Advanced Junos Enterprise Switching: High-Level Lab Guide

Advanced Junos Enterprise Switching
10.b
High-Level Lab Guide
Worldwide Education Services

1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Course Number: EDU-JUN-AJEX
This document is produced by Juniper Networks, Inc. This document or any part thereof may not be reproduced or transmitted in any form under penalty of law, without the prior written permission of Juniper Networks Education Services. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Advanced Junos Enterprise Switching High-Level Lab Guide, Revision 10.b Copyright 2011 Juniper Networks, Inc. All rights reserved. Printed in USA. Revision History: Revision 10.aApril 2011 Revision 10.bJune 2011 The information in this document is current as of the date listed above. The information in this document has been carefully verified and is believed to be accurate for software Release 10.4R3.4. Juniper Networks assumes no responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct, indirect, special, exemplary, incidental, or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages.
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. YEAR 2000 NOTICE Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036. SOFTWARE LICENSE The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should consult the software license for further details.
Contents
Lab 1: Advanced Ethernet Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Part 1: Logging In Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Part 2: Configuring and Monitoring Filter-Based VLAN Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Part 3: Configuring and Monitoring a PVLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Part 4: Configuring and Monitoring MVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Part 5: Configuring and Monitoring Q-in-Q Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 1-3 1-4 1-7 1-8
Lab 2:
Implementing MSTP and VSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

Part 1: Modifying the Existing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Part 2: Configuring and Monitoring MSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Part 3: Configuring and Monitoring VSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Lab 3:
Authentication and Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

Part 1: Modifying the Existing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 Part 2: Configuring 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Part 3: Configuring and Monitoring Other Access and Authentication Features . . . . . . . . . . . . . . . . . . . . . . . 3-5
Lab 4:
Deploying IP Telephony Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

Part 1: Modifying the Existing Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Part 2: Configuring and Monitoring PoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Part 3: Configuring and Monitoring LLDP and LLDP-MED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Part 4: Configuring and Monitoring the Voice VLAN Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 4-2 4-4 4-6
Lab 5:
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1

Part 1: Exploring the Default CoS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Part 2: Configuring and Monitoring CoS Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 Part 3: Implementing CoS Using the EZQoS Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Lab 6:
Monitoring and Troubleshooting Layer 2 Networks . . . . . . . . . . . . . . . . . . . 6-1

Part 1: Modifying the Existing Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Part 2: Determining Success . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Part 3: Verifying Hardware Components and System Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 Part 4: Verifying Ethernet Switching, MSTP, and Aggregate Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . 6-5 Part 5: Configuring Port Mirroring and sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13
Appendix A: Lab Diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1
www.juniper.net
Contents iii
iv Contents
www.juniper.net
Course Overview
This two-day course provides detailed coverage of virtual LAN (VLAN) operations, Multiple Spanning Tree Protocol (MSTP) and VLAN Spanning Tree Protocol (VSTP), authentication and access control for Layer 2 networks, IP telephony features, class of service (CoS) and monitoring and troubleshooting tools and features supported on the EX Series Ethernet Switches. Through demonstrations and hands-on labs, students will gain experience in configuring and monitoring the Junos operating system and in monitoring device and protocol operations.
Objectives
After successfully completing this course, you should be able to: Implement filter-based VLAN assignments. Restrict traffic flow within a VLAN. Manage dynamic VLAN registration. Tunnel Layer 2 traffic through Ethernet networks. Review the purpose and operations of a spanning tree. Implement multiple spanning tree instances in a network. Implement one or more spanning tree instances for a VLAN. List the benefits of implementing end-user authentication. Explain the operations of various access control features. Configure and monitor various access control features. Describe processing considerations when multiple authentication and access control features are enabled. Describe some common IP telephony deployment scenarios. Describe features that facilitate IP telephony deployments. Configure and monitor features used in IP telephony deployments. Explain the purpose and basic operations of class of service. Describe class of service features used in Layer 2 networks. Configure and monitor class of service in a Layer 2 network. Describe a basic troubleshooting method. List common issues that disrupt network operations. Identify tools used in network troubleshooting. Use available tools to resolve network issues.
Intended Audience
This course benefits individuals responsible for configuring and monitoring EX Series switches.
Course Level
Advanced Junos Enterprise Switching is an advanced-level course.
Prerequisites
Students should have an intermediate-level of networking knowledge and an understanding of the Open Systems Interconnection (OSI) reference model and the TCP/IP protocol suite. Students should also attend the Introduction to the Junos Operating System (IJOS), the Junos Routing Essentials (JRE), and the Junos Enterprise Switching (JEX) courses prior to attending this class.
www.juniper.net
Course Overview v
Course Agenda
Day 1
Chapter 1: Course Introduction Chapter 2: Advanced Ethernet Switching Lab 1: Advanced Ethernet Switching Chapter 3: Advanced Spanning Tree Lab 2: Implementing MSTP and VSTP Chapter 4: Authentication and Access Control Lab 3: Authentication and Access Control
Day 2
Chapter 5: Deploying IP Telephony Features Lab 4: Deploying IP Telephony Features Chapter 6: Class of Service Lab 5: Class of Service Chapter 7: Monitoring and Troubleshooting Lab 6: Monitoring and Troubleshooting Layer 2 Networks
vi Course Agenda
www.juniper.net
Document Conventions
CLI and GUI Text
Frequently throughout this course, we refer to text that appears in a command-line interface (CLI) or a graphical user interface (GUI). To make the language of these documents easier to read, we distinguish GUI and CLI text from chapter text according to the following table. Style Franklin Gothic Courier New Description Normal text. Console text: Screen captures Noncommand-related syntax commit complete Exiting configuration mode Usage Example Most of what you read in the Lab Guide and Student Guide.
GUI text elements: Menu names Text field entry
Select File > Open, and then click Configuration.conf in the Filename text box.
Input Text Versus Output Text

You will also frequently see cases where you must enter input text yourself. Often these instances will be shown in the context of where you must enter them. We use bold style to distinguish text that is input versus text that is simply displayed. Style Normal CLI Normal GUI Description No distinguishing variant. Usage Example Physical interface:fxp0, Enabled View configuration history by clicking Configuration > History. CLI Input GUI Input Text that you must enter. lab@San_Jose> show route Select File > Save, and type config.ini in the Filename field.
Defined and Undefined Syntax Variables

Finally, this course distinguishes between regular text and syntax variables, and it also distinguishes between syntax variables where the value is already assigned (defined variables) and syntax variables where you must assign the value (undefined variables). Note that these styles can be combined with the input style as well. Style CLI Variable GUI Variable CLI Undefined Description Text where variable value is already assigned. Text where the variables value is the users discretion or text where the variables value as shown in the lab guide might differ from the value the user must input according to the lab topology. Usage Example policy my-peers Click my-peers in the dialog. Type set policy policy-name. ping 10.0.x.y Select File > Save, and type filename in the Filename field.
GUI Undefined
www.juniper.net
Document Conventions vii
Additional Information
Education Services Offerings
You can obtain information on the latest Education Services offerings, course dates, and class locations from the World Wide Web by pointing your Web browser to: http://www.juniper.net/training/education/.
About This Publication

The Advanced Junos Enterprise Switching High-Level Lab Guide was developed and tested using software Release 10.4R3.4. Previous and later versions of software might behave differently so you should always consult the documentation and release notes for the version of code you are running before reporting errors. This document is written and maintained by the Juniper Networks Education Services development team. Please send questions and suggestions for improvement to training@juniper.net.
Technical Publications
You can print technical manuals and release notes directly from the Internet in a variety of formats: Go to http://www.juniper.net/techpubs/. Locate the specific software or hardware release and title you need, and choose the format in which you want to view or print the document.
Documentation sets and CDs are available through your local Juniper Networks sales office or account representative.
Juniper Networks Support

For technical support, contact Juniper Networks at http://www.juniper.net/customers/support/, or at 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States).
viii Additional Information
www.juniper.net
Lab 1
Advanced Ethernet Switching
Overview
In this lab, you familiarize yourself with the starting configuration and the lab environment. You will also use the command-line interface (CLI) to configure and monitor various Ethernet switching features covered in the corresponding lecture. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. By completing this lab you will perform the following tasks: Familiarize yourself with the lab environment. Configure and monitor filter-based VLAN assignments. Configure and monitor a private VLAN (PVLAN). Configure and monitor the Multiple VLAN Registration Protocol (MVRP). Configure and monitor Q-in-Q tunneling.
www.juniper.net
Advanced Ethernet Switching Lab 11 10.b.10.4R3.4
Part 1: Logging In Using the CLI

