistics

Requests received: 1
Accounting Response failures: 0
Accounting Response Success: 1
Requests timedout: 0
7. Display accounting statistics on the accounting server:
Configuring 802.1X RADIUS Accounting (CLI Procedure) ■ 619

[root@freeradius]# <REVIEWER< WHAT WOULD BE THE COMMAND ON RADIUS SERVER?

Is this a portion of the display log?
Accounting-ON
rad_recv: Accounting-Request packet from host 10.93.32.128:55575, id=152,
length=48
Acct-Status-Type = Accounting-On
NAS-Identifier = "ex–sereis–24t-2a-02"
NAS-Port-Type = Virtual
rlm_radutmp: NAS latte24t-2a-02 restarted (Accounting-On packet seen)
Sending Accounting-Response of id 152 to 10.93.32.128 port 55575
Accounting-Start
-------------------------
length=72
User-Name = "def"
NAS-Port = 4259840
Acct-Status-Type = Start
Acct-Session-Id = "8O2.1x80310"
NAS-Identifier = "ex–series–24t-2a-02"
Accounting-Stop
-------------------------
length=120
User-Name = "def"
NAS-Port = 4259840
Acct-Status-Type = Stop
Acct-Session-Id = "8O2.1x80310"
Acct-Input-Octets = 60
Acct-Output-Octets = 72
Acct-Session-Time = 120
Acct-Input-Packets = 1
Acct-Output-Packets = 1
Acct-Terminate-Cause = User-Request
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
NAS-Identifier = "ex–series–24t-2a-02"
Related Topics
Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure)

EX-series switches support a new set of filtering attributes that are used in conjunction
with 802.1X authentication to further define access to a LAN.

The following procedure uses FreeRADIUS to configure a RADIUS server. For specifics
on configuring your server, consult the accompanying AAA documentation that was
included with your server.
This topic includes the following tasks:
1. Load the Juniper Dictionary on page 621
2. Configuring Match Conditions and Actions on page 622
3. Combining a Filter-ID with a VSA on page 622
Load the Juniper Dictionary
Load the Juniper Dictionary containing the set of filtering attributes: called
Juniper-Switching-Filter, attribute ID 48.
1. Load the Juniper Dictionary:
[root@freeradius]# cd usr/share/freeradius/dictionary.juniper
# dictionary.juniper
#
# As posted to the list by Eric Kilfoil ekilfoil #
# Version: $Id: dictionary.juniper,v 1.2.6.1 2005/11/30 22:17:25
aland Exp
$
# VENDOR Juniper 2636
BEGIN-VENDOR Juniper
ATTRIBUTE Juniper-Local-User-Name 1 string
ATTRIBUTE Juniper-Allow-Commands 2 string
ATTRIBUTE Juniper-Deny-Commands 3 string
ATTRIBUTE Juniper-Allow-Configuration 4 string
ATTRIBUTE Juniper-Deny-Configuration 5 string
ATTRIBUTE Juniper-Firewall-Filter 44 string
ATTRIBUTE Juniper-Switching-Filter 48 string
<—
2. If the attribute Juniper-Switching-Filter is not displayed in the dictionary, you can

copy and paste it under the dictionary, and save the file:
#
aland Exp
$
Load the Juniper Dictionary ■ 621


copy and paste the entire string here
<—
Configuring Match Conditions and Actions

Configure the match conditions and the associated action that should be applied.
For information about options used with the match and action command, see
Understanding 802.1X and VSAs on EX-series Switches.
1. Configure the match conditions and the action:
What would the actual command be to configure the user displayed in
step 2?
[root@freeradius]# cat dictionary.juniper

Juniper-Switching-Filter = "Match Destination-mac 00:01:02:AB:CD:EF, Ip-
protocol 100 Action Loss-priority high"
2. Display the configuration results:

Reviewer, what would be the command to do this?
[root@freeradius]# REVIEWER, what would the command be to do this?

user3 Auth-Type := EAP, User-Password == "password3"
Juniper-Switching-Filter = "Match Destination-mac
00:01:02:AB:CD:EF, Ip-
protocol 100 Action Loss-priority high",
Combining a Filter-ID with a VSA

To centralize an ACL and avoid configuring it on multiple switches in the LAN, the
filter ID (the name of the ACL) can be added to the RADIUS server and associated
with a supplicant. Whenever a supplicant attempts to authenticate through 802.1X,
the ACL will also be applied using the filter-id.
To add a filter ID to a VSA:

Reviewer, I thought this was combining a VSA and an ACL, but is it really
like that? Seems like it is just centralizing the ACL.
1. Configure the filter ID to be applied:
Filter-Id == "access-eng"

622 ■ Configuring Match Conditions and Actions


Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure)

EX-series switches support a new set of filtering attributes that are used in conjunction
with 802.1X authentication to further define access to a LAN.
The following procedure uses FreeRADIUS to configure a RADIUS server. For specifics
on configuring your server, consult the accompanying AAA documentation that was
included with your server.
This topic includes the following tasks:
1. Load the Juniper Dictionary on page 623
2. Configuring Match Conditions and Actions on page 624
3. Combining a Filter-ID with a VSA on page 624
Load the Juniper Dictionary
Load the Juniper Dictionary containing the set of filtering attributes: called
Juniper-Switching-Filter, attribute ID 48.
1. Load the Juniper Dictionary:
#
aland Exp
$
ATTRIBUTE Juniper-Switching-Filter 48 string
<—
2. If the attribute Juniper-Switching-Filter is not displayed in the dictionary, you can

copy and paste it under the dictionary, and save the file:
Filtering 802.1X Supplicants Using Vendor-Specific Attributes (CLI Procedure) ■ 623

#
aland Exp
$
copy and paste the entire string here
<—
Configuring Match Conditions and Actions

Configure the match conditions and the associated action that should be applied.
For information about options used with the match and action command, see
Understanding 802.1X and VSAs on EX-series Switches.
1. Configure the match conditions and the action:
What would the actual command be to configure the user displayed in
step 2?
[root@freeradius]# cat dictionary.juniper

Juniper-Switching-Filter = "Match Destination-mac 00:01:02:AB:CD:EF, Ip-
protocol 100 Action Loss-priority high"


Juniper-Switching-Filter = "Match Destination-mac
00:01:02:AB:CD:EF, Ip-
protocol 100 Action Loss-priority high",
Combining a Filter-ID with a VSA

To centralize an ACL and avoid configuring it on multiple switches in the LAN, the
filter ID (the name of the ACL) can be added to the RADIUS server and associated
with a supplicant. Whenever a supplicant attempts to authenticate through 802.1X,
the ACL will also be applied using the filter-id.
624 ■ Configuring Match Conditions and Actions

To add a filter ID to a VSA:

Reviewer, I thought this was combining a VSA and an ACL, but is it really
like that? Seems like it is just centralizing the ACL.
1. Configure the filter ID to be applied:


Configuring LLDP on EX-series Switches (CLI Procedure)

EX-series switches use Link Layer Discovery Protocol (LLDP) and Link Layer Discovery
Protocol Media Endpoint Discovery (LLDP-MED) to learn and distribute device
information on network links. The information allows the switch to quickly identify
a variety of devices, resulting in a LAN that interoperates smoothly and efficiently.
To configure basic LLDP options using the CLI:

1. Configure the advertisement interval in seconds to specify the frequency at which
LLDP advertisements are sent:
[edit protocols lldp]

user@switch# set advertisement-interval 45
2. Configure the frequency in seconds at which LLDP advertisements are sent from
the switch in the first second after it has detected an LLDP-capable device:

user@switch# set lldp 45
3. Specify the multiplier used in combination with the advertisement-interval value

to determine the length of time LLDP information is held before it is discarded:

user@switch# set hold-multiplier 5
4. Configure the delay between 2 successive LLDP advertisements:
Configuring LLDP on EX-series Switches (CLI Procedure) ■ 625


user@switch# set transmit-delay 5
5. Configure LLDP on all interfaces or on a specific interface:

user@switch# set interface all
6. Configure tracing operations for the LLDP protocol:

user@switch# set traceoptions file lldptrace
Related Topics
Switch
■ Configuring LLDP (J-Web Procedure)
Configuring LLDP (J-Web Procedure)

Use the LLDP Configuration page to configure LLDP global and port settings.
To configure LLDP:
1. From the Configure menu, select the option Switching > LLDP.
The LLDP Configuration page displays LLDP Global Settings and Port Settings.
The second half of the screen displays operational details for the selected port.
2. To modify LLDP Global Settings, click Global Settings.
Enter information as described in Table 97 on page 626.

3. To modify Port Settings, click Edit in the Port Settings section.
Enter information as described in Table 98 on page 627.
Table 97: Global Settings
Advertising interval Specifies the frequency of outbound LLDP advertisements. You can Type the number of seconds.
increase or decrease this interval.

Table 97: Global Settings (continued)
Transmit delay Specifies a delay-interval setting that the switch uses to delay transmitting Type the delay time in
successive advertisements. You can increase this interval to reduce the seconds.
frequency of successive advertisements.
Hold multiplier Specifies the multiplier factor to be used by an LLDP-enabled switch to Type the required number in
calculate the time-to-live (TTL) value for the LLDP advertisements it the field.
generates and transmits to LLDP neighbors.
Fast start count Specifies the LLDP refresh-interval setting (default: 3 seconds) for Type the Fast start count
transmitting advertisements. It can cause an unacceptable delay in MED interval.
device configuration. You can temporarily override the refresh-interval
setting. This results in the port initially advertising LLD–MED at a faster
rate for a limited time.
Table 98: Edit Port Settings
LLDP Status Specifies whether LLDP has been enabled on the port. Select one: Enabled, Disabled, or None.
LLDP-MED Status Specifies whether LLDP–MED has been enabled on Select Enable from the list.
the port.
Related Topics
Configuring LLDP-MED on EX-series Switches (CLI Procedure)

Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED) is an extension
of LLDP. The switch uses LLDP-MED to support device discovery of VoIP telephones
and to create location databases for these telephone locations for emergency services.
The location information configured is used during emergency calls to identify the
location of the LLDP-MED device.
To configure basic LLDP-MED options using the CLI:

1. Configure the frequency at which LLDP-MED advertisements are sent from the
switch in the first second after it has detected an LLDP-MED device:
[edit protocols lldp-med]

user@switch# set fast-start 6
2. Configure LLDP-MED on all interfaces or on a specific interface:


user@switch# set interface ge-0/0/2.0
3. Configure the location information that is advertised from the switch to the
LLDP-MED device. You can specify a civic-based location (geographic location)
or a location based on an elin (emergency location identification string):
■ To specify a civic-based location:
user@switch# set protocols lldp-med interface ge—0/0/2.0 location

civic-based ca-type 1 ca-value “El Dorado County”

civic-based ca-type 2 ca-value CA

civic-based ca-type 3 ca-value Somerset

civic-based ca-type 6 ca-value “Mount Aukum Road”

civic-based ca-type 19 ca-value 6450

civic-based ca-type 21 ca-value “Holiday Market”
■ To specify location using an elin string:
user@switch# set protocols lldp-med interface ge—0/0/2.0 location elin

4085551212
You can display the configuration settings using the show lldp command:

user@switch> show lldp
LLDP : Enabled
Advertisement interval : 30 seconds
Transmit delay : 2 seconds
Hold timer : 2 seconds
Config Trap Interval : 60 seconds
Connection Hold timer : 300 seconds
LLDP MED : Enabled

MED fast start count : 6 Packets
Interface LLDP LLDP-MED
628 ■ Configuring LLDP-MED on EX-series Switches (CLI Procedure)

all Enabled -
ge-0/0/2.0 - Enabled
Related Topics
■ Configuring LLDP (J-Web Procedure)
Switch
■ Configuring VoIP on EX-series Switches
Configuring VoIP on EX-series Switches (CLI Procedure)

EX-series switches support Voice over IP (VoIP). Configuring VoIP on your switch
enables you to establish telephone calls over the internet. VoIP is configured on
Power over Ethernet (PoE) interfaces.
VoIP is configured on Power over Ethernet interfaces. See Configuring PoE on an

EX-series Switch (CLI Procedure) for more information about configuring PoE
interfaces.
VoIP also uses uses LLDP and LLDP-MED protocol information to forward VoIP
parameters from the RADIUS server to the phone. for more information about
configuring PoE interfaces. See Configuring LLDP-MED on EX-series Switches (CLI
Procedure) and Configuring LLDP on EX-series Switches (CLI Procedure) for more
information about configuring these protocols.
NOTE: The PoE configuration is not necessary if a VoIP supplicant is using a power
adapter.
To configure basic VoIP options using the CLI:

1. Configure the VLAN tag associated with the voice-vlan:
2. Configure the VLAN on the logical interface:
[edit]
set interface ge-0/0/2 unit 0 family ethernet-switching vlan members
voice-vlan
3. Configure the voice-vlan on the interface:
[edit ethernet—switching—options voip interface ge-0/0/2]

user@switch# set vlan voice-vlan
4. Specify the forwarding class assured-forwarding for the most dependable service:

[edit ethernet—switching—options voip interface ge-0/0/2]

user@switch# set voice-vlan forwarding-class assured-forwarding
Related Topics
Switch
■ Understanding 802.1X and VoIP on EX-series Switches
Configuring Port Security (CLI Procedure)

Ethernet LANs are vulnerable to attacks such as address spoofing and Layer 2 denial
of service (DoS) on network devices. Port security features such as DHCP snooping,
DAI (dynamic ARP inspection), MAC limiting, and MAC move limiting, as well as
trusted DHCP server, help protect the access ports on your switch against the losses
of information and productivity that can result from such attacks.
To configure port security features using the CLI:

1. Enable DHCP snooping:
■ On a specific VLAN:
[edit ethernet-switching-options secure-access port]

user@switch# set vlan default examine-dhcp
■ On all VLANs:

user@switch# set vlan all examine-dhcp
2. Enable DAI:
■ On a single VLAN (here, the VLAN is employee-vlan):

user@switch# set vlan employee–vlan arp-inspection
■ On all VLANs:

user@switch# set vlan all arp-inspection
3. Limit the number of dynamic MAC addresses and specify the action to take if
the limit is exceeded—for example, set a MAC limit of 5 with an action of drop:
■ On a single interface (here, the interface is ge-0/0/1):


■ On all interfaces:

user@switch# set interface all mac–limit 5 action drop
4. Specify allowed MAC addresses:


user@switch# set interface ge–0/0/2 allowed-mac 00:05:85:3A:82:80

user@switch# set interface all allowed-mac 00:05:85:3A:82:80
5. Limit the number of times a MAC address can move from its original interface
in one second—for example, set a MAC move limit of 5 with an action of drop
if the limit is exceeded:

user@switch# set vlan employee–vlan mac-move-limit 5 action drop
■ On all VLANs:

set vlan all mac–move-limit 5 action drop
6. Configure a trusted DHCP server on an interface (here, the interface is ge-0/0/8):

user@switch# set interface ge–0/0/8 dhcp-trusted
Configuring Port Security (CLI Procedure) ■ 631

Related Topics
■ Monitoring Port Security
Configuring Port Security (J-Web Procedure)

To configure port security using the J-Web interface:
1. From the Configure menu select the option Security > Port Security.
The first part of the screen displays a VLAN list with the VLAN name, VLAN
identifier, port members, and port security VLAN features.
The second part of the screen displays a list of all ports and whether security
features have been enabled on the ports.
2. Click one:
■ Edit — Click this option to modify the security features for the selected port
or VLAN.
Enter information as specified in Table 99 on page 632 to modify Port Security

settings on VLANs.
Enter information as specified in Table 100 on page 633 to modify Port

Security settings on interfaces.
■ Activate/Deactivate — Click this option to enable or disable security on the
switch.
Table 99: Port Security Settings on VLANs
DHCP Snooping Allows the switch to monitor and control DHCP Select to enable DHCP snooping on a specified
messages received from untrusted devices connected VLAN or all VLANs.
to the switch. Builds and maintains a database of valid
IP addresses/MAC address bindings. (By default, access
ports are untrusted and trunk ports are trusted.)
ARP Inspection Uses information in the DHCP snooping database to Select to enable ARP inspection on a specified
validate ARP packets on the LAN and protect against VLAN or all VLANs. (Configure any port on which
ARP cache poisoning. you do not want ARP inspection to occur as a
trusted DHCP server port.)

Table 99: Port Security Settings on VLANs (continued)
MAC Movement Prevents hosts whose MAC addresses have not been Enter the required number.
learned by the switch from accessing the network.
Specifies the number of times per second that a MAC
address can move to a new interface.
MAC Movement Specifies the action to be taken if the MAC move limit Select one:
Action is exceeded.
■ Log—Generate a system log entry, an SNMP
trap, or an alarm.
■ Drop—Drop the packets and generate a
system log entry, an SNMP trap, or an alarm.
■ Shutdown—Block data traffic on the
interface and generate an alarm.
■ None— No action to be taken.
Table 100: Port Security on Interfaces
Trust DHCP Specifies trusting DHCP packets on the selected Select to enable DHCP trust.
interface. By default trunk ports are dhcp-trusted.
MAC Limit Specifies the number of MAC addresses that can Enter the required number.
be learned on a single Layer 2 access port. This
option is not valid for trunk ports.
MAC Limit Action Specifies the action to be taken if the MAC limit is Select one:
exceeded. This option is not valid for trunk ports.
■ Log—Generate a system log entry, an SNMP
trap, or an alarm.
■ Drop—Drop the packets and generate a system
log entry, an SNMP trap, or an alarm.
■ Shutdown—Block data traffic on the interface
and generate an alarm.
■ None— No action to be taken.
Allowed MAC List Specifies the MAC addresses that are allowed for To add a MAC address:
the interface.
1. Click Add.
2. Enter the MAC address.
3. Click OK.
Configuring Port Security (J-Web Procedure) ■ 633

Related Topics
Enabling DHCP Snooping on a VLAN (CLI Procedure)

database.
To enable DHCP snooping on a VLAN or all VLANs by using the CLI:

■ On a specific VLAN (here, the VLAN is default):

user@switch# set vlan default examine-dhcp
■ On all VLANs:

user@switch# set vlan all examine-dhcp
Related Topics
Spoofing Attacks
■ Verifying That DHCP Snooping Is Working Correctly

Enabling DHCP Snooping on a VLAN (J-Web Procedure)

database.
To enable DHCP snooping on one or more VLANs by using the J-Web interface:
1. Select Configure>Security>Port Security.
2. Select one or more VLANs from the VLAN list.
3. Click the Edit button. If a message appears asking if you want to enable port
security, click Yes.
4. Select the Enable DHCP Snooping on VLAN check box and then click OK.
5. Click OK after the command has been successfully delivered.
NOTE: You can enable or disable port security on the switch at any time by clicking
the Activate or Deactivate button on the Port Security Configuration page. If security
status is shown as Disabled when you try to edit settings for any VLANs or interfaces
(ports), the message asking if you want to enable port security appears.
Related Topics
Spoofing Attacks
Enabling DHCP Snooping on a VLAN (J-Web Procedure) ■ 635

Enabling a Trusted DHCP Server on an Interface (CLI Procedure)

You can configure any interface on the switch that connects to a DHCP server as a
trusted interface (port). Configuring a DHCP server on a trusted interface protects
against rogue DHCP servers sending leases.
You configure a trusted DHCP server on an interface, not on a VLAN. By default, all
access interfaces are untrusted and all trunk interfaces are trusted.
To configure a trusted interface for a DHCP server by using the CLI (here, the interface
is ge-0/0/8):

user@switch# set interface ge–0/0/8 dhcp-trusted
Related Topics
■ Verifying That a Trusted DHCP Server Is Working Correctly
Enabling a Trusted DHCP Server on an Interface (J-Web Procedure)

You can configure any interface on the switch that connects to a DHCP server as a
trusted interface (port). Configuring a DHCP server on a trusted interface protects
against rogue DHCP servers sending leases.
You configure a trusted DHCP server on an interface, not on a VLAN. By default, all
access interfaces are untrusted and all trunk interfaces are trusted.
To enable a trusted DHCP server on one or more interfaces by using the J-Web
interface:
2. Select one or more interfaces from the Port list.
4. Select the Trust DHCP check box and then click OK.
636 ■ Enabling a Trusted DHCP Server on an Interface (CLI Procedure)

Related Topics
■ Verifying That a Trusted DHCP Server Is Working Correctly

Enabling DAI on a VLAN (CLI Procedure)

poisoning.
disabled for all VLANs.
To enable dynamic ARP inspection (DAI) on a VLAN or all VLANs using the CLI:

■ On all VLANs:

user@switch# set vlan all arp-inspection
Related Topics
Spoofing Attacks
■ Verifying That DAI Is Working Correctly
638 ■ Enabling DAI on a VLAN (CLI Procedure)

Enabling DAI on a VLAN (J-Web Procedure)

poisoning.
disabled for all VLANs.
To enable DAI on one or more VLANs by using the J-Web interface:

4. Select the Enable ARP Inspection on VLAN check box and then click OK.
Related Topics
Spoofing Attacks
Enabling DAI on a VLAN (J-Web Procedure) ■ 639

Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, on an

Interface (CLI Procedure)
MAC limiting protects against flooding of the Ethernet switching table. MAC limiting
sets a limit on the number of MAC addresses that can be learned on a single Layer
2 access interface (port).
JUNOS software provides two MAC limiting methods:

■ Maximum number of dynamic MAC addresses allowed per interface—As soon
as the limit is reached, incoming packets with new MAC addresses are dropped.
■ Specific “allowed” MAC addresses for the access interface—Any MAC address
that is not in the list of configured addresses is not learned.
You configure MAC limiting for each interface, not for each VLAN. In the default
configuration, the limit for dynamically learned MAC addresses for each interface is
5 and the action that the switch will take if that limit is exceeded is none.
To configure MAC limiting on a specific interface or on all interfaces, using the CLI:
1. For limiting the number of dynamic MAC addresses, set a MAC limit of 5 with
an action of drop if the limit is exceeded:


user@switch# set interface all mac–limit 5 action drop
2. For specifying specific allowed MAC addresses:



640 ■ Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, on an Interface (CLI Procedure)
Related Topics
Attacks
■ Verifying That MAC Limiting Is Working Correctly
Interfaces
EX-series Switches
Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, on an

Interface (J-Web Procedure)

You configure MAC limiting for each interface, not for each VLAN. In the default
configuration, the limit for dynamically learned MAC addresses for each interface is
5 and the action that the switch will take if that limit is exceeded is none.
To enable MAC limiting on one or more interfaces using the J-Web interface:
2. Select one or more interfaces from the Port list.
4. To set a dynamic MAC limit:
1. Type a limit value in the MAC Limit box.
2. Select an action from the MAC Limit Action box. The switch takes this action
when the limit is exceeded.
5. To set allowed MAC addresses:

1. Click Add.
2. Type the allowed MAC address and click OK.
Repeat this step to add more allowed MAC addresses.

6. Click OK when you have finished setting MAC limits.
Related Topics
Attacks
Interfaces
EX-series Switches

Configuring MAC Move Limiting on a VLAN (CLI Procedure)

MAC move limiting detects MAC address movement and MAC address spoofing on
access ports. It prevents hosts whose MAC addresses have not been learned by the
switch from accessing the network.
You configure MAC move limiting for each VLAN, not for each interface (port). In
the default configuration, the MAC move limit for each VLAN is unlimited. The default
action that the switch will take if a limit is set and then that limit is exceeded is none.
To configure a MAC move limit on a specific VLAN or on all VLANs, using the CLI:

user@switch# set vlan employee–vlan mac-move-limit 5 action drop
■ On all VLANs:

set vlan all mac–move-limit 5 action drop
Related Topics
■ Configuring MAC Move Limiting on a VLAN (J-Web Procedure)
■ Verifying That MAC Move Limiting Is Working Correctly
EX-series Switches
Configuring MAC Move Limiting on a VLAN (J-Web Procedure)

MAC move limiting detects MAC movement and MAC spoofing on access ports. It
prevents hosts whose MAC addresses have not been learned by the switch from
accessing the network.
You configure MAC move limiting for each VLAN, not for each interface (port). In
the default configuration, the MAC move limit for each VLAN is unlimited; the default
action that the switch will take if a limit is set and then that limit is exceeded is none.
To enable MAC move limiting on one or more VLANs by using the J-Web interface:
Configuring MAC Move Limiting on a VLAN (CLI Procedure) ■ 643

4. To set a MAC move limit:
1. Type a limit value in the MAC Movement box.
2. Select an action from the MAC Movement Action box. The switch takes this
action when the limit is exceeded.
3. Click OK.
Related Topics
■ Configuring MAC Move Limiting on a VLAN (CLI Procedure)
■ Verifying That MAC Move Limiting Is Working Correctly
EX-series Switches
Setting the none Action on an Interface to Override a MAC Limit Applied to All
Interfaces
If you set a MAC limit in your port security settings to apply to all interfaces on the
switch, you can override that setting for a particular interface by specifying action
none.
To use the none action to override a MAC limit setting:

1. Set the MAC limit—for example, a limit of 5 with action drop:

user@switch# set interface all mac-limit 5 action drop
2. Then change the action for one interface (here, ge-0/0/2) with this command.
You don't need to specify a limit value.

user@switch# set interface ge–0/0/2 mac-limit action none

Related Topics


Chapter 42
Verifying 802.1X, Port Security, and VoIP
■ Monitoring 802.1X Authentication on page 647

■ Monitoring Port Security on page 648
■ Verifying That DHCP Snooping Is Working Correctly on page 649
■ Verifying That a Trusted DHCP Server Is Working Correctly on page 650
■ Verifying That DAI Is Working Correctly on page 651
■ Verifying That MAC Limiting Is Working Correctly on page 652
■ Verifying That MAC Move Limiting Is Working Correctly on page 656
Monitoring 802.1X Authentication

Purpose Use the monitoring feature to display details of authenticated users and users who
have failed authentication.
Action To display authentication details in the J-Web interface, select Monitoring > Security
> 802.1X.
To display authentication details in the CLI, enter the following commands:

■ show dot1x interface detail | display xml
■ show dot1x interface detail <interface> | display xml
■ show dot1x auth-failed-users
What It Means The details displayed include:

■ A list of authenticated users.
■ The number of bypassed users and the total number of users connected.
■ A list of users who have failed authentication
You can also specify an interface for which the details must be displayed.
Related Topics
Monitoring 802.1X Authentication ■ 647


Monitoring Port Security

Purpose Use the monitoring functionality to view these port security details:
■ DHCP snooping database for a VLAN or all VLANs
■ ARP inspection details for all interfaces
Action To monitor port security in the J-Web interface, select Monitor > Security > Port
Security.
To monitor and manipulate the DHCP snooping database and ARP inspection statistics
in the CLI, enter the following commands:
■ show dhcp snooping binding
■ clear dhcp snooping binding—In addition to clearing the whole database, you can
clear database entries for specified VLANs or MAC addresses.
■ show arp inspection statistics
■ clear arp inspection statistics
What It Means The J-Web Port Security Monitoring page comprises two sections:
■ DHCP Snooping—Displays the DHCP snooping database for all the VLANs for
which DHCP snooping is enabled. To view the DHCP snooping database for a
specific VLAN, select the specific VLAN from the list.
■ ARP Inspection—Displays the ARP inspection details for all interfaces. The
information includes details of the number of packets that passed ARP inspection
and the number of packets that failed the inspection. The pie chart graphically
represents these statistics when you select an interface. To view ARP inspection
statistics for a specific interface, select the interface from the list.
You have the following options on the page:

■ Clear ALL—Clears the DHCP snooping database, either for all VLANs if the option
ALL has been selected in the Select VLANs list or for the specific VLAN that has
been selected in that list.
■ Clear—Deletes a specific IP address from the DHCP snooping database.
To clear ARP statistics on the page, click Clear All in the ARP Statistics section.
Use the CLI commands to show and clear DHCP snooping database and ARP
inspection statistics details.
Related Topics
648 ■ Monitoring Port Security

Chapter 42: Verifying 802.1X, Port Security, and VoIP

Verifying That DHCP Snooping Is Working Correctly

leases:
----------------- ---------- ----- ---- ---- ---------
the lease expires.

----------------- ---------- ----- ---- ---- ---------
Verifying That DHCP Snooping Is Working Correctly ■ 649

Related Topics
Spoofing Attacks
■ Troubleshooting Port Security
Verifying That a Trusted DHCP Server Is Working Correctly

Purpose Verify that a DHCP trusted server is working on the switch. See what happens when
the DHCP server is trusted and then untrusted.
leases:
----------------- ---------- ----- ---- ---- ---------
the lease expires.

----------------- ---------- ----- ---- ---- ---------


Related Topics
■ Troubleshooting Port Security
Verifying That DAI Is Working Correctly

Purpose Verify that dynamic ARP inspection (DAI) is working on the switch.

--------------- --------------- -------------------- ---------------------
ge-0/0/1.0 7 5 2
ge-0/0/2.0 10 10 0
ge-0/0/3.0 12 12 0

Related Topics
Spoofing Attacks
Verifying That MAC Limiting Is Working Correctly


To verify MAC limiting configurations:

1. Verifying That MAC Limiting for Dynamic MAC Addresses Is Working
Correctly on page 652
2. Verifying That Allowed MAC Addresses Are Working Correctly on page 653
3. Verifying Results of Various Action Settings When the MAC Limit Is
Exceeded on page 653
4. Customizing the Ethernet Switching Table Display to View Information for a
Specific Interface on page 655
Verifying That MAC Limiting for Dynamic MAC Addresses Is

Working Correctly
Purpose Verify that MAC limiting for dynamic MAC addresses is working on the switch.
Action Display the MAC addresses that have been learned. The following sample output
shows the results when two DHCP requests were sent from hosts on ge-0/0/1 and
five DHCP requests were sent from hosts on ge-0/0/2, with both interfaces set to a
MAC limit of 4 with the action drop:



What It Means The sample output shows that with a MAC limit of 4 for each interface, the DHCP
MAC limit. The address was not learned, and thus an asterisk (*) rather than an
address appears in the MAC address column in the first line of the sample output.
Verifying That Allowed MAC Addresses Are Working Correctly

Action Display the MAC cache information after allowed MAC addresses have been configured
on an interface. The following sample shows the MAC cache after 5 allowed MAC
addresses had been configured on interface ge/0/0/2. In this instance, the interface
was also set to a dynamic MAC limit of 4 with action drop.

What It Means Because the MAC limit value for this interface had been set to 4, only four of the five
configured allowed addresses were learned and thus added to the MAC cache. Because
that fifth address was not learned, an asterisk (*) rather than an address appears in
the MAC address column in the last line of the sample output.
Verifying Results of Various Action Settings When the MAC Limit

Is Exceeded
Purpose Verify the results provided by the various action settings for MAC limits—drop, log,
and shutdown—when the limits are exceeded.
Action Display the results of the various action settings.
Verifying That Allowed MAC Addresses Are Working Correctly ■ 653

NOTE: You can view log messages by using the show log messages command. You
can also have the log messages displayed by configuring the monitor start messages
with the monitor start messages command.
■ drop action—For MAC limiting configured with a drop action and with the MAC
limit set to 5:

employee—vlan * Flood - ge-0/0/2.0
employee—vlan 00:05:85:3A:82:80 Learn 0 ge-0/0/2.0
■ log action—For MAC limiting configured with a log action and with MAC limit
set to 5:

. . .
654 ■ Verifying Results of Various Action Settings When the MAC Limit Is Exceeded
■ shutdown action—For MAC limiting configured with a shutdown action and with
MAC limit set to 3:

What It Means For the drop action results—The sixth MAC address exceeded the MAC limit. The
request packet for that address was dropped. Only five MAC addresses have been
learned on ge-0/0/2.
For the log action results—The sixth MAC address exceeded the MAC limit. No MAC
addresses were blocked.
For the shutdown action results—The fourth MAC address exceeded the MAC limit.
The request packet for that address was dropped. Only three MAC addresses have
been learned on ge-0/0/2. Data traffic on ge-0/0/2 is blocked.
NOTE: With action set to shutdown, the show ethernet-switching interfaces detail
command shows the interface as blocked.
If you set a MAC limit to apply to all interfaces on the switch, you can override that
setting for a particular interface by specifying action none. See Setting the none
Action on an Interface to Override a MAC Limit Applied to All Interfaces.
Customizing the Ethernet Switching Table Display to View

Information for a Specific Interface
Purpose You can use the show ethernet-switching table interface command to view information
for a specific interface.
Action For example, to view information for just the ge-0/0/2 interface, type:
user@switch> show ethernet-switching table interface ge-0/0/2.0
Customizing the Ethernet Switching Table Display to View Information for a Specific Interface ■ 655
Related Topics
Attacks
Verifying That MAC Move Limiting Is Working Correctly

Purpose Verify that MAC move limiting is working on the switch.
Action Display the MAC addresses in the Ethernet switching table when MAC move limiting
has been configured for a VLAN. The following sample shows results after two of the
hosts on ge-0/0/2 sent DHCP requests after the MAC addresses for those hosts had
moved to other interfaces more than five times in 1 second. The VLAN, employee-vlan,
was set to a MAC move limit of 5 with the action drop:


What It Means The last two lines of the sample output show that DHCP requests for two hosts on
ge-/0/0/2 were dropped when the hosts had been moved back and forth from the
original interfaces more than five times in 1 second. The MAC addresses for those
hosts were not learned.
NOTE: For descriptions of the results of the various action settings—drop, log, and
shutdown—see Verifying That MAC Limiting Is Working Correctly

Related Topics


Chapter 43
Configuration Statements for 802.1X,
Port Security, and VoIP
■ [edit access] Configuration Statement Hierarchy on page 659

[edit access] Configuration Statement Hierarchy
access {
profile profile-name {
accounting {
order [ radius | none ];
stop-on-f;
}
authentication-order [ authentication-method ];
radius {
accounting-server [ server-address ];
authentication-server [ server-address ];
}
}
}
Related Topics

protocols {
dot1x {
authenticator {
static {
mac-address {
[edit access] Configuration Statement Hierarchy ■ 659

}
}
disable;
reauthentication {
interval seconds;
}
retries number;
}
}
gvrp {
<enable | disable>;
disable;
}
}
igmp-snooping {
forwarding-cache {
threshold {
reuse number;
}
timeout minutes;
}
traceoptions {
<match regex>;
}
immediate-leave;
group-limit limit;
static {
group ip-address;
}
}
proxy-mode {

Chapter 43: Configuration Statements for 802.1X, Port Security, and VoIP
}
}
}
lldp {
disable;
disable;
}
traceoptions {
<match regex>;
}
}
lldp-med {
disable;
fast-start number;
disable;
location {
elin number;
civic-based {
what number;
country-code code;
ca-type {
number {
ca-value value;
}
}
}
}
}
}
mstp {
disable;
hello-time seconds;
disable;
cost cost;
edge;
mode mode;
priority priority;

}
max-age seconds;
max-hops hops;
msti msti-id {
disable;
cost cost;
edge;
mode mode;
priority priority;
}
}
}
rstp {
disable;
hello-time seconds;
disable;
cost cost;
edge;
mode mode;
priority priority;
}
max-age seconds;
}
stp {
disable;
hello-time seconds;
disable;
cost cost;
edge;
mode mode;
priority priority;
}
max-age seconds;
}
}
analyzer {
name {
662 ■ [edit ethernet-switching-options] Configuration Statement Hierarchy

ratio number;
input {
ingress {
}
egress {
}
output {
}
}
}
group-name name {
}
}
allowed-mac {
mac-address-list;
}
mac-limit action;
}
}
}
}
Related Topics

access
Syntax access {
profile {
authentication-order [ldap radius | none];
accounting {
order [radius | none];
stop-on-failure;
}
radius {
accounting-server [server-addresses];
authentication-server [server-addresses];
}
}
}
Description Configure authentication, authorization, and accounting (AAA) services.
Default Not enabled
Required Privilege Level admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.
Related Topics
664 ■ access
accounting-server
Syntax accounting-server [server-addresses];
Hierarchy Level [edit access profile profile-name radius]
Description Configure the Remote Authentication Dial-In User Service (RADIUS) server for
authentication. To configure multiple RADIUS servers, include multiple server
addresses. The servers are tried in order and in a round-robin fashion until a valid
response is received from one of the servers or until all the configured retry limits
are reached.
Default Not enabled
Options server-addresses—One or more addresses of RADIUS authentication servers.

Related Topics
■ show network-access aaa statistics authentication
accounting-server ■ 665
advertisement-interval
Syntax advertisement-interval seconds;
Hierarchy Level [edit protocols lldp]
Description For switches configured for Link Layer Discovery Protocol, configure the frequency
at which LLDP advertisements are sent.
Default default information (optional)
Options seconds—(Optional) The number of seconds.

Range: 5 through 32,768 seconds
Default: 30 seconds
Related Topics
■ show lldp
■ Configuring LLDP on EX-series Switches
666 ■ advertisement-interval
allowed-mac
Syntax allowed-mac {
mac-address-list;
}
Hierarchy Level [edit ethernet-switching-options secure-access-port interface (all | interface-name)]
Description Specify particular MAC addresses to be added to the MAC address cache.
Default Allowed MAC addresses take precedence over dynamic MAC values that have been
applied with the mac-limit statement.
Options mac-address-list—One or more MAC addresses configured as allowed MAC addresses

for a specified interface or all interfaces.

Related Topics
■ mac-limit
Attacks
allowed-mac ■ 667
arp-inspection
Syntax (arp-inspection | no-arp-inspection);
Hierarchy Level [edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]
Description Perform dynamic ARP inspection on all VLANs or on the specified VLAN.
■ arp-inspection—Enable ARP inspection.
■ no-arp-inspection—Disable ARP inspection.
Default Disabled.

Related Topics
Spoofing Attacks
668 ■ arp-inspection
authentication-order
Syntax authentication-order [ldap radius | none];
Hierarchy Level [edit access profile profile-name]
Description Configure the order of authentication, authorization, and accounting (AAA) servers
to use while sending authentication messages.
Default Not enabled
Options ldap—Lightweight Directory Access Protocol.
none—No authentication for specified subscribers.
radius—Remote Authentication Dial-In User Service authentication.

Related Topics
authentication-order ■ 669
authenticator
Syntax authenticator {
static {
mac-address {
vlan-assignment (vlan-id |vlan-name);
interface interface-names;
}
}
}
Hierarchy Level [edit protocols dot1x]
Description Configure an authenticator for 802.1X authentication.
Default No static MAC address or VLAN is configured.

Related Topics
670 ■ authenticator
authenticator-profile-name
Syntax authenticator-profile-name access-profile-name;
Hierarchy Level [edit protocols dot1x authenticator]
Description Specify the name of the access profile to be used for 802.1X authentication.
Default No access profile is specified.
Options access-profile-name—Name of the access profile. The access profile is configured at

the [edit access profile] hierarchy level and contains the RADIUS server IP address
and other information used for 802.1X authentication.

Related Topics
authenticator-profile-name ■ 671
authentication-server
Syntax authentication-server [server-addresses];
Hierarchy Level [edit access profile profile-name radius]
Description Configure the Remote Authentication Dial-In User Service (RADIUS) server for
authentication. To configure multiple RADIUS servers, include multiple server
addresses. The servers are tried in order and in a round-robin fashion until a valid
response is received from one of the servers or until all the configured retry limits
are reached.
Default Not enabled
Options server-addresses—Configure one or more RADIUS server addresses.

Related Topics
672 ■ authentication-server
ca-type
Syntax ca-type {
number {
ca-value value;
}
}
Hierarchy Level [edit protocols lldp-med interface (all | interface-name location civic-based)]

Description For Link Layer Discovery Protocol Media Endpoint Device (LLDP-MED), configure
the address elements. These elements are included in the location information to be
advertised from the switch to the MED. This information is used during emergency
calls to identify the location of the MED.
For further information about the values that can be used to comprise the location,,
refer to RFC 4776, Dynamic Host Configuration Protocol (DHCPv4 and DHCPv6) Option
for Civic Addresses Configuration Information. A subset of those values is provided
below.
The ca-value statement is explained separately.
Default Disabled.
Options value—Civic address elements that represent the civic or postal address. Values are:
■ 0—A code that specifies the language used to describe the location.
■ 16—The leading-street direction, such as “N”.
■ 17—A trailing street suffix, such as “SW”.
■ 18—A street suffix or type, such as “Ave” or “Platz”.
■ 19—A house number, such as “6450”.
■ 20—A house-number suffix, such as “A” or “1/2”.
■ 21—A landmark, such as “Stanford University”.
■ 22—Additional location information, such as “South Wing”.
■ 23—The name and occupant of a location, such as “Carrillo's Holiday Market”.
■ 24—A house-number suffix, such as “95684”.
■ 25—A building structure, such as “East Library”.

Related Topics
ca-type ■ 673
■ show lldp
Switch
ca-value
Syntax ca-value value;
Hierarchy Level [edit protocols lldp-med interface (all | interface-name ) location civic-based ca-type
number]

location information, such as street address and city, that is indexed by the ca-type
code. This information is advertised from the switch to the MED and is used during
emergency calls to identify the location of the MED.
Default Disabled.
Options value—Specify a value that correlates to the ca-type. See ca-type for a list of codes
and suggested values.

Related Topics
■ show lldp
Switch
674 ■ ca-value
civic-based
Syntax civic-based {
what number;
country-code code;
ca-type {
number {
ca-value value;
}
}
}
Hierarchy Level [edit protocols lldp-med interface (all | interface-name) location]

the geographic location to be advertised from the switch to the MED. This information
is used during emergency calls to identify the location of the MED.
Default Disabled.

Related Topics
■ show lldp
civic-based ■ 675
country-code
Syntax country-code code;
Hierarchy Level [edit protocols lldp-med interface (all | interface-name)]

the two-letter country code to include in the location information. Location information
is advertised from the switch to the MED, and is used during emergency calls to
identify the location of the MED.
Default Disabled.
Options code—Two-letter ISO 3166 country code in capital ASCII letters; for example, US or
DE.

Related Topics
■ show lldp
Switch
676 ■ country-code
dhcp-trusted
Syntax (dhcp-trusted | no-dhcp-trusted);
Description Allow DHCP responses from the specified interfaces (ports) or all interfaces.
■ dhcp-trusted—Allow DHCP responses.
■ no-dhcp-trusted—Deny DHCP responses.
Default Trusted for trunk ports, untrusted for access ports.

Related Topics
dhcp-trusted ■ 677
disable
Syntax disable;
Hierarchy Level [edit protocols dot1x authenticator interface (all | [interface-names])]
Description Disable 802.1X authentication on a specified interface or all interfaces.
Default 802.1X authentication is disabled on all interfaces.

Related Topics
■ show dot1x
Switch
678 ■ disable
disable
Syntax disable;
Hierarchy Level [edit protocols lldp],

[edit protocols interface lldp]
Description Disable the LLDP configuration on the switch or on one or more interfaces.
Default If you do not configure LLDP, it is disabled on the switch and on specific switch
interfaces.

Related Topics
■ show lldp
disable
Syntax disable;
Hierarchy Level [edit protocols lldp-med],

[edit protocols lldp-med interface]
Description Disable the LLDP-MED configuration on the switch or on one or more interfaces.
Default If you do not configure LLDP-MED, it is disabled on the switch and on specific switch
interfaces.

Related Topics
■ show lldp
disable ■ 679
dot1x
Syntax dot1x {
authenticator {
static {
mac-address {
interface interface-names;
}
}
interface (all | [ interface-names ]) {
disable;
maximum-requests number;
reauthentication {
interval seconds;
}
retries number;
}
}
Description Configure 802.1X authentication for Port-Based Network Access Control.
Default 802.1X is disabled.

Related Topics
■ show dot1x
■ clear dot1x
680 ■ dot1x

Switch
elin
Syntax elin number;
Hierarchy Level [edit protocols lldp-med interface (all | interface-name location)]

the Emergency Line Identification Number (ELIN) as location information. Location
information is advertised from the switch to the MED and is used during emergency
calls to identify the location of the MED.
Default Disabled.
Options number—Configure a 10-digit number (area code and telephone number).

Related Topics
■ show lldp
elin ■ 681
analyzer {
name {
ratio number;
input {
ingress {
}
egress {
}
output {
}
}
}
group-name name {
}
}
allowed-mac {
mac-address-list;
}
}
}
voip{
vlan vlan-name ;
network-control>;
}
}
}
}
682 ■ ethernet-switching-options

Related Topics
examine-dhcp
Syntax (examine-dhcp | no-examine-dhcp);
Description Enable DHCP snooping on all VLANs or on the specified VLAN.
■ examine-dhcp—Enable DHCP snooping.
■ no-examine-dhcp—Disable DHCP snooping.
Default Disabled.

Related Topics
Spoofing Attacks

fast-start
Syntax fast-start number;
Description Configure the frequency at which Link Layer Discovery Protocol advertisements are
sent from the switch in the first second after it has detected an LLDP-capable device.
Options seconds—Number of advertisements.

Range: 1 through 10
Default: 3
Related Topics
fast-start
Syntax fast-start seconds;
Hierarchy Level [edit protocols lldp-med]
Description Configure the frequency at which Link Layer Discovery Protocol Media Endpoint
(LLDP-MED) advertisements are sent from the switch in the first second after it has
detected an LLDP-MED device (such as an IP telephone).
Options count seconds—Number of advertisements.

Range: 1 through 10
Default: 3
Related Topics
■ show lldp
684 ■ fast-start
forwarding-class
Syntax forwarding-class < assured-forwarding | best-effort | expedited-forwarding |network-control

>;
Hierarchy Level [edit ethernet-switching-options voip interface <all | interface-name | access-ports]>

vlan (vlan-id | vlan-name | untagged)]

Description For EX-series switches, configure the forwarding class used to handle packets on the
VoIP interface.
Default not enabled
Options class—Forwarding class:

■ assured-forwarding— Assured forwarding (AF)—Provides a group of values you
can define and includes four subclasses: AF1, AF2, AF3, and AF4, each with
three drop probabilities: low, medium, and high.
■ best-effort—Provides no service profile. For the best effort forwarding class, loss
priority is typically not carried in a class-of-service (CoS) value, and random early
detection (RED) drop profiles are more aggressive.
■ expedited-forwading—Provides a low loss, low latency, low jitter, assured
bandwidth, end-to-end service.
■ network-control—Provides a typically high priority because it supports protocol
control.

Related Topics
Switch
forwarding-class ■ 685
guest-vlan
Syntax guest-vlan (vlan-id | vlan-name);
Description Specify the VLAN to which an interface is moved when no 802.1X supplicants are
connected on the interface. The VLAN specified must already exist on the switch.
Default None
Options vlan-id—VLAN tag identifier of the guest VLAN.
vlan-name—Name of the guest VLAN.

Related Topics
686 ■ guest-vlan
hold-multiplier
Syntax hold-multiplier number;
Description Specify the multiplier used in combination with the advertisement-interval value to
determine the length of time LLDP information is held before it is discarded. The
default value is 4 (or 120 seconds).
Default Disabled.
Options number—A number used as a multiplier.

Range: 2 through 10
Default: 4 (or 120 seconds)
Related Topics
■ show lldp
hold-multiplier ■ 687
interface
Syntax interface (all | interface-name) {

allowed-mac {
mac-address-list;
}
}
Hierarchy Level [edit ethernet-switching-options secure-access-port]
Description Apply port security features to all interfaces or to the specified interface.
Options all—Apply port security features to all interfaces.
interface-name—Apply port security features to the specified interface.