In this lab part, you familiarize yourself with the access details used to connect to the lab equipment. Once you are familiar with the access details, you will use the CLI to log in to your teams designated switch and become familiar with this labs environment.
Note
The lab equipment used in this class is likely to be remote from your physical location. The instructor will provide access details to get you logged in to your assigned device. Step 1.1 Ensure that you know to which switch you have been assigned. Check with your instructor if you are not certain. Consult the Management Network Diagram to determine your switchs management address. Question: What is the management address assigned to your switch?
Step 1.2 Access the CLI for your switch using either the console, Telnet, or SSH as directed by your instructor. Refer to the Management Network Diagram for the IP address associated with your teams station. The following example uses Telnet and the SecureCRT program:
Step 1.3 Log in as user lab with the password supplied by your instructor.
Lab 12 Advanced Ethernet Switching
www.juniper.net
Part 2: Configuring and Monitoring Filter-Based VLAN Assignments

In this lab part, you configure and monitor filter-based VLAN assignments. You will first verify the state of the starting configuration. You will then configure and apply a firewall filter used for a filter-based VLAN assignment. You will then associate the interfaces. Step 2.1 Use the show interfaces terse command to ensure ge-0/0/7.0, ge-0/0/8.0, and ge-0/0/12.0 are all enabled for Layer 2 operations and are up, both physically and administratively. Question: Are the referenced interfaces enabled for Layer 2 operations and up, physically and administratively?
Step 2.2 Use the show vlans command to ensure ge-0/0/7.0 and ge-0/0/8.0 are associated with the v11 and v12 VLANs respectively. Use the same command to ensure ge-0/0/12.0 is associated with both v11 and v12. Question: Are the referenced interfaces associated with the correct VLANs?
Question: What operational mode command can you issue to determine the port modes currently assigned with the referenced interfaces?
Step 2.3 Enter configuration mode and navigate to the [edit firewall family ethernet-switching] hierarchy. Create a firewall filter named fbva that matches any source IP address in the 172.23.15.0/24 subnet and associates the related traffic with VLAN v15. Ensure that all other traffic is permitted. Step 2.4 Navigate to the [edit interfaces] hierarchy and associate the newly defined filter with ge-0/0/7.0 as an input filter.
www.juniper.net
Advanced Ethernet Switching Lab 13
Step 2.5 Navigate to the [edit vlans] hierarchy and define VLAN v15 to use VLAN ID 15. Associate ge-0/0/12.0 and ge-0/0/7.0 with this VLAN. Note that to correctly associate ge-0/0/7.0 with the newly defined VLAN, you must use the mapping policy statement. Activate the changes using commit. Step 2.6 Issue the run show vlans v15 detail command and verify the designated access port and trunk port are associated with VLAN v15. Question: Are the expected interfaces now associated with VLAN v15?
Question: Based on the current configuration, with which VLAN would traffic entering ge-0/0/7.0 with an IP source address of 172.23.16.100 be associated?
Step 2.7 Issue the top save /var/home/lab/ajex/lab1part2.conf command to save the entire configuration. Note that you will need to reload this configuration at a later time so ensure the entire configuration is saved.
STOP
Before proceeding ensure that the remote team is done with Part 2.
Part 3: Configuring and Monitoring a PVLAN

In this lab part, you configure and monitor a PVLAN. You will first delete the current VLAN configuration. You will then configure and monitor a PVLAN named pvlan-50 with two community VLANs named finance and sales. Refer to the network diagram for configuration details associated with this lab. Step 3.1 Delete all configuration under the [edit vlans] hierarchy level. Step 3.2 Delete all configuration under the [edit firewall] hierarchy and remove the application of the fbva firewall filter from the ge-0/0/7.0 interface.
Lab 14 Advanced Ethernet Switching www.juniper.net
Step 3.3 Configure a primary VLAN named pvlan-50 with a VLAN ID of 50. Associate the ge-0/0/12 interface with this newly defined VLAN. Configure ge-0/0/12 to function as a PVLAN trunk port. Step 3.4 Use the details shown on the network diagram for this lab and configure two community VLANs: one named finance and the other named sales. Ensure that ge-0/0/7.0 and ge-0/0/8.0 are associated with their respective community VLANs and that both community VLANs are linked to the primary VLAN (pvlan-50). Step 3.5 Attempt to activate the changes using the commit command. Question: Does the commit operation succeed? If not can you explain why not?
Step 3.6 Remove the vlan members all statement from the ge-0/0/12.0 interface configuration and attempt the commit operation once again. Question: Does the commit operation succeed now?
Step 3.7 Issue the run show vlans pvlan-50 extensive command to determine the current PVLAN designations for the associated interfaces and community VLANs. Question: Are the expected access and trunk ports listed in the output?
Question: Based on the output, is the ge-0/0/12.0 properly enabled as a PVLAN trunk port?
www.juniper.net
Advanced Junos Enterprise Switching Note
You will now log in to your assigned SRX device. The gateway is configured with multiple virtual routers (VRs), which are logical devices created on your assigned gateway. Most of the configuration required for the SRX device has already been defined. You will, however, be required to modify the existing configuration throughout the labs. Refer to the Management Network Diagram for the IP address of your assigned SRX device. If needed, work with your instructor to obtain the required information. Step 3.8 Open a separate session to your assigned gateway. Note you can connect to your gateway using the console connection through the terminal server or through a Telnet or SSH session using the SRX devices management IP address. Consult with your instructor if you have questions.
Step 3.9 Log in to your assigned SRX device using the lab user account and the password provided by your instructor. Step 3.10 From both of the VRs attached to your assigned EX Series switch, attempt to ping the other VR attached to your assigned EX Series switch, as well as the two VRs attached to the remote student EX Series switch. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs and do not forget to reference the correct routing instance.
www.juniper.net
Question: Do the ping tests between the VRs associated with the same community VLANs succeed?
STOP
Part 4: Configuring and Monitoring MVRP

In this lab part, you configure and monitor MVRP. You will first load the configuration file saved in a previous lab part and make some minor modifications. You will then configure and monitor MVRP. Refer to the network diagram for configuration details associated with this lab. Step 4.1 Return to your EX Series switch. Navigate to the root of the hierarchy level and use the load override and commit commands to restore the configuration saved at the end of Part 2. Note that the configuration file should be in the /var/home/lab/ajex/ directory and should be named lab1part2.conf. Step 4.2 Remove the vlan members all statement from the ge-0/0/12.0 interface configuration. Step 4.3 Delete the ge-0/0/12.0 interface from all currently defined VLANs. Issue the commit command to activate the changes. Step 4.4 Issue the run show vlans command to ensure the ge-0/0/12.0 interface is no longer associated with any of the defined VLANs. Question: Is the ge-0/0/12.0 interface currently associated with any of the defined VLANs?
Step 4.5 Enable MVRP on the ge-0/0/12.0 interface. Activate the change using the commit command.
www.juniper.net
Before proceeding, ensure that the remote team in your pod finishes the previous step. Step 4.6 Issue the run show vlans command once again to determine whether the ge-0/0/12.0 interface is now associated with the defined VLANs. Question: Is the ge-0/0/12.0 interface now associated with the defined VLANs?
Step 4.7 Issue the run show mvrp statistics command to display MVRP statistics. Question: Does the output show non-zero counters for the MRPDU received and MRPDU transmitted lines?
STOP
Part 5: Configuring and Monitoring Q-in-Q Tunneling

In this lab part, you configure and monitor Q-in-Q tunneling. You will first modify the existing configuration file. You will then configure and monitor Q-in-Q tunneling and Layer 2 Protocol Tunneling (L2PT). Refer to the network diagram for configuration details associated with this lab. Step 5.1 Enable ge-0/0/6 for Layer 2 operations as an access port. Step 5.2 Configure a new VLAN named cust-1 with a VLAN ID of 200. Associate the newly defined access port (ge-0/0/6.0) with this new VLAN. Issue the commit command to activate the changes. Step 5.3 Return to the session opened for your SRX device.
www.juniper.net
From the VR attached to your assigned EX Series switch that represents the customer bridge and attached network, attempt to ping the IP address of the remote VR performing the same function for the remote team. Refer to the network diagram for the instance names and the IP address information. Do not forget to reference the correct routing instance when performing this operation. Question: Does the ping operation succeed? Can you explain why?
Step 5.4 Return to the session opened for your EX Series switch. Enable Q-in-Q tunneling for all defined VLANs. Ensure that all Layer 2 protocol traffic is permitted through the Q-in-Q tunnel for traffic associated with the cust-1 VLAN. Activate the changes and return to operational mode using the commit and-quit command. Step 5.5 Issue the show vlans cust-1 detail command. Question: Based on the output, are Q-in-Q tunneling and L2PT now enabled?
Step 5.6 Return to the session opened for your SRX device. Use the ping utility once again and verify reachability between customer sites. Refer to the network diagram for the instance names and the IP address information. Do not forget to reference the correct routing instance when performing this operation. Question: Does the ping operation succeed now?
STOP
Tell your instructor that you have completed Lab 1.
www.juniper.net
www.juniper.net
Lab 2
Implementing MSTP and VSTP
Overview
In this lab, you will use the command-line interface (CLI) to configure and monitor the Multiple Spanning Tree Protocol (MSTP) and VLAN STP (VSTP). The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. By completing this lab you will perform the following tasks: Modify the existing configuration. Configure and monitor MSTP. Configure and monitor VSTP.
www.juniper.net
Implementing MSTP and VSTP Lab 21 10.b.10.4R3.4
Part 1: Modifying the Existing Configuration

In this lab part, you will modify the existing configuration on your EX Series switch and perform some basic verification tasks to prepare for subsequent lab parts. Refer to network diagram for this lab for topological and configuration details. Step 1.1 Enter configuration mode and configure the ge-0/0/9 and ge-0/0/10 interfaces for Layer 2 operations and as trunk ports. Step 1.2 Associate these newly defined trunk ports with all currently defined VLANs. Note that the VLANs must be statically associated with these new trunk ports, because the attached SRX devices do not support the Multiple VLAN registration Protocol (MVRP). Also note that you cannot use the vlan members all statement because Q-in-Q tunneling is in place. Step 1.3 Activate the configuration changes using the commit command and verify the spanning-tree topology details using the run show spanning-tree bridge command. Question: Which device is elected as the root bridge? Which interface will your switch use to forward traffic through the Layer 2 network?
Question: What limitation exists with the current spanning-tree implementation? What options exist that overcome this limitation?
Part 2: Configuring and Monitoring MSTP

In this lab part, you configure and monitor MSTP. You create two multiple spanning-tree instances (MSTIs); one for all VLAN IDs between 1 and 199, and a second for all VLAN IDs between 200 and 399. Once configured, you use various operational mode commands to monitor MSTP. Step 2.1 Delete RSTP, under the [edit protocols] hierarchy. Step 2.2 Configure MSTP to include two MSTIs (MSTI 1 and MSTI 2). Associate MSTI 1 with VLAN IDs 1 through 199 and MSTI 2 with VLAN IDs 200 through 399. Name the MSTP configuration my-mstp-config. Activate the configuration using commit.
Lab 22 Implementing MSTP and VSTP
www.juniper.net
Step 2.3 Return to the session opened for your assigned SRX device. If needed, open a new session and log in using the credentials provided by your instructor. Enter configuration mode and navigate to [edit protocols] hierarchy. Step 2.4 Delete the existing RSTP configuration on your assigned SRX device. Step 2.5 Configure MSTP to include two MSTIs (MSTI 1 and MSTI 2). Associate MSTI 1 with VLAN IDs 1 through 199 and MSTI 2 with VLAN IDs 200 through 399. Name the MSTP configuration my-mstp-config. Step 2.6 Question: Configure a non-default bridge priority for each MSTI. If you are assigned srxX-1, specify a bridge priority of 4k for MSTI 1 and 8k for MSTI 2. If you are assigned srxX-2, specify a bridge priority of 8k for MSTI 1 and 4k for MSTI 2. Activate the changes using the commit command. Based on the current configurations, what forwarding paths would you expect for traffic associated with the various VLANs currently in use?
Note
Before proceeding, ensure that the remote team in your pod finishes the previous step. Step 2.7 Return to the session opened for your EX Series switch. Issue the run show spanning-tree bridge command and answer the questions that follow. Question: Are the expected devices elected root bridges for MSTI 1 and MSTI 2?
Question: Which device has been elected as the root bridge for the Common and Internal Spanning Tree (CIST)?
www.juniper.net
Implementing MSTP and VSTP Lab 23
Question: What configuration change can you make to ensure srxX-1 is always the root bridge as long as it is available?
Step 2.8 On your assigned EX Series switch, issue the run show spanning-tree mstp configuration command. Question: Does the output display the expected VLAN to MSTI mapping information?
Question: Which three components in the displayed output must match for switches participating in the same MST region?
Question: How is the configuration digest determined?
Step 2.9 Issue the top save /var/home/lab/ajex/mstp.conf command to save the current configuration on your EX Series switch to the /var/tmp directory. Step 2.10 Change the revision level to test the effects of mismatched settings that are required to match on switches participating in the same MST region. If you are assigned exX-1, set your revision number to 1. If you are assigned exX-2, set your revision number to 2. Issue commit to activate the configuration change. Step 2.11 Issue the run show spanning-tree mstp configuration command to verify the change. Next issue the run show spanning-tree bridge command to verify the current state of the MSTP topology and root bridge election details. Question: What impact did changing the revision level have on the MSTP topology and root bridge election for MSTI 1 and MSTI 2?
www.juniper.net
Part 3: Configuring and Monitoring VSTP

In this lab part, you configure and monitor VSTP. Once configured, you use various operational mode commands to verify VSTP operations. Note that SRX devices do not currently support VSTP. Because of this fact, you will need to alter the current topology to exclude the SRX devices for this lab part. Step 3.1 Issue the set rstp and commit commands in an attempt to enable RSTP along with MSTP. Question: Did the commit operation succeed? If not, why not?
Step 3.2 Delete MSTP and attempt the commit operation once again. Step 3.3 Delete the ge-0/0/9 and ge-0/0/10 interface references from under the [edit interfaces] and [edit vlans] hierarchy levels. Step 3.4 Configure VSTP to support the currently defined VLANs independently. Refer to the following table for the bridge-priority values. Activate the changes using the commit command.
exX-1 v11 v12 v15 cust-1 4k 4k 8k 8k
exX-2 8k 8k 4k 4k
Note
Before proceeding, ensure that the remote team in your pod finishes the previous step. Step 3.5 Issue the run show spanning-tree bridge command to determine the current root bridge designations for each VLAN.
www.juniper.net
Implementing MSTP and VSTP Lab 25
Question: Based on the configuration, are the correct root bridges currently elected? Can you explain why?
Step 3.6 Manually associate the ge-0/0/12.0 interface with all currently defined VLANs. Activate the configuration changes using the commit command.
Note
Before proceeding, ensure that the remote team in your pod finishes the previous step. Step 3.7 Issue the run show spanning-tree bridge command once again to determine the current root bridge designations for each VLAN. Question: Are the correct root bridges now elected?
Step 3.8 Use the load override command to restore the mstp.conf configuration file saved in the /var/home/lab/ajex/ directory. Activate the changes and return to operational mode using the commit and-quit command.
STOP
www.juniper.net
Lab 3
Authentication and Access Control
Overview
In this lab, you will use the command-line interface (CLI) to configure and monitor various authentication and access control features supported on EX Series switches. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. By completing this lab you will perform the following tasks: Modify the existing configuration. Configure and monitor 802.1X. Configure and monitor other authentication and access features.
www.juniper.net
Authentication and Access Control Lab 31 10.b.10.4R3.4
Part 1: Modifying the Existing Configuration