Related Topics
Attacks
688 ■ interface
interface
Syntax interface (all | [interface-name] | access-ports) {

vlan vlan-name );
network-control>;
}
Hierarchy Level [edit ethernet-switching-optionsvoip]
Description Enable voice over IP (VoIP) for all interfaces or specific interfaces.
Options all | interface-name | access-ports—Enable VoIP on all interfaces, on a specific interface,

or on all access ports.

Related Topics
Switch
interface ■ 689
interface
Syntax interface (all | [ interface-names ]) {

disable;
maximum-requests number;
reauthentication {
interval seconds;
}
retries number;
}
Hierarchy Level [edit protocols dot1x authenticator]
Description Configure 802.1X authentication for Port-Based Network Access Control for all
interfaces or for specific interfaces.
Options all—Configure all interfaces for 802.1X authentication.
[interface-names ]— List of interfaces to configure for 802.1X authentication.

Related Topics
■ show dot1x
■ clear dot1x
690 ■ interface
lldp
Syntax lldp {
disable;
fast-start number;
disable;
}
traceoptions {
regex>;
}
}

Description Configure Link Layer Discovery Protocol (LLDP). The switch uses LLDP to advertise
its identity and capabilities on a LAN, as well as receive information about other
network devices. LLDP is defined in the IEEE standard 802.1AB-2005.
Default to be added

Related Topics
■ show lldp
■ Configuring LLDP-MED on EX-series Switches
lldp ■ 691
lldp-med
Syntax lldp-med {
disable;
fast-start number;
disable;
location {
elin number;
civic-based {
what number;
country-code code;
ca-type {
number {
ca-value value;
}
}
}
}
}
}
Description Configure Link Layer Discovery Protocol Media Endpoint Discovery. LLDP-MED is
an extension of LLDP. The switch uses LLDP-MED to support device discovery of
VoIP telephones and to create location databases for these telephone locations for
emergency services. LLDP-MED is defined in the standard ANSI/TIA-1057 by the
Telecommunications Industry Association (TIA).
Default Disabled.

Related Topics
■ show lldp
Switch
692 ■ lldp-med
location
Syntax location {
elin number;
civic-based {
what number;
country-code code;
ca-type{
number {
ca-value value;
}
}
}
}
Hierarchy Level [edit protocols lldp-med interface (all | interface-name)]

the Location information. Location information is advertised from the switch to the
MED. This information is used during emergency calls to identify the location of the
MED.
The statements are explaine separately.
Default Disabled.

Related Topics
■ show lldp
Switch
location ■ 693
mac-limit
Syntax mac-limit;
limit action action;
Description Number of MAC addresses to dynamically add to the MAC address cache for this
interface (port) and action to be taken by the switch if the MAC address learning limit
is reached on the interface (port).
Default The default limit is 5 MAC addresses for each interface (port). The default action is
no action (none).
Options limit—Maximum number of MAC addresses.
action—Action to take when the MAC address limit is reached:

■ none—No action. This is the default.
entry .
log entry.

Related Topics
■ allowed-mac
Attacks
694 ■ mac-limit
mac-move-limit
Syntax mac-move-limit;
limit action action;
Description Number of times a MAC address can move to a new interface (port) in 1 second, and
the action to be taken by the switch if the MAC address move limit is reached.
Default The default move limit is unlimited. The default action is no action (none).
Options limit—Maximum number of moves to a new interface per second.
action—Action to take when the MAC address move limit is reached:

■ none—No action. This is the default.
entry.
log entry.

Related Topics
■ mac-limit
mac-move-limit ■ 695
maximum-requests
Syntax maximum-requests number;
Description For 802.1X authentication, configure the maximum number of times an EAPOL
request packet is retransmitted to the supplicant before the authentication session
times out.
Default Two retransmission attempts
Options number—Number of retransmission attempts.

Range: 1 through 10
Default: 2
Related Topics
no-reauthentication
Syntax no-reauthentication;
Description For 802.1X authentication, disables reauthentication.
Default Not disabled

Related Topics
696 ■ maximum-requests
profile
Syntax profile profile-name {

accounting {
order [radius | none];
stop-on-failure;
}
authentication-order [authentication-method];
radius {
}
}
Hierarchy Level [edit access]
Description Configure an access profile. The access profile contains the entire authentication,
authorization, and accounting (AAA) configuration that aids in handling AAA requests,
including the authentication method and order, AAA server addresses, and AAA
accounting.
Default Not enabled
Options profile-name—Profile name of up to 32 characters.

Related Topics
profile ■ 697
quiet-period
Syntax quiet-period seconds;
Description For 802.1X authentication, configure the number of seconds the interface remains
in the wait state following a failed authentication attempt by a supplicant before
reattempting authentication.
Default 60 seconds
Options seconds—Number of seconds the interface remains in the wait state.

Default: 60 seconds
Related Topics
698 ■ quiet-period
radius
Syntax radius {
}
Hierarchy Level [edit access profile profile-name]
Description Configure the Remote Authentication Dial-In User Service (RADIUS) servers for
authentication and for accounting. To configure multiple RADIUS servers, include
multiple radiusstatements. The servers are tried in order and in a round-robin fashion
until a valid response is received from one of the servers or until all the configured
retry limits are reached.

Related Topics
radius ■ 699
reauthentication
Syntax reauthentication {
interval seconds;
}
Description For 802.1X authentication, specify reauthentication parameters.
Default 3600 seconds.
Options disable—Disables the periodic reauthentication of the supplicant.
interval seconds—Sets the periodic reauthentication time interval. The range is 1

through 65,535 seconds.

Related Topics
700 ■ reauthentication
retries
Syntax retries number;
Description For 802.1X authentication, configure the number of times the switch attempts to
authenticate the port after an initial failure. The port remains in a wait state during
the quiet period after the authentication attempt.
Default 3 retries
Options number—Number of retries.

Range: 1 through 10
Default: 3
Related Topics
retries ■ 701
secure-access-port
Syntax secure-access-port {
allowed-mac {
mac-address-list;
}
}
}
}
Description Configure port security features, including MAC limiting and whether interfaces can
receive DHCP responses, and apply dynamic ARP inspection, DHCP snooping, and
MAC move limiting to no VLANs, specific VLANs, or all VLANs.

Related Topics
Attacks
Spoofing Attacks
702 ■ secure-access-port
server-timeout
Syntax server-timeout seconds;
Hierarchy Level [edit protocols dot1x authenticator interface (all | [interface-name])

Description For 802.1X authentication, configure the amount of time a port will wait for a reply
when relaying a response from the supplicant to the authentication server before
timing out and invoking the server-fail action.
Default 30 seconds
Options seconds—Number of seconds.

Default: 30 seconds
Related Topics
■ show dot1x
■ clear dot1x
server-timeout ■ 703
static
Syntax static {
[mac-address] {
vlan-assignment (vlan-name | vlan-id);
interface [interface-names];
}
}
}
Hierarchy Level [edit protocols dot1x authenticator authenticator-profile-name]
Description Configure MAC addresses to exclude from 802.1X authentication. The static MAC
list provides an authentication bypass mechanism for supplicants connecting to a
port, permitting devices such as printers that are not 802.1X-enabled to be connected
to the network on 802.1X-enabled ports.
Using this 802.1X authentication-bypass mechanism, the supplicant connected to

the MAC address is assumed to be successfully authenticated and the port is opened
for it. No further authentication is done for the supplicant.
You can optionally configure the VLAN that the supplicant is moved to or the interfaces
on which the MAC address can gain access from.
Options mac-address—The MAC address of the device for which 802.1X authentication should
be bypassed and the device permitted access to the port.

Related Topics
■ show dot1x static-mac-address
■ Understanding 802.1X Static MAC on EX-series Switches
704 ■ static
stop-on-access-deny
Syntax stop-on-access-deny;
Hierarchy Level [edit access profile profile-name accounting]
Description Configures the authentication order for authentication, authorization, and accounting
(AAA) services to send an Acct-Stop message if the AAA server denies access to a
supplicant.
Default Not enabled

Related Topics
stop-on-failure
Syntax stop-on-failure;
Hierarchy Level [edit access profile profile-name accounting]
Description Configure authentication order for authentication, authorization, and accounting
(AAA) services to send an Acct-Stop message if a supplicant fails AAA authorization,
but the RADIUS server grants access. For example, a supplicant might fail AAA
authentication due to an internal error such as a timeout.
Default Not enabled

Related Topics
■ Configuring 802.1X RADIUS Accounting (CLI Procedure),
■ Understanding 802.1X and AAA Accounting on EX-series Switches,
stop-on-access-deny ■ 705
supplicant
Syntax supplicant (single | single-secure | multiple);

Description For 802.1X authentication, configure the method used to authenticate supplicants.
Default Single.
Options single—Authenticates only the first supplicant that connects to an authenticator port.
All other supplicants connecting to the authenticator port after the first supplicant,
regardless if they are 802.1X-enabled or not, are permitted free access to the
port without further authentication. If the first authenticated supplicant logs out,
all other supplicants are locked out until a supplicant authenticates again.
single-secure—Authenticates only one supplicant to connect to an authenticator port.

No other supplicants can connect to the authenticator port until the first supplicant
logs out.
multiple—Authenticates multiple supplicants individually on one authenticator port.

You can configure the number of supplicants per port, up to (a maximum value,
to be determined). If you configure a maximum number of devices that can be
connected to a port through port security settings, the lower of the configured
values is used to determine the maximum number of supplicants allowed per
port.

Related Topics
■ supplicant-timeout
706 ■ supplicant
supplicant-timeout
Syntax supplicant-timeout seconds;

Description For 802.1X authentication, configure how long the port waits for a response when
relaying a request from the authentication server to the supplicant before resending
the request.
Default 30 seconds
Options seconds—Number of seconds.

Default: 30 seconds
Related Topics
■ supplicant
supplicant-timeout ■ 707
traceoptions
regex>;
flag flag ;
}
Hierarchy Level [edit protocols dot1x]

Description Define tracing operations for the 802.1X protocol.
file number—(Optional) Maximum number of trace files. When a trace file named
gigabytes number of trace files is reached. Then the oldest trace file is overwritten.
If you specify a maximum number of files, you also must specify a maximum
file size with the sizeoption.
Default: 3 files
■ config-internal—Trace internal configuration operations.
■ general—Trace general operations.
■ normal—Trace normal operations.
■ parse—Trace reading of the configuration.
■ regex-parse—Trace regular-expression parsing operations.
■ state—Trace protocol state changes.
■ task—Trace protocol task operations.
■ timer—Trace protocol timer operations.
expression.
no-world-readable—(Optional) Restricted file access to the user who created the file.
(MB), or gigabytes. When a trace file named trace-file reaches its maximum size,
it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number
of trace files is reached. Then the oldest trace file is overwritten. If you specify
a maximum number of files, you also must specify a maximum file size with
the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify gigabyte
Range: 10 KB through 1gigabyte
Default: 128 KB

Related Topics
■ show lldp

traceoptions
regex>;
}
Description Define tracing operations for the LLDP protocol.
files number—(Optional) Maximum number of trace files. When a trace file named
GB number of trace files is reached. Then the oldest trace file is overwritten. If
you specify a maximum number of files, you also must specify a maximum file
size with the size option.
Default: 3 files
■ config—Trace configuration operations.
■ packet—Trace packet events.
■ rtsock—Trace routing socket operations.
expression.
no-world-readable—(Optional) Restrict file access to the user who created the file.
(MB), or gigabytes (GB). When a trace file named trace-file reaches its maximum
size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum
number of trace files is reached. Then the oldest trace file is overwritten. If you
specify a maximum number of files, you also must specify a maximum file size
with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB

Related Topics
■ Configuring LLDP-MED on EX-series Switches
transmit-delay
Syntax transmit-delay seconds;
Description Configure the delay between 2 successive LLDP advertisements.
Default Disabled.
Options seconds—Number of seconds between two successive LLDP advertisements.

Default: 2
Related Topics
■ show lldp

transmit-period
Syntax transmit-period seconds;

Description For 802.1X authentication, how long the port waits before retransmitting the initial
EAPOL PDUs to the supplicant.
Default 30 seconds
Options seconds—Number of seconds the port waits before retransmitting the initial EAPOL
PDUs to the supplicant.
Default: 30 seconds
Related Topics
712 ■ transmit-period
vlan
Syntax vlan (all | vlan-name) {

}
Hierarchy Level [edit ethernet-switching-options secure-access-port]
Description Apply DHCP snooping, dynamic ARP inspection (DAI), and MAC move limiting.
Options all—Apply DHCP snooping, DAI, and MAC move limiting to all VLANs.
vlan-name—Apply DHCP snooping, DAI, and MAC move limiting to the specified
VLAN.

Related Topics
Spoofing Attacks
vlan ■ 713
vlan-assignment
Syntax vlan-assignment (vlan-id | vlan-name);
Hierarchy Level [edit protocols dot1x authenticator authenticator-profile-name static mac-address]
Description For MAC addresses that are on the static MAC list and excluded from 802.1X
authentication, configure the VLAN that is associated with the device.
Options vlan-id | vlan-name—The name of the VLAN or the VLAN tag identifier to associate
with the device. The VLAN already exists on the switch.

Related Topics
■ show dot1x static-mac-address
714 ■ vlan-assignment
voip
Syntax voip {
vlan vlan-name );
network-control>;
}
}

Description Configure voice over IP (VoIP) interfaces.

Related Topics
Switch
voip ■ 715
what
Syntax what value;
Hierarchy Level [edit protocols lldp-med interface (all | interface-name) location civic-based]

the location to which the DHCP entry refers. This information is advertised, along
with other location information, from the switch to the MED. It is used during
emergency calls to identify the location of the MED.
Options 0 and 1 should not be used unless it is known that the DHCP client is in
close physical proximity to the server or network element.
Default Disabled.
Options value—Location:
■ 0—Location of the DHCP server.
■ 1—Location of a network element believed to be closest to the client.
■ 2—Location of the client.

Related Topics
■ show lldp
Switch
716 ■ what
Chapter 44
Operational Mode Commands for 802.1X,
Port Security, and VoIP
■ 717
clear arp inspection statistics
Syntax clear arp inspection statistics
Description Clear ARP inspection statistics.
Related Topics
■ show arp inspection statistics
List of Sample Output clear arp inspection statistics (summary) on page 718
clear arp inspection user@switch> clear arp inspection statistics

statistics (summary)
718 ■ clear arp inspection statistics

Chapter 44: Operational Mode Commands for 802.1X, Port Security, and VoIP
clear dhcp snooping binding
Syntax clear dhcp snooping binding

<mac (all | mac-address)>
<vlan (all | vlan-name)>
<vlan (all | vlan-name) mac (all | mac-address)>
Description Clear the DHCP snooping database information.
Options mac (all | mac-address)—(Optional) Clear DHCP snooping information for the specified
MAC address or all MAC addresses.
vlan (all | vlan-name)—(Optional) Clear DHCP snooping information for the specified
VLAN or all VLANs.
Related Topics
■ show dhcp snooping binding
clear dhcp snooping binding ■ 719

clear dot1x
Syntax clear dot1x

(interface (all | [interface-names]) | mac-address [mac-addresses])
Description Reset the authentication state of a port. When you reset a port, reauthentication on
the port is also triggered. The switch sends out a multicast message on the port to
restart the authentication of all connected supplicants. If a MAC address is reset, then
the switch sends out a unicast message to that specific MAC address to restart
authentication.
If a supplicant is sending traffic when the clear dot1x interface command is issued,
the authenticator immediately initiates reauthenticataion. This process happens very
quickly, and it may seem that reauthentication did not occur. To verify that
reauthentication has happened, issue the operational mode command show dot1x
interface detail. The value for Reauthentication due and Reauthentication interval will
be about the same.
Options all—(Optional) Clears all ports, or specific ports or specific MAC addresses.
interface interface-names—(Optional) Resets the authentication state of all supplicants

connected to the specified ports (when the port is an authenticator) or for itself
(when the port is a supplicant).
mac-address mac-addresses—Resets the authentication state only for the specified

MAC addresses.
Related Topics
■ show dot1x
List of Sample Output clear dot1x interface on page 720

clear dot1x mac-address on page 720
clear dot1x interface user@switch> clear dot1x interface ge-1/0/0 ge-2/0/0 ge-2/0/0 ge5/0/0]
clear dot1x mac-address user@switch> clear dot1x mac—address 00:04:ae:cd:23:5f
720 ■ clear dot1x

clear lldp neighbors
Syntax clear lldp neighbors

<interface interface>
Description Clear the learned remote neighbor information on all or selected interfaces.
Options none—Clear the remote neighbor information on all interfaces.
interface interface—(Optional) Clear the remote neighbor information from one or

more selected interfaces.
Related Topics
■ show lldp
List of Sample Output clear lldp neighbors on page 721

clear lldp neighbors interface ge-0/1/1.0 on page 721
clear lldp neighbors user@switch> clear lldp neighbors
clear lldp neighbors user@switch> clear lldp neighbors interface ge-0/1/1.0

interface ge-0/1/1.0
clear lldp neighbors ■ 721

clear lldp statistics
Syntax clear lldp statistics

<interface interface>
Description Clear LLDP statistics on one or more interfaces.
Options none—Clears LLDP statistics on all interfaces.
interface interface-names—(Optional) Clear LLDP statistics on one or more interfaces.
Related Topics
List of Sample Output clear lldp statistics on page 722

clear lldp statistics interface ge-0/1/1.0 on page 722
clear lldp statistics user@switch> clear lldp statistics
clear lldp statistics user@switch> clear lldp statistics interface ge-0/1/1.0

722 ■ clear lldp statistics

show arp inspection statistics
Syntax show arp inspection statistics
Description Display ARP inspection statistics.
Related Topics
■ clear arp inspection statistics
List of Sample Output show arp inspection statistics on page 723

Output Fields Table 101 on page 723 lists the output fields for the show arp inspection statistics
Table 101: show arp inspection statistics Output Fields
Interface Interface on which ARP inspection has been applied. All levels
Packets received Total number of packets total that underwent ARP inspection. All levels
ARP inspection pass Total number of packets that passed ARP inspection. All levels
ARP inspection failed Total number of packets that failed ARP inspection. All levels
show arp inspection user@switch> show arp inspection statistics

statistics
--------- ----------------- ------------------- ---------------------
ge-0/0/0 0 0 0
ge-0/0/1 0 0 0
ge-0/0/2 0 0 0
ge-0/0/3 0 0 0
ge-0/0/4 0 0 0
ge-0/0/5 0 0 0
ge-0/0/6 0 0 0
ge-0/0/7 703 701 2
show arp inspection statistics ■ 723

show dhcp snooping binding
Syntax show dhcp snooping binding
Description Display the DHCP snooping database information.
Related Topics
■ clear dhcp snooping binding
List of Sample Output show dhcp snooping binding on page 724

Output Fields Table 102 on page 724 lists the output fields for the show dhcp snooping binding
Table 102: show dhcp snooping binding Output Fields
MAC Address MAC address of the network device; bound to the IP address. All levels
IP Address IP address of the network device; bound to the MAC address. All levels
Lease Lease granted to the IP address. All levels
Type How the MAC address was acquired. All levels
VLAN VLAN name of the network device whose MAC address is shown. All levels
Interface Interface address (port). All levels
show dhcp snooping user@switch> show dhcp snooping binding

binding
----------------- ---------- ----- ------- ---- ---------
00:00:01:00:00:03 192.0.2.0 640 dynamic guest ge-0/0/12.0
00:00:01:00:00:04 192.0.2.1 720 dynamic guest ge-0/0/12.0
00:00:01:00:00:05 192.0.2.5 800 dynamic guest ge-0/0/13.0
724 ■ show dhcp snooping binding

show dot1x
Syntax show dot1x

<brief | detail>
authentication-failed-users
<interface [interface-names]>
static-mac-address (interface [interface-names])
Description Display the current operational state of all ports with the list of connected users.
Options none—Display information for all authenticator ports.
authentication-failed-users—Displays information for supplicants that failed

authentication.
interface interface-names—Display information for the specified port with a list of

connected supplicants.
static-mac-address—Displays information for the static MAC addresses for which

authentication has been bypassed
Related Topics
■ clear dot1x
Switch
List of Sample Output show dot1x interface detail on page 727

show dot1x interface summary on page 727
Output Fields Table 103 on page 726 lists the output fields for the show dot1x command. Output
show dot1x ■ 725

Table 103: show dot1x statistics Output Fields
interface Name of a port. All levels
MAC address The MAC address of the connected supplicant on the port. All levels
role description. level-of-output none
Admin-state The administrative state of the port: detail

■ auto—Traffic is allowed through the port based on the authentication
result. (Default)
■ force-authorize—All traffic flows through the port irrespective of the
authentication result. This state is not allowed on an interface whose VLAN
membership has been set to dynamic.
■ force-unauthorize—All traffic drops on the port irrespective of the
authentication result. This state is not allowed on an interface whose VLAN
membership has been set to dynamic.
Supplicant The mode for the supplicant: detail

■ single—Authenticates only the first supplicant. All other supplicants who
connect later to the port are allowed full access without any further
authentication. They effectively “piggyback” on the first supplicant’s
authentication.
■ single-secure—Allows only one supplicant to connect to the port. No other
supplicant is allowed to connect until the first supplicant logs out.
■ multiple—Allows multiple supplicants to connect to the port. Each
supplicant is authenticated individually.
Quiet period The number of seconds the port remains in the wait state following a failed detail
authentication exchange with the supplicant before reattempting the
authentication. The default value is 60 seconds. The range is 0 through 65,535
seconds.
Transmit period The number of seconds the port waits before retransmitting the initial EAPOL detail
PDUs to the supplicant. The default value is 30 seconds. The range is 1 through
65,535 seconds.
Reauthentication The reauthentication state: detail

■ disable—Periodic reauthentication of the client is disabled.
■ interval—Sets the periodic reauthentication time interval. The default value
is 3600 seconds. The range is 1 through 65,535 seconds.
Supplicant timeout The number of seconds the port waits for a response when relaying a request detail
from the authentication server to the supplicant before resending the request.
The default value is 30 seconds. The range is 1 through 60 seconds.
Server timeout The number of seconds the port waits for a reply when relaying a response detail
from the supplicant to the authentication server before timing out. The default
value is 30 seconds. The range is 1 through 60 seconds.
Maximum EAPOL The maximum number of retransmission times of an EAPOL request packet detail
requests to the supplicant before the authentication session times out. The default value
is 2. The range is 1 through 10.

Table 103: show dot1x statistics Output Fields (continued)
Number of connected The number of supplicants connected to a port. detail

supplicants
show dot1x interface user@switch> show dot1x interface ge-0/0/1.0 detail

detail ge-0/0/2.0
Role: Authenticator
Supplicant mode: Single
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Number of connected supplicants: 1
Supplicant: abc, 00:00:00:00:22:22
show dot1x interface user@switch> show dot1x interface [ge-0/0/1 ge-0/0/2 ge0/0/3] brief
summary
Interface Role State MAC address
--------- ---- ----- ------------------
ge-0/0/1 Authenticator Authenticated 00:a0:d2:18:1a:c8
Authenticating 00:a0:e5:32:97:af
ge-0/0/2 Authenticator Connecting -
ge-0/0/3 Supplicant Authenticated 00:a6:55:f2:94:ae
-

show dot1x static-mac-address
Syntax show dot1x static-mac-address (interface [interface-name])
Description Displays all the static MAC addresses that are configured to bypass 802.1X
authentication on the switch.
Options interface [interface-name]—(Optional) Display static MAC addresses for a specific

interface.
Related Topics
■ clear dot1x
■ Understanding 802.1X Static MAC on EX-series Switches
List of Sample Output show dot1x static-mac-address on page 728

Output Fields Table 104 on page 728 lists the output fields for the show dot1x static-mac-address
Table 104: show dot1x static-mac-address Output Fields
MAC address The MAC address of the device that is configured to bypass 802.1X all
authentication.
VLAN-Assignment The name of the VLAN to which the device is assigned. all
Interface The name of the interface on which authentication is bypassed for a given MAC all
address.
show dot1x user@switch> show dot1x static-mac-address

static-mac-address
MAC address VLAN-Assignment Interface
00:00:00:11:22:33
00:00:00:00:12:12 ge-0/0/3.0
00:00:00:02:34:56 facilities ge-0/0/1.0
728 ■ show dot1x static-mac-address

show lldp
Syntax show lldp

<detail >
Description Display information about Link Layer Discovery Protocol (LLDP). LLDP is used to
learn and distribute device information on network links.
Options none—Display LLDP information for all interfaces.
detail—(Optional) Display detailed LLDP information for all interfaces.
Related Topics
List of Sample Output show lldp on page 731

show lldp (detail) on page 732
Output Fields Table 105 on page 729 lists the output fields for the show lldp command. Output fields
Table 105: show lldp Output Fields
LLDP The LLDP operating state. The state can be enabled or disabled. All levels
Advertisement Interval The frequency, in seconds, at which LLDP advertisements are sent. The default All levels
value is 30 seconds.
Transmit Delay The delay between two successive LLDP advertisements. The default value is All levels
2 seconds.
Hold Timer The multiplier used in combination with the advertisement-interval value All levels
to determine the length of time LLDP information is held before it is discarded.
The default value is 4 (or 120 seconds).
LLDP-MED The Link Level Discovery Protocol Media Endpoint Discovery (LLDP-MED) All levels
operating state. The state can be enabled or disabled.
LLDP-MED fast start count The number of advertisements sent from a switch to a device, such as a VoIP All levels
telephone, when the device is first detected by the switch. These increased
advertisements are temporary. After a device and a switch exchange
information and can communicate, advertisements are reduced to one per
second. The default value is 3. The range is from 1 through 10.
show lldp ■ 729

Table 105: show lldp Output Fields (continued)
LLDP Port Configuration The LLDP Port Configuration: All Levels

■ Port—The port number.
■ LLDP—The LLDP operating state. The state can be enabled or disabled.
■ LLDP-MED—The LLDP–MED operating state. The state can be enabled or
disabled.
■ Neighbor Count—(detail) The total number of new LLDP neighbors detected
since the last switch reboot.
LLDP Vlan export details The LLDP VLAN information that is advertised: detail
■ Port—The interface on which LLDP is configured.
■ Vlan-id—The VLAN tag associated with the interface sending LLDP frames.
If a port is not a member of a VLAN, the VLAN ID is advertised as 0.
■ Vlan-name—The VLAN name associated with the VLAN ID.
NotificationEnabled The LLDP event notification information: detail

■ R—Received .
■ T—Transmitted .
LLDP Basic TLVs The basic TLVs supported on the switch: detail
Supported
■ Chassis Identifier—The MAC address associated with the local system.
■ Port identifier—The port identification for the specified port in the local
system.
■ Port Description—The user– configured port description. The port
description can be a maximum of 256 characters.
■ System Name—The user– configured name of the local system. The system
name can be a maximum of 256 characters.
■ System Description—The system description containing information about
the software and current image running on the system. This information
is not configurable, but taken from the software.
■ System Capabilities—The primary function performed by the system. The
capabilities that system supports are defined; for example, bridge or
router. This information is not configurable, but based on the model of
the product.
■ Management Address—The IPv4 management address of the local system.

Table 105: show lldp Output Fields (continued)
LLDP 802.3 TLVs The 802.3 TLVs supported on the switch: detail
Supported
■ Power via MDI—A TLV that advertises MDI power support, PSE power pair,
and power class information.
■ MAC/PHY Configuration Status—A TLV that advertises information about
the physical interface, such as autonegotiation status and support and
MAU type. The information is not configurable, but based on the physical
interface structure.
■ Link Aggregation—A TLV that advertises if the interface is aggregated and
its aggregated interface ID.
■ Maximum Frame Size—A TLV that advertises the Maximum Transmission
Unit (MTU) of the interface sending LLDP frames.
■ Port Vlan—A TLV that advertises the VLAN name configured on the
interface.
LLDP-MED TLVs Enabled The LLDP-MED TLVs supported on the switch: detail
■ LLDP MED Capabilities—A TLV that advertises the primary function of the
port. The capabilities values range from 0 through 15:
■ 0— Capabilities
■ 1— Network Policy
■ 2— Location Identification
■ 3— Extended Power via MDI-PSE
■ 4— Inventory
■ 5–15— Reserved
■ LLDP-MED Device Class Values:
■ 0— Class not defined.
■ 4— Network Connectivity Device
■ 5–255— Reserved.
■ Network Policy—A TLV that advertises the port VLAN configuration and
associated Layer 2 and Layer 3 attributes. Attributes include the policy
identifier, application types, such as voice or streaming video, 802.1q
VLAN tagging, and 802.1p priority bits and Diffserv code points.
■ Endpoint Location— A TLV that advertises the physical location of the
endpoint.
■ Extended Power via MDI— A TLV that advertises the power type, power
source, power priority, and power value of the port. It is the responsibility
of the PSE device (network connectivity device) to advertise the power
priority on a port.
show lldp user@host> show lldp
LLDP : Enabled

Transmit Delay : 2 seconds

LLDP-MED : Enabled
LLDP-MED fast start count: 3
LLDP Port Configuration:

Port LLDP LLDP-MED
---- ------- --------
All Enabled Disabled
ge-0/1/0.0 Enabled Enabled
ge-0/1/1.0 Enabled Enabled
ge-0/1/2.0 Enabled Disabled
ge-0/1/7.0 Disabled Disabled
show lldp (detail) user@switch> show lldp detail
LLDP : Enabled
Transmit Delay : 2 seconds
LLDP-MED : Enabled
LLDP-MED fast start count: 3
LLDP Port Configuration:

Port LLDP LLDP-MED Neighbor count
---- ------- -------- --------------
All Enabled Disabled 11
ge-0/1/0.0 Enabled Enabled 1
ge-0/1/1.0 Enabled Enabled 2
ge-0/1/2.0 Enabled Disabled 2
ge-0/1/7.0 Disabled Disabled 0
LLDP Vlan export details:

Port Vlan-id Vlan-name
---- ------- ---------
ge-0/0/0.0 100 Voice
ge-0/0/1.0 200 Voice
NotificationEnabled:
-------------------
R(lldpRemTablesChange),T(lldpXMEDTopologyChangeDetected)
LLDP Basic TLVs Supported:

-------------------------
Chassis identifier, Port identifier, Port Description , System Name , System
Description, System Capabilities, Management Address.
LLDP 802.3 TLVs Supported:

-------------------------
Power via MDI, MAC/PHY Configuration Status, Link Aggregation,

Maximum Frame Size, Port Vlan, Port and Protocol Vlan ID,
Protocol Identity.
LLDP-MED TLVs Enabled:

---------------------
LLDP MED Capabilities, Network Policy, Endpoint Location,
Extended Power Via MDI.

show lldp local-info
Syntax show lldp local-info
Description Displays learned information about Link Layer Discovery Protocol (LLDP) on local
interfaces.
Options none—Display learned LLDP information on all local interfaces and devices.
Related Topics
List of Sample Output show lldp local-info on page 734

Output Fields Table 106 on page 734 lists the output fields for the show lldp local-info command.
Table 106: show lldp local-info Output Fields
LLDP Local MIB LLDP local details: All levels

Details
■ Chassis ID —The MAC address associated with the local system.
■ System name —The user configured name of the local system.
■ Sytem descr— The system description containing information about the
software and current image running on the system. This information is
not configurable, but taken from the software.
■ Interface Name—The name of the interface.
■ Interface ID—The port component of the MAC Service Access Point (MSAP)
identified associated with the transmitting LLDP agent.
■ Interface Descr—The port description. The port description is the value
entered at the [edit interfaces interface-name unit unit-number description ]
hierarchy level.
show lldp local-info user@host> show lldp local-info
LLDP Local MIB details

----------------------
Chassis ID : 00:19:e2:50:4a:c0
System name : sw-java-u
System descr : Juniper Networks, Inc. olive internet router, Version
734 ■ show lldp local-info

8.5I0 [mgprasad] Build date: 2007-08-02 22:00:31 UTC
Interface Name Interface ID Interface Descr

-------------- ------------ ---------------
ge-0/1/0.0 18 Avaya Port
ge-0/1/1.0 27 -
ge-0/1/2.0 13 Port for Hub

show lldp neighbors
Syntax show lldp neighbors

<interface interface-ids>
Description Display learned information about Link Layer Discovery Protocol (LLDP) on all
neighboring interfaces or on selected interfaces.
Options none—Display learned LLDP information on all neighboring interfaces and devices.
interface interface-ids—(Optional) Display learned LLDP information on the selected

interface or device.
Related Topics
List of Sample Output show lldp neighbors on page 737

show lldp neighbors interface ge-0/0/4.0 on page 738
Output Fields Table 107 on page 736 lists the output fields for the show lldp neighbors command.
Table 107: show lldp neighbors Output Fields
LLDP Remote Devices LLDP Remote devices information: All levels

Information
■ LocalPort—The local port number.
■ ChassisId—The MAC address associated with the local system.
■ PortInfo—Port Info is either PortID or PortDescr, whichever is available.
■ PortID: — The port identification associated with the transmitting
LLDP agent.
■ PortDescr: The user-configured port description. Port description can
be a maximum of 256 characters.
■ SysName: The user-configured name of the local system. System name
index Juniper Networks internal index. interface level
Time to Live The age of the information propagated in LLDP frames. Time to live (TTL) value interface level
is between 0 and 65,535 seconds.
Time mark Time filter for an entry. interface level
736 ■ show lldp neighbors

Table 107: show lldp neighbors Output Fields (continued)
Chassis type The value used to identify a chassis. For an EX-series switch, this is the MAC interface level
address. However, this value is vendor-specific. The value for chassis type is
used by LLDP to identify a device.
Port type The neighbor's unique SNMP index for a port in our case. interface level
System descr The system description containing information about the software and current interface level
image running on the system. This information is not configurable, but taken
from the software.
System capabilities The primary function performed by the system. The capabilities that the system interface level
supports are defined; for example, bridge. This information is not configurable,
but based on the model of the product.
■ Supported— The capabilities the system supports.
■ Enabled— The capabilities enabled on the system.
Remote Management The IPV4 management address of the system. interface level
Address
■ Type—The possible management address subtypes; for example IPv4,
802 media.
■ Address—The management address of the subtype system.
MED Information The LLDP MED Information: interface level

Detail
■ EndpointClass: A set of mandatory and optional TLVs . There are three
classes:
■ Class 1 (Generic Endpoints) —Apply to all endpoints that require base
LLDP discovery services.
■ Class 2 (Media Endpoint ) —Apply to endpoints that have IP Media
Capabilities.
■ Class 3 (Communication Endpoint ) —Apply to endpoints that support
IP Media (IP Phones, and so on).
■ Media Policy Vlan Id —The configured VLAN ID for an application type
running on a port.
■ Media Policy Priority— The media policy priority, defined in the VLAN tag,
to mark a packet with priority.
■ Media Policy Dscp —The DSCP prioritization, used if an untagged VLAN is
advertised.
■ Media Policy Tagged — Set based on the VLAN (tagged or untagged) used
by an application type.
show lldp neighbors user@switch> show lldp neighbors
LLDP Remote Devices Information
LocalPort ChassisId PortInfo SysName

--------- --------- --------- -------
ge-0/0/0.0 10.209.192.12 00 19 bb 20 de 80 AVA4C357D
ge-0/0/1.0 10.209.192.12 00 19 bb 20 de 80 AVA4C357D
ge-0/0/1.0 10.209.192.13 00 19 bb 20 de 81 AVA4C357E

ge-0/0/3.0 00 19 bb 20 de 79 5 apg-hp1
ge-0/0/3.0 00 19 bb 20 de 80 3 apg-hp1
ge-0/0/4.0 00 19 bb 20 de 79 5 apg-hp1
ge-0/0/4.0 00 19 bb 20 de 80 3 apg-hp1
ge-0/0/5.0 00 19 bb 20 de 81 ge-0/0/3 Java1
ge-0/0/6.0 00 19 bb 20 de 82 ge-0/0/4 Java2
show lldp neighbors user@switch>show lldp neighbors interface ge-0/0/4.0

interface ge-0/0/4.0 LLDP Remote Device Information Detail
Index 6 Time Mark Wed Jun 20 07:34:11 2007 Time To Live 120 seconds
Local Port : ge-0/0/4.0
ChassisType : mac-address
ChassisId : 00 19 bb 20 de 80
PortType : local
PortId : 3
SysName : apg-hp1
System Descr : ProCurve J9049A Switch 2900-24G, revision T.11.X1, ROM K....
PortDescr : 3
.
.
.
System Capabilities Supported : bridge, router

System Capabilities Enabled : bridge
Remote Management Address

Type : ipv4
Address : 10.204.34.35
Index 7 Time Mark Wed Jun 20 07:34:11 2007 Time To Live 120 seconds
Local Port : ge-0/0/4.0
ChassisType : mac-address
ChassisId : 00 19 bb 20 de 79
PortType : local
PortId : 5
SysName : apg-hp1
System Descr : ProCurve J9049A Switch 2900-24G, revision T.11.X1, ROM K....
PortDescr : 3
.
.
.
System Capabilities Supported : bridge, router

System Capabilities Enabled : bridge
Remote Management Address

Type : ipv4
Address : 10.204.34.35

show lldp statistics
Syntax show lldp statistics

<interface interface-ids>
Description Display LLDP statistics on all or selected interfaces.
Options none—Display LLDP statistics on all interfaces and devices.
interface interface-ids—(Optional) Display LLDP statistics on the selected devices.

List of Sample Output show lldp statistics on page 739
show lldp statistics interface ge-0/1/1.0 on page 739
Output Fields Table 66 on page 739 lists the output fields for the show lldp statistics command.
Table 108: show lldp statistics Output Fields
Interface Name of an interface. All levels
Received The total number of LLDP frames received on an interface. All levels
Transmitted The total number of LLDP frames transmitted on an interface. All levels
Unknown-TLVs The number of unrecognized LLDP TLVs received on an interface. All levels
With-Errors The number of invalid LLDP TLVs received on an interface. All levels
Discarded The number of LLDP TLVs received and then discarded on an interface. All levels
show lldp statistics user@switch> show lldp statistics
Interface Received Transmitted Unknown-TLVs With-Errors Discarded

--------- -------- ---------- ------------ ----------- ---------
ge-0/1/1.0 544 540 0 0 0
ge-0/1/2.0 540 500 0 0 0
ge-0/1/3.0 544 540 0 0 0
ge-0/1/4.0 544 540 0 0 0
ge-0/1/5.0 544 540 0 0 0
ge-0/1/6.0 544 540 0 0 0
ge-0/1/7.0 0 0 0 0 0
show lldp statistics user@switch> show lldp statistics interface ge-0/1/1.0

show lldp statistics ■ 739

Interface Received Transmitted Unknown-TLVs With-Errors Discarded

--------- -------- ---------- ------------ ----------- ---------
ge-0/1/1.0 544 540 0 0 0
740 ■ show lldp statistics

show network-access aaa statistics accounting
Syntax show network-access aaa statistics accounting
Description Display authentication, authorization, and accounting (AAA) accounting statistics.
Related Topics
■ accounting-server
■ stop-on-access-deny
List of Sample Output show network-access aaa statistics accounting on page 741
Output Fields Table 109 on page 741 lists the output fields for the show network-access aaa statistics
accounting command. Output fields are listed in the approximate order in which they
appear.
Table 109: show network-access aaa statistics accounting Output Fields
Requests received The number of accounting-request packets sent from a switch to a RADIUS accounting server.
Accounting Response The number of accounting-response failure packets sent from the RADIUS accounting server to the
failures switch.
Accounting Response The number of accounting-response success packets sent from the RADIUS accounting server to the
Success switch.
Requests timedout The number of requests-timedout packets sent from the RADIUS accounting server to the switch.
show network-access user@switch> show network-access aaa statistics accounting

aaa statistics Accounting module statistics
accounting Requests received: 1
Accounting Response failures: 0
Accounting Response Success: 1
Requests timedout: 0
show network-access aaa statistics accounting ■ 741

show network-access aaa statistics authentication
Syntax show network-access aaa statistics authentication
Description Display authentication, authorization, and accounting (AAA) authentication statistics.
Related Topics
■ authentication-server
List of Sample Output show network-access aaa statistics authentication on page 742
authentication command. Output fields are listed in the approximate order in which
they appear.
Table 110: show network-access aaa statistics authentication Output Fields
Requests received The number of authentication requests received by the switch.
Accepts The number of authentication accepts received by the RADIUS server.
Rejects The number authentication rejects sent by the RADIUS server.
Challenges The number of authentication challenges sent by the RADIUS server.
show network-access user@switch> show network-access aaa statistics authentication

aaa statistics Authentication module statistics
authentication Requests received: 2
Accepts: 1
Rejects: 0
Challenges: 1
742 ■ show network-access aaa statistics authentication

show network-access aaa statistics dynamic-requests
Syntax show network-access aaa statistics dynamic-requests;
Description Display authentication, authorization, and accounting (AAA) authentication statistics
for disconnects.
Related Topics
■ authentication-server
List of Sample Output show network-access aaa statistics authentication on page 743
dynamic-requests command. Output fields are listed in the approximate order in
which they appear.
Table 111: show network-access aaa statistics dynamic-requests Output Fields
Requests received The number of dynamic requests received by the RADIUS server.
Processed The number of dynamic requests successfully processed by the RADIUS server.
successfully
Errors during The number of errors that occurred while the RADIUS server was processing the dynamic request.
processing
Silently dropped The number of silently dropped requests.
show network-access user@switch> show network-access aaa statistics dynamic-requests

aaa statistics Dynamic-requests module statistics
authentication Requests received: 0
Processed successfully: 0
Errors during processing: 0
Silently dropped: 0
show network-access aaa statistics dynamic-requests ■ 743


Part 12
Packet Filtering
■ Understanding Packet Filtering on page 747
■ Examples of Configuring Packet Filtering on page 773
■ Configuring Packet Filtering on page 795
■ Verifying Packet Filtering on page 809
■ Troubleshooting Packet Filtering on page 813
■ Configuration Statements for Packet Filtering on page 817
■ Operational Mode Commands for Packet Filtering on page 833
Packet Filtering ■ 745

746 ■ Packet Filtering

Chapter 45
Understanding Packet Filtering
■ Firewall Filters for EX-series Switches Overview on page 747

■ Understanding Planning of Firewall Filters on page 749
■ Understanding Firewall Filter Processing Points for Bridged and Routed Packets
on EX-series Switches on page 751
■ Understanding How Firewall Filters Control Packet Flows on page 753
■ Firewall Filter Match Conditions and Actions for EX-series Switches on page 754
■ Understanding How Firewall Filters Are Evaluated on page 764
■ Understanding Firewall Filter Match Conditions on page 766
■ Understanding How Firewall Filters Test a Packet's Protocol on page 770
■ Understanding the Use of Policers in Firewall Filters on page 771
Firewall Filters for EX-series Switches Overview

Firewall filters provide rules that define whether to permit or deny packets that are
transiting an interface on a switch from a source address to a destination address.
You configure firewall filters to determine whether to permit or deny traffic before
it enters or exits a port, VLAN, or Layer 3 (routed) interface to which the firewall filter
is applied. An ingress firewall filter is a filter that is applied to packets that are entering
a network. An egress firewall filter is a filter is applied to packets that are exiting a
network. You can configure firewall filters to subject packets to filtering,
class-of-service (CoS) marking (grouping similar types of traffic together and treating
each type of traffic as a class with its own level of service priority), and traffic policing
(controlling the maximum rate of traffic sent or received on an interface).
■ Firewall Filter Types on page 747
■ Firewall Filter Components on page 748
■ Firewall Filter Processing on page 748
Firewall Filter Types

The following firewall filter types are supported for EX-series switches:
■ Port (Layer 2) firewall filter—Port firewall filters apply to Layer 2 switch ports.
You can apply port firewall filters only in the ingress direction on a physical port.
Firewall Filters for EX-series Switches Overview ■ 747

■ VLAN firewall filter—VLAN firewall filters provide access control for packets that
enter a VLAN, are bridged within a VLAN, and leave a VLAN. You can apply VLAN
firewall filters in both ingress and egress directions on a VLAN. VLAN firewall
filters are applied to all packets that are forwarded to or forwarded from the
VLAN.
■ Router (Layer 3) firewall filter—You can apply a router firewall filter in both
ingress and egress directions on Layer 3 (routed) interfaces.
NOTE: Firewall filters are not supported on aggregated Ethernet interfaces.
To apply a firewall filter, you must:

1. Configure the firewall filter.
2. Apply the firewall filter to a port, VLAN, or router interface.
Firewall Filter Components
In a firewall filter, you first define the family address type, (ethernet-switching or inet),
and then you define one or more terms that specify the filtering criteria and the
action to take if a match occurs.
Each term consists of the following components:

■ Match conditions—Specifies the values or fields that the packet must contain.
You can define various match conditions, including the IP source address field,
IP destination address field, Transmission Control Protocol (TCP) or User
Datagram Protocol (UDP) source port field, IP protocol field, Internet Control
Message Protocol (ICMP) packet type, TCP flags, and interfaces.
■ Action—Specifies what to do if a packet matches the match conditions. Possible
actions are to accept or discard a packet. In addition, packets can be counted to
collect statistical information. If no action is specified for a term, the default
action is to accept the packet.
Firewall Filter Processing

The order of the terms within a firewall filter is important. Packets are tested against
each term in the order in which the terms are listed in the firewall filter configuration.
When a firewall filter contains multiple terms, the switch takes a top-down approach
and compares a packet against the first term in the firewall filter. If the packet matches
the first term, the switch executes the action defined by that term to either permit
or deny the packet, and no other terms are evaluated. If the switch does not find a
match between the packet and first term, it then compares the packet to the next
term in the firewall filter by using the same match process. If no match occurs
between the packet and the second term, the switch continues to compare the packet
to each successive term defined in the firewall filter until a match is found. If a packet
does not match any terms in a firewall filter, the default action is to discard the
packet.
748 ■ Firewall Filter Components

Chapter 45: Understanding Packet Filtering
Related Topics
on EX-series Switches
■ Understanding How Firewall Filters Are Evaluated
■ Understanding Planning of Firewall Filters
EX-series Switches
Understanding Planning of Firewall Filters

Before you create a firewall filter and apply it to an interface, determine what you
want the firewall filter to accomplish and how to use its match conditions and actions
to achieve your goals. It is important that you understand how packets are matched
to match conditions, the default and configured actions of the firewall filter, and
proper placement of the firewall filter.
You can configure and apply no more than one firewall filter per port, VLAN, or
router interface, per direction. The number of firewall filter terms allowed per filter
cannot exceed 2048. In addition, you should try to be conservative in the number
of terms (rules) that you include in each firewall filter because a large number of
terms requires longer processing time during a commit and also can make firewall
filter testing and troubleshooting more difficult. Similarly, applying firewall filters
across many switch and router interfaces can make testing and troubleshooting the
rules of those filters difficult.
Before you configure and apply firewall filters, answer the following questions for
each of those firewall filters:
1. What is the purpose of the firewall filter?
For example, you can use a firewall filter to limit traffic to source and destination
MAC addresses, specific protocols, or certain data rates or to prevent denial of
service (DoS) attacks.
2. What are the appropriate match conditions?
a. Determine the packet header fields that the packet must contain for a match.
Possible fields include:
■ Layer 2 header fields—Source and destination MAC addresses, dot1q
tag, Ethernet type, VLAN
■ Layer 3 header fields—Source and destination IP addresses, protocols,
and IP options (IP precedence, IP fragmentation flags, TTL type)
■ TCP header fields—Source and destination ports and flags
■ ICMP header fields—Packet type and code

b. Determine the port, VLAN, or router interface on which the packet was
received.
3. What are the appropriate actions to take if a match occurs?
Possible actions to take if a match occurs are accept and discard.