In this lab part, you modify the existing configuration. In preparation for Part 2, you must modify the Q-in-Q and filter-based VLAN configuration because those features cannot be enabled with 802.1X on the same interface at the same time. Step 1.1 Enter configuration mode and navigate to the [edit vlans] hierarchy. Step 1.2 Delete the dot1q-tunneling statement from the v11 and v12 VLANs. Step 1.3 Delete the v15 VLAN and all configuration related to the filter-based VLAN assignment defined in Lab 1. Step 1.4 Navigate to the [edit ethernet-switching] hierarchy and set the Ethernet-type for the switch to 0x8100. Activate the changes and return to operational mode using the commit and-quit command.
Note
Changing the Ethernet-type to 0x8100 allows trunk ports to support VLANs configured for Q-in-Q tunneling as well as standard 802.1Q VLANs at the same time. In production environments, ensure the Ethernet-type is set consistently on all devices within a given forwarding path. Step 1.5 Return to the session opened for your assigned SRX device. If needed, open a new session and log in using the credentials provided by your instructor. Use the ping utility and attempt to verify access to and reachability through the Layer 2 network. Use the virtual routers (VRs) associated with your assigned SRX device as the source devices for these tests. Use the corresponding VR connected to the remote teams EX Series switch as the destination. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs. Do not forget to reference the correct routing instance. Question: Did the ping operations succeed? Can you explain why?
Step 1.6 On your assigned SRX device, enter configuration mode, navigate to the [edit vlans] hierarchy, and delete the v15 VLAN.
Lab 32 Authentication and Access Control www.juniper.net
Step 1.7 Delete the dot1q-tunneling statement from the v11 and v12 VLANs. Step 1.8 Navigate to the [edit ethernet-switching] hierarchy and set the Ethernet-type for the switch to 0x8100. Activate the changes and return to operational mode using the commit and-quit command. Step 1.9 Use the ping utility and attempt to verify access to and reachability through the Layer 2 network. Use the VRs associated with your assigned SRX device as the source devices for these tests. Use the corresponding VR connected to the remote teams EX Series switch as the destination. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs. Do not forget to reference the correct routing instance. Question: Do the ping operations succeed?
Part 2: Configuring 802.1X

In this lab part, you configure the 802.1X and the static MAC bypass option. Once configured, you use relevant operational mode commands to monitor operations. Refer to the network diagram for this lab for topological and configuration details. Step 2.1 Return to the session opened for your assigned EX Series switch. Display the Ethernet switching table to determine what MAC addresses have been learned for the v11 and v12 VLANs. Question: Do the MAC addresses learned for the v11 and v12 VLANs match the MAC addresses shown on the network diagram for this lab?
Step 2.2 Enter configuration mode and navigate to the [edit access] hierarchy level. Define a RADIUS server using the IP address of the server located in the management network and a secret of Juniper. Refer to the Management Network Diagram or consult with your instructor as needed. Step 2.3 Create an authentication profile named my-profile. Define an authentication order of RADIUS only and use the IP address of the RADIUS defined in the previous step as the authentication server.
www.juniper.net
Authentication and Access Control Lab 33
Step 2.4 Navigate to the [edit protocols dot1x] hierarchy and configure your switch as an 802.1X authenticator. Use the authentication profile defined in the previous step and enable 802.1X authentication for the ge-0/0/7.0 and ge-0/0/8.0 interfaces. Activate the configuration changes using the commit command. Step 2.5 Issue the run show dot1x interface detail command and answer the questions that follow. Question: What is the current supplicant mode enabled for the listed interfaces?
Question: If an 802.1X client authenticated through the ge-0/0/7.0 or ge-0/0/8.0 interfaces, would that client be forced to reauthenticate after a period of time? If so, after what period of time?
Step 2.6 Set the supplicant mode for the ge-0/0/7.0 and ge-0/0/8.0 interfaces to the single-secure supplicant mode. Disable reauthentication on the ge-0/0/7.0 interface and double the reauthentication interval on the ge-0/0/8.0 interface to 7200 seconds (2 hours). Step 2.7 Activate the configuration changes using the commit command. Next, issue the run show dot1x interface detail command and answer the questions that follow. Question: Have the recent changes taken effect?
Step 2.8 Return to the session opened for your assigned SRX device. Use the ping utility and attempt to verify access to and reachability through the Layer 2 network. Use the VRs associated with your assigned SRX device as the source devices for these tests. Use the corresponding VR connected to the remote teams EX Series switch as the destination. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs. Do not forget to reference the correct routing instance. Question: Can the VRs access the Layer 2 network through your assigned EX Series switch?
Lab 34 Authentication and Access Control
www.juniper.net
Step 2.9 Return to the session opened for your assigned EX Series switch. Configure the static MAC bypass option to always permit the MAC addresses shown on the network diagram. Associate the illustrated MAC addresses with their corresponding access ports. Refer to the network diagram for this lab as needed. Activate the changes using the commit command. Question: Did the commit operation succeed? If not, why not?
Step 2.10 Change the supplicant mode on the ge-0/0/7.0 and ge-0/0/8.0 interfaces to the multiple supplicant mode. Issue the commit command to activate the changes.
Note
Before proceeding, ensure that the remote team in your pod finishes the previous step. Step 2.11 Return to the session opened for your assigned SRX device. Use the ping utility and attempt to verify access to and reachability through the Layer 2 network. Use the VRs associated with your assigned SRX device as the source devices for these tests. Use the corresponding VR connected to the remote teams EX Series switch as the destination. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs. Do not forget to reference the correct routing instance. Question: Can the VRs access the Layer 2 network through your assigned EX Series switch?
Part 3: Configuring and Monitoring Other Access and Authentication Features

In this lab part, you configure the MAC RADIUS, guest VLAN, and server fail fallback features. Once configured, you use various operational mode commands to verify proper operations. Step 3.1 Return to the session opened for your assigned EX Series switch. Issue the run show dot1x static-mac-address command to view the MAC addresses currently permitted through static MAC bypass. Delete all static MAC bypass entries and activate the changes using the commit command.
www.juniper.net
Question: Based on the current configuration, will traffic from the VRs, representing hosts without the 802.1X client, be permitted through the switch?
Step 3.2 Configure MAC RADIUS on the ge-0/0/7.0 and ge-0/0/8.0 interfaces. Use the restrict option for both interfaces to ensure that no Extensible Authentication Protocol over LAN (EAPoL) traffic is sent from your switch. Issue the commit command to activate the changes. Step 3.3 Issue the run show dot1x interface ge-0/0/7.0 detail command to verify the settings associated with MAC RADIUS on the ge-0/0/7.0 interface. Question: Is MAC RADIUS currently enabled? Will EAPoL traffic be sent out the ge-0/0/7.0 interface?
Step 3.4 Issue the run show dot1x interface to determine the current state of the ge-0/0/7.0 and ge-0/0/8.0 interfaces. Question: What is the state of these interfaces? What does this state indicate?
Step 3.5 Return to the session opened for your assigned SRX device. Use the ping utility to test access into the Layer 2 network. Use the VRs associated with your assigned SRX device as the source devices for these tests. Use the corresponding VR connected to the remote teams EX Series switch as the destination. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs. Do not forget to reference the correct routing instance. Question: Do the ping tests succeed? If not, what might be the cause of this failure?
Step 3.6 Return to the session opened for your assigned EX Series switch. Configure the server fail fallback option for the ge-0/0/7.0 and ge-0/0/8.0 interfaces. Use the permit action for this feature on both access ports.
Lab 36 Authentication and Access Control www.juniper.net
Step 3.7 Change the IP address of the RADIUS server to 1.1.1.1 to ensure that your switch does not receive an access-reject message when an authentication request is made to the RADIUS server. Use the replace pattern command to simplify this task. Use the commit and-quit command to activate the configuration changes and return to operational mode.
Note
Before proceeding, ensure that the remote team in your pod finishes the previous step. Step 3.8 Return to the session opened for your assigned SRX device. Use the ping utility to send traffic from the VRs attached to your assigned EX Series switch. Use the corresponding VR connected to the remote teams EX Series switch as the destination. Note that these ping tests should initially fail until the MAC RADIUS authentication attempts timeout and the server fail fallback feature authenticates the required ports. Work with the remote team as needed. Question: Do the ping tests eventually succeed?
STOP
www.juniper.net
Lab 38 Authentication and Access Control
www.juniper.net
Lab 4
Deploying IP Telephony Features
Overview
In this lab, you implement various features that are commonly used in IP telephony deployments. Specifically you will use the command-line interface (CLI) to configure and monitor Power over Ethernet (PoE), the Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED), and the voice VLAN feature. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. By completing this lab you will perform the following tasks: Modify the existing configurations. Configure and monitor PoE. Configure and monitor LLDP and LLDP-MED. Configure and monitor a voice VLAN.
www.juniper.net
Deploying IP Telephony Features Lab 41 10.b.10.4R3.4
Part 1: Modifying the Existing Configurations

In this lab part, you modify the existing configurations on your assigned EX and SRX devices. You will enter configuration mode and load and activate a predefined configuration saved on your assigned devices. Step 1.1 Return to the session opened for your assigned SRX device. If needed, open a new session and log in using the credentials provided by your instructor. Enter configuration mode and override the existing configuration file with the lab4-start.conf configuration file stored in the /var/home/lab/ajex/ directory. Issue the commit and-quit command to activate the new configuration file and return to operational mode. Step 1.2 Return to the session opened for your assigned EX Series switch. If needed, open a new session and log in using the credentials provided by your instructor. Enter configuration mode and override the existing configuration file with the lab4-start.conf configuration file stored in the /var/home/lab/ajex/ directory. Issue the commit command to activate the new configuration file.
Part 2: Configuring and Monitoring PoE

In this lab part, you will configure and monitor PoE on EX Series switches. The purpose of this lab part is to illustrate proper configuration and monitoring steps when working with PoE. Step 2.1 On your assigned EX Series switch, issue the run show chassis hardware command. Question: How many PoE ports does your switch support?
Question: What is the capacity of your switchs power supply?
Step 2.2 Issue the run show poe interface command to determine the current state of all PoE interfaces.
Lab 42 Deploying IP Telephony Features
www.juniper.net
Question: Based on the output, what interfaces support PoE on your assigned switch? What is the current administrative and operational state of these interfaces?
Step 2.3 Navigate to the [edit poe] hierarchy. Enable PoE on all supported interfaces. Activate the configuration change using the commit command. Step 2.4 Issue the run show poe controller command to determine how much power is available and how much power is being used. Question: How much power is currently available for the PoE controller to budget? How much power is currently consumed?
Step 2.5 Issue the run show poe interface command to determine the current state of all PoE interfaces. Question: What is the current administrative and operational state of the PoE interfaces? What do these states indicate?
Question: What is the maximum power available to the PoE interfaces?
Question: What priority level is assigned to the PoE interfaces?
Step 2.6 Configure the ge-0/0/6 and ge-0/0/7 interfaces with a PoE priority level of high. Issue the commit command to activate the changes.
www.juniper.net Deploying IP Telephony Features Lab 43
Step 2.7 Issue the run show poe interface command again to ensure the priority level has been adjusted properly for the ge-0/0/6 and ge-0/0/7 PoE interfaces. Question: What is the current PoE priority level for the ge-0/0/6 and ge-0/0/7 interfaces?
Part 3: Configuring and Monitoring LLDP and LLDP-MED

In this lab part, you will configure and monitor LLDP and LLDP-MED. Step 3.1 Navigate to the [edit protocols] hierarchy and configure LLDP and LLDP-MED for all interfaces. Activate the configuration changes using the commit command.
Note
LLDP and LLDP-MED have been preconfigured on the SRX devices. Step 3.2 Issue the run show lldp local-information command to view information about your assigned EX Series switch that will be communicated to attached neighbors. Question: Based on the output, what is the chassis ID assigned to your switch?
Question: Based on the output, what are the system capabilities of your switch?
Question: Based on the output, what are the descriptions for the ge-0/0/6.0 and ge-0/0/7.0 interfaces?
www.juniper.net
Step 3.3 Configure descriptions of v10 access port and v11 access port for the ge-0/0/6.0 and ge-0/0/7.0 interfaces respectively. Issue the commit command to activate the change. Step 3.4 Issue the run show lldp local-information command to verify the interface descriptions for LLDP have been updated. Question: Have the interface descriptions been updated?
Step 3.5 Disable LLDP and LLDP-MED on the me0.0 interface. Activate the change using the commit command. Note you typically would not disable LLDP or LLDP-MED on internal interfaces, including the me0.0 interface. You disable the me0.0 interface in this task for verification purposes only. Step 3.6 Issue the run show lldp detail command to view detailed LLDP and LLDP-MED information. Question: Based on the output, what is the current LLDP and LLDP-MED status of the me0.0 interface? What is the status of the other configured interfaces?
Question: Based on the output, what are the supported LLDP MED TLVs?
Question: Based on the output, how many neighbors has your switch detected?
Note
Before proceeding, ensure that the remote team in your pod finishes the previous step.
www.juniper.net
Deploying IP Telephony Features Lab 45
Step 3.7 Issue the run show lldp neighbors command to view the attached LLDP neighbors. Question: Does your switch show a neighbor for all configured access and trunk ports?
Step 3.8 Issue the run show lldp statistics command to view LLDP statistics. Question: Is your switch sending and receiving LLDP packets?
STOP
Do NOT continue to the next lab part until both teams within your assigned pod have reached this point.
Part 4: Configuring and Monitoring the Voice VLAN Feature

In this part, you will configure and monitor the voice VLAN feature. Step 4.1 Return to the session opened for your assigned SRX device. If needed, open a new session and log in using the credentials provided by your instructor. Enter configuration mode and navigate to the[edit interfaces] hierarchy. Activate vlan-tagging and unit 25 for the ge-0/0/6 and ge-0/0/7 interfaces. Also deactivate unit 0 for the same interfaces. Issue the commit and-quit command to activate the new configuration file and return to operational mode. Step 4.2 Return to the session opened for your assigned EX Series switch. If needed, open a new session and log in using the credentials provided by your instructor. Navigate to the [edit vlans] hierarchy and configure a new VLAN named voice with a VLAN ID of 25. Associate the trunk ports configured on your switch with this new VLAN. Activate the changes using the commit command. Refer to the network diagram for this lab as needed.
Note
Voice VLAN has been preconfigured on the SRX devices.
www.juniper.net
Step 4.3 Navigate to the [edit ethernet-switching-options] hierarchy. Configure the voice VLAN feature to support all access ports. Step 4.4 Before activating the voice VLAN feature, use the run monitor traffic interface ge-0/0/6 detail print-ascii no-resolve command to monitor LLDP-MED packets for the ge-0/0/6 interface. Once an outgoing LLDP frame has been sent (within 30 seconds or less), issue the Ctrl + c key sequence to stop the monitoring process. Question: Did your sample capture include at least one outgoing LLDP packet?
Question: What is the name of the VLAN currently being sent through LLDP-MED?
Step 4.5 Activate the changes and return to operational mode by issuing the commit and-quit command. Step 4.6 Use the monitor traffic interface ge-0/0/6 detail print-ascii no-resolve command to monitor LLDP-MED packets for the ge-0/0/6 interface. Once an outgoing LLDP frame has been sent (within 30 seconds or less), issue the Ctrl + c key sequence to stop the monitoring process. Question: What VLAN values are currently being sent and received through LLDP MED?
Step 4.7 Issue the show vlans command to verify the current VLAN assignments. Question: To which VLANs are the ge-0/0/6.0 and ge-0/0/7.0 access ports assigned?
www.juniper.net
Deploying IP Telephony Features Lab 47
Step 4.8 Return to the session opened for your assigned SRX device. Use the ping utility and verify traffic with a VLAN tag of 25 can pass through the ge-0/0/6.0 and ge-0/0/7.0 access ports. Note that the interfaces on the SRX devices are configured for 802.1Q operations with a VLAN ID of 25. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs. Do not forget to reference the correct routing instance. Question: Did the ping tests succeed?
STOP
www.juniper.net
Lab 5
Class of Service
Overview
In this lab, you will use the command-line interface (CLI) to configure and monitor class of service (CoS) on EX Series switches. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. By completing this lab you will perform the following tasks: Explore the default CoS configuration. Configure and monitor CoS components. Implement CoS using the EZQoS template.
www.juniper.net
Class of Service Lab 51 10.b.10.4R3.4
Part 1: Exploring the Default CoS Configuration