4. What additional action modifiers might be required?
Determine if additional actions are required if a packet matches a match

condition; for example, you can specify an action modifier to count, analyze, or
police packets.
5. On what interface should the firewall filter be applied?
Start with the following basic guidelines:

■ If all the packets entering a port need to be exposed to filtering, then use
port firewall filters.
■ If all the packets that are bridged need filtering, then use VLAN firewall filters.
■ If all the packets that are routed need filtering, then use router firewall filters.
Before you choose the interface at which to apply a firewall filter, understand
how that placement can impact traffic flow to other interfaces. In general, apply
a firewall filter that filters on source and destination IP addresses, IP protocols,
or protocol information—such as ICMP message types, and TCP and UDP port
numbers—nearest to the source devices. However, typically apply a firewall filter
that filters only on a source IP address nearest to the destination devices. When
applied too close to the source device, a firewall filter that filters only on a source
IP address could potentially prevent that source device from accessing other
services that are available on the network.
NOTE: Firewall filters are not supported on aggregated Ethernet interfaces.
NOTE: Egress firewall filters do not affect the flow of locally generated control packets
from the Routing Engine.
6. In which direction should the firewall filter be applied?
You can apply firewall filters to ports on the switch to filter packets that are
entering a port. You can apply firewall filters to VLANs, and Layer 3 (routed)
interfaces to filter packets that are entering or exiting a VLAN or routed interface.
Typically, you configure different sets of actions for traffic entering an interface
than you configure for traffic exiting an interface.
750 ■ Understanding Planning of Firewall Filters

Related Topics
EX-series Switches
Understanding Firewall Filter Processing Points for Bridged and Routed Packets
EX-series switches are multilayered switches that provide Layer 2 switching and
Layer 3 routing. You apply firewall filters at multiple processing points in the packet
forwarding path on EX-series switches. At each processing point, the action to be
taken on a packet is determined based on the results of the lookup in the switch's
forwarding table. A table lookup determines which exit port on the switch to use to
forward the packet.
For both bridged unicast packets and routed unicast packets, firewall filters are
evaluated and applied hierarchically. First, a packet is checked against the port firewall
filter, if present. If the packet is permitted, it is then checked against the VLAN firewall
filter, if present. If the packet is permitted, it is then checked against the router
firewall filter, if present. The packet must be permitted by the router firewall filter
before it is processed.
Figure 40 on page 752 shows the various firewall filter processing points in the packet
forwarding path in a multilayered switching platform.

Figure 40: Firewall Filter Processing Points in the Packet Forwarding Path
For a multicast packet that results in replications, an egress firewall filter is applied
to each copy of the packet based on its corresponding egress VLAN.
For Layer 2 (bridged) unicast packets, the following firewall filter processing points
apply:
■ Ingress port firewall filter
■ Ingress VLAN firewall filter
■ Egress VLAN firewall filter
For Layer 3 (routed and multilayer-switched) unicast packets, the following firewall
filter processing points apply:
■ Ingress port firewall filter
■ Ingress VLAN firewall filter (Layer 2 CoS)
■ Ingress router firewall filter (Layer 3 CoS)
■ Egress router firewall filter
■ Egress VLAN firewall filter
752 ■ Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX-series Switches
Related Topics
■ Understanding How Firewall Filters Control Packet Flows
EX-series Switches
Understanding How Firewall Filters Control Packet Flows

EX-series switches support firewall filters that allow you to control flows of data
packets and local packets. Data packets are chunks of data that transit the switch as
they are forwarded from a source to a destination. Local packets are chunks of data
that are destined for or sent by the switch. Local packets usually contain routing
protocol data, data for IP services such as Telnet or SSH, and data for administrative
protocols such as the Internet Control Message Protocol (ICMP).
You create firewall filters to protect your switch from excessive traffic transiting the
switch to a network destination or destined for the Routing Engine on the switch.
Firewall filters that control local packets can also protect your switch from external
incidents such as denial-of-service (DoS) attacks.
Firewall filters affect packet flows entering in to or exiting from the switch's interfaces:
■ Ingress firewall filters affect the flow of data packets that are received by the
switch's interfaces. The Packet Forwarding Engine (PFE) handles this flow. When
a switch receives a data packet on an interface, the switch determines where to
forward the packet by looking in the forwarding table for the best route (Layer 2
switching, Layer 3 routing) to a destination. Data packets are forwarded to their
destination through an outgoing interface. Locally destined packets are forwarded
to the Routing Engine.
■ Egress firewall filters affect the flow of data packets that are transmitted from
the switch's interfaces but do not affect the flow of locally generated control
packets from the Routing Engine. The Packet Forwarding Engine handles the
flow of data packets that are transmitted from the switch, and egress firewall
filters are applied here. The Packet Forwarding Engine also handles the flow of
control packets from the Routing Engine.
Figure 41 on page 754 illustrates the application of ingress and egress firewall filters
to control the flow of packets through the switch.

Figure 41: Application of Firewall Filters to Control Packet Flow
1. Ingress firewall filter applied to control locally destined packets that are received
on the switch's interfaces and are destined for the Routing Engine.
2. Ingress firewall filter applied to control incoming packets on the switch's
interfaces.
3. Egress firewall filter applied to control packets that are transiting the switch's
interfaces.
Related Topics
Firewall Filter Match Conditions and Actions for EX-series Switches

Each term in a firewall filter consists of match conditions and an action. Match
conditions are the values or fields that the packet must contain. You can define
multiple, single, or no match conditions. If no match conditions are specified for the
term, the packet is accepted by default. The action is the action that the switch takes
if a packet matches the match conditions for the specific term. Allowed actions are
accept a packet or discard a packet. In addition, you can specify action modifiers to
count, mirror, rate limit and classify packets.
For each firewall filter, you define the terms that specify the filtering criteria (match
conditions) to apply to packets and the action for the switch to take if a match occurs.
Table 112 on page 755 describes the match conditions you can specify when
configuring a firewall filter. The string that defines a match condition is called a match
statement. All match conditions are applicable to IPv4 traffic.

Table 112: Supported Match Conditions for Firewall Filters on EX-series Switches
Match Condition Description Direction/Interface
destination-address IP destination address field, which is the Ingress ports, VLANs, and router
ip-address address of the final destination node. interfaces.
Egress VLANs and router interfaces.
destination-mac-address mac-address Destination media access control (MAC) Ingress ports, VLANs, and router
address of the packet. interfaces.
Egress VLANs.
Firewall Filter Match Conditions and Actions for EX-series Switches ■ 755
Table 112: Supported Match Conditions for Firewall Filters on EX-series Switches (continued)
destination-port number Ingress ports, VLANs, and router

interfaces.
756 ■ Firewall Filter Match Conditions and Actions for EX-series Switches
TCP or User Datagram Protocol (UDP)

destination port field. Typically, you
specify this match in conjunction with the
protocol match statement to determine
which protocol is used on the port. In
place of the numeric value, you can
specify one of the following text
synonyms (the port numbers are also
listed):
afs (1483), bgp (179), biff (512), bootpc

(68), bootps (67),
cmd (514), cvspserver (2401),
dhcp (67), domain (53),
eklogin (2105), ekshell (2106), exec (512),
finger (79), ftp (21), ftp-data (20),
http (80), https (443),
ident (113), imap (143),
kerberos-sec (88), klogin (543), kpasswd

(761), krb-prop (754), krbupdate (760),
kshell (544),
ldap (389), login (513),
mobileip-agent (434), mobilip-mn (435),

msdp (639),
netbios-dgm (138), netbios-ns (137),

netbios-ssn (139), nfsd (2049), nntp (119),
ntalk (518), ntp (123),
pop3 (110), pptp (1723), printer (515),
radacct (1813),radius (1812), rip (520),

rkinit (2108),
smtp (25), snmp (161), snmptrap (162),

snpp (444), socks (1080), ssh (22), sunrpc
(111), syslog (514),
tacacs-ds (65), talk (517), telnet (23), tftp

(69), timed (525),
who (513),
xdmcp (177),
zephyr-clt (2103), zephyr-hm (2104)
dot1q-tag number The tag field in the ethernet header. The Ingress ports and VLANs.
tag values can be 1–4095.
Egress VLANs.
dot1q-user-priority number User-priority field of the tagged Ethernet Ingress ports and VLANs.
packet. User-priority values can be 0–7.
Egress VLANs.
In place of the numeric value, you can
synonyms (the field values are also listed):
■ background (1)—Background
■ best-effort (0)—Best effort
■ controlled-load (4)—Controlled load
■ excellent-load (3)—Excellent load
■ network-control (7)—Network control
reserved traffic
■ standard (2)—Standard or Spare
■ video (5)—Video
■ voice (6)—Voice
dscp number Differentiated Services code point (DSCP). Ingress ports, VLANs, and router
The DiffServ protocol uses the interfaces.
type-of-service (ToS) byte in the IP header.
The most significant six bits of this byte Egress VLANs and router interfaces.
form the DSCP.
You can specify DSCP in hexadecimal,

binary, or decimal form.

■ ef (46)—as defined in RFC 2598, An
Expedited Forwarding PHB.
■ af11 (10), af12 (12), af13 (14);
af21 (18), af22 (20), af23 (22);
af31 (26), af32 (28), af33 (30);
af41 (34), af42 (36), af43 (38)
These four classes, with three drop
precedences in each class, for a total
of 12 code points, are defined in RFC
2597, Assured Forwarding PHB.
ether-type [ipv4 | arp | mpls | dot1q | value] Ethernet type field of a packet. The Ingress ports and VLANs.
EtherType value specifies what protocol is
being transported in the Ethernet frame. Egress VLANs.
synonyms:
■ arp—EtherType value ARP (0x0806)
■ dot1q—EtherType value 802.1Q
(0x8100)
■ ipv4—EtherType value IPv4 (
0x0800)
■ mpls—EtherType value MPLS
(0x8847)
fragment-flags [ IP fragmentation flags. fragment-flags [is-fragment] supported

is-fragment | for: Ingress ports, VLANs, and router
more-fragment | interfaces. Egress VLANs and router
dont-fragment] interfaces.
fragment-flags [more-fragment |
dont-fragment] supported for: Ingress
ports, VLANs, and router interfaces.
icmp-code number ICMP code field. This value or keyword Ingress ports, VLANs, and router
provides more specific information than interfaces.
icmp-type. Because the value’s meaning
depends upon the associated icmp-type, Egress VLANs and router interfaces.
you must specify icmp-type along with
icmp-code. In place of the numeric value,
you can specify one of the following text
synonyms (the field values are also listed).
The keywords are grouped by the ICMP
type with which they are associated:
■ parameter-problem—ip-header-bad (0),
required-option-missing (1)
■ redirect—redirect-for-host (1),
redirect-for-network (0),
redirect-for-tos-and-host (3),
redirect-for-tos-and-net (2)
■ time-exceeded—ttl-eq-zero-during-reassembly
(1), ttl-eq-zero-during-transit (0)
■ unreachable—communication-prohibited-by-filtering
(13), destination-host-prohibited (10),
destination-host-unknown (7),
destination-network-prohibited (9),
destination-network-unknown (6),
fragmentation-needed (4),
host-precedence-violation (14),
host-unreachable (1),
host-unreachable-for-TOS (12),
network-unreachable (0),
network-unreachable-for-TOS (11),
port-unreachable (3),
precedence-cutoff-in-effect (15),
protocol-unreachable (2),
source-host-isolated (8),
source-route-failed (5)
icmp-type number ICMP packet type field. Typically, you Ingress ports, VLANs, and router
specify this match in conjunction with the interfaces.
protocol match statement to determine
which protocol is being used on the port. Egress VLANs and router interfaces.
echo-reply (0), echo-request (8), info-reply

(16), info-request (15),
mask-request (17), mask-reply (18),

parameter-problem (12),
redirect (5), router-advertisement (9),

router-solicit (10), source-quench (4),
time-exceeded (11), timestamp (13),

timestamp-reply (14), unreachable (3)
interface interface-name Interface on which the packet is received. Ingress ports, VLANs, and router
You can specify the wildcard character * interfaces.
as part of an interface name.
NOTE: An interface from which a packet
is sent cannot be used as a match
condition.
packet-length bytes Length of the received packet, in bytes. Ingress router interfaces.
precedence precedence IP precedence. In place of the numeric Ingress ports, VLANs, and router
value, you can specify one of the following interfaces.
text synonyms (the field values are also
listed): Egress VLANs and router interfaces.
■ critical-ecp (5)
■ flash (3)
■ flash-override (4)
■ immediate (2)
■ internet-control (6)
■ net-control (7)
■ priority (1)
■ routine (0)
protocol list of protocols IPv4 protocol value. In place of the Ingress ports, VLANs, and router
numeric value, you can specify one of the interfaces.
following text synonyms:
egp (8), esp (50), gre (47), icmp (1), igmp
(2), ipip (4),
ospf (89), pim (103), rsvp (46), tcp (6), udp

(17)
source-address IP source address field, which is the Ingress ports, VLANs, and router
ip-address address of the source node sending the interfaces.
packet.
source-mac-address mac-address Source MAC address. Ingress ports and VLANs.
Egress VLANs.
source-port number TCP or UDP source-port field. Typically, Ingress ports, VLANs, and router
you specify this match in conjunction with interfaces.
the protocol match statement to determine
which protocol is being used on the port. Egress VLANs and router interfaces.
In place of the numeric field, you can
specify one of the text synonyms listed
under destination-port.
packet-length bytes Length of the received packet, in bytes. Ingress ports, VLANs, and router
interfaces.
tcp-flags [flags tcp-initial] One or more TCP flags: Ingress ports, VLANs, and router
interfaces.
■ bit-name—fin, syn, rst, push, ack,
urgent
■ logical operators—& (logical AND), !
(negation)
■ numerical value— 0x01 through
0x20
■ text synonym—tcp-initial
tcp-initial Matches the first TCP packet of a Ingress ports, VLANs, and router
connection. tcp-initial is a synonym for the interfaces.
bit names ""(syn & !ack)".
tcp-initial does not implicitly check that

the protocol is TCP. To do so, specify the
protocol tcp match condition.
ttl value TTL type to match. The value range is 1 Ingress router interfaces.
through 255.
vlan [vlan-name | vlan-id] The VLAN that is associated with the Ingress ports and VLANs.
packet.
Egress VLANs.
Some of the numeric range and bit-field match conditions allow you to specify a text
synonym. For a list of all the synonyms for a match condition, do any of the following:
■ If you are using the J-Web Configuration page, select the synonym from the
appropriate list.
■ If you are using the CLI, type a question mark (?) after the from statement.
To specify the bit-field value to match, you must enclose the values in quotations
marks (" "). For example, a match occurs if the RST bit in the TCP flags field is set:
tcp-flags "rst”;
For information about logical operators and how to use bit-field logical operations
to create expressions that are evaluated for matches, see Understanding Firewall
Filter Match Conditions.
When you define one or more terms that specify the filtering criteria, you also define
the action to take if the packet matches all criteria. Table 113 on page 763 shows the
actions that you can specify in a term.
Table 113: Actions for Firewall Filters
Action Description
accept Accept a packet.
discard Discard a packet silently without sending an Internet Control Message

Protocol (ICMP) message.
In addition to the actions, you can specify action modifiers. Table 114 on page 763
shows the action modifers that you can specify in a term.
Table 114: Action Modifiers for Firewall Filters
Action Modifier Description
analyzer analyzer-name Mirror port traffic to a specified destination port or VLAN that is
connected to a protocol analyzer application. Mirroring copies all packets
seen on one switch port to a network monitoring connection on another
switch port. The analyzer-name must be configured under [edit
ethernet-switching-actions analyzer].
You can specify mirroring for ingress port, VLAN and router firewall
filters only.
count counter-name Count the number of packets that pass this filter, term, or policer.
forwarding-class class Classify packet in one of the following forwarding classes:

■ best-effort
■ network-control
loss-priority [low | high] Set the Packet Loss Priority (PLP).
policer policer-name Apply rate limits to the traffic.
You can specify a policer for ingress port, VLAN and router firewall filters
only.
Related Topics
■ Understanding Firewall Filter Match Conditions
■ Understanding How Firewall Filters Test a Packet's Protocol
■ Firewall Filter Configuration Statements Supported by JUNOS for EX-series
Software
EX-series Switches
Understanding How Firewall Filters Are Evaluated

A firewall filter consists of one or more terms, and the order of the terms within a
firewall filter is important. Before you configure firewall filters, you should understand
how EX-series switches evaluate the terms within a firewall filter and how packets
are evaluated against the terms.
When a firewall filter consists of a single term, the filter is evaluated as follows:
■ If the packet matches all the conditions, the action in the then statement is taken.
■ If the packet matches all the conditions, and no action is specified in the then
statement, the default action accept is taken.
When a firewall filter consists of more than one term, the firewall filter is evaluated
sequentially:
1. The packet is evaluated against the conditions in the from statement in the first
term.
2. If the packet matches all the conditions in the term, the action in the then
statement is taken and the evaluation ends. Subsequent terms in the filter are
not evaluated.
3. If the packet does not match all the conditions in the term, the packet is evaluated
against the conditions in the from statement in the second term.
This process continues until either the packet matches the conditions in the from
statement in one of the subsequent terms or there are no more terms in the
filter.
4. If a packet passes through all the terms in the filter without a match, the packet
is discarded.
Figure 42 on page 765 shows how an EX-series switch evaluates the terms within a
firewall filter.

Figure 42: Evaluation of Terms within a Firewall Filter
If a term does not contain a from statement, the packet is considered to match and
the action in the then statement of the term is taken.
If a term does not contain a then statement, or if an action has not been configured
in the then statement, and the packet matches the conditions in the from statement
of the term, the packet is accepted.
Every firewall filter contains an implicit deny statement at the end of the filter, which
is equivalent to the following explicit filter term:
term implicit-rule {
then discard;
}
Consequently, if a packet passes through all the terms in a filter without matching
any conditions, the packet is discarded. If you configure a firewall filter that has no
terms, all packets that pass through the filter are discarded.
NOTE: Firewall filtering is supported on packets that are at least 48 bytes long.
Related Topics

Understanding Firewall Filter Match Conditions

Before you define terms for firewall filters, you must understand how the conditions
that you specify in a term are handled and how to specify interface filter, numeric
filter, address filter, and bit-field filter match conditions to achieve the desired filtering
results.
■ Filter Match Conditions on page 766
■ Numeric Filter Match Conditions on page 766
■ Interface Filter Match Conditions on page 767
■ IP Address Filter Match Conditions on page 767
■ MAC Address Filter Match Conditions on page 768
■ Bit-Field Filter Match Conditions on page 768
Filter Match Conditions
In the from statement of a firewall filter term, you specify the conditions that the
packet must match for the action in the then statement to be taken. All conditions
in the from statement must match for the action to be taken. The order in which you
specify match conditions is not important, because a packet must match all the
conditions in a term for a match to occur.
If you specify no match conditions in a term, that term matches all packets.
An individual condition in a from statement cannot contain a list of values. For

example, you cannot specify numeric ranges or multiple source or destination
addresses.
Individual conditions in a from statement cannot be negated. A negated condition is

an explicit mismatch.
Numeric Filter Match Conditions

Numeric filter conditions match packet fields that are identified by a numeric value,
such as port and protocol numbers. For numeric filter match conditions, you specify
a keyword that identifies the condition and a single value that a field in a packet
must match.
You can specify the numeric value in one of the following ways:
■ Single number—A match occurs if the value of the field matches the number.
For example:
source-port 25;
■ Text synonym for a single number— A match occurs if the value of the field
matches the number that corresponds to the synonym. For example:
source-port http;
766 ■ Understanding Firewall Filter Match Conditions

To specify more than one value in a filter term, you enter each value in its own match
statement. For example, a match occurs in the following term if the value of vlan
field is 10 or 30.
[edit firewall family family-name filter filter-name term term-name from]

vlan 10;
vlan 30;
The following restrictions apply to numeric filter match conditions:

■ You cannot specify a range of values.
■ You cannot specify a list of comma-separated values.

■ You cannot exclude a specific value in a numeric filter match condition. For
example, you cannot specify a condition that would match only if the match
condition was not equal to a given value.
Interface Filter Match Conditions

Interface filter match conditions can match interface name values in a packet. For
interface filter match conditions, you specify the name of the interface, for example:

user@host# set interface ge-0/0/1
Port and VLAN interfaces do not use logical unit numbers. However, a firewall filter
that is applied to a router interface can specify the logical unit number in the interface
filter match condition, for example:

user@host# set interface ge-0/1/0.0
You can include the * wildcard as part of the interface name, for example:

user@host# set interface ge-0/*/1
user@host# set interface ge-0/1/*
user@host# set interface ge-*
IP Address Filter Match Conditions

Address filter match conditions can match prefix values in a packet, such as IP source
and destination prefixes. For address filter match conditions, you specify a keyword
that identifies the field and one prefix of that type that a packet must match.
You specify the address as a single prefix. A match occurs if the value of the field
matches the prefix. For example:

user@host# set destination-address 10.2.1.0/28;
Interface Filter Match Conditions ■ 767

Each prefix contains an implicit 0/0 except statement, which means that any prefix
that does not match the prefix that is specified is explicitly considered not to match.
To specify the address prefix, use the notation prefix/prefix-length. If you omit
prefix-length, it defaults to /32. For example:

user@host# set destination-address 10
user@host# show
destination-address {
10.0.0.0/32;
}
To specify more than one IP address in a filter term, you enter each address in its
own match statement. For example, a match occurs in the following term if the value
of the source-address field matches either of the following source-address prefixes:

user@host# set source-address 10.0.0.0/8
user@host# set source-address 10.1.0.0/16
MAC Address Filter Match Conditions

MAC address filter match conditions can match source and destination MAC address
values in a packet. For MAC address filter match conditions, you specify a keyword
that identifies the field and one value of that type that a packet must match.
You can specify the MAC address as six hexadecimal bytes in the following formats:

user@host# set destination-mac-address 0011.2233.4455

user@host# set destination-mac-address 00:11:22:33:44:55

user@host# set destination-mac-address 001122334455
To specify more than one MAC address in a filter term, you enter each MAC address
in its own match statement. For example, a match occurs in the following term if
the value of the source-mac-address field matches either of the following addresses.

user@host# set source-mac-address 00:11:22:33:44:55
user@host# set source-mac-address 00:11:22:33:20:15
Bit-Field Filter Match Conditions

Bit-field filter conditions match packet fields if particular bits in those fields are or
are not set. You can match the IP options, TCP flags, and IP fragmentation fields.
For bit-field filter match conditions, you specify a keyword that identifies the field
and tests to determine that the option is present in the field.
768 ■ MAC Address Filter Match Conditions

To specify the bit-field value to match, enclose the value in double quotation marks.
For example, a match occurs if the RST bit in the TCP flags field is set:

user@host# set tcp-flags "rst"
Typically, you specify the bits to be tested by using keywords. Bit-field match
keywords always map to a single bit value. You also can specify bit fields as
hexadecimal or decimal numbers.
To match multiple bit-field values, use the logical operators, which are described in
Table 115 on page 769. The operators are listed in order from highest precedence to
lowest precedence. Operations are left-associative.
Table 115: Actions for Firewall Filters
Logical Operators Description
! Negation.
& or + Logical AND.
To negate a match, precede the value with an exclamation point. For example, a
match occurs only if the RST bit in the TCP flags field is not set:

user@host# set tcp-flags "!rst"
In the following example of a logical AND operation, a match occurs if the packet is
the initial packet on a TCP session:

user@host# set tcp-flags "syn" & "!ack"
You can use text synonyms to specify some common bit-field matches. You specify
these matches as a single keyword. In the following example of a text synonym, a
match occurs if the packet is the initial packet on a TCP session:

user@host# set tcp-flags tcp-initial
Logical OR operations are not supported; however you can specify the equivalent
OR functionality by specifying two of the same match conditions in a single term or
in two consecutive terms. For example, in the following term, a match occurs if the
packet in a TCP session is urgent or has priority :

user@host# set tcp-flags "urgent"
user@host# set tcp-flags "push"
Bit-Field Filter Match Conditions ■ 769

Related Topics
■ Understanding How Firewall Filters Test a Packet's Protocol
EX-series Switches
Understanding How Firewall Filters Test a Packet's Protocol

When examining match conditions, JUNOS software for EX-series switches tests only
the field that is specified. The software does not implicitly test the IP header to
determine whether a packet is an IP packet. Therefore, in some cases, you should
specify protocol field match conditions in conjunction with other match conditions
to ensure that the filters are performing the expected matches.
If you specify a protocol match condition or a match of the ICMP type or TCP flags
field, there is no implied protocol match. For the following match conditions, you
should explicitly specify the protocol match condition in the same term:
■ destination-port—Specify the match protocol tcp or protocol udp.
■ source-port—Specify the match protocol tcp or protocol udp.
If you do not specify the protocol when using the preceding fields, design your filters
carefully to ensure that they perform the expected matches. For example, if you
specify a match of destination-port ssh, the switch deterministically matches any
packets that have a value of 22 in the two-byte field that is two bytes beyond the
end of the IP header without ever checking the IP protocol field.
Related Topics
EX-series Switches

Understanding the Use of Policers in Firewall Filters

Policing, or rate limiting, is an important component of firewall filters that lets you
control the amount of traffic that enters an interface. A firewall filter configured with
a policer permits only traffic at specified data rates to provide protection from
denial-of-service (DOS) attacks. Traffic that exceeds the rate limits specified by the
policer can be discarded. Discard is the only supported policer action.
A policer applies two types of rate limits on traffic:

■ Bandwidth—The number of bits per second permitted, on average.
■ Maximum burst size—The maximum size permitted for bursts of data that exceed
the given bandwidth limit.
Policing uses an algorithm to enforce a limit on average bandwidth while allowing

bursts up to a specified maximum value.
After you name and configure a policer, it is stored as a template. You can then use
a policer in a firewall filter configuration.
Each policer that you configure includes an implicit counter that counts the number
of packets that exceed the rate limits that are specified for the policer. To get filter
or term-specific packets counts, you must configure a new policer for each filter or
term that requires policing.
Related Topics
EX-series Switches
Understanding the Use of Policers in Firewall Filters ■ 771


Chapter 46
Examples of Configuring Packet Filtering
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series
Switches
This example shows how to configure and apply firewall filters to control traffic that
is entering or exiting a port on the switch, a VLAN on the network, and a Layer 3
interface on the switch. Firewall filters define the rules that determine whether to
forward or deny packets at specific processing points in the packet flow.
■ Overview on page 774
■ Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit
TCP and ICMP Traffic on page 777
■ Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from
Disrupting VoIP Traffic on page 783
■ Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic
on the Employee VLAN on page 786
■ Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and
Peer-to-Peer Applications on the Guest VLAN on page 788
■ Configuring a Router Firewall Filter to Give Priority to Egress Traffic Destined
for the Corporate Subnet on page 790
Requirements
■ JUNOS Release 9.0 or later for EX-series switches.
■ Two Juniper Networks EX 3200-48T switches: one to be used as an access switch,
the other to be used as a distribution switch
■ One Juniper Networks EX-UM-4SFP uplink module
■ One Juniper Networks J-series router
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX-series Switches ■ 773
Before you configure and apply the firewall filters in this example, be sure you have:
■ An understanding of firewall filter concepts, policers, and CoS
■ Installed the uplink module in the distribution switch. See Installing an Uplink
Module in an EX-series Switch.
Overview
This configuration example show how to configure and apply firewall filters to provide
rules to evaluate the contents of packets and determine when to discard, forward,
classify, count, and analyze packets that are destined for or originating from the
EX-series switches that handle all voice-vlan, employee-vlan, and guest-vlan traffic.
Table 116 on page 774 shows the firewall filters that are configured for the EX-series
switches in this example.
Table 116: Configuration Components: Firewall Filters
Component Purpose/Description
Port firewall filter, This firewall filter performs two functions:
ingress-port-voip-class-limit-tcp-icmp
■ Assigns priority queueing to packets with a source MAC address that matches the
phone MAC addresses. The forwarding class expedited-forwarding provides low loss,
low delay, low jitter, assured bandwidth, and end-to-end service for all voice-vlan
traffic.
■ Performs rate limiting on packets that enter the ports for employee-vlan. The traffic
rate for TCP and ICMP packets is limited to 1 Mbps with a burst size up to 30,000
bytes.
This firewall filter is applied to port interfaces on the access switch.
VLAN firewall filter, Prevents rogue devices from using HTTP sessions to mimic the gatekeeper device that
ingress-vlan-rogue-block manages call registration, admission, and call status for VoIP calls. Only TCP or UDP
ports should be used; and only the gatekeeper uses HTTP. That is, all voice-vlan traffic on
TCP ports should be destined for the gatekeeper device. This firewall filter applies to all
phones on voice-vlan, including communication between any two phones on the VLAN
and all communication between the gatekeeper device and VLAN phones.
This firewall filter is applied to VLAN interfaces on the access switch.
VLAN firewall filter, Accepts employee-vlan traffic destined for the corporate subnet, but does not monitor this
egress-vlan-watch-employee traffic. Employee traffic destined for the Web is counted and analyzed.
This firewall filter is applied to vlan interfaces on the access switch.
VLAN firewall filter, Prevents guests (non-employees) from talking with employees or employee hosts on
ingress-vlan-limit-guest employee-vlan. Also prevents guests from using peer-to-peer applications on guest-vlan,
but allows guests to access the Web.
This firewall filter is applied to VLAN interfaces on the access switch.
Router firewall filter, Prioritizes employee-vlan traffic, giving highest forwarding-class priority to employee traffic
egress-router-corp-class destined for the corporate subnet.
This firewall filter is applied to a routed port (Layer 3 uplink module) on the distribution
switch.
774 ■ Overview
Chapter 46: Examples of Configuring Packet Filtering
Figure 43 on page 775 shows the application of port, VLAN, and Layer 3 routed firewall
filters on the switch.
Figure 43: Application of Port, VLAN, and Layer 3 Routed Firewall Filters
Network Topology
The topology for this configuration example consists of one EX-3200-48T switch at
the access layer, and one EX-3200-48T switch at the distribution layer. The distribution
switch's uplink module is configured to support a Layer 3 connection to a J-series
router.
The EX-series switches are configured to support VLAN membership.

Table 117 on page 775 shows the VLAN configuration components for the VLANs.
Table 117: Configuration Components: VLANs
VLAN Name VLAN ID VLAN Subnet and Available VLAN Description

IP Addresses
voice-vlan 10 192.0.2.0/28 192.0.2.1 Voice VLAN used for

through 192.0.2.14 employee VoIP traffic
192.0.2.15 is subnet’s
broadcast address
Network Topology ■ 775

Table 117: Configuration Components: VLANs (continued)

IP Addresses
employee-vlan 20 192.0.2.16/28 192.0.2.17 VLAN standalone PCs, PCs

through 192.0.2.30 connected to the network
192.0.2.31 is subnet’s through the hub in VoIP
broadcast address telephones, wireless access
points, and printers. This
VLAN completely includes the
voice VLAN. Two VLANs
(voice-vlan and employee-vlan)
must be configured on the
ports that connect to the
telephones.
guest-vlan 30 192.0.2.32/28 192.0.2.33 VLAN for guests’ data devices

through 192.0.2.46 (PCs). The scenario assumes
192.0.2.47 is subnet’s that the corporation has an
broadcast address area open to visitors, either
in the lobby or in a
conference room, that has a
hub to which visitors can plug
in their PCs to connect to the
Web and to their company’s
VPN.
camera-vlan 40 192.0.2.48/28 192.0.2.49 VLAN for the corporate

through 192.0.2.62 security cameras.
192.0.2.63 is subnet’s
broadcast address
Ports on the EX-series switches support Power over Ethernet (PoE) to provide both
network connectivity and power for VoIP telephones connecting to the ports.
Table 118 on page 776 shows the switch ports that are assigned to the VLANs and
the IP and MAC addresses for devices connected to the switch ports:
Table 118: Configuration Components: Switch Ports on a 48-Port All-PoE Switch
Switch and Port Number VLAN Membership IP and MAC Addresses Port Devices
ge-0/0/0, ge-0/0/1 voice-vlan, employee-vlan IP addresses: 192.0.2.1 Two VoIP telephones, each
through 192.0.2.2 connected to one PC.
MAC addresses:
00.05.85.00.00.01,
00.05.85.00–00.02
ge-0/0/2, ge-0/0/3 employee-vlan 192.0.2.17 through Printer, wireless access points

192.0.2.18
776 ■ Network Topology

Table 118: Configuration Components: Switch Ports on a 48-Port All-PoE Switch (continued)
Switch and Port Number VLAN Membership IP and MAC Addresses Port Devices
ge-0/0/4, ge-0/0/5 guest-vlan 192.0.2.34 through Two hubs into which visitors
192.0.2.35 can plug in their PCs. Hubs
are located in an area open
to visitors, such as a lobby or
conference room
ge-0/0/6, ge-0/0/7 camera-vlan 192.0.2.49 through Two security cameras

192.0.2.50
ge-0/0/9 voice-vlan IP address: 192.0.2.14 Gatekeeper device. The

gatekeeper manages call
MAC registration, admission, and
address:00.05.85.00.00.0E call status for VoIP phones.
ge-0/1/0 IP address: 192.0.2.65 Layer 3 connection to a

router; note that this is a port
on the switch’s uplink module
Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP
and ICMP Traffic
To configure and apply firewall filters for port, VLAN, and router interfaces, perform
these tasks:
CLI Quick Configuration To quickly configure and apply a port firewall filter to prioritize voice traffic and
rate-limit packets that are destined for the employee-vlan subnet, copy the following
[edit]
set firewall policer tcp-connection-policer if-exceeding burst-size-limit 30k
bandwidth-limit 1m
set firewall policer tcp-connection-policer then discard
Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP and ICMP Traffic ■ 777
set firewall policer icmp-connection-policer if-exceeding burst-size-limit 30k

bandwidth-limit 1m
set firewall policer icmp-connection-policer then discard
set firewall family ethernet-switching filter
ingress-port-voip-class-limit-tcp-icmp term voip-high from source-mac-address
00.05.85.00.00.01
ingress-port-voip-class-limit-tcp-icmp term voip-high from source-mac-address
00.05.85.00.00.02
ingress-port-voip-class-limit-tcp-icmp term voip-high from protocol udp
ingress-port-voip-class-limit-tcp-icmp term voip-high then forwarding-class
expedited-forwarding
ingress-port-voip-class-limit-tcp-icmp term voip-high then loss-priority low
ingress-port-voip-class-limit-tcp-icmp term network-control from precedence
net-control
ingress-port-voip-class-limit-tcp-icmp term network-control then forwarding-class
network-control
ingress-port-voip-class-limit-tcp-icmp term network-control then loss-priority
low
ingress-port-voip-class-limit-tcp-icmp term tcp-connection from destination-address
192.0.2.16/28
ingress-port-voip-class-limit-tcp-icmp term tcp-connection from protocol tcp
ingress-port-voip-class-limit-tcp-icmp term tcp-connection then policer
tcp-connection-policer
ingress-port-voip-class-limit-tcp-icmp term tcp-connection then count tcp-counter
ingress-port-voip-class-limit-tcp-icmp term tcp-connection then forwarding-class
best-effort
ingress-port-voip-class-limit-tcp-icmp term tcp-connection then loss-priority
high
ingress-port-voip-class-limit-tcp-icmp term icmp-connection from
destination-address 192.0.2.16/28
ingress-port-voip-class-limit-tcp-icmp term icmp-connection from protocol icmp
ingress-port-voip-class-limit-tcp-icmp term icmp-connection then policer
icmp-connection-policer
ingress-port-voip-class-limit-tcp-icmp term icmp-connection then count icmp-counter
ingress-port-voip-class-limit-tcp-icmp term icmp-connection then forwarding-class
best-effort
ingress-port-voip-class-limit-tcp-icmp term icmp-connection then loss-priority
high
ingress-port-voip-class-limit-tcp-icmp term best-effort then forwarding-class
best-effort
778 ■ Configuring an Ingress Port Firewall Filter to Prioritize Voice Traffic and Rate-Limit TCP and ICMP Traffic

ingress-port-voip-class-limit-tcp-icmp term best-effort then loss-priority high
set interfaces ge-0/0/0 description "voice priority and tcp and icmp traffic
rate-limiting filter at ingress port"
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input
set interfaces ge-0/0/1 description "voice priority and tcp and icmp traffic
rate-limiting filter at ingress port"
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input
set class-of-service schedulers voice-high buffer-size percent 15
set class-of-service schedulers voice-high priority high
set class-of-service schedulers net-control buffer-size percent 10
set class-of-service schedulers net-control priority high
set class-of-service schedulers best-effort buffer-size percent 75
set class-of-service schedulers best-effort priority low
set class-of-service scheduler-maps ethernet-diffsrv-cos-map forwarding-class
expedited-forwarding scheduler voice-high
network-control scheduler net-control
best-effort scheduler best-effort
Step-by-Step Procedure To configure and apply a port firewall filter to prioritize voice traffic and rate-limit
packets that are destined for the employee-vlan subnet:
1. Define the policers tcp-connection-policer and icmp-connection-policer:
[edit]
user@switch# set firewall policer tcp-connection-policer if-exceeding
burst-size-limit 30k bandwidth-limit 1m
user@switch# set firewall policer tcp-connection-policer then discard
user@switch# set firewall policer icmp-connection-policer if-exceeding
burst-size-limit 30k bandwidth-limit 1m
user@switch# set firewall policer icmp-connection-policer then discard
2. Define the firewall filter ingress-port-voip-class-limit-tcp-icmp:
[edit firewall]
user@switch# set family ethernet-switching filter
3. Define the term voip-high:
[edit firewall family ethernet-switching filter

ingress-port-voip-class-limit-tcp-icmp ]
user@switch# set term voip-high from source-mac-address 00.05.85.00.00.01
user@switch# set term voip-high from source-mac-address 00.05.85.00.00.02
user@switch# set term voip-high from protocol udp
user@switch# set term voip-high then forwarding-class expedited-forwarding
user@switch# set term voip-high then loss-priority low
4. Define the term network-control:

ingress-port-voip-class-limit-tcp-icmp ]
user@switch# set term network-control from precedence net-control

user@switch# set term network-control then forwarding-class network-control
user@switch# set term network-control then loss-priority low
5. Define the term tcp-connection to configure rate limits for TCP traffic:

ingress-port-voip-class-limit-tcp-icmp]
user@switch# set term tcp-connection from destination-address 192.0.2.16/28
user@switch# set term tcp-connection from protocol tcp
user@switch# set term tcp-connection then policer tcp-connection-policer
user@switch# set term tcp-connection then count tcp-counter
user@switch# set term tcp-connection then forwarding-class best-effort
user@switch# set term tcp-connection then loss-priority high
6. Define the term icmp-connection to configure rate limits for ICMP traffic:

user@switch# set term icmp-connection from destination-address
192.0.2.16/28
user@switch# set term icmp-connection from protocol icmp
user@switch# set term icmp-connection then policer icmp-policer
user@switch# set term icmp-connection then count icmp-counter
user@switch# set term icmp-connection then forwarding-class best-effort
user@switch# set term icmp-connection then loss-priority high
7. Define the term best-effort with no match conditions for an implicit match on
all packets that did not match any other term in the firewall filter:

user@switch# set term best-effort then forwarding-class best-effort
user@switch# set term best-effort then loss-priority high
8. Apply the firewall filter ingress-port-voip-class-limit-tcp-icmp as an input filter to

the port interfaces for employee-vlan :
[edit interfaces]
user@switch# set ge-0/0/0 description "voice priority and tcp and icmp
traffic rate-limiting filter at ingress port"
user@switch# set ge-0/0/0 unit 0 family ethernet-switching filter input
user@switch# set ge-0/0/1 description "voice priority and tcp and icmp
traffic rate-limiting filter at ingress port"
9. Configure the parameters that are desired for the different schedulers.
NOTE: When you configure parameters for the schedulers, define the numbers to
match your network traffic patterns.
[edit class-of-service]
user@switch# set schedulers voice-high buffer-size percent 15
user@switch# set schedulers voice-high priority high
user@switch# set schedulers network—control buffer-size percent 10
user@switch# set schedulers network—control priority high
user@switch# set schedulers best-effort buffer-size percent 75
user@switch# set schedulers best-effort priority low
10. Assign the forwarding-classes to schedulers with a scheduler map:
user@switch# set scheduler-maps ethernet-diffsrv-cos-map
user@switch# set scheduler-maps ethernet-diffsrv-cos-map forwarding-class
expedited-forwarding scheduler voice-high
network-control scheduler net-control
best-effort scheduler best-effort
11. Associate the scheduler map with the outgoing interface:
edit class-of-service
user@switch# set interfaces ge–0/1/0 scheduler-map ethernet-diffsrv-cos-map
user@switch# show
firewall {
policer tcp-connection-policer {
if-exceeding {
bandwidth-limit 1m;
burst-size-limit 30k;
}
then {
discard;
}
}
policer icmp-connection-policer {
if-exceeding {
bandwidth-limit 1m;
burst-size-limit 30k;
}
then {
discard;
}
}
filter ingress-port-voip-class-limit-tcp-icmp {
term voip-high {
from {
destination-mac-address 00.05.85.00.00.01;
destination-mac-address 00.05.85.00.00.02;
protocol udp;
}
then {
forwarding-class expedited-forwarding;
loss-priority low;
}
}
term network-control {
from {
precedence net-control ;
}
then {
forwarding-class network-control;
loss-priority low;
}
}
term tcp-connection {
from {
destination-address 192.0.2.16/28;
protocol tcp;
}
then {
policer tcp-connection-policer;
count tcp-counter;
forwarding-class best-effort;
loss-priority high;
}
}
term icmp-connection
from {
protocol icmp;
}
then {
policer icmp-connection-policer;
count icmp-counter;
loss-priority high;
}
}
term best-effort {
then {
loss-priority high;
}
}
}
}
}
interfaces {
ge-0/0/0 {
description "voice priority and tcp and icmp traffic rate-limiting filter at ingress
port";
unit 0 {
filter {
input ingress-port-voip-class-limit-tcp-icmp;
}
}
}
}
ge-0/0/1 {
description "voice priority and tcp and icmp traffic rate-limiting filter at ingress
port";
unit 0 {
filter {
input ingress-port-voip-class-limit-tcp-icmp;
}
}
}
}
}
scheduler-maps {
ethernet-diffsrv-cos-map {
forwarding-class expedited-forwarding scheduler voice-high;
forwarding-class network-control scheduler net-control;
forwarding-class best-effort scheduler best-effort;
}
}
interfaces {
ge/0/1/0 {
scheduler-map ethernet-diffsrv-cos-map;
}
}
Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from Disrupting VoIP
Traffic
these tasks:
Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from Disrupting VoIP Traffic ■ 783
CLI Quick Configuration To quickly configure a VLAN firewall filter on voice-vlan to prevent rogue devices from
using HTTP sessions to mimic the gatekeeper device that manages VoIP traffic, copy
the following commands and paste them into the switch terminal window:
[edit]
set firewall family ethernet-switching filter ingress-vlan-rogue-block term
to-gatekeeper from destination-address 192.0.2.14
to-gatekeeper from destination-port 80
to-gatekeeper then accept
from-gatekeeper from source-address 192.0.2.14
from-gatekeeper from source-port 80
from-gatekeeper then accept
not-gatekeeper from destination-port 80
not-gatekeeper then count rogue-counter
not-gatekeeper then discard
set vlans voice-vlan description "block rogue devices on voice-vlan"
set vlans voice-vlan filter input ingress-vlan-rogue-block
Step-by-Step Procedure To configure and apply a VLAN firewall filter on voice-vlan to prevent rogue devices
from using HTTP to mimic the gatekeeper device that manages VoIP traffic:
1. Define the firewall filter ingress-vlan-rogue-block to specify filter matching on the

traffic you want to permit and restrict:
[edit firewall]
user@switch# set family ethernet-switching filter ingress-vlan-rogue-block
2. Define the term to-gatekeeper to accept packets that match the destination IP
address of the gatekeeper:
[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]

user@switch# set term to-gatekeeper from destination-address 192.0.2.14
user@switch# set term to-gatekeeper from destination-port 80
user@switch# set term to-gatekeeper then accept
3. Define the term from-gatekeeper to accept packets that match the source IP
address of the gatekeeper:

user@switch# set term from-gatekeeper from source-address 192.0.2.14
user@switch# set term from-gatekeeper from source-port 80
user@switch# set term from-gatekeeper then accept
4. Define the term not-gatekeeper to ensure all voice-vlan traffic on TCP ports is
destined for the gatekeeper device:
784 ■ Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from Disrupting VoIP Traffic
user@switch# set term not-gatekeeper from destination-port 80

user@switch# set term not-gatekeeper then count rogue-counter
user@switch# set term not-gatekeeper then discard
5. Apply the firewall filter ingress-vlan-rogue-block as an input filter to the VLAN

interface for the VoIP telephones:
[edit interfaces]
user@switch# set vlans voice—vlan description "block rogue devices on
voice-vlan"
user@switch# set vlans voice—vlan filter input ingress-vlan-rogue-block
user@switch# show
firewall {
filter ingress-vlan-rogue-block {
term to-gatekeeper {
from {
destination-port 80;
}
then {
accept;
}
}
term from-gatekeeper {
from {
source-address 192.0.2.14/32
source-port 80;
}
then {
accept;
}
}
term not-gatekeeper {
from {
}
then {
count rogue-counter;
discard;
}
}
}
vlans {
voice-vlan {
description "block rogue devices on voice-vlan";
filter {
input ingress-vlan-rogue-block;
}
}
Configuring a VLAN Ingress Firewall Filter to Prevent Rogue Devices from Disrupting VoIP Traffic ■ 785
Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic on the
Employee VLAN
these tasks:
CLI Quick Configuration A firewall filter is configured and applied to VLAN interfaces to filter employee-vlan
egress traffic. Employee traffic destined for the corporate subnet is accepted but not
monitored. Employee traffic destined for the Web is counted and analyzed.
To quickly configure and apply a VLAN firewall filter, copy the following commands
[edit]
set firewall family ethernet-switching filter egress-vlan-watch-employee term
employee-to-corp from destination-address 192.0.2.16/28
employee-to-corp then accept
employee-to-web from destination-port 80
employee-to-web then count employee-web-counter
employee-to-web then analyzer employee-monitor
set vlans employee-vlan description "filter at egress VLAN to count and analyze
employee to Web traffic"
set vlans employee-vlan filter output egress-vlan-watch-employee
786 ■ Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic on the Employee VLAN
Step-by-Step Procedure To configure and apply an egress port firewall filter to count and analyze
employee-vlan traffic that is destined for the Web:
1. Define the firewall filter egress-vlan-watch-employee:
[edit firewall]
user@switch# set family ethernet-switching filter
egress-vlan-watch-employee
2. Define the term employee-to-corp to accept but not monitor all employee-vlan
traffic destined for the corporate subnet:
[edit firewall family ethernet-switching filter egress-vlan-watch-employee]

user@switch# set term employee-to-corp from destination-address
192.0.2.16/28
user@switch# set term employee-to-corp then accept
3. Define the term employee-to-web to count and monitor all employee-vlan traffic
destined for the Web:
[edit firewall family ethernet-switching filter egress-vlan-watch-employee]

user@switch# set term employee-to-web from destination-port 80
user@switch# set term employee-to-web then count employee-web-counter
user@switch# set term employee-to-web then analyzer employee-monitor
NOTE: See Example: Configuring Port Mirroring for Local Monitoring of Employee
Resource Use on EX-series Switches for information about configuring the
employee-monitor analyzer.
4. Apply the firewall filter egress-vlan-watch-employee as an output filter to the port

interfaces for the VoIP telephones:
[edit]
user@switch# set vlans employee-vlan description "filter at egress VLAN
to count and analyze employee to Web traffic"
user@switch# set vlans employee-vlan filter output
egress-vlan-watch-employee
user@switch# show
firewall {
filter egress-vlan-watch-employee {
term employee-to-corp {
from {
}
then {
accept;
Configuring a VLAN Firewall Filter to Count, Monitor, and Analyze Egress Traffic on the Employee VLAN ■ 787
}
}
term employee-to-web {
from {
}
then {
count employee-web-counter:
analyzer employee-monitor;
}
}
}
}
}
vlans {
employee-vlan {
description "filter at egress VLAN to count and analyze employee to Web traffic";
filter {
output egress-vlan-watch-employee;
}
}
}
Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and Peer-to-Peer