In this lab part, you will explore the default CoS configuration on your EX Series switch and perform some basic verification tasks to understand how the default CoS configuration works. Step 1.1 On your assigned EX Series switch, issue the show class-of-service interface ge-0/0/6 command to determine the default assignments for the ge-0/0/6 interface. Question: How many queues are supported on the ge-0/0/6 interface? How many are currently in use?
Question: What classifier is assigned to the ge-0/0/6 interface?
Step 1.2 Issue the show class-of-service classifier name ieee8021p-untrust command to determine the code point to forwarding class for the default ieee8021p-untrust classifier. Question: Based on this default classifier, to which forwarding class will traffic entering the ge-0/0/6interface with the 802.1P CoS bits 111 be assigned?
Step 1.3 Issue the show class-of-service interface ge-0/0/12 command to determine the default classifier assigned to the ge-0/0/12interface. Question: What classifier is assigned to the ge-0/0/12interface?
Lab 52 Class of Service
www.juniper.net
Question: Why are default classifiers assigned to the ge-0/0/12 and ge-0/0/6 interfaces different?
Step 1.4 Issue the show class-of-service classifier name ieee8021p-default command to determine the code point to forwarding class for the default ieee8021p-default classifier. Question: Based on this default classifier, to which forwarding class will traffic entering the ge-0/0/12interface with the 802.1P CoS bits 111 be assigned?
Step 1.5 Issue the show class-of-service classifier type ? command to determine which types of classifiers are supported on EX Series switches. Question: What classifier types are supported on your EX Series switch?
Question: Which type of classifier is typically used when classifying voice over IP (VoIP) traffic?
Step 1.6 Issue the show class-of-service classifier type dscp command. Question: Which two forwarding classes are used by the dscp-default classifier?
www.juniper.net
Class of Service Lab 53
Question: To which forwarding class would traffic with the DSCP code point value 000000 be assigned? What about traffic with the DSCP code point value 111111?
Question: Based on the output, what loss priority value is assigned, by default, to traffic with the various code point values?
Step 1.7 Issue the show class-of-service forwarding-class command to determine the default forwarding classes and their assigned queues. Question: What are the default forwarding classes and their corresponding queues?
Step 1.8 Issue the show interfaces ge-0/0/6 extensive | find "Egress queues" command to view queue and scheduler details for the ge-0/0/6 interface. Question: Which queues currently show non-zero counters? Can you explain why the other queues do not show non-zero counters?
Question: Which queues are currently being serviced by the default scheduler map? What percentage of the available bandwidth and buffer is allocated to each queue being serviced?
Part 2: Configuring and Monitoring CoS Components

In this lab part, you configure and monitor various CoS components. Refer to the network diagram for this lab for topological and configuration details.
Lab 54 Class of Service www.juniper.net
Step 2.1 On your assigned EX Series switch, enter configuration mode and navigate to the [edit class-of-service] hierarchy. Step 2.2 Create four custom forwarding classes named my-be, my-ef, my-af, and my-nc. Associate these forwarding classes with queues 0, 5, 1, and 7 respectively. Step 2.3 Use the commit command to activate the changes. Next, issue the run show interfaces ge-0/0/6 extensive | find "Queue counters" command to view the current forwarding class information for the ge-0/0/6 interface. Question: Are the custom forwarding classes now in effect and associated with the ge-0/0/6 interface?
Question: Which queues are currently being serviced by the default scheduler map?
Step 2.4 Create a custom DSCP classifier named my-dscp-classifier. Associate code-point alias ef (101110) with the my-ef forwarding class, code-point alias af41 (100010) with the my-af forwarding class, and code-point aliases cs3 (011000) and af31 (011010) with the my-nc forwarding class. Ensure that this custom classifier inherits all default code point aliases not specified in these custom definitions. Ensure that these custom definitions use the low loss priority level. Step 2.5 For the my-be forwarding class, change the default loss priority level of low to high for the code-point alias be (000000). Step 2.6 Associate this newly defined DSCP classifier with all logical Gigabit Ethernet interfaces. Use the commit command to activate the recent changes.
Note
The attached SRX devices have been pre-configured with a similar CoS configuration.
www.juniper.net
Step 2.7 Issue the run show class-of-service interface ge-0/0/6 command to verify that the new custom DSCP classifier is now associated with the ge-0/0/6 interface.
Question: Is the custom DSCP classifier now associated with the ge-0/0/6.0 interface?
Step 2.8 Issue the run show class-of-service classifier name my-dscp-classifier command to verify that the recent changes have taken effect. Question: Are the correct code-point to forwarding class mappings and loss priority levels now active for the custom DSCP classifier?
Step 2.9 Create a new scheduler for each queue defined earlier. Use the following table for configuration details for each scheduler.
Scheduler Configuration Details Name my-be-sched my-af-sched my-ef-sched my-nc-sched Step 2.10 Create a scheduler map named my-scheduler-map that maps the recently defined schedulers with their corresponding forwarding classes and queues. Step 2.11 Associate the newly defined scheduler map with all physical Gigabit Ethernet interfaces. Issue the commit command to activate the configuration changes. Transmit rate 30% 70% N/A N/A Buffer size 50% 20% 20% 10% Priority Low Low Strict High Strict High
www.juniper.net
The attached SRX devices have been pre-configured with a similar CoS configuration. Step 2.12 Issue the run show class-of-service interface ge-0/0/10 command to verify that the newly defined and applied scheduler map has been associated with the ge-0/0/10 interface. Question: Is the custom scheduler map associated with the ge-0/0/10 interface?
Step 2.13 Issue the run show interfaces ge-0/0/10 extensive | find "Queue counters" command to view current scheduler details and statistics for the ge-0/0/10 interface. Question: Which queues currently show non-zero counters for the ge-0/0/10 interface?
Step 2.14 Associate the default DSCP rewrite rule with all logical Gigabit Ethernet interfaces. Activate the change using the commit command.
Note
The attached SRX devices have been pre-configured with a similar CoS configuration. Step 2.15 Issue the run show class-of-service interface ge-0/0/10 command to ensure that the default DSCP rewrite rule has been applied to the ge-0/0/10.0 interface. Question: Is the default DSCP rewrite rule now associated with the ge-0/0/10.0 interface?
www.juniper.net
Step 2.16 Return to the session opened for your assigned SRX device. If needed, open a new session and log in using the credentials provided by your instructor. Use the ping utility to send traffic from your assigned vrx0 virtual router (VR) to your assigned vry1 VR, where y is either 1 or 2 depending on your assigned devices. As the destination IP address, use the IP address from the 172.23.25.0/24 subnet assigned to your vry1 VR. To test proper classification, use the tos option with values 0, 96, 104, 136, and 184 when performing your ping tests. Refer to the network diagram for the instance names and the IP addresses assigned to your VRs. Do not forget to reference the correct routing instance. Step 2.17 Return to the session opened for your assigned EX Series switch. Issue the run show interfaces queue ge-0/0/7 command to verify that all queues for the ge-0/0/7 interface show a non-zero counter value for egress traffic. Question: Do all queues for the ge-0/0/7 interface show a non-zero counter value for egress traffic?
Note
You can perform similar tests with traffic destined to the remote VRs.
STOP
Part 3: Implementing CoS Using the EZQoS Template

In this lab part, you use the EZQoS template to simplify the implementation of CoS components. Step 3.1 On your EX Series switch, delete all configuration under the [edit class-of-service] hierarchy. Use the commit command to activate the configuration changes. Step 3.2 Navigate to the root hierarchy level and issue the load merge /etc/config/ ezqos-voip.conf command to load the EZQoS configuration template. Step 3.3 Issue the set apply-groups ezqos-voip command to apply the ezqos-voip configuration group loaded in the previous step.
Lab 58 Class of Service www.juniper.net
Step 3.4 Associate the ezqos-dscp-classifier with all logical Gigabit Ethernet interfaces. Step 3.5 Associate the ezqos-voip-sched-maps with all physical Gigabit Ethernet interfaces. Step 3.6 Issue the commit command to activate the configuration changes. Next, issue the
run show class-of-service interface ge-0/0/6 command to verify the
current CoS components associated with the ge-0/0/6 interface. Question: Are the CoS components defined within the template now associated with the ge-0/0/6 interface?
Question: How many queues are currently in use? Can you explain why ?
Step 3.7 Associate the default DSCP rewrite rule with all logical Gigabit Ethernet interfaces. Activate this configuration change using the commit command. Step 3.8 Issue the run show class-of-service interface ge-0/0/6 command to verify that the default DSCP rewrite rule is now associated with the ge-0/0/6 interface. Question: Is the default DSCP rewrite rule now associated with the ge-0/0/6.0 interface?
Step 3.9 Add the ezqos-voice-fc forwarding class as the designated forwarding class for the voice VLAN defined in a previous lab. Activate the configuration change and return to operational mode using the commit and-quit command.
www.juniper.net
If time permits, you can perform verification tests using the ping utility on your assigned SRX device as you did toward the end of Part 2 of this lab.
STOP
www.juniper.net
Lab 6
Monitoring and Troubleshooting Layer 2 Networks
Overview
In this lab, you will first load a configuration file that will introduce problems that you will troubleshoot and fix. You will then examine hardware components and system processes. Next you will examine Ethernet switching functionality, the Multiple Spanning Tree Protocol (MSTP), and interface functionality. Finally you will configure port mirroring and the sFlow feature for monitoring purposes. As you identify problems throughout this lab, you will take corrective actions to fix them. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. By completing this lab you will perform the following tasks: Examine hardware components. Examine and troubleshoot system processes. Examine and troubleshoot Ethernet switching functionality. Examine and troubleshoot MSTP. Examine and troubleshoot Aggregated Ethernet interfaces. Configure and monitor port mirroring. Configure and monitor sFlow.
www.juniper.net
Monitoring and Troubleshooting Layer 2 Networks Lab 61 10.b.10.4R3.4
Part 1: Modifying the Existing Configurations

In this lab part, you load and activate a predefined configuration saved on your assigned devices. This predefined configuration will introduce a number of issues in your network. You will then troubleshoot the issues to restore network functionality. Step 1.1 Return to the session opened for your assigned SRX device. If needed, open a new session and log in using the credentials provided by your instructor. Enter configuration mode and override the existing configuration file with the lab6-start.conf configuration file stored in the /var/home/lab/ajex/ directory. Issue the commit and-quit command to activate the new configuration file and return to operational mode. Step 1.2 Return to the session opened for your assigned EX Series switch. If needed, open a new session and log in using the credentials provided by your instructor. Enter configuration mode and override the existing configuration file with the lab6-start.conf configuration file stored in the /var/home/lab/ajex/ directory. Issue the commit command to activate the new configuration file.
Part 2: Determining Success

In this lab part, you will examine key processes and hardware components to determine why vr10 cannot communicate with vr20. Step 2.1 On your assigned SRX device, use the ping utility and verify communication between the vr10 and the vr20 devices. Note that the interfaces on the SRX devices are configured for 802.1Q operations with a VLAN ID of 10. Refer to the network diagram for the instance names and the IP addresses assigned to the various virtual routers (VRs). Do not forget to reference the correct routing instance. Step 2.2 On your assigned SRX device, use the ping utility and verify communication between the vr11 and the vr21 devices. Note that the interfaces on the SRX devices are configured for 802.1Q operations with a VLAN ID of 11. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs. Do not forget to reference the correct routing instance. Question: What do the ping tests reveal?
Lab 62 Monitoring and Troubleshooting Layer 2 Networks
www.juniper.net
Question: Can any value be gained from testing Layer 4 or higher?
Question: What criteria will determine if the network has returned to a functioning state?
Part 3: Verifying Hardware Components and System Processes

In this lab part, you will verify your assigned EX Series switchs hardware components and system processes in an effort to find what is causing the issue. Step 3.1 On your assigned EX Series switch, issue the run show chassis routing-engine command. Question: What CPU and memory utilization is present in the output?
Step 3.2 Issue the run show chassis alarms and run show system alarms commands. Question: Are any problems detected?
Step 3.3 Issue the run show interfaces terse ge* command. Question: What does this output reveal?
Question: Does the problem appear to be a Layer 1 issue?
www.juniper.net
Monitoring and Troubleshooting Layer 2 Networks Lab 63
Step 3.4 Issue the run show system processes extensive command. Question: Is the daemon that controls the Ethernet switching functions running?
Question: Does the absence of the eswd daemon affect traffic flows between the VR devices?
Step 3.5 To determine why the eswd daemon is not running, examine the log messages file on your assigned EX Series switch. Use the | match eswd option to narrow your search. Question: What does this output reveal?
Step 3.6 Restart the eswd daemon by issuing the run restart ethernet-switching command. Question: What is the result of attempting to restart the eswd daemon?
Step 3.7 Navigate to the [edit system processes] hierarchy level and remove the configuration that is disabling the eswd daemon. Activate the changes using the commit command. Step 3.8 Check the status of the eswd daemon by issuing the run show system processes extensive | match eswd command. Question: Is the eswd daemon running?
www.juniper.net
STOP
Before proceeding, ensure that the remote student team in your pod finishes the previous steps.
Return to your assigned SRX device, use the ping utility and verify communication between the vr10 and the vr20 devices. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs. Do not forget to reference the correct routing instance.
Step 3.9
Step 3.10 On your assigned SRX device, use the ping utility and verify communication between the vr11 and the vr21 devices. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs. Do not forget to reference the correct routing instance. Question: What do the ping tests reveal?
Part 4: Verifying Ethernet Switching, MSTP, and Aggregate Ethernet Interfaces