Applications on the Guest VLAN
these tasks:
CLI Quick Configuration In the following example, the first filter term permits guests to talk with other guests
but not employees on employee-vlan. The second filter term allows guests Web access
but prevents them from using peer-to-peer applications on guest-vlan.
To quickly configure a VLAN firewall filter to restrict guest-to-employee traffic, blocking

guests from talking with employees or employee hosts on employee-vlan or attempting
788 ■ Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and Peer-to-Peer Applications on the Guest VLAN
to use peer-to-peer applications on guest-vlan, copy the following commands and

paste them into the switch terminal window:
[edit]
set firewall family ethernet-switching filter ingress-vlan-limit-guest term
guest-to-guest from destination-address 192.0.2.33/28
guest-to-guest then accept
no-guest-employee-no-peer-to-peer from destination-mac-address 00.05.85.00.00.DF
no-guest-employee-no-peer-to-peer then accept
set vlans guest-vlan description "restrict guest-to-employee traffic and
peer-to-peer applications on guest VLAN"
set vlans guest-vlan filter input ingress-vlan-limit-guest
Step-by-Step Procedure To configure and apply a VLAN firewall filter to restrict guest-to-employee traffic and
peer-to-peer applications on guest-vlan:
1. Define the firewall filter ingress-vlan-limit-guest:
[edit firewall]
set firewall family ethernet-switching filter ingress-vlan-limit-guest
2. Define the term guest-to-guest to permit guests on the guest-vlan to talk with
other guests but not employees on the employee-vlan:
[edit firewall family ethernet-switching filter ingress-vlan-limit-guest]

user@switch# set term guest-to-guest from destination-address 192.0.2.33/28
user@switch# set term guest-to-guest then accept
3. Define the term no-guest-employee-no-peer-to-peer to allow guests on guest-vlan

Web access but prevent them from using peer-to-peer applications on the
guest-vlan.
NOTE: The destination-mac-address is the default gateway, which for any host in a
VLAN is the next-hop router.
[edit firewall family ethernet-switching filter ingress-vlan-limit-guest]

user@switch# set term no-guest-employee-no-peer-to-peer from
destination-mac-address 00.05.85.00.00.DF
user@switch# set term no-guest-employee-no-peer-to-peer then accept
4. Apply the firewall filter ingress-vlan-limit-guest as an input filter to the interface

for guest-vlan :
[edit]
user@switch# set vlans guest-vlan description "restrict guest-to-employee
traffic and peer-to-peer applications on guest VLAN"
user@switch# set vlans guest-vlan filter input ingress-vlan-limit-guest
Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and Peer-to-Peer Applications on the Guest VLAN ■ 789
user@switch# show
firewall {
filter ingress-vlan-limit-guest {
term guest-to-guest {
from {
}
then {
accept;
}
}
term no-guest-employee-no-peer-to-peer {
from {
destination-mac-address 00.05.85.00.00.DF;
}
then {
accept;
}
}
}
}
}
vlans {
guest-vlan {
description "restrict guest-to-employee traffic and peer-to-peer applications on
guest VLAN";
filter {
input ingress-vlan-limit-guest;
}
}
}
Configuring a Router Firewall Filter to Give Priority to Egress Traffic Destined for the
Corporate Subnet
these tasks:
790 ■ Configuring a Router Firewall Filter to Give Priority to Egress Traffic Destined for the Corporate Subnet

CLI Quick Configuration To quickly configure a firewall filter for a routed port (Layer 3 uplink module) to filter
employee-vlan traffic, giving highest forwarding-class priority to traffic destined for
the corporate subnet, copy the following commands and paste them into the switch
terminal window:
[edit]
set firewall family inet filter egress-router-corp-class term corp-expedite from
set firewall family inet filter egress-router-corp-class term corp-expedite then
forwarding-class expedited-forwarding
set firewall family inet filter egress-router-corp-class term corp-expedite then
loss-priority low
set firewall family inet filter egress-router-corp-class term not-to-corp then
accept
set interfaces ge-0/1/0 description "filter at egress router to expedite destined
for corporate network"
set ge-0/1/0 unit 0 family inet source-address 103.104.105.1
set interfaces ge-0/1/0 unit 0 family inet filter output egress-router-corp-class
Step-by-Step Procedure To configure and apply a firewall filter to a routed port (Layer 3 uplink module) to
give highest priority to employee-vlan traffic destined for the corporate subnet:
1. Define the firewall filter egress-router-corp-class:
[edit]
user@switch# set firewall family inet filter egress-router-corp-class
2. Define the term corp-expedite:
[edit firewall]
user@switch# set family inet filter egress-router-corp-class term
corp-expedite from destination-address 192.0.2.16/28
corp-expedite then forwarding-class expedited-forwarding
corp-expedite then loss-priority low
3. Define the term not-to-corp:
[edit firewall]
not-to-corp then accept
4. Apply the firewall filter egress-router-corp-class as an output filter for the port
on the switch's uplink module, which provides a Layer 3 connection to a router:
[edit interfaces]
user@switch# set ge-0/1/0 description "filter at egress router to expedite
employee traffic destined for corporate network"
Configuring a Router Firewall Filter to Give Priority to Egress Traffic Destined for the Corporate Subnet ■ 791
user@switch# set ge-0/1/0 unit 0 family inet source-address 103.104.105.1

user@switch# set ge-0/1/0 unit 0 family inet filter output
egress-router-corp-class
user@switch# show
firewall {
family inet {
filter egress-router-corp-class {
term corp-expedite {
from {
}
then {
forwarding-class expedited-forwarding;
loss-priority low;
}
}
term not-to-corp {
then {
accept;
}
}
}
}
}
interfaces {
ge-0/1/0 {
unit 0 {
description "filter at egress router interface to expedite employee traffic
destined for corporate network";
family inet {
source-address 103.104.105.1
filter {
output egress-router-corp-class;
}
}
}
}
}
Verification
To confirm that the firewall filters are working properly, perform the following tasks:
■ Verifying that Firewall Filters and Policers are Operational on page 793
■ Verifying that Schedulers and Scheduler-Maps are Operational on page 793
Verifying that Firewall Filters and Policers are Operational

Purpose Verify the operational state of the firewall filters and policers that are configured on
the switch.
user@switch> show firewall

Filter: ingress-port-voip-class-limit-tcp-icmp
Counters:
Name Packets
icmp-counter 0
tcp-counter 0
Policers:
Name Packets
icmp-connection-policer 0
tcp-connection-policer 0
Filter: ingress-vlan-rogue-block
Filter: egress-vlan-watch-employee
Counters:
Name Packets
employee-web—counter 0
What It Means The show firewall command displays the names of the firewall filters, policers, and
counters that are configured on the switch. The output fields show byte and packet
counts for all configured counters and the packet count for all policers.
Verifying that Schedulers and Scheduler-Maps are Operational

Purpose Verify that schedulers and scheduler-maps are operational on the switch.
user@switch> show class-of-service scheduler-map
Scheduler map: default, Index: 2
Scheduler: default-be, Forwarding class: best-effort, Index: 20

Transmit rate: 95 percent, Rate Limit: none, Buffer size: 95 percent,
Priority: low
Drop profiles:
Loss priority Protocol Index Name
Low non-TCP 1 default-drop-profile
Low TCP 1 default-drop-profile
High non-TCP 1 default-drop-profile
High TCP 1 default-drop-profile
Scheduler: default-nc, Forwarding class: network-control, Index: 22

Priority: low
Drop profiles:
Low non-TCP 1 default-drop-profile
Low TCP 1 default-drop-profile
High non-TCP 1 default-drop-profile
Verifying that Firewall Filters and Policers are Operational ■ 793

High TCP 1 default-drop-profileScheduler map:

ethernet-diffsrv-cos-map, Index: 21657
Scheduler: best-effort, Forwarding class: best-effort, Index: 61257

Transmit rate: remainder, Rate Limit: none, Buffer size: 75 percent,
Priority: low
Drop profiles:
Low non-TCP 1 <default-drop-profile>
Low TCP 1 <default-drop-profile>
High non-TCP 1 <default-drop-profile>
High TCP 1 <default-drop-profile>
Scheduler: voice-high, Forwarding class: expedited-forwarding, Index: 3123

Priority: high
Drop profiles:
Scheduler: net-control, Forwarding class: network-control, Index: 2451

Priority: high
Drop profiles:
What It Means Displays statistics about the configured schedulers and schedulers-maps.
Related Topics
■ Example: Configuring Port Mirroring for Remote Monitoring of Employee
Resource Use on EX-series Switches
■ [edit firewall] Configuration Statement Hierarchy

Chapter 47
Configuring Packet Filtering
■ Configuring Firewall Filters (CLI Procedure) on page 795

■ Configuring Firewall Filters (J-Web Procedure) on page 800
■ Configuring Policers to Control Traffic Rates (CLI Procedure) on page 804
■ Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding
Behavior (CLI Procedure) on page 807
Configuring Firewall Filters (CLI Procedure)

You configure firewall filters on EX-series switches to control traffic that enters ports
on the switch or enters and exits VLANs on the network and Layer 3 (routed)
interfaces. To configure a firewall filter you must configure the filter and then apply
it to a port, VLAN, or Layer 3 interface.
1. Configuring a Firewall Filter on page 795
2. Applying a Firewall Filter to a Port on a Switch on page 798
3. Applying a Firewall Filter to a VLAN on a Network on page 799
4. Applying a Firewall Filter to a Layer 3 (Routed) Interface on page 799
Configuring a Firewall Filter

To configure a firewall filter:
Configuring Firewall Filters (CLI Procedure) ■ 795

1. Configure the family address type for a firewall filter:

■ For a firewall filter that is applied to a port or VLAN, specify the family
address type ethernet-switching (or bridge) to filter Layer 2 (Ethernet) packets
and Layer 3 (IP) packets, for example:
[edit firewall]
user@switch# set family ethernet-switching
■ For a firewall filter that is applied to a Layer 3 (routed) interface, specify the
family address type inet to filter IPv4 packets, for example:
[edit firewall]
user@switch# set family inet
2. Specify the filter name:
[edit firewall family ethernet-switching]

user@switch# set filter ingress-port-filter
The filter name can contain letters, numbers, and hyphens (-) and can be up to
64 characters long. Each filter name must be unique.
3. Specify a term name:
[edit firewall family ethernet-switching filter ingress-port-filter]

user@switch# set term term-one
The term name can contain letters, numbers, and hyphens (-) and can be up to
64 characters long.
A firewall filter can contain one or more terms. Each term name must be unique
within a filter.
NOTE: For EX-series switches, the number of terms allowed per firewall filter cannot
exceed 2048. If you attempt to configure a firewall filter that exceeds this limit, the
switch returns the following message after the commit operation:
Number of filter terms 2048 exceeded: Only 2048 terms can be defined.
4. In each firewall filter term, specify the match conditions to use to match
components of a packet.
To specify match conditions to match on packets that contain a specific

source-address and source-port—for example:
796 ■ Configuring a Firewall Filter

Chapter 47: Configuring Packet Filtering
[edit firewall family ethernet-switching filter ingress-port-filter term

term-one]
user@switch# set from source-address 192.0.2.14
user@switch# set from source-port 80
You can specify one or more match conditions in a single from statement. For
a match to occur, the packet must match all the conditions in the term.
The from statement is optional, but if included in a term, the from statement
cannot be empty. If you omit the from statement, all packets are considered to
match.
5. In each firewall filter term, specify the actions to take if the packet matches all
the conditions in that term.
You can specify an action and/or action modifiers:

■ To specify a filter action, for example, to discard packets that match the
conditions of the filter term:

term-one]
user@switch# set then discard
You can specify no more than one action (accept or discard) per filter term.
■ To specify action modifiers, for example, to count and classify packets in a
forwarding class:

term-one]
user@switch# set then count counter-one
user@switch# set then forwarding-class expedited-forwarding
You can specify any of the following action modifiers in a then statement:
■ analyzer analyzer-name—Mirror port traffic to a specified destination port
or VLAN that is connected to a protocol analyzer application. An analyzer
must be configured under the ethernet-switching family address type.
For information, see Configuring Port Mirroring to Analyze Traffic on
EX-Series Switches (CLI Procedure).
■ count counter-name—Count the number of packets that pass this filter
term.
Configuring a Firewall Filter ■ 797

NOTE: We recommend that you configure a counter for each term in a firewall filter,
so that you can monitor the number of packets that match the conditions specified
in each filter term.
■ forwarding-class class—Classify packets in a forwarding class.
■ loss-priority priority—Set the priority of dropping a packet.
■ policer policer-name—Apply rate-limiting to the traffic.
If you omit the then statement or do not specify an action, packets that match
all the conditions in the from statement are accepted. However, you should always
explicitly configure an action and/or action modifier in the then statement. You
can include no more than one action statement, but any combination of action
modifiers. For an action or action modifier to take effect, all conditions in the
from statement must match.
Applying a Firewall Filter to a Port on a Switch

To apply a firewall filter to an ingress port on a switch:
1. Specify the interface name and provide a meaningful description of the firewall
filter and the interface to which the filter is applied:
[edit interfaces]
user@switch# set ge-0/0/1 description "filter to limit tcp traffic filter
at trunk port for employee-vlan and voice-vlan"
2. Specify the unit number and family address type for the interface:
[edit interfaces]
user@switch# set ge-0/0/1 unit 0 family ethernet-switching
For firewall filters that are applied to ports, the family address type must be
ethernet-switching (or bridge).
3. To apply a firewall filter to filter packets that are entering a port:
[edit interfaces]
ingress-port-filter
You cannot apply a firewall filter to filter packets that are exiting ports.
NOTE: You can apply no more than one firewall filter per ingress port.
798 ■ Applying a Firewall Filter to a Port on a Switch

Applying a Firewall Filter to a VLAN on a Network

To apply a firewall filter to a VLAN:
1. Specify the VLAN name and VLAN ID and provide a meaningful description of
the firewall filter and the VLAN to which the filter is applied:
[edit vlans]
user@switch# set employee–vlan vlan 20 vlan-description "filter to rate
limit traffic on employee-vlan"
2. Apply firewall filters to filter packets that are entering or exiting a VLAN:
■ To apply a firewall filter to filter packets that are entering the VLAN:
[edit vlans]
user@switch# set employee-vlan vlan 20 filter input ingress-vlan-filter
■ To apply a firewall filter to filter packets that are exiting the VLAN:
[edit vlans]
user@switch# set employee-vlan vlan 20 filter output egress-vlan-filter
NOTE: You can apply no more than one firewall filter per VLAN, per direction.
Applying a Firewall Filter to a Layer 3 (Routed) Interface

To apply a firewall filter to a Layer 3 routed interface on a switch:
1. Specify the interface name and provide a meaningful description of the firewall
filter and the interface to which the filter is applied:
[edit interfaces]
user@switch# set ge-0/1/0 description "filter to count and monitor
employee—vlan traffic on layer 3 interface"
2. Specify the unit number, family address type, and address for the interface:
[edit interfaces]
user@switch# set ge-0/1/0 unit 0 family inet source-address 10.10.10.1/24
For firewall filters applied to Layer 3 routed interfaces, the family address type
must be inet.
3. You can apply firewall filters to filter packets that are entering or exiting a Layer 3
routed interface:
■ To apply a firewall filter to filter packets that are entering a Layer 3 interface:
Applying a Firewall Filter to a VLAN on a Network ■ 799

[edit interfaces]
filter input ingress-router-filter
■ To apply a firewall filter to filter packets that are exiting a Layer 3 interface,
include the filter input statement, for example:
[edit interfaces]
filter output egress-router-filter
NOTE: You can apply no more than one firewall filter per Layer 3 interface, per
direction.
Related Topics
EX-series Switches
■ Verifying That Firewall Filters Are Operational
■ Monitoring Firewall Filter Traffic
■ Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding
Behavior (CLI Procedure)
Configuring Firewall Filters (J-Web Procedure)

To configure firewall filters settings using the J-Web interface:
1. Select Configure > Security > Filters.
The Firewall Filter Configuration screen displays a list of all configured VLAN or
router filters and the ports or VLANs associated with a particular filter.
2. Click one:

■ Add—Select this option to create a new filter. Enter information as specified

■ Edit—Select this option to edit an existing filter settings. Enter information
as specified in Table 119 on page 801.
■ Delete—Select this option to delete a filter.
■ Term Up—Select this option to move a term up in the filter term list.
■ Term Down—Select this option to move a term down in the filter term list.
Table 119: Create a New Filter
Filter tab
Filter type Specifies the filter type: Port/VLAN firewall filter or Select the filter type.
Router firewall filter.
Filter name Specifies the name for the filter. Enter a name.
Select terms to be part Specifies the terms to be associated with the filter. Add Click Add to add new terms. Enter
of the filter new terms or edit existing terms. information as specified in
Association tab
Port Associations Specifies the ports with which the filter is associated. 1. Click Add.
NOTE: For a Port/VLAN filter type only Ingress direction 2. Select the direction: Ingress or
is supported for port association. Egress.
3. Select the ports.
4. Click OK.
VLAN Associations Specifies the VLANs with which the filter is associated. 1. Click Add.
NOTE: Because Router firewall filters can be associated 2. Select the direction: Ingress or
with ports only, this section is not displayed for a Router Egress.
firewall filter. 3. Select the VLANs.
4. Click OK.
Table 120: Create a New Term
Term Name Specifies the name of the term. Enter a name.
Protocols Specifies the protocols to be associated with the 1. Click Add.

term.
2. Select the protocols.
3. Click OK.
Configuring Firewall Filters (J-Web Procedure) ■ 801

Table 120: Create a New Term (continued)
Source/Destination Specifies the IP address, MAC address, and Click Edit to enter the IP address and select the
available ports. ports for the source and destination.
NOTE: MAC address is specified only for a

Port/VLAN filters.
Action Specifies the packet actions for the term. Select one:
■ Accept
■ Discard
More Specifies advanced configuration options for the Select the Match conditions as specified in
filter. Table 121 on page 802.
Select the packet actions for the term as specified

Table 121: Term-Advanced Options
Table Function Your Action
ICMP Type Specifies the ICMP packet type field. Typically, you specify this match Select the option from the list.
in conjunction with the protocol match to determine which protocol
is being used on the port.
ICMP Code Specifies more specific information than icmp-type. Because the value’s Select one:
meaning depends upon the associated icmp-type, you must specify
icmp-type along with icmp-code. The keywords are grouped by the ■ Parameter-problem
ICMP type with which they are associated. ■ Redirect
■ Time-exceeded
■ Unreachable
Fragment Flags Specifies the IP fragmentation flags. Select either the option
is-fragement or enter a
NOTE: Fragment flags is supported on ingress ports, VLANs, and router combination of fragment flags.
interfaces.
TCP Flags Specifies one or more TCP flags. Select either the option tcp-initial
or enter a combination of TCP
NOTE: TCP flags is supported on ingress ports, VLANs, and router flags.
interfaces.
IP Precedence Specifies IP precedence. The options are: assured forwarding, Select the option from the list.
best-effort, expedited-forwarding, network-control.
NOTE: IP precedence and DSCP number cannot be specified together

for the same term.
Interface Specifies the interface association. Select the interface from the list.
802 ■ Configuring Firewall Filters (J-Web Procedure)

Table 121: Term-Advanced Options (continued)
Ether Type Specifies the ethernet type field of a packet. Select one:
NOTE: This option is not applicable for a Routing filter. ■ Arp

■ Dot 1q
dot1q-tag Specifies the tag field in the Ethernet header. Values can be from 1 Enter the required number.
through 4095.
NOTE: This option is not applicable for a Routing filter.
Dot 1q User Specifies the user-priority field of the tagged Ethernet packet. Enter a number or the
Priority User-priority values can be 0–7. corresponding text synonym.
In place of the numeric value, you can specify one of the following
text synonyms (the field values are also listed)
■ background (1)—Background
■ best-effort (0)—Best effort
■ controlled-load (4)—Controlled load
■ excellent-load (3)—Excellent load
■ network-control (7)—Network control reserved traffic
■ standard (2)—Standard or Spare
■ video (5)—Video
■ voice (6)—Voice
DSCP Number Specifies the Differentiated Services code point (DSCP). The DiffServ Select the DSCP number from
protocol uses the type-of-service (ToS) byte in the IP header. The most the list.
significant six bits of this byte form the DSCP.
Select VLAN Specifies the VLAN to be associated. Select the VLAN from the list.
TTL Value Specifies the time-to-live value. Enter a value.
NOTE: This option is applicable for a Routing filter.
Packet Length Specifies the length of the packet. Enter a value.
NOTE: This option is applicable for a Routing filter.
Action
Counter Name Specifies the count of the number of packets that pass this filter, term, Enter a value.
or policer.
Configuring Firewall Filters (J-Web Procedure) ■ 803

Table 121: Term-Advanced Options (continued)
Forwarding Class Classifies the packet into one of the following forwarding classes: Select the option from the list.
■ best-effort
■ network-control
■ user-defined
Loss Priority Specifies the Packet Loss Priority. Enter the value.
NOTE: Forwarding Class and Loss Priority should be specified together

for the same term.
Analyzer Specifies whether to perform port-mirroring on packets. Port-mirroring Select the analyzer from the list.
copies all packets seen on one switch port to a network monitoring
connection on another switch port.
Related Topics
Configuring Policers to Control Traffic Rates (CLI Procedure)

You can configure policers to rate limit traffic on EX-series switches. After you
configure a policer, you can include it in an ingress firewall filter configuration.
When you configure a firewall filter, you can specify a policer action for any term or
terms within the filter. All traffic that matches a term that contains a policer action
goes through the policer that the term references. Each policer that you configure
includes an implicit counter. To get term-specific packet counts, you must configure
a new policer for each filter term that requires policing.
The following policer limits apply on the switch:

■ A maximum of 512 policers can be configured for port firewall filters.
■ A maximum of 512 policers can be configured for VLAN and Layer 3 firewall
filters.
If the policer configuration exceeds these limits, the switch returns the following
message after the commit operation:
Cannot assign policers: Max policer limit reached

1. Configuring Policers on page 805

2. Specifying Policers in a Firewall Filter Configuration on page 806
3. Applying a Firewall Filter That Is Configured with a Policer on page 806
Configuring Policers
To configure a policer:
1. Specify the name of the policer:
[edit firewall]
user@switch# set policer policer-one
The policer name can contain letters, numbers, and hyphens (-) and can be up
to 64 characters long.
2. Configure rate limiting for the policer:
a. Specify the bandwidth limit in bits per second (bps) to control the traffic rate
on an interface:
[edit firewall policer policer-one]

user@switch# set if-exceeding bandwidth-limit 300k
The range for the bandwidth limit is 1k through 102.3g bps.
b. Specify the maximum allowed burst size to control the amount of traffic
bursting:
[edit firewall policer policer-one]

user@switch# set if-exceeding burst-size-limit 500k
To determine the value for the burst-size limit, multiply the bandwidth of
the interface on which the filter is applied by the amount of time to allow a
burst of traffic at that bandwidth to occur:
burst size = bandwidth * allowable time for burst traffic
The range for the burst-size limit is 1 through 2,147,450,880 bytes.
3. Specify the policer action discard to discard packets that exceed the rate limits:
[edit firewall policer]

user@switch# set policer-one then discard
Discard is the only supported policer action.
Configuring Policers ■ 805

Specifying Policers in a Firewall Filter Configuration

To reference a policer, configure a filter term that includes the policer action:

user@switch# set filter limit-hosts term term-one from source-address 192.0.2.16/28
userswitch# set filter limit-hosts term term-one then policer policer-one
Applying a Firewall Filter That Is Configured with a Policer

A firewall filter that is configured with one or more policer actions, like any other
filter, must be applied to a port, VLAN, or Layer 3 interface. For information about
applying firewall filters, see the sections on applying firewall filters in Configuring
Firewall Filters (CLI Procedure).
NOTE: You can include policer actions on ingress firewall filters only.
Related Topics
EX-series Switches
■ Verifying That Policers Are Operational
806 ■ Specifying Policers in a Firewall Filter Configuration

Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding

Behavior (CLI Procedure)
You can configure firewall filters with multifield classifiers to classify packets transiting
a port, VLAN, or Layer 3 interface on an EX-series switch.
You specify multifield classifiers in a firewall filter configuration to set the forwarding
class and packet loss priority (PLP) for incoming or outgoing packets. By default,
packets that are not classified are assigned to the best-effort class associated with
queue 0.
You can specify any of the following default forwarding classes:
Forwarding class Queue
best-effort 0
assured-forwarding 1
expedited-forwarding 5
network-control 7
To assign multifield classifiers in firewall filters:

1. Configure the family name and filter name for the filter at the [edit firewall]
hierarchy level, for example:
[edit firewall]
user@switch# set family ethernet-switching
user@switch# set family ethernet-switching filter ingress-filter
2. Configure the terms of the filter, including the forwarding-class and loss-priority
action modifiers as appropriate. When you specify a forwarding class you must
also specify the packet loss priority. For example, each of the following terms
examines different packet header fields and assigns an appropriate classifier
and the packet loss priority:
■ The term voice-traffic matches packets on the voice-vlan and assigns the
forwarding class expedited-forwarding and packet loss priority low:
[edit firewall family ethernet-switching filter ingress-filter]

user@switch# set term voice-traffic from vlan-id voice-vlan
user@switch# set term voice-traffic then forwarding-class
expedited-forwarding
user@switch# set term voice-traffic then loss-priority low
■ The term data-traffic matches packets on employee-vlan and assigns the

forwarding class assured-forwarding and packet loss priority low:
Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure) ■ 807
user@switch# set term data-traffic from vlan-id employee-vlan

user@switch# set term data-traffic then forwarding-class assured-forwarding
user@switch# set term data-traffic then loss-priority low
■ Because loss of network-generated packets can jeopardize proper network

operation, delay is preferable to discard of packets. The following term,
network-traffic, assigns the forwarding class network-control and packet loss
priority low:

user@switch# set term network-traffic from precedence net-control
user@switch# set term network-traffic then forwarding-class network
user@switch# set term network-traffic then loss-priority low
■ The last term accept-traffic matches any packets that did not match on any
of the preceding terms and assigns the forwarding class best-effort and packet
loss priority low:

user@switch# set term accept-traffic from precedence net-control
user@switch# set term accept-traffic then forwarding-class best-effort
user@switch# set term accept-traffic then loss-priority low
3. Apply the filter ingress-filter to a port, VLAN or Layer 3 interface. For information
about applying the filter, see Configuring Firewall Filters (CLI Procedure).
Related Topics
■ Defining Classifiers (J-Web Procedure)
EX-series Switches

Chapter 48
Verifying Packet Filtering
■ Verifying That Firewall Filters Are Operational on page 809

■ Verifying That Policers Are Operational on page 810
■ Monitoring Firewall Filter Traffic on page 811
Verifying That Firewall Filters Are Operational

Purpose After you configure and apply firewall filters to ports, VLANs, or Layer 3 interfaces,
you can perform the following task to verify that the firewall filters configured on
EX-series switches are working properly.
Action Use the operational mode command to verify that the firewall filters on the switch
are working properly:

Counters:
Name Bytes Packets
counter-employee-web 0 0
Counters:
Name Bytes Packets
icmp-counter 0 0
Policers:
Name Packets
Filter: ingress-vlan-limit-guest
What It Means The show firewall command displays the names of all firewall filters, policers, and
counters that are configured on the switch. For each counter that is specified in a
filter configuration, the output field shows the byte count and packet count for the
term in which the counter is specified. For each policer that is specified in a filter
configuration, the output field shows the packet count for packets that exceed the
specified rate limits.
Verifying That Firewall Filters Are Operational ■ 809

Related Topics
EX-series Switches
Verifying That Policers Are Operational

Purpose After you configure policers and include them in firewall filter configurations, you
can perform the following tasks to verify that the policers configured on EX-series
switches are working properly.
Action Use the operational mode command to verify that the policers on the switch are
working properly:
user@switch> show policer

Filter: ingress-port-filter
Policers:
Name Packets
What It Means The show policer command displays the names of all firewall filters and policers that
are configured on the switch. For each policer that is specified in a filter configuration,
the output field shows the current packet count for all packets that exceed the
specified rate limits.
Related Topics
EX-series Switches

Chapter 48: Verifying Packet Filtering
Monitoring Firewall Filter Traffic

You can monitor firewall filter traffic on EX-series switches.
1. Monitoring Traffic for All Firewall Filters and Policers That Are Configured on
the Switch on page 811
2. Monitoring Traffic for a Specific Firewall Filter on page 811
3. Monitoring Traffic for a Specific Policer on page 812
Monitoring Traffic for All Firewall Filters and Policers That Are
Configured on the Switch
Purpose Perform the following task to monitor the number of packets and bytes that matched
the firewall filters and monitor the number of packets that exceeded policer rate
limits:

Counters:
Name Bytes Packets
counter-employee-web 3348 27
Counters:
Name Bytes Packets
icmp-counter 4100 49
Policers:
Name Packets
What It Means The show firewall command displays the names of all firewall filters, policers, and
counters that are configured on the switch. The output fields show byte and packet
counts for counters and packet count for policers.
Monitoring Traffic for a Specific Firewall Filter

Purpose Perform the following task to monitor the number of packets and bytes that matched
a firewall filter and monitor the number of packets that exceeded the policer rate
limits.
user@switch> show firewall filter ingress-vlan-rogue-block

Counters:
Name Bytes Packets
rogue-counter 2308 20
Monitoring Firewall Filter Traffic ■ 811

What It Means The show firewall filter filter-name command displays the name of the firewall filter,
the packet and byte count for all counters configured with the filter, and the packet
count for all policers configured with the filter.
Monitoring Traffic for a Specific Policer

Purpose Perform the following task to monitor the number of packets that exceeded policer
rate limits:
user@switch> show policer tcp-connection-policer

Policers:
Name Packets
What It Means The show policer policer-name command displays the name of the firewall filter that
specifies the policer-action and displays the number of packets that exceeded rate
limits for the specified filter.
Related Topics
EX-series Switches
812 ■ Monitoring Traffic for a Specific Policer

Chapter 49
Troubleshooting Packet Filtering
■ Troubleshooting Firewall Filters on page 813
Troubleshooting Firewall Filters

1. Firewall Filter Configuration Returns a No Space Available in TCAM
Message on page 813
Firewall Filter Configuration Returns a No Space Available in TCAM Message

Problem When a firewall filter configuration exceeds the amount of available TCAM space,
the switch returns the following syslogd message:
No space available in tcam.

Rules for filter filter-name will not be installed.
The switch returns this message during the commit operation if the firewall filter
that has been applied to a port, VLAN, or Layer 3 interface exceeds the amount of
available TCAM space. However, the commit operation for the firewall filter
configuration is completed in the CLI module.
Solution When a firewall filter configuration exceeds the amount of available TCAM table
space, you must configure a new firewall filter with fewer filter terms so that the
space requirements for the filter do not exceed the available space in the TCAM table.
You can perform either of the following procedures to correct the problem:
To delete the firewall filter and its bind points and apply the new smaller firewall
filter to the same bind points:
1. Delete the firewall filter configuration and the bind points to ports, VLANs, or
Layer 3 interfaces—for example:
[edit]
user@switch# delete firewall family ethernet-switching filter
filter-ingress-vlan
user@switch# delete vlans voice-vlan description "filter to block rogue
devices on voice-vlan"
user@switch# delete vlans voice-vlan filter input mini-filter—ingress-vlan
2. Commit the operation:
Troubleshooting Firewall Filters ■ 813

[edit]
user@switch# commit
3. Configure a smaller filter with fewer terms that does not exceed the amount of
available TCAM space on the switch—for example:
[edit]
user@switch# set firewall family ethernet-switching filter
new—filter-ingress-vlan ...
4. Apply (bind) the new firewall filter to a port, VLAN , or Layer 3 interface—for
example:
[edit]
user@switch# set vlans voice-vlan description "filter to block rogue
devices on voice-vlan"
user@switch# set vlans voice-vlan filter input new-filter—ingress-vlan
[edit]
user@switch# commit
To apply a new firewall filter and overwrite the existing bind points:
1. Configure a firewall filter with fewer terms than the original filter:
[edit]
user@switch# set firewall family ethernet-switching filter
new-filter-ingress-vlan...
2. Apply the firewall filter to the port, VLAN, or Layer 3 interfaces to overwrite the
bind points of the original filter—for example:
[edit]
user@switch# set vlans voice-vlan description "smaller filter to block
rogue devices on voice-vlan"
user@switch# set vlans voice-vlan filter input new-filter-ingress-vlan
[edit]
user@switch# commit
Only the original bind points, and not the original firewall filter itself, are deleted.
814 ■ Firewall Filter Configuration Returns a No Space Available in TCAM Message

Chapter 49: Troubleshooting Packet Filtering
Related Topics
EX-series Switches


Chapter 50
Configuration Statements for Packet
Filtering
■ [edit firewall] Configuration Statement Hierarchy on page 817

■ Firewall Filter Configuration Statements Supported by JUNOS Software for
[edit firewall] Configuration Statement Hierarchy
firewall {
family family-name {
term term-name {
from {
match-conditions;
}
then {
action;
action-modifiers;
}
}
}
}
policer policer-name {
if-exceeding {
}
then {
policer-action;
}
}
}
[edit firewall] Configuration Statement Hierarchy ■ 817

Related Topics
EX-series Switches
Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series

Switches
You configure firewall filters to filter packets based on their components and to
perform an action on packets that match the filter.
Table 122 on page 818 lists the options that are supported for the firewall statement
in JUNOS Software for EX-series switches.
Table 122: Supported Options for Firewall Filter Statements
Statement and Option Description
family family-name { The family-name option specifies the version or type of

} addressing protocol:
■ bridge or ethernet–switching—Filter Layer 2 (Ethernet)
packets and Layer 3 (IP) packets
■ inet— Filter IPv4 packets
filter filter-name { The filter-name option identifies the filter. The name can
} contain letters, numbers, and hyphens (-) and can be up to
64 characters long. To include spaces in the name, enclose
the name in quotation marks (" " ).
term term-name { The term-name option identifies the term. The name can
the entire name in quotation marks (" " ). Each term name
must be unique within a filter.
from { The from statement is optional. If you omit it, all packets are
match-conditions; considered to match.
}
then { For information about the action and action-modifiers options,

action; see Firewall Filter Match Conditions and Actions for
action-modifiers; EX-series Switches.
}

Chapter 50: Configuration Statements for Packet Filtering
Table 122: Supported Options for Firewall Filter Statements (continued)
Statement and Option Description
policer policer-name { The policer-name option identifies the policer. The name can
the name in quotation marks (" " ).
if-exceeding { The bandwidth-limit bps option specifies the traffic rate in bits
bandwidth-limit bps per second (bps).
burst-size-limit bytes
} You can specify bps as a decimal value or as a decimal
number followed by one of the following abbreviations:
■ k (thousand)
■ m (million)
■ g (billion, which is also called a thousand million)
Range: 1000 (1k) through 102,300,000,000 (102.3g) bps
The burst-size-limit bytes option specifies the maximum allowed

burst size to control the amount of traffic bursting. To
determine the value for the burst-size limit, you can multiply
the bandwidth of the interface on which the filter is applied
by the amount of time to allow a burst of traffic at that
bandwidth to occur:
burst size = bandwidth * allowable time for burst traffic
You can specify a decimal value or a decimal number followed

by k (thousand) or m (million).
Range: 1 through 2,147,450,880 bytes
then { Use the policer-action option to specify discard to discard traffic

policer-action that exceeds the rate limits.
}
JUNOS software for EX-series switches does not support some of the firewall filter
statements that are supported by other JUNOS software packages. Table 123 on page
820 shows the firewall filter statements that are not supported by JUNOS Software
for EX-series switches.
Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches ■ 819
Table 123: Firewall Filter Statements That Are Not Supported byJUNOS Software for EX-series switches
Statements not supported Statement hierarchy level
■ interface-set interface-set-name { [edit firewall]

}
■ load-balance-group group-name {
}
■ three-color-policer name {
}
■ logical-interface-policer;
■ single-rate {
}
■ two-rate {
}
■ prefix-action name { [edit firewall family family-name]

}
■ prefix-policer {
}
■ service-filter filter-name {
}
■ simple-filter simple-filter-name {
}
■ accounting-profile name; [edit firewall family family-name filter filter-name]
■ interface-specific;
■ filter-specific; [edit firewall policer policer-name]
■ logical-bandwidth-policer;
■ logical-interface-policer;
bandwidth-percent number; [edit firewall policer policer-name if-exceeding]
820 ■ Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches
Related Topics
EX-series Switches
bandwidth-limit
Syntax bandwidth-limit bps;
Hierarchy Level [edit firewall policer policer-name if-exceeding]
Description Specify the traffic rate in bits per second.
Options bps—Traffic rate to be specified in bits per second. Specify bps as a decimal value
or as a decimal number followed by one of the following abbreviations:
■ k (thousand)
■ m (million)
■ g (billion, which is also called a thousand million)
Range: 1000 (1k) through 102,300,000,000 (102.3g) bps
Required Privilege Level firewall—To view this statement in the configuration.
firewall-control—To add this statement to the configuration.
Related Topics
EX-series Switches

burst-size-limit
Syntax burst-size-limit bytes;
Hierarchy Level [edit firewall policer policer-name if-exceeding]
Description Specify the maximum allowed burst size to control the amount of traffic bursting.
Options bytes—Decimal value or a decimal number followed by k (thousand) or m (million).

Range: 1 through 2,147,450,880 bytes
Related Topics
EX-series Switches
822 ■ burst-size-limit
family
Syntax family family-name {

term term-name {
from {
match-conditions;
}
then {
action;
action-modifiers;
}
}
}
}
Hierarchy Level [edit firewall]
Description Configure a firewall filter for IP version 4.
Options family-name—Version or type of addressing protocol:

■ bridge—Filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets.
■ ethernet-switching—Filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets.
■ inet—Filter IPv4 packets.

Related Topics
EX-series Switches
family ■ 823
filter
Syntax filter filter-name {

term term-name {
from {
match-conditions;
}
then {
action;
action-modifiers;
}
}
}
Hierarchy Level [edit firewall family family-name]
Description Configure firewall filters.
Options filter-name—Name that identifies the filter. The name can contain letters, numbers,
and hyphens (-), and can be up to 64 characters long. To include spaces in the
name, enclose it in quotation marks.
term-name—Name that identifies the term. The name can contain letters, numbers,
and hyphens (-), and can be up to 64 characters long. To include spaces in the
name, enclose it in quotation marks.
match-conditions—Conditions that define the values or fields that the incoming or

outgoing packets must contain for a match. You can specify one or more match
conditions. If you specify more than one, they all must match for a match to
occur.
action—Action to accept or discard packets that match all match conditions.
action-modifiers— Additional actions to analyze, classify, count, or police packets that

match all criteria.

Related Topics
EX-series Switches
824 ■ filter

filter
Hierarchy Level [edit interfaces ge-chassis/slot/port unit logical-unit-number family family-name]
Description Apply a firewall filter to traffic entering the port or Layer 3 interface or exiting the
Layer 3 interface.
Default All incoming traffic is accepted unmodified on the port or Layer 3 interface, and all
outgoing traffic is sent unmodified from the port or Layer 3 interface.
Options filter-name—Name of a firewall filter defined in the filter statement.

■ input—Apply a firewall filter to traffic entering the port or Layer 3 interface.
■ output—Apply a firewall filter to traffic exiting the Layer 3 interface.

Related Topics
EX-series Switches
■ JUNOS Network Interfaces Configuration Guide
filter ■ 825
from
Syntax from {
match-conditions;
}
Hierarchy Level [edit firewall family family-name filter filter-name term term-name]
Description Match packet fields to values specified in a match condition. If the from statement
is not included in a firewall filter configuration, all packets are considered to match
and the actions and action modifiers in the then statement are taken.
Options match-conditions—One or more conditions that the packet must match for the action
in the then statement to be taken.

Related Topics
EX-series Switches
826 ■ from
if-exceeding
Syntax if-exceeding {
}
Hierarchy Level [edit firewall policer policer-name]
Description Configure policer rate limits.

Related Topics
EX-series Switches
if-exceeding ■ 827
policer
Syntax policer policer-name {

if-exceeding {
}
then {
policer-action;
}
}
Hierarchy Level [edit firewall]
Description Configure policer rate limits and actions. To activate a policer, you must include the
policer action modifier in the then statement in a firewall filter term. Each policer
that you configure includes an implicit counter. To ensure term-specific packet counts,
you configure a policer for each term in the filter that requires policing.
Options policer-name—Name that identifies the policer. The name can contain letters, numbers,
hyphens (-), and can be up to 64 characters long.

Related Topics
EX-series Switches
828 ■ policer
term
Syntax term term-name {

from {
match-conditions;
}
then {
action;
action-modifiers;
}
}
Hierarchy Level [edit firewall family family-name filter filter-name]
Description Define a firewall filter term.
Options term-name—Name that identifies the term. The name can contain letters, numbers,
and hyphens (-), and can be up to 64 characters long.
match-conditions—Conditions that define the values or fields that the incoming or

outgoing packets must contain for a match. You can specify one or more match
conditions. If you specify more than one, they all must match for a match to
occur.
action—Action to accept or discard packets that match all match conditions.
action-modifiers—Additional actions to analyze, classify, count, or police packets that

match all criteria.

Related Topics
EX-series Switches
term ■ 829
then
Syntax [edit firewall family family-name filter filter-name term term-name]

then {
action;
action-modifiers;
}
Hierarchy Level [edit firewall family family-name filter filter-name term term-name]
Description Configure a filter action.
Options action—Actions to accept or discard packets that match all match conditions specified
in a filter term.
action-modifiers—Additional actions to analyze, classify, count, or police packets that

match all conditions specified in a filter term.

Related Topics
EX-series Switches
830 ■ then
then
Syntax [edit firewall policer policer-name]

then {
policer-action;
}
Hierarchy Level [edit firewall policer policer-name]
Description Configure a policer action.
Options policer-action—Allowed policer action is discard, which discards traffic that exceeds
the rate limits defined by the policer.

firewall -control—To add this statement to the configuration.
Related Topics
EX-series Switches
then ■ 831

Chapter 51
Operational Mode Commands for Packet
Filtering
■ 833
clear firewall
Syntax clear firewall

<all>
<counter counter-name>
<filter filter-name>
Description Clear statistics about configured firewall filters.
Options none—Clear the packet and byte counts for all firewall filter counters and clear the
packet counts for all policer counters.
all—(Optional) Clear the packet and byte counts for all firewall filter counters and
clear the packet counts for all policer counters.
counter counter-name—(Optional) Clear the packet and byte counts for the specified
firewall filter counter.
filter filter-name—(Optional) Clear the packet and byte counts for the specified firewall
filter.
Related Topics
EX-series Switches
clear firewall (all) user@host> clear firewall all
clear firewall (counter user@host> clear firewall counter port-filter-counter

counter-name)
clear firewall (filter user@host> clear firewall filter ingress-port-filter

filter-name)
834 ■ clear firewall

Chapter 51: Operational Mode Commands for Packet Filtering
show firewall
Syntax show firewall

<counter counter-name>
<filter filter-name>
Description Display statistics about configured firewall filters.
Options none—Display statistics about all configured firewall filters, counters, and policers.
counter counter-name—(Optional) Display statistics about a particular firewall filter

counter.
filter filter-name—(Optional) Display statistics about a particular firewall filter.
Related Topics
EX-series Switches
List of Sample Output show firewall on page 836

show firewall (filter filter-name) on page 836
show firewall (counter counter-name) on page 836
Output Fields Table 38 on page 1020 lists the output fields for the show firewall command. Output
Table 124: show firewall Output Fields
Filter Name of the filter that is configured with the filter statement at the [edit firewall] All levels
hierarchy level.
show firewall ■ 835

Table 124: show firewall Output Fields (continued)
Counters Display filter counter information: All levels

■ Name—Name of a filter counter that has been configured with the counter
firewall filter action
■ Bytes—Number of bytes that match the filter term where the counter
action was specified.
■ Packets—Number of packets that matched the filter term where the
counter action was specified.
Policers Display policer information: All levels

■ Name—Name of policer.
■ Packets—Number of packets that matched the filter term where the policer
action was specified. This is the number of packets that exceed the rate
limits that the policer specifies.
show firewall user@host> show firewall

Filter: egress-vlan-filter
Counters:
Name Bytes Packets
employee-web-counter 0 0
Counters:
Name Bytes Packets
ingress-port-counter 0 0
Filter: ingress-port-voip-class-filter
Counters:
Name Bytes Packets
icmp-counter 0 0
Policers:
Name Packets
show firewall (filter user@host> show firewall filter egress-vlan-filter

filter-name) Filter: egress-vlan-filter
Counters:
Name Bytes Packets
employee-web-counter 0 0
show firewall (counter user@host> show firewall counter icmp-counter

counter-name) Filter: ingress-port-voip-class-filter
Counters:
Name Bytes Packets
icmp-counter 0 0

show interfaces filters
Syntax show interfaces filters

<interface-name>
Description Display firewall filters that are configured on each interface in a system.
Options none—Display firewall filter information about all interfaces.
interface-name—(Optional) Display firewall filter information about a particular

interface: ge-fpc/pic/port.
Related Topics
■ show interfaces policers
■ show firewall
List of Sample Output show interfaces filters on page 837

show interfaces filters <interface-name> on page 838
Output Fields Table 38 on page 1020 lists the output fields for the show interfaces filters command.
Table 125: show interfaces filters Output Fields
Interface Name of the physical interface. All levels
Admin Interface state: up or down. All levels
Link Link state: up or down. All levels
Proto Protocol that is configured on the interface. All levels
Input Filter Name of the firewall filter to be evaluated when packers are received on the All levels
interface.
Output Filter Name of the firewall filter to be evaluated when packets are transmitted on All levels
the interface.
show interfaces filters user@host> show interfaces filters

Interface Admin Link Proto Input Filter Output Filter
ge-0/0/0 up down
ge-0/0/0.0 up down eth-switch unknown
ge-0/0/1 up down
show interfaces filters ■ 837


ge-0/0/2 up down
ge-0/0/3 up down
ge-0/0/4 up down
ge-0/0/5 up down
ge-0/0/6 up down
ge-0/0/7 up down
ge-0/0/8 up down
ge-0/0/9 up down
ge-0/0/10 up down
ge-0/0/10.0 up down
show interfaces filters user@host> show interfaces filters ge-0/0/0

<interface-name> Interface Admin Link Proto Input Filter Output Filter
ge-0/0/0 up down

show interfaces policers
Syntax show interfaces policers

<interface-name>
Release Information Command introduced before JUNOS Release 9.0 for EX-series switches.
Description Display all policers that are configured on each interface in a system.
Options none—Display policer information about all interfaces.
interface-name—(Optional) display firewall filters information about a particular

interface.
Related Topics
■ show interfaces filters
■ show policer
List of Sample Output show interfaces policers on page 839

show interfaces policers on page 840
show interfaces policers ( interface-name) on page 840
Output Fields Table 38 on page 1020 lists the output fields for the show interfaces policers command.
Table 126: show interfaces policers Output Fields
Interface Name of the interface. All levels
Admin Interface state: up or down. All levels
Link Link state: up or down. All levels
Proto Protocol configured on the interface. All levels
Input Policer Policer to be evaluated when packets are received on the interface. It has the All levels
format interface-name-in-policer.
Output Policer Policer to be evaluated when packets are transmitted on the interface. It has All levels
the format interface-name-out-policer.
show interfaces policers user@host> show interfaces policers

Interface Admin Link Proto Input Policer Output Policer
ge-0/0/0 up down
show interfaces policers ■ 839

ge-0/0/0.0 up down
eth-switch

ge-0/0/1 up down
ge-0/0/1.0 up down
eth-switch
ge-0/0/2 up down
ge-0/0/3 up down
ge-0/0/4 up down
ge-0/0/5 up down
ge-0/0/6 up down
ge-0/0/7 up down
ge-0/0/8 up down
ge-0/0/9 up down
ge-0/0/10 up down
ge-0/0/10.0 up down
eth-switch
show interfaces policers user@host> show interfaces policers

ge-0/0/0 up down
ge-0/0/0.0 up down
eth-switch

ge-0/0/1 up down
ge-0/0/1.0 up down
eth-switch
ge-0/0/2 up down
ge-0/0/3 up down
ge-0/0/4 up down
ge-0/0/5 up down
ge-0/0/6 up down
ge-0/0/7 up down
ge-0/0/8 up down
ge-0/0/9 up down
ge-0/0/10 up down
ge-0/0/10.0 up down
eth-switch
show interfaces policers user@host> show interfaces policers ge-0/0/1

( interface-name) Interface Admin Link Proto Input Policer Output Policer
ge-0/0/0 up down
ge-0/0/0.0 up down
eth-switch

show policer
Syntax show policer

<policer-name>
Description Display statistics about configured policers.
Options none—Display the count of policed packets for all configured policers in the system.
policer-name—(Optional) Display the count of policed packets for the specified policer.
Related Topics
EX-series Switches
List of Sample Output show policer on page 841

show policer (policer-name) on page 842
Output Fields Table 38 on page 1020 lists the output fields for the show policer command. Output
Table 127: show policer Output Fields
Filter Name of filter that is configured with the filter statement at the [edit firewall] All levels
hierarchy level.
Policers Display policer information: All levels

■ Filter—Name of filter that specifies the policer action.
■ Name—Name of policer.
■ Packets—Number of packets that matched the filter term where the policer
action is specified. This is the number of packets that exceed the rate
limits that the policer specifies.
show policer user@host> show policer
show policer ■ 841

Filter: egress-vlan-filter
Policers:
Name Packets
show policer user@host> show policer tcp-connection-policer

(policer-name) Filter: ingress-port-filter
Policers:
Name Packets

Part 13
CoS
■ Understanding CoS on page 845
■ Examples of Configuring CoS on page 863
■ Configuring CoS on page 881
■ Verifying CoS on page 901
■ Configuration Statements for CoS on page 909
■ Operational Mode Commands for CoS on page 937
CoS ■ 843
844 ■ CoS
Chapter 52
Understanding CoS
■ JUNOS CoS for EX-series Switches Overview on page 845

■ Understanding JUNOS CoS Components for EX-series Switches on page 847
■ Understanding CoS Code-Point Aliases on page 850
■ Understanding CoS Classifiers on page 852
■ Understanding CoS Forwarding Classes on page 854
■ Understanding CoS Tail Drop Profiles on page 856
■ Understanding CoS Schedulers on page 857
■ Understanding CoS Two-Color Marking on page 859
■ Understanding CoS Rewrite Rules on page 860
JUNOS CoS for EX-series Switches Overview

When a network experiences congestion and delay, some packets must be dropped.
JUNOS Class of Service (CoS) divides traffic into classes to which you can apply
different levels of throughput and packet loss when congestion occurs. This allows
packet loss to happen according to rules that you configure.
CoS provides multiple classes of service for different applications. You can configure
multiple forwarding classes for transmitting packets, define which packets are placed
into each output queue, and schedule the transmission service level for each queue.
In designing CoS applications, you must give careful consideration to your service
needs, and you must thoroughly plan and design CoS configuration to ensure
consistency and interoperability across all platforms in a CoS domain.
Because EX-series switches implement CoS in hardware rather than in software, you
can experiment with and deploy CoS features without affecting packet forwarding
and switching performance.
■ How JUNOS CoS Works on page 846
■ Default CoS Behavior on EX-series Switches on page 846
JUNOS CoS for EX-series Switches Overview ■ 845

How JUNOS CoS Works

JUNOS CoS works by examining traffic entering at the edge of your network. The
access switches classify traffic into defined service groups, to provide the special
treatment of traffic across the network. For example, voice traffic can be sent across
certain links, and data traffic can use other links. In addition, the data traffic streams
can be serviced differently along the network path to ensure that higher-paying
customers receive better service. As the traffic leaves the network at the far edge,
you can reclassify the traffic to meet the policies of the targeted peer.
To support CoS, you must configure each switch in the network. Generally, each
switch examines the packets that enter it to determine their CoS settings. These
settings then dictate which packets are transmitted first to the next downstream
switch. Switches at the edges of the network might be required to alter the CoS
settings of the packets that enter the network to classify the packet into the
appropriate service group.
Figure 44 on page 846 represents the network scenario of an enterprise. Switch A is

receiving traffic from various network nodes such as desktop computers, servers,
surveillance cameras, and VoIP telephones. As each packet enters, Switch A examines
the packet’s CoS settings and classifies the traffic into one of the groupings defined
by the enterprise. This definition allows Switch A to prioritize resources for servicing
the traffic streams it receives. Switch A might alter the CoS settings of the packets
to better match the enterprises’s traffic groups.
When Switch B receives the packets, it examines the CoS settings, determines the
appropriate traffic group, and processes the packet according to those settings. It
then transmits the packets to Switch C, which performs the same actions. Switch D
also examines the packets and determines the appropriate group. Because Switch
D sits at the far end of the network, it might alter the CoS settings of the packets
before transmitting them.
Figure 44: Packet Flow Across the Network
Default CoS Behavior on EX-series Switches

If you do not configure any CoS settings on your switch, the software performs some
CoS functions to ensure that user traffic and protocol packets are forwarded with
minimum delay when the network is experiencing congestion. Some default mappings
are automatically applied to each logical interface that you configure. Other default
846 ■ How JUNOS CoS Works

Chapter 52: Understanding CoS
mappings, such as explicit default classifiers and rewrite rules, are in operation only
if you explicitly associate them with an interface.
Related Topics
■ Understanding JUNOS CoS Components for EX-series Switches
Understanding JUNOS CoS Components for EX-series Switches

This topic describes the JUNOS CoS components for EX-series switches:
■ Code-Point Aliases on page 847
■ Policers on page 847
■ Classifiers on page 847
■ Forwarding Classes on page 848
■ Tail Drop Profiles on page 848
■ Schedulers on page 848
■ Rewrite Rules on page 849
Code-Point Aliases
A code-point alias assigns a name to a pattern of code-point bits. You can use this
name instead of the bit pattern when you configure other CoS components such as
classifiers, drop-profile maps, and rewrite rules.
Policers
Policers limit traffic of a certain class to a specified bandwidth and burst size. Packets
exceeding the policer limits can be discarded. You define policers with filters that
can be associated with input interfaces.
For more information about policers, see Understanding the Use of Policers in Firewall
Filters.
NOTE: You can configure policers to discard packets that exceed the rate limits. If
you want to configure CoS parameters such as loss-priority and forwarding-class, you
must use firewall filters.
Classifiers
Packet classification associates incoming packets with a particular CoS servicing
level. In JUNOS software, classifiers associate packets with a forwarding class and

loss priority and, based on the associated forwarding class, assign packets to output
queues. JUNOS software supports two general types of classifiers:
■ Behavior aggregate or CoS value traffic classifiers—Examines the CoS value in
the packet header. The value in this single field determines the CoS settings
applied to the packet. BA classifiers allow you to set the forwarding class and
loss priority of a packet based on the Differentiated Services code point (DSCP)
value, IP precedence value, and IEEE 802.1p value. The default classifier is based
on the DSCP value.
■ Multifield traffic classifiers—Examines multiple fields in the packet such as source
and destination addresses and source and destination port numbers of the packet.
With multifield classifiers, you set the forwarding class and loss priority of a
packet based on firewall filter rules.
Forwarding Classes
Forwarding classes group the packets for transmission. Based on forwarding classes,
you assign packets to output queues. Forwarding classes affect the forwarding,
scheduling, and marking policies applied to packets as they transit a switching
platform. By default, four categories of forwarding classes are defined: best effort,
assured forwarding, expedited forwarding, and network control. For EX-series
switches, 16 forwarding classes are supported, providing granular classification
capability.
Tail Drop Profiles

Drop profile is a mechanism that defines parameters that allow packets to be dropped
from the network. Drop profiles define the meanings of the loss priorities. When you
configure drop profiles you are essentially setting the value for queue fullness. The
queue fullness represents a percentage of the queue used to store packets in relation
to the total amount that has been allocated for that specific queue.
Loss priorities set the priority of dropping a packet. Loss priority affects the scheduling
of a packet without affecting the packet’s relative ordering. You can use the loss
priority setting to identify packets that have experienced congestion. Typically you
mark packets exceeding some service level with a high loss priority.
Schedulers
Each switch interface has multiple queues assigned to store packets. The switch
determines which queue to service based on a particular method of scheduling. This
process often involves determining which type of packet should be transmitted before
another. You can define the priority, bandwidth, delay buffer size, and tail drop
profiles to be applied to a particular queue for packet transmission.
Scheduler map associates a specified forwarding class with a scheduler configuration.

You can associate up to four user-defined scheduler maps with the interfaces.
848 ■ Forwarding Classes

Rewrite Rules
A rewrite rule sets the appropriate CoS bits in the outgoing packet thus allowing the
next downstream device to classify the packet into the appropriate service group.
Rewriting, or marking, outbound packets is useful when the switch is at the border
of a network and must alter the CoS values to meet the policies of the targeted peer.
NOTE: Rewrite rules are applied when the packets are routed. Rewrite rules are not
applied when the packets are forwarded.
Egress VLAN firewall filters can also assign forwarding class and loss priority so that
the packets are rewritten based on forwarding class and loss priority.
Related Topics
■ Understanding CoS Code-Point Aliases
■ Understanding CoS Classifiers
■ Understanding CoS Forwarding Classes
■ Understanding CoS Tail Drop Profiles
■ Understanding CoS Schedulers
■ Understanding CoS Two-Color Marking
■ Understanding CoS Rewrite Rules
Rewrite Rules ■ 849

Understanding CoS Code-Point Aliases

A code-point alias assigns a name to a pattern of code-point bits. You can use this
name instead of the bit pattern when you configure other CoS components such as
classifiers, drop-profile maps, and rewrite rules.
Behavior aggregate classifiers use class-of-service (CoS) values such as Differentiated

Services code points (DSCPs), IP precedence, and IEEE 802.1 bits to associate
incoming packets with a particular CoS servicing level. On a switch, you can assign
a meaningful name or alias to the CoS values and use this alias instead of bits when
configuring CoS components. These aliases are not part of the specifications but are
well known through usage. For example, the alias for DSCP 101110 is widely accepted
as ef (expedited forwarding).
When you configure classes and define classifiers, you can refer to the markers by
alias names. You can configure user-defined classifiers in terms of alias names. If
the value of an alias changes, it alters the behavior of any classifier that references
it.
You can configure code-point aliases for the following type of CoS markers :
■ dscp—Handles incoming IPv4 packets.
■ ieee-802.1—Handles Layer 2 CoS.
■ inet-precedence—Handles incoming IPv4 packets. IP precedence mapping
requires only the upper three bits of the DSCP field.
■ Default Code-Point Aliases on page 850

Default Code-Point Aliases

Table 128 on page 850 shows the default mappings between the bit values and
standard aliases.
Table 128: Default Code-Point Aliases
CoS Value Types Mapping
DSCP CoS Values
ef 101110
af11 001010
af12 001100
af13 001110
af21 010010
af22 010100
850 ■ Understanding CoS Code-Point Aliases

Table 128: Default Code-Point Aliases (continued)
af23 010110
af31 011010
af32 011100
af33 011110
af41 100010
af42 100100
af43 100110
be 000000
cs1 001000
cs2 010000
cs3 011000
cs4 100000
cs5 101000
nc1/cs6 110000
nc2/cs7 111000
IEEE 802.1p CoS Values
be 000
be1 001
ef 010
ef1 011
af11 100
af12 101
nc1/cs6 110
nc2/cs7 111
Legacy IP Precedence CoS Values
be 000
be1 001
Default Code-Point Aliases ■ 851

Table 128: Default Code-Point Aliases (continued)
ef 010
ef1 011
af11 100
af12 101
nc1/cs6 110
nc2/cs7 111
Related Topics
■ Configuring CoS Code-Point Aliases (CLI Procedure)
■ Defining CoS Value Aliases (J-Web Procedure)
Understanding CoS Classifiers

level. Classifiers associate packets with a forwarding class and loss priority and, based
on the associated forwarding class, assign packets to output queues. There are two
general types of classifiers:
■ Behavior aggregate (BA) classifiers
■ Multifield (MF) classifiers
For a specified interface, you can configure both an MF classifier and a BA classifier
without conflicts. In such cases, BA classification is performed first, followed by MF
classification. In case of conflict, MF classifier overrides a BA classification result.
NOTE: When a Layer 2 (L2) frame is learned, the frame is always sent out on Queue
0 while egressing from the network interface, irrespective of the classifier applied to
the ingress interface.
■ Behavior Aggregate Classifiers on page 853

■ Multifield Classifiers on page 854

Behavior Aggregate Classifiers

The behavior aggregate classifier maps a class-of-service (CoS) value to a forwarding
class and loss priority. The forwarding class determines the output queue. The loss
priority is used by schedulers to control packet discard during periods of congestion.
There are three types of BA classifiers:

■ Differentiated Services code point (DSCP) for IP DiffServ
■ IP precedence bits
■ IEEE 802.1p CoS bits
BA classifiers are based on fixed-length fields, which makes them computationally

more efficient than MF classifiers. Therefore core devices, which handle high traffic
volumes, are normally configured to perform BA classification.
In most cases, you need to rewrite a given marker (IP precedence, DSCP, or IEEE
802.1p) at the ingress node to accommodate BA classification by core and egress
devices.
NOTE: Although you can configure many classifiers, you can apply only one classifier
on the switch. Whenever you apply a new classifier, you must explicitly remove the
currently applied classifier and then apply the new classifier.
Default Behavior Aggregate Classification

JUNOS software automatically assigns implicit default classifiers to all logical interfaces
based on the type of interface. Table 129 on page 853 lists different types of interfaces
and the corresponding implicit default classifiers.
Table 129: Default BA Classification
Type of Interface Default BA Classification
Trunk interface ieee8021p-default
Layer 3 interface dscp-default
Access interface Untrusted
When you explicitly associate a classifier with a logical interface, you are in effect
overriding the implicit default classifier with an explicit classifier.
NOTE: By default, all BA classifiers classify traffic into either best-effort forwarding
class or network-control forwarding class.
Behavior Aggregate Classifiers ■ 853

Multifield Classifiers
Multifield classifiers examine multiple fields in the packet such as source and
destination addresses and source and destination port numbers of the packet. With
MF classifiers, you set the forwarding class and loss priority of a packet based on
firewall filter rules.
MF classification is normally performed at the network edge because of the general

lack of DiffServ Code Point (DSCP) or IP precedence support in end-user applications.
On an edge switch, an MF classifier provides the filtering functionality that scans
through a variety of packet fields to determine the forwarding class for a packet.
Typically, a classifier performs matching operations on the selected fields against a
configured value.
Related Topics
■ Configuring CoS Classifiers (CLI Procedure)
Understanding CoS Forwarding Classes

It is helpful to think of forwarding classes as output queues. In effect, the end result
of classification is the identification of an output queue for a particular packet. For
a classifier to assign an output queue to each packet, it must associate the packet
with one of the following forwarding classes:
■ Expedited forwarding (EF)—Provides a low loss, low latency, low jitter, assured
bandwidth, end-to-end service.
■ Assured forwarding (AF)—Provides a group of values you can define and includes
four subclasses: AF1, AF2, AF3, and AF4, each with three drop probabilities: low
and high.
■ Best effort (BE)—Provides no service profile. Loss priority is typically not carried
in a class-of-service (CoS) value.
■ Network control (NC)—This class is typically high priority because it supports
protocol control.
EX-series switches support up to 16 forwarding classes, thus allowing granular packet

classification. For example, you can configure multiple classes of EF traffic such as
EF, EF1, and EF2.
EX-series switches support up to eight output queues. Therefore, if you configure

more than eight forwarding classes, you must map multiple forwarding classes to
single output queues.
■ Default Forwarding Classes on page 855
854 ■ Multifield Classifiers

Default Forwarding Classes

Table 130 on page 855 shows the four forwarding classes defined by default.
If desired, you can rename the forwarding classes associated with the queues
supported on your switch. Assigning a new class name to an output queue does not
alter the default classification or scheduling that is applicable to that queue. CoS
configurations can be quite complicated, so unless it is required by your scenario,
we recommend that you not alter the default class names or queue number
associations.
Table 130: Default Forwarding Classes
Forwarding Class Name Comments
best-effort (be) The software does not apply any special CoS handling to packets with 000000 in
the DiffServ field. This is a backward compatibility feature. These packets are usually
dropped under congested network conditions.
expedited-forwarding (ef) The software delivers assured bandwidth, low loss, low delay, and low delay variation
(jitter) end-to-end for packets in this service class. Software accepts excess traffic in
this class, but in contrast to assured forwarding class, out-of-profile
expedited-forwarding class packets can be forwarded out of sequence or dropped.
assured-forwarding (af) The software offers a high level of assurance that the packets are delivered as long
as the packet flow from the customer stays within a certain service profile that you
define.
The software accepts excess traffic, but applies a tail drop profile to determine if the
excess packets are dropped and not forwarded.
Up to four drop probabilities (low and high) are defined for this service class.
network-control (nc) The software delivers packets in this service class with a high priority. (These packets
are not delay-sensitive.)
Typically, these packets represent routing protocol hello or keepalive messages.

Because loss of these packets jeopardizes proper network operation, packet delay
is preferable to packet discard.
The following rules govern queue assignment:

■ If classifiers fail to classify a packet, the packet always receives the default
classification to the class associated with queue 0.
■ CoS configurations that specify more queues than the switch can support are
not accepted. The commit fails with a detailed message that states the total
number of queues available.
■ All default CoS configurations are based on queue number. The name of the
forwarding class that shows up when the default configuration is displayed is
the forwarding class currently associated with that queue.
Default Forwarding Classes ■ 855

Related Topics
Understanding CoS Tail Drop Profiles

Tail drop profile is a congestion management mechanism that allows switch to drop
arriving packets when queue buffers become full or begin to overflow.
Tail drop profiles define the meanings of the loss priorities. When you configure tail
drop profiles you are essentially setting the value for queue fullness. The queue
fullness represents a percentage of the memory used to store packets in relation to
the total amount that has been allocated for that specific queue.
The queue fullness defines the delay-buffer bandwidth, which provides packet buffer
space to absorb burst traffic up to the specified duration of delay. Once the specified
delay buffer becomes full, packets with 100 percent drop probability are dropped
from the tail of the buffer.
On EX-series switches, drop-probability is implicitly set to 100% and it cannot be

modified.
You specify drop probabilities in the drop profile section of the CoS configuration
hierarchy and reference them in each scheduler configuration. You can configure a
maximum of 32 different drop profiles.
■ Default Drop Profile on page 856
Default Drop Profile

By default, if you do not configure any drop profile, tail drop profile is in effect and
functions as the primary mechanism for managing congestion. In the default tail
drop profile, when the fill level is 0 percent, the drop probability is 0 percent. When
the fill level is 100 percent, the drop probability is 100 percent.
Related Topics

Understanding CoS Schedulers

You use schedulers to define the properties of output queues. These properties include
the amount of interface bandwidth assigned to the queue, the size of the memory
buffer allocated for storing packets, the priority of the queue, and the drop profiles
associated with the queue.
You associate the schedulers with forwarding classes by means of scheduler maps.
You can then associate each scheduler map with an interface, thereby configuring
the queues, packet schedulers, and tail drop processes that operate according to this
mapping.
■ Default Schedulers on page 857
■ Transmission Rate on page 857
■ Scheduler Buffer Size on page 858
■ Priority Scheduling on page 858
■ Scheduler Drop-Profile Maps on page 859
■ Scheduler Maps on page 859
Default Schedulers
Each forwarding class has an associated scheduler priority. Only two forwarding
classes, best-effort and network-control (queue 0 and queue 7), are used in the default
scheduler configuration.
By default, the best-effort forwarding class (queue 0) receives 95 percent of the

bandwidth and buffer space for the output link, and the network-control forwarding
class (queue 7) receives 5 percent. The default drop profile causes the buffer to fill
completely and then to discard all incoming packets until it has space.
The expedited-forwarding and assured-forwarding classes have no schedulers because,

by default, no resources are assigned to queue 5 and queue 1. However, you can
manually configure resources for the expedited-forwarding and assured-forwarding
classes.
Also by default, each queue can exceed the assigned bandwidth if additional
bandwidth is available from other queues. When a forwarding class does not fully
use the allocated transmission bandwidth, the remaining bandwidth can be used by
other forwarding classes if they receive a larger amount of offered load than their
allocated bandwidth allows.
Transmission Rate
The transmission-rate control determines the actual traffic bandwidth from each
forwarding class you configure. The rate is specified in bits per second. Each queue
is allocated some portion of the bandwidth of the outgoing interface.
Understanding CoS Schedulers ■ 857

This bandwidth amount can be a fixed value, such as 1 megabit per second (Mbps),
a percentage of the total available bandwidth, or the rest of the available bandwidth.
You can allow transmission bandwidth to exceed the configured rate if additional
bandwidth is available from other queues. In case of congestion, configured amount
of transmission rate is guaranteed for the queue. This property allows you to ensure
that each queue receives the amount of bandwidth appropriate to its level of service.
Scheduler Buffer Size

To control congestion at the output stage, you can configure the delay-buffer
bandwidth. The delay-buffer bandwidth provides packet buffer space to absorb burst
traffic up to the specified duration of delay. Once the specified delay buffer becomes
full, packets with 100 percent drop probability are dropped from the tail of the buffer.
The default scheduler transmission rate for queues 0 through 7 are 95, 0, 0, 0, 0, 0,
0, and 5 percent of the total available bandwidth. The default buffer-size percentages
for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent of the total available
buffer.
For each scheduler, you can configure the buffer size as one of the following:
■ A percentage of the total buffer.
■ The remaining buffer available. The remainder is the buffer percentage that is
not assigned to other queues. For example, if you assign 40 percent of the delay
buffer to queue 0, allow queue 7 to keep the default allotment of 5 percent, and
assign the remainder to queue 3, then queue 3 uses approximately 55 percent
of the delay buffer.
Priority Scheduling
Priority scheduling determines the order in which an output interface transmits traffic
from the queues, thus ensuring that queues containing important traffic are provided
better access to the outgoing interface.
Priority scheduling is accomplished through a procedure in which the scheduler

examines the priority of the queue. JUNOS software supports two levels of
transmission priority:
■ Low—The scheduler determines if the individual queue is within its defined
bandwidth profile. This binary decision, which is reevaluated on a regular time
cycle, compares the amount of data transmitted by the queue against the amount
of bandwidth allocated to it by the scheduler. When the transmitted amount is
less than the allocated amount, the queue is considered to be in profile. A queue
is out of profile when its transmitted amount is larger than its allocated amount.
Out of profile queue will be transmitted only if bandwidth is available. Otherwise,
it will be buffered.
A queue from the set is selected based on the shaped deficit weighted round
robin (SDWRR) algorithm, which operates within the set.
■ Strict-high—Strict-high priority queue receives preferential treatment over low
priority queue. Unlimited bandwidth is assigned to strict-high priority queue.
858 ■ Scheduler Buffer Size

Queues are scheduled according to the queue number, starting with the highest
queue 7, with decreasing priority down through queue 0. Traffic in higher queue
numbers is always scheduled prior to traffic in lower queue numbers. In other
words, in case of two high priority queues, the queue with higher queue number
is processed first.
Packets in low priority queues are transmitted only when strict-high priority queues
are empty.
Scheduler Drop-Profile Maps

Drop-profile maps associate drop profiles with a scheduler. Drop-profile map sets
the drop profile for a specific packet loss priority (PLP) and protocol type. The inputs
for the drop-profile map are the PLP and the protocol type. The output is the drop
profile.
Scheduler Maps
A scheduler map associates a specified forwarding class with a scheduler
configuration. After configuring a scheduler, you must include it in a scheduler map
and then associate the scheduler map with an output interface.
EX-series switches allow you to associate up to four user-defined scheduler maps

with interfaces.
Related Topics
■ Configuring CoS Schedulers (CLI Procedure)
■ Defining Schedulers (J-Web Procedure)
Understanding CoS Two-Color Marking

Networks police traffic by limiting the input or output transmission rate of a class of
traffic on the basis of user-defined criteria. Policing traffic allows you to control the
maximum rate of traffic sent or received on an interface and to partition a network
into multiple priority levels or classes of service.
Policers require you to apply limits to the traffic flow and set a consequence for
packets that exceed these limits—usually a higher loss priority, so that packets
exceeding the policer limits are discarded first.
EX-series switches support a single-rate two-color marking type of policer, which is

a simplified version of Single-Rate-Three-Color marking, defined in RFC 2697, A
Single Rate Three Color Marker. This type of policer meters traffic based on the
configured committed information rate (CIR) and committed burst size (CBS).
Scheduler Drop-Profile Maps ■ 859

The single-rate two-color marker meters traffic and marks incoming packets
depending on whether they are smaller than the committed burst size (CBS)—marked
green—or exceed it— marked red.
The single-rate two-color marking policer operates in color-blind mode. In this mode,
the policer's actions are not affected by any previous marking or metering of the
examined packets. In other words, the policer is “blind” to any previous coloring a
packet might have had.
Related Topics
Understanding CoS Rewrite Rules

As packets enter or exit a network, edge switches might be required to alter the
class-of-service (CoS) settings of the packets. Rewrite rules set the value of the CoS
bits within the packet’s header. Each rewrite rule reads the current forwarding class
and loss priority associated with the packet, locates the chosen CoS value from a
table, and writes this CoS value into the packet header.
In effect, the rewrite rule performs the opposite function of the behavior aggregate
(BA) classifier used when the packet enters the switch. As the packet leaves the
switch, the final CoS action is generally the application of a rewrite rule.
You configure rewrite rules to alter CoS values in outgoing packets on the outbound
interfaces of an edge switch to meet the policies of a targeted peer. This allows the
downstream switch in a neighboring network to classify each packet into the
NOTE: When an IP precedence rewrite rule is active, bits 3,4, and 5 of the ToS byte
are always reset to zero when code-points are rewritten.
■ Default Rewrite Rule on page 860

Default Rewrite Rule

By default, rewrite rules are applied to routed packets and are not applied to forwarded
packets. If you want to apply a rewrite rule, you can either configure your own rule
and apply it to an interface or apply a default rewrite rule.
Table 131 on page 861 shows the default rewrite rule mappings. These are based on
the default bit definitions of DSCP, IEEE 802.1p, and IP precedence values and the
default forwarding classes.

When the CoS values of a packet match the forwarding class and packet loss priority
(PLP) values, the switch rewrites markings on the packet based on rewrite-rule table.
Table 131: Default Packet Header Rewrite Mappings
Map from Forwarding Class PLP Value Map to DSCP/IEEE/IP
expedited-forwarding low ef
expedited-forwarding high ef
assured-forwarding low af11
assured-forwarding high af12 (DSCP)
best-effort low be
best-effort high be
network-control low nc1/cs6
network-control highe nc2/cs7
Related Topics
■ Configuring CoS Rewrite Rules (CLI Procedure)
■ Defining Rewrite Rules (J-Web Procedure)


Chapter 53
Examples of Configuring CoS
■ Example: Configuring CoS on EX-series Switches on page 863
Example: Configuring CoS on EX-series Switches

Configure class of service (CoS) on your switch to manage traffic so that when the
network experiences congestion and delay, critical applications are protected. Using
CoS, you can divide traffic on your switch into classes and provide various levels of
throughput and packet loss. This is especially important for traffic that is sensitive
to jitter and delay, such as voice traffic.
This example shows how to configure CoS on a single EX-series switch in the network.
Requirements
■ One Juniper Networks EX-series 3200 switch

This example uses the topology shown in Figure 45 on page 864.
Example: Configuring CoS on EX-series Switches ■ 863

Figure 45: Topology for Configuring CoS
The topology for this configuration example consists of one EX-series switch at the
access layer.
The EX-series access switch is configured to support VLAN membership. Switch ports
ge-0/0/0and ge-0/0/1 are assigned to the voice-vlan for two VoIP phones. Switch
port ge-0/0/2 is assigned to the camera-vlan for the surveillance camera. Switch ports
ge-0/0/3, ge-0/0/4, ge-0/0/5, and ge-0/0/6 are assigned to the server-vlan for the
servers hosting various applications such as those provided by Citrix, Microsoft,
Oracle, and SAP.
Table 132 on page 865 shows the VLAN configuration components.

Chapter 53: Examples of Configuring CoS
Table 132: Configuration Components: VLANs

IP Addresses
voice-vlan 10 192.168.1.0/32 Voice VLAN used for

192.168.1.1 through employee VoIP
192.168.1.11 communication.
192.168.1.12 is the subnet’s

broadcast address.
camera-vlan 20 192.168.1.13/32 VLAN for the surveillance

192.168.1.14 through cameras.
192.168.1.20

broadcast address.
server-vlan 30 192.168.1.22/32 VLAN for the servers hosting

192.168.1.23 through enterprise applications.
192.168.1.35

broadcast address.
Ports on the EX-series switches support Power over Ethernet (PoE) to provide both
network connectivity and power for VoIP telephones connecting to the ports.
Table 133 on page 865 shows the switch interfaces that are assigned to the VLANs
and the IP addresses for devices connected to the switch ports:
Table 133: Configuration Components: Switch Ports on a 48-Port All-PoE Switch
Interfaces VLAN Membership IP Addresses Port Devices
ge-0/0/0, ge-0/0/1 voice-vlan 192.168.1.1 through Two VoIP telephones.

192.168.1.2
ge-0/0/2 camera-vlan 192.168.1.14 Surveillance camera.
ge-0/0/3, ge-0/0/4, ge-0/0/5, sevrer-vlan 192.168.1.23 through Four servers hosting

ge-0/0/6 192.168.1.26 applications such as those
provided by Citrix, Microsoft,
Oracle, and SAP.

NOTE: This example shows how to configure CoS on a single EX-series switch. This
example does not consider across-the-network applications of CoS in which you
might implement different configurations on ingress and egress switches to provide
differentiated treatment to different classes across a set of nodes in a network.
Configuration
CLI Quick Configuration To quickly configure CoS, copy the following commands and paste them into the
switch terminal window:
[edit]
set class-of-service forwarding-classes class app queue-num 5
set class-of-service forwarding-classes class mail queue-num 1
set class-of-service forwarding-classes class db queue-num 2
set class-of-service forwarding-classes class erp queue-num 3
set class-of-service forwarding-classes class video queue-num 4
set class-of-service forwarding-classes class best-effort queue-num 0
set class-of-service forwarding-classes class voice queue-num 6
set class-of-service forwarding-classes class network-control queue-num 7
set firewall family ethernet-switching filter voip_class term voip from
set firewall family ethernet-switching filter voip_class term voip from
set firewall family ethernet-switching filter voip_class term voip from protocol
udp
set firewall family ethernet-switching filter voip_class term voip from source-port
2698
set firewall family ethernet-switching filter voip_class term voip then
forwarding-class voice loss-priority low
set firewall family ethernet-switching filter voip_class term network_control
from precedence [net-control internet-control]
set firewall family ethernet-switching filter voip_class term network_control
then forwarding-class network-control loss-priority low
set firewall family ethernet-switching filter voip_class term best_effort_traffic
then forwarding-class best-effort loss-priority low
set interfaces ge-0/0/0 description phone1–voip-ingress-port
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input voip_class
set interfaces ge-0/0/1 description phone2–voip-ingress-port
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input voip_class
set firewall family ethernet-switching filter video_class term video from
set firewall family ethernet-switching filter video_class term video from protocol
udp
set firewall family ethernet-switching filter video_class term video from
source-port 2979
set firewall family ethernet-switching filter video_class term video then
forwarding-class video loss-priority low
866 ■
set firewall family ethernet-switching filter video_class term network_control

from precedence [net-control internet-control]
set firewall family ethernet-switching filter video_class term network_control
then forwarding-class network-control loss-priority low
set firewall family ethernet-switching filter video_class term best_effort_traffic
set interfaces ge-0/0/2 description video-ingress-port
set interfaces ge-0/0/2 unit 0 family ethernet-switching filter input video_class
set firewall family ethernet-switching filter app_class term app from
set firewall family ethernet-switching filter app_class term app from protocol
tcp
set firewall family ethernet-switching filter app_class term app from source-port
[1494 2512 2513 2598 2897]
set firewall family ethernet-switching filter app_class term app then
forwarding-class app loss-priority low
set firewall family ethernet-switching filter app_class term mail from
set firewall family ethernet-switching filter app_class term mail from protocol
tcp
set firewall family ethernet-switching filter app_class term mail from source-port
[25 143 389 691 993 3268 3269]
set firewall family ethernet-switching filter app_class term mail then
forwarding-class mail loss-priority low
set firewall family ethernet-switching filter app_class term db from source-address
192.168.1.25/32
set firewall family ethernet-switching filter app_class term db from protocol tcp
set firewall family ethernet-switching filter app_class term db from source-port
[1521 1525 1527 1571 1810 2481]
set firewall family ethernet-switching filter app_class term db then
forwarding-class db loss-priority low
set firewall family ethernet-switching filter app_class term erp from
set firewall family ethernet-switching filter app_class term erp from protocol
tcp
set firewall family ethernet-switching filter app_class term erp from source-port
[3200 3300 3301 3600]
set firewall family ethernet-switching filter app_class term erp then
forwarding-class erp loss-priority low
set firewall family ethernet-switching filter app_class term network_control from
precedence [net-control internet-control]
set firewall family ethernet-switching filter app_class term network_control then
forwarding-class network-control loss-priority low
set firewall family ethernet-switching filter app_class term best_effort_traffic
set interfaces ge-0/0/3 unit 0 family ethernet-switching filter input app_class
set class-of-service schedulers voice-sched buffer-size percent 10
set class-of-service schedulers voice-sched priority strict-high
set class-of-service schedulers voice-sched transmit-rate percent 10
set class-of-service schedulers video-sched buffer-size percent 15
set class-of-service schedulers video-sched priority low
set class-of-service schedulers video-sched transmit-rate percent 15
set class-of-service schedulers app-sched buffer-size percent 10
set class-of-service schedulers app-sched priority low
set class-of-service schedulers app-sched transmit-rate percent 10
set class-of-service schedulers mail-sched buffer-size percent 5
set class-of-service schedulers mail-sched priority low
set class-of-service schedulers mail-sched transmit-rate percent 5
set class-of-service schedulers db-sched buffer-size percent 10

set class-of-service schedulers db-sched priority low
set class-of-service schedulers db-sched transmit-rate percent 10
set class-of-service schedulers erp-sched buffer-size percent 10
set class-of-service schedulers erp-sched priority low
set class-of-service schedulers erp-sched transmit-rate percent 10
set class-of-service schedulers nc-sched buffer-size percent 5
set class-of-service schedulers nc-sched priority strict-high
set class-of-service schedulers nc-sched transmit-rate percent 5
set class-of-service schedulers be-sched buffer-size percent 35
set class-of-service schedulers be-sched priority low
set class-of-service schedulers be-sched transmit-rate percent 35
set class-of-service scheduler-maps ethernet-cos-map forwarding-class voice
scheduler voice-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class video
scheduler video-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class app scheduler
app-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class mail
scheduler mail-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class db scheduler
db-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class erp scheduler
erp-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class
network-control scheduler nc-sched
set class-of-service scheduler-maps ethernet-cos-map forwarding-class best-effort
scheduler be-sched
set class-of-service interfaces ge-0/0/20 scheduler-map ethernet-cos-map
Step-by-Step Procedure To configure and apply CoS:
1. Configure one-to-one mapping between eight forwarding classes and eight

queues:
user@switch# set forwarding-classes class app queue-num 5
user@switch# set forwarding-classes class mail queue-num 1
user@switch# set forwarding-classes class db queue-num 2
user@switch# set forwarding-classes class erp queue-num 3
user@switch# set forwarding-classes class video queue-num 4
user@switch# set forwarding-classes class best-effort queue-num 0
user@switch# set forwarding-classes class voice queue-num 6
user@switch# set forwarding-classes class network-control queue-num 7
2. Define the firewall filter voip_class to classify the VoIP traffic:
[edit firewall]
user@switch# set family ethernet-switching filter voip_class
3. Define the term voip:
[edit firewall]
user@switch# set family ethernet-switching filter voip_class term voip
from source-address 192.168.1.1/32

protocol udp
source-port 2698
then forwarding-class voice loss-priority low
4. Define the term network_control:
[edit firewall]
user@switch# set family ethernet-switching filter voip_class term
network_control from precedence [net-control internet-control]
network_control then forwarding-class network-control loss-priority low
5. Define the term best_effort_traffic with no match conditions:
[edit firewall]
best_effort_traffic then forwarding-class best-effort loss-priority low
6. Apply the firewall filter voip_class as an input filter to the interfaces for the VoIP
phones:
[edit interfaces]
user@switch# set ge-0/0/0 description phone1–voip-ingress-port
voip_class
user@switch# set ge-0/0/1 description phone2–voip-ingress-port
voip_class
7. Define the firewall filter video_class to classify the video traffic:
[edit firewall]
user@switch# set family ethernet-switching filter video_class
8. Define the term video:
[edit firewall]
user@switch# set family ethernet-switching filter video_class term video
protocol udp
source-port 2979
then forwarding-class video loss-priority low
9. Define the term network_control (for the video_class filter) :
[edit firewall]
user@switch# set family ethernet-switching filter video_class term

10. Define the term best_effort_traffic (for the video_class filter) :
[edit firewall]
11. Apply the firewall filter video_class as an input filter to the interface for the
surveillance camera:
[edit interfaces]
user@switch# set ge-0/0/2 description video-ingress-port
video_class
12. Define the firewall filter app_class to classify the application server traffic:
[edit firewall]
user@switch# set family ethernet-switching filter app_class
13. Define the term app:
[edit firewall]
user@switch# set family ethernet-switching filter app_class term app from
user@switch# set family ethernet-switching filter app_class term app
protocol tcp
user@switch# set family ethernet-switching filter app_class term app
source-port [1494 2512 2513 2598 2897]
user@switch# set family ethernet-switching filter app_class term app then
forwarding-class app loss-priority low
14. Define the term mail:
[edit firewall]
user@switch# set family ethernet-switching filter app_class term mail from
user@switch# set family ethernet-switching filter app_class term mail
protocol tcp
user@switch# set family ethernet-switching filter app_class term mail
source-port [25 143 389 691 993 3268 3269]
user@switch# set family ethernet-switching filter app_class term mail then
forwarding-class mail loss-priority low
15. Define the term db:
[edit firewall]
user@switch# set family ethernet-switching filter app_class term db from
user@switch# set family ethernet-switching filter app_class term db

protocol tcp
user@switch# set family ethernet-switching filter app_class term db
source-port [1521 1525 1527 1571 1810 2481]
user@switch# set family ethernet-switching filter app_class term db then
forwarding-class db loss-priority low
16. Define the term erp:
[edit firewall]
user@switch# set family ethernet-switching filter app_class term erp from
user@switch# set family ethernet-switching filter app_class term erp
protocol tcp
user@switch# set family ethernet-switching filter app_class term erp
source-port [3200 3300 3301 3600]
user@switch# set family ethernet-switching filter app_class term erp then
forwarding-class erp loss-priority low
17. Define the term network_control (for the app_class filter) :
[edit firewall]
user@switch# set family ethernet-switching filter app_class term
18. Define the term best_effort_traffic (for the app_class filter) :
[edit firewall]
19. Apply the firewall filter app_class as an input filter to the interfaces for the
servers hosting applications:
[edit interfaces]
app_class
app_class
app_class
app_class
20. Configure schedulers:
user@switch# set schedulers voice-sched buffer-size percent 10
user@switch# set schedulers voice-sched priority strict-high
user@switch# set schedulers voice-sched transmit-rate percent 10
user@switch# set schedulers video-sched buffer-size percent 15
user@switch# set schedulers video-sched priority low
user@switch# set schedulers video-sched transmit-rate percent 15

user@switch# set schedulers app-sched buffer-size percent 10
user@switch# set schedulers app-sched priority low
user@switch# set schedulers app-sched transmit-rate percent 10
user@switch# set schedulers mail-sched buffer-size percent 5
user@switch# set schedulers mail-sched priority low
user@switch# set schedulers mail-sched transmit-rate percent 5
user@switch# set schedulers db-sched buffer-size percent 10
user@switch# set schedulers db-sched priority low
user@switch# set schedulers db-sched transmit-rate percent 10
user@switch# set schedulers erp-sched buffer-size percent 10
user@switch# set schedulers erp-sched priority low
user@switch# set schedulers erp-sched transmit-rate percent 10
user@switch# set schedulers nc-sched buffer-size percent 5
user@switch# set schedulers nc-sched priority strict-high
user@switch# set schedulers nc-sched transmit-rate percent 5
user@switch# set schedulers be-sched buffer-size percent 35
user@switch# set schedulers be-sched priority low
user@switch# set schedulers be-sched transmit-rate percent 35
21. Assign the forwarding classes to schedulers with the scheduler

map:ethernet-cos-map:
user@switch# set scheduler-maps ethernet-cos-map forwarding-class voice
scheduler voice-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class video
scheduler video-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class app
scheduler app-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class mail
scheduler mail-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class db
scheduler db-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class erp
scheduler erp-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class
network-control scheduler nc-sched
user@switch# set scheduler-maps ethernet-cos-map forwarding-class
best-effort scheduler be-sched
22. Associate the scheduler-map with the outgoing interface:
[edit interfaces]
user@switch# set ge-0/0/20 scheduler-map ethernet-cos-map
user@switch# show firewall
firewall family ethernet-switching {

filter voip_class {
term voip {
from {
source-address {
192.168.1.1/32;
192.168.1.2/32;
}
protocol udp;
source-port 2698;
}
then {
forwarding-class voice;
loss-priority low;
}
}
term network control {
from {
precedence [net-control internet-control];
}
then {
loss-priority low;
}
}
term best_effort_traffic {
then {
loss-priority low;
}
}
}
filter video_class {
term video {
from {
source-address {
192.168.1.14/32;
}
protocol udp;
source-port 2979;
}
then {
forwarding-class video;
loss-priority low;
}
}
from {
}
then {
loss-priority low;
}
}
then {
loss-priority low;
}
}
}
filter app_class {
term app {
from {
source-address {
192.168.1.23/32;
}
protocol tcp;
source-port [1491 2512 2513 2598 2897];
}
then {
forwarding-class app;
loss-priority low;
}
}
term mail {
from {
source-address {
192.168.1.24/32;
}
protocol tcp;
source-port [25 143 389 691 993 3268 3269];
}
then {
forwarding-class mail;
loss-priority low;
}
}
term db {
from {
source-address {
192.168.1.25/32;
}
protocol tcp;
source-port [1521 1525 1527 1571 1810 2481];
}
then {
forwarding-class db;
loss-priority low;
}
}
term erp {
from {
source-address {
192.168.1.26/32;
}
protocol tcp;
source-port [3200 3300 3301 3600];
}
then {
forwarding-class erp;
loss-priority low;
}
}
from {

}
then {
loss-priority low;
}
}
then {
loss-priority low;
}
}
}
}
user@switch# show class-of-service
class app queue-num 5;
class mail queue-num 1;
class db queue-num 2;
class erp queue-num 3;
class video queue-num 4;
class best-effort queue-num 0;
class voice queue-num 6;
class network-control queue-num 7;
}
schedulers {
voice-sched {
buffer-size percent 10;
priority strict-high;
transmit-rate percent 10;
}
video-sched {
priority low;
}
app-sched {
priority low;
}
mail-sched {
priority low;
}
db-sched {
priority low;
}
erp-sched {
priority low;
}
nc-sched {
priority strict-high;
}
be-sched {
priority low;
}
}
scheduler-maps {
ethernet-cos-map {
forwarding-class voice scheduler voice-sched;
forwarding-class video scheduler video-sched;
forwarding-class app scheduler app-sched;
forwarding-class mail scheduler mail-sched;
forwarding-class db scheduler db-sched;
forwarding-class erp scheduler erp-sched;
forwarding-class network-control scheduler nc-sched;
forwarding-class best-effort scheduler be-sched;
}
}
user@switch# show interfaces
ge-0/0/0 {
unit 0 {
family ethernet {
filter {
input voip_class;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet {
filter {
input voip_class;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet {
filter {
input video_class;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet {
filter {
input app_class;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet {
filter {
input app_class;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet {
filter {
input app_class;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet {
filter {
input app_class;
}
}
}
}
ge-0/0/20 {
scheduler-map ethernet-cos-map;
}
Verification
■ Verifying That the Defined Forwarding Classes Exist and Are Mapped to
Queues on page 878
■ Verifying That the Forwarding Classes Have Been Assigned to
Schedulers on page 878
■ Verifying That the Scheduler Map Has Been Applied to the Interface on page 879
Verifying That the Defined Forwarding Classes Exist and Are

Mapped to Queues
Purpose Verify that the following forwarding classes app, db, erp, mail, video, and voice have
been defined and mapped to queues.
Action user@switch> show class-of-service forwarding-class

Forwarding class ID Queue
app 0 5
db 1 2
erp 2 3
best-effort 3 0
mail 4 1
voice 5 6
video 6 4
network-control 7 7
What It Means This output shows that the forwarding classes have been defined and mapped to
appropriate queues.
Verifying That the Forwarding Classes Have Been Assigned to

Schedulers
Purpose Verify that the forwarding classes have been assigned to schedulers.
Action user@switch> show class-of-service scheduler-map

Scheduler map: ethernet-cos-map, Index: 2
Scheduler: voice-sched, Forwarding class: voice, Index: 22
Priority: Strict-high
Drop profiles:
Scheduler: video-sched, Forwarding class: video, Index: 22

Priority: low
Drop profiles:
Scheduler: app-sched, Forwarding class: app, Index: 22

Priority: low
Drop profiles:
878 ■ Verifying That the Defined Forwarding Classes Exist and Are Mapped to Queues
Scheduler: mail-sched, Forwarding class: mail, Index: 22

Priority: low
Drop profiles:
Scheduler: db-sched, Forwarding class: db, Index: 22

Priority: low
Drop profiles:
Scheduler: erp-sched, Forwarding class: erp, Index: 22

Priority: low
Drop profiles:
Scheduler: be-sched, Forwarding class: best-effort, Index: 20

Priority: low
Drop profiles:
Scheduler: nc-sched, Forwarding class: network-control, Index: 22

Priority: Strict-high
Drop profiles:
What It Means This output shows that the forwarding classes have been assigned to schedulers.
Verifying That the Scheduler Map Has Been Applied to the

Interface
Purpose Verify that the scheduler map has been applied to the interface.
Verifying That the Scheduler Map Has Been Applied to the Interface ■ 879
Action user@switch> show class-of-service interface

...
Physical interface: ge-0/0/20, Index: 149
Queues supported: 8, Queues in use: 8
Scheduler map: ethernet-cos-map, Index: 43366
Input scheduler map: <default>, Index: 3
...
What It Means This output shows that the scheduler map (ethernet-cos-map) has been applied to the
interface (ge-0/0/20).
Related Topics
■ Assigning CoS Components to Interfaces (CLI Procedure)

Chapter 54
Configuring CoS
■ Configuring CoS (J-Web Procedure) on page 881

■ Defining CoS Value Aliases (J-Web Procedure) on page 882
■ Configuring CoS Code-Point Aliases (CLI Procedure) on page 884
■ Configuring CoS Classifiers (CLI Procedure) on page 885
■ Defining Classifiers (J-Web Procedure) on page 886
■ Configuring CoS Forwarding Classes (CLI Procedure) on page 889
■ Defining Forwarding Classes (J-Web Procedure) on page 889
■ Configuring CoS Schedulers (CLI Procedure) on page 891
■ Defining Schedulers (J-Web Procedure) on page 891
■ Configuring CoS Tail Drop Profiles (CLI Procedure) on page 894
■ Configuring CoS Rewrite Rules (CLI Procedure) on page 895
■ Defining Rewrite Rules (J-Web Procedure) on page 896
■ Assigning CoS Components to Interfaces (CLI Procedure) on page 898
■ Assigning CoS Components to Interfaces (J-Web Procedure) on page 898
Configuring CoS (J-Web Procedure)

The Class of Service Configuration pages allow you to configure the JUNOS CoS
components. You can configure forwarding classes for transmitting packets, define
which packets are placed into each output queue, and schedule the transmission
service level for each queue. After defining the CoS components you must assign
classifiers to the required physical and logical interfaces.
Using the Class of Service Configuration pages, you can configure various CoS
components individually or in combination to define particular CoS services.
To configure CoS components :

1. In the J-Web interface, select Configure>Class of Service.
2. On the Class of Service Configuration page, select one of the following options
depending on the CoS component that you want to define. Enter information
into the pages as described in the respective table:
Configuring CoS (J-Web Procedure) ■ 881

■ To define or edit CoS value aliases, select CoS Value Aliases .