In this part, you will examine the Ethernet switching table and the aggregated Ethernet interfaces. You will then troubleshoot and fix any problems that are found. Step 4.1 Open a new session to the SRX device assigned to the remote team. Log in to that device using the credentials provided by your instructor. Find the media access control (MAC) address associated with the vry0 device, where y is either 1 or 2 depending on the SRX device. Refer to the network diagram for this lab as needed. Question: What is the current MAC address assigned to the remote vry0 device?
Step 4.2 Return to the session opened for your assigned EX Series switch. On your assigned EX Series switch, display the Ethernet switching table and determine whether the MAC address associated with the remote teams vry0 device is present. Question: Is the MAC address for the remote teams vry0 device present?
www.juniper.net
Question: Can you find any problems with the MAC address entry?
Step 4.3 Remove any static MAC address entries configured on your assigned EX Series switch. Activate the changes using the commit command. Step 4.4 Examine the Ethernet switching table. Question: Is the static MAC address entry present?
STOP
Return to the session opened for your assigned SRX device. Use the ping utility and verify communication between the vr10 and the vr20 devices. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs. Do not forget to reference the correct routing instance.
Step 4.5
Step 4.7 Return to the session opened for your assigned EX Series switch. On your assigned EX Series switch, examine the Ethernet switching interface information.
www.juniper.net
Question: Why do the ge-0/0/6 and ge-0/0/7 interfaces show a value of untagged in the Tagging field?
Question: Can having these two interfaces configured as access ports cause problems with your setup? Why?
Question: What can you do to overcome this issue?
Step 4.8 Configure the ge-0/0/6 and ge-0/0/7 interfaces to receive and send 802.1Q frames. Activate the changes using the commit command. Step 4.9 Examine the Ethernet switching interface information again. Question: Will the ge-0/0/6 and ge-0/0/7 interfaces receive and send 802.1Q tagged frames?
STOP
Return to your assigned SRX device, use the ping utility and verify communication between the vr10 and the vr20 devices. Refer to the network diagram for the instance names and the IP addresses assigned to the various VRs. Do not forget to reference the correct routing instance.
Step 4.10
www.juniper.net
Question: Is the issue resolved yet? Why or why not?
Step 4.12 On your assigned SRX device, use the ping utility to generate a constant stream of traffic between the vr10 and vr20 devices. Issue the command ping routing-instance vry0 172.23.10.10z rapid count 10000000.
Note
The value of y is 1 if your assigned SRX device is SRX1. The value of y is 2 if your assigned SRX device is SRX2. The value of z is 2 if your assigned SRX device is SRX1. The value of z is 1 if your assigned SRX device is SRX2. Step 4.13 Return to the session opened for your assigned EX Series switch. On your assigned EX Series switch, examine which interfaces are being used for this traffic by issuing the command run monitor interface traffic. Press the Ctrl + d or Ctrl + u key combinations to scroll down or up. Press the q key when you are finished examining the output. Question: What interfaces are being used for the ping traffic?
www.juniper.net
Step 4.14 Traffic flows exceeding 1 Gbps is expected from the VR devices connected to your assigned EX Series switch. The traffic flows must traverse the aggregate Ethernet links in the switched topology to accommodate this requirement. The Gigabit Ethernet links are only to be used if an aggregate Ethernet link fails. Collect spanning-tree protocol information by issuing the command run show spanning-tree bridge. Question: What spanning-tree protocol is in use?
Question: What is the regional root bridge ID for MSTI 1?
Step 4.15 Return to your assigned SRX device, stop the ping test by pressing the Ctrl + c key combination, and collect spanning-tree protocol information by issuing the command show spanning-tree bridge. Question: What is the regional root bridge ID for MSTI 1?
Question: All devices in the network should be using the same regional root bridge for MSTI 1. What can cause two regional root bridges to appear?
Step 4.16 On your assigned SRX device, examine the configuration digest by issuing the command show spanning-tree mstp configuration. Step 4.17 On your assigned EX Series switch, examine the configuration digest by issuing the command run show spanning-tree mstp configuration. Question: Does a configuration digest mismatch exist? Why?
www.juniper.net
Question: What can you do to fix this problem?
Step 4.18 Navigate to the [edit protocols mstp] hierarchy level and add VLAN 10 to MSTI 1. Activate the changes using the commit command.
STOP
On your assigned EX Series switch, issue the command run show spanning-tree bridge.
Step 4.19
Step 4.20 Return to your assigned SRX device and issue the command show spanning-tree bridge. Question: Do both of your assigned devices now show the same regional root bridge for MSTI 1?
Note
The value of y is 1 if your assigned SRX device is SRX1. The value of y is 2 if your assigned SRX device is SRX2. The value of z is 2 if your assigned SRX device is SRX1. The value of z is 1 if your assigned SRX device is SRX2.
Note
If the ping operation is not successful, work with the remote team in your pod and verify that all student devices show the same regional root bridge for MSTI 1. Do not proceed until the continuous ping operation shows success. If needed, work with your instructor.
Lab 610 Monitoring and Troubleshooting Layer 2 Networks www.juniper.net
Step 4.22 Return to your assigned EX Series switch and examine the traffic flow using the run monitor interface traffic command. Press the Ctrl + d or Ctrl + u key combinations to scroll down or up. Press the q key when you are finished examining the output. Question: Which interfaces are being used for the traffic flow?
Question: Do you currently have enough information to determine why the traffic is not using the ae0 interface?
Step 4.23 Exit the current output by pressing the q key. Examine the status of the ae0 interface by issuing the command run show interface terse | match ae0. Question: Can you determine the problem from this output?
Step 4.24 Examine the Ethernet switching table. Question: What can you determine from this output?
Step 4.25 Examine the interface statuses of MSTI 1 by issuing the command run show spanning-tree interface msti 1. Question: What can you determine from this output?
www.juniper.net
Step 4.26 Examine the traffic entering and exiting the ae0 interface by issuing the command run monitor traffic interface ae0. Press the Ctrl + c key combination when you are finished. Question: What can you determine from this output?
Step 4.27 Examine the traffic entering and exiting the ge-0/0/9 interface, which is a child interface of the ae0 interface. Issue the command run monitor traffic interface ge-0/0/9. Press the Ctrl + c key combination when you are finished. Question: What can you determine from this output?
Step 4.28 Examine all the interfaces that have LACP configured by issuing the command run show lacp interfaces. Question: What can you determine from this output?
Step 4.29 Configure LACP to actively attempt to configure its remote partner on the ae0 interface. Activate the change using the commit command. Step 4.30 Issue the command run show lacp interfaces. Question: What can you determine from this output?
STOP
www.juniper.net
Note
The value of y is 1 if your assigned SRX device is SRX1. The value of y is 2 if your assigned SRX device is SRX2. The value of z is 2 if your assigned SRX device is SRX1. The value of z is 1 if your assigned SRX device is SRX2.
Note
If the ping operation is not successful, you might need to wait for a moment for MSTP changes to occur on all participating devices. Do not proceed until the continuous ping operation shows success. If needed, work with your instructor. Step 4.32 Return to your assigned EX Series switch and examine the traffic flow using the run monitor interface traffic command. Press the Ctrl + d or Ctrl + u key combinations to scroll down or up. Press the q key when you are finished examining the output. Question: Which interfaces is the traffic using?
Question: Has the network been restored to a functioning condition?
Part 5: Configuring Port Mirroring and sFlow

In this lab part, you will configure port mirroring and sFlow collection. You will then monitor the operation of both. Step 5.1 Configure the ge-0/0/13 interface to participate in family ethernet-switching.
www.juniper.net
Step 5.2 Navigate to the [edit ethernet-switching-options] hierarchy level. Configure the analyzer monitor-vr to copy 1 out of every 5 frames that enters your assigned EX Series switch on the ge-0/0/6 interface. Then configure the monitor-vr analyzer to send these frames to the analyzer device located off the ge-0/0/13 interface. Activate the changes using the commit command. Step 5.3 Verify that the analyzer has been correctly created by issuing the command run show analyzer. Question: Has the analyzer been configured correctly?
Note
The value of y is 1 if your assigned SRX device is SRX1. The value of y is 2 if your assigned SRX device is SRX2. The value of z is 2 if your assigned SRX device is SRX1. The value of z is 1 if your assigned SRX device is SRX2. Step 5.5 Return to your assigned EX Series switch and examine the traffic flow using the run monitor interface traffic command. Press the Ctrl + d or Ctrl + u key combinations to scroll down or up. Press the q key when you are finished examining the output. Question: Is traffic being mirrored out the ge-0/0/13 interface?
Step 5.6 Navigate to the [edit protocols sflow] hierarchy level. Configure the collector with the address of the local server located in your management network. Refer to the Management Network Diagram for this address.
www.juniper.net
Step 5.7 Enable sFlow on the child interfaces of the ae0 interface. Next, set the sFlow agent to collect interface statistics every second. Then sample every 100 frames that egress the interfaces.
Note
The sFlow collection cannot be configured on an aggregate Ethernet interface. It must be configured on its child interfaces instead. Step 5.8 Verify that sFlow has been configured correctly by issuing the command run show sflow. Question: Has the sFlow collection been configured correctly?
Step 5.9 Verify the sFlow collector is working correctly by issuing the command run show sflow collector. Question: Is traffic being sampled and sent to the sFlow collector?
Step 5.10 Return to the sessions opened for your assigned SRX device and your assigned EX Series switch. On both of your assigned devices, enter configuration mode and load the reset configuration files by issuing the load override /var/home/lab/ajex/ reset.conf command. Activate the reset configuration files and return to operational mode using the commit and-quit command.
STOP
www.juniper.net
www.juniper.net

Appendix A: Lab Diagrams
A2 Lab Diagrams
www.juniper.net
www.juniper.net
Lab Diagrams A3
A4 Lab Diagrams
www.juniper.net

Advanced Junos Enterprise Switching: High-Level Lab Guide

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Advanced Junos Enterprise Switching: High-Level Lab Guide

Uploaded by

Copyright:

Available Formats

Advanced Junos Enterprise Switching

High-Level Lab Guide

Worldwide Education Services

Implementing MSTP and VSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

Authentication and Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

Deploying IP Telephony Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1

Monitoring and Troubleshooting Layer 2 Networks . . . . . . . . . . . . . . . . . . . 6-1

Appendix A: Lab Diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1

GUI text elements: Menu names Text field entry

Input Text Versus Output Text

Defined and Undefined Syntax Variables

Document Conventions vii

About This Publication

Juniper Networks Support

viii Additional Information

Advanced Ethernet Switching Lab 11 10.b.10.4R3.4