■ To define or edit forwarding classes and assign queues, select Forwarding
Classes.
■ To define or edit classifiers, select Classifiers .
■ To define or edit rewrite rules, select Rewrite Rules.
■ To define or edit schedulers, select Schedulers.
■ To define or edit virtual channel groups, select Interface Associations.
3. Click Apply after completing configuration on any Configuration page.
Related Topics
■ Assigning CoS Components to Interfaces (J-Web Procedure)
Defining CoS Value Aliases (J-Web Procedure)
To define CoS Value Aliases, select Configure > Class of Service > CoS Value Aliases
in the J-Web interface.
Table 134 on page 882 describes the related fields. By defining aliases you can assign
meaningful names to a particular set of bit values and refer to them when configuring
CoS components.
Table 134: CoS Value Aliases Configuration Pages Summary
CoS Value Alias Summary

DSCP Allows you to define aliases for DiffServ code Click DSCP.
point (DSCP) IPv4 values.
You can refer to these aliases when you

configure classes and define classifiers.
IPv4 Precedence Allows you to define aliases for IPv4 Click IPv4 Precedence.
precedence values.
Precedence values are modified in the IPv4

type-of-service (TOS) field and mapped to
values that correspond to levels of service.

Chapter 54: Configuring CoS
Table 134: CoS Value Aliases Configuration Pages Summary (continued)
Alias Name Displays names given to CoS values—for None.

example, af11 or be.
Default Value Displays the default values mapped to standard None.

aliases. For example, ef (expedited forwarding)
is a standard alias for DSCP bits 101110.
You cannot delete default values. The check

box next to these values is unavailable.
Configured Value Displays the CoS values that you have assigned None.
to specific aliases.
You can delete a configured alias.
Add Opens a page that allows you to define CoS Click Add.
value aliases.
Delete Allows you to delete a configured CoS value Select the check box next to the CoS value alias
alias. and click Delete.
You cannot delete a default alias.
Add a CoS Value Alias

CoS Value Alias Assigns a name to a CoS value. A CoS value To define an alias for a CoS value, type a
can be of different types—DSCP or IP name—for example, my1.
precedence.
CoS Value Alias Bits Specifies the CoS value for which an alias is To specify a CoS value, type it in an appropriate
defined. format:
■ For DSCP CoS values, use the format
Changing this value alters the behavior of all
xxxxxx, where x is 1 or 0—for example,
classifiers that refer to this alias.
101110.
■ For IP precedence CoS values, use the
format xxx, where x is 1 or 0—for
example, 111.
Related Topics
■ Monitoring CoS Value Aliases

Configuring CoS Code-Point Aliases (CLI Procedure)

You can use code-point aliases to streamline the process of configuring CoS features
on your EX-series switch. A code-point alias assigns a name to a pattern of code-point
bits. You can use this name instead of the bit pattern when you configure other CoS
components such as classifiers, drop-profile maps, and rewrite rules.
You can configure code-point aliases for the following CoS marker types:
■ DSCP—Handles incoming IPv4 packets.
■ IEEE 802.1p—Handles Layer 2 CoS.
■ Inet precedence—Handles incoming IPv4 packets. IP precedence mapping
requires only the higher order three bits of the DSCP field.
To configure a code-point alias for a specified CoS marker type (dscp), assign an alias
(my1) to the code-point (110001):
[edit class-of-service code-point-aliases]

user@switch# set dscp my1 110001
Related Topics
■ Monitoring CoS Value Aliases
884 ■ Configuring CoS Code-Point Aliases (CLI Procedure)

Configuring CoS Classifiers (CLI Procedure)

level. Classifiers associate packets with a forwarding class and loss priority and, based
on the associated forwarding class, assign packets to output queues. JUNOS software
supports two general types of classifiers:
■ Behavior aggregate or CoS value traffic classifiers—Examines the CoS value in
the packet header. The value in this single field determines the CoS settings
applied to the packet. BA classifiers allow you to set the forwarding class and
loss priority of a packet based on the Differentiated Services code point (DSCP)
value, IP precedence value, and IEEE 802.1p value. The default classifier is based
on the DSCP value.
■ Multifield traffic classifiers—Examines multiple fields in the packet such as source
and destination addresses and source and destination port numbers of the packet.
With multifield classifiers, you set the forwarding class and loss priority of a
packet based on firewall filter rules.
This example describes how to configure the DSCP BA classifier ba-classifier as the
default DSCP map and apply it to the Gigabit Ethernet interface ge-0/0/0 of the
EX-series switch. The BA classifier assigns loss priorities, as shown in
Table 135 on page 885, to incoming packets in the four forwarding classes.
Table 135: BA-classifier Loss Priority Assignments
Forwarding Class For CoS Traffic Type ba-classifier Assignment

be Best-effort traffic High-priority code point: 000001
ef Expedited-forwarding traffic High-priority code point: 101110
af Assured-forwarding traffic High-priority code point: 001100
nc Network-control traffic High-priority code point: 110001
To configure CoS classifiers using the CLI:

1. Associate code point 000001 with forwarding class be and loss priority high:
[edit class-of-service classifiers]

user@switch# set dscp ba-classifier import default forwarding-class be
loss-priority high code-points 000001
2. Associate code point 101110 with forwarding class ef and loss priority high:

user@switch# set dscp ba-classifier forwarding-class ef loss-priority high
code-points 101110
3. Associate code point 001100 with forwarding class af and loss priority high:
Configuring CoS Classifiers (CLI Procedure) ■ 885


user@switch# set dscp ba-classifier forwarding-class af loss-priority high
code-points 001100
4. Associate code point 110001 with forwarding class nc and loss priority high:

user@switch# set dscp ba-classifier forwarding-class nc loss-priority high
code-points 110001
5. Apply the DSCP BA classifier to Gigabit Ethernet interface ge-0/0/0:
[edit class-of-service interfaces]

user@switch# set ge-0/0/0 unit 0 classifiers dscp ba-classifier
Related Topics
■ Monitoring CoS Classifiers
Defining Classifiers (J-Web Procedure)

Classifiers examine the CoS value or alias of an incoming packet and assign the
packet a level of service by setting its forwarding class and loss priority. To define
classifiers, select Configure > Class of Service > Classifiers in the J-Web
interface.Table 136 on page 886describes the related fields.
Table 136: Classifiers Configuration Page Summary
Classifier Summary
DSCP Defines classifiers for DSCP code point values. Click DSCP.
IPv4 Precedence Defines classifiers for IPv4 precedence values. Click IPv4 Precedence.
Classifier Name Displays the names of classifiers. To edit a classifier, click its name.
Allows you to edit a specific classifier.
Incoming Code Point Displays CoS values and aliases to which None.
(Alias) forwarding class and loss priority are mapped.
Classify to Forwarding Displays forwarding classes that are assigned None.

Class to specific CoS values and aliases of a classifier.

Table 136: Classifiers Configuration Page Summary (continued)
Classify to Loss Priority Displays loss priorities that are assigned to None.
specific CoS values and aliases of a classifier.
Add Opens a page that allows you to define To add a classifier, click Add.
classifiers.
Delete Deletes a specified classifier. To delete a classifier, locate the classifier, select
the check box next to it, and click Delete.
Add a Classifier/Edit Classifier

Classifier Name Specifies the name for a classifier. To name a classifier, type the name—for
example, ba-classifier.
Classifier Code Point Sets the forwarding classes and the packet loss None.
Mapping priorities (PLPs) for specific CoS values and
aliases.
Incoming Code Point Specifies the CoS value in bits and the alias of To specify a CoS value and alias, either select
a classifier for incoming packets. preconfigured ones from the list or type new
ones.
For information about forwarding classes and

aliases assigned to well-known DSCPs, see the
JUNOS Class of Service Configuration Guide.
Forwarding Class Assigns the forwarding class to the specified To assign a forwarding class, select either one
CoS value and alias. of the following default forwarding classes or
one that you have configured:
■ assured-forwarding—Provides high
assurance for packets within the specified
service profile. Excess packets are
dropped.
■ best-effort—Provides no special CoS
handling of packets. Typically, RED drop
profile is aggressive and no loss priority is
defined.
■ expedited-forwarding—Provides low loss,
low delay, low jitter, assured bandwidth,
and end-to-end service. Packets can be
forwarded out of sequence or dropped.
■ network-control—Packets can be delayed
but not dropped.
Loss Priority Assigns a loss priority to the specified CoS value To assign a loss priority, select one:
and alias.
■ high—Packet has a high loss priority.
■ low—Packet has a low loss priority.
Defining Classifiers (J-Web Procedure) ■ 887

Table 136: Classifiers Configuration Page Summary (continued)
Add Assigns a forwarding class and loss priority to To assign a forwarding class and loss priority
the specified CoS value and alias. to a specific CoS value and alias, click Add.
A classifier examines the incoming packet's

header for the specified CoS value and alias
and assigns it the forwarding class and loss
priority that you have defined.
Delete Removes the forwarding class and loss priority To remove the forwarding class and loss priority
assignment from the classifier. assignment, select it and click Delete.
Related Topics
■ Example: Configuring CoS on EX-Series Switches
■ Monitoring CoS Classifiers

Configuring CoS Forwarding Classes (CLI Procedure)

Forwarding classes allow you to group packets for transmission. Based on forwarding
classes, you assign packets to output queues.
By default, four categories of forwarding classes are defined: best effort, assured
forwarding, expedited forwarding, and network control. EX-series switches support
up to 16 forwarding classes.
You can configure forwarding classes in one of the following ways:

■ Using class statement—You can configure up to 16 forwarding classes and you
can map multiple forwarding classes to single queue.
■ Using queue statement—You can configure up to 8 forwarding classes and you
can map one forwarding class to one queue.
This example uses the class statement to configure forwarding classes.
To configure CoS forwarding classes, map the forwarding classes to queues:
[edit class-of-service forwarding-classes]

user@switch# set class be queue—num 0
user@switch# set class ef queue—num 1
user@switch# set class af queue—num 2
user@switch# set class nc queue—num 3
user@switch# set class ef1 queue—num 4
user@switch# set class ef2 queue—num 5
user@switch# set class af1 queue—num 6
user@switch# set class nc1 queue—num 7
Related Topics
■ Monitoring CoS Forwarding Classes with the J-Web Interface
Defining Forwarding Classes (J-Web Procedure)
To define forwarding classes, select Configure > Class of Service> Forwarding Classes
in the J-Web interface. Table 137 on page 890 describes the related fields. By assigning
a forwarding class to a queue number, you affect the scheduling and marking of a
packet as it transits a switch.
Configuring CoS Forwarding Classes (CLI Procedure) ■ 889

Table 137: Forwarding Classes Configuration Pages Summary
Forwarding Class Summary

Queue # Displays internal queue numbers to which To edit an assigned forwarding class, click the
forwarding classes are assigned. queue number to which the class is assigned.
By default, if a packet is not classified, it is

assigned to the class associated with queue 0.
You can have more than one forwarding class
to a queue number.
Allows you to edit an assigned forwarding class.
Forwarding Class Name Displays the forwarding class names assigned None.
to specific internal queue numbers.
By default, four forwarding classes are assigned

to queue numbers 0, 2, 4, and 5.
Add Opens a page that allows you to assign To add a forwarding class, click Add.
forwarding classes to internal queue numbers.
Add a Forwarding Class/Edit Forwarding Class Queue #

Queue # Specifies the internal queue number to which To specify an internal queue number, type an
a forwarding class is assigned. integer from 0 through 7, as supported by your
platform.
Forwarding Class Name Specifies the forwarding class name assigned To assign a forwarding class name to a queue,
to the internal queue number. type the name—for example, be-class.
Related Topics
■ Monitoring CoS Forwarding Classes

Configuring CoS Schedulers (CLI Procedure)

You use schedulers to define the CoS properties of output queues. These properties
include the amount of interface bandwidth assigned to the queue, the size of the
memory buffer allocated for storing packets, the priority of the queue, and the tail
drop profiles associated with the queue.
You associate the schedulers with forwarding classes by means of scheduler maps.
You can then associate each scheduler map with an interface, thereby configuring
the queues and packet schedulers that operate according to this mapping.
You can associate up to four user-defined scheduler maps with the interfaces.
To configure CoS schedulers using the CLI:

1. Create a scheduler (be-sched) with low priority:
[edit class-of-service schedulers]

user@switch# set be-sched priority low
2. Configure a scheduler map (be-map) that associates the scheduler (be-sched) with
the forwarding class (best-effort):
[edit class-of-service scheduler-maps]

user@switch# set be-map forwarding-classbest-effort scheduler be-sched
3. Assign the scheduler map (be-map) to a Gigabit Ethernet interface (ge-0/0/1):

user@switch# set ge-0/0/1 scheduler-map be-map
Related Topics
■ Monitoring CoS Scheduler Maps with the J-Web Interface
Defining Schedulers (J-Web Procedure)

Using schedulers, you can assign attributes to queues and thereby provide congestion
control for a particular class of traffic. These attributes include the amount of interface
bandwidth, memory buffer size, transmit rate, and schedule priority.
To configure schedulers using the Configuration pages:
Configuring CoS Schedulers (CLI Procedure) ■ 891

1. Create a scheduler and specify attributes for it. For a description of

scheduler-related fields, see Table 138 on page 892.
2. Associate the scheduler to a forwarding class. Because the forwarding class is
assigned to a queue number, the queue inherits this scheduler's attributes. For
a description of scheduler map-related fields, see Table 138 on page 892.
Table 138: Schedulers Configuration Page Summary
Scheduler Summary
Scheduler Name Displays the names of defined schedulers. To edit a scheduler, click its name.
Allows you to edit a specific scheduler.
Scheduler Information Displays a summary of defined settings for a None.

scheduler, such as bandwidth, delay buffer size,
and transmit rates.
Add Opens a page that allows you to add a Click Add.

scheduler.
Delete Removes a scheduler. Click Delete.
Add a Scheduler/Edit Scheduler

Scheduler Name Specifies the name for a scheduler. To name a scheduler, type the name—for
example, be-scheduler.
Buffer Size Defines the size of the delay buffer. To define a delay buffer size for a scheduler,
select the appropriate option:
By default, queues 0 through 7 have the
■ To specify no buffer size, select
following percentage of the total available
Unconfigured.
buffer space:
■ To specify buffer size as a percentage of
■ Queue 0—95 percent the total buffer, select Percent and type
■ Queue 1—0 percent an integer from 1 through 100.
■ Queue 2—0 percent ■ To specify buffer size as the remaining
Queue 3—0 percent available buffer, select Remainder.
■
■ Queue 4—0 percent

■ Queue 5-0 percent
NOTE: A large buffer size value correlates with

a greater possibility of packet delays. This
might not be practical for sensitive traffic such
as voice or video.
892 ■ Defining Schedulers (J-Web Procedure)

Table 138: Schedulers Configuration Page Summary (continued)
Scheduling Priority Sets the transmission priority of the scheduler, To specify a priority, select one:
which determines the order in which an output
interface transmits traffic from the queues. ■ low—Packets in this queue are transmitted
last.
You can set scheduling priority at different ■ strict—high—Packets in this queue are
levels in an order of increasing priority from transmitted first.
low to high.
A high-priority queue with a high transmission

rate might lock out lower-priority traffic.
Transmit Rate Defines the transmission rate of a scheduler. To define a transmit rate, select the appropriate
option:
The transmit rate determines the traffic
■ To not specify transmit rate, select
bandwidth from each forwarding class you
Unconfigured.
configure.
■ To specify the remaining transmission
By default, queues 0 through 7 have the capacity, select Remainder Available.
following percentage of transmission capacity: ■ To specify a percentage of transmission
capacity, select Percent and type an
■ Queue 0—95 percent integer from 1 through 100.
■ Queue 2—0 percent To enforce the exact transmission rate or
■ Queue 3—5 percent percentage you configured, select the Exact
Queue 4—0 percent Transmit Rate check box.
■

Table 139: Scheduler Maps Configuration Page Summary
Scheduler Maps Summary

Scheduler Map Name Displays the names of defined scheduler maps. To edit a scheduler map, click its name.
Scheduler maps link schedulers to forwarding
classes.
Allows you to edit a scheduler map.
Scheduler Map Information For each map, displays the schedulers and the None.
forwarding classes that they are assigned to.
Add Opens a page that allows you to add a Click Add.

scheduler map.
Delete Removes a scheduler map. Select it and click Delete.
Add a Scheduler Map/Edit Scheduler Map

Scheduler Map Name Specifies the name for a scheduler map. To name a map, type the name—for example,
be-scheduler-map.
Defining Schedulers (J-Web Procedure) ■ 893

Table 139: Scheduler Maps Configuration Page Summary (continued)
Scheduler Mapping Allows you to associate a preconfigured To associate a scheduler with a forwarding class,
scheduler with a forwarding class. locate the forwarding class and select the
scheduler in the box next to it.
After scheduler maps have been applied to an
interface, they affect the hardware queues,
packet schedulers.
Related Topics
■ Monitoring CoS Scheduler Maps
Configuring CoS Tail Drop Profiles (CLI Procedure)

Tail drop is a simple and effective traffic congestion avoidance mechanism. When
you apply this mechanism to manage congestion, packets are dropped when the
output queue is full.
To configure CoS tail-drop profiles, create a drop profile name (be-dp) and assign a
fill level (25):
[edit class-of-service drop-profiles]

user@switch# set be-dp fill-level 25
Related Topics

Configuring CoS Rewrite Rules (CLI Procedure)

You configure rewrite rules to alter CoS values in outgoing packets on the outbound
interfaces of a switch to match the policies of a targeted peer. Policy matching allows
the downstream router in a neighboring network to classify each packet into the
In addition, you often need to rewrite a given marker such as IP precedence, DSCP,
or IEEE 802.1p at the switch's inbound interfaces to accommodate behavior aggregate
(BA) classification by core devices.
You do not need to explicitly apply rewrite rules to interfaces. By default, rewrite
rules are applied to routed packets.
To configure CoS rewrite rules, associate the rewrite rule (customup-rw) with forwarding
class, loss priority, and code-point:
[edit class-of-service rewrite-rules]

user@switch# set ieee-802.1 customup-rw forwarding-class be loss-priority low
code-point 000
user@switch# set ieee-802.1 customup-rw forwarding-class be loss-priority high
code-point 001
user@switch# set ieee-802.1 customup-rw forwarding-class af loss-priority low
code-point 010
user@switch# set ieee-802.1 customup-rw forwarding-class af loss-priority high
code-point 011
user@switch# set ieee-802.1 customup-rw forwarding-class ef loss-priority low
code-point 100
user@switch# set ieee-802.1 customup-rw forwarding-class ef loss-priority high
code-point 101
user@switch# set ieee-802.1 customup-rw forwarding-class nc loss-priority low
code-point 110
user@switch# set ieee-802.1 customup-rw forwarding-class nc loss-priority high
code-point 111
Related Topics
■ Monitoring CoS Rewrite Rules with the J-Web Interface
Configuring CoS Rewrite Rules (CLI Procedure) ■ 895

Defining Rewrite Rules (J-Web Procedure)
To define rewrite rules, select Configure > Class of Service > Rewrite Rules in the
J-Web interface. Table 140 on page 896 describes the related fields. Use the rewrite
rules to alter the CoS values in outgoing packets to meet the requirements of the
targeted peer. A rewrite rule examines the forwarding class and loss priority of a
packet and sets its bits to a corresponding value specified in the rule.
Table 140: Rewrite Rules Configuration Page Summary
Rewrite Rules Summary

DSCP Redefines DSCP code point values of outgoing Click DSCP.
packets.
IPv4 Precedence Redefines IPv4 precedence code point values. Click IPv4 Precedence.
Rewrite Rule Name Displays names of defined rewrite rules. To edit a rule, click its name.
Allows you to edit a specific rule.
Forwarding Class Displays forwarding classes associated with a None.

specific rewrite rule.
Loss Priority Displays loss priority values associated with a None.

specific rewrite rule.
Rewrite Outgoing Code Displays the CoS values and aliases that a None.
Point To specific rewrite rule has set for a specific
forwarding class and loss priority.
Add Opens a page that allows you to define a new To add a rewrite rule, click Add.
rewrite rule.
Delete Removes specified rewrite rules. To remove a rule, select the check box next to
it and click Delete.
Add a Rewrite Rule/Edit Rewrite Rule

Rewrite Rule Name Specifies a rewrite rule name. To name a rule, type the name—for example,
rewrite-dscps.
896 ■ Defining Rewrite Rules (J-Web Procedure)

Table 140: Rewrite Rules Configuration Page Summary (continued)
Code Point Mapping Rewrites outgoing CoS values of a packet based To configure the CoS value assignment, follow
on the forwarding class and loss priority. these steps:
1. From the Forwarding Class list, select a
Allows you to remove a code point mapping
class.
entry.
2. Select a priority from the following:
■ low—Rewrite rule applies to packets
with a low loss priority.
■ high—Rewrite rule applies to packets
with a high loss priority.
3. For Rewritten Code Point, either select a
predefined CoS value and alias or type a
new CoS value and alias.
For information about predefined CoS

values and aliases, see the JUNOS Class of
Service Configuration Guide.
4. Click Add.
To remove a code point mapping entry, select

it and click Delete.
Related Topics
■ Monitoring CoS Rewrite Rules

Assigning CoS Components to Interfaces (CLI Procedure)

After you have defined the following CoS components, you must assign them to
logical or physical interfaces. (Only these three types of CoS components get assigned
to interfaces.)
■ Forwarding classes—Assign only to logical interfaces.
■ Classifiers—Assign only to logical interfaces.
■ Scheduler maps—Assign to either physical or logical interfaces.
To assign CoS components to interfaces, associate a CoS component (scheduler map

named ethernet-cos-map) with an interface (ge-0/0/20):

user@switch# set ge-0/0/20 scheduler-map ethernet-cos-map
Related Topics
Assigning CoS Components to Interfaces (J-Web Procedure)

After you have defined CoS components, you must assign them to logical or physical
interfaces. The CoS Configuration pages allow you to assign scheduler maps to
physical or logical interfaces and to assign forwarding classes, or classifiers to logical
interfaces.
To assign CoS components to interfaces:

1. In the J-Web interface, select Configure>Class of Service>Interface Association.
2. Enter information into these pages, as described in Table 141 on page 898.
3. Click one:
■ To apply the configuration click OK.
■ To cancel your entries click Cancel.
Table 141: Assigning CoS Components to Interfaces
Add CoS Service to a Physical Interface/Edit CoS Physical Interface
898 ■ Assigning CoS Components to Interfaces (CLI Procedure)

Table 141: Assigning CoS Components to Interfaces (continued)
Physical Interface Specifies the name of a physical interface. Allows To specify an interface for CoS assignment, type
Name you to assign CoS components to a set of interfaces its name in the Physical Interface Name box.
at the same time.
To specify a set of interfaces for CoS assignment,
use the wildcard character (*)—for example,
ge-0/*/0.
Scheduler Map Specifies a predefined scheduler map for the To specify a map for an interface, select it from
physical interface. the Scheduler Map list.
A scheduler map enables the physical interface to

have more than one set of output queues.
Add Allows you to add a CoS service to a logical To add a CoS Service to a logical interface, click
interface on a specified physical interface. Add.
Add CoS Service to a Logical Interface Unit/Edit CoS Logical Interface Unit
Logical Interface Specifies the name of a logical interface. Allows To specify an interface for CoS assignment, type
Unit Name you to assign CoS components to a logical interface its name in the Logical Interface Unit Name box.
configured on a physical interface at the same time.
To assign CoS services to all logical interfaces
configured on this physical interface, type the
wildcard character (*).
Forwarding Class Assigns a predefined forwarding class to incoming To assign a forwarding class to the interface, select
packets on a logical interface. it.
Classifiers Allows you to apply classification maps to a logical To assign a classification map to the interface,
interface. Classifiers assign a forwarding class and select an appropriate classifier for each CoS value
loss priority to an incoming packet based on its type used on the interface.
CoS value.
Related Topics
■ Monitoring Interfaces That Have CoS Components


Chapter 55
Verifying CoS
■ Monitoring CoS Classifiers on page 901

■ Monitoring CoS Forwarding Classes on page 902
■ Monitoring Interfaces That Have CoS Components on page 903
■ Monitoring CoS Rewrite Rules on page 904
■ Monitoring CoS Scheduler Maps on page 905
■ Monitoring CoS Value Aliases on page 907
Monitoring CoS Classifiers

Purpose Use the monitoring functionality to display the mapping of incoming CoS values to
forwarding class and loss priority for each classifier.
Action To monitor CoS classifiers in the J-Web interface, select Monitor>Class of

Service>Classifiers
To monitor CoS classifiers in the CLI, enter the following CLI command:
show class-of-service classifier
What It Means Table 142 on page 901 summarizes key output fields for CoS classifiers.
Table 142: Summary of Key CoS Classifier Output Fields
Classifier Name Name of a classifier. To display classifier assignments, click the

plus sign (+).
CoS Value Type The classifiers are displayed by type:

■ dscp—All classifiers of the DSCP type.
■ ieee-802.1—All classifiers of the IEEE
802.1 type.
■ inet-precedence—All classifiers of the
IP precedence type.
Index Internal index of the classifier.
Monitoring CoS Classifiers ■ 901

Table 142: Summary of Key CoS Classifier Output Fields (continued)
Incoming CoS Value CoS value of the incoming packets, in bits.

These values are used for classification.
Assign to Forwarding Class Forwarding class that the classifier assigns

to an incoming packet. This class affects the
forwarding and scheduling policies that are
applied to the packet as it transits the
switch.
Assign to Loss Priority Loss priority value that the classifier assigns
to the incoming packet based on its CoS
value.
Related Topics
Monitoring CoS Forwarding Classes

Purpose Use the monitoring functionality to view the current assignment of CoS forwarding
classes to queue numbers on the system.
Action To monitor CoS forwarding classes in the J-Web interface, select Monitor>Class of
Service>Forwarding Classes.
To monitor CoS forwarding classes in the CLI, enter the following CLI command:
show class-of-service forwarding-class
What It Means Table 143 on page 903 summarizes key output fields for CoS forwarding classes.

Chapter 55: Verifying CoS
Table 143: Summary of Key CoS Forwarding Class Output Fields
Forwarding Class Names of forwarding classes assigned to

queue numbers. By default, the following
forwarding classes are assigned to queues
0, 1, 5, or 7:
■ best-effort—Provides no special CoS
handling of packets. Loss priority is
typically not carried in a CoS value.
■ expedited-forwarding—Provides low loss,
low delay, low jitter, assured
bandwidth, and end-to-end service.
■ assured-forwarding—Provides high
assurance for packets within specified
service profile. Excess packets are
dropped.
■ network-control—Packets can be
delayed but not dropped.
Queue Queue number corresponding to the By default, four queues, 0, 1, 5 or 7, are

forwarding class name. assigned to forwarding classes.
Related Topics
Monitoring Interfaces That Have CoS Components

Purpose Use the monitoring functionality to display details about the physical and logical
interfaces and the CoS components assigned to them.
Action To monitor interfaces that have CoS components in the J-Web interface, select
Monitor>Class of Service>Interface Association.
To monitor interfaces that have CoS components in the CLI, enter the following
command:
show class-of-service interface interface
What It Means Table 144 on page 904 summarizes key output fields for CoS interfaces.

Table 144: Summary of Key CoS Interfaces Output Fields
Interface Name of a physical interface to which CoS To display names of logical interfaces
components are assigned. configured on this physical interface, click
the plus sign (+).
Scheduler Map Name of the scheduler map associated with

this interface.
Queues Supported Number of queues you can configure on the

interface.
Queues in Use Number of queues currently configured.
Logical Interface Name of a logical interface on the physical

interface to which CoS components are
assigned.
Object Category of an object—for example,

classifier, scheduler-map, or rewrite.
Name Name that you have given to an object—for

example, ba-classifier.
Type Type of an object—for example, dscp for a

classifier.
Index Index of this interface or the internal index

of a specific object.
Related Topics
Monitoring CoS Rewrite Rules

Purpose Use the monitoring functionality to display information about CoS value rewrite rules,
which are based on the forwarding class and loss priority.
Action To monitor CoS rewrite rules in the J-Web interface, select Monitor>Class of
Service>Rewrite Rules.
To monitor CoS rewrite rules in the CLI, enter the following command:
show class-of-service rewrite-rules
What It Means Table 145 on page 905 summarizes key output fields for CoS rewrite rules.

Table 145: Summary of Key CoS Rewrite Rules Output Fields
Rewrite Rule Name Names of rewrite rules.
CoS Value Type Rewrite rule type: To display forwarding classes, loss priorities,
and rewritten CoS values, click the plus sign
■ dscp—For IPv4 DiffServ traffic. (+).
■ ieee-802.1—For Layer 2 traffic.
■ inet-precedence—For IPv4 traffic.
Index Internal index for this particular rewrite rule.
Forwarding Class Forwarding class that is used to determine Rewrite rules are applied to CoS values in
CoS values for rewriting in combination with outgoing packets based on forwarding class
loss priority. and loss priority setting.
Loss Priority Loss priority that is used to determine CoS

values for rewriting in combination with
forwarding class.
Rewrite CoS Value To Value that the CoS value is rewritten to.
Related Topics
Monitoring CoS Scheduler Maps

Purpose Use the monitoring functionality to display assignments of CoS forwarding classes
to schedulers.
Action To monitor CoS scheduler maps in the J-Web interface, select Monitor>Class of
Service>Scheduler Maps.
To monitor CoS scheduler maps in the CLI, enter the following CLI command:
show class-of-service scheduler-map
What It Means Table 146 on page 905 summarizes key output fields for CoS scheduler maps.
Table 146: Summary of Key CoS Scheduler Maps Output Fields
Scheduler Map Name of a scheduler map. For details, click the plus sign (+).

Table 146: Summary of Key CoS Scheduler Maps Output Fields (continued)
Index Index of a specific object—scheduler maps,

schedulers, or drop profiles.
Scheduler Name Name of a scheduler.
Forwarding Class Forwarding classes this scheduler is

assigned to.
Transmit Rate Configured transmit rate of the scheduler

in bits per second (bps). The rate value can
be either of the following:
■ A percentage—The scheduler receives
the specified percentage of the total
interface bandwidth.
■ remainder— The scheduler receives the
remaining bandwidth of the interface
after bandwidth allocation to other
schedulers.
Buffer Size Delay buffer size in the queue or the amount

of transmit delay (in milliseconds). The
buffer size can be either of the following:
■ A percentage—The buffer is a
percentage of the total buffer
allocation.
■ remainder—The buffer is sized
according to what remains after other
scheduler buffer allocations.
Priority Scheduling priority of a queue:

■ strict-high—Packets in this queue are
transmitted first.
■ low—Packets in this queue are
transmitted last.
Drop Profiles Name and index of a drop profile that is

assigned to a specific loss priority and
protocol pair.
Loss Priority Packet loss priority corresponding to a drop

profile.
Protocol Transport protocol corresponding to a drop

profile.
Drop Profile Name Name of the drop profile.
Index Index of a specific object—scheduler maps,

schedulers, or drop profiles.
906 ■ Monitoring CoS Scheduler Maps

Related Topics
Monitoring CoS Value Aliases

Purpose Use the monitoring functionality to display information about the CoS value aliases
that the system is currently using to represent DSCP, IEEE 802.1p, and IPv4
precedence bits.
Action To monitor CoS value aliases in the J-Web interface, select Monitor>Class of
Service>CoS Value Aliases.
To monitor CoS value aliases in the CLI, enter the following command:
show class-of-service code-point-aliases
What It Means Table 147 on page 907 summarizes key output fields for CoS value aliases.
Table 147: Summary of Key CoS Value Alias Output Fields
CoS Value Type Type of the CoS value: To display aliases and bit patterns, click the
plus sign (+).
■ dscp—Examines Layer 3 packet
headers for IP packet classification.
■ ieee-802.1—Examines Layer 2 packet
headers for packet classification.
■ inet-precedence—Examines Layer 3
packet headers for IP packet
classification.
CoS Value Alias Name given to a set of bits—for example,

af11 is a name for 001010 bits.
CoS Value Set of bits associated with an alias.
Related Topics


Chapter 56
Configuration Statements for CoS
■ [edit class-of-service] Configuration Statement Hierarchy on page 909
[edit class-of-service] Configuration Statement Hierarchy
class-of-service {
classifiers {
loss-priority loss-priority {
}
}
}
}
alias-name bits;
}
}
}
interfaces {
interface-name {
classifiers {
}
}
}
}
rewrite-rules {
loss-priority loss-priority code-point (alias | bits);
[edit class-of-service] Configuration Statement Hierarchy ■ 909

}
}
}
scheduler-maps {
map-name {
}
}
schedulers {
scheduler-name {
profile-name;
priority priority;
}
}
}
Related Topics
(J-Web Procedure)
Procedure)
Procedure)
Procedure)

Chapter 56: Configuration Statements for CoS
buffer-size
Syntax buffer-size (percent percentage | remainder);
Hierarchy Level [edit class-of-service schedulers scheduler-name]
Description Specify buffer size.
Default If you do not include this statement, the default scheduler transmission rate and
buffer size percentages for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent.
Options percent percentage—Buffer size as a percentage of total buffer.
remainder—Remaining buffer available.

Related Topics
Procedure)
buffer-size ■ 911
class
Syntax class class-name queue-num queue-number;
Hierarchy Level [edit class-of-service forwarding-classes]
Description Configure up to 16 forwarding classes with multiple forwarding classes mapped to
single queues. If you want to configure up to eight forwarding classes with one-to-one
mapping to output queues, use the queue statement instead of the class statement
at the [edit class-of-service forwarding-classes] hierarchy level.
Options class-name—Name of forwarding class..
queue-num queue-number—Output queue number.

Range: 0 through 15.
Related Topics
912 ■ class
class-of-service
Syntax class-of-service {
classifiers {
loss-priority level {
}
}
}
}
alias-name bits;
}
}
}
interfaces {
interface-name {
classifiers {
}
}
}
}
rewrite-rules {
loss-priority priority code-point (alias | bits);
}
}
}
scheduler-maps {
map-name {
}
}
schedulers {
scheduler-name {
profile-name;
class-of-service ■ 913
priority priority;
}
}
}
Description Configure class-of-service parameters on EX-series switches.
Default If you do not configure any CoS features, all packets are transmitted from output
transmission queue 0.

Related Topics
(J-Web Procedure)
Procedure)
Procedure)
Procedure)

classifiers
Syntax classifiers {
code-points [ aliases ] [ 6–bit-patterns ];
}
}
}
}
[editclass-of-service interfaces interface-name unit logical-unit-number]

classifiers {
}
Hierarchy Level [edit class-of-service],

[editclass-of-service interfaces interface-name unit logical-unit-number]
Description Apply a CoS aggregate behavior classifier to a logical interface. You can apply a
default classifier or one that has been previously defined.

Related Topics
Procedure)
classifiers ■ 915
code-point-aliases
Syntax code-point-aliases {
alias-name bits;
}
}
Hierarchy Level [edit class-of-service]
Description Define an alias for a CoS marker.

Related Topics
(J-Web Procedure)
916 ■ code-point-aliases
code-points
Syntax code-points [ aliases ] [ 6 bit-patterns ];
Hierarchy Level [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) forwarding-class

class-name loss-priority level]
Description Specify one or more DSCP code-point aliases or bit sets for association with a
forwarding class.
Options aliases—Name of the DSCP alias.
6 bit-patterns—Value of the code-point bits, in decimal form.

Related Topics
Procedure)
code-points ■ 917
drop-profile-map
Syntax drop-profile-map loss-priority (high) protocol (any) drop-profile profile-name;
Description Define loss priority value for drop profile.
Options drop-profile profile-name—Name of the drop profile.

Related Topics
Procedure)
918 ■ drop-profile-map
dscp
Syntax dscp classifier-name {

}
}
}
Hierarchy Level [edit class-of-service classifiers],

[edit class-of-service code-point-aliases],
[editclass-of-service interfaces interface-name unit logical-unit-number classifiers],
Description Define the Differentiated Services code point (DSCP) mapping that is applied to the
packets.
Options classifier-name—Name of the classifier.

Related Topics
(J-Web Procedure)
Procedure)
Procedure)
dscp ■ 919
forwarding-class
Syntax forwarding-class class-name {

}
}
Hierarchy Level [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name],

[editclass-of-service interfaces interface-name unit logical-unit-number],
[edit class-of-service rewrite-rules] (dscp | ieee-802.1 | inet-precedence) rewrite-name],
[edit class-of-service scheduler-maps map-name]
Description Define forwarding class name and option values.
Options class-name—Name of the forwarding class.

Related Topics
920 ■ forwarding-class
forwarding-class
Syntax forwarding-class class-name {

}
}
Hierarchy Level [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name],

[editclass-of-service interfaces interface-name unit logical-unit-number],
[edit class-of-service rewrite-rules] (dscp | ieee-802.1 | inet-precedence) rewrite-name],
[edit class-of-service scheduler-maps map-name]
Description Define forwarding class name and option values.
Options class-name—Name of the forwarding class.

Related Topics
forwarding-class ■ 921
ieee-802.1
Syntax ieee-802.1 classifier-name {

}
}
}

Description Apply a IEEE-802.1 rewrite rule.

Related Topics
Procedure)
(J-Web Procedure)
Procedure)
922 ■ ieee-802.1
import
Syntax import (classifier-name | default);
Hierarchy Level [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence)] classifier-name,

[edit class-of-service rewrite-rules (dscp | ieee-802.1 | inet-precedence) rewrite-name
Description Specify a default or previously defined classifier.
Options classifier-name—Name of the classifier mapping configured at the [edit class-of-service

classifiers] hierarchy level.
default—Default classifier mapping.

Related Topics
Procedure)
Procedure)
import ■ 923
inet-precedence
Syntax inet-precedence classifier-name {

}
}
}

Description Apply an IPv4 precedence rewrite rule.

Related Topics
Procedure)
(J-Web Procedure)
Procedure)
924 ■ inet-precedence
interfaces
Syntax interfaces {
interface-name {
classifiers {
}
}
}
}
Description Configure interface-specific CoS properties for incoming packets.
Options interface-name—Name of the interface.

Related Topics
Procedure)
Procedure)
interfaces ■ 925
loss-priority
Syntax loss-priority level {

}
Hierarchy Level [edit class-of-service classifiers (dscp | ieee-802.1 | inet-precedence) classifier-name

forwarding-class class-name],
[edit class-of-service rewrite-rules] (dscp | ieee-802.1 | inet-precedence) rewrite-name
forwarding-class class-name]
Description Specify packet loss priority value for a specific set of code-point aliases and bit
patterns.
Options level—Can be one of the following:

■ high—Packet has high loss priority.
■ low—Packet has low loss priority.

Related Topics
Procedure)
Procedure)
926 ■ loss-priority
priority
Syntax priority priority;
Description Specify packet-scheduling priority value.
Options priority—It can be one of the following:

■ low—Scheduler has low priority.
■ strict-high—Scheduler has strictly high priority.

Related Topics
Procedure)
priority ■ 927
protocol
Syntax protocol protocol drop-profile profile-name;
Description Specify the protocol type for the specified drop-profile.
Options drop-profile profile-name—Name of the drop-profile.
protocol—Type of protocol. It can be:

■ any—Protocol type is ignored while assigning drop profile.

Related Topics
random-early-discard
Syntax random-early-discard loss-priority priority;

Description to be added
Default to be added
Options loss-priority priority—to be added.

Related Topics
[Unresolved xref]to be added
928 ■ protocol
rewrite-rules
Syntax rewrite-rules {
(dscp | ieee-802.1 | inet-precedence rewrite-name {
loss-priority priority code-point (alias | bits);
}
}
}
Description Specify a rewrite-rules mapping for the traffic that passes through all queues on the
interface.

Related Topics
Procedure)
rewrite-rules ■ 929
scheduler-map
Syntax scheduler-map map-name;
Hierarchy Level [editclass-of-service interfaces]
Description Associate a scheduler map name with an interface.
Options map-name—Name of the scheduler map.

Related Topics
930 ■ scheduler-map
scheduler-maps
Syntax scheduler-maps {
map-name {
}
}
Description Specify a scheduler map name and associate it with the scheduler configuration and
forwarding class.
Options map-name—Name of the scheduler map.

Related Topics
scheduler-maps ■ 931
schedulers
Syntax schedulers {
scheduler-name {
drop-profile-map loss-priority loss-priority protocol protocol drop-profile profile-name;
priority priority;
}
}
Description Specify scheduler name and parameter values.
Options scheduler-name—Name of the scheduler.

Related Topics
Procedure)
932 ■ schedulers
shaping-rate
Syntax shaping-rate (percent percentage | rate);
Description The transmit-rate statement at the [edit class-of-service schedulers scheduler-name]
hierarchy level configures the minimum bandwidth allocated to a queue. The
transmission bandwidth can be configured as an exact value or allowed to exceed
the configured rate if additional bandwidth is available from other queues.
You should configure the shaping rate as an absolute maximum usage and not the
additional usage beyond the configured transmit rate.
Default If you do not include this statement, the default shaping rate is 100 percent, which
is the same as no shaping at all.
Options percent percentage—Shaping rate as a percentage of the available interface bandwidth..

Range: 0 through 100 percent
rate—Peak rate, in bits per second (bps). You can specify a value in bits per second
either as a complete decimal number or as a decimal number followed by the
abbreviation k (1000), m (1,000,000), or g (1,000,000,000).
Range: 3200 through 32,000,000,000 bps
Related Topics
shaping-rate ■ 933
transmit-rate
Syntax transmit-rate (rate | percent percentage | remainder);
Description Specify the transmit rate or percentage for a scheduler.
Default If you do not include this statement, the default scheduler transmission rate and
buffer size percentages for queues 0 through 7 are 95, 0, 0, 0, 0, 0, 0, and 5 percent.
Options rate—Transmission rate, in bps. You can specify a value in bits per second either as
a complete decimal number or as a decimal number followed by the abbreviation
k (1000), m (1,000,000), or g (1,000,000,000).
Range: 3200 through 160,000,000,000 bps
percent percentage—Percentage of transmission capacity. A percentage of zero drops

all packets in the queue.
Range: 0 through 100 percent
remainder—Remaining rate available

Related Topics
Procedure)
934 ■ transmit-rate
unit
Syntax unit logical-unit-number {

classifiers {
}
}
Hierarchy Level [editclass-of-service interfaces interface-name]
Description Configure a logical interface on the physical device. You must configure a logical
interface to be able to use the physical device.
Options logical-unit-number—Number of the logical unit.

Related Topics
unit ■ 935

Chapter 57
Operational Mode Commands for CoS
■ 937
show class-of-service
Syntax show class-of-service
Description Display the class of service (CoS) information.
Options This command has no options.

List of Sample Output show class-of- service on page 939
Output Fields Table 148 on page 938 lists the output fields for the show class-of-service command.
Table 148: show class-of-service Output Fields
Forwarding class The forwarding class configuration: All levels

■ Forwarding class—Name of the forwarding class.
■ ID—Forwarding class ID.
■ Queue—Queue number.
Code point type The type of code-point alias: All levels

■ dscp—Aliases for DiffServ code point (DSCP) values.
■ ieee–802.1—Aliases for IEEE 802.1p values.
■ inet-precedence—Aliases for IP precedence values.
Alias Names given to CoS values. All levels
Bit pattern Set of bits associated with an alias. All levels
Classifier Name of the classifier. All levels
Code point Code-point values. All levels
Loss priority Loss priority assigned to specific CoS values and aliases of the classifier. All levels
Rewrite rule Name of the rewrite-rule. All levels
Drop profile Name of the drop profile. All levels
Type Type of drop profile. EX-series switches support only the discrete type of All levels
drop-profile.
Fill level Percentage of queue buffer fullness of high packets after which high packets All levels
are dropped.
Scheduler Name of the scheduler. All levels
938 ■ show class-of-service

Chapter 57: Operational Mode Commands for CoS
Table 148: show class-of-service Output Fields (continued)
Transmit rate Transmission rate of the scheduler. All levels
Buffer size Delay buffer size in the queue. All levels
Drop profiles Drop profiles configured for the specified scheduler. All levels
Protocol Transport protocol corresponding to the drop profile. All levels
Name Name of the drop profile. All levels
Queues supported Number of queues that can be configured on the interface. All levels
Queues in use Number of queues currently configured. All levels
Scheduler map Name of the scheduler map. All levels
Index Internal index of a specific object. All levels
show class-of- service user@switch> show class-of-service

Forwarding class ID Queue
best-effort 0 0
expedited-forwarding 1 5
assured-forwarding 2 1
network-control 3 7
Code point type: dscp

Alias Bit pattern
af11 001010
af12 001100
... ...
Code point type: ieee-802.1

Alias Bit pattern
af11 010
... ...
Code point type: inet-precedence

Alias Bit pattern
af11 001
... ...
Classifier: dscp-default, Code point type: dscp, Index: 7

Code point Forwarding class Loss priority
000000 best-effort low
000001 best-effort low
... ... ...
Classifier: ieee8021p-default, Code point type: ieee-802.1, Index: 11

000 best-effort low
001 best-effort low
show class-of-service ■ 939

010 best-effort low

011 best-effort low
100 best-effort low
101 best-effort low
110 network-control low
Classifier: ipprec-default, Code point type: inet-precedence, Index: 12

000 best-effort low
001 best-effort low
010 best-effort low
011 best-effort low
100 best-effort low
101 best-effort low
Classifier: ieee8021p-untrust, Code point type: ieee-802.1, Index: 16

000 best-effort low
001 best-effort low
010 best-effort low
011 best-effort low
100 best-effort low
101 best-effort low
110 best-effort low
111 best-effort low
Rewrite rule: dscp-default, Code point type: dscp, Index: 27

Forwarding class Loss priority Code point
best-effort low 000000
best-effort high 000000
expedited-forwarding low 101110
expedited-forwarding high 101110
assured-forwarding low 001010
assured-forwarding high 001100
network-control low 110000
network-control high 111000
Rewrite rule: ieee8021p-default, Code point type: ieee-802.1, Index: 30

best-effort low 000
Rewrite rule: ipprec-default, Code point type: inet-precedence, Index: 31

best-effort low 000

Chapter 57: Operational Mode Commands for CoS
Drop profile:<default-drop-profile>, Type: discrete, Index: 1

Fill level
100
Scheduler map: <default>, Index: 2
Scheduler:<default-be>, Forwarding class: best-effort, Index: 20

Priority: low
Drop profiles:
Scheduler: <default-nc>, Forwarding class: network-control, Index: 22

Priority: low
Drop profiles:


... ... ...
Fabric priority: low

Scheduler: <default-fabric>, Index: 23
Drop profiles:
Fabric priority: high

Scheduler: <default-fabric>, Index: 23
Drop profiles:
show class-of-service ■ 941


Part 14
PoE
■ Understanding PoE on page 945
■ Examples of Configuring PoE on page 949
■ Configuring PoE on page 957
■ Verifying PoE on page 961
■ Configuration Statements for PoE on page 963
■ Operational Mode Commands for PoE on page 971
PoE ■ 943
944 ■ PoE
Chapter 58
Understanding PoE
■ PoE and EX-series Switches Overview on page 945
PoE and EX-series Switches Overview

Power over Ethernet (PoE) is the implementation of IEEE 802.3af, allowing both data
and electric power to pass over a copper Ethernet LAN cable. This technology allows
VoIP telephones, wireless access points, video cameras, and point-of-sale devices to
safely receive power from the same access ports that are used to connect personal
computers to the network.
This topic covers:

■ PoE and Power Supply Units in EX-series Switches on page 945
■ Classes of Powered Devices on page 946
■ Global and Specific PoE Parameters on page 946
PoE and Power Supply Units in EX-series Switches

EX-series switch models provide either 8, 24, or 48 PoE ports. The total number of
PoE ports for an EX-series switch can be extended by inserting additional PoE cards.
Power supply units with three different power capacities are available for use with
the EX-series switches:
■ 320-W power supply unit: Supports 8 ports of PoE power at 15.4 W per port,
plus system power.
plus system power.
plus system power.
All 802.3af-compliant powered devices require no more than 12.95 watts. Thus, if
you follow the recommended guidelines for selecting power supply units to support
the number of PoE ports, the switch should be able to supply power to all connected
powered devices. If you install a higher capacity power supply unit on a switch model
that has only 8 PoE ports, it does not extend PoE capabilities to the non-PoE ports.
PoE and EX-series Switches Overview ■ 945

Classes of Powered Devices

A powered device is classified based on the maximum power that it draws across
all input voltages and operational modes. The most common class is 0, in which the
switch allows a maximum draw of 15.4 W per port. The switch provides 15.4 W at
the port in order to guarantee enough power to run a device, after accounting for
line loss. For example, 15.4 W - power loss (16%) = 12.95 W. Table 149 on page
946 lists the classes of powered devices and associated power levels.
Table 149: Class of Powered Device and Power Levels
Class Usage Minimum Power Levels Output Range of Maximum Power required by the
from PoE Port Powered Device
0 Default 15.4 W 0.44 through 12.95 W
1 Optional 4.0 W 0.44 through 3.84 W
Global and Specific PoE Parameters

All EX-series switches with PoE ports have a PoE controller. The PoE controller keeps
track of the switch's power consumption and distributes the available power to
individual PoE ports. You can set the PoE controller to reserve a limited amount of
power (up to 19 W) to handle a power spike. The default is that no power is kept on
reserve.
The factory default configuration creates a PoE interface for all the PoE ports on the
switch. You can specify maximum power, priority, and telemetries for each PoE
interface.
■ maximum-power—This setting defaults to 15.4 W. If you follow the
recommended guidelines for the installed power supply unit (see
Table 149 on page 946, the switch should be able to provide sufficient power for
all PoE ports using the default power setting.
■ priority—This setting defaults to low. If a port is set as high priority and a situation
arises where there is not sufficient power for all the PoE ports, the available
power is directed to the higher priority port(s). If the switch needs to shut down
powered devices because a power supply fails and there is insufficient power,
low priority devices are shut before high priority powered devices. Thus, security
cameras, emergency phones, and other high priority phones should be set to
high priority.
■ telemetries—This setting allows you to monitor per port PoE power consumption.
It is not included in the default PoE configuration.
Related Topics
■ Example: Configuring PoE Interfaces on an EX-series Switch
946 ■ Classes of Powered Devices

Chapter 58: Understanding PoE
■ Example: Configuring PoE Interfaces with Different Priorities on an EX-series

Switch


Chapter 59
Examples of Configuring PoE
■ Example: Configuring PoE Interfaces on an EX-series Switch on page 949

Switch on page 952
Example: Configuring PoE Interfaces on an EX-series Switch

All EX-series switches except the EX 4200-24F provide Power over Ethernet (PoE)
ports. The PoE ports supply electric power over the same ports that are used to
connect network devices and allow you to plug in devices that require both network
connectivity and electric power, such as VoIP phones, WAPs, and some IP cameras.
The factory default configuration specifies PoE interfaces for the PoE ports. Therefore,
you do not need to configure PoE unless you wish to modify the default values or
disable a specific PoE interface.
This example describes a default configuration of PoE interfaces on an EX-series

switch:
Requirements
■ One EX-series 4200 switch
Before you configure PoE, be sure you have:

■ Installed your EX-series switch. See Installing and Connecting EX-series Switches
for details.
■ Performed the initial switch configuration. See Configuring Basic Settings for an
EX-series Switch for details.
Example: Configuring PoE Interfaces on an EX-series Switch ■ 949


which has a total of 24 ports. Eight of the ports support PoE, which means they
provide both network connectivity and electric power for devices such as VoIP phones,
WAPs, and some IP security cameras. The remaining 16 ports provide only network
connectivity. You use the standard ports to connect devices that have their own
power sources, such as desktop and laptop computers, printers, and servers.
Table 150 on page 950 details the topology used in this configuration example.
Table 150: Components of the PoE Configuration Topology
Property Settings
Switch hardware EX-series 4200-E-24T switch, with 24 Gigabit Ethernet
ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16
non-PoE ports (ge-0/0/8 through ge-0/0/23)
VLAN name default
Connections to Avaya IP telephone—with integrated hub, to ge-0/0/1 through ge-0/0/7

connect phone and desktop PC to a single port (requires PoE)
Direct connections to desktop PCs, file servers, integrated ge-0/0/8 through ge-0/0/20
printer/fax/copier machines (no PoE required)
Unused ports (for future expansion) ge-0/0/21 through ge-0/0/23
Configuration
To enable the default PoE configuration on the switch:
CLI Quick Configuration By default, PoE interfaces are created for all PoE ports and PoE is enabled. You can
simply connect powered devices to the PoE ports.
Step-by-Step Procedure To use the PoE interfaces with default values:
1. Make sure the switch is powered on.

2. Connect the WAP to switch port ge-0/0/0.
3. Connect the eight Avaya phones to switch ports ge-0/0/1 through ge-0/0/7.

Chapter 59: Examples of Configuring PoE
Verification
To verify that PoE interfaces have been created and are operational, perform this
task:
■ Verifying That the PoE Interfaces Have Been Created on page 951
Verifying That the PoE Interfaces Have Been Created

Purpose Verify that the PoE interfaces have been created on the switch.
Action List all the PoE interfaces configured on the switch:
user@switch> show poe interface

Interface Enabled status max-power priority power-consumption Class
ge-0/0/0 Enabled ON 15.4W Low 12.95W 0
What It Means The show poe interface command lists PoE interfaces configured on the switch, with
their status, priority, power consumption, and class. This output shows that eight
interfaces have been created with default values and are consuming power at the
expected rates.
Troubleshooting
Troubleshooting PoE Interfaces

Problem The PoE port is not supplying power to the port.
Solution Check for the following:
Items to Check Explanation

Is the switch a full PoE model or partial PoE? If you are using a partial PoE model, only interfaces ge-0/0/0
through ge-0/0/7 can function as PoE ports.
Has the PoE interface been disabled for that port? Use the show poe interface command to check PoE
interface status.
Is the cable properly seated in the port socket? Check the hardware.
Enable telemetries for the interface. Check the history of power consumption on the interface by
using the show poe telemetries interface command.
Related Topics
Switch
■ Configuring PoE Interfaces for EX-series Switches (CLI Procedure)
■ Configuring PoE (J-Web Procedure)
Example: Configuring PoE Interfaces with Different Priorities on an EX-series

Switch
EX-series switches provide Power over Ethernet (PoE) ports, which supply electric
power over the same ports that are used to connect network devices. These ports
allow you to plug in devices that need both network connectivity and electric power,
such as VoIP phones, WAPs, and some IP cameras. You can configure a particular
PoE interface to have a high priority setting. If a port is set as high priority and a
situation arises where there is not sufficient power for all the PoE ports, the available
power is directed to the higher priority ports. If the switch needs to shut down
powered devices because a power supply fails and there is insufficient power, low
priority devices are shut down before high priority powered devices. Thus, security
cameras, emergency phones, and other high priority phones should be set to high
priority.
This example describes how to configure a few high priority PoE interfaces for an
EX-series switch (by default, interfaces are set to low priority):
Requirements
■ One EX-series 4200 switch
Before you configure PoE, be sure you have:

■ Installed your EX-series switch. See Installing and Connecting an EX-series Switch
for details.
■ Performed the initial switch configuration. See Configuring Basic Settings for an
EX-series Switch for details.


which has a total of 24 ports. Eight of the ports support PoE, which means they
provide both network connectivity and electric power for devices such as VoIP
telephones, WAPs, and some IP security cameras. The remaining 16 ports provide
only network connectivity. You use the standard ports to connect devices that have
their own power sources, such as desktop and laptop computers, printers, and servers.
Table 151 on page 953 details the topology used in this configuration example.
Table 151: Components of the PoE Configuration Topology
Property Settings
Switch hardware EX-series 4200–E-24T switch, with 24 Gigabit Ethernet
ports: 8 PoE ports (ge-0/0/0 through ge-0/0/7) and 16
non-PoE ports (ge-0/0/8 through ge-0/0/23)
VLAN name default
Security IP Cameras (require PoE) ge-0/0/1 and ge-0/0/2 high
Emergency VoIP phone (requires PoE) ge-0/0/3 high
VoIP phone in Executive Office (requires PoE) ge-0/0/4 high
Other VoIP phones (require PoE) ge-0/0/5 through ge-0/0/7
Direct connections to desktop PCs, file servers, integrated ge-0/0/8 through ge-0/0/20
printer/fax/copier machines (no PoE required)
Unused ports (for future expansion) ge-0/0/21 through ge-0/0/23
Configuration
Configure Power over Ethernet Interfaces:
Configuring Desired Priority for PoE Interface and Enabling Telemetries

CLI Quick Configuration By default, PoE interfaces are created for all PoE ports and PoE is enabled. The default
priority for PoE interfaces is low.

To quickly configure PoE with some interfaces set to high priority and others to the
default low priority, and to include a description of the interfaces, copy the following
[edit]
set poe interface ge-0/0/1 priority high telemetries
set poe interface all
set interfaces ge-0/0/0 description "WAP"
set interfaces ge-0/0/1 description "security camera front door"
set interfaces ge-0/0/2 description "security camera back door"
set interfaces ge-0/0/3 description "emergency phone"
set interfaces ge-0/0/4 description "Executive Office VoIP phone"
set interfaces ge-0/0/5 description "staff VoIP phone"
Step-by-Step Procedure To configure PoE interfaces with different priorities:
1. Configure the PoE interfaces at the [edit poe] hierarchy level with some interfaces
set to high priority and others to the default low priority, thus enabling the
logging of per-port power consumption for the high priority ports.
[edit poe]
user@switch# set interface ge-0/0/1 priority high telemetries
user@switch# set interface all
2. Specify a description for the PoE interfaces:
[edit interfaces]
user@switch# set ge-0/0/0 description "WAP"
user@switch# set ge-0/0/1 description "security camera front door"
user@switch# set ge-0/0/2 description "security camera back door"
user@switch# set ge-0/0/3 description "emergency phone"
user@switch# set ge-0/0/4 description "Executive Office VoIP phone"
user@switch# set ge-0/0/5 description "staff VoIP phone"
3. Connect the WAP to switch interface ge-0/0/0. This interface is PoE-enabled

for the default settings based on the factory configuration. Telemetries are not
enabled.
4. Connect the two security cameras to switch interfaces ge-0/0/1 and ge-0/0/2.
These interfaces are set to high priority with telemetries enabled.
5. Connect the emergency VoIP phone to switch interface ge-0/0/3. This interface
is set to high priority with telemetries enabled.
6. Connect the Executive Office VoIP phone to switch interface ge-0/0/4. This
interface is set to high priority with telemetries enabled.
954 ■ Configuring Desired Priority for PoE Interface and Enabling Telemetries
7. Connect the staff VoIP phones to switch interfaces ge-0/0/5 through ge-0/0/7.
These interfaces are set to the default values. Telemetries are not enabled.
8. Commit the configuration and activate the configuration on the switch:
[edit]
user@switch# commit
Verification
To verify that PoE interfaces have been created and are operational, perform the
following tasks:
■ Verifying That the PoE Interfaces Have Been Created with Desired
Priorities on page 955
Verifying That the PoE Interfaces Have Been Created with Desired
Priorities
Purpose Verify that the PoE interfaces on the switch are now set to the desired priority settings.
user@switch> show poe interfaceshow poe interface

Interface Enabled Status Max-Power Priority Power-Consumption Class
ge-0/0/1 Enabled ON 15.4W High 12.95W 0
ge-0/0/7 Enabled OFF 15.4W Low 0 W 0
their status, priority, power consumption, and class. This output shows that eight
PoE interfaces are enabled. Interfaces ge-0/0/1 through ge-0/0/3 are configured as
priority high. The remaining interfaces are configured with the default values.
Troubleshooting
Troubleshooting PoE Interfaces

Problem The PoE port is not supplying power to the port.
Solution Check for the following:
Items to Check Explanation

Is the switch a full PoE model or partial PoE? If you are using a partial PoE model, only interfaces ge-0/0/0
through ge-0/0/7 can function as PoE ports.
Has the PoE interface been disabled for that port? Use the show poe interface command to check PoE
interface status.
Is the cable properly seated in the port socket? Check the hardware.
Enable telemetries for the interface. Check the history of power consumption on the interface by
using the show poe telemetries interface command.
Related Topics
■ Monitoring PoE

Chapter 60
Configuring PoE
■ Configuring PoE on an EX-series Switch (CLI Procedure) on page 957

■ Configuring PoE (J-Web Procedure) on page 958
Configuring PoE on an EX-series Switch (CLI Procedure)

EX-series switch models provide either 8, 24, or 48 PoE ports, which supply electric
allow you to plug in devices that require both network connectivity and electric
power, such as VoIP phones, WAPs, and some IP cameras.
The factory default configuration for EX-series switches specifies and enables PoE
interfaces for the PoE ports.
To configure PoE using the CLI:

1. Enable PoE:
■ For all PoE interfaces:
[edit]
user@switch# set poe interface all
■ For a specific PoE interface:
[edit]
user@switch# set poe interface ge-0/0/0
2. Set the power priority:

[edit]
user@switch# set poe interface all priority low
[edit]
user@switch# set poe interface ge-0/0/0 priority high
Configuring PoE on an EX-series Switch (CLI Procedure) ■ 957

3. Set the maximum PoE wattage available (the default is 15.4):

[edit]
user@switch# set poe interface all maximum-power 14
[edit]
user@switch# set poe interface ge-0/0/0 maximum power 12.8
4. Enable logging of PoE power consumption with the default telemetries settings:
[edit]
user@switch# set poe interface all telemetries
[edit]
user@switch# set poe interface ge-0/0/0 telemetries
5. Reserve a specified wattage of power for the switch in case of a spike in PoE
consumption (the default is 0):
[edit]
user@switch# set poe guard-band 15
Related Topics
Switch
Configuring PoE (J-Web Procedure)

EX-series switch models provide either 8, 24, or 48 PoE ports, which supply electric
allow you to plug in devices that require both network connectivity and electric
power: such as VoIP phones, WAPs, and some IP cameras. Using the Power over
Ethernet (PoE) configuration page, you can modify the settings of all interfaces that
are PoE-enabled.
To modify PoE settings:

1. In the Configure menu, select Power over Ethernet.

Chapter 60: Configuring PoE
The page displays a list of all interfaces except uplink ports. Specific operational
details about an interface are displayed in the Details section of the page. The
details include the PoE Operational Status and Port class.
2. Click one:
■ Edit — Changes PoE settings for the selected port as described in
■ System Settings — Modifies general PoE settings as described in
Table 152: PoE Edit Settings
Field Description Your Action
Enable PoE Specifies that PoE is enabled on the interface. Select this option to enable PoE on the
interface.
Priority Lists the power priority (Low or High) configured on Set the priority as High or Low.
ports enabled for PoE.
Maximum Power Specifies the maximum PoE wattage available to Select a value in watts. If no value is
provision active PoE ports on the switch. specified, the default is 15.4.
Table 153: System Settings
Field Description Your Action
Guard Band Specifies the band to control power availability Enter a value to set the guard band value. The
on the switch. default value is 0.
Related Topics
■ Monitoring PoE


Chapter 61
Verifying PoE
■ Monitoring PoE on page 961

■ Verifying Status of PoE Interfaces on an EX-series Switch on page 962
Monitoring PoE
Purpose Use the monitoring functionality to view real-time data of the power consumed by
each PoE interface, and to enable and configure Telemetries values. When Telemetries
is enabled, the software measures the power consumed by each interface and stores
the data for future reference.
Action To monitor PoE using the J-Web interface, select Monitor > Power over Ethernet.
To monitor PoE using the CLI:

■ To display the real-time PoE status for all PoE interfaces, enter show poe interface.
■ To display the real-time PoE status for a specific PoE interface, enter show poe
interface interface-name.
The show poe interface command displays the power consumption of the interface
at the moment that the command is issued.
To monitor the PoE interface's power consumption over a period of time, you can
enable telemetries for the interface with the telemetries configuration statement.
When Telemetries is enabled, you can display the log of the interface's power
consumption by using the CLI command:
show poe telemetries interface interface-name all| x
What It Means In the J-Web interface the PoE Monitoring screen is divided into two parts. The top
half of the screen displays real-time data of the power consumed by each interface
and a list of ports that utilize maximum power.
Select a particular interface to view a graph of the power consumed by the selected
interface.
The bottom half of the screen displays telemetries values for interfaces. The telemetry
status displays whether telemetry has been enabled on the interface. Click the Show
Graph button to view a graph of the telemetries. The graph can be based on power
or voltage. To modify telemetries values, click Edit. Specify Interval in minutes,
Monitoring PoE ■ 961

Duration in hours, and select Log Telemetries to enable telemetries on the selected
interface.
Related Topics
Switch
■ Verifying Status of PoE Interfaces on an EX-series Switch
Verifying Status of PoE Interfaces on an EX-series Switch

Purpose Verify that the PoE interfaces on the switch are enabled and set to the desired priority
settings.
user@switch> show poe interface

Interface Enabled Status Max-Power Priority Power-Consumption Class
ge-0/0/7 Enabled OFF 15.4W Low 0 W 0
their status, priority, power consumption, and class. This command has been executed
on a switch with partial PoE (8 PoE ports). The output shows that all eight PoE
interfaces are enabled. Interfaces ge-0/0/1 through ge-0/0/3 are configured as priority
high. The remaining interfaces were configured with the default values.
Related Topics
■ Monitoring PoE

Chapter 62
Configuration Statements for PoE
■ [edit poe] Configuration Statement Hierarchy on page 963
[edit poe] Configuration Statement Hierarchy
poe {
guard-band watts;
disable;
priority value;
telemetries {
disable;
duration hours;
interval minutes;
}
}
management type;
}
Related Topics
[edit poe] Configuration Statement Hierarchy ■ 963

disable
Syntax disable;
Hierarchy Level [edit poe interface (all | interface-name)],

[edit poe interface (all | interface-name) telemetries]
Description Disablesthe PoE capabilities of this port. The port operates as a standard network
access port. If the disable statement is specified after the telemetries statement, it
disables the logging of PoE power consumption for this port.
To disable the monitoring and retain the stored configuration values for interval and
duration for possible future use, you can specify the disable substatement in the
substanza for telemetries.
Default The PoE capabilities are automatically enabled when a PoE interface is set. If the
telemetries statement is specified, monitoring of PoE per-port power consumption
is enabled.

duration
Syntax duration hours;
Hierarchy Level [edit poe interface (all | interface-name) telemetries]
Description Modify the duration for logging telemetries if you are monitoring the per-port power
consumption for PoE interfaces.
Options hours—Hours the logging continues.

Range: 1 through 24 hours
Default: 1 hour
964 ■ disable
Chapter 62: Configuration Statements for PoE
guard-band
Syntax guard-band watts;
Hierarchy Level [edit poe]
Description Reserve the specified amount of power for the switch in case of a spike in PoE
consumption.
Default 0W
Options watts—Amount of power to be reserved for the switch in case of a spike in PoE
consumption.
Range: 0 through 19 W
Default: 0 W
Required Privilege Level router—To view this statement in the configuration.
router-control—To add this statement to the configuration.
guard-band ■ 965
interface
Syntax interface (all | interface-name) {

disable;
priority value;
telemetries {
disable;
interval minutes;
duration hours;
}
}
Description Enable a PoE interface for a PoE port. An interface must be enabled in order for the
port to provide power to a connected powered device.
Default The PoE interface is enabled by default.
Options all—All interfaces on the switch.
interface-name—Name of the specific interface.

interval
Syntax interval minutes;
Hierarchy Level [edit poe interface (all | interface-name) telemetries]

Description Modify the interval for logging telemetries if you are monitoring the per-port power
consumption for PoE interfaces.
Options minutes—Frequency of logging.

Range: 1 through 30 minutes
Default: 5 minutes
966 ■ interface
management
Syntax management type;
Description Designate the way that the switch's PoE controller allocates power to the PoE ports.
Default static
Options type—Management type:

■ static—The switch reserves a certain amount of power for the PoE port even
when a powered device is not connected to the port. This setting ensures that
power is available when needed.
Required Privilege Level router—To view this statement in the configuration.

router-control—To add this statement to the configuration.
maximum-power
Syntax maximum-power watts;
Hierarchy Level [edit poe interface (all | interface-name)]
Description Maximum amount of power that can be supplied to the port.
Default 15.4 W
Options watts
Range: 0 through 15.4
Default: 15.4 W
management ■ 967
priority
Syntax priority value;
Description Set the priority for shutdown of individual ports when there is insufficient power for
all PoE ports. If a port is set as high priority and a situation arises where there is not
sufficient power for all the PoE ports, the available power is directed to the higher
priority port(s). If the switch needs to shut down powered devices because a power
supply fails and there is insufficient power, low priority devices are shut down before
high priority devices.
Default low
Options value—highor low:

■ high—Specifies that this port is to be treated as high priority in terms of power
allocation. If there is insufficient power for all the PoE ports, the available power
is directed to this port. If the switch needs to shut down powered devices because
a power supply fails and there is insufficient power, the power is not shut down
on this port until after it has been shut down on all the low priority ports.
■ low—Specifies that this port is to be treated as low priority in terms of power
allocation. If there is insufficient power for all the PoE ports, power is not supplied
to this port. If the switch needs to shut down powered devices because a power
supply fails and there is insufficient power, the power is shut down on this port
before it is shut down on high priority ports.

Related Topics
■ Example: Configuring PoE Interfaces with Different Priorities on for an EX-series
Switch
968 ■ priority
telemetries
Syntax telemetries {
disable;
duration hours;
interval minutes;
}
Description Allows you to log per port PoE power consumption.
If you want to log per-port power consumption, you must explicitly specify the
telemetriesstatement. You can enable telemetries for all the PoE interfaces by setting
poe interface all. However, if you modify the configuration of any individual PoE
interface (for example, to change the priority, you must also specify the telemetries
for that interface in order to maintain the logging. If you do not specify telemetries
for a PoE interface, logging is disabled.
Default If the telemetries statement is specified, logging is enabled with the default values
for interval and duration,

Related Topics
Switch
telemetries ■ 969

Chapter 63
Operational Mode Commands for PoE
■ 971
show poe controller
Syntax show poe controller

<detail | summary>
Description Display the status of the Power over Ethernet (PoE) software module controller.
Options none—Display general parameters of the PoE software module controller.
detail | summary—(Optional) Display the specified level of output.
Related Topics
■ show poe interface
■ Example: Configuring PoE for an EX-series Switches
Switch
■ Monitoring PoE
List of Sample Output show poe controller on page 972

Output Fields Table 154 on page 972 lists the output fields for the show poe controller command.
Table 154: show poe controller Output Fields
Ctrl-index Identifies the controller.
Max-power Specifies the maximum power that can be provided by the switch to PoE ports.
power-consumption Specifies the total amount of power being used by the PoE ports, as measured
by the specified telemetries settings.
Guard-band Specifies the amount of power that has been placed in reserve.
Management Specifies the management mode. Static is the only management mode
supported.
show poe controller user@host> show poe controller
Ctrl-index Max-power power-consumption Guard-band Management
972 ■ show poe controller

Chapter 63: Operational Mode Commands for PoE
0 305 W 0W 15W Static

show poe interface
Syntax show poe interface <ge-fpc/pic/port>
Description Display the status of Power over Ethernet (PoE) ports.
Options none—Display status of all PoE ports on the switch.
ge-fpc/pic/port—(Optional) Display the status of a specific PoE port on the switch.
Related Topics
■ Example: Configuring PoE for an EX-series Switches
Switch
■ Monitoring PoE
List of Sample Output show status for all poe interfaces on the switch on page 974
show status for a specific PoE interface on the switch on page 975
Output Fields Table 155 on page 974 lists the output fields for the show poe interface command.
Table 155: show poe interface Output Fields
PoE Interface Specifies the interface address.
Enabled Specifies whether PoE capabilities are enabled or disabled.
status Specifies whether PoE is currently being provided to the port.
max-power Specifies the maximum power that can be provided to the port.
priority Specifies whether the port is high or low priority.
power-consumption Specifies how much power is being used by the port, as measured by the specified telemetries settings.
Class Indicates the IEEE 802.af classification that defines the maximum power requirements for a powered device.
show status for all poe user@host> show poe interface

interfaces on the switch Interface Enabled status max-power priority power-consumption Class
ge-0/0/1 Enabled OFF 15.4W Low 0.0W 0
ge-0/0/3 Enabled OFF 12.0W High 0.0W 0
974 ■ show poe interface

ge-0/0/5 Enabled OFF 15.4W Low 0.0W 0
show status for a user@host> show poe interface ge-0/0/3

specific PoE interface on
the switch PoE interface status:
PoE interface : ge-0/0/3
PoE capability of the interface : Enabled
Current status of power supply on interface : OFF
Power limit on the interface : 12.0W
Priority : High
Power consumed : 0.0W
Class of power device : 0

show poe telemetries interface
Syntax show poe telemetries interface ge-fpc/pic/port all | x
Description Display a history of power consumption on the specified interface.
Options ge-fpc/pic/port—Display telemetries for the specified PoE interface.
all—Display all telemetries records for the specified PoE interface.
x—Display the specified number of telemetries records for the specified PoE interface.
Related Topics
■ show poe interface
■ Monitoring PoE
List of Sample Output show poe telemetries interface ( Last 10 Records) on page 976
show poe telemetries interface (All Records) on page 977
Output Fields Table 156 on page 976 lists the output fields for the show poe telemetries interface
Table 156: show poe telemetries interface Output Fields
S1 No Number of the record for the specified port. Record number 1 is the most
recent.
Timestamp Time that the power-consumption data was gathered.
Power Amount of power provided by the specified port at the time the data was
gathered.
Voltage Maximum voltage provided by the specified port at the time the data was
gathered.
show poe telemetries user@switch> show poe telemetries interface ge-0/0/0 10

interface ( Last 10 Sl No Timestamp Power Voltage
Records) 1 01-27-2008 18:19:58 UTC 15.4W 51.6V
2 01-27-2008 18:18:58 UTC 15.4W 51.6V
3 01-27-2008 18:17:58 UTC 15.4W 51.6V
4 01-27-2008 18:16:58 UTC 15.4W 51.6V
5 01-27-2008 18:15:58 UTC 15.4W 51.6V
6 01-27-2008 18:14:58 UTC 15.4W 51.6V
976 ■ show poe telemetries interface

7 01-27-2008 18:13:58 UTC 15.4W 51.6V

8 01-27-2008 18:12:57 UTC 15.4W 51.6V
9 01-27-2008 18:11:57 UTC 15.4W 51.6V
10 01-27-2008 18:10:57 UTC 15.4W 51.6V
show poe telemetries user@switch> show poe telemetries interface ge-0/0/0 all
interface (All Records) Sl No Timestamp Power Voltage
1 01-27-2008 18:19:58 UTC 15.4W 51.6V
2 01-27-2008 18:18:58 UTC 15.4W 51.6V
3 01-27-2008 18:17:58 UTC 15.4W 51.6V
4 01-27-2008 18:16:58 UTC 15.4W 51.6V
5 01-27-2008 18:15:58 UTC 15.4W 51.6V
6 01-27-2008 18:14:58 UTC 15.4W 51.6V
7 01-27-2008 18:13:58 UTC 15.4W 51.6V
8 01-27-2008 18:12:57 UTC 15.4W 51.6V
9 01-27-2008 18:11:57 UTC 15.4W 51.6V
10 01-27-2008 18:10:57 UTC 15.4W 51.6V
11 01-27-2008 18:09:57 UTC 15.4W 51.6V
12 01-27-2008 18:08:57 UTC 15.4W 51.6V
13 01-27-2008 18:07:57 UTC 15.4W 51.6V
14 01-27-2008 18:06:57 UTC 15.4W 51.6V
15 01-27-2008 18:05:57 UTC 15.4W 51.6V
16 01-27-2008 18:04:56 UTC 15.4W 51.6V
17 01-27-2008 18:03:56 UTC 15.4W 51.6V
18 01-27-2008 18:02:56 UTC 15.4W 51.6V
19 01-27-2008 18:01:56 UTC 15.4W 51.6V
20 01-27-2008 18:00:56 UTC 15.4W 51.6V
21 01-27-2008 17:59:56 UTC 15.4W 51.6V
22 01-27-2008 17:58:56 UTC 15.4W 51.6V
23 01-27-2008 17:57:56 UTC 15.4W 51.6V
24 01-27-2008 17:56:55 UTC 15.4W 51.6V
25 01-27-2008 17:55:55 UTC 15.4W 51.6V
26 01-27-2008 17:54:55 UTC 15.4W 51.6V
27 01-27-2008 17:53:55 UTC 15.4W 51.6V
28 01-27-2008 17:52:55 UTC 15.4W 51.6V
29 01-27-2008 17:51:55 UTC 15.4W 51.6V
30 01-27-2008 17:50:55 UTC 15.4W 51.6V
31 01-27-2008 17:49:55 UTC 15.4W 51.6V
32 01-27-2008 17:48:55 UTC 15.4W 51.6V
33 01-27-2008 17:47:54 UTC 15.4W 51.6V
34 01-27-2008 17:46:54 UTC 15.4W 51.6V
35 01-27-2008 17:45:54 UTC 15.4W 51.6V
36 01-27-2008 17:44:54 UTC 15.4W 51.6V
37 01-27-2008 17:43:54 UTC 15.4W 51.6V
38 01-27-2008 17:42:54 UTC 15.4W 51.6V
39 01-27-2008 17:41:54 UTC 15.4W 51.6V
40 01-27-2008 17:40:54 UTC 15.4W 51.6V
41 01-27-2008 17:39:53 UTC 15.4W 51.6V
42 01-27-2008 17:38:53 UTC 15.4W 51.6V
43 01-27-2008 17:37:53 UTC 15.4W 51.6V
44 01-27-2008 17:36:53 UTC 15.4W 51.6V


Part 15
Port Mirroring
■ Understanding Port Mirroring on page 981
■ Examples of Configuring Port Mirroring on page 985
■ Configuring Port Mirroring on page 999
■ Configuration Statements for Port Mirroring on page 1007
■ Operational Mode Commands for Port Mirroring on page 1019
Port Mirroring ■ 979

980 ■ Port Mirroring

Chapter 64
Understanding Port Mirroring
■ Port Mirroring on EX-series Switches Overview on page 981
Port Mirroring on EX-series Switches Overview

Use port mirroring to facilitate analyzing traffic on your switch on a packet level. Use
port mirroring as part of monitoring switch traffic for such purposes as enforcing
policies concerning network usage and file sharing, and identifying sources of
problems on your network by locating abnormal or heavy bandwidth usage from
particular stations or applications.
Port mirroring copies packets entering or exiting a port, or entering a VLAN, to either
a local port for local monitoring or to a VLAN for remote monitoring.
■ Port Mirroring Overview on page 981
■ Port Mirroring Terminology on page 983
Port Mirroring Overview

Port mirroring is needed for traffic analysis on a switch because a switch, unlike a
router, does not broadcast packets to every port on the device. The switch sends
packets only to the port to which the destination device is connected. You configure
port mirroring on the switch to send copies of unicast traffic to either a local analyzer
interface or an analyzer VLAN. Then you can analyze the mirrored traffic using a
protocol analyzer application. The protocol analyzer application can run either on a
computer connected to the analyzer output interface or on a remote monitoring
station.
Mirroring a high volume of traffic can be performance intensive for the switch.
Therefore, you should disable port mirroring when you are not using it, and select
specific interfaces as input to the port mirror analyzer in preference to using the all
keyword. You can also limit the amount of mirrored traffic by using statistical
sampling setting a ratio to select a statistical sample, or using a firewall filter.
With local port mirroring, traffic from multiple ports is replicated to the analyzer
output interface. If the output interface for an analyzer reaches capacity, packets are
dropped. You should consider whether the traffic being mirrored exceeds the capacity
of the analyzer output interface.
Port Mirroring on EX-series Switches Overview ■ 981

You can use port mirroring on an EX-series switch to mirror any of the following:
■ Packets entering or exiting a port—In any combination. For example, you can
send copies of the packets entering some ports and the packets exiting other
ports to the same local analyzer port or analyzer VLAN.
■ Packets entering a VLAN—You can mirror the packets entering a VLAN to either
a local analyzer port or to an analyzer VLAN.
■ Statistical sample—Sample of the packets entering or exiting a port or entering
a VLAN. Specify the sample number of packets by setting the ratio. You can send
the sample of packets to either a local analyzer port or to an analyzer VLAN.
■ Policy-based sample—Sample of packets entering a port or VLAN. You can
configure a firewall filter to establish a policy to select certain packets. You can
send the sampled packets to a local analyzer interface or to an analyzer VLAN.
NOTE: Firewall filters are not supported on egress ports, therefore you cannot specify
policy-based sampling of packets exiting an interface.
NOTE: JUNOS software for EX-series switches implements port mirroring differently
than other JUNOS software packages. JUNOS software for EX-series switches does
not include the port-mirroring statement found in the edit forwarding-options level of
the hierarchy of other JUNOS software packages, nor the port-mirror action in firewall
filter terms.
Limitations of Port Mirroring

Port mirroring on EX-series switches has the following limitations:
■ Only one port mirroring instance can be configured on an EX-series switch.
■ Packets with physical layer errors are filtered out and thus are not sent to the
analyzer port or VLAN.
■ Only one VLAN can be configured as input to an analyzer.
■ The following interfaces cannot be configured as input to an analyzer:
■ Network ports that are set to trunk mode
■ Aggregated port (LAG)
■ Dedicated virtual chassis ports
■ Ports on the optional uplink modules
■ Management port (me0 or vme0)
982 ■ Port Mirroring Overview

Chapter 64: Understanding Port Mirroring
Port Mirroring Terminology
Term Description
Analyzer A port-mirroring configuration on an EX-series switch. The analyzer includes a name,
source ports or source VLAN, a destination for mirrored packets (either a monitor port or
an analyzer VLAN), optional ratio field for specifying statistical sampling of packets, and
loss-priority setting.
Analyzer output interface Interface to which mirrored traffic is sent and to which a protocol analyzer application is
connected.
Also known as monitor interface
The following limitations apply to analyzer output interfaces:
■ Cannot also be a source port.
■ Cannot be used for switching.
■ Does not participate in Layer 2 protocols, such as Spanning Tree Protocol (STP), when
it is part of a port mirroring configuration.
■ When configured as an analyzer output interface, it loses any existing VLAN
associations.
If the bandwidth of the analyzer output interface is not sufficient to handle the traffic from
the source ports, overflow packets are dropped.
Analyzer VLAN VLAN to which mirrored traffic is sent and to which a protocol analyzer application. The
analyzer VLAN is spread across the switches in your network.
Also known as monitor VLAN
Input interface An interface on the switch that is being mirrored, either on traffic entering or exiting the
interface. An input interface cannot also be an output interface for an analyzer.
Also known as mirrored ports or
monitored interfaces
Mirror ratio See statistical sampling.
Monitoring station A computer running a protocol analyzer application.
Remote port mirroring Functions the same as local port mirroring, except that the traffic that is mirrored is not
copied to a local analyzer port but is instead flooded into an analyzer VLAN that you create
specifically for the purpose of receiving mirrored traffic.
Policy-based mirroring Mirroring of packets that match the match items in the defined firewall filter term. The
action item analyzer analyzer-name is used in the firewall filter to send the packets to the
port mirror analyzer.
Protocol analyzer application An application used to examine packets transmitted across a network segment. Also
commonly called network analyzer, packet sniffer, or probe.
Statistical sampling You can configure the system to mirror a sampling of the packets, by setting a ratio of
1:x, where x is a value from 1 through 2047.
For example, when the ratio is set to 1, all packets are copied to the analyzer. When the
ratio is set to 200, 1 of every 200 packets is copied.
Port Mirroring Terminology ■ 983

Related Topics
■ Example: Configuring Port Mirroring for Local Monitoring of Employee Resource
Use on EX-series Switches
■ Configuring Port Mirroring to Analyze Traffic on EX-Series Switches (J-Web
Procedure) or Configuring Port Mirroring to Analyze Traffic on EX-Series Switches
(CLI Procedure)
■ analyzer configuration statement
■ show analyzer command

Chapter 65
Examples of Configuring Port Mirroring

Use on EX-series Switches on page 985
Resource Use on EX-series Switches on page 992
Example: Configuring Port Mirroring for Local Monitoring of Employee Resource

EX-series switches allow you to configure port mirroring to send copies of packets
entering or exiting an interface, or entering a VLAN, to an analyzer interface or VLAN.
You can analyze the mirrored traffic using a protocol analyzer application installed
on a system connected to the local destination interface (or a running on a remote
monitoring station if you are sending mirrored traffic to an analyzer VLAN).
This example describes how to configure an EX-series switch to mirror traffic entering
interfaces connected to employee computers to an analyzer output interface on the
same switch.
This example describes how to configure local port mirroring:

Requirements
■ One EX 3200 or EX 4200 switch
Before you configure port mirroring, be sure you have an understanding of port
mirroring concepts.
Example: Configuring Port Mirroring for Local Monitoring of Employee Resource Use on EX-series Switches ■ 985

This topic includes two related examples that describe how to mirror traffic entering
ports on the switch to a destination interface on the same switch. The first example
shows how to mirror all traffic entering the ports connected to employee computers.
The second example shows the same scenario, but includes a filter to mirror only
the employee traffic going to the Web.
Network Topology
In this example, ge-0/0/0 and ge-0/0/1 serve as connections for employee computers.
In this example, one interface, ge-0/0/10, is reserved for analysis of mirrored traffic.
Connect a PC running a protocol analyzer application to the analyzer output interface
to analyze the mirrored traffic.
NOTE: Multiple ports mirrored to one interface can cause buffer overflow and dropped
packets.
Figure 46 on page 986 shows the network topology for this example.
Figure 46: Network Topology for Local Port Mirroring Example
Configuration
To configure port mirroring, perform these tasks:

Chapter 65: Examples of Configuring Port Mirroring

Mirroring All Employee Traffic for Local Analysis

CLI Quick Configuration To quickly configure local port mirroring for ingress traffic to the two ports connected
to employee computers, copy the following commands and paste them into the
switch terminal window:
set analyzer employee–monitor input ingress interface ge-0/0/0.0
set analyzer employee–monitor input ingress interface ge-0/0/1.0
set analyzer employee–monitor output interface ge-0/0/10.0
J-Web Quick To configure the employee-monitor analyzer with the J-Web interface:
Configuration
1. From the Configure menu, select Security > Port Mirroring
2. Click Add.
3. Enter employee-monitor in the Analyzer Name field.
4. In the Analyzer Port field, click Select to select ge-0/0/10 as the output interface.
5. Click Add to select the ingress interfaces. Select ge-0/0/0 and click OK.
6. Click Add to select the ingress interfaces. Select ge-0/0/1 and click OK.
7. Click OK to save the configuration.
Step-by-Step Procedure To configure an analyzer called employee-monitor and specify the input (source)
interfaces and the analyzer output interface.
1. Configure each interface connected to employee computers as an input interface

for the port-mirror analyzer that we are calling employee-monitor:
user@switch# set analyzer employee-monitor input ingress interface
ge–0/0/0.0
ge–0/0/1.0
2. Configure the output analyzer interface for the employee-monitor analyzer. This
will be the destination interface for the mirrored packets:
set analyzer employee-monitor output interface ge-0/0/10.0
3. commit
[edit]
user@switch# show
analyzer employee-monitor {
input {
Mirroring All Employee Traffic for Local Analysis ■ 987

ingress {
}
}
output {
interface {
ge-0/0/10.0;
}
}
}
}
Mirroring Employee-to-Web Traffic for Local Analysis

CLI Quick Configuration To quickly configure local port mirroring of traffic from the two ports connected to
employee computers, filtering so that only traffic to the external Web is mirrored,
copy the following commands and paste them into the switch terminal window:
[edit]
set ethernet-switching-options analyzer employee–web–monitor output interface
ge-0/0/10.0
set firewall family ethernet-switching filter watch-employee term employee-to-corp
from destination-address 192.0.2.16/28
then accept
set firewall family ethernet-switching filter watch-employee term employee-to-web
from destination-port 80
set firewall family ethernet-switching filter watch-employee term
employee_to_internet then analyzer employee-web-monitor
set firewall family ethernet-switching filter watch-employee
edit interfaces set ge-0/0/0 unit 0 family ethernet-switching filter input
watch-employee
edit interfaces set ge-0/0/1 unit 0 family ethernet-switching filter input
watch-employee
Step-by-Step Procedure To configure local port mirroring of employee-to-Web traffic from the two ports
connected to employee computers:
1. Configure the local analyzer interface:
[edit interfaces]
2. Configure the employee-web-monitor analyzer output (the input to the analyzer

comes from the action of the filter):
user@switch# set analyzer employee-web-monitor output interface ge-0/0/10.0
3. Configure a firewall filter called watch-employee to send mirrored copies of

employee requests to the Web to the employee-web-monitor analyzer. Accept all
988 ■ Mirroring Employee-to-Web Traffic for Local Analysis

traffic to and from the corporate subnet (destination or source address of

192.0.2.16/28). Send mirrored copies of all packets destined for the Internet
(destination port 80) to the employee-web-monitor analyzer.

user@switch# set filter watch-employee term employee-to-corp from
user@switch# set filter watch-employee term employee-to-corp then accept
user@switch# set filter watch-employee term employee-to-web from
destination-port 80
user@switch# set filter watch-employee term employee-to-web then analyzer
employee-web-monitor
4. Apply the watch-employee filter to the appropriate ports:
[edit interfaces]
watch-employee
watch-employee
5. commit
[edit]
user@switch# show
analyzer employee-web-monitor {
output {
}
}
}
...
firewall family ethernet-switching {
filter watch-employee {
from {
}
then
accept
term employee-to-web
from {
destination-port 80
}
then
analyzer employee-web-monitor
...
interfaces
Mirroring Employee-to-Web Traffic for Local Analysis ■ 989

ge-0/0/0 {
unit 0
port-mode trunk;
vlan members [employee-vlan, voice-vlan];
filter {
input watch-employee;
}
}
}
ge-0/0/1 {
port-mode trunk;
vlan members [employee-vlan, voice-vlan];
filter {
}
}
}
Verification
To confirm that the configuration is correct, perform these tasks:
■ Verifying That the Analyzer Has Been Correctly Created on page 990
Verifying That the Analyzer Has Been Correctly Created

Purpose Verify that the analyzer named employee-monitor or employee-web-monitor has been
created on the switch with the appropriate input interfaces, and appropriate output
interface.
Action You can verify the port mirror analyzer is configured as expected using the show
analyzer command.
user@switch> show analyzer

Analyzer name : employee-monitor
Analyzer mirror ratio : 1
Analyzer loss priority : Low
Analyzer ingress monitored interfaces: ge-0/0/0.0
ge-0/0/1.0
Analyzer egress monitored interfaces : None
Analyzer monitor interface : ge-0/0/10.0
Analyzer monitor VLAN : None
What It Means This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring
every packet, the default setting), a loss priority of low (set this option to high only
when the analyzer output is to a VLAN), is mirroring the traffic entering the ge-0/0/0
and ge-0/0/1 interfaces, and sending the mirrored traffic to the ge-0/0/10 interface.
Related Topics
Procedure)
■ Configuring Port Mirroring to Analyze Traffic on EX-Series Switches (CLI
Procedure)
■ analyzer Configuration Statement

Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource

EX-series switches allow you to configure port mirroring to send copies of packets
entering or exiting an interface, or entering a VLAN, to an analyzer interface or a
VLAN. You can analyze the mirrored traffic using a protocol analyzer application
running on a remote monitoring station if you are sending mirrored traffic to an
analyzer VLAN.
This topic includes two related examples that describe how to mirror traffic entering
ports on the switch to the remote-analyzer VLAN so that you can perform analysis
from a remote monitoring station. The first example shows how to mirror all traffic
entering the ports connected to employee computers. The second example shows
the same scenario, but includes a filter to mirror only the employee traffic going to
the Web.
This example describes how to configure remote port mirroring:

Requirements
■ One EX 3200 or EX 4200 switch connected to a distribution layer switch
■ One uplink module to connect to the distribution layer switch
Before you configure port mirroring, be sure you have an understanding of port
mirroring concepts.

This topic includes two related examples that describe how to configure port mirroring
to the remote-analyzer VLAN so that analysis can be performed from a remote
monitoring station. The first example shows how to configure an EX-series switch
to mirror all traffic from employee computers. The second example shows the same
scenario, but the setup includes a filter to mirror only the employee traffic going to
the Web.
992 ■ Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource Use on EX-series Switches
Figure 47: Remote Port Mirroring Example Network Topology
In this example:
■ Ports ge-0/0/0 and ge-0/0/1 serve as connections for employee computers.
■ Interface ge-0/1/1 is a Layer 2 interface on the uplink module that connects to
a distribution switch.
■ VLAN remote-analyzer is configured on all switches in the topology to carry the
mirrored traffic.
NOTE: The interface connected to the remote monitoring station must be a member
of VLAN remote-analyzer, and this VLAN must be configured on all switches between
the monitored switch and the monitoring station.
Configuration
To configure port mirroring for remote traffic analysis, perform these tasks:
Mirroring All Employee Traffic for Remote Analysis

CLI Quick Configuration To quickly configure remote port mirroring of all traffic from the two ports connected
to employee computers, copy the following commands and paste them into the
terminal window:
[edit]
set vlans remote-analyzer vlan-id 999

set ethernet-switching-options analyzer employee-monitor input ingress interface
ge-0/0/0.0
set ethernet-switching-options analyzer employee-monitor input ingress interface
ge-0/0/1.0
set ethernet-switching-options analyzer employee–monitor loss-priority high output
vlan remote-analyzer
Step-by-Step Procedure To configure basic remote port mirroring:
1. Configure the VLAN tag IDs for the remote-analyzer VLAN:
[edit vlans]
user@switch# set remote-analyzer vlan-id 999
2. Configure the interface on the uplink module connected to the distribution

switch for trunk mode and associate it with the remote-analyzer VLAN:
[edit interfaces]
user@switch# set ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
999
3. Configure the employee-monitor analyzer:
user@switch#set analyzer employee–monitor loss-priority high input ingress

user@switch#set analyzer employee–monitor input ingress interface

ge-0/0/1.0
user@switch#set analyzer employee–monitor output vlan remote-analyzer
4. commit
[edit]
user@switch# show
analyzer employee-monitor {
loss-priority high;
input {
ingress {
}
}
output {
vlan {
remote-analyzer;
}
994 ■ Mirroring All Employee Traffic for Remote Analysis

}
}
Mirroring Employee-to-Web Traffic for Remote Analysis

CLI Quick Configuration To quickly configure port mirroring mirror employee traffic to the external Web,
copy the following commands and paste them into the terminal window:
[edit]
set ethernet-switching-options analyzer employee-web-monitor loss-priority high
output vlan 999
set vlans remote-analyzer vlan-id 999
set interfaces ge-0/1/1 unit 0 family ethernet-switching port mode trunk
from destination-address 192.0.2.16/28
then accept
from destination-port 80
then analyzer employee–web-monitor
edit interfaces set ge-0/1/1.0 unit 0 family ethernet-switching filter input
watch-employee
Step-by-Step Procedure To configure port mirroring of all traffic from the two ports connected to employee
computers to the remote-analyzer VLAN for use from a remote monitoring station:
1. Configure the employee-monitor analyzer:
user@switch# set analyzer employee-web-monitor loss-priority high output

vlan 999
2. Configure the VLAN tag IDs for the remote-analyzer VLAN:
[edit vlans]
user@switch# set remote-analyzer vlan-id 999
3. Configure the interface to associate it with the remote-analyzer VLAN:
[edit interfaces]
999
4. Configure the firewall filter called watch-employee:

Mirroring Employee-to-Web Traffic for Remote Analysis ■ 995

user@switch# set filter watch-employee term employee-to-corp then accept

user@switch# set filter watch-employee term employee-to-web from
destination-port 80
user@switch# set filter watch-employee term employee-to-web then analyzer
employee-web-monitor
5. Apply the firewall filter to the employee ports:
[edit interfaces]
employee-to-web
employee-to-web
6. commit
[edit]
user@switch# show
interfaces {
...
ge-0/1/1 {
unit 0 {
port-mode trunk;
vlan {
members remote-analyzer;
}
filter {
}
}
}
}
...
firewall {
...
filter watch-employee {
from {
source-address {
192.0.2.16/28;
}
destination-address {
192.0.2.16/28;
}
}
then accept;
}
term employee-to-web {
from {
996 ■ Mirroring Employee-to-Web Traffic for Remote Analysis

}
then analyzer employee-web-monitor;
}
}
analyzer employee-web-monitor {
loss-priority high;
output {
vlan {
999;
}
}
}
Verification
■ Verifying That the Analyzer Has Been Correctly Created on page 997
Verifying That the Analyzer Has Been Correctly Created

Purpose Verify that the analyzer named employee-monitor or employee-web-monitor has been
created on the switch with the appropriate input interfaces, and appropriate output
interface.
Action You can verify the port mirror analyzer is configured as expected using the show
analyzer command. To view previously created analyzers that are disabled, go to the
J-Web interface.
user@switch> show analyzer
Analyzer loss priority : High
ge-0/0/1.0
Analyzer monitor interface : None
Analyzer monitor VLAN : remote-analyzer
What It Means This output shows that the employee-monitor analyzer has a ratio of 1 (mirroring
every packet, the default), a loss priority of high (set this option to high whenever
the analyzer output is to a VLAN), is mirroring the traffic entering ge-0/0/0 and
ge-0/0/1, and sending the mirrored traffic to the analyzer called remote-analyzer.
Related Topics
Procedure)
Procedure)

Chapter 66
Configuring Port Mirroring

Configuring Port Mirroring to Analyze Traffic on EX-Series Switches (CLI Procedure)

You configure port mirroring in order to copy packets so that you can analyze traffic
using a protocol analyzer application. You can mirror traffic entering or exiting an
interface, or entering a VLAN. You can send the mirrored packets to a local interface
to monitor traffic locally or to a VLAN to monitor traffic remotely.
Mirroring a high volume of traffic can be performance intensive for the switch.
Therefore, you should disable port mirroring when you are not using it and select
specific input interfaces in preference to using the all keyword. You can also limit
the amount of mirrored traffic by using a firewall filter or the ratio keyword to mirror
only a selection of packets.
NOTE: Only one analyzer can be enabled on an EX-series switch. To create additional
analyzers, first disable any existing analyzers using the disable analyzer analyzer-name
command or the J-Web port mirroring configuration page.
NOTE: Interfaces used as input or output for a port mirror analyzer must be configured
as family ethernet-switching.
■ Configuring Port Mirroring for Local Traffic Analysis on page 1000

■ Configuring Port Mirroring for Remote Traffic Analysis on page 1000
■ Filtering the Traffic Entering a Port Mirroring Analyzer on page 1001
Configuring Port Mirroring to Analyze Traffic on EX-Series Switches (CLI Procedure) ■ 999
Configuring Port Mirroring for Local Traffic Analysis

To mirror interface traffic or VLAN traffic on the switch to an interface on the switch:
1. Choose a name for the port mirroring configuration—in this case,
employee-monitor, and specify the input—in this case, packets entering ge-0/0/0
and ge-0/0/1:
ge–0/0/0.0
ge–0/0/1.0
2. Optionally, you can specify a statistical sampling of the packets by setting a ratio:
user@switch# set analyzer employee-monitor ratio 200
When the ratio is set to 200, 1 of every 200 packets is mirrored to the analyzer.
You can use statistical sampling to reduce the volume of mirrored traffic, as a
high volume of mirrored traffic can be performance intensive for the switch.
3. Configure the destination interface for the mirrored packets:
user@switch# set analyzer employee-monitor output interface ge-0/0/10.0
4. commit
Configuring Port Mirroring for Remote Traffic Analysis

To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for
analysis from a remote location:
1. Configure a VLAN to carry the mirrored traffic. This VLAN is called remote-analyzer
and given the ID of 999 by convention in this documentation:
[edit]
user@switch# set vlans remote-analyzer vlan-id 999
2. Set the uplink module interface that is connected to the distribution switch to
trunk mode and associate it with the remote-analyzer VLAN:
[edit]
port-mode trunk vlan members 999
3. Configure the analyzer:

a. Choose a name and set the loss priority to high. Loss priority should always
be set to high when configuring for remote port mirroring:
1000 ■ Configuring Port Mirroring for Local Traffic Analysis

Chapter 66: Configuring Port Mirroring
user@switch# set analyzer employee–monitor loss-priority high
b. Specify the traffic to be mirrored— in this example the packets entering

ports ge-0/0/0 and ge–0/0/1:

ge-0/0/0.0

ge-0/0/1.0
c. Specify the remote-analyzer VLAN as the output for the analyzer:
user@switch#set analyzer employee–monitor output vlan 999
4. Optionally, you can specify a statistical sampling of the packets by setting a ratio:
user@switch# set analyzer employee-monitor ratio 200
When the ratio is set to 200, 1 out of every 200 packets is mirrored to the
analyzer. You can use this to reduce the volume of mirrored traffic as a very high
volume of mirrored traffic can be performance intensive for the switch.
5. commit
Filtering the Traffic Entering a Port Mirroring Analyzer

To filter which packets are mirrored to an analyzer, create the analyzer, then use it
as the action in the firewall filter. You can use firewall filters in both local and remote
port mirroring configurations.
If the same analyzer is used in multiple filters or terms, the packets are copied to
the analyzer output port or analyzer VLAN only once.
NOTE: Port mirroring is supported for packets exiting an interface, however firewall
filters are not. Therefore, you cannot use filters where the analyzer input is the traffic
exiting an interface.
To filter mirrored traffic, create an analyzer and then create a firewall filter. The filter
can use any of the available match conditions and must have an action of analyzer
analyzer-name. The action of the firewall filter provides the input to the analyzer.
Filtering the Traffic Entering a Port Mirroring Analyzer ■ 1001

To configure port mirroring with filters:

1. Configure the analyzer name and output:
a. For local analysis, set the output to the local interface to which you will
connect the computer running the protocol analyzer application:
user@switch# set analyzer employee-monitor output interface ge-0/0/10.0
b. For remote analysis, set the loss-priority to high and set the output to the
remote-analyzer VLAN:
user@switch#set analyzer employee–monitor loss-priority high output vlan

999
2. Create a firewall filter using any of the available match conditions and specify
the action as analyzer analyzer-name:
This example shows a firewall filter called example-filter, with two terms:
a. Create the first term to define the traffic that should not pass through to the
analyzer:
[edit firewall family ethernet switching]

user@switch# set filter example–filter term term–1 from match-condition1
user@switch# set filter example–filter term term–1 then accept
b. Create the second term to define the traffic that should pass through to the
analyzer:
[edit firewall family ethernet switching]

user@switch# set filter example–filter term–2 then analyzer analyzer-name
3. Apply the firewall filter to the interfaces or VLAN that are input to the analyzer:
[edit]
user@switch# set interface interface-name unit 0 family ethernet-switching
filter input example-filter
user@switch# set vlan vlan-name unit 0 family ethernet-switching filter
input example-filter
4. commit
1002 ■ Filtering the Traffic Entering a Port Mirroring Analyzer

Related Topics
Procedure)
EX-series Switches
■ egress
■ ethernet-switching-options
■ ingress
■ input
■ interface
■ loss-priority
■ output
■ ratio
■ vlan
Configuring Port Mirroring to Analyze Traffic on EX-Series Switches (J-Web

Procedure)
To configure port mirroring using the J-Web interface:
1. From the Configure menu, select Security > Port Mirroring.
The first part of the screen displays analyzer details such as the name, status,
analyzer port, ratio, and loss priority.
The second part of the screen lists ingress and egress ports of the selected
analyzer.
2. Click one:

■ Add—Add an analyzer. Enter information as specified in

■ Edit—Modify details of the selected analyzer. Enter information as specified
■ Delete—Deletes the selected analyzer.
■ Enable/Disable—Enable or disable the selected analyzer (toggle).
NOTE: Only one analyzer can be enabled at a time. You can have multiple disabled
analyzer configurations.
When an analyzer is deleted or disabled, any filter association is removed.
Table 157: Port Mirroring Configuration Settings
Analyzer Specifies the name of the analyzer. Type a name for the analyzer.
Name
Ratio Specifies the ratio of packets to be mirrored. For example: Enter a number from 0 through 2047.
■ A ratio of 1 sends copies of all packets.
■ A ratio of 2047 sends copies of 1 out of every 2047
packets.
Loss Priority Specifies the loss priority of the mirrored packets. Keep the default of low, unless the output is
to a VLAN.
By default, the switch applies a lower priority to mirrored
data than to regular port-to-port data—mirrored traffic is
dropped in preference for regular traffic when capacity is
exceeded.
For port mirroring configurations with output to an analyzer

VLAN, set the loss priority to high.
Analyzer Port Specifies a local interface or VLAN to which mirrored packets Click Select. In the Select Analyzer Port/VLAN
are sent. window, select either port or VLAN as the
Analyzer Type. Next, select the required port
NOTE: A VLAN must have only one associated interface to or VLAN.
be specified as an analyzer interface.
Ingress Specifies interfaces or VLANs for which entering traffic is Click Add and select Port or VLAN. Next,
mirrored. select the interfaces or VLANs.
Click Remove to delete an ingress interface

or VLAN.
Egress Specifies interfaces for which traffic exiting the interfaces is Click Add to add egress interfaces.
mirrored.
Click Remove to delete an egress interface.
1004 ■ Configuring Port Mirroring to Analyze Traffic on EX-Series Switches (J-Web Procedure)
Related Topics
Procedure)


Chapter 67
Configuration Statements for Port
Mirroring
analyzer {
name {
ratio number;
input {
ingress {
}
egress {
}
output {
}
}
}
group-name name {
}
}
allowed-mac {
mac-address-list;
}
mac-limit action;
}
[edit ethernet-switching-options] Configuration Statement Hierarchy ■ 1007

}
}
}
Related Topics

Chapter 67: Configuration Statements for Port Mirroring
analyzer
Syntax analyzer {
name {
ratio number;
input {
ingress {
}
egress {
}
output {
}
}
}
Hierarchy Level [editethernet-switching-options ]
Description Configure port mirroring. One analyzer (port mirroring configuration) can be enabled
on the switch at a time, other analyzers can be present and disabled.
Default Port mirroring is disabled and JUNOS software creates no default analyzers.
Options name—Name that identifies the analyzer. The name can be up to 125 characters
long, must begin with a letter, and can include uppercase letters, lowercase
letters, numbers, dashes, and underscores. No other special characters are
allowed.

Related Topics
analyzer ■ 1009
egress
Syntax egress {
}
Hierarchy Level [edit ethernet-switching-options analyzer name input]
Description Specify ports for which traffic exiting the interface is mirrored in an port mirroring
configuration.
The statement is explained separately.
Default No default.

Related Topics
1010 ■ egress
analyzer {
name {
ratio number;
input {
ingress {
}
egress {
}
output {
}
}
}
group-name name {
}
}
allowed-mac {
mac-address-list;
}
}
}
voip{
vlan vlan-name ;
network-control>;
}
}
}
}
ethernet-switching-options ■ 1011

Related Topics
ingress
Syntax ingress {
}
Hierarchy Level [edit ethernet-switching-options analyzer name input]
Description Configure ports or VLANs for which the entering traffic is mirrored as part of an port
mirroring configuration.
Default No default.

Related Topics

input
Syntax input {
ingress {
}
egress {
}
}
Hierarchy Level [edit ethernet-switching-options analyzer name]
Description The definition of traffic to be mirrored in a port mirroring configuration—can be a
combination of traffic entering or exiting specific ports, and traffic entering a VLAN.
Default No default.

Related Topics
input ■ 1013
interface
Syntax interface (all | interface-name);
Hierarchy Level [edit ethernet-switching-options analyzer name input egress],

[edit ethernet-switching-options analyzer name input ingress],
[edit ethernet-switching-options analyzer name output]
Description Configure the interfaces for which traffic is mirrored.
Options all—Apply port mirroring to all interfaces on the switch. Mirroring a high volume of
traffic can be performance intensive for the switch. Therefore, you should
generally select specific input interfaces in preference to using the all keyword,
or use the all keyword in combination with setting a ratio for statistical sampling.
interface-name—Apply port mirroring to the specified interface only.

Related Topics
1014 ■ interface
loss-priority
Syntax loss-priority priority;
Description Configure a loss priority for mirrored packets. By default, the switch applies a lower
priority to mirrored data than to regular port-to-port data—mirrored traffic is dropped
in preference for regular traffic when capacity is exceeded. For port mirroring
configurations with output to an analyzer VLAN, set the loss priority to high.
Default Low
Options priority—The value for priority can be low or high.

Default: low
Required Privilege Level routing—To view this statement in the configuration.routing-control—To add this
statement to the configuration.
Related Topics
loss-priority ■ 1015
output
Syntax output {
}
Description Configure the destination for mirrored traffic, either an interface on the switch, for
local monitoring, or a VLAN, for remote monitoring.
Default No default.

Related Topics
1016 ■ output
ratio
Syntax ratio number;
Description Configure port mirroring to copy a sampling of packets, by setting a ratio of 1:x, A
ratio of 1 mirrors all packets, and 2047 mirrors 1 out of every 2047 packets.
Default 1
Options number
Default: 1
Related Topics
vlan
Syntax vlan (vlan-id | vlan-name);
Hierarchy Level [edit ethernet-switching-options analyzer name input ingress],

[edit ethernet-switching-options analyzer name output]
Description Configure mirrored traffic to be sent to a VLAN for remote monitoring.
Options vlan-id—Numeric VLAN identifer.
vlan-name—Name of the VLAN.

Related Topics
ratio ■ 1017

Chapter 68
Operational Mode Commands for Port
Mirroring
■ 1019
show analyzer
Syntax show analyzer analyzer-name
Description Display information about analyzers configured for port mirroring.
Options analyzer-name—(Optional) Displays the status of a specific analyzer on the switch.

List of Sample Output show analyzer on page 1020
Output Fields Table 38 on page 1020 lists the output fields for the command-name command. Output
Table 158: command-name Output Fields
name Displays the name of the analyzer.
mirror ratio Displays the ratio of packets to be mirrored, between 1 and 2047 where 1 sends copies of all packets
and 2047 sends copies of 1 out of every 2047 packets.
loss priority Displays the loss priority of the mirrored packets. By default, the switch applies a lower priority to
mirrored data than to regular port-to-port data—mirrored traffic is dropped in preference for regular
traffic when capacity is exceeded. For port mirroring configurations with output to an analyzer VLAN,
set the loss priority to high.
ingress monitored interfaces Displays interfaces for which traffic entering the interfaces is mirrored.
egress monitored interfaces Displays interfaces for which traffic exiting the interfaces is mirrored.
ingress monitored VLANs Displays VLANs for which traffic entering the VLAN is mirrored.
monitor interface Specifies a local interface to which mirrored packets are sent.
monitor VLAN Specifies a VLAN to which mirrored packets are sent.
show analyzer user@host> show analyzer

Analyzer loss priority : High
ge-0/0/1.0
Analyzer monitor interface : None
Analyzer monitor VLAN : remote-analyzer
1020 ■ show analyzer

Part 16
Network Management
■ Configuration Statements for Network Management on page 1023
Network Management ■ 1021

1022 ■ Network Management

Chapter 69
Configuration Statements for Network
Management
■ [edit snmp] Configuration Statement Hierarchy on page 1023
[edit snmp] Configuration Statement Hierarchy
snmp {
rmon {
history index {
bucket-size number;
interval seconds;
owner owner-name;
}
}
}
[edit snmp] Configuration Statement Hierarchy ■ 1023

bucket-size
Syntax bucket-size number;
Hierarchy Level [edit snmp rmon history]
Description Configure the sampling of Ethernet statistics for network fault diagnosis, planning,
and performance tuning.
Default 50
Options number—Number of discrete samples of Ethernet statistics requested.
Required Privilege Level snmp—To view this statement in the configuration.

snmp–control—To add this statement to the configuration.
Related Topics
■ history
■ interface
■ interval
■ owner
1024 ■ bucket-size
Chapter 69: Configuration Statements for Network Management
history
Syntax history history-index {

bucket-size number;
interval seconds;
owner owner-name;
}
Hierarchy Level [edit snmp rmon]
Description Configure RMON history group entries. This RMON feature can be used with the
Simple Network Management Protocol (SNMP) agent in the switch to monitor all the
traffic flowing among switches on all connected LAN segments. It collects statistics
in accordance with user-configurable parameters.
The history group controls the periodic statistical sampling of data from various types
of networks. This group contains configuration entries that specify an interface,
polling period, and other parameters. The interface interface-name statement is
mandatory. Other statements in the history group are optional.
Default Not configured.
Options history-index—Identifies this history entry as an integer.

interface
Syntax interface interface-name;
Hierarchy Level [edit snmp rmon history history-index]
Description Specify the interface to be monitored in the specified RMON history entry.
Only one interface can be specified for a particular RMON history index. There is a
one-to-one relationship between the interface and the history index. The interface
must be specified in order for the RMON history to be created.
Options interface-name—Specify the interface to be monitored within the specified entry of

the RMON history of Ethernet statistics.

history ■ 1025
owner
Syntax owner owner-name;
Hierarchy Level [edit snmp rmon history]
Description Specify the user or group responsible for this configuration.
Options owner-name—The user or group responsible for this configuration.

Range: 0 through 32 alphanumeric characters
1026 ■ owner
Chapter 69: Configuration Statements for Network Management
rmon
Syntax rmon {
history history-index {
bucket-size number;
interval seconds;
owner owner-name;
}
}
Hierarchy Level [edit snmp]
Description RMON is an existing feature of JUNOS software.
The RMON specification provides network administrators with comprehensive

network fault diagnosis, planning, and performance tuning information. It delivers
this information in nine groups of monitoring elements, each providing specific sets
of data to meet common network monitoring requirements. Each group is optional,
so that vendors do not need to support all the groups within the MIB.
JUNOS software supports RMON Statistics, History, Alarm, and Event groups. The
EX-series documentation describes only the rmon history statement, which was added
with this release.
Default Disabled.

Related Topics
■ Network Management Configuration Guide at
rmon ■ 1027

Part 17
Index
■ Index on page 1031
Index ■ 1029
1030 ■ Index
Index
authentication
specifying access privileges ..................................94
Symbols authentication-order statement..................................669
802.1X settings authentication-server statement.................................672
configuring..........................................................616 authenticator statement.............................................670
monitoring..........................................................647 authenticator-profile-name statement........................671
802.3ad statement.....................................................278 auto-negotiation statement........................................279
.20
26
0
2,9
1
2,0
1
2,3
7
2,8
7
2,9
8
2,0
8
2,1
8
2,2
8,3
8
2,4
8
2,5
8
2,6
8
2,7
8
2,8
2,9
2,0
9
2,1
9
2,2
9,3
9
4,4
1,0
1
4,1
4,2
1
4,3
1
4,4
1,5
1
4,6
1
4,7
1
4,9
2
4,0
2
4,3
2
4,4
2,5
2
4,6
2
4,7
2
4,8
2
4,9
3
4,0
3
4,1
3
4,2
3
4,3
4,4
3,6
3
4,7
3
4,8
3
4,9
4
6,0
6,6,7
6,8
7
6,0
7
6,1
7
6,3
7
6,4
7
6,5
7
6,6
7,7
6,9
8
6,0
8
6,1
8
6,2
8
6,3
8
6,4
8
6,5
8
6,7
8
6,8
9
6,1
9
6,2
9
6,3
9
6,4
9
7,5
0
7,2
0
7,4
0
7,8
1
7,0
1
7,1
7,3
1
7,4
1
7,5
1
8,6
2
8,1
2
8,2
8,3
2
8,4
2
8,5
2
8,6
2
8,7
2
8,8
2,9
3
8,0
3
9,1
9,1
9,2
1
9,3
1
9,5
1
9,6
1
9,7
1
9,8
1
9,9
2,0
2
9,1
2
9,2
9,3
2
9,4
2
9,5
2
9,6
2
9,7
2
9,8
2
9,9
3,0
3
9,1
3
9,2
3
9,3
9,4
3
9,5
6
9,4
6
9,5
6
9,6
9,7
6
9,8
6
1,9
0,0
19
0,10,11
0,12
0,13
0,14
0,15
0,16
0,17
0,2
14
0,2
15
0,2
16
0,27 B
backbone area
area ID ...............................................................483
A area type ............................................................483
access privileges bandwidth-limit statement.........................................821
specifying ............................................................94 BGP (Border Gateway Protocol)
access statement........................................................664 AS number .........................................................480
accounting-server statement......................................665 See also ASs (autonomous systems), AS
active alarms number
checking.............................................................100 Configuration......................................................479
active routes, displaying.............................................498 enabling .............................................................479
Add a RADIUS Server page local address ......................................................480
field summary......................................................95 monitoring..........................................................491
Add a User Configuration page peer address ......................................................480
field summary......................................................95 peer AS number..................................................480
addresses router ID ............................................................479
BGP local address ..............................................480 statistics..............................................................491
BGP peer address ...............................................480 status..................................................................492
destination, displaying........................................498 BGP groups, displaying..............................................491
advertisement-interval statement...............................666 BGP neighbors
alarm severity displaying...........................................................492
major (red) ...........................................................77 BGP peers See BGP neighbors
See also major alarms peer address ......................................................480
minor (yellow)......................................................78 peer AS number .................................................480
See also minor alarms BGP routing information............................................491
alarms BGP sessions, status...................................................492
major See major alarms boot operations, DHCP...............................................482
minor See minor alarms bridge-priority statement...........................................410
overview...............................................................77 bucket-size statement..............................................1024
red See major alarms buffer-size statement.................................................911
yellow See minor alarms burst-size-limit statement...........................................822
allowed-mac statement..............................................667
analyzer statement..................................................1009
arp-inspection statement............................................668 C
AS path, displaying....................................................499 ca-type statement......................................................673
ASs (autonomous systems) ca-value statement.....................................................674
AS number .........................................................480 certificates See SSL certificates
Index ■ 1031
chassis rewrite rules page...............................................896

alarm condition indicator....................................100 secure Web access................................................79
chassis software process..............................................14 Configuration text
chassisd process..........................................................14 editing............................................................45, 47
checking viewing.................................................................45
active alarms......................................................100 Configuring
civic-based statement.................................................675 802.1X settings...................................................616
Class of Service classifiers page..................................886 EX-series switch..............................................61, 62
field summary....................................................886 firewall filters......................................................800
Class of Service Cos value aliases page Link Layer Discovery Protocol.............................626
field summary....................................................882 LLDP...................................................................626
Class of Service forwarding classes page....................889 management access.............................................79
field summary....................................................890 PoE.....................................................................958
Class of Service rewrite rules page.............................896 port mirroring...................................................1003
field summary....................................................896 SNMP..................................................................485
Class of Service scheduler maps page........................891 configuring
field summary....................................................893 link aggregation..................................................264
Class of Service schedulers page................................891 port security.......................................................632
field summary....................................................892 Virtual chassis.....................................................181
class statement..........................................................912 VLANs.................................................................365
class-of-service statement..........................................913 congestion control
classifiers with CoS schedulers ...........................................891
adding and editing .............................................887 CoS (class of service)
defining .............................................................886 classifiers..............................886, 901 See classifiers
summary ...........................................................886 CoS value aliases See CoS value aliases
classifiers statement...................................................915 forwarding classes.....889, 902 See forwarding
classifiers, CoS...........................................................901 c l a s s e s
clear interfaces............................................................903
snmp rmon history.............................................110 loss priority.........................................................906
clear arp inspection statistics command....................718 packet loss priority..............................................906
clear dhcp snooping binding command.....................719 rewrite rules See rewrite rules
clear dot1x command................................................720 scheduler maps See scheduler maps
clear firewall command..............................................834 schedulers See schedulers
clear gvrp statistics command....................................444 CoS value aliases
clear lldp neighbors command...................................721 adding ...............................................................883
clear lldp statistics command.....................................722 summary ...........................................................882
clear snmp rmon historycommand............................110 cost statement
clear spanning-tree statistics command.....................445 STP.....................................................................411
clear virtual-chassis vc-port statistics command.........218 country-code statement.............................................676
CLI terminal.................................................................48 CPU utilization, displaying............................................92
overview...............................................................48
code-point-aliases statement......................................916
code-points statement................................................917 D
command-name command..............................223, 1020 daemons See processes, software
compact flash default gateway
displaying usage...................................................92 defining................................................................80
configuration default gateway, static routing...................................489
upgrading (J-Web).................................................59 deleting
uploading .............................................................73 current rescue configuration (CLI configuration
Configuration editor)...............................................................98
adding users.........................................................94 description statement........................................280, 412
CoS classifiers page.............................................886 destination address, displaying..................................498
CoS forwarding classes page...............................889 DHCP
CoS scheduler maps page...................................891 monitor...............................................................493
CoS schedulers page...........................................891
CoS value aliases page........................................882
1032 ■ Index
Index
DHCP (Dynamic Host Configuration Protocol) ethernet-switching-options statement......415, 682, 1011

Configuration......................................................480 event viewer, J-Web
conflicts..............................................................493 overview.............................................................101
DHCP leases See also system log messages
configuring .........................................................481 examine-dhcp statement............................................683
monitoring..........................................................493
DHCP pages
field summary....................................................481 F
DHCP pools family statement........................................................282
configuring (Quick Configuration).......................481 firewall filters......................................................823
monitoring..........................................................494 fast-start statement....................................................684
DHCP server files
boot operations ..................................................482 managing..............................................................96
Configuration......................................................480 filter statement..........................................283, 416, 825
information ........................................................481 firewall filters......................................................824
monitoring operations........................................493 Firewall filters
static bindings ....................................................482 configuring..........................................................800
subnet for configuration (Quick flow-control statement...............................................284
Configuration).................................................481 forward-delay statement............................................417
dhcp-trusted statement..............................................677 forwarding classes
diagnose adding and editing..............................................890
CLI terminal..........................................................48 assigning to output queues .................................889
packet capture......................................................87 defining .............................................................889
diagnosing summary ...........................................................890
traceroute tool......................................................89 forwarding software process........................................14
diagnosis forwarding-class statement........................................685
DHCP conflicts....................................................493 class of service............................................920, 921
viewing active alarms.........................................100 from statement..........................................................826
disable statement fwdd process................................................................14
802.1X................................................................678
GVRP..................................................................412
LLDP...................................................................679 G
LLDP MED..........................................................679 Gigabit Ethernet interfaces
power over Ethernet diagnostics information, displaying.....................317
telemetries...................................................964 status information, displaying.....................296, 306
STP.....................................................................413 group-name statement.......................................418, 514
dot1x statement.........................................................680 groups
drop profiles See CoS; RED drop profiles BGP, displaying...................................................491
drop-profile-map statement.......................................918 guard-band statement................................................965
dscp statement..........................................................919 guest-vlan statement..................................................686
duration statement.....................................................964 GVRP
configuration
show............................................................456
E statistics
edge statement..........................................................414 clearing........................................................444
Edit show............................................................458
configuration text.................................................47 gvrp statement...........................................................419
egress statement
port mirroring...................................................1010
elin statement............................................................681 H
ether-options statement.............................................281 halting a switching platform
Ethernet interfaces with J-Web............................................................93
status information, displaying halting a switching platform immediately
Gigabit Ethernet...................................296, 306 with J-Web ...........................................................93
Ethernet ports hardware
alarm condition indicator....................................100 major (red) alarm conditions on............................77
Index ■ 1033
hello-time statement..................................................420 JUNOS software

history statement overview...............................................................13
RMON...............................................................1025 Packet Forwarding Engine....................................13
hold-multiplier statement...........................................687 processes..............................................................14
hostname Routing Engine.....................................................13
pinging (J-Web).....................................................86 JUNOScript API
HTTP (Hypertext Transfer Protocol) enabling secure access..........................................79
enabling Web access ............................................79 JUNOScript over SSL....................................................79
HTTPS (Hypertext Transfer Protocol over SSL)
enabling secure access .........................................79
Quick Configuration..............................................79 L
Hypertext Transfer Protocol See HTTP l3-interface statement........................................284, 424
Hypertext Transfer Protocol over SSL See HTTPS LACP
configuring..........................................................264
lacp statement...........................................................285
I laptop See management device
idle time, displaying.....................................................92 leave-timer statement
ieee–802.1 statement................................................922 GVRP..................................................................426
if-exceeding statement...............................................827 leaveall-timer statement
ifd process...................................................................14 GVRP..................................................................425
import statement.......................................................923 link aggregation
inet-precedence statement.........................................924 configuring..........................................................264
ingress statement.....................................................1012 Link Layer Discovery Protocol
input statement........................................................1013 configuring..........................................................626
Install Remote page link-mode statement..................................................286
field summary......................................................60 LLDP
installation configuring..........................................................626
software upgrades, from a remote server.............59 lldp statement............................................................691
software upgrades, uploading...............................60 lldp-med statement....................................................692
interface loading a configuration file
monitoring..........................................................267 uploading .............................................................73
interface software process...........................................14 location statement.....................................................693
interface statement............................................688, 689 login classes
802.1X................................................................690 specifying ............................................................94
Ethernet switching options.........................422, 515 login time, displaying...................................................92
GVRP..................................................................421 loss priority, CoS........................................................906
port mirroring...................................................1014 loss-priority statement.............................................1015
power over Ethernet...........................................966 class of service....................................................926
RMON history...................................................1025
STP.....................................................................423
interfaces statement M
class of service....................................................925 mac-limit statement...................................................694
interval statement......................................................966 mac-move-limit statement.........................................695
mac-persistence-timer statement...............................206
mac-table-aging-time statement.................................427
J major (red) alarms
J-Web interface description............................................................77
event viewer.......................................................101 Management access
join-timer statement configuring............................................................79
GVRP..................................................................424 management device
JUNOS CLI connecting through the CLI.................................105
overview...............................................................48 connecting to console port..................................105
JUNOS Internet software management software process....................................14
version, displaying................................................91 management statement.............................................967
managing
reboots.................................................................93
1034 ■ Index
Index
Managing designating OSPF interfaces ...............................484

files.......................................................................96 enabling .............................................................483
mapping, CoS forwarding classes to schedulers.........891 monitoring..........................................................494
mastership-priority statement....................................207 router ID ............................................................483
max-age statement....................................................428 statistics..............................................................496
maximum-power statement.......................................967 OSPF interfaces
maximum-requests statement...................................696 displaying...........................................................495
member statement....................................................208 enabling..............................................................484
members statement status..................................................................495
interfaces....................................................287, 429 OSPF neighbors
memory utilization, displaying.....................................93 displaying...........................................................495
mgd process................................................................14 status..................................................................495
minor (yellow) alarms OSPF page
description............................................................78 field summary....................................................483
mode (STP) statement................................................430 OSPF routing information..........................................494
monitoring output statement
BGP.....................................................................491 port mirroring...................................................1016
interface.............................................................267 owner statement......................................................1026
OSPF...................................................................495
RIP......................................................................497
routing tables......................................................498 P
system process information..................................92 packet capture.............................................................87
system properties.................................................91 Packet Forwarding Engine...........................................13
virtual chassis.....................................................195 packet loss priority, CoS.............................................906
Monitoring passwords
802.1X settings...................................................647 for downloading software upgrades......................58
DHCP services....................................................493 RADIUS secret......................................................95
PoE.....................................................................961 root password, recovering..................................105
port security.......................................................648 PC See management device
MSTP periodic statement.....................................................289
configuration Ping Host page
displaying....................................................468 field summary......................................................86
mstp statement..........................................................431 PoE
mtu statement...........................................................287 configuring..........................................................958
monitoring..........................................................961
poe
N controller............................................................972
native-vlan-id statement.....................................288, 432 show interfaces command..................................974
network interfaces policer statement.......................................................828
enabling RIP on..................................................485 Port Mirroring
next hop configuring........................................................1003
address for static routes......................................489 port security
next hop, displaying...................................................499 configuring..........................................................632
no-management-vlan statement.................................209 Port security
no-reauthentication statement...................................696 monitoring..........................................................648
NSSAs (not-so-stubby areas) port-mode statement.........................................290, 433
area ID ...............................................................483 power over ethernet See poe
area type ............................................................483 pre-provisioned statement.........................................210
priority statement
class of service....................................................927
O power over Ethernet...........................................968
Open Shortest Path First See OSPF STP.....................................................................434
operating system See JUNOS software process ID, displaying..................................................92
OSPF (Open Shortest Path First) process information, system, monitoring.....................92
area type ............................................................483 process owner, displaying............................................92
Configuration......................................................483 process start time, displaying.......................................93
Index ■ 1035
process state, displaying..............................................92 RIP neighbors

processes, software displaying...........................................................497
chassis process.....................................................14 status..................................................................497
forwarding process...............................................14 RIP page
interface process...................................................14 field summary....................................................484
management process............................................14 RIP routing information.............................................497
routing protocol process.......................................14 rmon
profile statement........................................................697 history................................................................111
properties, system, monitoring....................................91 rmon statement.......................................................1027
protocol statement.....................................................928 role............................................................................211
protocols role statement............................................................211
originating, displaying.........................................499 root password recovery..............................................105
OSPF, monitoring...............................................494 Routing Engine
RIP, monitoring..................................................497 software component.............................................13
routing protocols, monitoring.............................491 routing policies
export, displaying...............................................492
import, displaying...............................................492
Q routing protocol software process................................14
quiet-period statement...............................................698 routing table
displaying...........................................................498
rpd process..................................................................14
R rstp statement............................................................436
RADIUS
secret ...................................................................95
radius statement........................................................699 S
random-early-discard statement................................928 scheduler maps
ratio statement.........................................................1017 adding and editing .............................................893
reauthentication statement........................................700 defining .............................................................891
reboot immediately summary ...........................................................893
with J-Web............................................................93 scheduler-map statement...........................................930
rebooting scheduler-maps statement.........................................931
with J-Web ...........................................................93 schedulers
redundant-trunk-group statement......................435, 516 adding and editing .............................................892
remote server, upgrading from....................................59 defining .............................................................891
request session member command...........................219 mapping to forwarding classes ..........................891
request system configuration rescue delete scheduler maps See scheduler maps
command.................................................................98 summary ...........................................................892
request virtual-chassis recycle command...................220 schedulers statement.................................................932
request virtual-chassis vc-port (uplink port) scheduling a reboot
command...............................................................221 with J-Web............................................................93
request virtual–chassis renumber command..............225 secret
Rescue configuration RADIUS ................................................................95
setting...................................................................99 secure access
retries statement........................................................701 JUNOScript SSL access..........................................79
rewrite rules Secure Access page
adding and editing (Quick Configuration)............896 field summary......................................................79
defining (Configuration)......................................896 secure-access-port statement.....................................702
summary ...........................................................896 serial number
rewrite-rules statement..............................................929 routing platform....................................................91
RIP (Routing Information Protocol) serial-number statement............................................212
Configuration......................................................484 server-timeout statement...........................................703
designating RIP interfaces...................................485 sessions
enabling .............................................................484 BGP peer, status details.......................................492
monitoring..........................................................497 BGP peer, status summary..................................492
statistics..............................................................497 shaping-rate statement...............................................933
show arp inspection statistics command....................723
1036 ■ Index
Index
show bgp neighbor command....................................491 show virtual-chassis vc-port statistics command........235

show bgp summary command...................................491 show vlans command................................................470
show class-of-service classifier command..................901 snmp
show class-of-service code-point-aliases rmon history.......................................................111
command...............................................................907 SNMP
show class-of-service command.................................938 configuring..........................................................485
show class-of-service forwarding-class command......902 SNMP features...........................................................485
show command.........................................................456 snmp rmon history
show dhcp snooping binding command.....................724 clear....................................................................110
show dot1x command...............................................725 software.......................................................................13
show dot1x static-mac-address command.................728 halting immediately (J-Web) .................................93
show ethernet-switching interfaces command...........446 version, displaying................................................91
show ethernet-switching mac-learning-log See also JUNOS software
command...............................................................449 speed statement.........................................................291
show ethernet-switching table command...................451 SSL (Secure Sockets Layer)
show firewall enabling secure access (Quick Configuration).......79
sub-topic.............................................................835 SSL certificates
show firewall command.............................................835 adding .................................................................81
show gvrp statistics command...................................458 static routes
show interfaces (10-Gigabit Ethernet) command........306 Configuration......................................................488
show interfaces (Gigabit Ethernet) command.............296 Static Routes page
show interfaces diagnostics optics command.............317 field summary....................................................489
show interfaces filters command...............................837 static routing
show interfaces policers command............................839 default gateway..................................................489
show lldp command..................................................729 static statement.........................................................704
show lldp local-info command...................................734 statistics
show lldp neighbors command..................................736 BGP.....................................................................491
show lldp statistics command....................................739 DHCP..................................................................494
show network-access aaa statistics accounting OSPF...................................................................496
command...............................................................741 RIP......................................................................497
show network-access aaa statistics authentication status
command...............................................................742 BGP.....................................................................492
show network-access aaa statistics dynamic-requests OSPF interfaces..................................................495
command...............................................................743 OSPF neighbors..................................................495
show ospf interfaces command.................................495 RIP neighbors.....................................................497
show ospf neighbors command.................................495 stop-on-access-deny statement..................................705
show ospf statistics command...................................495 stop-on-failure statement...........................................705
show poe controller command...................................972 STP
show poe interface command....................................974 bridge
show poe telemetries interface command..................976 displaying....................................................461
show policer command..............................................841 interface
show redundant-trunk-group command.............460, 518 displaying....................................................464
show rip neighbors command....................................497 statistics
show rip statistics command......................................497 clearing........................................................445
show route detail command.......................................498 displaying....................................................469
show route terse command........................................498 stp statement.............................................................437
show snmp rmon history command..........................111 stub areas
show spanning-tree bridge command........................461 area ID ...............................................................483
show spanning-tree interface command....................464 area type ............................................................483
show spanning-tree mstp configuration supplicant statement..................................................706
command...............................................................468 supplicant-timeout statement.....................................707
show spanning-tree statistics command.....................469 switching
show system processes command...............................92 configuring..........................................................365
show system uptime..................................................226 switching platform
show virtual-chassis status command........................230 halting (J-Web)......................................................93
show virtual-chassis vc-port command...............228, 232 rebooting (J-Web)..................................................93
Index ■ 1037
system identification, displaying..................................91 V

system log messages version
event viewer.......................................................101 software, displaying..............................................91
monitoring (Quick Configuration).......................101 View
system overview configuration text.................................................45
software................................................................13 view and edit
system process information, displaying.......................93 uploading a file.....................................................73
system storage, displaying...........................................91 View Events page
system time field summary (filtering log messages)................101
defining ...............................................................82 field summary (viewing log messages)................103
system time, displaying...............................................91 Virtual chassis
system uptime configuring..........................................................181
virtual chassis.....................................................226 Virtual Chassis
monitoring..........................................................195
virtual chassis
T active topology...................................................228
telemetries statement................................................969 member id..........................................................220
term statement..........................................................829 member ID.........................................................230
then statement...................................................830, 831 members of........................................................208
time zone renumber............................................................225
defining ...............................................................81 session................................................................219
topic1 system uptime....................................................226
sub-topci.2234
,464
,494,514
,707
,187
,197
,207
,217
,237
,247
,257,287
,297
,367
,397
,417
,427
,438
,348
,378,398
,419
,381
,020 uplink VCP..........................................................221
topic2 virtual chassis port..............................................232
subt-opci.2234
,464
,494
,514
,707
,187
,197
,207
,217
,237
,247
,257
,287
,297
,367
,397
,417
,427
,438
,348
,358
,378
,398
,419
,381
,020 virtual chassis ports............................................230
traceoptions statement..............................................708 virtual chassis ports
LLDP...................................................................710 clear statistics.....................................................218
virtual chassis.....................................................213 statistics..............................................................235
translate statement virtual-chassis statement............................................215
interfaces....................................................292, 438 vlan statement...........................................................713
transmit-delay statement...........................................711 interfaces....................................................294, 439
transmit-period statement..........................................712 port mirroring...................................................1017
transmit-rate statement..............................................934 vlan-assignment statement........................................714
troubleshooting vlan-id statement.......................................................440
root password recovery......................................105 VLANs
TTY, displaying............................................................92 configuring..................................................365, 441
vlans statement..........................................................441
voip statement...........................................................715
U
unit statement
class of service....................................................935 W
interfaces............................................................293 Web access, secure See secure access
upgrades what statement..........................................................716
installing by uploading..........................................60
installing from remote server................................59
Upload package page Y
field summary......................................................60 yellow alarms See minor alarms
uploading a configuration file.......................................73
username
displaying.............................................................92
specifying ............................................................94
users
adding .................................................................94
displaying.............................................................92
1038 ■ Index

EX Configs ALL

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

EX Configs ALL

Uploaded by

Copyright:

Available Formats

Complete Software Guide for JUNOS for EX-series Software,

Juniper Networks, Inc.

YEAR 2000 NOTICE

How To Use This Guide ..............................................................................xxxv

Part 1 JUNOS for EX-series Product Overview

Chapter 1 Product Overview 3

Software Overview ..........................................................................................3

Uplink Modules .......................................................................................17

Part 2 Complete Software Configuration Statement Hierarchy and

Chapter 2 Complete Software Configuration Statement Hierarchy 23

[edit access] Configuration Statement Hierarchy ...........................................23

Part 3 Software User Interfaces

Chapter 3 Command-Line Interface 37

Chapter 4 J-Web Graphical User Interface 43

J-Web Interface .............................................................................................43

Using the CLI Editor in the J-Web Interface to Edit Configuration

Part 4 Software Installation, Upgrades, and Initial Configuration

Chapter 5 Software Installation and Initial Configuration 55

Software Installation ......................................................................................55

Part 5 System Basics

Chapter 6 Understanding Basic System Concepts 77

Understanding Alarm Types and Severity Levels on EX-series Switches ........77

Chapter 7 Configuring Basic System Functions 79

Configuring Management Access for the EX-series Switch (J-Web

Table of Contents ■ vii

Chapter 8 Administering and Monitoring Basic System Functions 85

Monitoring Hosts Using the J-Web Ping Host Tool .........................................85

Chapter 9 Troubleshooting Basic System Functions 105

Troubleshooting Loss of the Root Password ................................................105

Chapter 10 Operational Mode Commands for … 109

clear snmp rmon history ...........................................................................1020

Part 6 Virtual Chassis

Chapter 11 Understanding Virtual Chassis 117

Virtual Chassis Concepts .............................................................................117

viii ■ Table of Contents

Member Switch and Member ID ...........................................................122

Chapter 12 Examples of Configuring Virtual Chassis 131

Virtual Chassis Configuration Examples ......................................................131

Chapter 13 Configuring Virtual Chassis 181

Virtual Chassis Configuration Tasks .............................................................181

Chapter 14 Verifying Virtual Chassis 193

Virtual Chassis Verification Tasks ................................................................193

Chapter 15 Troubleshooting Virtual Chassis 203

Troubleshooting a Virtual Chassis ................................................................203

Chapter 16 Configuration Statements for Virtual Chassis 205

Virtual Chassis Configuration Statement Hierarchy .....................................205

Chapter 17 Operational Mode Commands for Virtual Chassis 217

Virtual Chassis Commands ..........................................................................217

Chapter 18 Understanding Interfaces 239

EX-series Switches Interfaces Overview ......................................................239

Chapter 19 Examples of Configuring Interfaces 245

Example: Configuring Aggregated Ethernet High-Speed Uplinks Between a

Chapter 20 Configuring Interfaces 257

Configuring Gigabit Ethernet Interfaces (J-Web Procedure) ..........................257

Chapter 21 Verifying Interfaces 267

Monitoring Interface Status and Traffic .......................................................267

Chapter 22 Troubleshooting Interfaces 271

Troubleshooting an Aggregated Ethernet Interface ......................................271

Chapter 23 Configuration Statements for Interfaces 277

Interface Configuration Statement Hierarchy ..............................................277

xii ■ Table of Contents

Chapter 24 Operational Mode Commands for Interfaces 295

show interfaces ...........................................................................................296